Terraform scanner problem when having 2 instance of same resource / aws key

[ohad83]

Description

I'm not exactly sure what's the root problem here, but it seems to be a problem with trivy/defsec/tfsec when I use a module twice and it has a dynamic block which is different for each instance. It might be connected to this issue.
This is a minimal example:

resource "aws_kms_key" "key1" {
  description = "Key #1"
  enable_key_rotation = true
}

resource "aws_kms_key" "key2" {
  description = "Key #2"
  enable_key_rotation = true
}


module "bucket1" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "3.5.0"

  bucket_prefix           = "bucket1"
  acl                     = "private"
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true

  versioning = {
    enabled = true
  }

  logging = {
    target_bucket = "logging-bucket"
    target_prefix = "log/"
  }

  server_side_encryption_configuration = {
    rule = {
      apply_server_side_encryption_by_default = {
        kms_master_key_id = aws_kms_key.key1.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }
}


module "bucket2" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "3.5.0"

  bucket_prefix           = "bucket2"
  acl                     = "private"
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true

  versioning = {
    enabled = true
  }

  logging = {
    target_bucket = "logging-bucket"
    target_prefix = "log/"
  }

  server_side_encryption_configuration = {
    rule = {
      apply_server_side_encryption_by_default = {
        kms_master_key_id = aws_kms_key.key2.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }
}

I have 2 buckets, each encrypted with its own key.

What did you expect to happen?

I expect trivy checks about S3 bucket encryption to pass as the buckets are encrypted.

What happened instead?

trivy says the S3 bucket isn't encrypted - only the first bucket.
This has something to do with the fact there are 2 keys and 2 buckets. If I use key2 for both of them, trivy is happy. If I use key1 for both, they're both labeled as unencrypted.

Output of run with -debug:

2022-12-21T16:02:06.296+0200	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-12-21T16:02:06.336+0200	DEBUG	cache dir:  /Users/ohad/Library/Caches/trivy
2022-12-21T16:02:06.336+0200	INFO	Misconfiguration scanning is enabled
2022-12-21T16:02:06.336+0200	DEBUG	Walk the file tree rooted at '.' in parallel
2022-12-21T16:02:06.676+0200	DEBUG	OS is not detected.
2022-12-21T16:02:06.676+0200	INFO	Detected config files: 3
2022-12-21T16:02:06.676+0200	DEBUG	Scanned config file: .
2022-12-21T16:02:06.676+0200	DEBUG	Scanned config file: a.tf
2022-12-21T16:02:06.676+0200	DEBUG	Scanned config file: terraform-aws-modules/s3-bucket/aws/main.tf

terraform-aws-modules/s3-bucket/aws/main.tf (terraform)

Tests: 12 (SUCCESSES: 10, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 terraform-aws-modules/s3-bucket/aws/main.tf:143-165
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 143 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
 144 │   count = local.create_bucket && length(keys(var.server_side_encryption_configuration)) > 0 ? 1 : 0
 145 │
 146 │   bucket                = aws_s3_bucket.this[0].id
 147 │   expected_bucket_owner = var.expected_bucket_owner
 148 │
 149 │   dynamic "rule" {
 150 │     for_each = try(flatten([var.server_side_encryption_configuration["rule"]]), [])
 151 └
 ...
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 terraform-aws-modules/s3-bucket/aws/main.tf:143-165
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 143 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
 144 │   count = local.create_bucket && length(keys(var.server_side_encryption_configuration)) > 0 ? 1 : 0
 145 │
 146 │   bucket                = aws_s3_bucket.this[0].id
 147 │   expected_bucket_owner = var.expected_bucket_owner
 148 │
 149 │   dynamic "rule" {
 150 │     for_each = try(flatten([var.server_side_encryption_configuration["rule"]]), [])
 151 └
 ...
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

I also ran defsec, which has a better debug output for this I believe:

