
using data google_iam_policy results in no checks performed #2957

Closed
jezzirolk opened this issue May 11, 2022 · 5 comments
Labels
checks Check additions or changes good first issue Good for newcomers stale terraform

Comments


jezzirolk commented May 11, 2022

Describe the issue
On GCP, if you apply a role via a policy that is applied, none of the checks are performed. The example below should pass CKV_GCP_48 and fail CKV_GCP_44 (with my variables), but when Checkov is run, no checks are run, pass or fail.

Examples

data "google_iam_policy" "folder" {
  binding {
    role = "roles/owner"

    members = var.admins
  }

  binding {
    role = "roles/viewer"

    members = var.viewers
  }
}

resource "google_folder_iam_policy" "folder" {
  folder      = resource.google_folder.folder.name
  policy_data = data.google_iam_policy.folder.policy_data
}

Version (please complete the following information):
Checkov Version 2.0.1136

@jezzirolk jezzirolk added the checks Check additions or changes label May 11, 2022
Contributor

gruebel commented May 13, 2022

Hi @jezzirolk, this is correct. We differentiate between resource and data blocks, and the mentioned checks only support resources. We welcome contributions to add those checks also for data blocks.

@gruebel gruebel added good first issue Good for newcomers terraform labels May 13, 2022

hek23 commented May 13, 2022

But in this example, is it assumed that the folder from which you extract the policy (used in the data object) is different from the one used in the resource object? Because if it's different, it makes sense that it is a bug; if not, it's just a getIam action (no modification).

jezzirolk (Author) commented

So the thing to note here is that while this is a data object, it is not reading any data: to apply a policy as a whole, you define a data object and then apply said object with the google_folder_iam_policy resource. I understand that you don't check normal data objects because they aren't being managed, but in this case I'm not reading the data from anywhere; I'm defining it to be applied elsewhere. This issue applies to anything I define in a policy like this and fails both when I check the Terraform and when I check the plan file (at which point it is in a resource definition and should definitely fail).

Documentation about how these resources are used is below:

https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/iam_policy
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_folder_iam#google_folder_iam_policy

But this also applies to google_organization_iam_policy, google_project_iam_policy, and probably others (these are so far the 3 that I'm using).
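To make the gap described in this thread concrete, here is an added illustration in Python. It is not Checkov's code and does not implement any real CKV_GCP_* check; it only shows what a check has to do for the pattern above: start from a google_*_iam_policy resource, follow its policy_data reference back to the google_iam_policy data block, and evaluate that block's binding entries, since the data block is where the bindings are actually defined. The parsed-block shape, the function names, and the BROAD_ROLES deny list are all assumptions made for the example, and the two parsed blocks are constructed from the HCL posted in the issue.

```python
"""Illustrative data-block policy check (added example, not Checkov's code).

Checks that run only on resource blocks never see the bindings in a
`data "google_iam_policy"` block, yet that block is what the
google_*_iam_policy resource applies.  This example follows the
policy_data reference from the resource to the data block and evaluates
the bindings found there.  Block shape, names and role list are assumptions.
"""
from __future__ import annotations

# Constructed: the issue's two blocks as a scanner might hand them to a
# check after parsing.  Attribute names mirror the HCL; values are kept
# as the raw expressions because var.* references are not resolvable here.
PARSED_DATA_BLOCKS = {
    "google_iam_policy.folder": {
        "binding": [
            {"role": "roles/owner", "members": "var.admins"},
            {"role": "roles/viewer", "members": "var.viewers"},
        ],
    },
}

PARSED_RESOURCES = {
    "google_folder_iam_policy.folder": {
        "folder": "resource.google_folder.folder.name",
        "policy_data": "data.google_iam_policy.folder.policy_data",
    },
}

# Hypothetical deny list for this illustration only: basic roles that grant
# broad rights over everything under a folder/project/organization.
BROAD_ROLES = {"roles/owner", "roles/editor"}


def policy_data_ref(resource: dict) -> str | None:
    """Return 'google_iam_policy.<name>' if policy_data references a data block.

    Returns None when policy_data is anything else (e.g. an inline
    jsonencode(...) expression), which the caller reports as UNKNOWN rather
    than silently passing.
    """
    ref = resource.get("policy_data", "")
    prefix, suffix = "data.", ".policy_data"
    if ref.startswith(prefix) and ref.endswith(suffix):
        return ref[len(prefix):-len(suffix)]
    return None


def bindings_for(resource: dict, data_blocks: dict) -> list[dict]:
    """Collect the binding entries of the data block a resource applies."""
    key = policy_data_ref(resource)
    if key is None:
        return []
    return data_blocks.get(key, {}).get("binding", [])


def check_policy_resource(name: str, resource: dict, data_blocks: dict) -> dict:
    """Evaluate one google_*_iam_policy resource via its referenced data block."""
    if policy_data_ref(resource) is None:
        # The policy is not a traceable data reference; say so instead of
        # reporting a pass the scanner cannot justify.
        return {"resource": name, "result": "UNKNOWN", "roles": []}
    flagged = [b["role"] for b in bindings_for(resource, data_blocks)
               if b.get("role") in BROAD_ROLES]
    return {"resource": name,
            "result": "FAILED" if flagged else "PASSED",
            "roles": flagged}


def scan(resources: dict, data_blocks: dict) -> list[dict]:
    """Run the check over every *_iam_policy resource in the parsed input."""
    return [check_policy_resource(name, res, data_blocks)
            for name, res in resources.items()
            if name.split(".")[0].endswith("_iam_policy")]


if __name__ == "__main__":
    for finding in scan(PARSED_RESOURCES, PARSED_DATA_BLOCKS):
        print(finding)
```

Running it against the constructed input reports google_folder_iam_policy.folder as FAILED because the data block it applies binds roles/owner, which is the outcome the issue expects for a resource-level check; a resource whose policy_data is not a data.* reference comes back as UNKNOWN so that an untraceable policy is never counted as a pass.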


stale bot commented Nov 22, 2022

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io
Thanks!

@stale stale bot added the stale label Nov 22, 2022

stale bot commented Dec 8, 2022

Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: https://slack.bridgecrew.io Thanks!

@stale stale bot closed this as completed Dec 8, 2022