fugue / regula

Regula checks infrastructure as code templates (Terraform, CloudFormation, k8s manifests) for AWS, Azure, Google Cloud, and Kubernetes security and compliance using Open Policy Agent/Rego
https://regula.dev/
Apache License 2.0

Allow s3 logging from aws_s3_bucket_logging #421

Open pguinard-public-com opened 5 months ago

pguinard-public-com commented 5 months ago

Fixes https://github.com/fugue/regula/issues/374

Sample from that pull request which also matches the code we have provided in tests:

Fixed behavior:

$ cat test.tf
resource "aws_s3_bucket" "bucket_new_syntax" {
  bucket = "bucket_new_syntax"
}

resource "aws_s3_bucket_logging" "bucket_new_syntax" {
  bucket = aws_s3_bucket.bucket_new_syntax.id

  target_bucket = aws_s3_bucket.logbucket.id
  target_prefix = "log/"
}

$ regula run --include $HOME/git/regula/rego/rules/tf/aws/s3/bucket_access_logging.rego --no-built-ins

No problems found. Good going.

Original behavior:

$ cat test.tf
resource "aws_s3_bucket" "bucket_new_syntax" {
  bucket = "bucket_new_syntax"
}

$ regula run --include $HOME/git/regula/rego/rules/tf/aws/s3/bucket_access_logging.rego --no-built-ins

FG_R00274: S3 bucket access logging should be enabled [Medium]
           https://docs.fugue.co/FG_R00274.html

  [1]: aws_s3_bucket.bucket_new_syntax
       in test.tf:1:1

Found one problem.
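A Rego rule that accepts either way of configuring access logging, as an added illustration of the check this PR describes; it is not the code merged in #421. It uses Regula's `fugue.resources`, `fugue.allow_resource` and `fugue.deny_resource` library helpers and assumes Regula resolves the reference `aws_s3_bucket.x.id` to the referenced bucket's resource id, so `cfg.bucket` and `bucket.id` compare equal.

```rego
# Added illustration only; not the rule shipped by Regula.
package rules.tf_aws_s3_bucket_access_logging_example

import data.fugue

__rego__metadoc__ := {
  "id": "FG_R00274",
  "title": "S3 bucket access logging should be enabled",
  "description": "Logging may be set inline on aws_s3_bucket or via aws_s3_bucket_logging.",
  "custom": {"severity": "Medium"},
}

# A MULTIPLE rule sees every resource in the template, which is what lets it
# correlate a bucket with a separate logging resource that points at it.
resource_type := "MULTIPLE"

buckets := fugue.resources("aws_s3_bucket")

logging_resources := fugue.resources("aws_s3_bucket_logging")

# Old syntax: a `logging` block nested inside the bucket resource.
logging_enabled(bucket) {
  bucket.logging[_].target_bucket != ""
}

# New syntax (the case this PR adds): a standalone aws_s3_bucket_logging
# resource whose `bucket` attribute references this bucket.
# Assumption: the reference resolves to the bucket's resource id.
logging_enabled(bucket) {
  cfg := logging_resources[_]
  cfg.bucket == bucket.id
  cfg.target_bucket != ""
}

# Buckets with logging configured either way pass.
policy[j] {
  bucket := buckets[_]
  logging_enabled(bucket)
  j = fugue.allow_resource(bucket)
}

# Buckets with neither form of logging are reported, as in the
# "Original behavior" output above.
policy[j] {
  bucket := buckets[_]
  not logging_enabled(bucket)
  j = fugue.deny_resource(bucket)
}
```

With this rule, the two-resource `test.tf` from "Fixed behavior" produces no finding, while the single-resource one from "Original behavior" still yields FG_R00274 for `aws_s3_bucket.bucket_new_syntax`.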