terraform-compliance / cli

a lightweight, security focused, BDD test framework against terraform.
https://terraform-compliance.com
MIT License

Unable to check for access log bucket pointing to itself #631

Open ozmodiar192 opened 2 years ago

ozmodiar192 commented 2 years ago

Description

I am attempting to validate that a bucket with access logging enabled is not pointing to itself as the target_bucket.

To Reproduce

Create an s3 bucket with a separate aws_s3_bucket_logging resource. Set the target_bucket to the same bucket you're creating. This is a terrible idea so don't apply it. Try to verify the value for "target_bucket" is not the same bucket you're creating.

Feature File:

Feature: S3 related general feature

    # check if at least one s3 has logging enabled, because logging will require another s3
    @noskip_at_line_21
    Scenario: S3 must have access logging enabled
        Given I have aws_s3_bucket defined
        Given I have aws_s3_bucket_logging defined
        Then it must have bucket
        Then it must be in {aws_s3_bucket_logging.values.bucket}

    @noskip_at_line_28
    Scenario: Data stored in S3 has versioning enabled
        Given I have aws_s3_bucket defined
        Given I have aws_s3_bucket_versioning defined
        Then it must have bucket
        Then it must be in {aws_s3_bucket_versioning.values.bucket}

    @noskip_at_line_36
    Scenario: S3 access log must not log to itself
        Given I have aws_s3_bucket defined
        Given I have aws_s3_bucket_logging defined
        Then it must have target_bucket
        Then it must not be in {aws_s3_bucket_logging.values.bucket}

Plan File:

# aws_s3_bucket.security_bucket will be created
  + resource "aws_s3_bucket" "security_bucket" {
      + acceleration_status         = (known after apply)
      + acl                         = (known after apply)
      + arn                         = (known after apply)
      + bucket                      = "chhec-s3-access-log-bucket"
      + bucket_domain_name          = (known after apply)
      + bucket_regional_domain_name = (known after apply)
      + force_destroy               = false
      + hosted_zone_id              = (known after apply)
      + id                          = (known after apply)
      + object_lock_enabled         = (known after apply)
      + policy                      = (known after apply)
      + region                      = (known after apply)
      + request_payer               = (known after apply)
      + tags_all                    = (known after apply)
      + website_domain              = (known after apply)
      + website_endpoint            = (known after apply)

  # aws_s3_bucket_logging.security_access_log[0] will be created
  + resource "aws_s3_bucket_logging" "security_access_log" {
      + bucket        = (known after apply)
      + id            = (known after apply)
      + target_bucket = "chhec-s3-access-log-bucket"
      + target_prefix = "chhec-s3-access-log-bucket/"
    }

Sample Terraform Code:

resource "aws_s3_bucket" "security_bucket" {
  bucket = var.log_bucket
}

resource "aws_s3_bucket_logging" "security_access_log" {
  count = var.access_logging_enabled && var.access_log_bucket != "" ? 1 : 0
  bucket = aws_s3_bucket.security_bucket.id

  target_bucket = aws_s3_bucket.security_bucket.id
  target_prefix = "${var.log_bucket}/"
}

Error Output:

Expected Behavior: I would expect it to fail, but it succeeds:

    Scenario: S3 access log must not log to itself
        Given I have aws_s3_bucket defined
        Given I have aws_s3_bucket_logging defined
        Then it must have target_bucket
        Then it must not be in {aws_s3_bucket_logging.values.bucket}

Tested Versions:

Additional Context: I just started using terraform-compliance and it's entirely likely I'm doing something wrong.

ozmodiar192 commented 2 years ago

It looks like "target_bucket" is not in the stash:

            "aws_s3_bucket_logging": [
                {
                    "expected_bucket_owner": null,
                    "target_grant": [],
                    "target_prefix": "chhec-s3-access-log-bucket/",
                    "terraform-compliance.mounted": true
                },
                {
                    "expected_bucket_owner": null,
                    "target_grant": [],
                    "target_prefix": "chhec-s3-access-log-bucket/",
                    "terraform-compliance.mounted": true
                },
                {
                    "expected_bucket_owner": null,
                    "target_grant": [],
                    "target_prefix": "chhec-s3-access-log-bucket/",
                    "terraform-compliance.mounted": true
                },
                {
                    "expected_bucket_owner": null,
                    "target_grant": [],
                    "target_prefix": "chhec-s3-access-log-bucket/",
                    "terraform-compliance.mounted": true
                }
            ],
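As an added example that is not part of this issue or of the terraform-compliance project: the self-reference can be caught directly from the `terraform show -json` plan that terraform-compliance consumes, by comparing which resource the `bucket` and `target_bucket` expressions refer to in the plan's `configuration` section, since the planned `bucket` value is still "known after apply" at plan time (as the plan above shows). The sample plan below is constructed, and the check assumes resources live in the root module.

```python
import json

# Constructed sample (not from the issue) shaped like `terraform show -json plan.out`.
# The logging resource's planned `bucket` is "known after apply" and therefore absent,
# but the `configuration` section records which resource each expression refers to.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_s3_bucket.security_bucket", "type": "aws_s3_bucket",
         "values": {"bucket": "chhec-s3-access-log-bucket"}},
        {"address": "aws_s3_bucket_logging.security_access_log[0]",
         "type": "aws_s3_bucket_logging",
         "values": {"target_bucket": "chhec-s3-access-log-bucket",
                    "target_prefix": "chhec-s3-access-log-bucket/"}}]}},
    "configuration": {"root_module": {"resources": [
        {"address": "aws_s3_bucket_logging.security_access_log",
         "type": "aws_s3_bucket_logging",
         "expressions": {
             "bucket": {"references": ["aws_s3_bucket.security_bucket.id",
                                       "aws_s3_bucket.security_bucket"]},
             "target_bucket": {"references": ["aws_s3_bucket.security_bucket.id",
                                              "aws_s3_bucket.security_bucket"]}}}]}},
})


def resource_address(ref):
    """'aws_s3_bucket.x.id' -> 'aws_s3_bucket.x'; data sources keep their 'data.'
    prefix; variables, locals and meta-arguments are not resources and yield None."""
    parts = ref.split(".")
    if parts[0] in ("var", "local", "each", "count", "path", "terraform"):
        return None
    n = 3 if parts[0] == "data" else 2
    return ".".join(parts[:n]) if len(parts) >= n else None


def self_logging_resources(plan_json):
    """Addresses of aws_s3_bucket_logging resources whose `target_bucket` expression
    refers to the same bucket resource as their `bucket` expression. Root module
    only (an assumption of this example); works even when values are unknown."""
    plan = json.loads(plan_json)
    findings = []
    for res in plan["configuration"]["root_module"].get("resources", []):
        if res.get("type") != "aws_s3_bucket_logging":
            continue
        exprs = res.get("expressions", {})
        src = {resource_address(r) for r in exprs.get("bucket", {}).get("references", [])}
        dst = {resource_address(r) for r in exprs.get("target_bucket", {}).get("references", [])}
        if (src & dst) - {None}:
            findings.append(res["address"])
    return findings
```

Because the comparison is made on configuration references rather than planned values, a `count`-gated resource like the one in the issue is still reported under its un-indexed configuration address.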