Status: Open
Labels: checks (Check additions or changes)
Description
Describe the issue
CKV_AWS_18 (Ensure S3 bucket has access logging enabled) fails when S3 bucket is created using count/for_each. I did some investigation and there are no edges created between aws_s3_bucket and aws_s3_bucket_logging vertices after for_each handling.
This is likely an issue with the _build_edges_for_vertex function. When the function tries to look for possible vertices here, it only looks for aws_s3_bucket.bucket.id and not for the indexed aws_s3_bucket.bucket[0].id, as the index is getting stripped away. This issue is likely happening in other checks as well.
Examples
Passing example
```hcl
resource "aws_s3_bucket" "bucket" {
  bucket = "bucket"
}

resource "aws_s3_bucket_logging" "logging" {
  bucket        = aws_s3_bucket.bucket.id
  target_bucket = local.s3_server_access_logs_target_bucket
  target_prefix = "logs/"
}
```
Failing example (with count)
```hcl
resource "aws_s3_bucket" "bucket" {
  count  = 1
  bucket = "bucket"
}

resource "aws_s3_bucket_logging" "logging" {
  bucket        = aws_s3_bucket.bucket[0].id
  target_bucket = local.logging_bucket
  target_prefix = "logs/"
}
```
Failing example (for_each)
```hcl
variable "bucket_names" {
  type    = set(string)
  default = toset(["bucket1", "bucket2"])
}

resource "aws_s3_bucket" "bucket" {
  for_each = var.bucket_names
  bucket   = each.value
}

resource "aws_s3_bucket_logging" "logging" {
  for_each      = aws_s3_bucket.bucket
  bucket        = each.value.id
  target_bucket = local.logging_bucket
  target_prefix = "logs/${each.value.id}/"
}
```
Version
- Checkov Version: 3.2.488
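As an added illustration of the edge-matching the report describes (example code, not Checkov's own implementation), the resolver below maps a plain `aws_s3_bucket.bucket.id`, a count-indexed `aws_s3_bucket.bucket[0].id` and a for_each-keyed `aws_s3_bucket.bucket["bucket1"].id` to the same block vertex, and rewrites `each.value.id` to the referencing block's `for_each` expression. The `VERTICES` table, the regex and the helper names are constructed for this example.

```python
import re

# Simplified Terraform reference grammar (hypothetical, not Checkov's):
#   <type>.<name>[<index>].<attr>  -- <index> is an integer (count) or a quoted key (for_each)
_REF_RE = re.compile(
    r'^(?P<type>[A-Za-z_][\w-]*)\.(?P<name>[A-Za-z_][\w-]*)'
    r'(?:\[(?P<index>\d+|"[^"]*")\])?(?:\.(?P<attr>[\w.]+))?$'
)

# Constructed vertices keyed by block address; values are the block's attributes.
VERTICES = {
    "aws_s3_bucket.bucket": {"count": 1, "bucket": "bucket"},
    "aws_s3_bucket_logging.logging": {"bucket": "aws_s3_bucket.bucket[0].id",
                                      "target_bucket": "local.logging_bucket"},
    "aws_s3_bucket.other": {"for_each": "var.bucket_names", "bucket": "each.value"},
    "aws_s3_bucket_logging.other": {"for_each": "aws_s3_bucket.other",
                                    "bucket": "each.value.id"},
}

def parse_reference(ref):
    """Split 'aws_s3_bucket.bucket[0].id' into block address, index and attribute."""
    m = _REF_RE.match(ref.strip())
    if not m:
        return None
    index = m.group("index")
    if index is not None:
        index = index.strip('"') if index.startswith('"') else int(index)
    return {"address": f'{m.group("type")}.{m.group("name")}',
            "index": index, "attr": m.group("attr")}

def resolve_target(ref, source, vertices):
    """Address of the vertex a reference points at (plain, [0] or ["k"] form), or None."""
    if ref.startswith("each.value"):  # each.value.id -> <for_each expression>.id
        ref = source.get("for_each", "") + ref[len("each.value"):]
    parsed = parse_reference(ref)
    if parsed is None:
        return None
    # The index selects one instance, but the graph vertex is the whole block,
    # so the lookup key must be the address with the index stripped.
    return parsed["address"] if parsed["address"] in vertices else None

def build_logging_edges(vertices):
    """(logging block, bucket block) pairs for every aws_s3_bucket_logging vertex."""
    edges = []
    for addr, attrs in vertices.items():
        if addr.startswith("aws_s3_bucket_logging."):
            target = resolve_target(str(attrs.get("bucket", "")), attrs, vertices)
            if target is not None:
                edges.append((addr, target))
    return edges
```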