Checkov - checking array values within an attribute

Question

I am looking for the operator logic to check values in an array (terraform) - has anyone tackled a similar problem and has a solution?

the resource is like this

resource "google_project_iam_binding" "my_project_iam_bigquery_dataviewer" {
  provider = google.my-project
  project  = "my-project"
  role     = "roles/bigquery.admin"
  members = [
    "group:my-first-group@my-domain.com",
    "group:my-second-group@my-domain.com"
  ]

}

I have tried adding a * (like with lists) to the attribute but - without success

        - cond_type: "attribute"
          resource_types:
            - "google_project_iam_member"
            - "google_project_iam_binding"
          attribute: "members.*"
          operator: "starting_with"
          value: "group"

otherwise, my thoughts of an operator that knows to iterate over the array

        - cond_type: "attribute"
          resource_types:
            - "google_project_iam_member"
            - "google_project_iam_binding"
          attribute: "members"
          operator: "iterate_array.starting_with"
          value: "group"

edit: this is how the python custom policy checks each value of the members array: https://github.com/bridgecrewio/checkov/blob/HEAD/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py#L34-L42

for context. If I was to check the value of an attribute that isn't an array i.e. member in a resource:


resource "google_project_iam_binding" "my_project_iam_bigquery_dataviewer" {
  provider = google.my-project
  project  = "my-project"
  role     = "roles/bigquery.admin"
  member = "group:my-group@mydomain.com"
}

I can (and do) use this yaml

        - cond_type: "attribute"
          resource_types:
            - "google_project_iam_member"
            - "google_project_iam_binding"
          attribute: "member"
          operator: "starting_with"
          value: "group"

I cannot find a way to do the same check for members

"check values in an array" is very ambiguous. Could you clarify what you are attempting to achieve here? — Matthew Schuchard, Sep 12 '22 at 11:04
Something like array[0].starting_with so that I can check if the member is a group or not. The goal is to have the checkov check run against each member of the array, instead of on the array as a whole. For example I could check that the array contains "group:my-group@mydomain.com" but I don't know what the groups will be. I'd like to have logic that see it is a group. — Matt, Sep 12 '22 at 11:38
in case it helps here is the documentation for Attribute blocks I've been referring to: https://www.checkov.io/3.Custom%20Policies/YAML%20Custom%20Policies.html — Matt, Sep 12 '22 at 11:40
this is how the python check deals with the members array: https://github.com/bridgecrewio/checkov/blob/HEAD/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py#L34-L42 — Matt, Sep 12 '22 at 15:41
did you solve it? if not you can ask us directly on slack https://slack.bridgecrew.io/ — James Woolfenden, Oct 08 '22 at 16:10

Checkov - checking array values within an attribute

0 Answers0