
Rule suppression for specific resources #868

Closed
quietkatalyst opened this issue Jun 15, 2021 · 2 comments

Comments

@quietkatalyst

quietkatalyst commented Jun 15, 2021

  • terrascan version: 1.7.0
  • Operating System: Windows 10

Description

Running terrascan scan -t aws -v results in resources being flagged as having violations, even though I've suppressed the correct rule on the resource.

What I Did

Here is an example of the resource and the comment:

resource "aws_lb_target_group" "target_group" {
  #ts:skip="AC_AWS_042"
  name = "${lower(var.service_name)}-${lower(var.service_environment)}"
  port = var.container_port
  protocol = "HTTP"
  target_type = "instance"
  vpc_id = var.load_balancer_vpc

  health_check {
    path = var.service_healthcheck
    protocol = "HTTP"
  }

  load_balancing_algorithm_type = var.load_balancing_algorithm
}

Here is the terrascan violation:

Description    :        Ensure Target Group use HTTPs to ensure end to end encryption
File           :        service_environment\application_load_balancer.tf
Module Name    :        root
Plan Root      :        service_environment
Line           :        11
Severity       :        MEDIUM
Rule Name      :        targetGroupUsingHttp
Rule ID        :        AC_AWS_042
Resource Name  :        target_group
Resource Type  :        aws_lb_target_group
Category       :        Infrastructure Security

I'm fairly certain I've got the correct rule ID, because if I suppress the rule for the entire scan using --skip-rules, it ignores the violation as expected.

@nasir-rabbani
Contributor

nasir-rabbani commented Jun 22, 2021

Hey @quietkatalyst, thanks for raising this issue. This inconsistency was due to a non-standard reference_id pattern. With PR #786 we have moved to standard Rule IDs. We encourage everyone to use the newly added id for skipping and scanning policies.

In your case the corresponding id is AC_AWS_0492. Also, I noticed you have used " around the rule id, which is invalid. I tested the following for skipping the rule and it worked.

resource "aws_lb_target_group" "target_group" {
  #ts:skip=AC_AWS_0492
  name = "${lower(var.service_name)}-${lower(var.service_environment)}"
  port = var.container_port
  protocol = "HTTP"
  target_type = "instance"
  vpc_id = var.load_balancer_vpc

  health_check {
    path = var.service_healthcheck
    protocol = "HTTP"
  }

  load_balancing_algorithm_type = var.load_balancing_algorithm
}

Please confirm if it works for you so that we can close this issue.
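Suppression comments are an audit surface: a malformed one silently fails to suppress (as above), and a well-formed one hides a finding from every future scan. The script below is an added example, not terrascan's own code or anything from this thread; it inventories every #ts:skip comment in a Terraform file, attributes it to the enclosing resource, and flags the two failure modes discussed here: a quoted rule id and an id that does not match the standard form. The AC_<PROVIDER>_NNNN shape (four digits, as in AC_AWS_0492) and the optional free-text comment after the id are assumptions, not documented on this page.

```python
import re
from typing import Dict, List

# Assumed shape of the standard Terrascan rule ids (e.g. AC_AWS_0492):
# provider tag plus four digits. Legacy ids such as AC_AWS_042 will not match.
RULE_ID_RE = re.compile(r"^AC_[A-Z]+_\d{4}$")
# Only the single-line form `resource "type" "name" {` is recognised.
RESOURCE_RE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
# Capture the raw token after #ts:skip= up to the first whitespace, so a
# quoted id like #ts:skip="AC_AWS_042" is reported exactly as written.
SKIP_RE = re.compile(r"#ts:skip=(\S+)")


def audit_skip_comments(hcl_text: str) -> List[Dict[str, object]]:
    """Return one record per #ts:skip comment: line, enclosing resource,
    raw rule token, and a 'problem' string ('' when it looks well-formed)."""
    findings: List[Dict[str, object]] = []
    resource = "<none>"
    for lineno, line in enumerate(hcl_text.splitlines(), start=1):
        res = RESOURCE_RE.match(line)
        if res:
            resource = f"{res.group(1)}.{res.group(2)}"
            continue
        skip = SKIP_RE.search(line)
        if not skip:
            continue
        token = skip.group(1)
        if token[0] in ("'", '"'):
            problem = "rule id is quoted; the comment must read #ts:skip=RULE_ID"
        elif not RULE_ID_RE.match(token):
            problem = "rule id is not in the standard AC_<PROVIDER>_NNNN form"
        else:
            problem = ""
        findings.append({"line": lineno, "resource": resource,
                         "rule": token, "problem": problem})
    return findings


# Constructed sample: the reporter's original comment and the maintainer's fix.
SAMPLE_TF = '''
resource "aws_lb_target_group" "target_group" {
  #ts:skip="AC_AWS_042"
  protocol = "HTTP"
}

resource "aws_lb_target_group" "fixed_group" {
  #ts:skip=AC_AWS_0492 plain HTTP is terminated at an internal proxy
  protocol = "HTTP"
}
'''

if __name__ == "__main__":
    for f in audit_skip_comments(SAMPLE_TF):
        print(f'{f["resource"]} line {f["line"]}: {f["rule"]} -> {f["problem"] or "ok"}')
```

Run it over a module before merging so every suppression can be reviewed with its resource and justification, and so a quoted or legacy id is caught before the scan reports the violation anyway.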

@quietkatalyst
Author

Hi there! Sorry I left this unanswered for so long, I was in the middle of moving. I upgraded to version 1.8.1, gave your changes a shot, and they worked! Thanks so much for the response, I really appreciate it.
