New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Check: CKV_AWS_35: "Ensure CloudTrail logs are encrypted at rest using KMS CMKs" for terraform plan if kms_key_id is a reference to kms resource #800
Comments
Hello @ismailyenigul ,
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#kms_key_id Please could you test ensuring you are using the right name. If you are still seeing a failure please come back and post the entire This could be because of interpolation of outputs. It could be because outputs are not yet known in the plan. It could be to do with your module usage or something else. But, it may just be that you are using the wrong name. |
Hi @njgibbon
|
@ismailyenigul ah okey fair enough. Thanks for updating the description. In that case we will have to look further into the issue 🙂 |
@ismailyenigul Also, thanks for the plan output. Really useful! I'm not properly looking in to it now but I have just come across this recently raised related issue which could help understand what's happening here hashicorp/terraform-provider-aws#11823 |
@ismailyenigul so we need to add the "after_unknown" properties into the resource analysis. is that correct? |
Hi @schosterbarak
and
but it seeems checking in after_unknown block is the easiest
|
i'll research more on the best way to handle this. |
Just done some analysis on this: When we parse through a plan we are looking at the https://github.com/bridgecrewio/checkov/blob/master/checkov/terraform/plan_parser.py#L98 See https://www.terraform.io/docs/internals/json-format.html#plan-representation
Note the "with any as-yet-unknown values omitted.". Which captures the case being reported here and the linked hashicorp issue where they are using a kms key that has just been created in the same run. In this case, we appear to need look under Then we can identify the thing we want to scan by the I have linked the whole body of this item so you can clearly see what's going on.
If we check here we can find what we want. We do not want false negatives or duplicate scans so we will need logic that takes this in to account and adds the Importantly. the |
thanks for the analysis @njgibbon . I miss something "s3_bucket_name" appears in "after_unknown" as boolean value, i was expecting a string. is there further anlsysis to be done to get the string / object value of it? |
@schosterbarak I think all values in |
so what would the policy check in that case? |
If "kms_key_id" true or not |
does it work the same for object elements? like |
@schosterbarak - Yeah, I think some more understanding may be needed. It looks as if the Booleans just mean that "yes, this will have a value", but it doesn't tell us about what the value will be yet. In the case of a kms_key_id for cloudtrail this would pass the check because we just want any value because any valid value indicates that a key is being used for encryption. But you could imagine other scenrios where it would cause the wrong result. So, the whole thing needs to be thought about and understood a bit more before jumping into a change. |
First I have to check s3 case.
So if it is in planned_values no need to make another check. Nothing about kms_key_id in `after_unknow
nothing in planned but
Because default value is "" at
I got |
and what about AES encryption (which is an object and not a string) ? |
About
Again it is reference to output of another module and sse is set in s3_bucket module nothing in after_unknown
btw, kms_master_key_arn is set "" by default at |
Seems #799 is related with the |
Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io |
Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: https://slack.bridgecrew.io Thanks! |
Describe the bug
I used this example https://github.com/cloudposse/terraform-aws-cloudtrail/tree/master/examples/complete to test cloudtrail kms encryption check.
Experiencing same issue reported at #799 scanning terraform files is working fine. It reports SUCCESS for KMS CMKs check.
but terraform plan scanning fails
Desktop (please complete the following information):
Additional context
Attached failed terraform plan in json
kms-key-reference.txt
The text was updated successfully, but these errors were encountered: