avd-aws-0012: false positive for module with aws_cloudfront_distribution #7232

kiwimato · 2024-07-25T15:38:09Z

kiwimato
Jul 25, 2024

IDs

avd-aws-0012

Description

We have a module where we use dynamic function to get the param, but to debug this I just hardcoded this value to redirect-to-https:

  dynamic "default_cache_behavior" {
    for_each = length(keys(var.default_cache_behavior)) == 0 ? [] : [var.default_cache_behavior]

    content {
      viewer_protocol_policy     = "redirect-to-https"
      compress                   = lookup(default_cache_behavior.value, "compress", true)
      allowed_methods            = lookup(default_cache_behavior.value, "allowed_methods", ["GET", "HEAD"])
...
snip
..
dynamic "ordered_cache_behavior" {
    for_each = var.ordered_cache_behavior
    iterator = ordered_cache_behavior_item

    content {
      path_pattern               = lookup(ordered_cache_behavior_item.value, "path_pattern", null)
      viewer_protocol_policy     = "redirect-to-https" # lookup(ordered_cache_behavior_item.value, "viewer_protocol_policy", "redirect-to-https") == "https-only" ? "https-only" : "redirect-to-https"
      compress                   = lookup(ordered_cache_behavior_item.value, "compress", null)

Reproduction Steps

1. Run this command:

 trivy -d config '--tf-vars=test.tfvars' --skip-dirs .terraform --include-non-failures --exit-code 0 --severity CRITICAL --ignorefile /tmp/.trivyignore.yaml .

Result:

git::git@redacted:v3/redacted/redactedXX/terraform-aws-cloudfront-s3?ref=test-trivy/git::git@redacted:v3/redacted/redactedXX/terraform-aws-cloudfront?ref=test-trivy/cloudfront.tf (terraform)
====================================================================================================================================================================================================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (CRITICAL: 1)

FAIL: CRITICAL: Distribution allows unencrypted communications.
════════════════════════════════════════
Plain HTTP is unencrypted and human-readable. This means that if a malicious actor was to eavesdrop on your connection, they would be able to see all of your data flowing back and forth.

You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning eavesdroppers cannot read your traffic.

See https://avd.aquasec.com/misconfig/avd-aws-0012
────────────────────────────────────────
 git::git@redacted:v3/redacted/redactedXX/terraform-aws-cloudfront-s3?ref=test-trivy/git::git@redacted:v3/redacted/redactedXX/terraform-aws-cloudfront?ref=test-trivy/cloudfront.tf:4-266
   via git::git@redacted:v3/redacted/redactedXX/terraform-aws-cloudfront-s3?ref=test-trivy/cloudfront.tf:17-42 (module.cloudfront)
    via main.tf:8-84 (module.frontend_website)
────────────────────────────────────────
   4 ┌ resource "aws_cloudfront_distribution" "www_distribution" {
   5 │   comment             = var.comment
   6 │   aliases             = var.aliases
   7 │   default_root_object = var.default_root_object
   8 │   enabled             = var.enabled
   9 │   is_ipv6_enabled     = var.is_ipv6_enabled
  10 │   http_version        = var.http_version
  11 │   price_class         = var.price_class
  12 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


PASS: CRITICAL: No issues found
════════════════════════════════════════
Plain HTTP is unencrypted and human-readable. This means that if a malicious actor was to eavesdrop on your connection, they would be able to see all of your data flowing back and forth.

You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning eavesdroppers cannot read your traffic.

See https://avd.aquasec.com/misconfig/avd-aws-0012

Note that in the module the only 2 places which have viewer_protocol_policy configured are showed above, so they are already hardcoded. Is there any other check? I tried also using --tf-exclude-downloaded-modules but then everything is reported fine, even if I configure those viewer_protocol_policy to allow_all which of course is not what I expect because I would expect it scans the resulting terraform code after the modules are being processed with the actual parameters.

I'm not sure at this point if this is just a false positive, incomplete documentation (maybe this checks for something else) or maybe just a bug? I think you guys would know better.



### Target

Filesystem

### Scanner

Misconfiguration

### Target OS

Ubuntu 22.04

### Debug Output

```bash
trivy -d config '-tf-vars=tfvars/tst.tfvars' --skip-dirs .terraform --include-non-failures --exit-code 0 --severity CRITICAL --ignorefile /tmp/redacted-infra-tests/trivy-critical/.trivyignore.yaml .
DEBUG	Cache dir	dir="/home/vsts/.cache/trivy"
WARN	'--template' is ignored because '--format table' is specified. Use '--template' option with '--format template' option.
DEBUG	Parsed severities	severities=[CRITICAL]
INFO	Misconfiguration scanning is enabled
DEBUG	Failed to open the check metadata	err="open /home/vsts/.cache/trivy/policy/metadata.json: no such file or directory"
INFO	Need to update the built-in policies
INFO	Downloading the built-in policies...
DEBUG	Loading check bundle	repository="ghcr.io/aquasecurity/trivy-checks:0"
-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-25T15:24:48Z	DEBUG	Digest of the built-in policies	digest="sha256:ef2d9ad4fce0f933b20a662004d7e55bf200987c180e7f2cd531af631f408bb3"
DEBUG	Policies successfully loaded from disk
DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
DEBUG	Initializing scan cache...	type="memory"
DEBUG	[nuget] The nuget packages directory couldn't be found. License search disabled
DEBUG	Skipping path	path=".terraform"
DEBUG	Scanning files for misconfigurations...	scanner="Terraform"
DEBUG	[misconf] 24:48.179537872 terraform.scanner                Scanning [&{%!s(*mapfs.file=&{ [] {. 256 2147484096 {13952355536460616792 1233553860 0x794e200} <nil>} {{{0 0} {[] {} 0xc00156f7c0} map[backend.tf:0xc002e147c8 data.tf:0xc002e147d8 locals.tf:0xc002e147e8 main.tf:0xc002e147f8 outputs.tf:0xc002e14808 secret.tf:0xc002e14818 tfvars:0xc002e14820 variables.tf:0xc002e14870 versions.tf:0xc002e14880] 4}}}) .}] at '.'...
DEBUG	[misconf] 24:48.182947373 terraform.scanner.rego           Overriding filesystem for checks!
DEBUG	[misconf] 24:48.184452774 terraform.scanner.rego           Loaded 3 embedded libraries.
DEBUG	[misconf] 24:48.249762204 terraform.scanner.rego           Loaded 192 embedded policies.
DEBUG	[misconf] 24:48.322791437 terraform.scanner.rego           Loaded 195 checks from disk.
DEBUG	[misconf] 24:48.323476237 terraform.scanner.rego           Overriding filesystem for data!
DEBUG	[misconf] 24:48.740177426 terraform.parser.<root>          Setting project/module root to '.'
DEBUG	[misconf] 24:48.740363926 terraform.parser.<root>          Parsing FS from '.'
DEBUG	[misconf] 24:48.740458626 terraform.parser.<root>          Parsing 'backend.tf'...
DEBUG	[misconf] 24:48.741260726 terraform.parser.<root>          Added file backend.tf.
DEBUG	[misconf] 24:48.741409527 terraform.parser.<root>          Parsing 'data.tf'...
DEBUG	[misconf] 24:48.741904927 terraform.parser.<root>          Added file data.tf.
DEBUG	[misconf] 24:48.742045627 terraform.parser.<root>          Parsing 'locals.tf'...
DEBUG	[misconf] 24:48.742611227 terraform.parser.<root>          Added file locals.tf.
DEBUG	[misconf] 24:48.742737827 terraform.parser.<root>          Parsing 'main.tf'...
DEBUG	[misconf] 24:48.743535528 terraform.parser.<root>          Added file main.tf.
DEBUG	[misconf] 24:48.743676628 terraform.parser.<root>          Parsing 'outputs.tf'...
DEBUG	[misconf] 24:48.743983728 terraform.parser.<root>          Added file outputs.tf.
DEBUG	[misconf] 24:48.744072928 terraform.parser.<root>          Parsing 'secret.tf'...
DEBUG	[misconf] 24:48.744261728 terraform.parser.<root>          Added file secret.tf.
DEBUG	[misconf] 24:48.744354128 terraform.parser.<root>          Parsing 'variables.tf'...
DEBUG	[misconf] 24:48.745453628 terraform.parser.<root>          Added file variables.tf.
DEBUG	[misconf] 24:48.745572228 terraform.parser.<root>          Parsing 'versions.tf'...
DEBUG	[misconf] 24:48.745745529 terraform.parser.<root>          Added file versions.tf.
DEBUG	[misconf] 24:48.746979829 terraform.scanner                Scanning root module '.'...
DEBUG	[misconf] 24:48.747104829 terraform.parser.<root>          Setting project/module root to '.'
DEBUG	[misconf] 24:48.747219029 terraform.parser.<root>          Parsing FS from '.'
DEBUG	[misconf] 24:48.747360929 terraform.parser.<root>          Parsing 'backend.tf'...
DEBUG	[misconf] 24:48.747519229 terraform.parser.<root>          Added file backend.tf.
DEBUG	[misconf] 24:48.747630029 terraform.parser.<root>          Parsing 'data.tf'...
DEBUG	[misconf] 24:48.747790029 terraform.parser.<root>          Added file data.tf.
DEBUG	[misconf] 24:48.747894029 terraform.parser.<root>          Parsing 'locals.tf'...
DEBUG	[misconf] 24:48.748178030 terraform.parser.<root>          Added file locals.tf.
DEBUG	[misconf] 24:48.748289030 terraform.parser.<root>          Parsing 'main.tf'...
DEBUG	[misconf] 24:48.748861830 terraform.parser.<root>          Added file main.tf.
DEBUG	[misconf] 24:48.748988830 terraform.parser.<root>          Parsing 'outputs.tf'...
DEBUG	[misconf] 24:48.749190230 terraform.parser.<root>          Added file outputs.tf.
DEBUG	[misconf] 24:48.749297530 terraform.parser.<root>          Parsing 'secret.tf'...
DEBUG	[misconf] 24:48.749476530 terraform.parser.<root>          Added file secret.tf.
DEBUG	[misconf] 24:48.749582030 terraform.parser.<root>          Parsing 'variables.tf'...
DEBUG	[misconf] 24:48.750627931 terraform.parser.<root>          Added file variables.tf.
DEBUG	[misconf] 24:48.750755231 terraform.parser.<root>          Parsing 'versions.tf'...
DEBUG	[misconf] 24:48.750920531 terraform.parser.<root>          Added file versions.tf.
DEBUG	[misconf] 24:48.751024831 terraform.parser.<root>          Evaluating module...
DEBUG	[misconf] 24:48.752183631 terraform.parser.<root>          Read 30 block(s) and 0 ignore(s) for module 'root' (8 file[s])...
DEBUG	[misconf] 24:48.752311531 terraform.parser.<root>          Added 0 variables from tfvars.
DEBUG	[misconf] 24:48.752362032 terraform.parser.<root>          Working directory for module evaluation is "/project"
DEBUG	[misconf] 24:48.752554832 terraform.parser.<root>.evaluator Filesystem key is 'f306dd13c47ace59f9b49221e8f6b4d26f093ea7db75aa232a4f9a67e13688dc'
DEBUG	[misconf] 24:48.752598432 terraform.parser.<root>.evaluator Starting module evaluation...
DEBUG	[misconf] 24:48.753930932 terraform.parser.<root>.evaluator Starting submodule evaluation...
DEBUG	[misconf] 24:48.753994332 terraform.parser.<root>.evaluator locating non-initialized module 'git::[email protected]:v3/redacted/redactedXX/terraform-aws-cloudfront-s3?ref=test-trivy-allow-all'...
DEBUG	[misconf] 24:48.754114032 terraform.parser.<root>.evaluator.resolver Resolving module 'module.frontend_website' with source: 'git::[email protected]:v3/redacted/redactedXX/terraform-aws-cloudfront-s3?ref=test-trivy-allow-all'...
DEBUG	[misconf] 24:48.754360032 terraform.parser.<root>.evaluator.resolver Trying to resolve: bb31c665aea2cad89ebf094f8369470f
DEBUG	[misconf] 24:48.754476632 terraform.parser.<root>.evaluator.resolver Storing with cache key bb31c665aea2cad89ebf094f8369470f
DEBUG	[misconf] 24:48.754586233 terraform.parser.<root>.evaluator.resolver Downloading git::[email protected]:v3/redacted/redactedXX/terraform-aws-cloudfront-s3?ref=test-trivy-allow-all...
DEBUG	[misconf] 24:49.418192009 terraform.parser.<root>.evaluator.resolver Incrementing the download counter
DEBUG	[misconf] 24:49.418225909 terraform.parser.<root>.evaluator.resolver Download counter is now 1
DEBUG	[misconf] 24:49.418233709 terraform.parser.<root>.evaluator.resolver Successfully downloaded module.frontend_website from git::[email protected]:v3/redacted/redactedXX/terraform-aws-cloudfront-s3?ref=test-trivy-allow-all
DEBUG	[misconf] 24:49.418244109 terraform.parser.<root>.evaluator.resolver Module 'module.frontend_website' resolved via remote download.