03:11.877042000 terraform.scanner                Scanning [&{/tmp/tfsec-check /tmp/tfsec-check}] at '.'...
03:11.879100000 terraform.scanner.rego           Loaded 3 embedded libraries.
03:11.895932000 terraform.scanner.rego           Loaded 123 embedded policies.
03:12.010416000 terraform.scanner                Scanning root module '.'...
03:12.010442000 terraform.parser.<root>          Setting project/module root to '.'
03:12.010448000 terraform.parser.<root>          Parsing FS from '.'
03:12.010537000 terraform.parser.<root>          Parsing 'a.tf'...
03:12.010813000 terraform.parser.<root>          Added file a.tf.
03:12.010824000 terraform.parser.<root>          Evaluating module...
03:12.010946000 terraform.parser.<root>          Read 4 block(s) and 0 ignore(s) for module 'root' (1 file[s])...
03:12.010960000 terraform.parser.<root>          Added 0 variables from tfvars.
03:12.011020000 terraform.parser.<root>          Loaded module metadata for 3 module(s) from '.terraform/modules/modules.json'.
03:12.011031000 terraform.parser.<root>          Working directory for module evaluation is '/tmp/tfsec-check'
03:12.011062000 terraform.parser.<root>.evaluator Filesystem key is 'fcc4b050a2da87c154295ae67ffe9359e8db06d0d23a4e9305997ac263f01de9'
03:12.011064000 terraform.parser.<root>.evaluator Starting module evaluation...
03:12.011107000 terraform.parser.<root>.evaluator Starting submodule evaluation...
03:12.011115000 terraform.parser.<root>.evaluator Module 'module.bucket1' resolved to path '.terraform/modules/bucket1' in filesystem '&{/tmp/tfsec-check /tmp/tfsec-check}' using modules.json
03:12.011117000 terraform.parser.<bucket1>       Parsing FS from '.terraform/modules/bucket1'
03:12.011160000 terraform.parser.<bucket1>       Parsing '.terraform/modules/bucket1/main.tf'...
03:12.014970000 terraform.parser.<bucket1>       Added file .terraform/modules/bucket1/main.tf.
03:12.014989000 terraform.parser.<bucket1>       Parsing '.terraform/modules/bucket1/outputs.tf'...
03:12.015245000 terraform.parser.<bucket1>       Added file .terraform/modules/bucket1/outputs.tf.
03:12.015251000 terraform.parser.<bucket1>       Parsing '.terraform/modules/bucket1/variables.tf'...
03:12.016086000 terraform.parser.<bucket1>       Added file .terraform/modules/bucket1/variables.tf.
03:12.016091000 terraform.parser.<bucket1>       Parsing '.terraform/modules/bucket1/versions.tf'...
03:12.016127000 terraform.parser.<bucket1>       Added file .terraform/modules/bucket1/versions.tf.
03:12.016129000 terraform.parser.<root>.evaluator found module 'terraform-aws-modules/s3-bucket/aws' in .terraform/modules
03:12.016131000 terraform.parser.<root>.evaluator Loaded module 'bucket1' from '.terraform/modules/bucket1'.
03:12.016141000 terraform.parser.<root>.evaluator Module 'module.bucket2' resolved to path '.terraform/modules/bucket2' in filesystem '&{/tmp/tfsec-check /tmp/tfsec-check}' using modules.json
03:12.016144000 terraform.parser.<bucket2>       Parsing FS from '.terraform/modules/bucket2'
03:12.016192000 terraform.parser.<bucket2>       Parsing '.terraform/modules/bucket2/main.tf'...
03:12.018954000 terraform.parser.<bucket2>       Added file .terraform/modules/bucket2/main.tf.
03:12.018968000 terraform.parser.<bucket2>       Parsing '.terraform/modules/bucket2/outputs.tf'...
03:12.019217000 terraform.parser.<bucket2>       Added file .terraform/modules/bucket2/outputs.tf.
03:12.019225000 terraform.parser.<bucket2>       Parsing '.terraform/modules/bucket2/variables.tf'...
03:12.020030000 terraform.parser.<bucket2>       Added file .terraform/modules/bucket2/variables.tf.
03:12.020034000 terraform.parser.<bucket2>       Parsing '.terraform/modules/bucket2/versions.tf'...
03:12.020065000 terraform.parser.<bucket2>       Added file .terraform/modules/bucket2/versions.tf.
03:12.020071000 terraform.parser.<root>.evaluator found module 'terraform-aws-modules/s3-bucket/aws' in .terraform/modules
03:12.020073000 terraform.parser.<root>.evaluator Loaded module 'bucket2' from '.terraform/modules/bucket2'.
03:12.020074000 terraform.parser.<bucket1>       Evaluating module...
03:12.024178000 terraform.parser.<bucket1>       Read 78 block(s) and 0 ignore(s) for module 'bucket1' (4 file[s])...
03:12.024228000 terraform.parser.<bucket1>       Added 12 input variables from module definition.
