Trivy not resolving inputs passed to submodules #7306

dhawos · 2024-08-05T15:35:28Z

dhawos
Aug 5, 2024

Description

Hello,
We are currently evaluating Trivy and we have rune into an issue. We are using this terraform module https://registry.terraform.io/modules/terraform-google-modules/kubernetes-engine/google/latest/submodules/beta-private-cluster inside one of our root modules.

So we have a block like this :

module "gke" {
  source                       = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster"
  version                      = "28.0.0"
  enable_private_nodes         = true

In particular we have this line enable_private_nodes = true which forces nodes in the cluster to have only internal IP addresses.

When we run trivy against this configuration we get this output :

MEDIUM: Cluster does not have private nodes.
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Enabling private nodes on a cluster ensures the nodes are only available internally as they will only be assigned internal addresses.

See https://avd.aquasec.com/misconfig/avd-gcp-0059
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 terraform-google-modules/kubernetes-engine/google/modules/beta-private-cluster/cluster.tf:22-385
   via main.tf:1-41 (module.gke)
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  22 ┌ resource "google_container_cluster" "primary" {
  23 │   provider = google
  24 │ 
  25 │   name            = var.name
  26 │   description     = var.description
  27 │   project         = var.project_id
  28 │   resource_labels = var.cluster_resource_labels
  29 │ 
  30 └   location          = local.location
  ..   
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Note that we have the same behaviour when setting enable_private_nodes = false so it seems trivy is using the default module variable (which is false) to perform its analysis.

Here are some logs from running trivy with -d option :

2024-08-05T17:08:05+02:00       DEBUG   [misconf] 08:05.267992000 terraform.parser.<gke>           Read 146 block(s) and 0 ignore(s) for module 'gke' (11 file[s])...
2024-08-05T17:08:05+02:00       DEBUG   [misconf] 08:05.268059000 terraform.parser.<gke>           Added 37 input variables from module definition.

This is inconsistent with what tfsec produces, as we do not get this output unless we specify enable_private_nodes = false, which seems like the desired behavior.

Desired Behavior

When setting enable_private_nodes to true. I should not get a warning that my nodes are not private.
When setting enable_private_nodes to false. I should get that warning.

Actual Behavior

When setting enable_private_nodes to true. I get a warning that my nodes are not private.
When setting enable_private_nodes to false. I also get that warning

Reproduction Steps

1. Create a folder with a main.tf file :


module "kubernetes-engine_beta-private-cluster" {
  source  = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster"
  version = "28.0.0"
  ip_range_pods = "0.0.0.0/0"
  ip_range_services = "0.0.0.0/0"
  name = "test" 
  network = "network"
  project_id = "my-project"
  subnetwork = "subnetwork"
  enable_private_nodes = true
}

cd into that folder
trivy config . --skip-dirs .terraform
Note that the https://avd.aquasec.com/misconfig/avd-gcp-0059 item is raised
tfsec .
Note that the private nodes item is not raised



