Inconsistent in the issue count between terraform and terraformplan-snapshot scanner #7178

cybersa · 2024-07-17T07:58:15Z

cybersa
Jul 17, 2024

Description

Consider this terraform file and terraform vars file:

s3.tf:

#TF Providers
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.33.0"
    }
  }
}

# Variables
variable "env" {
  type = string
  description = "Environment name"
}

# Bucket
resource "aws_s3_bucket" "bucket" {
  count = var.env == "test" ? 1 : 0

  bucket = "test-env"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "bucket" {
  count = var.env == "test" ? 1 : 0

  bucket = aws_s3_bucket.bucket[0].bucket

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
}

resource "aws_s3_bucket_public_access_block" "bucket" {
  count = var.env == "test" ? 1 : 0

  bucket                  = aws_s3_bucket.bucket[0].id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

vars.tf

env = "test1"

I ran these command one by one:
trivy config --tf-vars vars.tfvars --misconfig-scanners "terraform" s3.tf
Not any issues. (Because condition count validated to false)
Then I used this command to generate terraform plan as a snapshot
terraform plan --var-file vars.tfvars --out tfplan
Then I ran trivy command against terraform snapshot:
trivy config --misconfig-scanners "terraformplan-snapshot" tfplan
3 open issues.

Then I ran trivy command against terraform snapshot but this time with tfvars file.
trivy config --tf-vars vars.tfvars --misconfig-scanners "terraformplan-snapshot" tfplan
No open issues this time.

Important thing is I can run terraform apply command against tfplan without passing tfvars file and it is working as excepted But it is not the case with trivy.
terraform apply tfplan

Desired Behavior

There should not be any open issues.

Actual Behavior

Inconsistent in the issue count between terraform and terraformplan-snapshot scanner

Reproduction Steps

Reproduction steps are in the descriptions.

Target

Filesystem

Scanner

Misconfiguration

Output Format

None

Mode

Standalone

Debug Output

trivy config --tf-vars vars.tfvars --misconfig-scanners "terraform" s3.tf --debug

