Description
We're using an older third-party version of an EKS module that is throwing a valid policy violation (terraform-aws-modules/eks/aws). However, we're looking to skip that violation for the module while we work on upgrading to the newer version.
Unfortunately, I'm having a difficult time getting terrascan to skip violations that occur within modules.
What I Did
I added the following to the Terraform code:
module "eks" {
  #ts:skip=AC_AWS_0487 skip rule as this is in the module
  source = "terraform-aws-modules/eks/aws"
}
I then attempted to run terrascan with --non-recursive and I still get the error:
❯ terrascan scan --non-recursive --verbose
Violation Details -
Description : Launch configuration uses IMDSv1 which vulnerable to SSRF
File : git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=v17.23.0/workers.tf
Module Name : eks
Plan Root : ./
Line : 204
Severity : HIGH
Rule Name : imdsv1LaunchConfig
Rule ID : AC_AWS_0487
Resource Name : workers
Resource Type : aws_launch_configuration
Category : Configuration and Vulnerability Analysis
-----------------------------------------------------------------------
I can run terrascan with --skip-rules="AC_AWS_0487", but we run terrascan within our GitHub Action checks, where we have a lot of internal Terraform modules we've written, that are independent of each other. Due to this, I would prefer we didn't have to disable this violation for the whole repo, just this particular resource.
Is there a way I can skip a violation that occurs within a module? I thought --non-recursive would do this, but that doesn't appear to be the case.
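One workaround for the situation described above, scoping a suppression to a rule inside one module without disabling it for the whole repo, is to post-filter terrascan's JSON report in the CI step instead of relying on the in-file skip comment. The following is an added example and is not code from the post or from the terrascan project. It assumes terrascan's JSON output (terrascan scan -o json) carries violations under results.violations with the same field names as the human-readable output quoted above (rule_id, module_name, resource_name, severity), that the scan_summary counters are named violated_policies, high, medium and low where present, and that exit status 3 is terrascan's "violations found" convention; the sample report is constructed from the violation shown in the post plus a second, hypothetical "bastion" module.

```python
"""Suppress selected terrascan violations after the scan, scoped to a module.

Reads a terrascan JSON report on stdin, drops violations matching an
allowlist entry (rule_id + module_name, optionally resource_name), writes
the trimmed report to stdout and exits 3 if any violations remain.
Assumed report shape: {"results": {"violations": [...], "scan_summary": {...}}}.
"""
import json
import sys

# Allowlist: only AC_AWS_0487 raised by the "workers" resource inside the
# "eks" module is suppressed. The same rule anywhere else still fails the job.
ALLOWLIST = [
    {"rule_id": "AC_AWS_0487", "module_name": "eks", "resource_name": "workers"},
]

# Assumed scan_summary counter names, adjusted only when present.
SEVERITY_KEYS = {"HIGH": "high", "MEDIUM": "medium", "LOW": "low"}

# Constructed sample report (not real terrascan output): the post's finding
# plus a second finding for the same rule in a hypothetical "bastion" module.
SAMPLE_REPORT = {
    "results": {
        "violations": [
            {
                "rule_name": "imdsv1LaunchConfig",
                "description": "Launch configuration uses IMDSv1 which vulnerable to SSRF",
                "rule_id": "AC_AWS_0487",
                "severity": "HIGH",
                "category": "Configuration and Vulnerability Analysis",
                "resource_name": "workers",
                "resource_type": "aws_launch_configuration",
                "module_name": "eks",
                "file": "git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=v17.23.0/workers.tf",
                "plan_root": "./",
                "line": 204,
            },
            {
                "rule_name": "imdsv1LaunchConfig",
                "description": "Launch configuration uses IMDSv1 which vulnerable to SSRF",
                "rule_id": "AC_AWS_0487",
                "severity": "HIGH",
                "category": "Configuration and Vulnerability Analysis",
                "resource_name": "bastion",
                "resource_type": "aws_launch_configuration",
                "module_name": "bastion",
                "file": "modules/bastion/main.tf",
                "plan_root": "./",
                "line": 12,
            },
        ],
        "scan_summary": {"violated_policies": 2, "high": 2, "medium": 0, "low": 0},
    }
}


def matches(violation, entry):
    """True when every key named in the allowlist entry equals the violation's value."""
    return all(violation.get(key) == value for key, value in entry.items())


def suppress(report, allowlist=ALLOWLIST):
    """Return (trimmed_report, number_of_suppressed_violations).

    The input report is not mutated; summary counters are decremented per
    suppressed finding so the numbers stay consistent with the remaining list.
    """
    results = report.get("results", {})
    kept, dropped = [], []
    for violation in results.get("violations", []):
        target = dropped if any(matches(violation, e) for e in allowlist) else kept
        target.append(violation)

    trimmed = dict(report)
    trimmed["results"] = dict(results)
    trimmed["results"]["violations"] = kept

    summary = dict(results.get("scan_summary", {}))
    if "violated_policies" in summary:
        summary["violated_policies"] = len(kept)
    for violation in dropped:
        key = SEVERITY_KEYS.get(str(violation.get("severity", "")).upper())
        if key in summary and summary[key] > 0:
            summary[key] -= 1
    if summary:
        trimmed["results"]["scan_summary"] = summary
    return trimmed, len(dropped)


def main():
    report = json.load(sys.stdin)
    trimmed, suppressed = suppress(report)
    json.dump(trimmed, sys.stdout, indent=2)
    print(f"\n{suppressed} violation(s) suppressed by allowlist", file=sys.stderr)
    # Exit 3 mirrors terrascan's own "violations found" status (assumed).
    sys.exit(3 if trimmed["results"]["violations"] else 0)


if __name__ == "__main__":
    main()
```

In the GitHub Action step this runs as `terrascan scan -o json | python3 suppress.py` (terrascan's own exit code is ignored by the pipe; the filter's exit status is what the step sees). The allowlist matches on module_name and resource_name, so the second finding for the same rule in the constructed "bastion" module is still reported, which is the scoping the post asks for and that --skip-rules cannot provide on its own.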