Checkmarx / kics

Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
https://kics.io
Apache License 2.0

Update "Resource Not Using Tags" query for Terraform (AWS) #5056

Open codymaust opened 2 years ago

codymaust commented 2 years ago

Platform

Terraform

Provider

AWS

Description

The "Resource Not Using Tags" query is returning a false-positive when tags are being set to a variable.

Example #1

Resource Not Using Tags, Severity: INFO, Results: 17
Description: AWS services resource tags are an essential part of managing components
Platform: Terraform

    [1]: lambda-pipeline/2-sub-modules/codepipeline/main.tf:120

        119:   force_destroy = true
        120:   tags          = var.tags
        121: }

Example #2224

    [7]: lambda/2-sub-modules/s3/main.tf:5

        004:
        005:   tags = merge(
        006:     var.tags,

I've even gone and manually checked the resources to make sure that the tags are being applied as expected, and they are.

Thanks!

codymaust commented 2 years ago

looks like maybe a duplicate of issue 4833

rafaela-soares commented 2 years ago

Hello, @codymaust!

Thank you so much for contacting us!

Can you give us more details, please? Can you show us how the tags are defined? And show us the payload, please?

It would help to understand what is happening (KICS supports Terraform vars, so maybe we are missing some edge case)

jycamier commented 2 years ago

@codymaust locals aren’t parsed but variables are

liorj-orca commented 2 years ago

Hi @rafaela-soares, I think I'll be able to assist with replicating the issue as I stumbled on the same thing. Let's say this is your terraform file:

```hcl
data "aws_ami" "ubuntu" {
  most_recent = true

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  owners = ["099720109477"] # Canonical
}

variable "additional_tags" {
  default     = {}
  description = "Additional resource tags"
  type        = map(string)
}

resource "aws_instance" "web" {
  ami           = data.aws_ami.ubuntu.id
  instance_type = "t3.micro"
  tags = merge(
    var.additional_tags,
    { Name = "blabla" },
  )
}
```

I'm getting this:

    Resource Not Using Tags, Severity: INFO, Results: 1
    Description: AWS services resource tags are an essential part of managing components
    Platform: Terraform

    [1]: ../../path/ec2-lior.tf:26

        025:   instance_type = "t3.micro"
        026:   tags = merge(
        027:     var.additional_tags,

when clearly I have configured tags, I just merged 2 maps

rafaela-soares commented 2 years ago

Hello, @liorj-orca!

Thank you so much for your input on this issue!

In your example, it is returning a result because there are no tags defined other than 'Name' [KICS query source code]. If you create the JSON report, you can see the expected value and the actual value (by adding -o results to your scan, for example):

[screenshot: JSON report showing the expected and actual values for the query]

If you add another tag other than "Name", the query will not return a result:

```hcl
data "aws_ami" "ubuntu" {
  most_recent = true

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  owners = ["099720109477"] # Canonical
}

variable "additional_tags" {
  default     = {}
  description = "Additional resource tags"
  type        = map(string)
}

resource "aws_instance" "web" {
  ami           = data.aws_ami.ubuntu.id
  instance_type = "t3.micro"
  tags = merge(
    var.additional_tags,
    {
      Name    = "blabla",
      Project = "my-proj",
    },
  )
}
```

We definitely should improve the query description to avoid misunderstandings and also the actual value of this policy. PR #5483 improves it.

Once again, thank you so much!

rafaela-soares commented 2 years ago

@codymaust, can you confirm if your case is related to the above, please?

v-rosa commented 1 year ago

@rafaela-soares When creating TF modules, did the team consider the use case when tags are propagated via provider? e.g.

```hcl
provider "aws" {
  region = "us-east-1"
  default_tags {
    tags = ...
  }
}
```

kevindashton commented 7 months ago

> @rafaela-soares When creating TF modules, did the team consider the use case when tags are propagated via provider? e.g.
>
> ```hcl
> provider "aws" {
>   region = "us-east-1"
>   default_tags {
>     tags = ...
>   }
> }
> ```

We're getting false-positives in the above case as well: all of our tags except "Name" are set via the aws provider's default_tags {} block.

jycamier commented 7 months ago

> @rafaela-soares When creating TF modules, did the team consider the use case when tags are propagated via provider? e.g.
>
> ```hcl
> provider "aws" {
>   region = "us-east-1"
>   default_tags {
>     tags = ...
>   }
> }
> ```
>
> We're getting false-positives in the above case as well: all of our tags except "Name" are set via the aws provider's default_tags {} block.

What is the query you speak about?

The Name isn't checked in the Resource Not Using Tags from the terraform provider, and the default_tags is considered by the rule assets/queries/terraform/aws/resource_not_using_tags:

https://github.com/Checkmarx/kics/blob/065c1326afd25fa22f2b059a34f713332ae25502/assets/queries/terraform/aws/resource_not_using_tags/query.rego#L47-L53
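As an added example (not KICS's Rego query and not posted by anyone in this thread), the Python below models the behaviour the maintainers describe: the query reports a resource only when its effective tags contain nothing other than Name, with variable defaults resolved and merge() evaluated. It assumes, following jycamier's comment, that provider default_tags count and sit underneath the resource's own tags; the input shape (dicts, "var.<name>" strings and ("merge", [...]) tuples) is a simplification chosen for this example, not how KICS represents Terraform.

```python
# Added example, not KICS's own Rego: a model of the "Resource Not Using Tags"
# behaviour described in this thread. Assumed input shape: a tag expression is a
# literal dict, a "var.<name>" reference resolved against variable defaults, or
# ("merge", [exprs]) with HCL's later-map-wins semantics; provider default_tags
# are assumed to sit underneath the resource's own tags, as jycamier describes.
from typing import Any, Dict, List, Optional, Tuple

TagExpr = Any  # dict | "var.<name>" | ("merge", [TagExpr, ...]) | None


def resolve_tags(expr: TagExpr, variables: Dict[str, dict]) -> Dict[str, str]:
    """Evaluate a tags expression to a flat map of tag keys to values."""
    if expr is None:
        return {}
    if isinstance(expr, dict):
        return dict(expr)
    if isinstance(expr, str) and expr.startswith("var."):
        return dict(variables.get(expr[4:], {}))  # unset var or default = {} adds nothing
    if isinstance(expr, tuple) and expr[0] == "merge":
        merged: Dict[str, str] = {}
        for part in expr[1]:
            merged.update(resolve_tags(part, variables))  # later arguments win
        return merged
    raise ValueError(f"unsupported tags expression: {expr!r}")


def resource_not_using_tags(tags_expr: TagExpr, variables: Dict[str, dict],
                            provider_default_tags: Optional[dict] = None) -> bool:
    """True means the query would report the resource: nothing but 'Name' is set."""
    effective = dict(provider_default_tags or {})
    effective.update(resolve_tags(tags_expr, variables))
    return not (set(effective) - {"Name"})


# Constructed inputs mirroring the cases reported in the thread.
VARIABLES = {"additional_tags": {}, "tags": {"Owner": "platform"}}
LIOR_TAGS = ("merge", ["var.additional_tags", {"Name": "blabla"}])
FIXED_TAGS = ("merge", ["var.additional_tags", {"Name": "blabla", "Project": "my-proj"}])


def thread_cases() -> List[Tuple[str, bool]]:
    """Each reported case with the verdict; True = finding expected."""
    return [
        ("merge of empty var and Name only", resource_not_using_tags(LIOR_TAGS, VARIABLES)),
        ("Project tag added", resource_not_using_tags(FIXED_TAGS, VARIABLES)),
        ("tags = var.tags, non-empty default", resource_not_using_tags("var.tags", VARIABLES)),
        ("Name only, rest via provider default_tags",
         resource_not_using_tags({"Name": "web"}, VARIABLES, {"Environment": "prod"})),
    ]
```

Only the first case (an empty variable default merged with a Name-only map) is reported, which is exactly the finding liorj-orca saw; a variable with a non-empty default or a non-Name key in default_tags clears it.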