DEBUG	[misconf] 24:49.418251609 terraform.parser.<root>.evaluator.resolver Module path is .
DEBUG	[misconf] 24:49.418386609 terraform.parser.<root>.evaluator Module 'module.frontend_website' resolved to path '.' in filesystem '/tmp/.aqua/cache/bb31c665aea2cad89ebf094f8369470f' with prefix 'git::[email protected]:v3/redacted/redactedXX/terraform-aws-cloudfront-s3?ref=test-trivy-allow-all'
DEBUG	[misconf] 24:49.418467409 terraform.parser.<frontend_website> Parsing FS from '.'
DEBUG	[misconf] 24:49.418699709 terraform.parser.<frontend_website> Parsing 'apigateway.tf'...
DEBUG	[misconf] 24:49.419736310 terraform.parser.<frontend_website> Added file apigateway.tf.
DEBUG	[misconf] 24:49.419759310 terraform.parser.<frontend_website> Parsing 'cloudfront.tf'...
DEBUG	[misconf] 24:49.420506110 terraform.parser.<frontend_website> Added file cloudfront.tf.
DEBUG	[misconf] 24:49.420526110 terraform.parser.<frontend_website> Parsing 'locals.tf'...
DEBUG	[misconf] 24:49.421046610 terraform.parser.<frontend_website> Added file locals.tf.
DEBUG	[misconf] 24:49.421067710 terraform.parser.<frontend_website> Parsing 'main.tf'...
DEBUG	[misconf] 24:49.421130310 terraform.parser.<frontend_website> Added file main.tf.
DEBUG	[misconf] 24:49.421609410 terraform.parser.<frontend_website> Parsing 'outputs.tf'...
DEBUG	[misconf] 24:49.421972610 terraform.parser.<frontend_website> Added file outputs.tf.
DEBUG	[misconf] 24:49.422025810 terraform.parser.<frontend_website> Parsing 'provider.tf'...
DEBUG	[misconf] 24:49.422223810 terraform.parser.<frontend_website> Added file provider.tf.
DEBUG	[misconf] 24:49.422311110 terraform.parser.<frontend_website> Parsing 'route53.tf'...
DEBUG	[misconf] 24:49.422560410 terraform.parser.<frontend_website> Added file route53.tf.
DEBUG	[misconf] 24:49.422876211 terraform.parser.<frontend_website> Parsing 's3.tf'...
DEBUG	[misconf] 24:49.423567011 terraform.parser.<frontend_website> Added file s3.tf.
DEBUG	[misconf] 24:49.423583511 terraform.parser.<frontend_website> Parsing 'variables-cloudfront.tf'...
DEBUG	[misconf] 24:49.424440611 terraform.parser.<frontend_website> Added file variables-cloudfront.tf.
DEBUG	[misconf] 24:49.424458011 terraform.parser.<frontend_website> Parsing 'variables.tf'...
DEBUG	[misconf] 24:49.425029211 terraform.parser.<frontend_website> Added file variables.tf.
DEBUG	[misconf] 24:49.425046311 terraform.parser.<frontend_website> Parsing 'versions.tf'...
DEBUG	[misconf] 24:49.425103211 terraform.parser.<frontend_website> Added file versions.tf.
DEBUG	[misconf] 24:49.425140811 terraform.parser.<frontend_website> Parsing 'wafv2.tf'...
DEBUG	[misconf] 24:49.425729111 terraform.parser.<frontend_website> Added file wafv2.tf.
DEBUG	[misconf] 24:49.425748611 terraform.parser.<root>.evaluator Loaded module "frontend_website" from ".".
DEBUG	[misconf] 24:49.425753611 terraform.parser.<frontend_website> Evaluating module...
DEBUG	[misconf] 24:49.427316112 terraform.parser.<frontend_website> Read 39 block(s) and 0 ignore(s) for module 'frontend_website' (12 file[s])...
DEBUG	[misconf] 24:49.427537912 terraform.parser.<frontend_website> Added 18 input variables from module definition.
DEBUG	[misconf] 24:49.427582912 terraform.parser.<frontend_website> Working directory for module evaluation is "/project"
DEBUG	[misconf] 24:49.427800312 terraform.parser.<root>.evaluator Evaluating submodule frontend_website
DEBUG	[misconf] 24:49.427850112 terraform.parser.<frontend_website>.evaluator Filesystem key is '193405249a2c73bbda48100f697598b9f25dbff7f9af4eee6b0144b5ffb56777'
DEBUG	[misconf] 24:49.427869812 terraform.parser.<frontend_website>.evaluator Starting module evaluation...
DEBUG	[misconf] 24:49.429724012 terraform.parser.<frontend_website>.evaluator Expanded block 'module.api_gateway' into 0 clones via 'count' attribute.