### Target

Filesystem

### Scanner

Misconfiguration

### Output Format

Table

### Mode

Standalone

### Debug Output

```bash
trivy config . --skip-dirs .terraform -d


2024-08-05T17:31:40+02:00       DEBUG   Cache dir       dir="<redacted>/Library/Caches/trivy"
2024-08-05T17:31:40+02:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-08-05T17:31:40+02:00       INFO    Misconfiguration scanning is enabled
2024-08-05T17:31:40+02:00       DEBUG   Policies successfully loaded from disk
2024-08-05T17:31:40+02:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-jso
n terraformplan-snapshot]
2024-08-05T17:31:40+02:00       DEBUG   Initializing scan cache...      type="memory"
2024-08-05T17:31:40+02:00       DEBUG   [nuget] The nuget packages directory couldn't be found. License search disabled
2024-08-05T17:31:40+02:00       DEBUG   Skipping path   path=".terraform"
2024-08-05T17:31:40+02:00       DEBUG   Scanning files for misconfigurations... scanner="Terraform"
2024-08-05T17:31:40+02:00       DEBUG   [misconf] 31:40.942818000 terraform.scanner                Scanning [&{%!s(*mapfs.file=&{ [] {. 256 2147484096 {13953376463835193
408 315762501 0x108de35e0} <nil>} {{{0 0} {[] {} 0x14000f1b700} map[main.tf:0x14002173d08] 0}}}) .}] at '.'...
2024-08-05T17:31:40+02:00       DEBUG   [misconf] 31:40.944889000 terraform.scanner.rego           Overriding filesystem for checks!
2024-08-05T17:31:40+02:00       DEBUG   [misconf] 31:40.945427000 terraform.scanner.rego           Loaded 3 embedded libraries.
2024-08-05T17:31:40+02:00       DEBUG   [misconf] 31:40.969529000 terraform.scanner.rego           Loaded 192 embedded policies.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.004186000 terraform.scanner.rego           Loaded 195 checks from disk.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.004412000 terraform.scanner.rego           Overriding filesystem for data!
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.185223000 terraform.parser.<root>          Setting project/module root to '.'
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.185244000 terraform.parser.<root>          Parsing FS from '.'
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.185273000 terraform.parser.<root>          Parsing 'main.tf'...
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.185839000 terraform.parser.<root>          Added file main.tf.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.185973000 terraform.scanner                Scanning root module '.'...
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.185978000 terraform.parser.<root>          Setting project/module root to '.'
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.185981000 terraform.parser.<root>          Parsing FS from '.'
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.185995000 terraform.parser.<root>          Parsing 'main.tf'...
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.186103000 terraform.parser.<root>          Added file main.tf.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.186122000 terraform.parser.<root>          Evaluating module...
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.186158000 terraform.parser.<root>          Read 1 block(s) and 0 ignore(s) for module 'root' (1 file[s])...
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.186166000 terraform.parser.<root>          Added 0 variables from tfvars.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.186195000 terraform.parser.<root>          Working directory for module evaluation is "<redacted>/issue_trivy"
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.186248000 terraform.parser.<root>.evaluator Filesystem key is 'e8ff9b796d3341a7ffdee9bda703c57c33eac39c5e181b1b57
849aba2ee75f33'
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.186252000 terraform.parser.<root>.evaluator Starting module evaluation...
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.186308000 terraform.parser.<root>.evaluator Starting submodule evaluation...
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.186315000 terraform.parser.<root>.evaluator locating non-initialized module 'terraform-google-modules/kubernetes-
engine/google//modules/beta-private-cluster'...
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.186319000 terraform.parser.<root>.evaluator.resolver Resolving module 'module.kubernetes-engine_beta-private-clus
ter' with source: 'terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster'...
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.186344000 terraform.parser.<root>.evaluator.resolver Trying to resolve: dada79691d67fe004325abb3f1860631
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.186355000 terraform.parser.<root>.evaluator.resolver Module 'module.kubernetes-engine_beta-private-cluster' resol
ving via cache...
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.186365000 terraform.parser.<root>.evaluator.resolver Module path is .
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.186370000 terraform.parser.<root>.evaluator Module 'module.kubernetes-engine_beta-private-cluster' resolved to pa
th '.' in filesystem '/var/folders/f7/_38y8mcx36s8s_wlnl1dqdfm0000gn/T/.aqua/cache/dada79691d67fe004325abb3f1860631' with prefix 'terraform-google-modules/kubernetes-eng
ine/google/modules/beta-private-cluster'
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.186373000 terraform.parser.<kubernetes-engine_beta-private-cluster> Parsing FS from '.'
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.186461000 terraform.parser.<kubernetes-engine_beta-private-cluster> Parsing 'cluster.tf'...
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.190915000 terraform.parser.<kubernetes-engine_beta-private-cluster> Added file cluster.tf.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.190949000 terraform.parser.<kubernetes-engine_beta-private-cluster> Parsing 'dns.tf'...
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.191443000 terraform.parser.<kubernetes-engine_beta-private-cluster> Added file dns.tf.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.191458000 terraform.parser.<kubernetes-engine_beta-private-cluster> Parsing 'firewall.tf'...
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.192309000 terraform.parser.<kubernetes-engine_beta-private-cluster> Added file firewall.tf.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.192326000 terraform.parser.<kubernetes-engine_beta-private-cluster> Parsing 'main.tf'...
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.193355000 terraform.parser.<kubernetes-engine_beta-private-cluster> Added file main.tf.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.193371000 terraform.parser.<kubernetes-engine_beta-private-cluster> Parsing 'masq.tf'...
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.193651000 terraform.parser.<kubernetes-engine_beta-private-cluster> Added file masq.tf.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.193660000 terraform.parser.<kubernetes-engine_beta-private-cluster> Parsing 'networks.tf'...
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.193864000 terraform.parser.<kubernetes-engine_beta-private-cluster> Added file networks.tf.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.193872000 terraform.parser.<kubernetes-engine_beta-private-cluster> Parsing 'outputs.tf'...
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.194400000 terraform.parser.<kubernetes-engine_beta-private-cluster> Added file outputs.tf.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.194410000 terraform.parser.<kubernetes-engine_beta-private-cluster> Parsing 'sa.tf'...
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.194871000 terraform.parser.<kubernetes-engine_beta-private-cluster> Added file sa.tf.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.194878000 terraform.parser.<kubernetes-engine_beta-private-cluster> Parsing 'variables.tf'...
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.197157000 terraform.parser.<kubernetes-engine_beta-private-cluster> Added file variables.tf.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.197169000 terraform.parser.<kubernetes-engine_beta-private-cluster> Parsing 'variables_defaults.tf'...
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.197625000 terraform.parser.<kubernetes-engine_beta-private-cluster> Added file variables_defaults.tf.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.197632000 terraform.parser.<kubernetes-engine_beta-private-cluster> Parsing 'versions.tf'...
