This repository has been archived by the owner on Sep 3, 2024. It is now read-only.

Waiving rules for dynamic resources? #127

Open
christophetd opened this issue Jun 2, 2021 · 3 comments
Labels
enhancement New feature or request Roadmap Item

Comments

@christophetd

Say I'm creating a bunch of unencrypted S3 buckets:

resource "aws_s3_bucket" "bucket" {
  count = 20
  bucket = "christophe-my-sample-unencrypted-bucket-${count.index}"
}

and using regula to scan my Terraform plan:

+--------------------------+---------------+-----------+----------+--------------+--------------------------+---------+--------+
|         Resource         |     Type      | Filepath  | Severity |   Rule ID    |        Rule Name         | Message | Result |
+--------------------------+---------------+-----------+----------+--------------+--------------------------+---------+--------+
| aws_s3_bucket.bucket     | aws_s3_bucket | .         | Unknown  | S3_ENCRYPTED | aws_s3_bucket_encryption |         | WAIVED |
| aws_s3_bucket.bucket[0]  | aws_s3_bucket | plan.json | Unknown  | S3_ENCRYPTED | aws_s3_bucket_encryption |         | FAIL   |
| aws_s3_bucket.bucket[10] | aws_s3_bucket | plan.json | Unknown  | S3_ENCRYPTED | aws_s3_bucket_encryption |         | FAIL   |
| aws_s3_bucket.bucket[11] | aws_s3_bucket | plan.json | Unknown  | S3_ENCRYPTED | aws_s3_bucket_encryption |         | FAIL   |
| aws_s3_bucket.bucket[12] | aws_s3_bucket | plan.json | Unknown  | S3_ENCRYPTED | aws_s3_bucket_encryption |         | FAIL   |
| aws_s3_bucket.bucket[13] | aws_s3_bucket | plan.json | Unknown  | S3_ENCRYPTED | aws_s3_bucket_encryption |         | FAIL   |
| aws_s3_bucket.bucket[14] | aws_s3_bucket | plan.json | Unknown  | S3_ENCRYPTED | aws_s3_bucket_encryption |         | FAIL   |
| aws_s3_bucket.bucket[15] | aws_s3_bucket | plan.json | Unknown  | S3_ENCRYPTED | aws_s3_bucket_encryption |         | FAIL   |
| aws_s3_bucket.bucket[16] | aws_s3_bucket | plan.json | Unknown  | S3_ENCRYPTED | aws_s3_bucket_encryption |         | FAIL   |
| aws_s3_bucket.bucket[17] | aws_s3_bucket | plan.json | Unknown  | S3_ENCRYPTED | aws_s3_bucket_encryption |         | FAIL   |
| aws_s3_bucket.bucket[18] | aws_s3_bucket | plan.json | Unknown  | S3_ENCRYPTED | aws_s3_bucket_encryption |         | FAIL   |
| aws_s3_bucket.bucket[19] | aws_s3_bucket | plan.json | Unknown  | S3_ENCRYPTED | aws_s3_bucket_encryption |         | FAIL   |
| aws_s3_bucket.bucket[1]  | aws_s3_bucket | plan.json | Unknown  | S3_ENCRYPTED | aws_s3_bucket_encryption |         | FAIL   |
| aws_s3_bucket.bucket[2]  | aws_s3_bucket | plan.json | Unknown  | S3_ENCRYPTED | aws_s3_bucket_encryption |         | FAIL   |
| aws_s3_bucket.bucket[3]  | aws_s3_bucket | plan.json | Unknown  | S3_ENCRYPTED | aws_s3_bucket_encryption |         | FAIL   |
| aws_s3_bucket.bucket[4]  | aws_s3_bucket | plan.json | Unknown  | S3_ENCRYPTED | aws_s3_bucket_encryption |         | FAIL   |
| aws_s3_bucket.bucket[5]  | aws_s3_bucket | plan.json | Unknown  | S3_ENCRYPTED | aws_s3_bucket_encryption |         | FAIL   |
| aws_s3_bucket.bucket[6]  | aws_s3_bucket | plan.json | Unknown  | S3_ENCRYPTED | aws_s3_bucket_encryption |         | FAIL   |
| aws_s3_bucket.bucket[7]  | aws_s3_bucket | plan.json | Unknown  | S3_ENCRYPTED | aws_s3_bucket_encryption |         | FAIL   |
| aws_s3_bucket.bucket[8]  | aws_s3_bucket | plan.json | Unknown  | S3_ENCRYPTED | aws_s3_bucket_encryption |         | FAIL   |
| aws_s3_bucket.bucket[9]  | aws_s3_bucket | plan.json | Unknown  | S3_ENCRYPTED | aws_s3_bucket_encryption |         | FAIL   |
+--------------------------+---------------+-----------+----------+--------------+--------------------------+---------+--------+
|                          |               |           |          |              |                          | Overall |   FAIL |
+--------------------------+---------------+-----------+----------+--------------+--------------------------+---------+--------+

And I want to suppress this rule for this specific resource, aws_s3_bucket.bucket[*]. How can I achieve it?

Waiving aws_s3_bucket.bucket[0] works but will only waive the failure for 1 resource. Same problem for resources created with for_each.

@christophetd
Author

Just noticed this is being worked on as part of #125.

@jaspervdj-luminal
Member


Hi @christophetd, thanks for reporting this! The PR you linked to only applies
to processing .tf files directly -- not to terraform plans.

One option would be for us to support more expressive string globs for waivers.
However, you can do something like that in rego as well. If you create a
waivers configuration like this:

package fugue.regula.config

import data.fugue.resource_view

# This grabs all resource IDs from the internal resource view.
all_resource_ids[id] {
  single := input[_].content
  resource_view.resource_view[id] with input as single
}

waivers[waiver] {
  # Waive all IDs that match the regex.
  all_resource_ids[id]
  regex.match(`^aws_s3_bucket\.bucket\[[0-9]+\]$`, id)
  waiver := {"resource_id": id, "rule_id": "FG_R00099"}
}

And then pass it in using:

regula run -i waivers.rego tfplan.json

Does that help?
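The maintainer's snippet above only matches count-style indexes such as aws_s3_bucket.bucket[0]; the original question also asks about for_each, whose instance IDs carry a quoted key such as aws_s3_bucket.bucket["prod"]. The following is an added example, not regula's own code and not the maintainer's snippet, of a waivers configuration that waives every instance of a base address regardless of how it was indexed. It assumes the same fugue.regula.config / fugue.resource_view packages shown above, the regula rule ID FG_R00099 from the maintainer's reply, standard OPA built-ins (sprintf, replace, regex.match), and a hypothetical object named waived_addresses that you fill in with your own base addresses.

```rego
package fugue.regula.config

import data.fugue.resource_view

# Hypothetical map of base resource address -> rule ID to waive for every
# instance of that address. Add your own entries here.
waived_addresses := {
  "aws_s3_bucket.bucket": "FG_R00099",
}

# Collect all resource IDs from regula's internal resource view (same
# technique as the maintainer's snippet above).
all_resource_ids[id] {
  single := input[_].content
  resource_view.resource_view[id] with input as single
}

# Build a regex from the base address. Dots in the address are escaped so
# that "aws_s3_bucket.bucket" cannot accidentally match "aws_s3_bucketXbucket".
# The optional trailing group matches any index form Terraform emits:
#   [0]        (count)
#   ["prod"]   (for_each with string keys)
# or no index at all (a plain, non-repeated resource).
address_pattern(base) = pattern {
  escaped := replace(base, ".", `\.`)
  pattern := sprintf(`^%s(\[[^\]]*\])?$`, [escaped])
}

waivers[waiver] {
  some base
  rule_id := waived_addresses[base]
  all_resource_ids[id]
  regex.match(address_pattern(base), id)
  waiver := {"resource_id": id, "rule_id": rule_id}
}
```

Pass it in the same way as the maintainer's version (regula run -i waivers.rego tfplan.json). One caveat: the pattern is anchored to the start of the ID, so resources inside modules (for example module.storage.aws_s3_bucket.bucket[0]) need their full module-prefixed address as the key in waived_addresses, and a module that is itself repeated with count or for_each would need a second optional index group before the resource part. Keep the waived set deliberately narrow: a waiver written as a regex silently covers resources added later that happen to match, so review it with the same care as the rule it suppresses.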

@ameliafugue ameliafugue added enhancement New feature or request Roadmap Item labels Jun 7, 2021
@ameliafugue
Member

Hi @christophetd,

This is a future roadmap item and I entered it as a request here: https://feedback.eu.pendo.io/app/#/case/136142?section=requests