DEBUG	[misconf] 24:49.429750812 terraform.parser.<frontend_website>.evaluator Starting submodule evaluation...
DEBUG	[misconf] 24:49.429764412 terraform.parser.<frontend_website>.evaluator locating non-initialized module 'git::[email protected]:v3/redacted/redactedXX/terraform-aws-cloudfront?ref=test-trivy-allow-all'...
DEBUG	[misconf] 24:49.429776112 terraform.parser.<frontend_website>.evaluator.resolver Resolving module 'module.frontend_website.module.cloudfront' with source: 'git::[email protected]:v3/redacted/redactedXX/terraform-aws-cloudfront?ref=test-trivy-allow-all'...
DEBUG	[misconf] 24:49.429804312 terraform.parser.<frontend_website>.evaluator.resolver Trying to resolve: c16b36f6c5dd94ba8e320d54584700b1
DEBUG	[misconf] 24:49.429823112 terraform.parser.<frontend_website>.evaluator.resolver Storing with cache key c16b36f6c5dd94ba8e320d54584700b1
DEBUG	[misconf] 24:49.429847812 terraform.parser.<frontend_website>.evaluator.resolver Downloading git::[email protected]:v3/redacted/redactedXX/terraform-aws-cloudfront?ref=test-trivy-allow-all...
DEBUG	[misconf] 24:50.143511191 terraform.parser.<frontend_website>.evaluator.resolver Incrementing the download counter
DEBUG	[misconf] 24:50.143590791 terraform.parser.<frontend_website>.evaluator.resolver Download counter is now 2
DEBUG	[misconf] 24:50.143624291 terraform.parser.<frontend_website>.evaluator.resolver Successfully downloaded module.frontend_website.module.cloudfront from git::[email protected]:v3/redacted/redactedXX/terraform-aws-cloudfront?ref=test-trivy-allow-all
DEBUG	[misconf] 24:50.143643891 terraform.parser.<frontend_website>.evaluator.resolver Module 'module.frontend_website.module.cloudfront' resolved via remote download.
DEBUG	[misconf] 24:50.143659691 terraform.parser.<frontend_website>.evaluator.resolver Module path is .
DEBUG	[misconf] 24:50.143685591 terraform.parser.<frontend_website>.evaluator Module 'module.frontend_website.module.cloudfront' resolved to path '.' in filesystem '/tmp/.aqua/cache/c16b36f6c5dd94ba8e320d54584700b1' with prefix 'git::[email protected]:v3/redacted/redactedXX/terraform-aws-cloudfront-s3?ref=test-trivy-allow-all/git::[email protected]:v3/redacted/redactedXX/terraform-aws-cloudfront?ref=test-trivy-allow-all'
DEBUG	[misconf] 24:50.150060992 terraform.parser.<frontend_website>.evaluator Loaded module "cloudfront" from ".".
DEBUG	[misconf] 24:50.150134692 terraform.parser.<frontend_website>.evaluator locating non-initialized module 'git::[email protected]:v3/redacted/redactedXX/terraform-aws-route53-record?ref=v1'...
DEBUG	[misconf] 24:50.150178392 terraform.parser.<frontend_website>.evaluator.resolver Resolving module 'module.frontend_website.module.route53' with source: 'git::[email protected]:v3/redacted/redactedXX/terraform-aws-route53-record?ref=v1'...
DEBUG	[misconf] 24:50.150350992 terraform.parser.<frontend_website>.evaluator.resolver Trying to resolve: ae7e3cb844ed1ac8a96162f061216412
DEBUG	[misconf] 24:50.150440292 terraform.parser.<frontend_website>.evaluator.resolver Storing with cache key ae7e3cb844ed1ac8a96162f061216412
DEBUG	[misconf] 24:50.150545192 terraform.parser.<frontend_website>.evaluator.resolver Downloading git::[email protected]:v3/redacted/redactedXX/terraform-aws-route53-record?ref=v1...
DEBUG	[misconf] 24:50.788598052 terraform.parser.<frontend_website>.evaluator.resolver Incrementing the download counter
DEBUG	[misconf] 24:50.788626952 terraform.parser.<frontend_website>.evaluator.resolver Download counter is now 3
DEBUG	[misconf] 24:50.788635052 terraform.parser.<frontend_website>.evaluator.resolver Successfully downloaded module.frontend_website.module.route53 from git::[email protected]:v3/redacted/redactedXX/terraform-aws-route53-record?ref=v1
DEBUG	[misconf] 24:50.788642652 terraform.parser.<frontend_website>.evaluator.resolver Module 'module.frontend_website.module.route53' resolved via remote download.
