
Output format using TF planfile with for_each


Good day! We faced a problem with the tool and its output. We use Atlantis+Terragrunt+Terraform to deploy infra and wanted to implement checks. But most of our TF config is based on "for_each" dynamic blocks. So when we run checks with checkov -f planfile.json --framework terraform_plan on the JSON planfile, we cannot understand where (in which lines of the planfile) checkov has found problems:

terraform_plan scan results:

Passed checks: 5, Failed checks: 1, Skipped checks: 0

Check: BC_AWS_IAM_44: "Ensure IAM role allows only specific services or principals to assume it"
        PASSED for resource: aws_iam_role.roles
        File: /planfile.json:195-218
        Guide: https://docs.bridgecrew.io/docs/bc_aws_iam_44

Check: BC_AWS_IAM_45: "Ensure IAM role allows only specific principals in account to assume it"
        PASSED for resource: aws_iam_role.roles
        File: /planfile.json:195-218
        Guide: https://docs.bridgecrew.io/docs/bc_aws_iam_45

Check: BC_AWS_IAM_44: "Ensure IAM role allows only specific services or principals to assume it"
        PASSED for resource: aws_iam_role.roles
        File: /planfile.json:195-218
        Guide: https://docs.bridgecrew.io/docs/bc_aws_iam_44

Check: BC_AWS_IAM_45: "Ensure IAM role allows only specific principals in account to assume it"
        PASSED for resource: aws_iam_role.roles
        File: /planfile.json:195-218
        Guide: https://docs.bridgecrew.io/docs/bc_aws_iam_45

Check: BC_AWS_IAM_44: "Ensure IAM role allows only specific services or principals to assume it"
        PASSED for resource: aws_iam_role.roles
        File: /planfile.json:195-218
        Guide: https://docs.bridgecrew.io/docs/bc_aws_iam_44

Check: BC_AWS_IAM_45: "Ensure IAM role allows only specific principals in account to assume it"
        FAILED for resource: aws_iam_role.roles
        File: /planfile.json:195-218
        Guide: https://docs.bridgecrew.io/docs/bc_aws_iam_45

It seems that checkov processes all for_each resources as one block and cannot show in which specific resource it found the problem. At the same time, the number of run checks corresponds to the number of resources. Can the output be tuned somehow to see in which resource it found problems?

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 6 (2 by maintainers)

Top GitHub Comments

1 reaction
raeder1986 commented, Jan 20, 2022

@njgibbon Yeah, of course

{
  "format_version": "1.0",
  "terraform_version": "1.1.2",
  "variables": {
    "users": {
      "value": {
        "alex1": {
          "force_destroy": "false",
          "group": [
            "LL2",
            "LL1"
          ],
          "inline_policies": [],
          "managed_policy_arns": [
            "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess",
            "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
          ],
          "path": "/",
          "tags": {
            "organization": "LL",
            "project": "LL-1"
          }
        },
        "alex4": {
          "force_destroy": "false",
          "group": [
            "aws"
          ],
          "inline_policies": [],
          "managed_policy_arns": [
            "arn:aws:iam::222222222222:policy/test-policy-1"
          ],
          "path": "/",
          "tags": {
            "UserType": "human"
          }
        }
      }
    }
  },
  "planned_values": {
    "root_module": {
      "resources": [
        {
          "address": "aws_iam_user_policy_attachment.user_policy_attachment[\"alex1.arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess\"]",
          "mode": "managed",
          "type": "aws_iam_user_policy_attachment",
          "name": "user_policy_attachment",
          "index": "alex1.arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess",
          "provider_name": "registry.terraform.io/hashicorp/aws",
          "schema_version": 0,
          "values": {
            "id": "alex1-arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess",
            "policy_arn": "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess",
            "user": "alex1"
          },
          "sensitive_values": {}
        },
        {
          "address": "aws_iam_user_policy_attachment.user_policy_attachment[\"alex1.arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly\"]",
          "mode": "managed",
          "type": "aws_iam_user_policy_attachment",
          "name": "user_policy_attachment",
          "index": "alex1.arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
          "provider_name": "registry.terraform.io/hashicorp/aws",
          "schema_version": 0,
          "values": {
            "id": "alex1-arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
            "policy_arn": "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
            "user": "alex1"
          },
          "sensitive_values": {}
        },
        {
          "address": "aws_iam_user_policy_attachment.user_policy_attachment[\"alex4.arn:aws:iam::222222222222:policy/test-policy-1\"]",
          "mode": "managed",
          "type": "aws_iam_user_policy_attachment",
          "name": "user_policy_attachment",
          "index": "alex4.arn:aws:iam::222222222222:policy/test-policy-1",
          "provider_name": "registry.terraform.io/hashicorp/aws",
          "schema_version": 0,
          "values": {
            "policy_arn": "arn:aws:iam::222222222222:policy/test-policy-1",
            "user": "alex4"
          },
          "sensitive_values": {}
        }
      ]
    }
  },
  "resource_changes": [
    {
      "address": "aws_iam_user_policy_attachment.user_policy_attachment[\"alex1.arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess\"]",
      "mode": "managed",
      "type": "aws_iam_user_policy_attachment",
      "name": "user_policy_attachment",
      "index": "alex1.arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess",
      "provider_name": "registry.terraform.io/hashicorp/aws",
      "change": {
        "actions": [
          "no-op"
        ],
        "before": {
          "id": "alex1-arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess",
          "policy_arn": "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess",
          "user": "alex1"
        },
        "after": {
          "id": "alex1-arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess",
          "policy_arn": "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess",
          "user": "alex1"
        },
        "after_unknown": {},
        "before_sensitive": {},
        "after_sensitive": {}
      }
    },
    {
      "address": "aws_iam_user_policy_attachment.user_policy_attachment[\"alex1.arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly\"]",
      "mode": "managed",
      "type": "aws_iam_user_policy_attachment",
      "name": "user_policy_attachment",
      "index": "alex1.arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
      "provider_name": "registry.terraform.io/hashicorp/aws",
      "change": {
        "actions": [
          "no-op"
        ],
        "before": {
          "id": "alex1-arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
          "policy_arn": "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
          "user": "alex1"
        },
        "after": {
          "id": "alex1-arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
          "policy_arn": "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
          "user": "alex1"
        },
        "after_unknown": {},
        "before_sensitive": {},
        "after_sensitive": {}
      }
    },
    {
      "address": "aws_iam_user_policy_attachment.user_policy_attachment[\"alex4.arn:aws:iam::222222222222:policy/test-policy-1\"]",
      "mode": "managed",
      "type": "aws_iam_user_policy_attachment",
      "name": "user_policy_attachment",
      "index": "alex4.arn:aws:iam::222222222222:policy/test-policy-1",
      "provider_name": "registry.terraform.io/hashicorp/aws",
      "change": {
        "actions": [
          "create"
        ],
        "before": null,
        "after": {
          "policy_arn": "arn:aws:iam::222222222222:policy/test-policy-1",
          "user": "alex4"
        },
        "after_unknown": {
          "id": true
        },
        "before_sensitive": false,
        "after_sensitive": {}
      }
    }
  ],
  "prior_state": {
    "format_version": "1.0",
    "terraform_version": "1.1.2",
    "values": {
      "root_module": {
        "resources": [
          {
            "address": "aws_iam_user_policy_attachment.user_policy_attachment[\"alex1.arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess\"]",
            "mode": "managed",
            "type": "aws_iam_user_policy_attachment",
            "name": "user_policy_attachment",
            "index": "alex1.arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess",
            "provider_name": "registry.terraform.io/hashicorp/aws",
            "schema_version": 0,
            "values": {
              "id": "alex1-arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess",
              "policy_arn": "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess",
              "user": "alex1"
            },
            "sensitive_values": {}
          },
          {
            "address": "aws_iam_user_policy_attachment.user_policy_attachment[\"alex1.arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly\"]",
            "mode": "managed",
            "type": "aws_iam_user_policy_attachment",
            "name": "user_policy_attachment",
            "index": "alex1.arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
            "provider_name": "registry.terraform.io/hashicorp/aws",
            "schema_version": 0,
            "values": {
              "id": "alex1-arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
              "policy_arn": "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
              "user": "alex1"
            },
            "sensitive_values": {}
          }
        ]
      }
    }
  },
  "configuration": {
    "provider_config": {
      "aws": {
        "name": "aws",
        "version_constraint": "> 3.50.0",
        "expressions": {
          "region": {
            "constant_value": "us-central-1"
          }
        }
      }
    },
    "root_module": {
      "resources": [
        {
          "address": "aws_iam_user_policy_attachment.user_policy_attachment",
          "mode": "managed",
          "type": "aws_iam_user_policy_attachment",
          "name": "user_policy_attachment",
          "provider_config_key": "aws",
          "expressions": {
            "policy_arn": {
              "references": [
                "each.value.managed_policy_arn",
                "each.value"
              ]
            },
            "user": {
              "references": [
                "each.value.user_name",
                "each.value"
              ]
            }
          },
          "schema_version": 0,
          "for_each_expression": {
            "references": [
              "local.users"
            ]
          }
        }
      ],
      "variables": {
        "users": {}
      }
    }
  }
}
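
The issue's scan output collapses every for_each instance to the block address `aws_iam_role.roles`, while the plan posted above shows that each `resource_changes` entry carries its own `address` and `index` (for example `aws_iam_user_policy_attachment.user_policy_attachment["alex4.arn:aws:iam::222222222222:policy/test-policy-1"]`). The following is an added example, not code from checkov or from the issue author: it walks a plan JSON, expands a collapsed block address into the instance addresses behind it, and evaluates a simplified "only specific principals may assume this role" check per instance so the failing for_each key is reported. The two `aws_iam_role` instances in the sample plan and the check logic are assumptions made for the example (the check is not checkov's exact BC_AWS_IAM_45 implementation).

```python
"""Per-instance attribution of plan-file checks on for_each resources.

Added example, not code from checkov or from the issue author. Reads a
Terraform plan JSON (`terraform show -json planfile > planfile.json`).
"""
import json
import re
from collections import defaultdict
from typing import Dict, List


def _role_change(key: str, principal: dict) -> dict:
    """Build one invented planned aws_iam_role instance with the given trust principal."""
    policy = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": principal}]}
    return {"address": f'aws_iam_role.roles["{key}"]', "mode": "managed",
            "type": "aws_iam_role", "name": "roles", "index": key,
            "change": {"actions": ["create"],
                       "after": {"name": key, "assume_role_policy": json.dumps(policy)}}}


# Constructed sample plan: the attachment entry mirrors the shape of the plan
# posted in the issue; the two role instances are invented for this example.
SAMPLE_PLAN = json.dumps({"format_version": "1.0", "resource_changes": [
    {"address": 'aws_iam_user_policy_attachment.user_policy_attachment["alex4.arn:aws:iam::222222222222:policy/test-policy-1"]',
     "mode": "managed", "type": "aws_iam_user_policy_attachment",
     "name": "user_policy_attachment",
     "index": "alex4.arn:aws:iam::222222222222:policy/test-policy-1",
     "change": {"actions": ["create"], "after": {
         "policy_arn": "arn:aws:iam::222222222222:policy/test-policy-1", "user": "alex4"}}},
    _role_change("app", {"Service": "ec2.amazonaws.com"}),
    _role_change("shared", {"AWS": "*"}),
]})

_INSTANCE_KEY = re.compile(r'\[[^\]]*\]$')  # trailing ["key"] or [0] on an address


def load_plan(text: str) -> dict:
    return json.loads(text)


def block_address(instance_address: str) -> str:
    """'aws_iam_role.roles["app"]' -> 'aws_iam_role.roles' (module prefixes are kept)."""
    return _INSTANCE_KEY.sub("", instance_address)


def instances_by_block(plan: dict) -> Dict[str, List[str]]:
    """Map each collapsed block address to the instance addresses the plan contains,
    so a finding on `aws_iam_role.roles` can be expanded to every for_each key."""
    groups = defaultdict(list)
    for rc in plan.get("resource_changes", []):
        if rc.get("mode") == "managed":
            groups[block_address(rc["address"])].append(rc["address"])
    return dict(groups)


def _principals(statement: dict) -> List[str]:
    """Flatten the Principal element of a policy statement into a list of strings."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if not isinstance(principal, dict):
        return []
    out: List[str] = []
    for value in principal.values():
        out.extend(value if isinstance(value, list) else [value])
    return out


def role_allows_any_principal(after: dict) -> bool:
    """Simplified trust-policy check (an assumption for this example, not checkov's
    BC_AWS_IAM_45 logic): fail when any Allow statement names the wildcard principal."""
    raw = after.get("assume_role_policy")
    if raw is None:                       # value unknown until apply: cannot judge
        return False
    doc = json.loads(raw) if isinstance(raw, str) else raw
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):      # single statement written as an object
        statements = [statements]
    return any(s.get("Effect") == "Allow" and "*" in _principals(s) for s in statements)


def check_plan(plan: dict) -> List[dict]:
    """Evaluate the check per instance and keep the full instance address."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_iam_role" or rc.get("mode") != "managed":
            continue
        after = rc.get("change", {}).get("after")
        if not after:                     # destroyed instance: nothing to evaluate
            continue
        findings.append({"address": rc["address"],   # includes the for_each key
                         "index": rc.get("index"),
                         "result": "FAILED" if role_allows_any_principal(after) else "PASSED"})
    return findings


if __name__ == "__main__":
    import sys
    plan = load_plan(open(sys.argv[1]).read()) if len(sys.argv) > 1 else load_plan(SAMPLE_PLAN)
    for block, addrs in instances_by_block(plan).items():
        print(f"{block}: {len(addrs)} instance(s) -> {addrs}")
    for f in check_plan(plan):
        print(f'{f["result"]} for resource: {f["address"]}')
```

Run it as `python plan_attrib.py planfile.json` against a real plan, or with no argument to use the constructed sample. Grouping on the address with its trailing instance key stripped (rather than on `type.name`) keeps module paths such as `module.iam["x"].aws_iam_role.roles` distinct, and reading `change.after` rather than `planned_values` means destroyed instances are skipped instead of evaluated against stale attributes.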
0 reactions
stale[bot] commented, Sep 14, 2022

Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: https://slack.bridgecrew.io Thanks!
