Terraform map variables not being evaluated #1278

Open
haodeon opened this issue May 31, 2022 · 0 comments

Comments


haodeon commented May 31, 2022

  • terrascan version: 1.15.1
  • Operating System: Ubuntu 18.04.1

Description

I am testing the terrascan tool to see whether it works well with our Terraform files. In my testing I find terrascan does not evaluate map variables to determine whether there are policy violations or not. While researching this issue I came across #678, where it demonstrates var.pgsql.encryption setting storage_encrypted to true.

In my testing of this example I find that if you set var.pgsql.encryption to false, terrascan will not detect a violation. In fact, if you set var.pgsql.encryption to anything, it will pass.

What I Did

I used the simple example from issue #678; however, I set "encryption" = false:

provider "aws" {
  region = "us-east-1"
}

variable "pgsql" {
  type = map(any)
  default = {
    "encryption" = false
  }
}

resource "aws_rds_cluster" "yesEncrypted" {
  cluster_identifier = "aurora-cluster-demo"
  engine             = "aurora-mysql"
  engine_version     = "5.7.mysql_aurora.2.03.2"
  availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"]
  database_name      = "mydb"
  storage_encrypted  = var.pgsql.encryption
}

resource "aws_rds_cluster" "noEncrypted" {
  cluster_identifier = "aurora-cluster-demo"
  engine             = "aurora-mysql"
  engine_version     = "5.7.mysql_aurora.2.03.2"
  availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"]
  database_name      = "mydb"
  storage_encrypted  = false
}

Running terrascan -i terraform -t aws --show-passed produces the following output. Note that it doesn't show the passed policy either.

Violation Details -
    
        Description    :        Ensure backup retention period is set for rds cluster
        File           :        main.tf
        Module Name    :        root
        Plan Root      :        ./
        Line           :        35
        Severity       :        MEDIUM
        -----------------------------------------------------------------------

        Description    :        Ensure backup retention period is set for rds cluster
        File           :        main.tf
        Module Name    :        root
        Plan Root      :        ./
        Line           :        44
        Severity       :        MEDIUM
        -----------------------------------------------------------------------

        Description    :        Encrypt Amazon RDS instances and snapshots at rest, by enabling the encryption option for your Amazon RDS DB instance
        File           :        main.tf
        Module Name    :        root
        Plan Root      :        ./
        Line           :        44
        Severity       :        HIGH
        -----------------------------------------------------------------------


Scan Summary -

        File/Folder         :   /workspaces/test
        IaC Type            :   terraform
        Scanned At          :   2022-05-31 02:25:51.636180554 +0000 UTC
        Policies Validated  :   2
        Violated Policies   :   3
        Low                 :   0
        Medium              :   2
        High                :   1

The expected behaviour is for there to be another violation for Encrypt Amazon RDS instances and snapshots at rest, by enabling the encryption option for your Amazon RDS DB instance.

If you comment out the noEncrypted resource, it produces the following output.

Passed Rules -
    
        Rule ID        :        AC_AWS_0186
        Rule Name      :        storageNotEncrypted
        Description    :        Encrypt Amazon RDS instances and snapshots at rest, by enabling the encryption option for your Amazon RDS DB instance
        Severity       :        HIGH
        Category       :        Data Protection

        -----------------------------------------------------------------------


Violation Details -
    
        Description    :        Ensure backup retention period is set for rds cluster
        File           :        main.tf
        Module Name    :        root
        Plan Root      :        ./
        Line           :        35
        Severity       :        MEDIUM
        -----------------------------------------------------------------------


Scan Summary -

        File/Folder         :   /workspaces/test
        IaC Type            :   terraform
        Scanned At          :   2022-05-31 02:29:44.387238469 +0000 UTC
        Policies Validated  :   2
        Violated Policies   :   1
        Low                 :   0
        Medium              :   1
        High                :   0

I have also tried using the lookup function in terraform console to confirm that it should parse correctly.

> lookup(var.pgsql, "encryption")
false
>  
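The practical way around a static HCL scanner that cannot resolve var.pgsql.encryption is to scan the Terraform plan instead: by the time `terraform plan -out=tfplan && terraform show -json tfplan > plan.json` has run, Terraform itself has evaluated every variable, lookup and default, and the plan's `planned_values` carry the concrete value of storage_encrypted for each resource. The check below is an added example written for this discussion, not terrascan's code. It runs the same "storage not encrypted" policy that AC_AWS_0186 enforces over a plan JSON, and also reports, from the plan's `configuration` section, whether each value came from a variable reference or a literal, which is exactly the case the issue shows the HCL scanner missing. The plan document it ships with is constructed by hand to mirror the shape `terraform show -json` emits for the two aws_rds_cluster resources in the issue; the rule id and description are taken from the scan output above, and the function names are this example's own.

```python
"""Policy check over a Terraform plan JSON (the output of `terraform show -json`).

Added example, not part of terrascan. Scanning the plan rather than the HCL means
map-variable references such as var.pgsql.encryption have already been resolved by
Terraform, so the check sees the real value (here: false).
"""
import json
import sys

RULE_ID = "AC_AWS_0186"  # id as printed by terrascan in the issue's --show-passed output
RULE_DESC = ("Encrypt Amazon RDS instances and snapshots at rest, by enabling the "
             "encryption option for your Amazon RDS DB instance")
RDS_TYPES = ("aws_rds_cluster", "aws_db_instance")

# Constructed sample: a trimmed `terraform show -json` document for the issue's
# main.tf, with the default of var.pgsql already applied to "yesEncrypted".
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.0",
    "variables": {"pgsql": {"value": {"encryption": False}}},
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_rds_cluster.yesEncrypted", "type": "aws_rds_cluster",
         "name": "yesEncrypted",
         "values": {"database_name": "mydb", "storage_encrypted": False}},
        {"address": "aws_rds_cluster.noEncrypted", "type": "aws_rds_cluster",
         "name": "noEncrypted",
         "values": {"database_name": "mydb", "storage_encrypted": False}},
    ]}},
    "configuration": {"root_module": {"resources": [
        {"address": "aws_rds_cluster.yesEncrypted", "type": "aws_rds_cluster",
         "expressions": {"storage_encrypted": {"references": ["var.pgsql.encryption",
                                                              "var.pgsql"]}}},
        {"address": "aws_rds_cluster.noEncrypted", "type": "aws_rds_cluster",
         "expressions": {"storage_encrypted": {"constant_value": False}}},
    ]}},
})


def iter_planned_resources(module):
    """Yield every planned resource in a module and, recursively, its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_planned_resources(child)


def expression_source(plan, address, attribute):
    """Describe where an attribute's value came from, using the plan's configuration
    section: a variable/resource reference, a literal, or not set at all."""
    for res in plan.get("configuration", {}).get("root_module", {}).get("resources", []):
        if res.get("address") != address:
            continue
        expr = res.get("expressions", {}).get(attribute)
        if expr is None:
            return "unset"
        if "references" in expr:
            return "reference:" + expr["references"][0]
        return "constant:" + json.dumps(expr.get("constant_value"))
    return "unknown"


def storage_encrypted_violations(plan_json):
    """Return one violation dict per RDS cluster/instance whose planned
    storage_encrypted is not literally true.  A missing or null value means the
    value is computed at apply time, which is flagged too rather than assumed safe."""
    plan = json.loads(plan_json)
    violations = []
    for res in iter_planned_resources(plan["planned_values"]["root_module"]):
        if res.get("type") not in RDS_TYPES:
            continue
        value = res.get("values", {}).get("storage_encrypted")
        if value is True:
            continue
        violations.append({
            "rule_id": RULE_ID,
            "description": RULE_DESC,
            "address": res["address"],
            "planned_value": value,
            "source": expression_source(plan, res["address"], "storage_encrypted"),
        })
    return violations


if __name__ == "__main__":
    # Usage: python plan_check.py plan.json   (falls back to the constructed sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN_JSON
    found = storage_encrypted_violations(data)
    for v in found:
        print(f"{v['rule_id']} {v['address']}: storage_encrypted={v['planned_value']} "
              f"({v['source']})")
    sys.exit(1 if found else 0)
```

Against the constructed plan the check reports both clusters, including yesEncrypted whose value arrives through `var.pgsql.encryption`, which is the violation missing from the terrascan output above. The same idea applies to the tool itself: terrascan accepts plan JSON through its tfplan IaC type, so feeding it `terraform show -json` output rather than raw HCL sidesteps the variable-evaluation gap in a CI pipeline until the HCL path is fixed.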