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.197855000 terraform.parser.<kubernetes-engine_beta-private-cluster> Added file versions.tf.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.197864000 terraform.parser.<root>.evaluator Loaded module "kubernetes-engine_beta-private-cluster" from ".".
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.197866000 terraform.parser.<kubernetes-engine_beta-private-cluster> Evaluating module...
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.204448000 terraform.parser.<kubernetes-engine_beta-private-cluster> Read 146 block(s) and 0 ignore(s) for module 
'kubernetes-engine_beta-private-cluster' (11 file[s])...
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.204471000 terraform.parser.<kubernetes-engine_beta-private-cluster> Added 10 input variables from module definiti
on.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.204497000 terraform.parser.<kubernetes-engine_beta-private-cluster> Working directory for module evaluation is "<redacted>/issue_trivy"
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.204770000 terraform.parser.<root>.evaluator Evaluating submodule kubernetes-engine_beta-private-cluster
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.204776000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Filesystem key is '87df7c2074f27efa
341d08eaa612832ec0b2a17d701ff4561916fc10b4eef79e'
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.204780000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Starting module evaluation...
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.209848000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'data.google_compute
_subnetwork.gke_subnetwork' into 0 clones via 'count' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.209900000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'data.google_compute
_zones.available' into 1 clones via 'count' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.209911000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'google_compute_fire
wall.intra_egress' into 0 clones via 'count' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.209921000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'google_compute_fire
wall.master_webhooks' into 0 clones via 'count' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.209929000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'google_compute_fire
wall.shadow_allow_inkubelet' into 0 clones via 'count' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.209936000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'google_compute_fire
wall.shadow_allow_master' into 0 clones via 'count' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.209943000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'google_compute_fire
wall.shadow_allow_nodes' into 0 clones via 'count' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.209950000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'google_compute_fire
wall.shadow_allow_pods' into 0 clones via 'count' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.209965000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'google_compute_fire
wall.shadow_deny_exkubelet' into 0 clones via 'count' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210008000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'google_project_iam_
member.cluster_service_account-log_writer' into 1 clones via 'count' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210037000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'google_project_iam_
member.cluster_service_account-metric_writer' into 1 clones via 'count' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210068000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'google_project_iam_
member.cluster_service_account-monitoring_viewer' into 1 clones via 'count' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210102000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'google_project_iam_
member.cluster_service_account-resourceMetadata-writer' into 1 clones via 'count' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210133000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'google_service_acco
unt.cluster_service_account' into 1 clones via 'count' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210140000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'kubernetes_config_m
ap.ip-masq-agent' into 0 clones via 'count' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210152000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'kubernetes_config_m
ap_v1_data.kube-dns' into 0 clones via 'count' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210163000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'kubernetes_config_m
ap_v1_data.kube-dns-upstream-nameservers-and-stub-domains' into 0 clones via 'count' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210172000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'kubernetes_config_m
ap_v1_data.kube-dns-upstream-namservers' into 0 clones via 'count' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210208000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'random_shuffle.avai
lable_zones' into 1 clones via 'count' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210492000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'google_container_no
de_pool.pools' into 1 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210499000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'google_container_no
de_pool.windows_pools' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210531000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'google_project_iam_
member.cluster_service_account-artifact-registry' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210555000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'google_project_iam_
member.cluster_service_account-gcr' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210565000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.managed_pro
metheus' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210574000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.auto_provis
ioning_defaults' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210581000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.resource_li
mits' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210628000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.gce_persist
ent_disk_csi_driver_config' into 1 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210653000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.gke_backup_
agent_config' into 1 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210661000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.gcs_fuse_cs
i_driver_config' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210698000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.recurring_w
indow' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210720000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.daily_maint
enance_window' into 1 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210727000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.maintenance
_exclusion' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210743000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.gcfs_config
' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210756000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.gvnic' into
 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210778000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.workload_me
tadata_config' into 1 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210806000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.network_pol
icy' into 1 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210851000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.release_cha
nnel' into 1 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210870000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.gateway_api
_config' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210879000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.cost_manage
ment_config' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210890000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.logging_con
fig' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210903000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.monitoring_
config' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210913000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.binary_auth
orization' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210920000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.master_auth
orized_networks_config' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210929000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.service_ext
ernal_ips_config' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210965000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.dns_config'
 into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.210991000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.resource_us
age_export_config' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211016000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.database_en
cryption' into 1 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211069000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.workload_id
entity_config' into 1 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211104000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.mesh_certif
icates' into 1 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211125000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.authenticat
or_groups_config' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211142000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.blue_green_
settings' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211156000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.gcfs_config
' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211170000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.gvnic' into
 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211191000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.taint' into
 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211208000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.guest_accel
erator' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211230000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.workload_me
tadata_config' into 1 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211253000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.linux_node_
config' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211293000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.autoscaling
' into 1 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211410000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.managed_pro
metheus' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211421000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.auto_provis
ioning_defaults' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211427000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.resource_li
mits' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211457000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.gcs_fuse_cs
i_driver_config' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211494000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.recurring_w
indow' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211501000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.maintenance
_exclusion' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211517000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.gcfs_config
' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211533000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.gvnic' into
 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211543000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.gateway_api
_config' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211554000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.cost_manage
ment_config' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211570000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.logging_con
fig' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211587000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.monitoring_
config' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211603000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.binary_auth
orization' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211614000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.master_auth
orized_networks_config' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211808000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.service_ext
ernal_ips_config' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211825000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.dns_config'
 into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211854000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.resource_us
age_export_config' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211867000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.authenticat
or_groups_config' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211890000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.blue_green_
settings' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211912000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.gcfs_config
' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211932000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.gvnic' into
 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211960000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.taint' into
 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.211983000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.guest_accel
erator' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.212014000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Expanded block 'dynamic.linux_node_
config' into 0 clones via 'for_each' attribute.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.212016000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Starting submodule evaluation...
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.212019000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator All submodules are evaluated at i=0
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.212022000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Starting post-submodule evaluation.
..
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.214895000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Finished processing 0 submodule(s).
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.214905000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Module evaluation complete.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.214912000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Added module output ca_certificate=
cty.NilVal.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.214916000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Added module output cluster_id=cty.
StringVal("87fa7b35-725b-4a3e-883f-92f7a225de18").
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.214919000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Added module output endpoint=cty.Ni
lVal.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.214922000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Added module output gateway_api_cha
nnel=cty.NilVal.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.214925000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Added module output horizontal_pod_
autoscaling_enabled=cty.NilVal.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.214927000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Added module output http_load_balan
cing_enabled=cty.NilVal.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.214950000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Added module output identity_namesp
ace=cty.StringVal("my-project.svc.id.goog").
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.214957000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Added module output instance_group_
urls=cty.NilVal.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.214961000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Added module output location=cty.Ni
lVal.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.214964000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Added module output logging_service
=cty.StringVal("logging.googleapis.com/kubernetes").
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.214968000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Added module output master_authoriz
ed_networks_config=cty.NilVal.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.215061000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Added module output master_version=
cty.NilVal.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.215087000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Added module output mesh_certificat
es_config=cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"enable_certificates":cty.False})}).
