Terraform - Support optional() in variable type constraints #4874

@ppawlowski

Description

Describe the issue

While adding keys to Azure Key Vault via azurerm_key_vault_key looped with a for_each approach, checkov does not recognize key_type properly and check CKV_AZURE_112 fails.

Examples

main.tf:

  provider "azurerm" {
    features {}
  }

  variable "keys" {
    type = list(object({
      name = string
      type = optional(string, "RSA-HSM")
      size = optional(number, 2048)
    }))
    default = [{
      name = "examplekey"
    }]
  }

  data "azurerm_client_config" "current" {}

  resource "azurerm_resource_group" "this" {
    name     = "example-rg"
    location = "West Europe"
  }

  resource "azurerm_key_vault" "this" {
    name                = "examplekv"
    tenant_id           = data.azurerm_client_config.current.tenant_id
    resource_group_name = azurerm_resource_group.this.name
    location            = azurerm_resource_group.this.location
    sku_name            = "standard"
  }

  resource "azurerm_key_vault_key" "this" {
    for_each     = { for key in var.keys : key.name => key }
    name         = each.value.name
    key_vault_id = azurerm_key_vault.this.id
    key_type     = each.value.type
    key_size     = each.value.size
    key_opts = [
      "decrypt",
      "encrypt"
    ]
  }

checkov execution (irrelevant output omitted):

$ checkov -d keyvault_checkov -c CKV_AZURE_112

terraform scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_AZURE_112: "Ensure that key vault key is backed by HSM"
	FAILED for resource: azurerm_key_vault_key.this
	File: /main.tf:32-42
	Guide: https://docs.bridgecrew.io/docs/ensure-that-key-vault-key-is-backed-by-hsm

		32 | resource "azurerm_key_vault_key" "this" {
		33 |   for_each = { for key in var.keys : key.name => key }
		34 |   name         = each.value.name
		35 |   key_vault_id = azurerm_key_vault.this.id
		36 |   key_type     = each.value.type
		37 |   key_size     = each.value.size
		38 |   key_opts = [
		39 |     "decrypt",
		40 |     "encrypt"
		41 |   ]
		42 | }

Expected checkov output (irrelevant output omitted):

$ checkov -d keyvault_checkov -c CKV_AZURE_112

terraform scan results:

Passed checks: 1, Failed checks: 0, Skipped checks: 0

Check: CKV_AZURE_112: "Ensure that key vault key is backed by HSM"
	PASSED for resource: azurerm_key_vault_key.this
	File: /main.tf:32-42
	Guide: https://docs.bridgecrew.io/docs/ensure-that-key-vault-key-is-backed-by-hsm

Version (please complete the following information):

  • 2.3.158
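As an added illustration (not checkov's code and not part of the issue), the following Python models what the report asks for: resolve the `optional(type, default)` attributes of the variable's object type before evaluating the resource, so the for_each'd key's `key_type` becomes "RSA-HSM" and the HSM check passes. The regex-based parser of the type body and the HSM rule (`key_type` in RSA-HSM/EC-HSM) are assumptions standing in for checkov's own HCL handling and the CKV_AZURE_112 logic; the inputs are constructed from the issue's `main.tf`.

```python
import json
import re

# Constructed: the body of the object(...) type constraint from the issue's
# "keys" variable, one attribute per line as it appears in HCL.
KEYS_TYPE_BODY = """
  name = string
  type = optional(string, "RSA-HSM")
  size = optional(number, 2048)
"""

# Constructed: the variable's default value, i.e. what for_each iterates over.
KEYS_DEFAULT = [{"name": "examplekey"}]

# Assumed check semantics: "backed by HSM" means an HSM key type.
HSM_KEY_TYPES = {"RSA-HSM", "EC-HSM"}

# Matches `attr = optional(<type>, <default>)`; the default literal is JSON-compatible
# for strings, numbers and booleans, which is all this model handles.
OPTIONAL_RE = re.compile(r'^\s*(\w+)\s*=\s*optional\(\s*\w+\s*,\s*(.+?)\s*\)\s*$')


def parse_optional_defaults(type_body: str) -> dict:
    """Return {attribute: default} for every optional(type, default) attribute."""
    defaults = {}
    for line in type_body.splitlines():
        match = OPTIONAL_RE.match(line)
        if match:
            defaults[match.group(1)] = json.loads(match.group(2))
    return defaults


def apply_defaults(values: list, defaults: dict) -> list:
    """Fill missing optional attributes on each object, as Terraform does at plan time."""
    return [{**defaults, **obj} for obj in values]


def hsm_backed(key_type) -> bool:
    """The CKV_AZURE_112 decision for one resolved key_type (assumed rule)."""
    return key_type in HSM_KEY_TYPES


def evaluate_keys(type_body: str, values: list, resolve_optionals: bool = True) -> dict:
    """Map each key name to the check result; resolve_optionals=False mirrors the
    reported behaviour, where the unresolved key_type is treated as missing."""
    defaults = parse_optional_defaults(type_body) if resolve_optionals else {}
    resolved = apply_defaults(values, defaults)
    return {obj["name"]: hsm_backed(obj.get("type")) for obj in resolved}
```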