03:12.024298000 terraform.parser.<bucket1>       Loaded module metadata for 3 module(s) from '.terraform/modules/modules.json'.
03:12.024308000 terraform.parser.<bucket1>       Working directory for module evaluation is '/tmp/tfsec-check'
03:12.024362000 terraform.parser.<bucket1>.evaluator Filesystem key is 'fcc4b050a2da87c154295ae67ffe9359e8db06d0d23a4e9305997ac263f01de9'
03:12.024365000 terraform.parser.<bucket1>.evaluator Starting module evaluation...
03:12.025572000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket.this' into 1 clones via 'count' attribute.
03:12.025583000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_accelerate_configuration.this' into 0 clones via 'count' attribute.
03:12.025668000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_acl.this' into 1 clones via 'count' attribute.
03:12.025680000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_cors_configuration.this' into 0 clones via 'count' attribute.
03:12.025689000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_lifecycle_configuration.this' into 0 clones via 'count' attribute.
03:12.025735000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_logging.this' into 1 clones via 'count' attribute.
03:12.025759000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_object_lock_configuration.this' into 0 clones via 'count' attribute.
03:12.025766000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_ownership_controls.this' into 0 clones via 'count' attribute.
03:12.025775000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_policy.this' into 0 clones via 'count' attribute.
03:12.025809000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_public_access_block.this' into 1 clones via 'count' attribute.
03:12.025828000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_replication_configuration.this' into 0 clones via 'count' attribute.
03:12.025838000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_request_payment_configuration.this' into 0 clones via 'count' attribute.
03:12.025894000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_server_side_encryption_configuration.this' into 1 clones via 'count' attribute.
03:12.025943000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_versioning.this' into 1 clones via 'count' attribute.
03:12.025954000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_website_configuration.this' into 0 clones via 'count' attribute.
03:12.025965000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_intelligent_tiering_configuration.this' into 0 clones via 'for_each' attribute.
03:12.025973000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_inventory.this' into 0 clones via 'for_each' attribute.
03:12.025982000 terraform.parser.<bucket1>.evaluator Expanded block 'aws_s3_bucket_metric.this' into 0 clones via 'for_each' attribute.
03:12.025988000 terraform.parser.<bucket1>.evaluator Expanded block 'dynamic.grant' into 0 clones via 'for_each' attribute.
03:12.026002000 terraform.parser.<bucket1>.evaluator Expanded block 'dynamic.access_control_policy' into 0 clones via 'for_each' attribute.
03:12.026450000 terraform.parser.<bucket1>.evaluator Expanded block 'dynamic.apply_server_side_encryption_by_default' into 0 clones via 'for_each' attribute.
03:12.026466000 terraform.parser.<bucket1>.evaluator Expanded block 'dynamic.grant' into 0 clones via 'for_each' attribute.
03:12.026481000 terraform.parser.<bucket1>.evaluator Expanded block 'dynamic.access_control_policy' into 0 clones via 'for_each' attribute.
03:12.026928000 terraform.parser.<bucket1>.evaluator Expanded block 'dynamic.apply_server_side_encryption_by_default' into 0 clones via 'for_each' attribute.
03:12.026933000 terraform.parser.<bucket1>.evaluator Starting submodule evaluation...
03:12.026935000 terraform.parser.<bucket1>.evaluator Finished processing 0 submodule(s).
03:12.026936000 terraform.parser.<bucket1>.evaluator Starting post-submodule evaluation...
03:12.029680000 terraform.parser.<bucket1>.evaluator Module evaluation complete.
03:12.030011000 terraform.parser.<bucket1>       Finished parsing module 'bucket1'.
03:12.030046000 terraform.parser.<bucket1>.evaluator Added module output s3_bucket_arn=cty.StringVal("e1ba6af9-455b-479a-b487-3573e0ccfad0").
03:12.030061000 terraform.parser.<bucket1>.evaluator Added module output s3_bucket_bucket_domain_name=cty.StringVal("").