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.215098000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Added module output min_master_vers
ion=cty.NilVal.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.215102000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Added module output monitoring_serv
ice=cty.StringVal("monitoring.googleapis.com/kubernetes").
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.215108000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Added module output name=cty.NilVal
.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.215170000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Added module output network_policy_
enabled=cty.NilVal.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.215175000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Added module output node_pools_name
s=cty.TupleVal([]cty.Value{cty.StringVal("default-node-pool"), cty.StringVal(""), cty.StringVal("")}).
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.215181000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Added module output node_pools_vers
ions=cty.ObjectVal(map[string]cty.Value{"default-node-pool":cty.StringVal("")}).
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.215185000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Added module output region=cty.NilV
al.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.215279000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Added module output release_channel
=cty.StringVal("REGULAR").
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.215283000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Added module output service_account
=cty.NilVal.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.215287000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Added module output type=cty.String
Val("regional").
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.215292000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Added module output vertical_pod_au
toscaling_enabled=cty.NilVal.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.215294000 terraform.parser.<kubernetes-engine_beta-private-cluster>.evaluator Added module output zones=cty.NilVa
l.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.215447000 terraform.parser.<root>.evaluator Submodule kubernetes-engine_beta-private-cluster inputs unchanged
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.215450000 terraform.parser.<root>.evaluator All submodules are evaluated at i=1
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.215452000 terraform.parser.<root>.evaluator Starting post-submodule evaluation...
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.215546000 terraform.parser.<root>.evaluator Finished processing 1 submodule(s).
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.215550000 terraform.parser.<root>.evaluator Module evaluation complete.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.215553000 terraform.parser.<root>          Finished parsing module 'root'.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.215557000 terraform.executor               Adapting modules...
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.215917000 terraform.executor               Adapted 2 module(s) into defsec state data.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.215921000 terraform.executor               Using max routines of 7
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.215969000 terraform.executor               Initialized 487 rule(s).
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.215971000 terraform.executor               Created pool with 7 worker(s) to apply rules.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.216891000 terraform.scanner.rego           Scanning 1 inputs...
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.218508000 terraform.executor               Finished applying rules.
2024-08-05T17:31:41+02:00       DEBUG   [misconf] 31:41.218513000 terraform.executor               Applying ignores...
2024-08-05T17:31:41+02:00       DEBUG   OS is not detected.
2024-08-05T17:31:41+02:00       INFO    Detected config files   num=3
2024-08-05T17:31:41+02:00       DEBUG   Scanned config file     path="."
2024-08-05T17:31:41+02:00       DEBUG   Scanned config file     path="terraform-google-modules/kubernetes-engine/google/modules/beta-private-cluster/cluster.tf"
2024-08-05T17:31:41+02:00       DEBUG   Scanned config file     path="terraform-google-modules/kubernetes-engine/google/modules/beta-private-cluster/sa.tf"

terraform-google-modules/kubernetes-engine/google/modules/beta-private-cluster/cluster.tf (terraform)

Tests: 18 (SUCCESSES: 14, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 1, CRITICAL: 0)

LOW: Cluster does not use GCE resource labels.
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Labels make it easier to manage assets and differentiate between clusters and environments, allowing the mapping of computational resources to the wider organisational s
tructure.

See https://avd.aquasec.com/misconfig/avd-gcp-0051
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 terraform-google-modules/kubernetes-engine/google/modules/beta-private-cluster/cluster.tf:28
   via terraform-google-modules/kubernetes-engine/google/modules/beta-private-cluster/cluster.tf:22-385 (google_container_cluster.primary)
    via main.tf:1-11 (module.kubernetes-engine_beta-private-cluster)
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  22   resource "google_container_cluster" "primary" {
  ..   
  28 [   resource_labels = var.cluster_resource_labels
 ...   
 385   }
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


MEDIUM: Cluster does not have a network policy enabled.
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Enabling a network policy allows the segregation of network traffic by namespace

See https://avd.aquasec.com/misconfig/avd-gcp-0056
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 terraform-google-modules/kubernetes-engine/google/modules/beta-private-cluster/cluster.tf:38
   via terraform-google-modules/kubernetes-engine/google/modules/beta-private-cluster/cluster.tf:37-40 (content)
    via terraform-google-modules/kubernetes-engine/google/modules/beta-private-cluster/cluster.tf:34-41 (dynamic.network_policy["0"])
     via terraform-google-modules/kubernetes-engine/google/modules/beta-private-cluster/cluster.tf:22-385 (google_container_cluster.primary)
      via main.tf:1-11 (module.kubernetes-engine_beta-private-cluster)
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  22   resource "google_container_cluster" "primary" {
  ..   
  38 [       enabled  = network_policy.value.enabled
 ...   
 385   }
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


MEDIUM: Cluster does not have private nodes.
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Enabling private nodes on a cluster ensures the nodes are only available internally as they will only be assigned internal addresses.

See https://avd.aquasec.com/misconfig/avd-gcp-0059
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 terraform-google-modules/kubernetes-engine/google/modules/beta-private-cluster/cluster.tf:22-385
   via main.tf:1-11 (module.kubernetes-engine_beta-private-cluster)
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  22 ┌ resource "google_container_cluster" "primary" {
  23 │   provider = google
  24 │ 
  25 │   name            = var.name
  26 │   description     = var.description
  27 │   project         = var.project_id
  28 │   resource_labels = var.cluster_resource_labels
  29 │ 
  30 └   location          = local.location
  ..   
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


HIGH: Cluster does not have master authorized networks enabled.
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Enabling authorized networks means you can restrict master access to a fixed set of CIDR ranges

See https://avd.aquasec.com/misconfig/avd-gcp-0061
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 terraform-google-modules/kubernetes-engine/google/modules/beta-private-cluster/cluster.tf:22-385
   via main.tf:1-11 (module.kubernetes-engine_beta-private-cluster)
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  22 ┌ resource "google_container_cluster" "primary" {
  23 │   provider = google
  24 │ 
  25 │   name            = var.name
  26 │   description     = var.description
  27 │   project         = var.project_id
  28 │   resource_labels = var.cluster_resource_labels
  29 │ 
  30 └   location          = local.location
  ..   
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────



### Operating System

macOS Sonoma 14.5

### Version

