
Warnings when scanning terraform code with dynamic blocks with 3.2.303+ #6861

Closed
tberreis opened this issue Nov 21, 2024 · 3 comments

@tberreis

Describe the issue
We are using dynamic blocks in our Terraform code. While scanning with Checkov 3.2.302 ran successfully, 3.2.303 throws lots of warnings of the form "Failed updating attribute for key ... Falling back to explicitly setting it.Exception - Parse error at 1:12 near token rule (ID)", as shown in the third line of the example below.

This seems to be related to the PR #6852.

All in all, the scan result is the same, but I don't know whether these warnings are expected here or whether a code change is needed.
Feel free to close this issue.

Examples
Terraform code snippet:

  dynamic "immutability_policy" {
    for_each = var.immutability.enabled ? [1] : []

    content {
      state                         = var.immutability.storage_account_policy.state
      allow_protected_append_writes = var.immutability.storage_account_policy.allow_protected_append_writes
      period_since_creation_in_days = var.immutability.storage_account_policy.period_since_creation_in_days
    }
  }

Scan result with 3.2.302:

# docker run -v $PWD:/data --rm -it docker.io/bridgecrew/checkov:3.2.302 -d /data --quiet --compact
2024-11-21 08:04:44,540 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-11-21 08:04:44,541 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 7, Failed checks: 2, Skipped checks: 10

Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
        FAILED for resource: azurerm_storage_account.this
        File: /main.tf:12-95
        Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
        FAILED for resource: azurerm_storage_account.this
        File: /main.tf:12-95
        Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/azr-general-206

Scan result with 3.2.303:

# docker run -v $PWD:/data --rm -it docker.io/bridgecrew/checkov:3.2.303 -d /data --quiet --compact
2024-11-21 08:07:24,064 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-11-21 08:07:24,064 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
2024-11-21 08:07:24,345 [MainThread  ] [WARNI]  Failed updating attribute for key: dynamic.1.rule and value {'for_each': '{for key , value in {} : key :> value.delete_blob_after_days if value.delete_blob_after_days > 0}'} forvertex attributes {'__end_line__': 158, '__start_line__': 97, 'count': ['${local.storage_management_policy_required ? 1 : 0}'], 'dynamic': [{'rule': {'content': {'actions': {'base_blob': {'delete_after_days_since_modification_greater_than': 30}}, 'enabled': True, 'filters': {'blob_types': ['appendBlob'], 'prefix_match': ['insights-logs-']}, 'name': 'insights-logs-rule'}, 'for_each': '${var.automatically_delete_aks_insights_logs ? [1] : []}'}}, {'rule': {'content': {'actions': {'base_blob': {'delete_after_days_since_modification_greater_than': '${rule.value}'}}, 'enabled': True, 'filters': {'blob_types': ['appendBlob', 'blockBlob'], 'prefix_match': ['${rule.key}/']}, 'name': '${rule.key}-rule'}, 'for_each': '{for key , value in {} : key :> value.delete_blob_after_days if value.delete_blob_after_days > 0}'}}, {'rule': {'content': {'actions': {'version': {'delete_after_days_since_creation': '${var.blob_versioning.lifecycle_policy.delete_version_after_days}'}}, 'enabled': '${var.blob_versioning.enabled}', 'filters': {'blob_types': ['appendBlob', 'blockBlob']}, 'name': 'delete-previous-versions-rule'}, 'for_each': '${var.blob_versioning.enabled && var.blob_versioning.lifecycle_policy.enabled ? [1] : []}'}}], 'storage_account_id': ['${azurerm_storage_account.this.id}'], 'rule': [{'actions': [{'base_blob': [{'delete_after_days_since_modification_greater_than': [30]}]}], 'enabled': [True], 'filters': [{'blob_types': [['appendBlob']], 'prefix_match': [['insights-logs-']]}], 'name': ['insights-logs-rule']}, {'actions': [{'base_blob': [{'delete_after_days_since_modification_greater_than': ['${rule.value}']}]}], 'enabled': [True], 'filters': [{'blob_types': [['appendBlob', 'blockBlob']], 'prefix_match': [['${rule.key}/']]}], 'name': ['${rule.key}-rule']}, {'actions': [{'version': [{'delete_after_days_since_creation': ['${var.blob_versioning.lifecycle_policy.delete_version_after_days}']}]}], 'enabled': ['${var.blob_versioning.enabled}'], 'filters': [{'blob_types': [['appendBlob', 'blockBlob']]}], 'name': ['delete-previous-versions-rule']}], 'resource_type': ['azurerm_storage_management_policy'], 'dynamic.0': {'rule': {'content': {'actions': {'base_blob': {'delete_after_days_since_modification_greater_than': 30}}, 'enabled': True, 'filters': {'blob_types': ['appendBlob'], 'prefix_match': ['insights-logs-']}, 'name': 'insights-logs-rule'}, 'for_each': '${var.automatically_delete_aks_insights_logs ? [1] : []}'}}, 'dynamic.0.rule': {'content': {'actions': {'base_blob': {'delete_after_days_since_modification_greater_than': 30}}, 'enabled': True, 'filters': {'blob_types': ['appendBlob'], 'prefix_match': ['insights-logs-']}, 'name': 'insights-logs-rule'}, 'for_each': '${var.automatically_delete_aks_insights_logs ? [1] : []}'}, 'dynamic.0.rule.content': {'actions': {'base_blob': {'delete_after_days_since_modification_greater_than': 30}}, 'enabled': True, 'filters': {'blob_types': ['appendBlob'], 'prefix_match': ['insights-logs-']}, 'name': 'insights-logs-rule'}, 'dynamic.0.rule.content.actions': {'base_blob': {'delete_after_days_since_modification_greater_than': 30}}, 'dynamic.0.rule.content.actions.base_blob': {'delete_after_days_since_modification_greater_than': 30}, 'dynamic.0.rule.content.actions.base_blob.delete_after_days_since_modification_greater_than': 30, 'dynamic.0.rule.content.enabled': True, 'dynamic.0.rule.content.filters': {'blob_types': ['appendBlob'], 'prefix_match': ['insights-logs-']}, 'dynamic.0.rule.content.filters.blob_types': ['appendBlob'], 'dynamic.0.rule.content.filters.blob_types.0': 'appendBlob', 'dynamic.0.rule.content.filters.prefix_match': ['insights-logs-'], 'dynamic.0.rule.content.filters.prefix_match.0': 'insights-logs-', 'dynamic.0.rule.content.name': 'insights-logs-rule', 'dynamic.0.rule.for_each': '${var.automatically_delete_aks_insights_logs ? [1] : []}', 'dynamic.1': {'rule': {'content': {'actions': {'base_blob': {'delete_after_days_since_modification_greater_than': '${rule.value}'}}, 'enabled': True, 'filters': {'blob_types': ['appendBlob', 'blockBlob'], 'prefix_match': ['${rule.key}/']}, 'name': '${rule.key}-rule'}, 'for_each': '{for key , value in {} : key :> value.delete_blob_after_days if value.delete_blob_after_days > 0}'}}, 'dynamic.1.rule': {'content': {'actions': {'base_blob': {'delete_after_days_since_modification_greater_than': '${rule.value}'}}, 'enabled': True, 'filters': {'blob_types': ['appendBlob', 'blockBlob'], 'prefix_match': ['${rule.key}/']}, 'name': '${rule.key}-rule'}, 'for_each': '{for key , value in {} : key :> value.delete_blob_after_days if value.delete_blob_after_days > 0}'}, 'dynamic.1.rule.content': {'actions': {'base_blob': {'delete_after_days_since_modification_greater_than': '${rule.value}'}}, 'enabled': True, 'filters': {'blob_types': ['appendBlob', 'blockBlob'], 'prefix_match': ['${rule.key}/']}, 'name': '${rule.key}-rule'}, 'dynamic.1.rule.content.actions': {'base_blob': {'delete_after_days_since_modification_greater_than': '${rule.value}'}}, 'dynamic.1.rule.content.actions.base_blob': {'delete_after_days_since_modification_greater_than': '${rule.value}'}, 'dynamic.1.rule.content.actions.base_blob.delete_after_days_since_modification_greater_than': '${rule.value}', 'dynamic.1.rule.content.enabled': True, 'dynamic.1.rule.content.filters': {'blob_types': ['appendBlob', 'blockBlob'], 'prefix_match': ['${rule.key}/']}, 'dynamic.1.rule.content.filters.blob_types': ['appendBlob', 'blockBlob'], 'dynamic.1.rule.content.filters.blob_types.0': 'appendBlob', 'dynamic.1.rule.content.filters.blob_types.1': 'blockBlob', 'dynamic.1.rule.content.filters.prefix_match': ['${rule.key}/'], 'dynamic.1.rule.content.filters.prefix_match.0': '${rule.key}/', 'dynamic.1.rule.content.name': '${rule.key}-rule', 'dynamic.1.rule.for_each': '{for key , value in {} : key :> value.delete_blob_after_days if value.delete_blob_after_days > 0}', 'dynamic.2': {'rule': {'content': {'actions': {'version': {'delete_after_days_since_creation': '${var.blob_versioning.lifecycle_policy.delete_version_after_days}'}}, 'enabled': '${var.blob_versioning.enabled}', 'filters': {'blob_types': ['appendBlob', 'blockBlob']}, 'name': 'delete-previous-versions-rule'}, 'for_each': '${var.blob_versioning.enabled && var.blob_versioning.lifecycle_policy.enabled ? [1] : []}'}}, 'dynamic.2.rule': {'content': {'actions': {'version': {'delete_after_days_since_creation': '${var.blob_versioning.lifecycle_policy.delete_version_after_days}'}}, 'enabled': '${var.blob_versioning.enabled}', 'filters': {'blob_types': ['appendBlob', 'blockBlob']}, 'name': 'delete-previous-versions-rule'}, 'for_each': '${var.blob_versioning.enabled && var.blob_versioning.lifecycle_policy.enabled ? [1] : []}'}, 'dynamic.2.rule.content': {'actions': {'version': {'delete_after_days_since_creation': '${var.blob_versioning.lifecycle_policy.delete_version_after_days}'}}, 'enabled': '${var.blob_versioning.enabled}', 'filters': {'blob_types': ['appendBlob', 'blockBlob']}, 'name': 'delete-previous-versions-rule'}, 'dynamic.2.rule.content.actions': {'version': {'delete_after_days_since_creation': '${var.blob_versioning.lifecycle_policy.delete_version_after_days}'}}, 'dynamic.2.rule.content.actions.version': {'delete_after_days_since_creation': '${var.blob_versioning.lifecycle_policy.delete_version_after_days}'}, 'dynamic.2.rule.content.actions.version.delete_after_days_since_creation': '${var.blob_versioning.lifecycle_policy.delete_version_after_days}', 'dynamic.2.rule.content.enabled': '${var.blob_versioning.enabled}', 'dynamic.2.rule.content.filters': {'blob_types': ['appendBlob', 'blockBlob']}, 'dynamic.2.rule.content.filters.blob_types': ['appendBlob', 'blockBlob'], 'dynamic.2.rule.content.filters.blob_types.0': 'appendBlob', 'dynamic.2.rule.content.filters.blob_types.1': 'blockBlob', 'dynamic.2.rule.content.name': 'delete-previous-versions-rule', 'dynamic.2.rule.for_each': '${var.blob_versioning.enabled && var.blob_versioning.lifecycle_policy.enabled ? [1] : []}'}. Falling back to explicitly setting it.Exception - Parse error at 1:12 near token rule (ID)

[...]

terraform scan results:

Passed checks: 7, Failed checks: 2, Skipped checks: 10

Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
        FAILED for resource: azurerm_storage_account.this
        File: /main.tf:12-95
        Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
        FAILED for resource: azurerm_storage_account.this
        File: /main.tf:12-95
        Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/azr-general-206

Version (please complete the following information):

  • Checkov Version 3.2.303+

Additional context
#6852

@tberreis tberreis added the noise label Nov 21, 2024
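The report above judges "the scan result is the same" from the pass/fail counts in the summary line. When a scanner release changes how resources are parsed, the practitioner's check is stricter than that: compare the findings themselves, keyed by check id and resource, and look at the parsing-error list, since a parser regression can silently drop a resource from evaluation while the totals stay put. The script below is an added example for this issue; it is neither the reporter's code nor part of Checkov. It assumes the shape of `checkov -o json` output (one object, or a list of objects when several frameworks ran, with `results.passed_checks` / `failed_checks` / `skipped_checks` entries carrying `check_id`, `resource` and `check_result.result`, a `results.parsing_errors` file list, and a `summary` with `passed` / `failed` / `skipped` / `parsing_errors` counts). The two embedded reports are constructed samples built by `sample_report`, not output from any real scan.

```python
"""Diff two Checkov JSON reports by (check_id, resource), not by summary counts.

Added example for this issue; not the reporter's code and not part of Checkov.
Assumes the `checkov -o json` report shape described in the lead-in.
"""
import json
import sys


def sample_report(passed, failed, parsing_errors=()):
    """Build a constructed report in the `checkov -o json` shape (sample data only).

    Every entry is attached to the same resource as in the issue so the
    summary counts depend only on how many check ids are passed in.
    """
    def entries(ids, result):
        return [{"check_id": cid, "resource": "azurerm_storage_account.this",
                 "check_result": {"result": result}} for cid in ids]
    return json.dumps({
        "check_type": "terraform",
        "results": {"passed_checks": entries(passed, "PASSED"),
                    "failed_checks": entries(failed, "FAILED"),
                    "skipped_checks": [],
                    "parsing_errors": list(parsing_errors)},
        "summary": {"passed": len(passed), "failed": len(failed), "skipped": 0,
                    "parsing_errors": len(parsing_errors)},
    })


# Constructed samples: identical summary lines (2 passed, 2 failed), but in the
# "new" report one check is no longer evaluated and a different one appeared.
REPORT_OLD = sample_report(["CKV_AZURE_33", "CKV_AZURE_44"], ["CKV_AZURE_59", "CKV_AZURE_206"])
REPORT_NEW = sample_report(["CKV_AZURE_33", "CKV_AZURE_190"], ["CKV_AZURE_59", "CKV_AZURE_206"])


def _reports(report_json):
    """Normalise single-framework (object) and multi-framework (list) output."""
    data = json.loads(report_json)
    return data if isinstance(data, list) else [data]


def summary_counts(report_json):
    """Sum the summary counters across all frameworks in the report."""
    totals = {"passed": 0, "failed": 0, "skipped": 0, "parsing_errors": 0}
    for rep in _reports(report_json):
        for key in totals:
            totals[key] += int(rep.get("summary", {}).get(key, 0))
    return totals


def findings(report_json):
    """Map (check_id, resource) -> PASSED/FAILED/SKIPPED for every evaluated check."""
    out = {}
    for rep in _reports(report_json):
        results = rep.get("results", {})
        for bucket in ("passed_checks", "failed_checks", "skipped_checks"):
            for chk in results.get(bucket, []):
                out[(chk["check_id"], chk["resource"])] = chk["check_result"]["result"]
    return out


def parsing_errors(report_json):
    """Files the scanner could not parse; a parser regression shows up here first."""
    files = []
    for rep in _reports(report_json):
        files.extend(rep.get("results", {}).get("parsing_errors", []))
    return sorted(files)


def diff_findings(old_json, new_json):
    """Everything that differs between two reports, keyed by (check_id, resource)."""
    old, new = findings(old_json), findings(new_json)
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted((k, old[k], new[k]) for k in old.keys() & new.keys()
                          if old[k] != new[k]),
        "new_parsing_errors": sorted(set(parsing_errors(new_json))
                                     - set(parsing_errors(old_json))),
    }


def reports_equivalent(old_json, new_json):
    """True only when every individual finding matches, not merely the totals."""
    return not any(diff_findings(old_json, new_json).values())


if __name__ == "__main__":
    # Usage: python diff_checkov.py old.json new.json  (falls back to the samples)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_old, open(sys.argv[2]) as f_new:
            old_json, new_json = f_old.read(), f_new.read()
    else:
        old_json, new_json = REPORT_OLD, REPORT_NEW
    print("summary old:", summary_counts(old_json))
    print("summary new:", summary_counts(new_json))
    for label, items in diff_findings(old_json, new_json).items():
        for item in items:
            print(f"{label}: {item}")
```

Run it against `checkov -d /data -o json > old.json` from one image tag and the same command from the other; an empty diff, rather than equal totals, is the evidence that a version bump only added log noise.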
@andresionek91

I think this relates to #6855

@tsmithv11
Collaborator

@tberreis can you update to the latest version and try again?

@tberreis
Author

Hi @tsmithv11, I can confirm this is fixed with 3.2.317.
