bug(misconf): improve false negatives with terraform dynamic blocks #5902

Closed
2 tasks done
nikpivkin opened this issue Jan 9, 2024 Discussed in #5868 · 0 comments · Fixed by #6151
Labels
scan/misconfiguration Issues relating to misconfiguration scanning
Comments


nikpivkin commented Jan 9, 2024

Example:

locals {
  cluster_network_policy = [{
    enabled = true
  }]
}

resource "google_container_cluster" "primary" {
  name = "test"

  dynamic "network_policy" {
    for_each = local.cluster_network_policy

    content {
      enabled = network_policy.value.enabled
    }
  }
}

Discussed in #5868

Originally posted by pawelmrowka January 4, 2024

IDs

avd-gcp-0056

Description

Trivy incorrectly detects avd-gcp-0056 when using gke terraform module:
https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/tree/master#usage
probably due to the use of dynamic block
We found a similar issue with: https://github.com/terraform-google-modules/terraform-google-sql-db/tree/v18.1.0/modules/mysql and:
AVD-GCP-0015 - dynamic "ip_configuration"
AVD-GCP-0024 - dynamic "backup_configuration"

Reproduction Steps

1. Copy usage example from https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/tree/master#usage to main.tf
2. Run trivy fs --skip-dirs .terraform --scanners misconfig . You will find avd-gcp-0056 among the vulnerabilities (that's good)
3. Change in main.tf:
  network_policy             = false
to
  network_policy             = true
4. Rerun trivy fs --skip-dirs .terraform --scanners misconfig . You will find avd-gcp-0056 among the vulnerabilities (that's not good)
...

Target

Filesystem

Scanner

Misconfiguration

Target OS

No response

Debug Output

$ trivy fs --skip-dirs .terraform --scanners misconfig . --debug
2024-01-04T09:27:45.522+0100	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-01-04T09:27:45.522+0100	DEBUG	Ignore statuses	{"statuses": null}
2024-01-04T09:27:45.526+0100	DEBUG	cache dir:  /home/ant/.cache/trivy
2024-01-04T09:27:45.526+0100	INFO	Misconfiguration scanning is enabled
2024-01-04T09:27:45.526+0100	DEBUG	Policies successfully loaded from disk
2024-01-04T09:27:45.526+0100	DEBUG	Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-01-04T09:27:45.534+0100	DEBUG	The nuget packages directory couldn't be found. License search disabled
2024-01-04T09:27:45.537+0100	DEBUG	Walk the file tree rooted at '.' in parallel
2024-01-04T09:27:45.537+0100	DEBUG	Skipping directory: .terraform
2024-01-04T09:27:45.537+0100	DEBUG	Scanning Terraform files for misconfigurations...
2024-01-04T09:27:45.537+0100	DEBUG	[misconf] 27:45.537375968 terraform.scanner                Scanning [&{%!s(*mapfs.file=&{ [] {. 256 2147484096 {13933496095977458232 454427664 0x55c676d4ae60} <nil>} {{{0 0} {[] {} 0xc002c2d930} map[main.tf:0xc00292ef80] 0}}}) .}] at '.'...
2024-01-04T09:27:45.538+0100	DEBUG	[misconf] 27:45.538990079 terraform.scanner.rego           Overriding filesystem for policies!
2024-01-04T09:27:45.576+0100	DEBUG	[misconf] 27:45.576125176 terraform.scanner.rego           Loaded 188 policies from disk.
2024-01-04T09:27:45.576+0100	DEBUG	[misconf] 27:45.576481761 terraform.scanner.rego           Overriding filesystem for data!
2024-01-04T09:27:45.929+0100	DEBUG	[misconf] 27:45.929362309 terraform.scanner                Scanning root module '.'...
2024-01-04T09:27:45.929+0100	DEBUG	[misconf] 27:45.929402260 terraform.parser.<root>          Setting project/module root to '.'
2024-01-04T09:27:45.929+0100	DEBUG	[misconf] 27:45.929406269 terraform.parser.<root>          Parsing FS from '.'
2024-01-04T09:27:45.929+0100	DEBUG	[misconf] 27:45.929423586 terraform.parser.<root>          Parsing 'main.tf'...
2024-01-04T09:27:45.929+0100	DEBUG	[misconf] 27:45.929744076 terraform.parser.<root>          Added file main.tf.
2024-01-04T09:27:45.929+0100	DEBUG	[misconf] 27:45.929754445 terraform.parser.<root>          Evaluating module...
2024-01-04T09:27:45.929+0100	DEBUG	[misconf] 27:45.929931256 terraform.parser.<root>          Read 3 block(s) and 0 ignore(s) for module 'root' (1 file[s])...
2024-01-04T09:27:45.929+0100	DEBUG	[misconf] 27:45.929944857 terraform.parser.<root>          Added 0 variables from tfvars.
2024-01-04T09:27:45.929+0100	DEBUG	[misconf] 27:45.929951238 terraform.parser.<root>          Error loading module metadata: open .terraform/modules/modules.json: file does not exist.
2024-01-04T09:27:45.929+0100	DEBUG	[misconf] 27:45.929978016 terraform.parser.<root>          Working directory for module evaluation is '/home/ant/tmp/trivy-test'
2024-01-04T09:27:45.930+0100	DEBUG	[misconf] 27:45.930016027 terraform.parser.<root>.evaluator Filesystem key is '5cfd7fbf905e60ef985cc7cb06ed1f76cbf8c7283d6227ede0f38226d4cc6fb2'
2024-01-04T09:27:45.930+0100	DEBUG	[misconf] 27:45.930022626 terraform.parser.<root>.evaluator Starting module evaluation...
2024-01-04T09:27:45.930+0100	DEBUG	[misconf] 27:45.930145799 terraform.parser.<root>.evaluator Starting submodule evaluation...
2024-01-04T09:27:45.930+0100	DEBUG	[misconf] 27:45.930155531 terraform.parser.<root>.evaluator locating non-initialised module 'terraform-google-modules/kubernetes-engine/google'...
2024-01-04T09:27:45.930+0100	DEBUG	[misconf] 27:45.930162263 terraform.parser.<root>.evaluator.resolver Resolving module 'module.gke' with source: 'terraform-google-modules/kubernetes-engine/google'...
2024-01-04T09:27:45.930+0100	DEBUG	[misconf] 27:45.930194286 terraform.parser.<root>.evaluator.resolver Trying to resolve: 8956e3d78c99f74ad536984693efa725
2024-01-04T09:27:45.930+0100	DEBUG	[misconf] 27:45.930209483 terraform.parser.<root>.evaluator.resolver Module 'module.gke' resolving via cache...
2024-01-04T09:27:45.930+0100	DEBUG	[misconf] 27:45.930214894 terraform.parser.<root>.evaluator.resolver Module path is .
2024-01-04T09:27:45.930+0100	DEBUG	[misconf] 27:45.930220257 terraform.parser.<root>.evaluator Module 'module.gke' resolved to path '.' in filesystem '/tmp/.aqua/cache/8956e3d78c99f74ad536984693efa725' with prefix 'terraform-google-modules/kubernetes-engine/google'
2024-01-04T09:27:45.930+0100	DEBUG	[misconf] 27:45.930225221 terraform.parser.<gke>           Parsing FS from '.'
2024-01-04T09:27:45.930+0100	DEBUG	[misconf] 27:45.930293747 terraform.parser.<gke>           Parsing 'cluster.tf'...
2024-01-04T09:27:45.934+0100	DEBUG	[misconf] 27:45.934666237 terraform.parser.<gke>           Added file cluster.tf.
2024-01-04T09:27:45.934+0100	DEBUG	[misconf] 27:45.934853574 terraform.parser.<gke>           Parsing 'dns.tf'...
2024-01-04T09:27:45.935+0100	DEBUG	[misconf] 27:45.935385165 terraform.parser.<gke>           Added file dns.tf.
2024-01-04T09:27:45.935+0100	DEBUG	[misconf] 27:45.935477193 terraform.parser.<gke>           Parsing 'firewall.tf'...
2024-01-04T09:27:45.936+0100	DEBUG	[misconf] 27:45.936622152 terraform.parser.<gke>           Added file firewall.tf.
2024-01-04T09:27:45.936+0100	DEBUG	[misconf] 27:45.936641734 terraform.parser.<gke>           Parsing 'main.tf'...
2024-01-04T09:27:45.937+0100	DEBUG	[misconf] 27:45.937610716 terraform.parser.<gke>           Added file main.tf.
2024-01-04T09:27:45.937+0100	DEBUG	[misconf] 27:45.937619887 terraform.parser.<gke>           Parsing 'masq.tf'...
2024-01-04T09:27:45.937+0100	DEBUG	[misconf] 27:45.937744945 terraform.parser.<gke>           Added file masq.tf.
2024-01-04T09:27:45.937+0100	DEBUG	[misconf] 27:45.937750042 terraform.parser.<gke>           Parsing 'networks.tf'...
2024-01-04T09:27:45.937+0100	DEBUG	[misconf] 27:45.937812794 terraform.parser.<gke>           Added file networks.tf.
2024-01-04T09:27:45.937+0100	DEBUG	[misconf] 27:45.937817569 terraform.parser.<gke>           Parsing 'outputs.tf'...
2024-01-04T09:27:45.938+0100	DEBUG	[misconf] 27:45.938258644 terraform.parser.<gke>           Added file outputs.tf.
2024-01-04T09:27:45.938+0100	DEBUG	[misconf] 27:45.938263801 terraform.parser.<gke>           Parsing 'sa.tf'...
2024-01-04T09:27:45.938+0100	DEBUG	[misconf] 27:45.938524427 terraform.parser.<gke>           Added file sa.tf.
2024-01-04T09:27:45.938+0100	DEBUG	[misconf] 27:45.938529033 terraform.parser.<gke>           Parsing 'variables.tf'...
2024-01-04T09:27:45.940+0100	DEBUG	[misconf] 27:45.940644281 terraform.parser.<gke>           Added file variables.tf.
2024-01-04T09:27:45.940+0100	DEBUG	[misconf] 27:45.940652717 terraform.parser.<gke>           Parsing 'variables_defaults.tf'...
2024-01-04T09:27:45.941+0100	DEBUG	[misconf] 27:45.941019810 terraform.parser.<gke>           Added file variables_defaults.tf.
2024-01-04T09:27:45.941+0100	DEBUG	[misconf] 27:45.941027180 terraform.parser.<gke>           Parsing 'versions.tf'...
2024-01-04T09:27:45.941+0100	DEBUG	[misconf] 27:45.941134168 terraform.parser.<gke>           Added file versions.tf.
2024-01-04T09:27:45.941+0100	DEBUG	[misconf] 27:45.941140685 terraform.parser.<root>.evaluator Loaded module 'gke' from '.'.
2024-01-04T09:27:45.941+0100	DEBUG	[misconf] 27:45.941144713 terraform.parser.<gke>           Evaluating module...
2024-01-04T09:27:45.948+0100	DEBUG	[misconf] 27:45.948504016 terraform.parser.<gke>           Read 147 block(s) and 0 ignore(s) for module 'gke' (11 file[s])...
2024-01-04T09:27:45.948+0100	DEBUG	[misconf] 27:45.948601872 terraform.parser.<gke>           Added 20 input variables from module definition.
2024-01-04T09:27:45.948+0100	DEBUG	[misconf] 27:45.948625918 terraform.parser.<gke>           Error loading module metadata: open .terraform/modules/modules.json: no such file or directory.
2024-01-04T09:27:45.948+0100	DEBUG	[misconf] 27:45.948637309 terraform.parser.<gke>           Working directory for module evaluation is '/home/ant/tmp/trivy-test'
2024-01-04T09:27:45.948+0100	DEBUG	[misconf] 27:45.948738617 terraform.parser.<gke>.evaluator Filesystem key is '68c564a2c81e99e8adfd4aeffc0ccd21b8e8a0155d140e7bc0d5805478113aca'
2024-01-04T09:27:45.948+0100	DEBUG	[misconf] 27:45.948743646 terraform.parser.<gke>.evaluator Starting module evaluation...
2024-01-04T09:27:45.957+0100	DEBUG	[misconf] 27:45.957527024 terraform.parser.<gke>.evaluator Expanded block 'data.google_compute_subnetwork.gke_subnetwork' into 0 clones via 'count' attribute.
2024-01-04T09:27:45.957+0100	DEBUG	[misconf] 27:45.957567099 terraform.parser.<gke>.evaluator Expanded block 'data.google_compute_zones.available' into 0 clones via 'count' attribute.
2024-01-04T09:27:45.957+0100	DEBUG	[misconf] 27:45.957595522 terraform.parser.<gke>.evaluator Expanded block 'google_compute_firewall.intra_egress' into 0 clones via 'count' attribute.
2024-01-04T09:27:45.957+0100	DEBUG	[misconf] 27:45.957610409 terraform.parser.<gke>.evaluator Expanded block 'google_compute_firewall.master_webhooks' into 0 clones via 'count' attribute.
2024-01-04T09:27:45.957+0100	DEBUG	[misconf] 27:45.957622133 terraform.parser.<gke>.evaluator Expanded block 'google_compute_firewall.shadow_allow_inkubelet' into 0 clones via 'count' attribute.
2024-01-04T09:27:45.957+0100	DEBUG	[misconf] 27:45.957633288 terraform.parser.<gke>.evaluator Expanded block 'google_compute_firewall.shadow_allow_master' into 0 clones via 'count' attribute.
2024-01-04T09:27:45.957+0100	DEBUG	[misconf] 27:45.957644178 terraform.parser.<gke>.evaluator Expanded block 'google_compute_firewall.shadow_allow_nodes' into 0 clones via 'count' attribute.
2024-01-04T09:27:45.957+0100	DEBUG	[misconf] 27:45.957654464 terraform.parser.<gke>.evaluator Expanded block 'google_compute_firewall.shadow_allow_pods' into 0 clones via 'count' attribute.
2024-01-04T09:27:45.957+0100	DEBUG	[misconf] 27:45.957664719 terraform.parser.<gke>.evaluator Expanded block 'google_compute_firewall.shadow_deny_exkubelet' into 0 clones via 'count' attribute.
2024-01-04T09:27:45.957+0100	DEBUG	[misconf] 27:45.957741860 terraform.parser.<gke>.evaluator Expanded block 'google_project_iam_member.cluster_service_account-nodeService_account' into 1 clones via 'count' attribute.
2024-01-04T09:27:45.957+0100	DEBUG	[misconf] 27:45.957792050 terraform.parser.<gke>.evaluator Expanded block 'google_service_account.cluster_service_account' into 1 clones via 'count' attribute.
2024-01-04T09:27:45.957+0100	DEBUG	[misconf] 27:45.957800870 terraform.parser.<gke>.evaluator Expanded block 'kubernetes_config_map.ip-masq-agent' into 0 clones via 'count' attribute.
2024-01-04T09:27:45.957+0100	DEBUG	[misconf] 27:45.957814441 terraform.parser.<gke>.evaluator Expanded block 'kubernetes_config_map_v1_data.kube-dns' into 0 clones via 'count' attribute.
2024-01-04T09:27:45.957+0100	DEBUG	[misconf] 27:45.957826348 terraform.parser.<gke>.evaluator Expanded block 'kubernetes_config_map_v1_data.kube-dns-upstream-nameservers-and-stub-domains' into 0 clones via 'count' attribute.
2024-01-04T09:27:45.957+0100	DEBUG	[misconf] 27:45.957840649 terraform.parser.<gke>.evaluator Expanded block 'kubernetes_config_map_v1_data.kube-dns-upstream-namservers' into 0 clones via 'count' attribute.
2024-01-04T09:27:45.957+0100	DEBUG	[misconf] 27:45.957852263 terraform.parser.<gke>.evaluator Expanded block 'random_shuffle.available_zones' into 0 clones via 'count' attribute.
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958256665 terraform.parser.<gke>.evaluator Expanded block 'google_container_node_pool.pools' into 1 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958267846 terraform.parser.<gke>.evaluator Expanded block 'google_container_node_pool.windows_pools' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958317380 terraform.parser.<gke>.evaluator Expanded block 'google_project_iam_member.cluster_service_account-artifact-registry' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958339932 terraform.parser.<gke>.evaluator Expanded block 'google_project_iam_member.cluster_service_account-gcr' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958355804 terraform.parser.<gke>.evaluator Expanded block 'dynamic.auto_provisioning_defaults' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958364902 terraform.parser.<gke>.evaluator Expanded block 'dynamic.resource_limits' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958394488 terraform.parser.<gke>.evaluator "for_each" argument is invalid: arg is null
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958401834 terraform.parser.<gke>.evaluator "for_each" argument is invalid: tuple type is not supported: arg is not set or map
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958408833 terraform.parser.<gke>.evaluator "for_each" argument is invalid: tuple type is not supported: arg is not set or map
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958418495 terraform.parser.<gke>.evaluator Expanded block 'dynamic.gcs_fuse_csi_driver_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958435166 terraform.parser.<gke>.evaluator Expanded block 'dynamic.additional_pod_ranges_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958473238 terraform.parser.<gke>.evaluator "for_each" argument is invalid: arg is null
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958482463 terraform.parser.<gke>.evaluator Expanded block 'dynamic.recurring_window' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958488117 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of number type is not supported: arg is not set or map
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958497472 terraform.parser.<gke>.evaluator Expanded block 'dynamic.maintenance_exclusion' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958525312 terraform.parser.<gke>.evaluator Expanded block 'dynamic.gcfs_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958550850 terraform.parser.<gke>.evaluator Expanded block 'dynamic.gvnic' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958555955 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of object type is not supported: arg is not set or map
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958563262 terraform.parser.<gke>.evaluator "for_each" argument is invalid: tuple type is not supported: arg is not set or map
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958569395 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of object type is not supported: arg is not set or map
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958583364 terraform.parser.<gke>.evaluator Expanded block 'dynamic.gateway_api_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958598923 terraform.parser.<gke>.evaluator Expanded block 'dynamic.cost_management_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958618725 terraform.parser.<gke>.evaluator Expanded block 'dynamic.logging_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958637837 terraform.parser.<gke>.evaluator Expanded block 'dynamic.monitoring_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958657585 terraform.parser.<gke>.evaluator Expanded block 'dynamic.binary_authorization' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958673468 terraform.parser.<gke>.evaluator Expanded block 'dynamic.master_authorized_networks_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958692602 terraform.parser.<gke>.evaluator Expanded block 'dynamic.service_external_ips_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958732162 terraform.parser.<gke>.evaluator Expanded block 'dynamic.dns_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958769034 terraform.parser.<gke>.evaluator Expanded block 'dynamic.resource_usage_export_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958774382 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of object type is not supported: arg is not set or map
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958780190 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of object type is not supported: arg is not set or map
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958786995 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of object type is not supported: arg is not set or map
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958805804 terraform.parser.<gke>.evaluator Expanded block 'dynamic.authenticator_groups_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958844878 terraform.parser.<gke>.evaluator Expanded block 'dynamic.blue_green_settings' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958880261 terraform.parser.<gke>.evaluator Expanded block 'dynamic.gpu_driver_installation_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958917447 terraform.parser.<gke>.evaluator Expanded block 'dynamic.gcfs_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958951904 terraform.parser.<gke>.evaluator Expanded block 'dynamic.gvnic' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100	DEBUG	[misconf] 27:45.958968124 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of object type is not supported: arg is not set or map
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959008295 terraform.parser.<gke>.evaluator Expanded block 'dynamic.guest_accelerator' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959013366 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of object type is not supported: arg is not set or map
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959050252 terraform.parser.<gke>.evaluator Expanded block 'dynamic.linux_node_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959067132 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of map of string type is not supported: arg is not set or map
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959104632 terraform.parser.<gke>.evaluator Expanded block 'dynamic.auto_provisioning_defaults' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959124879 terraform.parser.<gke>.evaluator Expanded block 'dynamic.resource_limits' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959153586 terraform.parser.<gke>.evaluator "for_each" argument is invalid: arg is null
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959159653 terraform.parser.<gke>.evaluator "for_each" argument is invalid: tuple type is not supported: arg is not set or map
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959163896 terraform.parser.<gke>.evaluator "for_each" argument is invalid: tuple type is not supported: arg is not set or map
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959183763 terraform.parser.<gke>.evaluator Expanded block 'dynamic.gcs_fuse_csi_driver_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959210958 terraform.parser.<gke>.evaluator Expanded block 'dynamic.additional_pod_ranges_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959249004 terraform.parser.<gke>.evaluator "for_each" argument is invalid: arg is null
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959269774 terraform.parser.<gke>.evaluator Expanded block 'dynamic.recurring_window' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959274831 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of number type is not supported: arg is not set or map
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959296310 terraform.parser.<gke>.evaluator Expanded block 'dynamic.maintenance_exclusion' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959332379 terraform.parser.<gke>.evaluator Expanded block 'dynamic.gcfs_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959368078 terraform.parser.<gke>.evaluator Expanded block 'dynamic.gvnic' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959372750 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of object type is not supported: arg is not set or map
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959378572 terraform.parser.<gke>.evaluator "for_each" argument is invalid: tuple type is not supported: arg is not set or map
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959383458 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of object type is not supported: arg is not set or map
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959402447 terraform.parser.<gke>.evaluator Expanded block 'dynamic.gateway_api_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959426601 terraform.parser.<gke>.evaluator Expanded block 'dynamic.cost_management_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959453045 terraform.parser.<gke>.evaluator Expanded block 'dynamic.logging_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959477963 terraform.parser.<gke>.evaluator Expanded block 'dynamic.monitoring_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959501315 terraform.parser.<gke>.evaluator Expanded block 'dynamic.binary_authorization' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959530594 terraform.parser.<gke>.evaluator Expanded block 'dynamic.master_authorized_networks_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959553456 terraform.parser.<gke>.evaluator Expanded block 'dynamic.service_external_ips_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959579794 terraform.parser.<gke>.evaluator Expanded block 'dynamic.dns_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959615992 terraform.parser.<gke>.evaluator Expanded block 'dynamic.resource_usage_export_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959620995 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of object type is not supported: arg is not set or map
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959626944 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of object type is not supported: arg is not set or map
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959631381 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of object type is not supported: arg is not set or map
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959651651 terraform.parser.<gke>.evaluator Expanded block 'dynamic.authenticator_groups_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959689410 terraform.parser.<gke>.evaluator Expanded block 'dynamic.blue_green_settings' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100	DEBUG	[misconf] 27:45.959725819 terraform.parser.<gke>.evaluator Expanded block 'dynamic.gpu_driver_installation_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.962+0100	DEBUG	[misconf] 27:45.962670231 terraform.parser.<gke>.evaluator Expanded block 'dynamic.gcfs_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.962+0100	DEBUG	[misconf] 27:45.962721580 terraform.parser.<gke>.evaluator Expanded block 'dynamic.gvnic' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.962+0100	DEBUG	[misconf] 27:45.962743074 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of object type is not supported: arg is not set or map
2024-01-04T09:27:45.962+0100	DEBUG	[misconf] 27:45.962796711 terraform.parser.<gke>.evaluator Expanded block 'dynamic.guest_accelerator' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.962+0100	DEBUG	[misconf] 27:45.962803415 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of object type is not supported: arg is not set or map
2024-01-04T09:27:45.962+0100	DEBUG	[misconf] 27:45.962843477 terraform.parser.<gke>.evaluator Expanded block 'dynamic.linux_node_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.962+0100	DEBUG	[misconf] 27:45.962861463 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of map of string type is not supported: arg is not set or map
2024-01-04T09:27:45.962+0100	DEBUG	[misconf] 27:45.962866678 terraform.parser.<gke>.evaluator Starting submodule evaluation...
2024-01-04T09:27:45.962+0100	DEBUG	[misconf] 27:45.962875480 terraform.parser.<gke>.evaluator Finished processing 0 submodule(s).
2024-01-04T09:27:45.962+0100	DEBUG	[misconf] 27:45.962879947 terraform.parser.<gke>.evaluator Starting post-submodule evaluation...
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968110877 terraform.parser.<gke>.evaluator Module evaluation complete.
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968147091 terraform.parser.<gke>           Finished parsing module 'gke'.
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968154305 terraform.parser.<gke>.evaluator Added module output ca_certificate=cty.NilVal.
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968159419 terraform.parser.<gke>.evaluator Added module output cluster_id=cty.StringVal("4898783e-589a-4173-94f7-b10c2f9e5944").
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968163469 terraform.parser.<gke>.evaluator Added module output endpoint=cty.NilVal.
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968184943 terraform.parser.<gke>.evaluator Added module output gateway_api_channel=cty.NilVal.
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968189081 terraform.parser.<gke>.evaluator Added module output horizontal_pod_autoscaling_enabled=cty.NilVal.
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968193984 terraform.parser.<gke>.evaluator Added module output http_load_balancing_enabled=cty.NilVal.
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968209331 terraform.parser.<gke>.evaluator Added module output identity_namespace=cty.StringVal("<PROJECT ID>.svc.id.goog").
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968219467 terraform.parser.<gke>.evaluator Added module output instance_group_urls=cty.NilVal.
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968224491 terraform.parser.<gke>.evaluator Added module output location=cty.StringVal("us-central1").
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968228909 terraform.parser.<gke>.evaluator Added module output logging_service=cty.StringVal("logging.googleapis.com/kubernetes").
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968235215 terraform.parser.<gke>.evaluator Added module output master_authorized_networks_config=cty.NilVal.
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968245298 terraform.parser.<gke>.evaluator Added module output master_version=cty.NilVal.
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968276067 terraform.parser.<gke>.evaluator Added module output mesh_certificates_config=cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"enable_certificates":cty.False})}).
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968281158 terraform.parser.<gke>.evaluator Added module output min_master_version=cty.NilVal.
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968286510 terraform.parser.<gke>.evaluator Added module output monitoring_service=cty.StringVal("monitoring.googleapis.com/kubernetes").
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968291995 terraform.parser.<gke>.evaluator Added module output name=cty.NilVal.
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968296564 terraform.parser.<gke>.evaluator Added module output network_policy_enabled=cty.NilVal.
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968303244 terraform.parser.<gke>.evaluator Added module output node_pools_names=cty.TupleVal([]cty.Value{cty.StringVal("default-node-pool"), cty.StringVal(""), cty.StringVal("")}).
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968310225 terraform.parser.<gke>.evaluator Added module output node_pools_versions=cty.ObjectVal(map[string]cty.Value{"default-node-pool":cty.StringVal("")}).
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968315902 terraform.parser.<gke>.evaluator Added module output region=cty.StringVal("us-central1").
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968320673 terraform.parser.<gke>.evaluator Added module output release_channel=cty.StringVal("REGULAR").
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968325345 terraform.parser.<gke>.evaluator Added module output service_account=cty.NilVal.
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968330369 terraform.parser.<gke>.evaluator Added module output type=cty.StringVal("regional").
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968335212 terraform.parser.<gke>.evaluator Added module output vertical_pod_autoscaling_enabled=cty.NilVal.
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968342589 terraform.parser.<gke>.evaluator Added module output zones=cty.ListVal([]cty.Value{cty.StringVal("us-central1-a"), cty.StringVal("us-central1-b"), cty.StringVal("us-central1-f")}).
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968355319 terraform.parser.<root>.evaluator Finished processing 1 submodule(s).
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968359018 terraform.parser.<root>.evaluator Starting post-submodule evaluation...
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968421341 terraform.parser.<root>.evaluator Module evaluation complete.
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968426201 terraform.parser.<root>          Finished parsing module 'root'.
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968433554 terraform.executor               Adapting modules...
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968797011 terraform.executor               Adapted 2 module(s) into defsec state data.
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968806766 terraform.executor               Using max routines of 7
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968810268 terraform.executor               Applying state modifier functions...
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968875483 terraform.executor               Initialised 484 rule(s).
2024-01-04T09:27:45.968+0100	DEBUG	[misconf] 27:45.968879578 terraform.executor               Created pool with 7 worker(s) to apply rules.
2024-01-04T09:27:45.969+0100	DEBUG	[misconf] 27:45.969859471 terraform.scanner.rego           Scanning 1 inputs...
2024-01-04T09:27:45.981+0100	DEBUG	[misconf] 27:45.981384167 terraform.executor               Finished applying rules.
2024-01-04T09:27:45.981+0100	DEBUG	[misconf] 27:45.981413156 terraform.executor               Applying ignores...
2024-01-04T09:27:46.024+0100	DEBUG	OS is not detected.
2024-01-04T09:27:46.024+0100	INFO	Detected config files: 3
2024-01-04T09:27:46.024+0100	DEBUG	Scanned config file: .
2024-01-04T09:27:46.024+0100	DEBUG	Scanned config file: terraform-google-modules/kubernetes-engine/google/cluster.tf
2024-01-04T09:27:46.024+0100	DEBUG	Scanned config file: terraform-google-modules/kubernetes-engine/google/sa.tf

terraform-google-modules/kubernetes-engine/google/cluster.tf (terraform)

Tests: 18 (SUCCESSES: 12, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 3, CRITICAL: 0)

LOW: Cluster does not use GCE resource labels.
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Labels make it easier to manage assets and differentiate between clusters and environments, allowing the mapping of computational resources to the wider organisational structure.

See https://avd.aquasec.com/misconfig/avd-gcp-0051
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 terraform-google-modules/kubernetes-engine/google/cluster.tf:28
   via terraform-google-modules/kubernetes-engine/google/cluster.tf:22-393 (google_container_cluster.primary)
    via main.tf:10-90 (module.gke)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  22   resource "google_container_cluster" "primary" {
  ..   
  28 [   resource_labels = var.cluster_resource_labels
 ...   
 393   }
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


MEDIUM: Cluster does not have a network policy enabled.
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Enabling a network policy allows the segregation of network traffic by namespace

See https://avd.aquasec.com/misconfig/avd-gcp-0056
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 terraform-google-modules/kubernetes-engine/google/cluster.tf:22-393
   via main.tf:10-90 (module.gke)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  22 ┌ resource "google_container_cluster" "primary" {
  23 │   provider = google
  24 │ 
  25 │   name            = var.name
  26 │   description     = var.description
  27 │   project         = var.project_id
  28 │   resource_labels = var.cluster_resource_labels
  29 │ 
  30 └   location            = local.location
  ..   
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


HIGH: Cluster exposes node metadata of pools by default.
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
If the <code>workload_metadata_config</code> block within <code>node_config</code> is included, the <code>node_metadata</code> attribute should be configured securely.

The attribute should be set to <code>SECURE</code> to use metadata concealment, or <code>GKE_METADATA_SERVER</code> if workload identity is enabled. This ensures that the VM metadata is not unnecessarily exposed to pods.

See https://avd.aquasec.com/misconfig/avd-gcp-0057
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 terraform-google-modules/kubernetes-engine/google/cluster.tf:460-578
   via terraform-google-modules/kubernetes-engine/google/cluster.tf:397-591 (google_container_node_pool.pools["default-node-pool"])
    via main.tf:10-90 (module.gke)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 397   resource "google_container_node_pool" "pools" {
 ...   
 460 ┌   node_config {
 461 │     image_type       = lookup(each.value, "image_type", "COS_CONTAINERD")
 462 │     machine_type     = lookup(each.value, "machine_type", "e2-medium")
 463 │     min_cpu_platform = lookup(each.value, "min_cpu_platform", "")
 464 │     dynamic "gcfs_config" {
 465 │       for_each = lookup(each.value, "enable_gcfs", false) ? [true] : []
 466 └       content {
 ...   
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


HIGH: Node pool exposes node metadata.
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
If the <code>workload_metadata_config</code> block within <code>node_config</code> is included, the <code>node_metadata</code> attribute should be configured securely.

The attribute should be set to <code>SECURE</code> to use metadata concealment, or <code>GKE_METADATA_SERVER</code> if workload identity is enabled. This ensures that the VM metadata is not unnecessarily exposed to pods.

See https://avd.aquasec.com/misconfig/avd-gcp-0057
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 terraform-google-modules/kubernetes-engine/google/cluster.tf:460-578
   via terraform-google-modules/kubernetes-engine/google/cluster.tf:397-591 (google_container_node_pool.pools["default-node-pool"])
    via main.tf:10-90 (module.gke)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 397   resource "google_container_node_pool" "pools" {
 ...   
 460 ┌   node_config {
 461 │     image_type       = lookup(each.value, "image_type", "COS_CONTAINERD")
 462 │     machine_type     = lookup(each.value, "machine_type", "e2-medium")
 463 │     min_cpu_platform = lookup(each.value, "min_cpu_platform", "")
 464 │     dynamic "gcfs_config" {
 465 │       for_each = lookup(each.value, "enable_gcfs", false) ? [true] : []
 466 └       content {
 ...   
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


MEDIUM: Cluster does not have private nodes.
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Enabling private nodes on a cluster ensures the nodes are only available internally as they will only be assigned internal addresses.

See https://avd.aquasec.com/misconfig/avd-gcp-0059
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 terraform-google-modules/kubernetes-engine/google/cluster.tf:22-393
   via main.tf:10-90 (module.gke)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  22 ┌ resource "google_container_cluster" "primary" {
  23 │   provider = google
  24 │ 
  25 │   name            = var.name
  26 │   description     = var.description
  27 │   project         = var.project_id
  28 │   resource_labels = var.cluster_resource_labels
  29 │ 
  30 └   location            = local.location
  ..   
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


HIGH: Cluster does not have master authorized networks enabled.
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Enabling authorized networks means you can restrict master access to a fixed set of CIDR ranges

See https://avd.aquasec.com/misconfig/avd-gcp-0061
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 terraform-google-modules/kubernetes-engine/google/cluster.tf:22-393
   via main.tf:10-90 (module.gke)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  22 ┌ resource "google_container_cluster" "primary" {
  23 │   provider = google
  24 │ 
  25 │   name            = var.name
  26 │   description     = var.description
  27 │   project         = var.project_id
  28 │   resource_labels = var.cluster_resource_labels
  29 │ 
  30 └   location            = local.location
  ..   
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Version

$ trivy --version
Version: dev
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-01-04 06:12:51.526611719 +0000 UTC
  NextUpdate: 2024-01-04 12:12:51.526611448 +0000 UTC
  DownloadedAt: 2024-01-04 07:57:12.926444486 +0000 UTC
Policy Bundle:
  Digest: sha256:8bfc31f3e4301ef758b6793a07e0b12b4306e0b54d03a640efb2ff5e5ef29b9e
  DownloadedAt: 2024-01-03 11:44:59.83336388 +0000 UTC

Checklist

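The resource the scan above reports under avd-gcp-0056 declares its network policy through a dynamic "network_policy" block. The file below is an added illustration, not code from the issue, from Trivy or from terraform-google-modules: it puts the dynamic form beside its statically expanded equivalent, which is what the evaluator must see for the check to pass, and adds the empty-for_each case that Terraform expands to no block at all (that third resource goes slightly beyond the issue's own example). Resource names, the location and the local values are made up for the example.

```hcl
# Added example, not part of the issue or of any project's code.
# Terraform expands a dynamic block with a one-element for_each into
# exactly one nested block and an empty for_each into no block, so the
# three resources below are what a scanner must reason about.

locals {
  # One element -> exactly one network_policy block after expansion.
  cluster_network_policy = [{ enabled = true }]

  # Empty list -> the dynamic block produces no network_policy block.
  no_network_policy = []
}

# Form used by the GKE module: the value reaches the nested block only
# through the iterator (network_policy.value), never as a literal.
resource "google_container_cluster" "dynamic_form" {
  name     = "example-dynamic"
  location = "us-central1"

  dynamic "network_policy" {
    for_each = local.cluster_network_policy
    content {
      enabled = network_policy.value.enabled
    }
  }
}

# Static equivalent of the resource above after expansion. A scanner
# that does not evaluate dynamic blocks sees this shape only here.
resource "google_container_cluster" "static_form" {
  name     = "example-static"
  location = "us-central1"

  network_policy {
    enabled = true
  }
}

# Empty for_each: no network_policy block exists after expansion, so a
# correct evaluator must report this resource, not silently accept the
# dynamic block as if it had produced one.
resource "google_container_cluster" "dynamic_empty" {
  name     = "example-empty"
  location = "us-central1"

  dynamic "network_policy" {
    for_each = local.no_network_policy
    content {
      enabled = network_policy.value.enabled
    }
  }
}
```

Save this as main.tf in an otherwise empty directory and run the same command as in the reproduction steps, trivy fs --scanners misconfig ., against it. The expected result from a correct evaluator is that dynamic_form and static_form are treated identically (neither flagged) while dynamic_empty is flagged; on a build affected by this issue dynamic_form is reported alongside dynamic_empty, which is the discrepancy the scan output above shows for the module's primary cluster.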
@nikpivkin nikpivkin added the scan/misconfiguration Issues relating to misconfiguration scanning label Jan 9, 2024
@nikpivkin nikpivkin self-assigned this Feb 16, 2024
@simar7 simar7 added this to the v0.50.0 milestone Feb 23, 2024
@simar7 simar7 changed the title bug(misconf): false negative avd-gcp-0056 with terraform dynamic blocks bug(misconf): improve false negatives with terraform dynamic blocks Feb 27, 2024