```bash
$ trivy version
Version: 0.53.0
Check Bundle:
  Digest: sha256:ef2d9ad4fce0f933b20a662004d7e55bf200987c180e7f2cd531af631f408bb3
  DownloadedAt: 2024-08-05 13:55:39.875516 +0000 UTC

I've also tried with the binary built from source :

$ ./trivy version
Version: dev
Check Bundle:
  Digest: sha256:ef2d9ad4fce0f933b20a662004d7e55bf200987c180e7f2cd531af631f408bb3
  DownloadedAt: 2024-08-05 15:34:18.823645 +0000 UTC

Checklist

Run trivy clean --all
Read the troubleshooting

nikpivkin · 2024-08-06T05:26:34Z

nikpivkin
Aug 6, 2024
Maintainer

Hi @lgerard-pass !

The issue is related to incorrect resolution of submodules. This issue is known and it will be fixed in the next release.

#7113

1 reply

dhawos Aug 6, 2024
Author

ok sorry for the duplicate I saw the issue but did not realize it was the same problem as I was facing. Thanks for the response

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Trivy not resolving inputs passed to submodules #7306

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

Trivy not resolving inputs passed to submodules #7306

dhawos Aug 5, 2024

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Checklist

Replies: 1 comment · 1 reply

nikpivkin Aug 6, 2024 Maintainer

dhawos Aug 6, 2024 Author

dhawos
Aug 5, 2024

Replies: 1 comment 1 reply

nikpivkin
Aug 6, 2024
Maintainer

dhawos Aug 6, 2024
Author