DEBUG	[misconf] 24:50.788648752 terraform.parser.<frontend_website>.evaluator.resolver Module path is .
DEBUG	[misconf] 24:50.788660552 terraform.parser.<frontend_website>.evaluator Module 'module.frontend_website.module.route53' resolved to path '.' in filesystem '/tmp/.aqua/cache/ae7e3cb844ed1ac8a96162f061216412' with prefix 'git::[email protected]:v3/redacted/redactedXX/terraform-aws-cloudfront-s3?ref=test-trivy-allow-all/git::[email protected]:v3/redacted/redactedXX/terraform-aws-route53-record?ref=v1'
DEBUG	[misconf] 24:50.789262652 terraform.parser.<frontend_website>.evaluator Loaded module "route53" from ".".
DEBUG	[misconf] 24:50.789290352 terraform.parser.<frontend_website>.evaluator locating non-initialized module 'git::[email protected]:v3/redacted/redactedXX/terraform-aws-s3?ref=v5'...
DEBUG	[misconf] 24:50.789306952 terraform.parser.<frontend_website>.evaluator.resolver Resolving module 'module.frontend_website.module.s3' with source: 'git::[email protected]:v3/redacted/redactedXX/terraform-aws-s3?ref=v5'...
DEBUG	[misconf] 24:50.789330052 terraform.parser.<frontend_website>.evaluator.resolver Trying to resolve: 52f2ae76e623f3879d6e54c68363f587
DEBUG	[misconf] 24:50.789364752 terraform.parser.<frontend_website>.evaluator.resolver Storing with cache key 52f2ae76e623f3879d6e54c68363f587
DEBUG	[misconf] 24:50.789389652 terraform.parser.<frontend_website>.evaluator.resolver Downloading git::[email protected]:v3/redacted/redactedXX/terraform-aws-s3?ref=v5...
DEBUG	[misconf] 24:51.399967505 terraform.parser.<frontend_website>.evaluator.resolver Incrementing the download counter
DEBUG	[misconf] 24:51.399995105 terraform.parser.<frontend_website>.evaluator.resolver Download counter is now 4
DEBUG	[misconf] 24:51.400001105 terraform.parser.<frontend_website>.evaluator.resolver Successfully downloaded module.frontend_website.module.s3 from git::[email protected]:v3/redacted/redactedXX/terraform-aws-s3?ref=v5
DEBUG	[misconf] 24:51.400006505 terraform.parser.<frontend_website>.evaluator.resolver Module 'module.frontend_website.module.s3' resolved via remote download.
DEBUG	[misconf] 24:51.400012205 terraform.parser.<frontend_website>.evaluator.resolver Module path is .
DEBUG	[misconf] 24:51.400024305 terraform.parser.<frontend_website>.evaluator Module 'module.frontend_website.module.s3' resolved to path '.' in filesystem '/tmp/.aqua/cache/52f2ae76e623f3879d6e54c68363f587' with prefix 'git::[email protected]:v3/redacted/redactedXX/terraform-aws-cloudfront-s3?ref=test-trivy-allow-all/git::[email protected]:v3/redacted/redactedXX/terraform-aws-s3?ref=v5'
DEBUG	[misconf] 24:51.406228206 terraform.parser.<frontend_website>.evaluator Loaded module "s3" from ".".
DEBUG	[misconf] 24:51.406257906 terraform.parser.<frontend_website>.evaluator locating non-initialized module 'git::[email protected]:v3/redacted/redactedXX/terraform-aws-wafv2?ref=v3'...
DEBUG	[misconf] 24:51.406267806 terraform.parser.<frontend_website>.evaluator.resolver Resolving module 'module.frontend_website.module.wafv2' with source: 'git::[email protected]:v3/redacted/redactedXX/terraform-aws-wafv2?ref=v3'...
DEBUG	[misconf] 24:51.406288106 terraform.parser.<frontend_website>.evaluator.resolver Trying to resolve: f925b1199479d338fcc91f3e8dc6e98a
DEBUG	[misconf] 24:51.406360006 terraform.parser.<frontend_website>.evaluator.resolver Storing with cache key f925b1199479d338fcc91f3e8dc6e98a
DEBUG	[misconf] 24:51.406400406 terraform.parser.<frontend_website>.evaluator.resolver Downloading git::[email protected]:v3/redacted/redactedXX/terraform-aws-wafv2?ref=v3...
DEBUG	[misconf] 24:52.043326465 terraform.parser.<frontend_website>.evaluator.resolver Incrementing the download counter
DEBUG	[misconf] 24:52.043356265 terraform.parser.<frontend_website>.evaluator.resolver Download counter is now 5
