
Checkov crashes when parsing kube_config field


Describe the bug
Parsing fails when processing a resource or provider related to a Kubernetes cluster and the kube_config.0.property notation is used in some field.

To Reproduce
Steps to reproduce the behavior:

  1. Provider defined in a similar way to this example:
provider "helm" {
  version = "1.1.1"
  kubernetes {
    host                   = module.aks_cluster.kube_config.0.host
    client_certificate     = base64decode(module.aks_cluster.kube_config.0.client_certificate)
    client_key             = base64decode(module.aks_cluster.kube_config.0.client_key)
    cluster_ca_certificate = base64decode(module.aks_cluster.kube_config.0.cluster_ca_certificate)
    load_config_file       = false
  }
}

provider "kubernetes" {
  version                = "1.10.0"
  host                   = module.aks_cluster.kube_config.0.host
  client_certificate     = base64decode(module.aks_cluster.kube_config.0.client_certificate)
  client_key             = base64decode(module.aks_cluster.kube_config.0.client_key)
  cluster_ca_certificate = base64decode(module.aks_cluster.kube_config.0.cluster_ca_certificate)
}
  2. Module defined as:
module "new_relic" {
  source                            = "s3::https://s3.amazonaws.com/my-artifacts/new-relic-k8s-0.2.5.zip"
  kubernetes_host                   = module.aks_cluster.kube_config.0.host
  kubernetes_client_certificate     = base64decode(module.aks_cluster.kube_config.0.client_certificate)
  kubernetes_client_key             = base64decode(module.aks_cluster.kube_config.0.client_key)
  kubernetes_cluster_ca_certificate = base64decode(module.aks_cluster.kube_config.0.cluster_ca_certificate)
  cluster_name                      = module.naming_conventions.aks_name
  new_relic_license                 = data.vault_generic_secret.new_relic_license.data["license"]
  cluster_ca_bundle_b64             = module.aks_cluster.kube_config.0.cluster_ca_certificate
  module_depends_on                 = [null_resource.delay_aks_deployments]
}
  3. Run CLI command: checkov -d folder
  4. See error:
DEBUG:checkov.terraform.parser:failed while parsing file /home/holgiosalos/myterraform/myazuremodule/1-main.tf
Traceback (most recent call last):
  File "/home/holgiosalos/.local/lib/python3.8/site-packages/lark/parsers/lalr_parser.py", line 62, in get_action
    return states[state][token.type]
KeyError: 'DECIMAL'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/holgiosalos/.local/lib/python3.8/site-packages/checkov/terraform/parser.py", line 42, in hcl2
    tf_definition = self._parse_tf_definitions(tf_file)
  File "/home/holgiosalos/.local/lib/python3.8/site-packages/checkov/terraform/parser.py", line 24, in _parse_tf_definitions
    tf_definition = hcl2.load(file)
  File "/home/holgiosalos/.local/lib/python3.8/site-packages/hcl2/api.py", line 9, in load
    return loads(file.read())
  File "/home/holgiosalos/.local/lib/python3.8/site-packages/hcl2/api.py", line 18, in loads
    return hcl2.parse(text + "\n")
  File "/home/holgiosalos/.local/lib/python3.8/site-packages/lark/lark.py", line 311, in parse
    return self.parser.parse(text, start=start)
  File "/home/holgiosalos/.local/lib/python3.8/site-packages/lark/parser_frontends.py", line 89, in parse
    return self._parse(token_stream, start, *[sps] if sps is not NotImplemented else [])
  File "/home/holgiosalos/.local/lib/python3.8/site-packages/lark/parser_frontends.py", line 54, in _parse
    return self.parser.parse(input, start, *args)
  File "/home/holgiosalos/.local/lib/python3.8/site-packages/lark/parsers/lalr_parser.py", line 36, in parse
    return self.parser.parse(*args)
  File "/home/holgiosalos/.local/lib/python3.8/site-packages/lark/parsers/lalr_parser.py", line 86, in parse
    action, arg = get_action(token)
  File "/home/holgiosalos/.local/lib/python3.8/site-packages/lark/parsers/lalr_parser.py", line 65, in get_action
    raise UnexpectedToken(token, expected, state=state)
lark.exceptions.UnexpectedToken: Unexpected token Token(DECIMAL, '0') at line 30, column 61.
Expected one of: 
	* __ANON_3

2020-06-16 18:58:46,157 [MainThread  ] [DEBUG]  failed while parsing file /home/holgiosalos/myterraform/myazuremodule/1-main.tf
Traceback (most recent call last):
  File "/home/holgiosalos/.local/lib/python3.8/site-packages/lark/parsers/lalr_parser.py", line 62, in get_action
    return states[state][token.type]
KeyError: 'DECIMAL'

Expected behavior
Not to crash when a provider or module uses a similar Kubernetes configuration.

Desktop (please complete the following information):

  • OS: Ubuntu 20.04
  • Checkov Version: 1.0.380

Additional context

       _               _              
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V / 
  \___|_| |_|\___|\___|_|\_\___/ \_/  
                                      
by bridgecrew.io | version: 1.0.380 
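A pre-scan check for the construct behind this crash, added here as an example and not part of Checkov or python-hcl2: it finds the legacy Terraform 0.11 form x.0.y that the parser rejects and rewrites it to the equivalent HCL2 form x[0].y, so the file is actually scanned instead of being skipped with a DEBUG-level log and zero findings. It assumes the traversals are unquoted, as in the snippets above, and leaves string literals untouched; the sample input is abridged from the issue.

```python
import re
from typing import List, Tuple

# Legacy Terraform 0.11 form `ident.N.attr` (ident may contain dashes, as in
# vault-auth). Requiring an attribute name after the index means version
# strings such as 0.2.5 never match.
LEGACY_INDEX = re.compile(r"([A-Za-z_][\w-]*)\.(\d+)\.(?=[A-Za-z_])")
# Double-quoted literals (backslash escapes allowed); these are left untouched,
# so interpolations inside strings are out of scope for this example.
QUOTED = re.compile(r'("(?:[^"\\]|\\.)*")')

# Abridged from the snippets in the issue above.
SAMPLE_TF = '''provider "kubernetes" {
  version                = "1.10.0"
  host                   = module.aks_cluster.kube_config.0.host
  client_certificate     = base64decode(module.aks_cluster.kube_config.0.client_certificate)
}
module "new_relic" {
  source = "s3::https://s3.amazonaws.com/my-artifacts/new-relic-k8s-0.2.5.zip"
  name   = kubernetes_service_account.vault-auth.metadata.0.name
}
'''

def find_legacy_indexes(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, 'ident.N') for every legacy index outside strings."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for i, part in enumerate(QUOTED.split(line)):
            if i % 2 == 1:  # odd parts are the quoted literals themselves
                continue
            for m in LEGACY_INDEX.finditer(part):
                hits.append((lineno, f"{m.group(1)}.{m.group(2)}"))
    return hits

def rewrite_legacy_indexes(text: str) -> str:
    """Rewrite `x.0.y` to the equivalent HCL2 `x[0].y`, leaving strings alone."""
    out = []
    for line in text.splitlines(keepends=True):
        parts = QUOTED.split(line)
        for i in range(0, len(parts), 2):  # even parts are outside quotes
            parts[i] = LEGACY_INDEX.sub(r"\1[\2].", parts[i])
        out.append("".join(parts))
    return "".join(out)

if __name__ == "__main__":
    for lineno, hit in find_legacy_indexes(SAMPLE_TF):
        print(f"line {lineno}: legacy index {hit}")
    print(rewrite_legacy_indexes(SAMPLE_TF), end="")
```

Running the rewrite over a copy of the module before invoking checkov -d restores coverage for files that would otherwise fail to parse; the original files stay unchanged.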


Top GitHub Comments

tobypeschel commented, Jun 25, 2020

Yep, just encountered this problem myself. Took me an embarrassingly long amount of time to realise it was the following two lines to blame:

kubernetes_ca_cert = base64decode(google_container_cluster.primary.master_auth.0.cluster_ca_certificate)

name = kubernetes_service_account.vault-auth.metadata.0.name

But this is definitely a common pattern and found in many examples from the docs and elsewhere.

schosterbarak commented, Jun 21, 2020

@holgiosalos we are looking for a way to solve this. We'll keep you posted in a day or two.
