
Checkov does not run checks, issues no errors, when deleting resources in Terraform plan. #5587

@eap

Description

I'm setting up Checkov as a presubmit test for a GitHub config management repo. When creating resources, checkov will run checks as expected (including my custom check to guard against deletion). But when deleting resources, checkov runs no checks at all and just reports success with no further information.

Here is an example of what the run looks like when evaluating a plan that deletes all my resources.

```
$ checkov --external-checks-dir tf/checks -f tf/plan.delete.json
[ arm framework ]: 100%|████████████████████|[1/1], Current File Scanned=tf/plan.delete.json
... more loading and pretty ascii art omitted for brevity ...

By bridgecrew.io | version: 2.4.47
Update available 2.4.47 -> 2.4.48
Run pip3 install -U checkov to update



$
```

If I make a plan against the same terraform project before I delete my resources, it will run all of the checks, including my custom check.

```
$ checkov --external-checks-dir tf/checks -f tf/plan.nochange.json
[ arm framework ]: 100%|████████████████████|[1/1], Current File Scanned=tf/plan.nochange.json
... more loading and pretty ascii art ...

By bridgecrew.io | version: 2.4.47
Update available 2.4.47 -> 2.4.48
Run pip3 install -U checkov to update

terraform_plan scan results:
Passed checks: 3, Failed checks: 3, Skipped checks: 0

Check: CKV_GIT_3: "Ensure GitHub repository has vulnerability alerts enabled"
	PASSED for resource: module.managed_github_repo["test"].github_repository.repository
Check: CKV_GIT_1: "Ensure GitHub repository is Private"
	PASSED for resource: module.managed_github_repo["test"].github_repository.repository
Check: DELETEREPO_GITHUB: "Ensure GitHub repository is not deleted"
	PASSED for resource: module.managed_github_repo["test"].github_repository.repository
Check: CKV_GIT_5: "GitHub pull requests should require at least 2 approvals"
	FAILED for resource: module.managed_github_repo["test"].github_branch_protection.protect_default_branch
```

Here's a heavily abbreviated version of my terraform plan that results in no checks being run. Note that there is a repository in the prior state, and there's a repository in the resource changes section with `"change": { "actions": [ "delete" ...` that I am filtering for.

```json
{
  "format_version": "1.2",
  "terraform_version": "1.5.7",
  "variables": {
    "github_token": {
      "value": "obviously-redacted-secret-key-value"
    }
  },
  "planned_values": {
    "root_module": {}
  },
  "resource_changes": [
    {
      "address": "module.managed_github_repo[\"test\"].github_repository.repository",
      "module_address": "module.managed_github_repo[\"test\"]",
      "mode": "managed",
      "type": "github_repository",
      "name": "repository",
      "provider_name": "registry.terraform.io/integrations/github",
      "change": {
        "actions": [
          "delete"
        ],
        "before": {
          ... a bunch of stuff
        },
        "after": null,
        "after_unknown": {},
        "before_sensitive": {
          ... more stuff
        },
        "after_sensitive": false
      },
      "action_reason": "delete_because_no_module"
    }
  ],
  "prior_state": {
    "format_version": "1.0",
    "terraform_version": "1.5.7",
    "values": {
      "root_module": {
        "child_modules": [
          {
            "address": "module.managed_github_repo[\"test\"]",
            "resources": [
              {
                "address": "module.managed_github_repo[\"test\"].github_repository.repository",
                "mode": "managed",
                "type": "github_repository",
                "name": "repository",
                "provider_name": "registry.terraform.io/integrations/github",
                "schema_version": 1,
                "values": {
                  ... config
                },
                "sensitive_values": {
                  ... config
                }
              }
            ]
          }
        ]
      }
    }
  },
  "configuration": {
    "provider_config": {
      "github": {
        "name": "github",
        "full_name": "registry.terraform.io/integrations/github",
        ... config
      }
    },
    "root_module": {
      "module_calls": {
        "managed_github_repo": {
          "source": "./v1/managed_github_repo",
          "expressions": {
            ... expressions
          }
        }
      }
    }
  },
  "relevant_attributes": [
    {
      "resource": "module.managed_github_repo[\"test\"].github_repository.repository",
      "attribute": [
        "node_id"
      ]
    }
  ]
}
```

For completeness, here's my custom "DELETEREPO_GITHUB" rule.

```yaml
metadata:
  name: "Ensure GitHub repository is not deleted"
  id: "DELETEREPO_GITHUB"
  category: "GENERAL_SECURITY"
definition:
  cond_type: attribute
  resource_types:
    - github_repository
  attribute: __change_actions__
  operator: not_contains
  value: delete
```
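The following is an added example, not code from the issue or from the Checkov project. It implements, as a stand-alone presubmit script, the same guard the YAML rule above expresses: walk `resource_changes` in a Terraform plan JSON and fail when a `github_repository` is planned for deletion. It goes slightly beyond the rule by classifying each change (Terraform lists a replacement as the two actions `delete` and `create`, which a pure "not_contains delete" test would also flag) and by reporting Terraform's `action_reason`, such as the `delete_because_no_module` seen in the plan above. The embedded plan is a constructed sample shaped like the abbreviated plan in the issue, not the author's real file; `SAMPLE_PLAN`, `classify` and `find_destructive_changes` are names chosen here.

```python
"""Stand-alone guard against planned resource deletions in a Terraform plan JSON.

Added example: a fallback for the case described in the issue, where Checkov runs no
checks on a delete-only plan. Usage: python guard.py tf/plan.json (no argument runs the
constructed sample below). Exit status 1 means a guarded deletion was found.
"""
import json
import sys

# Constructed sample modelled on the abbreviated plan in the issue (not the real plan file).
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": 'module.managed_github_repo["test"].github_repository.repository',
            "mode": "managed",
            "type": "github_repository",
            "change": {"actions": ["delete"], "before": {"name": "test"}, "after": None},
            "action_reason": "delete_because_no_module",
        },
        {   # a replacement: Terraform records it as delete + create
            "address": "github_branch_protection.protect_default_branch",
            "mode": "managed",
            "type": "github_branch_protection",
            "change": {"actions": ["delete", "create"], "before": {}, "after": {}},
        },
        {   # untouched resource
            "address": "github_repository.kept",
            "mode": "managed",
            "type": "github_repository",
            "change": {"actions": ["no-op"], "before": {}, "after": {}},
        },
    ],
})


def classify(actions):
    """Collapse Terraform's change.actions list into one word.

    Terraform emits ["delete", "create"] or ["create", "delete"] for a replacement,
    so a plain membership test for "delete" cannot tell a replace from a destroy.
    """
    acts = set(actions)
    if "delete" in acts and "create" in acts:
        return "replace"
    if "delete" in acts:
        return "delete"
    if "create" in acts:
        return "create"
    if "update" in acts:
        return "update"
    return "no-op"


def find_destructive_changes(plan, resource_types=None, block_replace=False):
    """Return [(address, type, kind, action_reason)] for every managed resource whose
    planned actions destroy state.

    resource_types restricts the scan, like the YAML rule's resource_types list;
    None scans every type. block_replace=True also reports replacements.
    """
    hits = []
    for rc in plan.get("resource_changes", []):
        if rc.get("mode", "managed") != "managed":
            continue  # data sources hold no state to destroy
        if resource_types and rc.get("type") not in resource_types:
            continue
        kind = classify(rc.get("change", {}).get("actions", []))
        if kind == "delete" or (block_replace and kind == "replace"):
            hits.append((rc["address"], rc.get("type"), kind, rc.get("action_reason", "")))
    return hits


def main(argv):
    """Load the plan named on the command line (or the sample) and report like Checkov would."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            plan = json.load(fh)
    else:
        plan = json.loads(SAMPLE_PLAN)
    hits = find_destructive_changes(plan, resource_types={"github_repository"})
    for address, rtype, kind, reason in hits:
        print(f'Check: DELETEREPO_GITHUB: "Ensure GitHub repository is not deleted"')
        print(f"\tFAILED for resource: {address} ({kind} of {rtype}, reason: {reason or 'n/a'})")
    if not hits:
        print("PASSED DELETEREPO_GITHUB: no github_repository deletions planned")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wiring this in next to `checkov` in the presubmit job means a delete-only plan still fails the build even when Checkov loads zero resources from it; `block_replace=True` is the stricter setting for repositories whose contents cannot be recreated from configuration.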
