fugue / regula

Regula checks infrastructure as code templates (Terraform, CloudFormation, k8s manifests) for AWS, Azure, Google Cloud, and Kubernetes security and compliance using Open Policy Agent/Rego
https://regula.dev/
Apache License 2.0

[Question] How can we access resources property from resource_changes section in terraform plan json ? #340

Open ninjaSec7 opened 2 years ago

ninjaSec7 commented 2 years ago

Describe the bug
For some resources, some input values in the plan come back as (known after apply). In all those cases we fail some of the checks, and in those cases we wanted to grab those details from the resource_changes section of the plan output. How can that be achieved?

I was trying to take the after_unknown values from the Terraform JSON plan but was not able to get those resources. I was trying the commands below:

package rules.has_transport_encryption  # package clause added here (name assumed): every Rego file needs one

import data.fugue
import input as tfplan

has_transport_encryption {
  # the line below fails the policy; it seems it is not able to get resource_changes
  tfplan.resource_changes[0].change.after_unknown.transit_encryption_enabled
}

Sometimes in our tfplan.json we have some values in after_unknown, which falls under the resource_changes key; as a result Regula sometimes gives false positive results as well.

So I need a way or a workaround to look into resource_changes of tfplan.json so that we can grab the after_unknown values as well and write custom policies too.

One such policy I was trying to modify is below, but it always passes no matter what the tfplan looks like. Kindly help 🙇

package rules.tf_aws_elasticache_encryption

import data.fugue

__rego__metadoc__ := {
  "custom": {
    "controls": {},
    "severity": "Medium"
  },
  "description": "ElastiCache transport encryption should be enabled. In-transit encryption should be enabled for ElastiCache replication groups. Encryption protects data from unauthorized access when it is moved from one location to another, such as from a primary node to a read replica mode in a replication group or between a replication group and application.",
  "id": "FG_R00105",
  "title": "ElastiCache transport encryption should be enabled"
}

# True when the planned value is known and enabled ...
is_after(repgroup) {
  repgroup.change.after.transit_encryption_enabled
}

# ... or when the value is only known after apply (listed under after_unknown).
# Note that this branch counts an unknown value as a pass, so "unknown" and
# "enabled" cannot be told apart by this rule.
is_after(repgroup) {
  repgroup.change.after_unknown.transit_encryption_enabled
}

valid_resource(resource) {
  resource > 0
}

# With a single resource type set here, Regula evaluates the rule once per
# matching resource and `input` is that resource, not the whole plan, so
# `input.resource_changes` below is undefined and `deny` keeps its default.
resource_type := "aws_elasticache_replication_group"

default deny = false

deny {
  # every planned change for the replication-group type
  resources := [r | r := input.resource_changes[_]; r.type == "aws_elasticache_replication_group"]
  count(resources) > 0
  # the ones where encryption is enabled or known after apply
  repgroup := [res | res := resources[_]; is_after(res)]
  # deny when at least one group has neither
  missing_resource := count(resources) - count(repgroup)
  valid_resource(missing_resource)
}
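The rule above cannot tell "transit encryption enabled" apart from "value known after apply", because is_after matches both. The following is an added example, not code from this issue or from the Regula project: a small Python evaluator over the raw plan JSON (the shape written by terraform show -json) that classifies transit_encryption_enabled for every replication group as enabled, disabled, unknown (listed under after_unknown) or deleted, and reports unknowns separately instead of folding them into pass or fail. The plan document is constructed for the example, and the function and constant names are the example's own.

```python
import json

# Constructed sample of the resource_changes section of a `terraform show -json` plan:
# one group with encryption known on, one known off, one whose value is only known
# after apply (present under after_unknown, absent from after), one planned delete
# (after is null), and an unrelated resource that must be ignored.
SAMPLE_PLAN = json.loads(r"""
{
  "format_version": "1.1",
  "resource_changes": [
    {"address": "aws_elasticache_replication_group.known_on",
     "type": "aws_elasticache_replication_group",
     "change": {"actions": ["create"],
                "after": {"replication_group_id": "rg-on", "transit_encryption_enabled": true},
                "after_unknown": {"arn": true, "id": true}}},
    {"address": "aws_elasticache_replication_group.known_off",
     "type": "aws_elasticache_replication_group",
     "change": {"actions": ["create"],
                "after": {"replication_group_id": "rg-off", "transit_encryption_enabled": false},
                "after_unknown": {"arn": true}}},
    {"address": "aws_elasticache_replication_group.computed",
     "type": "aws_elasticache_replication_group",
     "change": {"actions": ["create"],
                "after": {"replication_group_id": "rg-computed"},
                "after_unknown": {"arn": true, "transit_encryption_enabled": true}}},
    {"address": "aws_elasticache_replication_group.old",
     "type": "aws_elasticache_replication_group",
     "change": {"actions": ["delete"],
                "before": {"replication_group_id": "rg-old", "transit_encryption_enabled": false},
                "after": null,
                "after_unknown": {}}},
    {"address": "aws_s3_bucket.logs",
     "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"bucket": "logs"}, "after_unknown": {}}}
  ]
}
""")

ENABLED, DISABLED, UNKNOWN, DELETED = "enabled", "disabled", "unknown", "deleted"


def attribute_state(change, attr):
    """Classify one attribute of a resource_changes entry.

    after_unknown lists attributes whose value is not decided until apply: the key
    maps to true there and is missing from `after`. A planned delete has after == null,
    so there is no post-apply value to check at all.
    """
    if "delete" in change.get("actions", []) and change.get("after") is None:
        return DELETED
    if change.get("after_unknown", {}).get(attr) is True:
        return UNKNOWN
    after = change.get("after") or {}
    return ENABLED if after.get(attr) is True else DISABLED


def classify_transit_encryption(plan, resource_type="aws_elasticache_replication_group",
                                attr="transit_encryption_enabled"):
    """Map each resource address of the given type to its attribute state."""
    return {rc["address"]: attribute_state(rc["change"], attr)
            for rc in plan.get("resource_changes", [])
            if rc.get("type") == resource_type}


def findings(plan):
    """Return (fail, needs_review).

    fail: encryption is known to be off. needs_review: the value is only known after
    apply. Counting UNKNOWN as a pass hides the second list; counting it as a fail
    produces the false positives described in the issue, so it is reported on its own.
    """
    states = classify_transit_encryption(plan)
    fail = sorted(a for a, s in states.items() if s == DISABLED)
    review = sorted(a for a, s in states.items() if s == UNKNOWN)
    return fail, review


if __name__ == "__main__":
    fail, review = findings(SAMPLE_PLAN)
    print("FAIL   (transit encryption off):", fail)
    print("REVIEW (known after apply):     ", review)
```

To run it against a real plan, replace SAMPLE_PLAN with json.load(open("tfplan.json")); the only structure relied on is resource_changes[].change.after / after_unknown / actions.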
Muhammada3178 commented 2 years ago

I'm not a rep from Fugue, but I was able to access resource changes by first importing data.fugue and then using fugue.plan.resource_changes to access the changes. Here's a snippet of a rule which returns a set with all resource changes that have the delete action:

package rules.delete_action_example  # package clause added here (name assumed)

import data.fugue
# The `in` keyword below is a future keyword on the OPA versions Regula bundles;
# without this import the parser stops with "unexpected ident token: expected \n or ; or }".
import future.keywords.in

resource_changes_with_delete_action = delete_resource_changes {
  resource_changes = fugue.plan.resource_changes
  delete_resource_changes = { resource_change | resource_change := resource_changes[_]; "delete" in resource_change.change.actions }
}
ninjaSec7 commented 2 years ago

@Muhammada3178 it gave me the error: unexpected ident token: expected \n or ; or }