CKV_GCP_5 Fails even if encryption is enabled

Describe the bug

Not sure how the check works, but the example from the link in the output shows:

resource "google_storage_bucket" "auto-expire" {
  name          = "auto-expiring-bucket"
  location      = "US"
  force_destroy = true
+ encryption = default_kms_key_name
}

However, encryption is a struct, and it should be:

resource "google_storage_bucket" "auto-expire" {
  name          = "auto-expiring-bucket"
  location      = "US"
  force_destroy = true
+ encryption {
+   default_kms_key_name = <key name>
+ }
}

Expected behavior

When the encryption block is present, the check should pass.

Output

Step #3 - "checkov": Check: CKV_GCP_29: "Ensure that Cloud Storage buckets have uniform bucket-level access enabled"
Step #3 - "checkov":    FAILED for resource: google_storage_bucket.tfplans
Step #3 - "checkov":    File: /storage__tfplans.tf:14-50
Step #3 - "checkov":    Guide: https://docs.bridgecrew.io/docs/bc_gcp_gcs_2
Step #3 - "checkov": 
Step #3 - "checkov":            14 | resource "google_storage_bucket" "tfplans" {
Step #3 - "checkov":            15 |   name = "company-tfplans"
Step #3 - "checkov":            16 |   storage_class = "STANDARD"
Step #3 - "checkov":            17 |   labels = merge(local.labels, {
Step #3 - "checkov":            18 |     service-name = "terraform"
Step #3 - "checkov":            19 |     service-visibility = "admin"
Step #3 - "checkov":            20 |   })
Step #3 - "checkov":            21 | 
Step #3 - "checkov":            22 |   encryption {
Step #3 - "checkov":            23 |     default_kms_key_name = local.kms__terraform-plans
Step #3 - "checkov":            24 |   }
Step #3 - "checkov":            25 |   logging {
Step #3 - "checkov":            26 |     log_bucket = "company-logs"
Step #3 - "checkov":            27 |     log_object_prefix = "storage/company-tfplan/"
Step #3 - "checkov":            28 |   }
Step #3 - "checkov":            29 |   versioning {
Step #3 - "checkov":            30 |     enabled = true
Step #3 - "checkov":            31 |   }
Step #3 - "checkov":            32 |   lifecycle_rule {
Step #3 - "checkov":            33 |     action {
Step #3 - "checkov":            34 |       type = "Delete"
Step #3 - "checkov":            35 |     }
Step #3 - "checkov":            36 |     condition {
Step #3 - "checkov":            37 |       num_newer_versions = 5
Step #3 - "checkov":            38 |     }
Step #3 - "checkov":            39 |   }
Step #3 - "checkov":            40 |   lifecycle_rule {
Step #3 - "checkov":            41 |     action {
Step #3 - "checkov":            42 |       type = "Delete"
Step #3 - "checkov":            43 |     }
Step #3 - "checkov":            44 |     condition {
Step #3 - "checkov":            45 |       age = 14
Step #3 - "checkov":            46 |     }
Step #3 - "checkov":            47 |   }
Step #3 - "checkov":            48 | 
Step #3 - "checkov":            49 | 
Step #3 - "checkov":            50 | }
Finished Step #3 - "checkov"

Desktop (please complete the following information):

  • OS: ubuntu & Docker: gcr.io/cloud-builders/gcloud
  • Checkov Version 1.0.564
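The behaviour the report asks for, as an added example that is not Checkov's own implementation of CKV_GCP_5: a stand-alone Python check that treats `encryption` as a nested block and passes a bucket only when that block carries a `default_kms_key_name`. It assumes the dictionary shape Checkov hands a resource check (every attribute and nested block wrapped in a list, so `encryption { default_kms_key_name = "k" }` arrives as `{"encryption": [{"default_kms_key_name": ["k"]}]}`); the sample bucket definitions are constructed for the example and mirror the ones quoted in the report, including the scalar `encryption = ...` form from the docs, which the check must reject.

```python
"""Added example, not Checkov's code: CKV_GCP_5-style check for a
google_storage_bucket customer-managed key (CMEK).

Assumed input shape (modelled on what Checkov passes to a resource check):
every HCL attribute and nested block is a list, e.g.
    {"encryption": [{"default_kms_key_name": ["projects/.../cryptoKeys/k"]}]}
"""

PASSED = "PASSED"
FAILED = "FAILED"


def bucket_has_cmek(conf):
    """Return PASSED when the bucket sets encryption.default_kms_key_name.

    `encryption` is a nested block, so it must be unpacked as a list holding
    one dict. A bare scalar (the wrong form quoted in the issue), a missing
    block, or a block without default_kms_key_name all FAIL.
    """
    blocks = conf.get("encryption")
    if not isinstance(blocks, list) or not blocks:
        return FAILED  # no encryption block at all
    block = blocks[0]
    if not isinstance(block, dict):
        return FAILED  # `encryption = value` instead of `encryption { ... }`
    key = block.get("default_kms_key_name")
    if isinstance(key, list):
        key = key[0] if key else None
    # A Terraform reference such as local.kms__terraform-plans is still a
    # value; only a missing or empty key name fails the check.
    return PASSED if key else FAILED


# Constructed sample resources (not real infrastructure), keyed by the
# Terraform resource label, mirroring the bucket definitions in the report.
SAMPLES = {
    "tfplans": {
        "name": ["company-tfplans"],
        "storage_class": ["STANDARD"],
        "encryption": [{"default_kms_key_name": ["${local.kms__terraform-plans}"]}],
        "versioning": [{"enabled": [True]}],
    },
    "no_encryption_block": {
        "name": ["auto-expiring-bucket"],
        "location": ["US"],
        "force_destroy": [True],
    },
    "scalar_encryption": {
        # the incorrect form shown in the docs example quoted above
        "name": ["auto-expiring-bucket"],
        "encryption": ["default_kms_key_name"],
    },
    "empty_block": {
        "name": ["auto-expiring-bucket"],
        "encryption": [{}],
    },
}


def scan_all(samples=SAMPLES):
    """Run the check over every sample and return {label: result}."""
    return {label: bucket_has_cmek(conf) for label, conf in samples.items()}


if __name__ == "__main__":
    for label, result in scan_all().items():
        print(f"{result:6} google_storage_bucket.{label}")
```

Only the `tfplans` bucket passes; the other three fail, including the scalar form, which is not valid for the `google_storage_bucket` resource in the first place. To isolate the real check on the file from the report, `checkov -f storage__tfplans.tf --check CKV_GCP_5` limits the run to that one ID; if, as the maintainer comment below asks, Google-managed keys are acceptable in your environment, `--skip-check CKV_GCP_5` is the documented way to drop it rather than leaving the failure in the build log.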

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments:7 (4 by maintainers)

Top GitHub Comments

brucearctor commented, Nov 24, 2020 (2 reactions)

@btilford, @schosterbarak – is CKV_GCP_5 relevant anymore? https://cloud.google.com/security/encryption-at-rest#:~:text=Google Cloud Platform encrypts customer,options to meet your needs ? Encryption at rest is standard? So, does that really need to be enforced (assuming OK with Google Managed Keys)?

brucearctor commented, Feb 19, 2021

👍
