Skip to content

fix(terraform_plan): fix CloudStorageSelfLogging for buckets without logging #7404

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
jeffreytolar wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(terraform_plan): fix CloudStorageSelfLogging for buckets without logging #7404

jeffreytolar wants to merge 1 commit into from

Conversation

@jeffreytolar
Copy link

@jeffreytolar jeffreytolar commented Dec 16, 2025
edited
Loading

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

When running checkov on a plan for a GCS bucket without logging defined:

resource "google_storage_bucket" "bucket" {
  name                        = "5bc85a21-7150-48f7-be36-0a8570c6209f"
  location                    = "us-central1"
  storage_class               = "STANDARD"
  force_destroy               = true
  uniform_bucket_level_access = true
  public_access_prevention    = "enforced"
}

checkov complains:

Check: CKV_GCP_63: "Bucket should not log to itself"
	FAILED for resource: google_storage_bucket.bucket
	File: /tfplan.json:0-0
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-3

This is because in the plan, Terraform populates an empty array as the logging value (likely refreshed from the live resource):

      "resources": [
        {
          "address": "google_storage_bucket.bucket",
          "values": {
            "logging": [],
          }
        }

New/Edited policies (Delete if not relevant)

  • CKV_GCP_63

Fix

How does someone fix the issue in code and/or in runtime?

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas n/a
  • I have made corresponding changes to the documentation n/a
  • I have added tests that prove my feature, policy, or fix is effective and works
  • New and existing tests pass locally with my changes
    • though I didn't run the full suite

jeffreytolar
jeffreytolar commented Dec 16, 2025
View reviewed changes
checkov/terraform/checks/resource/gcp/CloudStorageSelfLogging.py
return CheckResult.PASSED
return CheckResult.FAILED
return CheckResult.FAILED
return CheckResult.PASSED
Copy link
Author

@jeffreytolar jeffreytolar Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure in what other cases conf["logging"][0] would be empty. This appears to date back to the initial introduction of this resource way back in #878.

From the test plan, the "logging": [] gets translated to conf["logging"] = [[]], i.e., an array containing an empty array.

tests/terraform/checks/resource/gcp/example_CloudStorageSelfLogging/tfplan.json
Copy link
Author

@jeffreytolar jeffreytolar Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a real plan, but I did edit it slightly to remove my project details

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jeffreytolar