03:12.030071000 terraform.parser.<bucket1>.evaluator Added module output s3_bucket_bucket_regional_domain_name=cty.StringVal("").
03:12.030083000 terraform.parser.<bucket1>.evaluator Added module output s3_bucket_hosted_zone_id=cty.StringVal("").
03:12.030098000 terraform.parser.<bucket1>.evaluator Added module output s3_bucket_id=cty.NilVal.
03:12.030109000 terraform.parser.<bucket1>.evaluator Added module output s3_bucket_region=cty.StringVal("").
03:12.030119000 terraform.parser.<bucket1>.evaluator Added module output s3_bucket_website_domain=cty.StringVal("").
03:12.030126000 terraform.parser.<bucket1>.evaluator Added module output s3_bucket_website_endpoint=cty.StringVal("").
03:12.030191000 terraform.parser.<bucket2>       Evaluating module...
03:12.034371000 terraform.parser.<bucket2>       Read 78 block(s) and 0 ignore(s) for module 'bucket2' (4 file[s])...
03:12.034403000 terraform.parser.<bucket2>       Added 12 input variables from module definition.
03:12.034489000 terraform.parser.<bucket2>       Loaded module metadata for 3 module(s) from '.terraform/modules/modules.json'.
03:12.034502000 terraform.parser.<bucket2>       Working directory for module evaluation is '/tmp/tfsec-check'
03:12.034550000 terraform.parser.<bucket2>.evaluator Filesystem key is 'fcc4b050a2da87c154295ae67ffe9359e8db06d0d23a4e9305997ac263f01de9'
03:12.034554000 terraform.parser.<bucket2>.evaluator Starting module evaluation...
03:12.035779000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket.this' into 1 clones via 'count' attribute.
03:12.035793000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_accelerate_configuration.this' into 0 clones via 'count' attribute.
03:12.035870000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_acl.this' into 1 clones via 'count' attribute.
03:12.035881000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_cors_configuration.this' into 0 clones via 'count' attribute.
03:12.035889000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_lifecycle_configuration.this' into 0 clones via 'count' attribute.
03:12.035933000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_logging.this' into 1 clones via 'count' attribute.
03:12.035957000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_object_lock_configuration.this' into 0 clones via 'count' attribute.
03:12.035964000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_ownership_controls.this' into 0 clones via 'count' attribute.
03:12.035970000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_policy.this' into 0 clones via 'count' attribute.
03:12.036241000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_public_access_block.this' into 1 clones via 'count' attribute.
03:12.036257000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_replication_configuration.this' into 0 clones via 'count' attribute.
03:12.036269000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_request_payment_configuration.this' into 0 clones via 'count' attribute.
03:12.036339000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_server_side_encryption_configuration.this' into 1 clones via 'count' attribute.
03:12.036387000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_versioning.this' into 1 clones via 'count' attribute.
03:12.036402000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_website_configuration.this' into 0 clones via 'count' attribute.
03:12.036412000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_intelligent_tiering_configuration.this' into 0 clones via 'for_each' attribute.
03:12.036421000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_inventory.this' into 0 clones via 'for_each' attribute.
03:12.036434000 terraform.parser.<bucket2>.evaluator Expanded block 'aws_s3_bucket_metric.this' into 0 clones via 'for_each' attribute.
03:12.036440000 terraform.parser.<bucket2>.evaluator Expanded block 'dynamic.grant' into 0 clones via 'for_each' attribute.
03:12.036456000 terraform.parser.<bucket2>.evaluator Expanded block 'dynamic.access_control_policy' into 0 clones via 'for_each' attribute.
03:12.036910000 terraform.parser.<bucket2>.evaluator Expanded block 'dynamic.apply_server_side_encryption_by_default' into 0 clones via 'for_each' attribute.
03:12.037051000 terraform.parser.<bucket2>.evaluator Expanded block 'dynamic.rule' into 1 clones via 'for_each' attribute.
