feat: Support multiple instances of same terraform resource #4627

Closed
simar7 opened this issue Jun 13, 2023 Discussed in #4317 · 1 comment
simar7 commented Jun 13, 2023

Discussed in #4317

Originally posted by ohad83 December 21, 2022

Description

I'm not exactly sure what the root problem is here, but it seems to be a problem with trivy/defsec/tfsec when I use a module twice and it has a dynamic block which is different for each instance. It might be connected to this issue.
This is a minimal example:

```hcl
# Two customer managed keys, one per bucket
resource "aws_kms_key" "key1" {
  description         = "Key #1"
  enable_key_rotation = true
}

resource "aws_kms_key" "key2" {
  description         = "Key #2"
  enable_key_rotation = true
}

# First instance of the same module, encrypted with key1
module "bucket1" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "3.5.0"

  bucket_prefix           = "bucket1"
  acl                     = "private"
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true

  versioning = {
    enabled = true
  }

  logging = {
    target_bucket = "logging-bucket"
    target_prefix = "log/"
  }

  server_side_encryption_configuration = {
    rule = {
      apply_server_side_encryption_by_default = {
        kms_master_key_id = aws_kms_key.key1.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }
}

# Second instance of the same module, identical except for the key (key2)
module "bucket2" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "3.5.0"

  bucket_prefix           = "bucket2"
  acl                     = "private"
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true

  versioning = {
    enabled = true
  }

  logging = {
    target_bucket = "logging-bucket"
    target_prefix = "log/"
  }

  server_side_encryption_configuration = {
    rule = {
      apply_server_side_encryption_by_default = {
        kms_master_key_id = aws_kms_key.key2.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }
}
```

I have 2 buckets, each encrypted with its own key.

What did you expect to happen?

I expect trivy checks about S3 bucket encryption to pass as the buckets are encrypted.

What happened instead?

trivy says the S3 bucket isn't encrypted - only the first bucket.
This has something to do with the fact there are 2 keys and 2 buckets. If I use key2 for both of them, trivy is happy. If I use key1 for both, they're both labeled as unencrypted.

Output of the run with -debug:

2022-12-21T16:02:06.296+0200	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-12-21T16:02:06.336+0200	DEBUG	cache dir:  /Users/ohad/Library/Caches/trivy
2022-12-21T16:02:06.336+0200	INFO	Misconfiguration scanning is enabled
2022-12-21T16:02:06.336+0200	DEBUG	Walk the file tree rooted at '.' in parallel
2022-12-21T16:02:06.676+0200	DEBUG	OS is not detected.
2022-12-21T16:02:06.676+0200	INFO	Detected config files: 3
2022-12-21T16:02:06.676+0200	DEBUG	Scanned config file: .
2022-12-21T16:02:06.676+0200	DEBUG	Scanned config file: a.tf
2022-12-21T16:02:06.676+0200	DEBUG	Scanned config file: terraform-aws-modules/s3-bucket/aws/main.tf

terraform-aws-modules/s3-bucket/aws/main.tf (terraform)

Tests: 12 (SUCCESSES: 10, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 terraform-aws-modules/s3-bucket/aws/main.tf:143-165
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 143 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
 144 │   count = local.create_bucket && length(keys(var.server_side_encryption_configuration)) > 0 ? 1 : 0
 145 │
 146 │   bucket                = aws_s3_bucket.this[0].id
 147 │   expected_bucket_owner = var.expected_bucket_owner
 148 │
 149 │   dynamic "rule" {
 150 │     for_each = try(flatten([var.server_side_encryption_configuration["rule"]]), [])
 151 └
 ...
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 terraform-aws-modules/s3-bucket/aws/main.tf:143-165
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 143 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
 144 │   count = local.create_bucket && length(keys(var.server_side_encryption_configuration)) > 0 ? 1 : 0
 145 │
 146 │   bucket                = aws_s3_bucket.this[0].id
 147 │   expected_bucket_owner = var.expected_bucket_owner
 148 │
 149 │   dynamic "rule" {
 150 │     for_each = try(flatten([var.server_side_encryption_configuration["rule"]]), [])
 151 └
 ...
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

I also ran defsec, which has a better debug output for this I believe:

03:11.877042000 terraform.scanner                Scanning [&{/tmp/tfsec-check /tmp/tfsec-check}] at '.'...
03:11.879100000 terraform.scanner.rego           Loaded 3 embedded libraries.
03:11.895932000 terraform.scanner.rego           Loaded 123 embedded policies.
03:12.010416000 terraform.scanner                Scanning root module '.'...
03:12.010442000 terraform.parser.<root>          Setting project/module root to '.'
03:12.010448000 terraform.parser.<root>          Parsing FS from '.'
03:12.010537000 terraform.parser.<root>          Parsing 'a.tf'...
03:12.010813000 terraform.parser.<root>          Added file a.tf.
03:12.010824000 terraform.parser.<root>          Evaluating module...
03:12.010946000 terraform.parser.<root>          Read 4 block(s) and 0 ignore(s) for module 'root' (1 file[s])...
03:12.010960000 terraform.parser.<root>          Added 0 variables from tfvars.
03:12.011020000 terraform.parser.<root>          Loaded module metadata for 3 module(s) from '.terraform/modules/modules.json'.
03:12.011031000 terraform.parser.<root>          Working directory for module evaluation is '/tmp/tfsec-check'
03:12.011062000 terraform.parser.<root>.evaluator Filesystem key is 'fcc4b050a2da87c154295ae67ffe9359e8db06d0d23a4e9305997ac263f01de9'
03:12.011064000 terraform.parser.<root>.evaluator Starting module evaluation...
03:12.011107000 terraform.parser.<root>.evaluator Starting submodule evaluation...
03:12.011115000 terraform.parser.<root>.evaluator Module 'module.bucket1' resolved to path '.terraform/modules/bucket1' in filesystem '&{/tmp/tfsec-check /tmp/tfsec-check}' using modules.json
03:12.011117000 terraform.parser.<bucket1>       Parsing FS from '.terraform/modules/bucket1'
03:12.011160000 terraform.parser.<bucket1>       Parsing '.terraform/modules/bucket1/main.tf'...
03:12.014970000 terraform.parser.<bucket1>       Added file .terraform/modules/bucket1/main.tf.
03:12.014989000 terraform.parser.<bucket1>       Parsing '.terraform/modules/bucket1/outputs.tf'...
03:12.015245000 terraform.parser.<bucket1>       Added file .terraform/modules/bucket1/outputs.tf.
03:12.015251000 terraform.parser.<bucket1>       Parsing '.terraform/modules/bucket1/variables.tf'...
03:12.016086000 terraform.parser.<bucket1>       Added file .terraform/modules/bucket1/variables.tf.
03:12.016091000 terraform.parser.<bucket1>       Parsing '.terraform/modules/bucket1/versions.tf'...
03:12.016127000 terraform.parser.<bucket1>       Added file .terraform/modules/bucket1/versions.tf.
03:12.016129000 terraform.parser.<root>.evaluator found module 'terraform-aws-modules/s3-bucket/aws' in .terraform/modules
03:12.016131000 terraform.parser.<root>.evaluator Loaded module 'bucket1' from '.terraform/modules/bucket1'.
03:12.016141000 terraform.parser.<root>.evaluator Module 'module.bucket2' resolved to path '.terraform/modules/bucket2' in filesystem '&{/tmp/tfsec-check /tmp/tfsec-check}' using modules.json
03:12.016144000 terraform.parser.<bucket2>       Parsing FS from '.terraform/modules/bucket2'
03:12.016192000 terraform.parser.<bucket2>       Parsing '.terraform/modules/bucket2/main.tf'...
03:12.018954000 terraform.parser.<bucket2>       Added file .terraform/modules/bucket2/main.tf.
03:12.018968000 terraform.parser.<bucket2>       Parsing '.terraform/modules/bucket2/outputs.tf'...
03:12.019217000 terraform.parser.<bucket2>       Added file .terraform/modules/bucket2/outputs.tf.
03:12.019225000 terraform.parser.<bucket2>       Parsing '.terraform/modules/bucket2/variables.tf'...
03:12.020030000 terraform.parser.<bucket2>       Added file .terraform/modules/bucket2/variables.tf.
03:12.020034000 terraform.parser.<bucket2>       Parsing '.terraform/modules/bucket2/versions.tf'...
03:12.020065000 terraform.parser.<bucket2>       Added file .terraform/modules/bucket2/versions.tf.
03:12.020071000 terraform.parser.<root>.evaluator found module 'terraform-aws-modules/s3-bucket/aws' in .terraform/modules
03:12.020073000 terraform.parser.<root>.evaluator Loaded module 'bucket2' from '.terraform/modules/bucket2'.
03:12.020074000 terraform.parser.<bucket1>       Evaluating module...
03:12.024178000 terraform.parser.<bucket1>       Read 78 block(s) and 0 ignore(s) for module 'bucket1' (4 file[s])...
03:12.024228000 terraform.parser.<bucket1>       Added 12 input variables from module definition.
03:12.024298000 terraform.parser.<bucket1>       Loaded module metadata for 3 module(s) from '.terraform/modules/modules.json'.
03:12.024308000 terraform.parser.<bucket1>       Working directory for module evaluation is '/tmp/tfsec-check'
03:12.024362000 terraform.parser.<bucket1>.evaluator Filesystem key is 'fcc4b050a2da87c154295ae67ffe9359e8db06d0d23a4e9305997ac263f01de9'
03:12.024365000 terraform.parser.<bucket1>.evaluator Starting module evaluation...
03:12.025572000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket.this' into 1 clones via 'count' attribute.
03:12.025583000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_accelerate_configuration.this' into 0 clones via 'count' attribute.
03:12.025668000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_acl.this' into 1 clones via 'count' attribute.
03:12.025680000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_cors_configuration.this' into 0 clones via 'count' attribute.
03:12.025689000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_lifecycle_configuration.this' into 0 clones via 'count' attribute.
03:12.025735000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_logging.this' into 1 clones via 'count' attribute.
03:12.025759000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_object_lock_configuration.this' into 0 clones via 'count' attribute.
03:12.025766000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_ownership_controls.this' into 0 clones via 'count' attribute.
03:12.025775000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_policy.this' into 0 clones via 'count' attribute.
03:12.025809000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_public_access_block.this' into 1 clones via 'count' attribute.
03:12.025828000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_replication_configuration.this' into 0 clones via 'count' attribute.
03:12.025838000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_request_payment_configuration.this' into 0 clones via 'count' attribute.
03:12.025894000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_server_side_encryption_configuration.this' into 1 clones via 'count' attribute.
03:12.025943000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_versioning.this' into 1 clones via 'count' attribute.
03:12.025954000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_website_configuration.this' into 0 clones via 'count' attribute.
03:12.025965000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_intelligent_tiering_configuration.this' into 0 clones via 'for_each' attribute.
03:12.025973000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_inventory.this' into 0 clones via 'for_each' attribute.
03:12.025982000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_metric.this' into 0 clones via 'for_each' attribute.
03:12.025988000 terraform.parser.<bucket1>.evaluator Expanded block 'dynamic.grant' into 0 clones via 'for_each' attribute.
03:12.026002000 terraform.parser.<bucket1>.evaluator Expanded block 'dynamic.access_control_policy' into 0 clones via 'for_each' attribute.
03:12.026450000 terraform.parser.<bucket1>.evaluator Expanded block 'dynamic.apply_server_side_encryption_by_default' into 0 clones via 'for_each' attribute.
03:12.026466000 terraform.parser.<bucket1>.evaluator Expanded block 'dynamic.grant' into 0 clones via 'for_each' attribute.
03:12.026481000 terraform.parser.<bucket1>.evaluator Expanded block 'dynamic.access_control_policy' into 0 clones via 'for_each' attribute.
03:12.026928000 terraform.parser.<bucket1>.evaluator Expanded block 'dynamic.apply_server_side_encryption_by_default' into 0 clones via 'for_each' attribute.
03:12.026933000 terraform.parser.<bucket1>.evaluator Starting submodule evaluation...
03:12.026935000 terraform.parser.<bucket1>.evaluator Finished processing 0 submodule(s).
03:12.026936000 terraform.parser.<bucket1>.evaluator Starting post-submodule evaluation...
03:12.029680000 terraform.parser.<bucket1>.evaluator Module evaluation complete.
03:12.030011000 terraform.parser.<bucket1>       Finished parsing module 'bucket1'.
03:12.030046000 terraform.parser.<bucket1>.evaluator Added module output s3_bucket_arn=cty.StringVal("e1ba6af9-455b-479a-b487-3573e0ccfad0").
03:12.030061000 terraform.parser.<bucket1>.evaluator Added module output s3_bucket_bucket_domain_name=cty.StringVal("").
03:12.030071000 terraform.parser.<bucket1>.evaluator Added module output s3_bucket_bucket_regional_domain_name=cty.StringVal("").
03:12.030083000 terraform.parser.<bucket1>.evaluator Added module output s3_bucket_hosted_zone_id=cty.StringVal("").
03:12.030098000 terraform.parser.<bucket1>.evaluator Added module output s3_bucket_id=cty.NilVal.
03:12.030109000 terraform.parser.<bucket1>.evaluator Added module output s3_bucket_region=cty.StringVal("").
03:12.030119000 terraform.parser.<bucket1>.evaluator Added module output s3_bucket_website_domain=cty.StringVal("").
03:12.030126000 terraform.parser.<bucket1>.evaluator Added module output s3_bucket_website_endpoint=cty.StringVal("").
03:12.030191000 terraform.parser.<bucket2>       Evaluating module...
03:12.034371000 terraform.parser.<bucket2>       Read 78 block(s) and 0 ignore(s) for module 'bucket2' (4 file[s])...
03:12.034403000 terraform.parser.<bucket2>       Added 12 input variables from module definition.
03:12.034489000 terraform.parser.<bucket2>       Loaded module metadata for 3 module(s) from '.terraform/modules/modules.json'.
03:12.034502000 terraform.parser.<bucket2>       Working directory for module evaluation is '/tmp/tfsec-check'
03:12.034550000 terraform.parser.<bucket2>.evaluator Filesystem key is 'fcc4b050a2da87c154295ae67ffe9359e8db06d0d23a4e9305997ac263f01de9'
03:12.034554000 terraform.parser.<bucket2>.evaluator Starting module evaluation...
03:12.035779000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket.this' into 1 clones via 'count' attribute.
03:12.035793000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_accelerate_configuration.this' into 0 clones via 'count' attribute.
03:12.035870000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_acl.this' into 1 clones via 'count' attribute.
03:12.035881000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_cors_configuration.this' into 0 clones via 'count' attribute.
03:12.035889000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_lifecycle_configuration.this' into 0 clones via 'count' attribute.
03:12.035933000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_logging.this' into 1 clones via 'count' attribute.
03:12.035957000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_object_lock_configuration.this' into 0 clones via 'count' attribute.
03:12.035964000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_ownership_controls.this' into 0 clones via 'count' attribute.
03:12.035970000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_policy.this' into 0 clones via 'count' attribute.
03:12.036241000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_public_access_block.this' into 1 clones via 'count' attribute.
03:12.036257000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_replication_configuration.this' into 0 clones via 'count' attribute.
03:12.036269000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_request_payment_configuration.this' into 0 clones via 'count' attribute.
03:12.036339000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_server_side_encryption_configuration.this' into 1 clones via 'count' attribute.
03:12.036387000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_versioning.this' into 1 clones via 'count' attribute.
03:12.036402000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_website_configuration.this' into 0 clones via 'count' attribute.
03:12.036412000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_intelligent_tiering_configuration.this' into 0 clones via 'for_each' attribute.
03:12.036421000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_inventory.this' into 0 clones via 'for_each' attribute.
03:12.036434000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_metric.this' into 0 clones via 'for_each' attribute.
03:12.036440000 terraform.parser.<bucket2>.evaluator Expanded block 'dynamic.grant' into 0 clones via 'for_each' attribute.
03:12.036456000 terraform.parser.<bucket2>.evaluator Expanded block 'dynamic.access_control_policy' into 0 clones via 'for_each' attribute.
03:12.036910000 terraform.parser.<bucket2>.evaluator Expanded block 'dynamic.apply_server_side_encryption_by_default' into 0 clones via 'for_each' attribute.
03:12.037051000 terraform.parser.<bucket2>.evaluator Expanded block 'dynamic.rule' into 1 clones via 'for_each' attribute.
03:12.037118000 terraform.parser.<bucket2>.evaluator Expanded block 'dynamic.apply_server_side_encryption_by_default' into 1 clones via 'for_each' attribute.
03:12.037148000 terraform.parser.<bucket2>.evaluator Expanded block 'dynamic.grant' into 0 clones via 'for_each' attribute.
03:12.037163000 terraform.parser.<bucket2>.evaluator Expanded block 'dynamic.access_control_policy' into 0 clones via 'for_each' attribute.
03:12.037612000 terraform.parser.<bucket2>.evaluator Expanded block 'dynamic.apply_server_side_encryption_by_default' into 0 clones via 'for_each' attribute.
03:12.037681000 terraform.parser.<bucket2>.evaluator Expanded block 'dynamic.apply_server_side_encryption_by_default' into 1 clones via 'for_each' attribute.
03:12.037828000 terraform.parser.<bucket2>.evaluator Expanded block 'dynamic.rule' into 1 clones via 'for_each' attribute.
03:12.037894000 terraform.parser.<bucket2>.evaluator Expanded block 'dynamic.apply_server_side_encryption_by_default' into 1 clones via 'for_each' attribute.
03:12.037913000 terraform.parser.<bucket2>.evaluator Starting submodule evaluation...
03:12.037918000 terraform.parser.<bucket2>.evaluator Finished processing 0 submodule(s).
03:12.037919000 terraform.parser.<bucket2>.evaluator Starting post-submodule evaluation...
03:12.038581000 terraform.parser.<bucket2>.evaluator Module evaluation complete.
03:12.038589000 terraform.parser.<bucket2>       Finished parsing module 'bucket2'.
03:12.038598000 terraform.parser.<bucket2>.evaluator Added module output s3_bucket_arn=cty.StringVal("47678655-779b-473c-8ded-06aa61f99e48").
03:12.038608000 terraform.parser.<bucket2>.evaluator Added module output s3_bucket_bucket_domain_name=cty.StringVal("").
03:12.038619000 terraform.parser.<bucket2>.evaluator Added module output s3_bucket_bucket_regional_domain_name=cty.StringVal("").
03:12.038632000 terraform.parser.<bucket2>.evaluator Added module output s3_bucket_hosted_zone_id=cty.StringVal("").
03:12.038646000 terraform.parser.<bucket2>.evaluator Added module output s3_bucket_id=cty.NilVal.
03:12.038655000 terraform.parser.<bucket2>.evaluator Added module output s3_bucket_region=cty.StringVal("").
03:12.038662000 terraform.parser.<bucket2>.evaluator Added module output s3_bucket_website_domain=cty.StringVal("").
03:12.038672000 terraform.parser.<bucket2>.evaluator Added module output s3_bucket_website_endpoint=cty.StringVal("").
03:12.038678000 terraform.parser.<root>.evaluator Finished processing 2 submodule(s).
03:12.038680000 terraform.parser.<root>.evaluator Starting post-submodule evaluation...
03:12.038709000 terraform.parser.<root>.evaluator Module evaluation complete.
03:12.038711000 terraform.parser.<root>          Finished parsing module 'root'.
03:12.038713000 terraform.executor               Adapting modules...
03:12.039334000 terraform.executor               Adapted 3 module(s) into defsec state data.
03:12.039339000 terraform.executor               Using max routines of 9
03:12.039340000 terraform.executor               Applying state modifier functions...
03:12.039397000 terraform.executor               Initialised 398 rule(s).
03:12.039399000 terraform.executor               Created pool with 9 worker(s) to apply rules.
03:12.039693000 terraform.scanner.rego           Scanning 1 inputs...
03:12.043835000 terraform.executor               Finished applying rules.
03:12.043846000 terraform.executor               Applying ignores...
03:12.292278000 json.scanner.rego                Loaded 3 embedded libraries.
03:12.306658000 json.scanner.rego                Loaded 123 embedded policies.
03:12.391930000 json.scanner.rego                Scanning 3 inputs...
03:12.393755000 yaml.scanner.rego                Loaded 3 embedded libraries.
03:12.407540000 yaml.scanner.rego                Loaded 123 embedded policies.
03:12.492144000 yaml.scanner.rego                Scanning 6 inputs...
03:12.496653000 azure.arm.rego                   Loaded 3 embedded libraries.
03:12.510641000 azure.arm.rego                   Loaded 123 embedded policies.
AVD-AWS-0088 aws-s3-enable-bucket-encryption terraform-aws-modules/s3-bucket/aws/.terraform/modules/bucket1/main.tf:145-167
AVD-AWS-0132 aws-s3-encryption-customer-key terraform-aws-modules/s3-bucket/aws/.terraform/modules/bucket1/main.tf:145-167

Output of trivy -v:

Version: 0.35.0
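A triage helper, added here and not part of the issue or of the trivy/defsec code, that reads defsec evaluator lines like the ones in the log above and reports dynamic blocks whose expansion count differs between instances of the same module (in the log, bucket1 never gets a `dynamic.rule` expansion while bucket2 gets one). A mismatch like that for instances declared with equivalent inputs points to a scanner evaluation artifact rather than a bucket that is really missing its encryption block. The sample lines are constructed from the excerpt above; the module labels passed in are assumed to be the ones that appear inside `terraform.parser.<...>`.

```python
import re
from collections import defaultdict

# Constructed sample of defsec debug lines, modelled on the log in the issue above.
SAMPLE_LOG = """\
03:12.025894000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_server_side_encryption_configuration.this' into 1 clones via 'count' attribute.
03:12.026450000 terraform.parser.<bucket1>.evaluator Expanded block 'dynamic.apply_server_side_encryption_by_default' into 0 clones via 'for_each' attribute.
03:12.026928000 terraform.parser.<bucket1>.evaluator Expanded block 'dynamic.apply_server_side_encryption_by_default' into 0 clones via 'for_each' attribute.
03:12.036339000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_server_side_encryption_configuration.this' into 1 clones via 'count' attribute.
03:12.036910000 terraform.parser.<bucket2>.evaluator Expanded block 'dynamic.apply_server_side_encryption_by_default' into 0 clones via 'for_each' attribute.
03:12.037051000 terraform.parser.<bucket2>.evaluator Expanded block 'dynamic.rule' into 1 clones via 'for_each' attribute.
03:12.037118000 terraform.parser.<bucket2>.evaluator Expanded block 'dynamic.apply_server_side_encryption_by_default' into 1 clones via 'for_each' attribute.
"""

# Matches the "Expanded block ... into N clones" lines the defsec evaluator emits per module.
EXPAND_RE = re.compile(
    r"terraform\.parser\.<(?P<module>[^>]+)>\.evaluator\s+"
    r"Expanded block '(?P<block>[^']+)' into (?P<clones>\d+) clones via '(?P<via>count|for_each)'"
)


def parse_expansions(log_text):
    """Return {module: {block: max clone count seen}} from defsec evaluator lines."""
    expansions = defaultdict(dict)
    for line in log_text.splitlines():
        m = EXPAND_RE.search(line)
        if not m:
            continue
        module, block, clones = m["module"], m["block"], int(m["clones"])
        # A dynamic block is expanded once per parent clone, so the same block can
        # appear several times; keep the largest count so a later "1" is not lost.
        expansions[module][block] = max(expansions[module].get(block, 0), clones)
    return dict(expansions)


def inconsistent_dynamic_blocks(expansions, modules):
    """List (block, {module: clones}) for dynamic.* blocks whose expansion count
    differs across the given module instances; a block absent from an instance
    counts as 0 clones, which is exactly the bucket1 case in the issue."""
    blocks = set()
    for mod in modules:
        blocks.update(expansions.get(mod, {}))
    findings = []
    for block in sorted(blocks):
        if not block.startswith("dynamic."):
            continue
        counts = {mod: expansions.get(mod, {}).get(block, 0) for mod in modules}
        if len(set(counts.values())) > 1:
            findings.append((block, counts))
    return findings


def triage(log_text, modules):
    """Convenience wrapper: parse a debug log and report mismatched dynamic blocks."""
    return inconsistent_dynamic_blocks(parse_expansions(log_text), modules)


if __name__ == "__main__":
    for block, counts in triage(SAMPLE_LOG, ["bucket1", "bucket2"]):
        print(f"{block}: expansion differs between instances -> {counts}")
```

Run it against the full `-debug` output of a real scan; any `dynamic.*` block reported here for instances that were declared identically is worth re-checking before treating the finding as a real misconfiguration.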
@simar7 simar7 added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels Jun 13, 2023
@simar7 simar7 added this to the v0.44.0 milestone Aug 1, 2023
simar7 commented Aug 1, 2023

Closed via aquasecurity/defsec#1374

@simar7 simar7 closed this as completed Aug 1, 2023
@itaysk itaysk added the kind/feature Categorizes issue or PR as related to a new feature. label Aug 3, 2023