2024-07-17T13:25:01+05:30	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-07-17T13:25:01+05:30	INFO	Misconfiguration scanning is enabled
2024-07-17T13:25:01+05:30	DEBUG	Policies successfully loaded from disk
2024-07-17T13:25:01+05:30	DEBUG	Enabling misconfiguration scanners	scanners=[terraform]
2024-07-17T13:25:01+05:30	DEBUG	Initializing scan cache...	type="memory"
2024-07-17T13:25:01+05:30	DEBUG	[nuget] The nuget packages directory couldn't be found. License search disabled
2024-07-17T13:25:01+05:30	DEBUG	Scanning files for misconfigurations...	scanner="Terraform"
2024-07-17T13:25:01+05:30	DEBUG	[misconf] 25:01.958515311 terraform.scanner                Scanning [&{%!s(*mapfs.file=&{ [] {. 256 2147484096 {13951584389820366646 449715111 0x794e200} <nil>} {{{0 0} {[] {} 0xc00222c730} map[s3.tf:0xc002876160] 0}}}) }] at '.'...
2024-07-17T13:25:01+05:30	DEBUG	[misconf] 25:01.961744044 terraform.scanner.rego           Overriding filesystem for checks!
2024-07-17T13:25:01+05:30	DEBUG	[misconf] 25:01.962682374 terraform.scanner.rego           Loaded 3 embedded libraries.
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.015683300 terraform.scanner.rego           Loaded 192 embedded policies.
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.078636752 terraform.scanner.rego           Loaded 195 checks from disk.
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.079173674 terraform.scanner.rego           Overriding filesystem for data!
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.411430132 terraform.parser.<root>          Setting project/module root to '.'
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.411467069 terraform.parser.<root>          Parsing FS from '.'
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.411488343 terraform.parser.<root>          Parsing 's3.tf'...
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.411731693 terraform.parser.<root>          Added file s3.tf.
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.411942245 terraform.scanner                Scanning root module '.'...
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.411954228 terraform.parser.<root>          Setting project/module root to '.'
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.411959368 terraform.parser.<root>          Parsing FS from '.'
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.411967952 terraform.parser.<root>          Parsing 's3.tf'...
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.412129070 terraform.parser.<root>          Added file s3.tf.
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.412143822 terraform.parser.<root>          Evaluating module...
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.412298165 terraform.parser.<root>          Read 5 block(s) and 0 ignore(s) for module 'root' (1 file[s])...
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.412356122 terraform.parser.<root>          Added 1 variables from tfvars.
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.412374139 terraform.parser.<root>          Working directory for module evaluation is "/data/projects/miraterra/git/miraterrasoil-terraform/temp"
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.412422902 terraform.parser.<root>.evaluator Filesystem key is '0a7e25e5e4735afc4368d2be0973e1efe7e7f6120962d2c3ed517ef7700ce8f6'
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.412431293 terraform.parser.<root>.evaluator Starting module evaluation...
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.412614002 terraform.parser.<root>.evaluator Expanded block 'aws_s3_bucket.bucket' into 0 clones via 'count' attribute.
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.412634681 terraform.parser.<root>.evaluator Expanded block 'aws_s3_bucket_public_access_block.bucket' into 0 clones via 'count' attribute.
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.412652716 terraform.parser.<root>.evaluator Expanded block 'aws_s3_bucket_server_side_encryption_configuration.bucket' into 0 clones via 'count' attribute.
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.412659949 terraform.parser.<root>.evaluator Starting submodule evaluation...
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.412667126 terraform.parser.<root>.evaluator All submodules are evaluated at i=0
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.412672474 terraform.parser.<root>.evaluator Starting post-submodule evaluation...
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.412702763 terraform.parser.<root>.evaluator Finished processing 0 submodule(s).
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.412708757 terraform.parser.<root>.evaluator Module evaluation complete.
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.412714368 terraform.parser.<root>          Finished parsing module 'root'.
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.412720946 terraform.executor               Adapting modules...
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.412802955 terraform.executor               Adapted 1 module(s) into defsec state data.
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.412811490 terraform.executor               Using max routines of 7
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.412896550 terraform.executor               Initialized 487 rule(s).
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.412904475 terraform.executor               Created pool with 7 worker(s) to apply rules.
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.413159165 terraform.scanner.rego           Scanning 1 inputs...
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.415645442 terraform.executor               Finished applying rules.
2024-07-17T13:25:02+05:30	DEBUG	[misconf] 25:02.415679151 terraform.executor               Applying ignores...
2024-07-17T13:25:02+05:30	DEBUG	OS is not detected.
2024-07-17T13:25:02+05:30	INFO	Detected config files	num=1
2024-07-17T13:25:02+05:30	DEBUG	Scanned config file	path="."
----
----
trivy config --misconfig-scanners "terraformplan-snapshot" tfplan --debug
