search

terraform-compliance / cli

a lightweight, security focused, BDD test framework against terraform.
https://terraform-compliance.com
MIT License
1.36k stars 150 forks source link

Child modules issue #734

Open jotpal opened 2 months ago

jotpal commented 2 months ago

Hi, Can I please request your assistance for this issue? Thanks

As an Azure compliance policy I have two resources storage_account and management_lock, If the storage account does not have a lock then compliance should be failing. The scenario works if both the resources on the on the same module (root or child).

But in my case storage account and management lock are on different modules. I have tried the debugging option and seems like lock resource is not mounted.

module "storage_account" {
  source = "./modules/azurerm_storage_account"

  name                          = "stnpaueaalzlog007"
  resource_group_name           = azurerm_resource_group.rg.name
  location                      = azurerm_resource_group.rg.location
  account_tier                  = "Standard"
  account_replication_type      = "LRS"
  public_network_access_enabled = false
  lock_name                     = "lock-sa7"
  lock_level                    = "ReadOnly"
  notes                         = "Locked because it's needed by a third-party"
}
resource "azurerm_storage_account" "sa_acc" {
  name                          = var.name
  resource_group_name           = var.resource_group_name
  location                      = var.location
  account_tier                  = var.account_tier
  account_replication_type      = var.account_replication_type
  public_network_access_enabled = var.public_network_access_enabled
}

# Works if the module is not used
resource "azurerm_management_lock" "sa1" {
  name       = "lock-sa1"
  scope      = azurerm_storage_account.sa_acc.id
  lock_level = "CanNotDelete"
  notes      = "Locked because it's needed by a third-party"
}

# Does not work if the module is used

# module "storage_lock" {
#   source = "../azurerm_locks"
#   lock_level = "CanNotDelete"
#   scope      = azurerm_storage_account.sa_acc.id
#   lock_name  = "lock-sa1"
#   notes      = "Locked because it's needed by a third-party"
# }

resource "azurerm_management_lock" "lock" {
  name       = var.lock_name
  scope      = var.scope
  lock_level = var.lock_level
  notes      = var.notes
}
Feature: Validate lock is enabled for Storage Account

  Scenario: Ensure Azure Storage Account has lock enabled
    Given I have azurerm_storage_account defined
    Then it must have azurerm_management_lock

Please let me know if you need more info.