fix(checks): aws_lambda_permission should not be checked for x-ray scanning

[simar7]

Discussed in #8227

^{Originally posted by MattBergin January 10, 2025}

Description

The aws_lambda_permission resource is being mistakenly scanned by trivy as a lambda function and returning a failure that it doesn't have x-ray tracing enabled.

This should not be the case as you cannot enable x-ray tracing on an aws_lambda_permission resource, only on a Lambda function.

Desired Behavior

aws_lambda_permissions resource should not be scanned for x-ray tracing

Actual Behavior

aws_lambda_permission resource is scanned for x-ray tracing and returns a failure as it cannot be applied to this resource.

Reproduction Steps

We can replicate the issue by creating an empty Terraform project that just contains one file (main.tf) with contents:


resource "aws_lambda_permission" "allow_cloudwatch" {
  statement_id  = "AllowExecutionFromCloudWatch"
  action        = "lambda:InvokeFunction"
  function_name = "foobar"
  principal     = "events.amazonaws.com"
  source_arn    = "arn:aws:events:eu-west-1:111122223333:rule/RunDaily"
}

Running a trivy scan on this returns the following error:

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

AVD-AWS-0066 (LOW): Function does not have tracing enabled.
════════════════════════════════════════════════════════════════════════════════
X-Ray tracing enables end-to-end debugging and analysis of all function activity. This will allow for identifying bottlenecks, slow downs and timeouts.

### Target

None

### Scanner

Misconfiguration

### Output Format

JSON

### Mode

Standalone

### Debug Output

```bash
$ /usr/local/bin/./trivy conf --debug --misconfig-scanners terraform .
2025-01-10T14:10:47Z    DEBUG   No plugins loaded
2025-01-10T14:10:47Z    DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-01-10T14:10:47Z    DEBUG   Cache dir       dir="/home/ec2-user/.cache/trivy"
2025-01-10T14:10:47Z    DEBUG   Cache dir       dir="/home/ec2-user/.cache/trivy"
2025-01-10T14:10:47Z    DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-01-10T14:10:47Z    INFO    [misconfig] Misconfiguration scanning is enabled
2025-01-10T14:10:47Z    DEBUG   [misconfig] Checks successfully loaded from disk
2025-01-10T14:10:47Z    DEBUG   Enabling misconfiguration scanners      scanners=[terraform]
2025-01-10T14:10:47Z    DEBUG   Initializing scan cache...      type="memory"
2025-01-10T14:10:47Z    DEBUG   [misconfig] Scanning files for misconfigurations...     scanner="Terraform"
2025-01-10T14:10:47Z    DEBUG   [terraform scanner] Scanning directory  file_path="."
2025-01-10T14:10:47Z    DEBUG   [rego] Overriding filesystem for checks
2025-01-10T14:10:47Z    DEBUG   [rego] Embedded libraries are loaded    count=15
2025-01-10T14:10:47Z    DEBUG   [rego] Embedded checks are loaded       count=511
2025-01-10T14:10:47Z    DEBUG   [rego] Checks from disk are loaded      count=526
2025-01-10T14:10:47Z    DEBUG   [rego] Overriding filesystem for data
2025-01-10T14:10:47Z    DEBUG   [terraform parser] Setting project/module root  module="root" file_path="."
2025-01-10T14:10:47Z    DEBUG   [terraform parser] Parsing FS   module="root" file_path="."
2025-01-10T14:10:47Z    DEBUG   [terraform parser] Parsing      module="root" file_path="main.tf"
2025-01-10T14:10:47Z    DEBUG   [terraform parser] Added file   module="root" file_path="main.tf"
2025-01-10T14:10:47Z    INFO    [terraform scanner] Scanning root module        file_path="."
2025-01-10T14:10:47Z    DEBUG   [terraform parser] Setting project/module root  module="root" file_path="."
2025-01-10T14:10:47Z    DEBUG   [terraform parser] Parsing FS   module="root" file_path="."
2025-01-10T14:10:47Z    DEBUG   [terraform parser] Parsing      module="root" file_path="main.tf"
2025-01-10T14:10:47Z    DEBUG   [terraform parser] Added file   module="root" file_path="main.tf"
2025-01-10T14:10:47Z    DEBUG   [terraform parser] Loading module       module="root" module="root"
2025-01-10T14:10:47Z    DEBUG   [terraform parser] Read block(s) and ignore(s)  module="root" blocks=1 ignores=0
2025-01-10T14:10:47Z    DEBUG   [terraform parser] Added input variables from tfvars    module="root" count=0
2025-01-10T14:10:47Z    DEBUG   [terraform parser] Working directory for module evaluation      module="root" file_path="/home/ec2-user/debugtrivy"
2025-01-10T14:10:47Z    DEBUG   [terraform evaluator] Starting module evaluation...     path="."
2025-01-10T14:10:47Z    DEBUG   [terraform evaluator] Starting iteration        iteration=0
2025-01-10T14:10:47Z    DEBUG   [terraform evaluator] Starting iteration        iteration=1
2025-01-10T14:10:47Z    DEBUG   [terraform evaluator] Context unchanged iteration=1
2025-01-10T14:10:47Z    DEBUG   [terraform evaluator] Starting post-submodules evaluation...
2025-01-10T14:10:47Z    DEBUG   [terraform evaluator] Starting iteration        iteration=0
2025-01-10T14:10:47Z    DEBUG   [terraform evaluator] Starting iteration        iteration=1
2025-01-10T14:10:47Z    DEBUG   [terraform evaluator] Context unchanged iteration=1
2025-01-10T14:10:47Z    DEBUG   [terraform evaluator] Module evaluation complete.
2025-01-10T14:10:47Z    DEBUG   [terraform parser] Finished parsing module      module="root"
2025-01-10T14:10:47Z    DEBUG   [terraform executor] Adapting modules...
2025-01-10T14:10:47Z    DEBUG   [terraform executor] Adapted module(s) into state data. count=1
2025-01-10T14:10:47Z    DEBUG   [rego] Scanning inputs  count=1
2025-01-10T14:10:47Z    DEBUG   [terraform executor] Finished applying rules.
2025-01-10T14:10:47Z    DEBUG   [terraform executor] Applying ignores...
2025-01-10T14:10:47Z    DEBUG   OS is not detected.
2025-01-10T14:10:47Z    INFO    Detected config files   num=2
2025-01-10T14:10:47Z    DEBUG   Scanned config file     file_path=""
2025-01-10T14:10:47Z    DEBUG   Scanned config file     file_path="."
2025-01-10T14:10:47Z    DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-01-10T14:10:47Z    DEBUG   [vex] VEX filtering is disabled

 (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

AVD-AWS-0066 (LOW): Function does not have tracing enabled.
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
X-Ray tracing enables end-to-end debugging and analysis of all function activity. This will allow for identifying bottlenecks, slow downs and timeouts.


See https://avd.aquasec.com/misconfig/avd-aws-0066
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Operating System

Tested on Linux and MacOs

Version

0.58.1

Checklist

• Run trivy clean --all
• Read the troubleshooting