2024-07-17T13:26:00+05:30	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-07-17T13:26:00+05:30	INFO	Misconfiguration scanning is enabled
2024-07-17T13:26:00+05:30	DEBUG	Policies successfully loaded from disk
2024-07-17T13:26:00+05:30	DEBUG	Enabling misconfiguration scanners	scanners=[terraformplan-snapshot]
2024-07-17T13:26:00+05:30	DEBUG	Initializing scan cache...	type="memory"
2024-07-17T13:26:00+05:30	DEBUG	[nuget] The nuget packages directory couldn't be found. License search disabled
2024-07-17T13:26:00+05:30	DEBUG	Scanning files for misconfigurations...	scanner="Terraform Plan Snapshot"
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.392926642 terraform.scanner                Scanning [&{%!s(*memoryfs.dir=&{{{0 0} 0 0 {{} 0} {{} 0}} {. 256 {13951584452605597109 508654165 0x794e200} 2147484096 <nil>} map[] map[s3.tf:0xc001298880]})}] at '.'...
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.395630194 terraform.scanner.rego           Overriding filesystem for checks!
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.396591784 terraform.scanner.rego           Loaded 3 embedded libraries.
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.448536894 terraform.scanner.rego           Loaded 192 embedded policies.
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.505785493 terraform.scanner.rego           Loaded 195 checks from disk.
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.506184181 terraform.scanner.rego           Overriding filesystem for data!
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.849516557 terraform.parser.<root>          Setting project/module root to '.'
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.849544337 terraform.parser.<root>          Parsing FS from '.'
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.849555093 terraform.parser.<root>          Parsing 's3.tf'...
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.849729368 terraform.parser.<root>          Added file s3.tf.
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.849964997 terraform.scanner                Scanning root module '.'...
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.849978541 terraform.parser.<root>          Setting project/module root to '.'
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.849983910 terraform.parser.<root>          Parsing FS from '.'
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.849991049 terraform.parser.<root>          Parsing 's3.tf'...
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.850140421 terraform.parser.<root>          Added file s3.tf.
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.850149803 terraform.parser.<root>          Evaluating module...
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.850312805 terraform.parser.<root>          Read 5 block(s) and 0 ignore(s) for module 'root' (1 file[s])...
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.850329021 terraform.parser.<root>          Added 0 variables from tfvars.
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.850349889 terraform.parser.<root>          Working directory for module evaluation is "/data/projects/miraterra/git/miraterrasoil-terraform/temp"
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.850394467 terraform.parser.<root>.evaluator Filesystem key is '633a94f89efe375a2800bb3a0aab1e18309dcb26132032eac7208a5f3bb3fe7d'
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.850402388 terraform.parser.<root>.evaluator Starting module evaluation...
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.850622200 terraform.parser.<root>.evaluator Expanded block 'aws_s3_bucket.bucket' into 1 clones via 'count' attribute.
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.850701527 terraform.parser.<root>.evaluator Expanded block 'aws_s3_bucket_public_access_block.bucket' into 1 clones via 'count' attribute.
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.850771823 terraform.parser.<root>.evaluator Expanded block 'aws_s3_bucket_server_side_encryption_configuration.bucket' into 1 clones via 'count' attribute.
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.850782054 terraform.parser.<root>.evaluator Starting submodule evaluation...
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.850789140 terraform.parser.<root>.evaluator All submodules are evaluated at i=0
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.850794626 terraform.parser.<root>.evaluator Starting post-submodule evaluation...
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.850954831 terraform.parser.<root>.evaluator Finished processing 0 submodule(s).
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.850963304 terraform.parser.<root>.evaluator Module evaluation complete.
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.850970615 terraform.parser.<root>          Finished parsing module 'root'.
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.850977980 terraform.executor               Adapting modules...
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.851085558 terraform.executor               Adapted 1 module(s) into defsec state data.
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.851096021 terraform.executor               Using max routines of 7
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.851180665 terraform.executor               Initialized 487 rule(s).
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.851188365 terraform.executor               Created pool with 7 worker(s) to apply rules.
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.851736168 terraform.scanner.rego           Scanning 1 inputs...
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.854815591 terraform.executor               Finished applying rules.
2024-07-17T13:26:00+05:30	DEBUG	[misconf] 26:00.854839154 terraform.executor               Applying ignores...
2024-07-17T13:26:00+05:30	DEBUG	OS is not detected.
2024-07-17T13:26:00+05:30	INFO	Detected config files	num=2
2024-07-17T13:26:00+05:30	DEBUG	Scanned config file	path="."
2024-07-17T13:26:00+05:30	DEBUG	Scanned config file	path="s3.tf"

