tenable / terrascan

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
https://runterrascan.io
Apache License 2.0

Terraform provisioner configuration not available using tfplan iac type #698

Open xortim opened 3 years ago

xortim commented 3 years ago

Description

I noticed that the same properties are not available between the terraform and tfplan options. There's going to be some information unavailable in the tfplan, such as line numbers and source file names. The concerning part is that the resource's provisioner configuration is not available when using the tfplan IaC type. This information is available within the plan file; I believe that the configuration properties would simply need to be merged in when processing the plan file.

What I Did

main.tf

resource "null_resource" "exfiltrate" {
  provisioner "local-exec" {
    command = "cat /etc/passwd"
  }
}

terrascan scan -i terraform --config-only -o json

{
  "null_resource": [
    {
      "id": "null_resource.exfiltrate",
      "name": "exfiltrate",
      "source": "main.tf",
      "line": 1,
      "type": "null_resource",
      "config": {
        "provisioner": [
          {
            "local-exec": {
              "command": "cat /etc/passwd"
            }
          }
        ]
      },
      "skip_rules": null
    }
  ]
}

terrascan scan -i tfplan --config-only -o json -f plan.out.json

{
  "null_resource": [
    {
      "id": "null_resource.exfiltrate",
      "name": "exfiltrate",
      "source": "",
      "line": 0,
      "type": "null_resource",
      "config": {
        "triggers": null
      },
      "skip_rules": null
    }
  ]
}
kanchwala-yusuf commented 3 years ago

Hey @xortim, sorry for picking up this one a little late.

You are right, there are some differences in the way resource configs are created for terraform and tfplan.

In this particular case, terrascan does not have any policies for the provisioner block. So, it does not really matter if the provisioner block is part of the resource config or not.

But, is there a specific use case that you are looking at which requires the resource config to have the provisioner block for tfplan iac type?

xortim commented 3 years ago

@kanchwala-yusuf my use case is indicated in the bug report: Having the ability to detect malicious commands in the provisioner.
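The merge the original report describes (pulling the provisioner block out of the plan file into the per-resource config that `--config-only` emits) and the use case above (flagging provisioner commands) can both be shown in a few lines of Python. This is an added example, not terrascan's code. It assumes the JSON layout that `terraform show -json plan.out` produces: `configuration.root_module.resources[]` entries carry a `provisioners` list with `type` and `expressions`, and `planned_values.root_module.resources[]` entries carry the planned attribute `values`. The plan document embedded below is constructed from the `null_resource` in the report; only the root module is handled.

```python
"""Merge provisioner blocks from Terraform plan JSON into a per-resource
config view (shaped like `terrascan --config-only`), then flag local-exec
provisioners.  Added example, not terrascan's own code."""
import json

# Constructed, trimmed plan JSON for the null_resource in the bug report.
PLAN_JSON = json.dumps({
    "format_version": "1.0",
    "planned_values": {"root_module": {"resources": [{
        "address": "null_resource.exfiltrate",
        "mode": "managed",
        "type": "null_resource",
        "name": "exfiltrate",
        "values": {"triggers": None},
    }]}},
    "configuration": {"root_module": {"resources": [{
        "address": "null_resource.exfiltrate",
        "mode": "managed",
        "type": "null_resource",
        "name": "exfiltrate",
        "provisioners": [{
            "type": "local-exec",
            "expressions": {"command": {"constant_value": "cat /etc/passwd"}},
        }],
    }]}},
})


def _flatten(expr):
    """Reduce a plan `expressions` entry to a plain value.

    Constants arrive as `constant_value`; anything that references other
    objects is kept as its reference list so nothing is guessed."""
    if isinstance(expr, dict):
        if "constant_value" in expr:
            return expr["constant_value"]
        if "references" in expr:
            return {"references": expr["references"]}
        return {k: _flatten(v) for k, v in expr.items()}
    return expr


def load_resources(plan_text):
    """Return {address: resource} with planned values and provisioners merged.

    `source`/`line` are left empty: the plan file does not carry them."""
    plan = json.loads(plan_text)
    root = lambda section: plan.get(section, {}).get("root_module", {}).get("resources", [])
    resources = {}
    for res in root("planned_values"):
        resources[res["address"]] = {
            "id": res["address"], "name": res["name"], "source": "", "line": 0,
            "type": res["type"], "config": dict(res.get("values", {})),
            "skip_rules": None,
        }
    for res in root("configuration"):
        entry = resources.setdefault(res["address"], {
            "id": res["address"], "name": res["name"], "source": "", "line": 0,
            "type": res["type"], "config": {}, "skip_rules": None,
        })
        provisioners = [
            {p["type"]: {k: _flatten(v) for k, v in p.get("expressions", {}).items()}}
            for p in res.get("provisioners", [])
        ]
        if provisioners:  # mirror the `provisioner` list the terraform iac type emits
            entry["config"]["provisioner"] = provisioners
    return resources


def find_local_exec(resources):
    """Return (address, command) for every local-exec provisioner.

    local-exec runs a shell on the machine applying the plan, so a policy can
    start by surfacing every occurrence rather than pattern-matching commands."""
    hits = []
    for address, entry in resources.items():
        for prov in entry["config"].get("provisioner", []):
            if "local-exec" in prov:
                hits.append((address, prov["local-exec"].get("command")))
    return hits


if __name__ == "__main__":
    merged = load_resources(PLAN_JSON)
    print(json.dumps(merged, indent=2))
    for address, command in find_local_exec(merged):
        print(f"local-exec in {address}: {command!r}")
```

Run it and the `null_resource.exfiltrate` entry comes out with both `triggers` and the `provisioner` list, which is the shape the terraform iac type already produces; anything that references other objects in `expressions` is surfaced as a reference list rather than resolved, so the policy layer can decide how to treat non-constant commands.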

kanchwala-yusuf commented 3 years ago

> @kanchwala-yusuf my use case is indicated in the bug report: Having the ability to detect malicious commands in the provisioner.

Hi @xortim , it is an interesting idea, but unfortunately today terrascan does not have any policies around this.

Do you plan to add policies in terrascan for this?

xortim commented 3 years ago

I would be open to contributing policies I develop should this become available.

kanchwala-yusuf commented 3 years ago

Thanks, great! Until we figure out the solution for the tfplan iac type output, would it be possible for you to make use of the terraform iac type and contribute the policies?