turbot / steampipe-mod-terraform-oci-compliance

Run compliance and security controls to detect Terraform OCI resources deviating from security best practices prior to deployment using Powerpipe and Steampipe.
https://hub.powerpipe.io/mods/turbot/terraform_oci_compliance
Apache License 2.0

Steampipe feature to check for compliance in terraform files when terraform module based implementation is involved #23

Closed hrishikeshkalita closed 2 years ago

hrishikeshkalita commented 2 years ago

Is your feature request related to a problem? Please describe.
We tried Steampipe Terraform checks on a Terraform module-based implementation, but the rules were not taken up by Steampipe. When we provided raw .tf files with hardcoded values, it worked.

Describe the solution you'd like
When we provided raw .tf files with hardcoded values, it worked. So, it seems that Steampipe is not taking up the rules when Terraform modules are implemented.

Describe alternatives you've considered
We have been following up with the Steampipe community in Slack, and are opening this issue for inclusion of the required feature.

Additional context

Download the codebase from here

For reproducing the issue at your end, please download the zipped folder from the link mentioned above.

Pre-requisites: Git, Steampipe is configured

Note: The test has been done on a Windows machine with WSL and Steampipe v0.14.4

Instructions:

  1. Run git clone https://github.com/turbot/steampipe-mod-terraform-oci-compliance.git
  2. Unzip the downloaded zipped folder
  3. Move into the unzipped folder (tf-oci-mod-vcn) and change directory to test by cd test
  4. Run export STEAMPIPE_WORKSPACE_CHDIR=../../steampipe-mod-terraform-oci-compliance (replace with whatever directory configuration at your end)
  5. Run steampipe check all

Observations
Even though port 22 is opened to all 0.0.0.0/0 (tf-oci-mod-vcn/test/test.tf lines 74-84), it is still passing that rule. No alarms are there for that case. Moreover, we think the rules from the test.tf file are not picked up at all. Yes, we did change the settings to scan the Terraform files using vi ~/.steampipe/config/terraform.spc and providing the necessary directories to scan.

Additional Note: Please ignore the error it may show due to some issue. But ALARM is the thing we are looking for.

cbruno10 commented 2 years ago

Hey @hrishikeshkalita, I believe that if the Terraform plugin supported scanning Terraform plan files in addition to Terraform HCL files, this would help us to properly scan more resources and modules, like some of those you linked above. We currently use the Kics parser to scan HCL files, but it looks like they also support scanning Terraform plan files, as per https://docs.kics.io/latest/platforms/#terraform_plan.

Adding this feature is not currently on our roadmap, so a suggested workaround is to use the OCI Compliance mod to scan your live/deployed infrastructure. If the query you're looking to run isn't included in the included benchmarks, you can add queries to that mod locally (or any local mod you have) to run as a control (more information on writing controls in Writing Controls).

Also, if you're interested in contributing any of the features mentioned above to the Terraform plugin, we'd appreciate any PRs and are happy to help if you have any questions.
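The reply above points at why plan files would help: a plan produced by `terraform plan -out tfplan` followed by `terraform show -json tfplan` carries the resolved values of every module instance, so the `0.0.0.0/0` source that is only a variable in module-based HCL becomes visible. The following script is an added example, not code from this mod, from Steampipe or from the Terraform plugin; it walks the `planned_values` tree of such a plan (root module plus nested `child_modules`) and raises an alarm for any `oci_core_security_list` ingress rule that exposes TCP port 22 to any address. The plan fragment embedded in it is constructed for the demonstration, with a hypothetical `module.vcn` address and resource name.

```python
"""Flag OCI security list ingress rules in a Terraform plan JSON that expose SSH to any source.

Added example for this issue thread; the sample plan below is constructed, not taken from the
linked repository. Plan shape follows `terraform show -json`: planned_values.root_module with
resources[] and child_modules[] (recursively), each resource carrying resolved `values`.
"""
import ipaddress
import json
from typing import Iterator, List

SSH_PORT = 22
TCP, ALL = "6", "all"  # protocol values as the OCI provider stores them: "6" is TCP

# Constructed plan fragment: one module instance (hypothetical address module.vcn) whose
# variables have already been resolved by the plan, so the scanner sees literal values.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.1",
    "planned_values": {
        "root_module": {
            "resources": [],
            "child_modules": [{
                "address": "module.vcn",
                "resources": [{
                    "address": "module.vcn.oci_core_security_list.public",
                    "type": "oci_core_security_list",
                    "name": "public",
                    "values": {
                        "display_name": "public-sl",
                        "ingress_security_rules": [
                            # SSH from anywhere: should alarm
                            {"protocol": "6", "source": "0.0.0.0/0", "tcp_options": [{"min": 22, "max": 22}]},
                            # SSH from a private range only: fine
                            {"protocol": "6", "source": "10.0.0.0/16", "tcp_options": [{"min": 22, "max": 22}]},
                            # all protocols from anywhere: covers 22 as well, should alarm
                            {"protocol": "all", "source": "0.0.0.0/0", "tcp_options": []},
                            # OCI service CIDR label, not a CIDR: never "any"
                            {"protocol": "6", "source": "all-services-in-oracle-services-network",
                             "tcp_options": [{"min": 22, "max": 22}]},
                        ],
                    },
                }],
            }],
        }
    },
})


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every resource in a plan module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def is_any_source(source: str) -> bool:
    """True for 0.0.0.0/0 or ::/0. Non-CIDR sources (service CIDR labels) are not 'any'."""
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False


def rule_exposes_ssh(rule: dict) -> bool:
    """An ingress rule exposes SSH if it is open to any source and its protocol/ports cover TCP 22."""
    if not is_any_source(str(rule.get("source", ""))):
        return False
    protocol = str(rule.get("protocol", ""))
    if protocol == ALL:
        return True
    if protocol != TCP:
        return False
    tcp_options = rule.get("tcp_options") or []
    if not tcp_options:  # a TCP rule without a port range applies to every TCP port
        return True
    return any((opt.get("min") or 1) <= SSH_PORT <= (opt.get("max") or 65535) for opt in tcp_options)


def scan_plan(plan_json: str) -> List[dict]:
    """Return one finding per offending ingress rule, with the resource address and rule index."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") != "oci_core_security_list":
            continue
        rules = res.get("values", {}).get("ingress_security_rules") or []
        for idx, rule in enumerate(rules):
            if rule_exposes_ssh(rule):
                findings.append({"address": res["address"], "rule_index": idx,
                                 "source": rule["source"], "protocol": str(rule["protocol"])})
    return findings


if __name__ == "__main__":
    for f in scan_plan(SAMPLE_PLAN_JSON):
        print(f"ALARM {f['address']} ingress rule #{f['rule_index']}: "
              f"protocol {f['protocol']} from {f['source']} reaches port {SSH_PORT}")
```

Against a real plan, replace `SAMPLE_PLAN_JSON` with the output of `terraform show -json tfplan`; because the walk is recursive, nested module calls are covered without any special handling, which is exactly what HCL-only scanning cannot do when the values live in module inputs.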