DEBUG	[misconf] 24:52.043364165 terraform.parser.<frontend_website>.evaluator.resolver Successfully downloaded module.frontend_website.module.wafv2 from git::[email protected]:v3/redacted/redactedXX/terraform-aws-wafv2?ref=v3
DEBUG	[misconf] 24:52.043371465 terraform.parser.<frontend_website>.evaluator.resolver Module 'module.frontend_website.module.wafv2' resolved via remote download.
DEBUG	[misconf] 24:52.043395666 terraform.parser.<frontend_website>.evaluator.resolver Module path is .
DEBUG	[misconf] 24:52.043438266 terraform.parser.<frontend_website>.evaluator Module 'module.frontend_website.module.wafv2' resolved to path '.' in filesystem '/tmp/.aqua/cache/f925b1199479d338fcc91f3e8dc6e98a' with prefix 'git::[email protected]:v3/redacted/redactedXX/terraform-aws-cloudfront-s3?ref=test-trivy-allow-all/git::[email protected]:v3/redacted/redactedXX/terraform-aws-wafv2?ref=v3'
DEBUG	[misconf] 24:52.053639968 terraform.parser.<frontend_website>.evaluator Loaded module "wafv2" from ".".
DEBUG	[misconf] 24:52.074162073 terraform.parser.<frontend_website>.evaluator Evaluating submodule cloudfront
DEBUG	[misconf] 24:52.785913651 terraform.parser.<frontend_website>.evaluator Submodule cloudfront inputs unchanged
DEBUG	[misconf] 24:52.785955351 terraform.parser.<frontend_website>.evaluator Evaluating submodule route53
DEBUG	[misconf] 24:52.788112152 terraform.parser.<frontend_website>.evaluator Submodule cloudfront inputs unchanged
DEBUG	[misconf] 24:52.788148452 terraform.parser.<frontend_website>.evaluator Submodule route53 inputs unchanged
DEBUG	[misconf] 24:52.788176752 terraform.parser.<frontend_website>.evaluator Evaluating submodule s3
DEBUG	[misconf] 24:52.809819957 terraform.parser.<frontend_website>.evaluator Evaluating submodule cloudfront
DEBUG	[misconf] 24:52.866326071 terraform.parser.<frontend_website>.evaluator Submodule cloudfront inputs unchanged
DEBUG	[misconf] 24:52.866606271 terraform.parser.<frontend_website>.evaluator Submodule route53 inputs unchanged
DEBUG	[misconf] 24:52.867441671 terraform.parser.<frontend_website>.evaluator Submodule s3 inputs unchanged
DEBUG	[misconf] 24:52.867884072 terraform.parser.<frontend_website>.evaluator Evaluating submodule wafv2
DEBUG	[misconf] 24:52.880897175 terraform.parser.<frontend_website>.evaluator Submodule cloudfront inputs unchanged
DEBUG	[misconf] 24:52.881395075 terraform.parser.<frontend_website>.evaluator Submodule route53 inputs unchanged
DEBUG	[misconf] 24:52.881721375 terraform.parser.<frontend_website>.evaluator Submodule s3 inputs unchanged
DEBUG	[misconf] 24:52.881926375 terraform.parser.<frontend_website>.evaluator Submodule wafv2 inputs unchanged
DEBUG	[misconf] 24:52.882115275 terraform.parser.<frontend_website>.evaluator All submodules are evaluated at i=5
DEBUG	[misconf] 24:52.882513975 terraform.parser.<frontend_website>.evaluator Starting post-submodule evaluation...
DEBUG	[misconf] 24:52.884108476 terraform.parser.<frontend_website>.evaluator Finished processing 6 submodule(s).
DEBUG	[misconf] 24:52.884281476 terraform.parser.<frontend_website>.evaluator Module evaluation complete.
DEBUG	[misconf] 24:52.884398076 terraform.parser.<frontend_website>.evaluator Added module output api_gateway_deployment_id=cty.StringVal("").
DEBUG	[misconf] 24:52.884523676 terraform.parser.<frontend_website>.evaluator Added module output arn=cty.StringVal("b3eced8d-fe0b-4582-9ad9-9ceb5338ac0d").
DEBUG	[misconf] 24:52.884628976 terraform.parser.<frontend_website>.evaluator Added module output distribution_arn=cty.StringVal("b3eced8d-fe0b-4582-9ad9-9ceb5338ac0d").
DEBUG	[misconf] 24:52.884733176 terraform.parser.<frontend_website>.evaluator Added module output distribution_id=cty.StringVal("7f40e451-eef9-4625-9dfe-8c75cd462377").
DEBUG	[misconf] 24:52.884933376 terraform.parser.<frontend_website>.evaluator Added module output route53_fqdn=cty.NilVal.