s3.tf (terraformplan-snapshot)

Tests: 10 (SUCCESSES: 7, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

LOW: Bucket has logging disabled
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Ensures S3 bucket logging is enabled for S3 buckets

See https://avd.aquasec.com/misconfig/s3-bucket-logging
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 s3.tf:18-22
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  18 ┌ resource "aws_s3_bucket" "bucket" {
  19 │   count = var.env == "test" ? 1 : 0
  20 │ 
  21 │   bucket = "test-env"
  22 └ }
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


MEDIUM: Bucket does not have versioning enabled
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════

Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. 
You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. 
With versioning you can recover more easily from both unintended user actions and application failures.


See https://avd.aquasec.com/misconfig/avd-aws-0090
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 s3.tf:18-22
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  18 ┌ resource "aws_s3_bucket" "bucket" {
  19 │   count = var.env == "test" ? 1 : 0
  20 │ 
  21 │   bucket = "test-env"
  22 └ }
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 s3.tf:24-34
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  24 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "bucket" {
  25 │   count = var.env == "test" ? 1 : 0
  26 │ 
  27 │   bucket = aws_s3_bucket.bucket[0].bucket
  28 │ 
  29 │   rule {
  30 │     apply_server_side_encryption_by_default {
  31 │       sse_algorithm = "aws:kms"
  32 └     }
  ..   
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


----
----
trivy config --tf-vars vars.tfvars --misconfig-scanners "terraformplan-snapshot" tfplan --debug
2024-07-17T13:25:50+05:30	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-07-17T13:25:50+05:30	INFO	Misconfiguration scanning is enabled
2024-07-17T13:25:50+05:30	DEBUG	Policies successfully loaded from disk
2024-07-17T13:25:50+05:30	DEBUG	Enabling misconfiguration scanners	scanners=[terraformplan-snapshot]
2024-07-17T13:25:50+05:30	DEBUG	Initializing scan cache...	type="memory"
2024-07-17T13:25:50+05:30	DEBUG	[nuget] The nuget packages directory couldn't be found. License search disabled
2024-07-17T13:25:50+05:30	DEBUG	Scanning files for misconfigurations...	scanner="Terraform Plan Snapshot"
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.319811872 terraform.scanner                Scanning [&{%!s(*memoryfs.dir=&{{{0 0} 0 0 {{} 0} {{} 0}} {. 256 {13951584441795061130 497516540 0x794e200} 2147484096 <nil>} map[] map[s3.tf:0xc002b23c00]})}] at '.'...
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.322588615 terraform.scanner.rego           Overriding filesystem for checks!
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.323639105 terraform.scanner.rego           Loaded 3 embedded libraries.
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.373769353 terraform.scanner.rego           Loaded 192 embedded policies.
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.429047570 terraform.scanner.rego           Loaded 195 checks from disk.
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.429453125 terraform.scanner.rego           Overriding filesystem for data!
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.747232011 terraform.parser.<root>          Setting project/module root to '.'
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.747275749 terraform.parser.<root>          Parsing FS from '.'
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.747287680 terraform.parser.<root>          Parsing 's3.tf'...
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.747470173 terraform.parser.<root>          Added file s3.tf.
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.747660875 terraform.scanner                Scanning root module '.'...
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.747670939 terraform.parser.<root>          Setting project/module root to '.'
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.747676072 terraform.parser.<root>          Parsing FS from '.'
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.747682739 terraform.parser.<root>          Parsing 's3.tf'...
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.747815722 terraform.parser.<root>          Added file s3.tf.
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.747823362 terraform.parser.<root>          Evaluating module...
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.747975141 terraform.parser.<root>          Read 5 block(s) and 0 ignore(s) for module 'root' (1 file[s])...
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.748066405 terraform.parser.<root>          Added 1 variables from tfvars.
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.748087432 terraform.parser.<root>          Working directory for module evaluation is "/data/projects/miraterra/git/miraterrasoil-terraform/temp"
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.748128097 terraform.parser.<root>.evaluator Filesystem key is '9b8314b591fc9ac86c4ef3341908d9076453b7725329932452e7adedb3ced100'
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.748134791 terraform.parser.<root>.evaluator Starting module evaluation...
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.748320757 terraform.parser.<root>.evaluator Expanded block 'aws_s3_bucket.bucket' into 0 clones via 'count' attribute.
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.748342046 terraform.parser.<root>.evaluator Expanded block 'aws_s3_bucket_public_access_block.bucket' into 0 clones via 'count' attribute.
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.748358802 terraform.parser.<root>.evaluator Expanded block 'aws_s3_bucket_server_side_encryption_configuration.bucket' into 0 clones via 'count' attribute.
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.748365385 terraform.parser.<root>.evaluator Starting submodule evaluation...
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.748372905 terraform.parser.<root>.evaluator All submodules are evaluated at i=0
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.748377755 terraform.parser.<root>.evaluator Starting post-submodule evaluation...
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.748407774 terraform.parser.<root>.evaluator Finished processing 0 submodule(s).
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.748413403 terraform.parser.<root>.evaluator Module evaluation complete.
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.748418314 terraform.parser.<root>          Finished parsing module 'root'.
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.748423902 terraform.executor               Adapting modules...
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.748503605 terraform.executor               Adapted 1 module(s) into defsec state data.
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.748511621 terraform.executor               Using max routines of 7
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.748595595 terraform.executor               Initialized 487 rule(s).
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.748602346 terraform.executor               Created pool with 7 worker(s) to apply rules.
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.748875413 terraform.scanner.rego           Scanning 1 inputs...
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.750849882 terraform.executor               Finished applying rules.
2024-07-17T13:25:50+05:30	DEBUG	[misconf] 25:50.750876224 terraform.executor               Applying ignores...
2024-07-17T13:25:50+05:30	DEBUG	OS is not detected.
2024-07-17T13:25:50+05:30	INFO	Detected config files	num=1
2024-07-17T13:25:50+05:30	DEBUG	Scanned config file	path="."

