Source: https://github.com/bridgecrewio/checkov/issues/2957 (archived 2022-07-07)

using data google_iam_policy results in no checks performed #2957

Open

jezzirolk opened this issue May 11, 2022 · 3 comments
Labels
checks good first issue terraform

Comments

jezzirolk commented May 11, 2022

Describe the issue
On GCP, if you apply a role via a policy, none of the checks are performed. The example below should pass CKV_GCP_48 and fail CKV_GCP_44 (with my variables), but when checkov is run, no checks are run, pass or fail.

Examples

data "google_iam_policy" "folder" {
  binding {
    role = "roles/owner"

    members = var.admins
  }

  binding {
    role = "roles/viewer"

    members = var.viewers
  }
}

resource "google_folder_iam_policy" "folder" {
  folder      = resource.google_folder.folder.name
  policy_data = data.google_iam_policy.folder.policy_data
}

Version (please complete the following information):
Checkov Version 2.0.1136

@jezzirolk jezzirolk added the checks label May 11, 2022
gruebel (Collaborator) commented May 13, 2022

hi @jezzirolk, this is correct. We differentiate between resource and data blocks, and the mentioned checks only support resources. We welcome contributions to add those checks also for data blocks.

@gruebel gruebel added good first issue terraform labels May 13, 2022
hek23 commented May 13, 2022

But in this example, is it assumed that the folder from which you extract the policy (used in the data object) is different from the one used in the resource object? Because if it's different, it makes sense that this is a bug; if not, it's just a getIam action (no modification).

jezzirolk (Author) commented May 26, 2022

So the thing to note here is that while this is a data object, it is not reading any data: to apply a policy as a whole, you define a data object and then apply said object with the google_folder_iam_policy resource. I understand that you don't check normal data objects because they aren't being managed, but in this case I'm not reading the data from anywhere; I'm defining it to be applied elsewhere. This issue applies to anything I define in a policy like this, and it fails both when I check the terraform and when I check the plan file (at which point it is in a resource definition and should definitely fail).

documentation about how these resources are used below

https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/iam_policy
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_folder_iam#google_folder_iam_policy

But this also applies to google_organization_iam_policy, google_project_iam_policy, and probably others (these are so far the 3 that I'm using).
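
Added example (not checkov's code and not from any participant in this thread): a prototype of the data-block check gruebel's comment invites, evaluating the bindings inside a `data "google_iam_policy"` block directly. It operates on the dict-of-lists shape checkov's Terraform parser hands to checks, with unresolved interpolations such as `var.admins` assumed to arrive as `"${var.admins}"` strings; the two rules (impersonation roles, default service accounts) are chosen to mirror the resource-level checks discussed above, and the mapping of those rules to specific CKV IDs is from memory, not from the page. The `BaseDataCheck` wiring that would register this in checkov is described in the docstring but not shown.

```python
"""Prototype checkov-style check for bindings in a `data "google_iam_policy"` block
(added example, not checkov's own code).

Input is the dict-of-lists shape checkov's parser gives a check: every attribute
value is wrapped in a list and unresolved interpolations stay as "${...}" strings
(assumed). Inside checkov this would subclass
checkov.terraform.checks.data.base_check.BaseDataCheck with
supported_data = ["google_iam_policy"]; that wiring is assumed, not shown.
"""
from __future__ import annotations

import re
from enum import Enum
from typing import Any


class CheckResult(Enum):
    PASSED = "PASSED"
    FAILED = "FAILED"
    UNKNOWN = "UNKNOWN"  # a value the rule needs is still a variable/expression


# Rule 1: roles that let every member impersonate any service account in scope.
# Assumption: mirrors the resource-level impersonation checks.
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
}

# Rule 2: the Compute Engine and App Engine default service accounts.
# Assumption: mirrors the resource-level "default service account" checks.
DEFAULT_SA = re.compile(
    r"^serviceAccount:(\d+-compute@developer|[^@]+@appspot)\.gserviceaccount\.com$"
)

# Anything the parser left unresolved, e.g. "${var.admins}".
UNRESOLVED = re.compile(r"^\$\{.*\}$")


def first(value: Any) -> Any:
    """Unwrap checkov's one-element attribute lists; pass anything else through."""
    return value[0] if isinstance(value, list) and len(value) == 1 else value


def is_unresolved(value: Any) -> bool:
    """True for missing values and for unexpanded Terraform expressions."""
    return not isinstance(value, str) or bool(UNRESOLVED.match(value))


def scan_iam_policy_data(conf: dict[str, list[Any]]) -> tuple[CheckResult, list[str]]:
    """Return the verdict for one data block plus the checkov-style keys
    (binding/[i]/role, binding/[i]/members/[j]) that decided it."""
    verdict = CheckResult.PASSED
    evaluated: list[str] = []

    for i, binding in enumerate(conf.get("binding", [])):
        role_key = f"binding/[{i}]/role"
        role = first(binding.get("role"))
        if is_unresolved(role):
            verdict = CheckResult.UNKNOWN  # an interpolated role cannot be classified
            evaluated.append(role_key)
            continue
        if role in IMPERSONATION_ROLES:
            # A literal role is decisive even when members is a variable:
            # whoever ends up in that list receives the impersonation role.
            return CheckResult.FAILED, [role_key]

        members = first(binding.get("members", []))
        if isinstance(members, str):
            members = [members]  # a single unresolved expression such as var.admins
        for j, member in enumerate(members):
            member_key = f"binding/[{i}]/members/[{j}]"
            if is_unresolved(member):
                verdict = CheckResult.UNKNOWN  # rule 2 needs the literal principal
                evaluated.append(member_key)
            elif DEFAULT_SA.match(member):
                return CheckResult.FAILED, [member_key]
        evaluated.append(role_key)

    return verdict, evaluated


# Constructed: the issue's data block as the parser would hand it over.
ISSUE_BLOCK: dict[str, list[Any]] = {
    "binding": [
        {"role": ["roles/owner"], "members": ["${var.admins}"]},
        {"role": ["roles/viewer"], "members": ["${var.viewers}"]},
    ]
}

# Constructed: literal members plus one binding granting an impersonation role.
IMPERSONATION_BLOCK: dict[str, list[Any]] = {
    "binding": [
        {"role": ["roles/viewer"], "members": [["group:sec@example.com"]]},
        {"role": ["roles/iam.serviceAccountTokenCreator"], "members": ["${var.admins}"]},
    ]
}


if __name__ == "__main__":
    for name, block in (("issue", ISSUE_BLOCK), ("impersonation", IMPERSONATION_BLOCK)):
        result, keys = scan_iam_policy_data(block)
        print(f"{name}: {result.value} {keys}")
```

The issue's own block comes back UNKNOWN rather than PASSED: the roles are literal and clean, but the members are variables, so a member-based rule cannot honestly pass it until the plan (where the variables are expanded) is scanned. A literal impersonation role, by contrast, fails regardless of who the members turn out to be.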