DEBUG	[misconf] 24:52.885034576 terraform.parser.<frontend_website>.evaluator Added module output s3_id=cty.StringVal("2bafcb29-cf1d-4db4-a21b-b5c5ab7d6de3").
DEBUG	[misconf] 24:52.886712776 terraform.parser.<root>.evaluator Submodule frontend_website inputs unchanged
DEBUG	[misconf] 24:52.886874976 terraform.parser.<root>.evaluator All submodules are evaluated at i=1
DEBUG	[misconf] 24:52.886970476 terraform.parser.<root>.evaluator Starting post-submodule evaluation...
DEBUG	[misconf] 24:52.888073977 terraform.parser.<root>.evaluator Finished processing 7 submodule(s).
DEBUG	[misconf] 24:52.888219877 terraform.parser.<root>.evaluator Module evaluation complete.
DEBUG	[misconf] 24:52.888333877 terraform.parser.<root>          Finished parsing module 'root'.
DEBUG	[misconf] 24:52.888452477 terraform.parser.<root>.evaluator Added module output distribution_id=cty.StringVal("7f40e451-eef9-4625-9dfe-8c75cd462377").
DEBUG	[misconf] 24:52.888594077 terraform.parser.<root>.evaluator Added module output route53_fqdn=cty.NilVal.
DEBUG	[misconf] 24:52.888690877 terraform.parser.<root>.evaluator Added module output s3_id=cty.StringVal("2bafcb29-cf1d-4db4-a21b-b5c5ab7d6de3").
DEBUG	[misconf] 24:52.888813977 terraform.executor               Adapting modules...
DEBUG	[misconf] 24:52.890555977 terraform.executor               Adapted 8 module(s) into defsec state data.
DEBUG	[misconf] 24:52.890723377 terraform.executor               Using max routines of 1
DEBUG	[misconf] 24:52.890965677 terraform.executor               Initialized 487 rule(s).
DEBUG	[misconf] 24:52.891093777 terraform.executor               Created pool with 1 worker(s) to apply rules.
DEBUG	[misconf] 24:52.894561078 terraform.scanner.rego           Scanning 1 inputs...
DEBUG	[misconf] 24:52.928285387 terraform.executor               Finished applying rules.
DEBUG	[misconf] 24:52.928314987 terraform.executor               Applying ignores...
DEBUG	OS is not detected.
INFO	Detected config files	num=4
DEBUG	Scanned config file	path="."
DEBUG	Scanned config file	path="git::[email protected]:v3/redacted/redactedXX/terraform-aws-cloudfront-s3?ref=test-trivy-allow-all/git::[email protected]:v3/redacted/redactedXX/terraform-aws-cloudfront?ref=test-trivy-allow-all/cloudfront.tf"
DEBUG	Scanned config file	path="git::[email protected]:v3/redacted/redactedXX/terraform-aws-cloudfront-s3?ref=test-trivy-allow-all/git::[email protected]:v3/redacted/redactedXX/terraform-aws-cloudfront?ref=test-trivy-allow-all/git::[email protected]:v3/redacted/redactedXX/terraform-aws-s3?ref=v5/main.tf"
DEBUG	Scanned config file	path="git::[email protected]:v3/redacted/redactedXX/terraform-aws-cloudfront-s3?ref=test-trivy-allow-all/git::[email protected]:v3/redacted/redactedXX/terraform-aws-s3?ref=v5/main.tf"
DEBUG	Found an ignore yaml	path="/tmp/redacted-infra-tests/trivy-critical/.trivyignore.yaml"



### Version

```bash
v0.53.0

Checklist

Read the documentation regarding wrong detection
Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

nikpivkin · 2024-07-26T05:04:21Z

nikpivkin
Jul 26, 2024
Maintainer

Hi @kiwimato !

We default to allow-all for viewer_protocol_policy even if default_cache_behavior is not defined. We will fix this, as the documentation says that default_cache_behavior is a required argument.

0 replies

nikpivkin · 2024-07-26T05:06:16Z

nikpivkin
Jul 26, 2024
Maintainer

Track #7233

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

avd-aws-0012: false positive for module with aws_cloudfront_distribution #7232

{{title}}

Replies: 2 comments

{{title}}

{{title}}

Select a reply

avd-aws-0012: false positive for module with aws_cloudfront_distribution #7232

kiwimato Jul 25, 2024

IDs

Description

Reproduction Steps

Checklist

Replies: 2 comments

nikpivkin Jul 26, 2024 Maintainer

nikpivkin Jul 26, 2024 Maintainer

kiwimato
Jul 25, 2024

nikpivkin
Jul 26, 2024
Maintainer

nikpivkin
Jul 26, 2024
Maintainer