
bug(terraform): module output values are not passed into the context of other modules #6274

Closed
nikpivkin opened this issue Mar 5, 2024 Discussed in #5262 · 2 comments · Fixed by #6411
Labels: kind/bug (Categorizes issue or PR as related to a bug), scan/misconfiguration (Issues relating to misconfiguration scanning)

Comments

nikpivkin commented Mar 5, 2024

I found the following problem:
Currently, module results are only propagated to the context of the parent module (i.e., the one that calls), and are not propagated to the context of other modules. In the example below, the module.artifactory_key.key_arn output value of the artifactory_key module is missing in the context of the artifactory_bucket module.

UPD: output variables of one module are not present in the context of another module only during module evaluation and block expanding (dynamic, for-each).

Discussed in #5262

Originally posted by natebowang September 28, 2023

IDs

AVD-AWS-0088

Description

Hi, we use the terraform KMS module terraform-aws-modules/kms/aws v2.0.1 and the S3 module terraform-aws-modules/s3-bucket/aws v3.15.1 in our configuration, but the Trivy scan fails with an error we don't expect to see.

Reproduction Steps

module "artifactory_key" {
  source  = "terraform-aws-modules/kms/aws"
  version = "2.0.1"

  deletion_window_in_days = 7
  enable_key_rotation     = true
  enable_default_policy   = true
}

module "artifactory_bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "3.15.1"

  bucket = "artifactory-sdfsgemekg"

  versioning    = {
    status     = true
    mfa_delete = false
  }
  server_side_encryption_configuration = {
    rule = {
      apply_server_side_encryption_by_default = {
        kms_master_key_id = module.artifactory_key.key_arn
        sse_algorithm     = "aws:kms"
      }
    }
  }
}

Target

Filesystem

Scanner

Misconfiguration

Target OS

5.4.254-1-MANJARO

Debug Output

2023-09-27T21:05:28.825Z	DEBUG	Severities: ["CRITICAL" "HIGH" "MEDIUM"]
2023-09-27T21:05:28.826Z	DEBUG	Ignore statuses	{"statuses": null}
2023-09-27T21:05:28.832Z	DEBUG	cache dir:  /root/.cache/trivy
2023-09-27T21:05:28.832Z	INFO	Misconfiguration scanning is enabled
2023-09-27T21:05:28.832Z	DEBUG	Policies successfully loaded from disk
2023-09-27T21:05:28.870Z	DEBUG	Walk the file tree rooted at '.' in parallel
2023-09-27T21:05:28.871Z	DEBUG	Skipping directory: .terraform
2023-09-27T21:05:28.871Z	DEBUG	Scanning Terraform files for misconfigurations...
2023-09-27T21:05:41.587Z	DEBUG	OS is not detected.
2023-09-27T21:05:41.587Z	INFO	Detected config files: 10
2023-09-27T21:05:41.587Z	DEBUG	Scanned config file: iam-github.tf
2023-09-27T21:05:41.587Z	DEBUG	Scanned config file: terraform-aws-modules/apigateway-v2/aws/main.tf
2023-09-27T21:05:41.587Z	DEBUG	Scanned config file: terraform-aws-modules/ecr/aws/main.tf
2023-09-27T21:05:41.587Z	DEBUG	Scanned config file: terraform-aws-modules/kms/aws/main.tf
2023-09-27T21:05:41.587Z	DEBUG	Scanned config file: terraform-aws-modules/lambda/aws/main.tf
2023-09-27T21:05:41.587Z	DEBUG	Scanned config file: terraform-aws-modules/s3-bucket/aws/main.tf
2023-09-27T21:05:41.587Z	DEBUG	Scanned config file: terraform-aws-modules/sns/aws/main.tf
2023-09-27T21:05:41.587Z	DEBUG	Scanned config file: .
2023-09-27T21:05:41.587Z	DEBUG	Scanned config file: git::https:/github.com/terraform-aws-modules/terraform-aws-cloudwatch?ref=v4.3.0/modules/log-group/main.tf
2023-09-27T21:05:41.587Z	DEBUG	Scanned config file: git::https:/github.com/terraform-aws-modules/terraform-aws-iam?ref=v5.30.0/modules/iam-user/main.tf

terraform-aws-modules/s3-bucket/aws/main.tf (terraform)

Tests: 15 (SUCCESSES: 13, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (MEDIUM: 0, HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────────────────────────────────────────────
 terraform-aws-modules/s3-bucket/aws/main.tf:155-177
   via s3-artifact.tf:102-133 (module.artifactory)
────────────────────────────────────────────────────────────────────────────────
 155 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
 156 │   count = local.create_bucket && length(keys(var.server_side_encryption_configuration)) > 0 ? 1 : 0
 157 │ 
 158 │   bucket                = aws_s3_bucket.this[0].id
 159 │   expected_bucket_owner = var.expected_bucket_owner
 160 │ 
 161 │   dynamic "rule" {
 162 │     for_each = try(flatten([var.server_side_encryption_configuration["rule"]]), [])
 163 └ 
 ...   
────────────────────────────────────────────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────────────────────────────────────────────
 terraform-aws-modules/s3-bucket/aws/main.tf:155-177
   via s3-artifact.tf:102-133 (module.artifactory)
────────────────────────────────────────────────────────────────────────────────
 155 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
 156 │   count = local.create_bucket && length(keys(var.server_side_encryption_configuration)) > 0 ? 1 : 0
 157 │ 
 158 │   bucket                = aws_s3_bucket.this[0].id
 159 │   expected_bucket_owner = var.expected_bucket_owner
 160 │ 
 161 │   dynamic "rule" {
 162 │     for_each = try(flatten([var.server_side_encryption_configuration["rule"]]), [])
 163 └ 
 ...   
────────────────────────────────────────────────────────────────────────────────

Version

0.45.1

@nikpivkin nikpivkin added bug scan/misconfiguration Issues relating to misconfiguration scanning labels Mar 5, 2024
@nikpivkin nikpivkin changed the title bug(terraform): False detection for S3 encryption (AVD-AWS-0088) bug(terraform): module output values are not passed into the context of other modules Mar 5, 2024
@heathsnow

Yeah, this issue is affecting a few of my builds as well. I've tried outputting my terraform plan as JSON and referencing it with the scan-ref option, but no luck (the action doesn't look in the correct directory... it doesn't honor the working-directory workflow attribute).

nikpivkin commented Mar 11, 2024

@simar7 I found another problem. Modules are parsed in alphabetical order of their names. This can cause a module to not have access to the output variables of another module if it is parsed first. Because of this, the for_each and count meta-arguments will not be evaluated, and the dynamic block will not be expanded if those variables are used.

Here's an example:
main.tf

module "module1" {
  source = "./modules/module1"
}
module "module2" {
  source   = "./modules/module2"
  test_var = module.module1.test_out
}

./modules/module2

variable "test_var" {}
resource "test_resource" "this" {
  dynamic "dynamic_block" {
    for_each = [var.test_var]
    content {
      some_attr = dynamic_block.value
    }
  }
}

The dynamic block will be expanded in this case.

But if I rename module2 to module1 and module1 to module2, then the block is not expanded.

module "module2" {
  source = "./modules/module1"
}
module "module1" {
  source   = "./modules/module2"
  test_var = module.module2.test_out
}
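To make the ordering problem from this comment (and the artifactory_key/artifactory_bucket case from the original report) concrete, here is an added Go example; it is not Trivy's code and not what #6411 implemented. It models a module call as a name, its input expressions kept as text and its output names (all constructed), and contrasts evaluating modules in a fixed name order with evaluating a referenced module before the module that references it.

```go
package main

import "regexp"

// Module is a simplified stand-in for a Terraform module call, constructed for
// this example: Inputs are the HCL expressions passed to it, kept as text.
type Module struct {
	Name    string
	Inputs  []string
	Outputs []string
}

// modRef matches a module.<name>.<output> reference inside an expression.
var modRef = regexp.MustCompile(`module\.([A-Za-z0-9_]+)\.([A-Za-z0-9_]+)`)

// Evaluate walks modules in the given order, adding each module's outputs to a
// shared context. With resolveDeps false it mimics the behaviour from the issue:
// a reference to a module evaluated later stays unresolved, so a for_each or
// dynamic block using it cannot expand. With resolveDeps true the referenced
// module is evaluated first, so the reference resolves whatever the name order.
func Evaluate(mods []Module, order []string, resolveDeps bool) (unresolved []string) {
	byName, done, ctx := map[string]Module{}, map[string]bool{}, map[string]bool{}
	for _, m := range mods {
		byName[m.Name] = m
	}
	var eval func(string)
	eval = func(n string) {
		if done[n] {
			return // each module is evaluated once; Terraform rejects cycles anyway
		}
		done[n] = true
		for _, expr := range byName[n].Inputs {
			for _, r := range modRef.FindAllStringSubmatch(expr, -1) {
				if resolveDeps {
					eval(r[1]) // r[1] is the referenced module's name
				}
				if !ctx[r[0]] {
					unresolved = append(unresolved, n+" needs "+r[0])
				}
			}
		}
		for _, o := range byName[n].Outputs {
			ctx["module."+n+"."+o] = true
		}
	}
	for _, n := range order {
		eval(n)
	}
	return unresolved
}
```

With the renamed modules from this comment, name order evaluates module1 before module2 and reports module1's reference as unresolved; with resolveDeps set, module2 is evaluated on demand and nothing is missing.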

@simar7 simar7 added kind/bug Categorizes issue or PR as related to a bug. and removed bug labels Mar 12, 2024