Regula checks infrastructure as code templates (Terraform, CloudFormation, k8s manifests) for AWS, Azure, Google Cloud, and Kubernetes security and compliance using Open Policy Agent/Rego
Describe the bug
Regula does not follow a nested aws_iam_policy_document that is referenced from another aws_iam_policy_document, because it ignores the source_policy_documents attribute in both HCL and plan input.
How you're running Regula
Regula v2.9.3
OPA v0.43.1
Operating System
OS X
Steps to reproduce
A policy statement that satisfies a Regula rule such as FG_R00100, defined in a data.aws_iam_policy_document resource that is referenced from another data.aws_iam_policy_document via its source_policy_documents attribute, is not scanned. As a result the scan reports a false positive, since the policy definition that satisfies FG_R00100 is never evaluated.
IaC Configuration
data "aws_iam_policy_document" "encryption_in_transit" {
  statement {
    sid     = "TLSEnforcement"
    actions = ["s3:*"]
    effect  = "Deny"
    resources = [
      "arn:aws:s3:::${aws_s3_bucket.this.id}/*",
      "arn:aws:s3:::${aws_s3_bucket.this.id}"
    ]
    # condition values are list(string); quote them rather than relying on implicit conversion
    condition {
      test     = "Bool"
      values   = ["false"]
      variable = "aws:SecureTransport"
    }
    condition {
      test     = "NumericLessThan"
      values   = ["1.2"]
      variable = "s3:TlsVersion"
    }
    principals {
      type        = "*"
      identifiers = ["*"]
    }
  }
}

data "aws_iam_policy_document" "combine_policy" {
  source_policy_documents = [
    data.aws_iam_policy_document.encryption_in_transit.json # source_policy_documents is ignored, so this document is never scanned
  ]
  ...
}

resource "aws_s3_bucket_policy" "default" {
  bucket = aws_s3_bucket.this.id
  policy = data.aws_iam_policy_document.combine_policy.json
}

resource "aws_s3_bucket" "this" {
  bucket = "test-bucket"
}