Open wesleykirklandsg opened 2 years ago
Hi @wesleykirklandsg
Thank you for bringing this to our attention. Would you like to take this issue and send a corresponding PR?
@gaurav-gogia I'm unable to do that due to a lack of OPA knowledge. I looked at some samples and could not determine how to do OR logic in this statement. If there is a link/sample I can take another stab at it.
Description
The following rule provides false negatives. https://github.com/tenable/terrascan/blob/master/pkg/runtime/testdata/testpolicies/aws_cloudfront_distribution/cloudfrontNoSecureCiphers.rego#L7
Terrascan outputs the following rule
What I Did
All code is from here - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#minimum_protocol_version
Mock TF Code - This passes
Mock TF Code - This does not pass, it's
What is happening is the rule seems to be a false negative and states that it's insecure when a custom certificate is specified. The rule should check like so
cloudfront_default_certificate = true OR acm_certificate_arn OR iam_certificate_id.
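One way to write the OR logic asked about above, as an added example that is not the linked Terrascan rule nor any code from the project: in Rego there is no `or` operator inside a rule body; instead the same rule is defined several times, and it is true when any of its bodies succeeds. The package name, the `input.aws_cloudfront_distribution[_].config.viewer_certificate` input shape, the set of weak protocol versions and the sample input are all assumptions made for this example, not Terrascan's actual converter output. It uses the classic (pre-OPA 1.0) syntax found in Terrascan's own policies.

```rego
package cloudfront_tls_example

# Assumed input shape (constructed for this example, not Terrascan's real output):
#   input.aws_cloudfront_distribution is a list of {"id": ..., "config": {"viewer_certificate": [ {...} ]}}

# OR logic in Rego: a rule with several bodies is true when any body is true.
# custom_cert(vc) holds when an ACM certificate OR an IAM certificate is referenced.
custom_cert(vc) {
    vc.acm_certificate_arn != ""
}

custom_cert(vc) {
    vc.iam_certificate_id != ""
}

# minimum_protocol_version values that still allow TLS 1.0 / 1.1 to be negotiated
# (assumed list for this example, based on the AWS provider documentation values).
weak_protocol := {"TLSv1", "TLSv1_2016", "TLSv1.1_2016"}

# Finding 1: the default CloudFront certificate cannot use a minimum above TLSv1.
insecure[dist.id] {
    dist := input.aws_cloudfront_distribution[_]
    vc := dist.config.viewer_certificate[_]
    vc.cloudfront_default_certificate == true
}

# Finding 2: a custom certificate with an explicitly weak minimum_protocol_version.
insecure[dist.id] {
    dist := input.aws_cloudfront_distribution[_]
    vc := dist.config.viewer_certificate[_]
    custom_cert(vc)
    weak_protocol[vc.minimum_protocol_version]
}

# Finding 3: a custom certificate with no minimum_protocol_version at all
# (the provider default is TLSv1, so an absent value is treated as weak).
insecure[dist.id] {
    dist := input.aws_cloudfront_distribution[_]
    vc := dist.config.viewer_certificate[_]
    custom_cert(vc)
    not vc.minimum_protocol_version
}

# A custom certificate with a strong minimum matches none of the bodies above, so it passes.

# Constructed sample input for `opa test`: one default-cert distribution, one ACM
# distribution with a strong minimum, one IAM distribution with a weak minimum.
sample_input := {"aws_cloudfront_distribution": [
    {"id": "default_cert", "config": {"viewer_certificate": [
        {"cloudfront_default_certificate": true}
    ]}},
    {"id": "acm_strong", "config": {"viewer_certificate": [
        {"acm_certificate_arn": "arn:aws:acm:us-east-1:123456789012:certificate/example",
         "ssl_support_method": "sni-only",
         "minimum_protocol_version": "TLSv1.2_2021"}
    ]}},
    {"id": "iam_weak", "config": {"viewer_certificate": [
        {"iam_certificate_id": "ASCAEXAMPLEID",
         "ssl_support_method": "sni-only",
         "minimum_protocol_version": "TLSv1"}
    ]}}
]}

# Only the default-certificate and the weak IAM distributions should be flagged.
test_flags_only_weak_configurations {
    insecure == {"default_cert", "iam_weak"} with input as sample_input
}
```

Run it with `opa test` on the file: the embedded test passes when only `default_cert` and `iam_weak` appear in `insecure`, which is the behaviour the report asks for, since the `acm_strong` distribution no longer trips the check just because a custom certificate is set. In a Terrascan policy the same multi-body pattern would be applied to the policy's own result rule rather than to a standalone `insecure` set.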
Thanks @mattbarlow-sg for finding this and working through it!