03:12.037118000 terraform.parser.<bucket2>.evaluator Expanded block 'dynamic.apply_server_side_encryption_by_default' into 1 clones via 'for_each' attribute.
03:12.037148000 terraform.parser.<bucket2>.evaluator Expanded block 'dynamic.grant' into 0 clones via 'for_each' attribute.
03:12.037163000 terraform.parser.<bucket2>.evaluator Expanded block 'dynamic.access_control_policy' into 0 clones via 'for_each' attribute.
03:12.037612000 terraform.parser.<bucket2>.evaluator Expanded block 'dynamic.apply_server_side_encryption_by_default' into 0 clones via 'for_each' attribute.
03:12.037681000 terraform.parser.<bucket2>.evaluator Expanded block 'dynamic.apply_server_side_encryption_by_default' into 1 clones via 'for_each' attribute.
03:12.037828000 terraform.parser.<bucket2>.evaluator Expanded block 'dynamic.rule' into 1 clones via 'for_each' attribute.
03:12.037894000 terraform.parser.<bucket2>.evaluator Expanded block 'dynamic.apply_server_side_encryption_by_default' into 1 clones via 'for_each' attribute.
03:12.037913000 terraform.parser.<bucket2>.evaluator Starting submodule evaluation...
03:12.037918000 terraform.parser.<bucket2>.evaluator Finished processing 0 submodule(s).
03:12.037919000 terraform.parser.<bucket2>.evaluator Starting post-submodule evaluation...
03:12.038581000 terraform.parser.<bucket2>.evaluator Module evaluation complete.
03:12.038589000 terraform.parser.<bucket2>       Finished parsing module 'bucket2'.
03:12.038598000 terraform.parser.<bucket2>.evaluator Added module output s3_bucket_arn=cty.StringVal("47678655-779b-473c-8ded-06aa61f99e48").
03:12.038608000 terraform.parser.<bucket2>.evaluator Added module output s3_bucket_bucket_domain_name=cty.StringVal("").
03:12.038619000 terraform.parser.<bucket2>.evaluator Added module output s3_bucket_bucket_regional_domain_name=cty.StringVal("").
03:12.038632000 terraform.parser.<bucket2>.evaluator Added module output s3_bucket_hosted_zone_id=cty.StringVal("").
03:12.038646000 terraform.parser.<bucket2>.evaluator Added module output s3_bucket_id=cty.NilVal.
03:12.038655000 terraform.parser.<bucket2>.evaluator Added module output s3_bucket_region=cty.StringVal("").
03:12.038662000 terraform.parser.<bucket2>.evaluator Added module output s3_bucket_website_domain=cty.StringVal("").
03:12.038672000 terraform.parser.<bucket2>.evaluator Added module output s3_bucket_website_endpoint=cty.StringVal("").
03:12.038678000 terraform.parser.<root>.evaluator Finished processing 2 submodule(s).
03:12.038680000 terraform.parser.<root>.evaluator Starting post-submodule evaluation...
03:12.038709000 terraform.parser.<root>.evaluator Module evaluation complete.
03:12.038711000 terraform.parser.<root>          Finished parsing module 'root'.
03:12.038713000 terraform.executor               Adapting modules...
03:12.039334000 terraform.executor               Adapted 3 module(s) into defsec state data.
03:12.039339000 terraform.executor               Using max routines of 9
03:12.039340000 terraform.executor               Applying state modifier functions...
03:12.039397000 terraform.executor               Initialised 398 rule(s).
03:12.039399000 terraform.executor               Created pool with 9 worker(s) to apply rules.
03:12.039693000 terraform.scanner.rego           Scanning 1 inputs...
03:12.043835000 terraform.executor               Finished applying rules.
03:12.043846000 terraform.executor               Applying ignores...
03:12.292278000 json.scanner.rego                Loaded 3 embedded libraries.
03:12.306658000 json.scanner.rego                Loaded 123 embedded policies.
03:12.391930000 json.scanner.rego                Scanning 3 inputs...
03:12.393755000 yaml.scanner.rego                Loaded 3 embedded libraries.
03:12.407540000 yaml.scanner.rego                Loaded 123 embedded policies.
03:12.492144000 yaml.scanner.rego                Scanning 6 inputs...
03:12.496653000 azure.arm.rego                   Loaded 3 embedded libraries.
03:12.510641000 azure.arm.rego                   Loaded 123 embedded policies.
AVD-AWS-0088 aws-s3-enable-bucket-encryption terraform-aws-modules/s3-bucket/aws/.terraform/modules/bucket1/main.tf:145-167
AVD-AWS-0132 aws-s3-encryption-customer-key terraform-aws-modules/s3-bucket/aws/.terraform/modules/bucket1/main.tf:145-167

Output of trivy -v:

Version: 0.35.0

[simar7]

Thanks we will get back to you.

[simar7]

I've created an issue here to track it: #4627