False positive: terraform ec2_instance_has_public_ip
Found a bug? You're welcome to
-
Please make sure to:
- Describe in detail what the problem is
- Attach a log file with relevant data, preferably at DEBUG level (`--log-level=DEBUG`)
- Attach the scanned sample files; anonymize the data if the original file cannot be provided
- When attaching files to the issue, make sure they are properly formatted
When an EC2 instance is defined with an explicit network interface, you cannot specify the `associate_public_ip_address` parameter on the `aws_instance`. You get:

```
Error: Conflicting configuration arguments - "network_interface": conflicts with associate_public_ip_address
```
In my case, the aws_network_interface is provisioned in a private subnet, hence the ec2 instance will not have a public IP address. But the rego isn't able to make that determination.
Expected Behavior
No error
Actual Behavior
```
EC2 Instance Has Public IP, Severity: HIGH, Results: 1
Description: EC2 Instance should not have a public IP address.
Platform: Terraform

[1]: main.tf:59

	058:
	059: resource "aws_instance" "this" {
	060: ami = data.aws_ami.amazon-linux.id
```
Steps to Reproduce the Problem
Provision an `aws_instance` using an explicit `aws_network_interface`. A simplified version is below.

```hcl
resource "aws_network_interface" "this" {
  subnet_id       = var.private_subnet_id
  security_groups = [aws_security_group.this.id]
}

resource "aws_security_group" "this" {
  name        = "example"
  description = "Example Security Group"
  ...
}

resource "aws_instance" "this" {
  ami               = data.aws_ami.amazon-linux.id
  instance_type     = "t3a.micro"
  availability_zone = var.availability_zone

  network_interface {
    network_interface_id = aws_network_interface.this.id
    device_index         = 0
  }
  ...
}
```
Run kics like this:

```shell
kics scan -p "." -t "Terraform" --fail-on "high"
```
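To make the point of the report concrete, the following is an added example (not KICS's own query code and not the reporter's) of the resolution a check would have to perform before deciding that an instance with an explicit `network_interface` block has a public IP. It models the Terraform resources as a constructed, simplified dict (resource type, then resource name, then attributes); the KICS input document is richer than this, so that shape is an assumption of the example. The resource types and attributes it follows (`aws_network_interface.subnet_id`, `aws_subnet.map_public_ip_on_launch`, `aws_eip.instance` / `aws_eip.network_interface`) are real Terraform AWS provider arguments; the sample configurations are constructed.

```python
# Added example: statically decide whether an aws_instance gets a public IP,
# following an explicit ENI to its subnet (and any Elastic IP) instead of
# relying on associate_public_ip_address alone. Not KICS's query code.
from typing import Any, Dict, Optional, Tuple

Config = Dict[str, Dict[str, Dict[str, Any]]]  # resource type -> name -> attributes
Ref = Tuple[str, str]


def _ref(value: Any) -> Optional[Ref]:
    """'aws_subnet.private.id' -> ('aws_subnet', 'private').
    Literals and variables such as 'var.private_subnet_id' return None."""
    if isinstance(value, str):
        parts = value.split(".")
        if len(parts) == 3 and parts[0].startswith("aws_"):
            return parts[0], parts[1]
    return None


def _subnet_assigns_public_ip(cfg: Config, subnet_ref: Optional[Ref]) -> Optional[bool]:
    """map_public_ip_on_launch of a referenced aws_subnet; None if it cannot be resolved."""
    if subnet_ref is None or subnet_ref[0] != "aws_subnet":
        return None
    subnet = cfg.get("aws_subnet", {}).get(subnet_ref[1])
    if subnet is None:
        return None
    return bool(subnet.get("map_public_ip_on_launch", False))


def instance_has_public_ip(cfg: Config, name: str) -> Optional[bool]:
    """True: the instance definitely gets a public IP. False: it definitely does not.
    None: not decidable from the configuration alone (e.g. subnet passed as a variable)."""
    inst = cfg["aws_instance"][name]
    eips = cfg.get("aws_eip", {}).values()

    if inst.get("associate_public_ip_address") is True:
        return True
    # An Elastic IP bound directly to the instance is public regardless of the subnet.
    if any(_ref(e.get("instance")) == ("aws_instance", name) for e in eips):
        return True

    nic_blocks = inst.get("network_interface")
    if nic_blocks:
        # Explicit ENI: associate_public_ip_address cannot be set on the instance,
        # so the answer lives on the ENI (an EIP bound to it, or its subnet).
        primary = next((b for b in nic_blocks if b.get("device_index", 0) == 0), nic_blocks[0])
        eni_ref = _ref(primary.get("network_interface_id"))
        if eni_ref is None or eni_ref[0] != "aws_network_interface":
            return None
        if any(_ref(e.get("network_interface")) == eni_ref for e in eips):
            return True
        eni = cfg.get("aws_network_interface", {}).get(eni_ref[1])
        if eni is None:
            return None
        return _subnet_assigns_public_ip(cfg, _ref(eni.get("subnet_id")))

    if inst.get("associate_public_ip_address") is False:
        return False
    # Attribute absent: AWS falls back to the subnet's map_public_ip_on_launch setting.
    return _subnet_assigns_public_ip(cfg, _ref(inst.get("subnet_id")))


# Constructed sample configurations (shapes taken from the report, not real infrastructure).
ENI_BLOCK = [{"network_interface_id": "aws_network_interface.this.id", "device_index": 0}]

REPORTED = {  # the reporter's case: ENI in a subnet that is only a variable here
    "aws_network_interface": {"this": {"subnet_id": "var.private_subnet_id",
                                       "security_groups": ["aws_security_group.this.id"]}},
    "aws_instance": {"this": {"ami": "data.aws_ami.amazon-linux.id",
                              "instance_type": "t3a.micro", "network_interface": ENI_BLOCK}},
}
PRIVATE_ENI = {  # same layout, but the subnet is declared in the module and is private
    "aws_subnet": {"private": {"map_public_ip_on_launch": False}},
    "aws_network_interface": {"this": {"subnet_id": "aws_subnet.private.id"}},
    "aws_instance": {"this": {"network_interface": ENI_BLOCK}},
}
ENI_WITH_EIP = {  # private subnet, but an Elastic IP is bound to the ENI: public after all
    "aws_subnet": {"private": {"map_public_ip_on_launch": False}},
    "aws_network_interface": {"this": {"subnet_id": "aws_subnet.private.id"}},
    "aws_eip": {"this": {"network_interface": "aws_network_interface.this.id"}},
    "aws_instance": {"this": {"network_interface": ENI_BLOCK}},
}
CLASSIC_PUBLIC = {  # no ENI block; the attribute the existing query looks at
    "aws_instance": {"this": {"subnet_id": "var.subnet_id", "associate_public_ip_address": True}},
}


def classify_all() -> Dict[str, Optional[bool]]:
    """Verdict per sample configuration, keyed by a label."""
    samples = [("reported", REPORTED), ("private_eni", PRIVATE_ENI),
               ("eni_with_eip", ENI_WITH_EIP), ("classic_public", CLASSIC_PUBLIC)]
    return {label: instance_has_public_ip(cfg, "this") for label, cfg in samples}


if __name__ == "__main__":
    for label, verdict in classify_all().items():
        print(f"{label:15} -> {verdict}")
```

Two things fall out of running it. For the reported layout the verdict is `None`: with `subnet_id = var.private_subnet_id` no static check can tell whether the subnet is private, so a query that reports HIGH there is reporting "unknown", which is the false positive described above; reporting that case at a lower severity, or only when the subnet is declared in the scanned module, is the defender's trade-off. The `eni_with_eip` sample shows the opposite caveat: an explicit ENI in a private subnet is not by itself proof that the instance has no public address, because an `aws_eip` can still be bound to that interface, so a check that simply skips every instance with a `network_interface` block would under-report.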
Specifications
N/A