
I created a custom Checkov policy to ensure that everyone must provide a description for the resource; otherwise, it will display a failed message. But it is not working.

Terraform code

provider "aws" {
  region = "us-east-1"
}

resource "aws_instance" "example" {
  ami = "ami-04e914639d0cca79a"
  instance_type = "t2.micro"
  key_name = "my-key-pair"
  subnet_id = "subnet-eddcdzz4"
  vpc_security_group_ids = ["sg-12345678"]
}

Checkov YAML code

---
metadata:
  name: "EC2 Instance must have a description"
  id: "CKV2_AWS_1"
  category: "GENERAL_SECURITY"
  guideline: "All EC2 instances should have a description that identifies the purpose of the instance."

definition:
  cond_type: "attribute"
  resource_types:
    - "aws_instance"
  attribute: "description"
  operator: "exists"

directory structure

.
├── checkov
│   └── checkov.yml
└── terraform
    └── main.tf

command

checkov -f terraform/main.tf -c checkov/checkov.yml

Output

ubuntu@arun:~/checkov$ checkov -f terraform/main.tf -c checkov/checkov.yml 
[ terraform framework ]: 100%|████████████████████|[1/1], Current File Scanned=main.tf
[ secrets framework ]: 100%|████████████████████|[1/1], Current File Scanned=terraform/main.tf

       _               _              
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V / 
  \___|_| |_|\___|\___|_|\_\___/ \_/  
                                      
By bridgecrew.io | version: 2.3.361 
  • Not showing the failed output

Could anyone help me solve this problem?

Arun Lal

1 Answer


aws_instance does not have a description field.

The only way to add some meaningful metadata is inside the tags block, e.g. giving the instance a Name.

luk2302
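A policy that enforces the tag route the answer points at, as an added example that is not from the question or the answer. It assumes a custom check ID of CKV2_CUSTOM_1 (chosen here so it does not collide with Checkov's built-in CKV2_AWS_* IDs), that the file lives in the checkov/ directory from the question, and that the directory is loaded with `--external-checks-dir` (the Checkov flag that loads custom policies; `-c` / `--check` only filters which check IDs run).

```yaml
# Added example policy (not from the question or the answer): require a Name tag
# on every aws_instance, since the resource has no description attribute.
# Assumed file path: checkov/require_instance_name_tag.yaml
---
metadata:
  name: "EC2 instance must carry a Name tag describing its purpose"
  id: "CKV2_CUSTOM_1"          # assumed custom ID; keep out of the built-in CKV2_AWS_* range
  category: "GENERAL_SECURITY"
  guideline: "Set tags = { Name = \"...\" } on the aws_instance so its purpose is identifiable."

definition:
  cond_type: "attribute"
  resource_types:
    - "aws_instance"
  attribute: "tags.Name"       # nested attributes are addressed with dot notation
  operator: "exists"
```

With a `tags = { Name = "web-frontend" }` block added to the `aws_instance` resource, `checkov -f terraform/main.tf --external-checks-dir checkov/` reports the check as passed; an instance without the tag shows up as a FAILED result carrying the guideline text, which is the failing message the question was trying to produce.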