
Sometimes provisioners are passed in a mangled form to scan_resource_conf #7317

@UgniusV

Description

Describe the issue
Terraform provisioners are sometimes passed in a "mangled" form to the scan_resource_conf method.

Examples
Try running the following policy:

```python
from typing import Dict, Any

from checkov.common.typing import _SkippedCheck, _CheckResult
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckResult, CheckCategories

CHECK_ID = "NO_LOCAL_EXEC_PROVISIONERS"


class ForbidLocalExecProvisioners(BaseResourceCheck):
    def __init__(self):
        id = CHECK_ID
        name = "Forbid all local-exec provisioners"

        # Apply to every Terraform resource type.
        supported_resources = ['*']
        categories = [CheckCategories.SUPPLY_CHAIN, CheckCategories.GENERAL_SECURITY]
        guideline = "https://some-docuementation.com/wiki/spaces/DE/pages/5409898650/Checkov#Forbid-all-local-exec-provisioners"
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources, guideline=guideline)

    def scan_resource_conf(self, conf):
        # No provisioner blocks at all: nothing to flag.
        if 'provisioner' not in conf:
            return CheckResult.PASSED

        # conf['provisioner'] is expected to be a list of {"<type>": {...}} dicts.
        if not any('local-exec' in p for p in conf['provisioner']):
            return CheckResult.PASSED

        return CheckResult.FAILED

check = ForbidLocalExecProvisioners()
```

against the resource below.

```hcl
terraform {
  required_providers {
    okta = {
      source  = "okta/okta"
      version = "~> 4.0"
    }
  }
}

resource "okta_group_rule" "service_accounts" {
  name              = "Service Accounts"
  status            = "ACTIVE"
  expression_type   = "urn:okta:expression:1.0"
  expression_value  = "user.firstName == \"svc\""
  group_assignments = [ 1234 ]
  provisioner "local-exec" {
    program = ["ls"]
  }
}
```

The policy passes when it should fail. Normally, we should be able to retrieve the provisioner with conf['provisioner'], but in this case it will be under the conf['provisioner/local-exec'] key.

Version (please complete the following information):

  • Checkov Version: 3.2.471
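Added example (not part of the issue or of checkov): a helper that collects provisioner types from both shapes described above, the normal `conf['provisioner']` list and the mangled `conf['provisioner/<type>']` key, so a custom check can fail on `local-exec` either way. The sample configs are constructed to mirror the issue, not taken from checkov's parser output.

```python
from typing import Any, Dict, List

# Constructed sample resource configs, shaped like the two cases in the issue.
# Normal shape: provisioner blocks live under the "provisioner" key.
CONF_NORMAL: Dict[str, Any] = {
    "name": ["Service Accounts"],
    "provisioner": [{"local-exec": {"program": [["ls"]]}}],
}
# Mangled shape: the block type is folded into the key as "provisioner/<type>".
CONF_MANGLED: Dict[str, Any] = {
    "name": ["Service Accounts"],
    "provisioner/local-exec": [{"program": [["ls"]]}],
}
# Control case: a provisioner that is not local-exec.
CONF_REMOTE: Dict[str, Any] = {
    "provisioner": [{"remote-exec": {"inline": [["ls"]]}}],
}


def provisioner_types(conf: Dict[str, Any]) -> List[str]:
    """Return every provisioner type (e.g. 'local-exec') declared in a resource conf.

    Handles the normal shape, where conf['provisioner'] is a list of
    single-key dicts keyed by provisioner type, and the mangled shape from
    the issue, where the type is appended to the key itself.
    """
    types: List[str] = []
    for key, value in conf.items():
        if key == "provisioner":
            for block in value or []:
                if isinstance(block, dict):
                    types.extend(block.keys())
        elif key.startswith("provisioner/"):
            types.append(key.split("/", 1)[1])
    return types


def has_local_exec(conf: Dict[str, Any]) -> bool:
    """True when the resource declares a local-exec provisioner in either shape."""
    return "local-exec" in provisioner_types(conf)
```

A check's `scan_resource_conf` can then return `CheckResult.FAILED` when `has_local_exec(conf)` is true, instead of looking only at `conf['provisioner']`.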
