Open ronaldoalvescosta opened 3 years ago
```shell
terraform show -json tfplan > plan.json
```

Relevant resource change from `plan.json`:

```json
{
  "address": "module.s3_bucket.aws_s3_bucket_policy.this[0]",
  "module_address": "module.s3_bucket",
  "mode": "managed",
  "type": "aws_s3_bucket_policy",
  "name": "this",
  "index": 0,
  "provider_name": "registry.terraform.io/hashicorp/aws",
  "change": {
    "actions": [
      "no-op"
    ],
    "before": {
      "bucket": "my-sandbox1-teste3",
      "id": "my-sandbox1-teste3",
      "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"denyInsecureTransport\",\"Effect\":\"Deny\",\"Principal\":\"*\",\"Action\":\"s3:*\",\"Resource\":[\"arn:aws:s3:::my-sandbox1-teste3/*\",\"arn:aws:s3:::my-sandbox1-teste3\"],\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}}}]}"
    },
    "after": {
      "bucket": "my-sandbox1-teste3",
      "id": "my-sandbox1-teste3",
      "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"denyInsecureTransport\",\"Effect\":\"Deny\",\"Principal\":\"*\",\"Action\":\"s3:*\",\"Resource\":[\"arn:aws:s3:::my-sandbox1-teste3/*\",\"arn:aws:s3:::my-sandbox1-teste3\"],\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}}}]}"
    },
    "after_unknown": {},
    "before_sensitive": {},
    "after_sensitive": {}
  }
}
```
```shell
regula run plan.json
```

Output:

```
FG_R00100: S3 bucket policies should only allow requests that use HTTPS [Medium] https://docs.fugue.co/FG_R00100.html
                in plan.json
```

Applied bucket policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "denyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-sandbox1-teste3/*",
        "arn:aws:s3:::my-sandbox1-teste3"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```
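To make the false positive concrete, the following added example (not part of the issue, and not Regula's own Rego rule) walks a `terraform show -json` plan, pulls the `aws_s3_bucket_policy` resources out of `resource_changes`, parses the policy string and checks whether it contains a `Deny` statement that matches what the FG_R00100 title asks for: principal `*`, all S3 actions, both bucket ARNs, and `aws:SecureTransport` equal to `false`. The first resource in the constructed plan copies the policy shown above and should pass; the second resource, its `example-bucket` name and its account-scoped allow policy are made up for contrast and should fail. The check is a simplified reading of the rule's intent, not a reproduction of Regula's implementation.

```python
import json

# Policy copied from the plan quoted above: it denies every S3 action
# to everyone when the request did not use TLS.
DENY_INSECURE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "denyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::my-sandbox1-teste3/*",
                     "arn:aws:s3:::my-sandbox1-teste3"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}

# Constructed contrast case: an allow for one role, no TLS condition at all.
ACCOUNT_SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

# Constructed plan, reduced to the fields the check needs. Terraform stores
# the policy as a JSON string inside the plan JSON, hence json.dumps here.
SAMPLE_PLAN = {
    "format_version": "1.0",
    "resource_changes": [
        {
            "address": "module.s3_bucket.aws_s3_bucket_policy.this[0]",
            "type": "aws_s3_bucket_policy",
            "change": {"actions": ["no-op"],
                       "after": {"bucket": "my-sandbox1-teste3",
                                 "policy": json.dumps(DENY_INSECURE_POLICY)}},
        },
        {
            "address": "aws_s3_bucket_policy.account_scoped",
            "type": "aws_s3_bucket_policy",
            "change": {"actions": ["create"],
                       "after": {"bucket": "example-bucket",
                                 "policy": json.dumps(ACCOUNT_SCOPED_POLICY)}},
        },
    ],
}


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _covers_all_s3_actions(action):
    return any(a in ("*", "s3:*") for a in _as_list(action))


def _covers_bucket(resource, bucket):
    arns = set(_as_list(resource))
    if "*" in arns:
        return True
    return {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"} <= arns


def _condition_requires_tls(condition):
    # The condition value may be the string "false" or a JSON boolean.
    value = (condition or {}).get("Bool", {}).get("aws:SecureTransport")
    return str(value).lower() == "false"


def policy_denies_insecure_transport(policy, bucket):
    """True if some statement denies all S3 access over plain HTTP."""
    for stmt in _as_list(policy.get("Statement", [])):
        if (stmt.get("Effect") == "Deny"
                and _principal_is_everyone(stmt.get("Principal"))
                and _covers_all_s3_actions(stmt.get("Action"))
                and _covers_bucket(stmt.get("Resource"), bucket)
                and _condition_requires_tls(stmt.get("Condition"))):
            return True
    return False


def audit_plan(plan):
    """Map each surviving aws_s3_bucket_policy address to True/False/None."""
    results = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_s3_bucket_policy":
            continue
        change = rc["change"]
        if "delete" in change["actions"]:
            continue  # nothing will exist after apply
        after = change.get("after") or {}
        policy_str = after.get("policy")
        if policy_str is None:
            results[rc["address"]] = None  # computed at apply time
            continue
        results[rc["address"]] = policy_denies_insecure_transport(
            json.loads(policy_str), after["bucket"])
    return results


if __name__ == "__main__":
    for address, ok in audit_plan(SAMPLE_PLAN).items():
        print(f"{'PASS' if ok else 'FAIL'} {address}")
```

A `None` result marks a policy that is still unknown in the plan (for example one built from an attribute computed at apply time); a scanner has to decide whether to treat that as a finding or re-run after apply, which is a separate question from the false positive reported here.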
Hi @ronaldoalvescosta, thanks for opening this issue!

It looks like we're having trouble evaluating the HCL code inside this module. I took some time to try and reproduce this issue.

I was able to reproduce the FG_R00100 (https only) issue using this file:

```hcl
module "s3-bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "2.9.0"

  bucket = var.res_bucket_name

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true

  attach_deny_insecure_transport_policy = true
}
```

However, I could not reproduce the issue around FG_R00229 (block public access), except if I cloned the submodule and referred to it locally using `source = ./terraform-aws-s3-bucket`. In this case, however, using a `terraform init` fixed that. Could you confirm that you are still seeing the FG_R00229 issue after running a `terraform init`? This is necessary since Regula won't download remote HCL code; `terraform init` does that for us.

In either case, thanks for sharing the code and including the details in a way that makes it easy to try for me, and I'll create a ticket internally to look into and fix these two issues.
Hello! I'm getting only FG_R00100 now.
Hello! Regula is reporting problems that do not exist when using TF modules:

`regula run`:

```
FG_R00229: S3 buckets should have all "block public access" options enabled [High] https://docs.fugue.co/FG_R00229.html
FG_R00100: S3 bucket policies should only allow requests that use HTTPS [Medium] https://docs.fugue.co/FG_R00100.html
```