Failed to run prepared query error in opa/engine.go #709

Closed
henrychoi7 opened this issue Apr 29, 2021 · 7 comments · Fixed by #800
Labels: bug, policy (Issue concerning policy maintainers.)

Comments

@henrychoi7

  • terrascan version: 1.5.0
  • Operating System: macOS 11.2.3

Description

I was trying to test it on my Terraform code, but an error keeps occurring every time I execute it. I think it should run without any errors, but every piece of code I test it with produces the same error.

2021-04-29T16:53:45.436+0900 warn opa/engine.go:346 failed to run prepared query{error 26 0 hardCodedShellScript:22: eval_builtin_error: base64.decode: illegal base64 data at input byte 0} {rule 15 0 'AWS.LaunchConfiguration.DataSecurity.High.0101' <nil>} {file 15 0 hardCodedShellScript.rego <nil>}

What I Did

Example Terraform:

provider "aws" {
  region = "eu-west-1"
}

locals {
  user_data = <<EOF
#!/bin/bash
echo "Hello Terraform!"
EOF
}
data "aws_vpc" "default" {
  default = true
}

data "aws_subnet_ids" "all" {
  vpc_id = data.aws_vpc.default.id
}

data "aws_ami" "amazon_linux" {
  most_recent = true

  owners = ["amazon"]

  filter {
    name = "name"

    values = [
      "amzn-ami-hvm-*-x86_64-gp2",
    ]
  }

  filter {
    name = "owner-alias"

    values = [
      "amazon",
    ]
  }
}

module "security_group" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "~> 3.0"

  name        = "example"
  description = "Security group for example usage with EC2 instance"
  vpc_id      = data.aws_vpc.default.id

  ingress_cidr_blocks = ["0.0.0.0/0"]
  ingress_rules       = ["http-80-tcp", "all-icmp"]
  egress_rules        = ["all-all"]
}

resource "aws_eip" "this" {
  vpc      = true
  instance = module.ec2.id[0]
}

resource "aws_placement_group" "web" {
  name     = "hunky-dory-pg"
  strategy = "cluster"
}

resource "aws_kms_key" "this" {
}

module "ec2" {
  source = "../../"

  instance_count = 1

  name          = "example-normal"
  ami           = data.aws_ami.amazon_linux.id
  instance_type = "c5.large"
  subnet_id     = tolist(data.aws_subnet_ids.all.ids)[0]
  vpc_security_group_ids      = [module.security_group.this_security_group_id]
  associate_public_ip_address = true
  placement_group             = aws_placement_group.web.id

  user_data_base64 = base64encode(local.user_data)

  root_block_device = [
    {
      volume_type = "gp2"
      volume_size = 10
    },
  ]

  ebs_block_device = [
    {
      device_name = "/dev/sdf"
      volume_type = "gp2"
      volume_size = 5
      encrypted   = true
      kms_key_id  = aws_kms_key.this.arn
    }
  ]

  tags = {
    "Env"      = "Private"
    "Location" = "Secret"
  }
}

Below is the actual command and the error message. I tried installing with brew, a manual build, and Docker, but they all produced the same error.

$ terrascan scan
2021-04-29T16:53:45.436+0900	warn	opa/engine.go:346	failed to run prepared query{error 26 0  hardCodedShellScript:22: eval_builtin_error: base64.decode: illegal base64 data at input byte 0} {rule 15 0 'AWS.LaunchConfiguration.DataSecurity.High.0101' <nil>} {file 15 0 hardCodedShellScript.rego <nil>}


Violation Details -

	Description    :	EC2 instances should disable IMDS or require IMDSv2 as this can be related to the weaponization phase of kill chain
	File           :	../../../../../var/folders/m_/9v32lyj95dd5pgy44xgmj7j80000gn/T/cyz88y/main.tf
	Line           :	5
	Severity       :	MEDIUM
	-----------------------------------------------------------------------


Scan Summary -

	File/Folder         :	/Users/user/terraform/production/ubuntu-1804
	IaC Type            :	terraform
	Scanned At          :	2021-04-29 07:53:45.565984 +0000 UTC
	Policies Validated  :	562
	Violated Policies   :	1
	Low                 :	0
	Medium              :	1
	High                :	0
@sspatwardhan

Seeing these warnings on Ubuntu and Windows. @jlk @kanchwala-yusuf @amirbenv

@devang-gaur
Contributor

It looks like a policy issue to me. @gaurav-gogia @harkirat22 @Avanti19 @shreyas-phansalkar-189 can any one of you have a look at the policy file mentioned in the error description?
pkg/policies/opa/rego/aws/aws_launch_configuration/hardCodedShellScript.rego

@devang-gaur devang-gaur added the policy Issue concerning policy maintainers. label May 10, 2021
@gaurav-gogia
Contributor

@dev-gaur yes, looking into it

@gaurav-gogia
Contributor

@henrychoi7

Configuration:

  1. terrascan version(s): 1.5.0, 1.5.1
  2. Operating System: macOS 11.3

Unable to reproduce the issue on my end with the provided terraform file. Please share if any more terraform files or terrascan config files are being used.

@devang-gaur
Contributor

@henrychoi7 I see your main.tf consumes the modules "security_group" and "ec2", which get scanned as well. Is it possible for you to share a .tar or .zip archive with the whole directory structure being scanned? Fill in dummy strings in place of sensitive values.

@henrychoi7
Author

@gaurav-gogia @dev-gaur Sure. This is the whole directory archive.

terraform_709.zip

I still get the warning on these working files. Thank you for your help.

@devang-gaur
Contributor

The warning message occurs due to a limitation of terrascan in reference resolution. To stop annoying users with this warning message, we're changing the log level of this message to debug.
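
The maintainer's explanation above describes the failure mode in one sentence: the policy calls base64.decode on user_data_base64, but in this config that attribute is `base64encode(local.user_data)`, a Terraform expression terrascan cannot evaluate statically, so the policy receives something that is not base64 and the builtin fails. The Go program below is an added illustration and is not terrascan's code or the hardCodedShellScript.rego policy; it reproduces the exact error text from the log with Go's encoding/base64 (which is what OPA's base64.decode builtin uses) and contrasts the strict decode with a variant that recognises unresolved references before decoding. The sample values are constructed; the `${...}` rendering of an unresolved expression, the shebang heuristic in isShellScript, and the function names classify and checkStrict are assumptions made for the example.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed sample values for an instance's user_data_base64 attribute.
// "unresolved" assumes an unevaluated Terraform expression reaches the
// policy as the literal "${...}" text; that rendering is an assumption made
// for this example, not something taken from terrascan's source.
var sampleUserData = map[string]string{
	"resolved":   base64.StdEncoding.EncodeToString([]byte("#!/bin/bash\necho \"Hello Terraform!\"\n")),
	"cloudinit":  base64.StdEncoding.EncodeToString([]byte("#cloud-config\npackages: [nginx]\n")),
	"unresolved": "${base64encode(local.user_data)}",
	"garbage":    "not base64 at all!",
}

// isShellScript stands in for a policy's notion of a hard-coded shell
// script: decoded user data that begins with a shebang line (assumed heuristic).
func isShellScript(decoded []byte) bool {
	return strings.HasPrefix(string(decoded), "#!")
}

// checkStrict decodes unconditionally, the way a policy that calls
// base64.decode on the raw attribute does. A '$' at offset 0 makes Go's
// decoder return CorruptInputError(0), whose text is exactly the message in
// the issue: "illegal base64 data at input byte 0".
func checkStrict(userDataB64 string) (bool, error) {
	decoded, err := base64.StdEncoding.DecodeString(userDataB64)
	if err != nil {
		return false, err
	}
	return isShellScript(decoded), nil
}

// classify is the defensive variant: it detects an unresolved reference
// before decoding and reports undecodable input as its own category instead
// of an error, so one unresolvable attribute cannot abort the whole rule.
// Returns one of "hardcoded-script", "clean", "unresolved", "undecodable".
func classify(userDataB64 string) string {
	if strings.HasPrefix(userDataB64, "${") && strings.HasSuffix(userDataB64, "}") {
		return "unresolved"
	}
	decoded, err := base64.StdEncoding.DecodeString(userDataB64)
	if err != nil {
		return "undecodable"
	}
	if isShellScript(decoded) {
		return "hardcoded-script"
	}
	return "clean"
}

func main() {
	for name, v := range sampleUserData {
		hit, err := checkStrict(v)
		fmt.Printf("%-10s strict:   hit=%-5v err=%v\n", name, hit, err)
		fmt.Printf("%-10s classify: %s\n", name, classify(v))
	}
}
```

Running it shows the two outcomes side by side: for the unresolved value checkStrict returns the "illegal base64 data at input byte 0" error, while classify reports "unresolved" and the genuinely encoded script is still flagged. Either way the scanner cannot inspect what local.user_data really contains without evaluating the expression, so a reference that resolves to a script at apply time is a blind spot, not a clean result.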