Operating System

Ubuntu 20.04

Version

Version: 0.53.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-09-11 06:16:57.742189926 +0000 UTC
  NextUpdate: 2023-09-11 12:16:57.742189326 +0000 UTC
  DownloadedAt: 2023-09-11 07:08:10.751619881 +0000 UTC
Check Bundle:
  Digest: sha256:ef2d9ad4fce0f933b20a662004d7e55bf200987c180e7f2cd531af631f408bb3
  DownloadedAt: 2024-07-17 03:55:39.691656479 +0000 UTC

Checklist

Run trivy clean --all
Read the troubleshooting

simar7 · 2024-07-17T08:23:50Z

simar7
Jul 17, 2024
Maintainer

this feels similar to #7098 since count objects cannot be determined during plan phase @nikpivkin can you confirm?

3 replies

cybersa Jul 17, 2024
Author

I'm not sure.
But terraform apply tfplan works fine without var file.

cybersa Jul 17, 2024
Author

Update: If I pass the variable file, it throws an error in the tf apply

nikpivkin Jul 17, 2024
Maintainer

I'll look into it. terraform apply works for the Plan because the Plan already contains input data.

nikpivkin · 2024-07-25T10:04:49Z

nikpivkin
Jul 25, 2024
Maintainer

Track #7222

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Inconsistent in the issue count between terraform and terraformplan-snapshot scanner #7178

{{title}}

Replies: 2 comments 3 replies

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

Select a reply

Inconsistent in the issue count between terraform and terraformplan-snapshot scanner #7178

cybersa Jul 17, 2024

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 2 comments · 3 replies

simar7 Jul 17, 2024 Maintainer

cybersa Jul 17, 2024 Author

cybersa Jul 17, 2024 Author

nikpivkin Jul 17, 2024 Maintainer

nikpivkin Jul 25, 2024 Maintainer

cybersa
Jul 17, 2024

Replies: 2 comments 3 replies

simar7
Jul 17, 2024
Maintainer

cybersa Jul 17, 2024
Author

cybersa Jul 17, 2024
Author

nikpivkin Jul 17, 2024
Maintainer

nikpivkin
Jul 25, 2024
Maintainer