
False positive for CKV_AZURE_43: check storage account name


I’m building my Storage Account names like this:

name                = "${local.saname_prefix}diagnostics${module.tf-var-project.random_id}"

With https://github.com/bridgecrewio/checkov/pull/429 merged, I now get a check failure on the SA name:

Check: CKV_AZURE_43: "Ensure the Storage Account naming rules"
	FAILED for resource: azurerm_storage_account.diagnostics
	File: /az_diag_sa.tf:8-22

		8  | resource "azurerm_storage_account" "diagnostics" {
		9  |   #checkov:skip=CKV_AZURE_35:Public access is allowed
		10 |   name                = "${local.saname_prefix}diagnostics${module.tf-var-project.random_id}"

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 3
  • Comments: 13 (4 by maintainers)

Top GitHub Comments

3 reactions
daviddob commented, Apr 28, 2021

Can confirm the same behavior with the false positive. I have the following variable for name, which ensures the same regex validation:

variable "name" {
  description = "Storage account name"
  type = string
  validation {
    condition     = can(regex("^[a-z0-9]{3,24}$", var.name))
    error_message = "Storage account names must be between 3 and 24 characters in length and may contain numbers and lowercase letters only and must be globally unique."
  }
}

However, when passing it in as follows, CKV_AZURE_43 is raised:

resource "azurerm_storage_account" "stg" {
  name                      = var.name
...
}

Though hardcoding it to something that passes the regex satisfies the condition:

resource "azurerm_storage_account" "stg" {
  name                      = "foo"
  ...
}

It is likely validating the literal var.name instead of the potential variable value, and as such, because the literal var.name contains a ".", it will fail to satisfy the regex and raise the error. Ideally the check would have to evaluate variables (and determine what to do if no default exists) and see if they satisfy the constraint; however, that may be a bit much to ask.
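The behaviour described in the issue and in the comment above, as an added example (this is not checkov's implementation and not code posted by anyone in the thread): a naive check that matches the raw attribute text against the naming regex fails on "${...}" interpolations and on a bare var.name, while a hypothetical hardened check resolves a var.x reference when a value is known and otherwise reports UNKNOWN instead of FAILED. The helper names (extract_name_attr, naive_check, check_storage_account_name, run_checks), the UNKNOWN verdict, the line-based attribute scan in place of a real HCL parser, and the sample resource blocks are all assumptions made for this example; the sample blocks are constructed to mirror the three shapes discussed above, not taken from the reporter's files.

```python
import re

# Azure storage account naming rule (the same regex as the variable validation above):
# 3 to 24 characters, lowercase letters and digits only.
STORAGE_ACCOUNT_NAME_RE = re.compile(r"^[a-z0-9]{3,24}$")

# Anything still carrying an interpolation or a var./local./module./data. reference
# cannot be judged from the resource block alone.
UNRESOLVED_REF_RE = re.compile(r"\$\{|^(?:var|local|module|data)\.")

PASSED, FAILED, UNKNOWN = "PASSED", "FAILED", "UNKNOWN"


def extract_name_attr(resource_block):
    """Return the raw text of the `name = ...` attribute of an HCL resource block,
    with surrounding double quotes removed but any interpolation left intact.
    Hypothetical helper: a minimal line-based scan, not a full HCL parser."""
    m = re.search(r"^\s*name\s*=\s*(.+?)\s*$", resource_block, re.MULTILINE)
    if not m:
        return None
    raw = m.group(1)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    return raw


def naive_check(name_attr):
    """The behaviour reported in the issue: match the attribute text as written.
    `var.name` contains a dot and `${...}` contains braces, so both FAIL."""
    return PASSED if STORAGE_ACCOUNT_NAME_RE.match(name_attr) else FAILED


def check_storage_account_name(name_attr, variables=None):
    """Hypothetical hardened check (not checkov's implementation).

    - a bare `var.x` reference is resolved through `variables` (assumed to hold
      the variable defaults or supplied values) when a value is known;
    - a literal name is validated against the naming rule;
    - anything that still contains an unresolved expression is reported UNKNOWN
      instead of FAILED, which is what removes the false positive.
    """
    variables = variables or {}
    value = name_attr.strip()
    ref = re.fullmatch(r"var\.([A-Za-z_][A-Za-z0-9_]*)", value)
    if ref and ref.group(1) in variables:
        value = variables[ref.group(1)]
    if UNRESOLVED_REF_RE.search(value):
        return UNKNOWN
    return PASSED if STORAGE_ACCOUNT_NAME_RE.match(value) else FAILED


def run_checks(resource_block, variables=None):
    """Evaluate one resource block with both checks; returns (naive, hardened)."""
    name_attr = extract_name_attr(resource_block)
    return naive_check(name_attr), check_storage_account_name(name_attr, variables)


# Constructed sample blocks mirroring the three shapes discussed in the thread.
INTERPOLATED_SA = '''
resource "azurerm_storage_account" "diagnostics" {
  name                = "${local.saname_prefix}diagnostics${module.tf-var-project.random_id}"
  resource_group_name = "rg-diag"
}
'''
VARIABLE_SA = '''
resource "azurerm_storage_account" "stg" {
  name         = var.name
  account_tier = "Standard"
}
'''
LITERAL_SA = '''
resource "azurerm_storage_account" "stg" {
  name = "foo"
}
'''
BAD_LITERAL_SA = '''
resource "azurerm_storage_account" "stg" {
  name = "Diag-Storage"
}
'''

if __name__ == "__main__":
    for label, block in [("interpolated", INTERPOLATED_SA), ("variable", VARIABLE_SA),
                         ("literal", LITERAL_SA), ("bad literal", BAD_LITERAL_SA)]:
        naive, hardened = run_checks(block)
        print(f"{label:12} naive={naive:8} hardened={hardened}")
    # Supplying the variable's value lets the hardened check reach a real verdict.
    print("variable (resolved):", run_checks(VARIABLE_SA, {"name": "stgdiag01"}))
```

Running it shows the false positive on the first two blocks (naive FAILED, hardened UNKNOWN), agreement on the literal cases, and a genuine FAILED on "Diag-Storage" once var.name resolves to a bad value. Treating UNKNOWN as a pass or a fail is a policy decision for the scanner; what matters for this issue is that an unresolved expression is not silently reported as a naming violation.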

1 reaction
JamesWoolfenden commented, Feb 16, 2021

I can replicate this one @metahertz, I’ll show you test code tomorrow.
