Closed joegajeckyj-ecs closed 2 years ago
attempted workaround
```gherkin
Scenario: Ensure S3 bucket is Encrypted
  Given I have aws_s3_bucket defined
  When it does not contain server_side_encryption_configuration
  Given I have aws_s3_bucket_server_side_encryption_configuration defined
  Then it must have bucket
  And it must be in {aws_s3_bucket.values.bucket}
```
stash creates the following and still fails:
```json
[
  {
    "address": "module.website_s3_bucket[0].aws_s3_bucket_server_side_encryption_configuration.example[0]",
    "values": "",
    "type": "aws_s3_bucket_server_side_encryption_configuration"
  },
  {
    "address": "module.website_s3_bucket_test[0].aws_s3_bucket_server_side_encryption_configuration.example[0]",
    "values": "module.website_s3_bucket_test[0].aws_s3_bucket.this[0]",
    "type": "aws_s3_bucket_server_side_encryption_configuration"
  }
]
```
output:
```
Failure: {aws_s3_bucket.values.bucket} does not cover selected resources.
And it must be in {aws_s3_bucket.values.bucket}
Failure:
```
@joegajeckyj-ecs I'm a little bit newbie to terraform-compliance, but try the following: in your resource `aws_s3_bucket_server_side_encryption_configuration` you specify the `bucket` and point to the right bucket using the `id`, but in the compliance scenario it's `{aws_s3_bucket.values.bucket}`, so `.bucket`. Could that be the issue? I think this solved it for me.
```hcl
resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
  count  = var.create_bucket && var.enable_server_side_encryption == true ? 1 : 0
  bucket = join("", aws_s3_bucket.this.*.id) # <- Use .bucket here instead of .id
  ...
}
```
Great spot @doteric, that has sorted one part; however, it still does not work with the server_side_encryption_configuration values:
```json
[
  {
    "address": "module.website_s3_bucket[0].aws_s3_bucket_server_side_encryption_configuration.example[0]",
    "values": "",
    "type": "aws_s3_bucket_server_side_encryption_configuration"
  },
  {
    "address": "module.website_s3_bucket_test[0].aws_s3_bucket_server_side_encryption_configuration.example[0]",
    "values": "",
    "type": "aws_s3_bucket_server_side_encryption_configuration"
  }
]
```
The only way I can get this to actually be consistent is to set the SSE resource first:
```gherkin
Scenario: Ensure S3 bucket is Encrypted
  Given I have aws_s3_bucket_server_side_encryption_configuration defined
  Given I have aws_s3_bucket defined
  Then it must have bucket
  Then it must be in {aws_s3_bucket_server_side_encryption_configuration.values.bucket}
```
but then it won't stop you creating buckets without SSE, which is the whole point:
```
Scenario: Ensure S3 bucket is Encrypted
    💡 SKIPPING: Can not find aws_s3_bucket_server_side_encryption_configuration defined in target terraform plan.
    Given I have aws_s3_bucket_server_side_encryption_configuration defined
    >> Press enter to continue
    Given I have aws_s3_bucket defined
    >> Press enter to continue
    Then it must have bucket
    >> Press enter to continue
    Then it must be in {aws_s3_bucket_server_side_encryption_configuration.values.bucket}
    >> Press enter to continue
```
Only adding `@noskip_at_lines_20` works as a workaround:
```gherkin
@noskip_at_lines_20
Scenario: Ensure S3 bucket is Encrypted
  Given I have aws_s3_bucket defined
  Given I have aws_s3_bucket_server_side_encryption_configuration defined
  Given I have aws_s3_bucket defined
  Then it must have bucket
  Then it must be in {aws_s3_bucket_server_side_encryption_configuration.values.bucket}
```
@joegajeckyj-ecs So I have it done this way, seems to work fine from what I see:
```gherkin
@noskip_at_line_18
Scenario: Ensure S3 bucket is Encrypted (aws provider v4)
  Given I have aws_s3_bucket resource configured
  When it does not have server_side_encryption_configuration
  Given I have aws_s3_bucket_server_side_encryption_configuration resource configured
  Then it must have bucket
  And it must be in {aws_s3_bucket.values.bucket}
  Given I have aws_s3_bucket_server_side_encryption_configuration resource configured
  Then it must contain rule
  And it must contain apply_server_side_encryption_by_default
  And its sse_algorithm property must not be None
```
What do you think?
@doteric just tested your one and it didn't catch my bucket when there was one bucket with and one without SSE:
```gherkin
@noskip_at_line_21
Scenario: Ensure S3 bucket is Encrypted (aws provider v4)
  Given I have aws_s3_bucket resource configured
  When it does not have server_side_encryption_configuration
  Given I have aws_s3_bucket_server_side_encryption_configuration resource configured
  Then it must have bucket
  And it must be in {aws_s3_bucket.values.bucket}
  Given I have aws_s3_bucket_server_side_encryption_configuration resource configured
  Then it must contain rule
  And it must contain apply_server_side_encryption_by_default
  And its sse_algorithm property must not be None
```
Mine does:
```
@noskip_at_lines_20
Scenario: Ensure S3 bucket is Encrypted
    Given I have aws_s3_bucket defined
    Given I have aws_s3_bucket_server_side_encryption_configuration defined
    Given I have aws_s3_bucket defined
    Then it must have bucket
      Failure: {aws_s3_bucket_server_side_encryption_configuration.values.bucket} does not cover selected resources.
    Then it must be in {aws_s3_bucket_server_side_encryption_configuration.values.bucket}
      Failure:
```
closing
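As an added example (not code from this thread and not part of terraform-compliance), here is the cross-resource check the scenarios above are trying to express, run directly against the `planned_values` section of `terraform show -json` output. It walks the root module and every child module, maps each standalone `aws_s3_bucket_server_side_encryption_configuration` to the bucket name in its `bucket` attribute, still accepts the pre-v4 inline `server_side_encryption_configuration` block, and reports every `aws_s3_bucket` that neither one covers. The plan excerpt is constructed for this example, with one encrypted and one unencrypted bucket (the mixed case reported above); its resource addresses and bucket names are assumptions.

```python
import json

# Constructed plan excerpt in the shape of `terraform show -json` planned_values.
# Not taken from the thread: the root-module bucket has a matching standalone SSE
# resource, the child-module bucket has none. Addresses and names are assumed.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.1",
    "planned_values": {
        "root_module": {
            "resources": [
                {
                    "address": "aws_s3_bucket.encrypted",
                    "type": "aws_s3_bucket",
                    "values": {"bucket": "example-encrypted-bucket"},
                },
                {
                    "address": "aws_s3_bucket_server_side_encryption_configuration.example",
                    "type": "aws_s3_bucket_server_side_encryption_configuration",
                    "values": {
                        "bucket": "example-encrypted-bucket",
                        "rule": [{
                            "apply_server_side_encryption_by_default": [
                                {"sse_algorithm": "AES256"}
                            ]
                        }],
                    },
                },
            ],
            "child_modules": [{
                "address": "module.website_s3_bucket_test[0]",
                "resources": [{
                    "address": "module.website_s3_bucket_test[0].aws_s3_bucket.this[0]",
                    "type": "aws_s3_bucket",
                    "values": {"bucket": "example-plain-bucket"},
                }],
            }],
        }
    },
})


def iter_resources(module):
    """Yield every resource in a planned_values module tree (root plus nested child_modules)."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def sse_algorithm(sse_values):
    """Return the sse_algorithm from a rule/apply_server_side_encryption_by_default block, or None."""
    for rule in sse_values.get("rule") or []:
        for default in rule.get("apply_server_side_encryption_by_default") or []:
            if default.get("sse_algorithm"):
                return default["sse_algorithm"]
    return None


def unencrypted_buckets_from_dict(plan):
    """Return addresses of aws_s3_bucket resources with no SSE configuration of either style."""
    resources = list(iter_resources(plan.get("planned_values", {}).get("root_module", {})))
    # Bucket name -> algorithm for every provider v4 standalone SSE resource.
    # Matching has to be on the bucket *name*: if the SSE resource's `bucket`
    # references `.id` of a bucket that does not exist yet, the value is unknown
    # at plan time and the key is simply absent, so nothing would be covered.
    covered = {}
    for res in resources:
        if res.get("type") == "aws_s3_bucket_server_side_encryption_configuration":
            values = res.get("values") or {}
            if values.get("bucket"):
                covered[values["bucket"]] = sse_algorithm(values)
    findings = []
    for res in resources:
        if res.get("type") != "aws_s3_bucket":
            continue
        values = res.get("values") or {}
        # Pre-v4 inline block is deprecated but still valid; accept it.
        inline = values.get("server_side_encryption_configuration") or []
        if inline and sse_algorithm(inline[0]):
            continue
        if covered.get(values.get("bucket")):
            continue
        findings.append(res["address"])
    return findings


def unencrypted_buckets(plan_json):
    """Same check, taking the raw JSON text of `terraform show -json plan.out`."""
    return unencrypted_buckets_from_dict(json.loads(plan_json))


if __name__ == "__main__":
    for address in unencrypted_buckets(SAMPLE_PLAN):
        print(f"UNENCRYPTED: {address}")
```

Run against a real plan with `terraform show -json plan.out | python3 check_sse.py` after swapping `SAMPLE_PLAN` for `sys.stdin.read()`. Because the join key is the bucket name, a module that sets `bucket = aws_s3_bucket.this.*.id` on the SSE resource shows up as uncovered whenever the bucket is being created in the same plan, which is the behaviour the `.id` versus `.bucket` comment above points at.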
Description
Since upgrading to the latest provider, I am now getting false positives for S3 bucket creation.
Feature File:
Used terraform-compliance Parameters:
Tested Versions:
terraform-compliance v1.3.32 initiated
Terraform v1.1.7
3.8
Additional Context: