This repository has been archived by the owner on Sep 3, 2024. It is now read-only.

Not working with aws terraform modules #231

Open
ronaldoalvescosta opened this issue Oct 21, 2021 · 4 comments
Labels
bug Something isn't working

Comments

@ronaldoalvescosta

ronaldoalvescosta commented Oct 21, 2021

Hello!
Regula is reporting problems that do not exist when using TF modules:

```hcl
module "s3_bucket" {
  source = "../terraform-aws-s3-bucket/"
  bucket = var.res_bucket_name
  block_public_acls = true
  block_public_policy = true
  ignore_public_acls = true
  restrict_public_buckets = true
  attach_deny_insecure_transport_policy = true
}
```

`regula run`:

```
G_R00229: S3 buckets should have all block public access options enabled [High]
https://docs.fugue.co/FG_R00229.html
[1]: module.s3_bucket.aws_s3_bucket.this
in ../terraform-aws-s3-bucket\main.tf:5:1
included at s3.tf:6:12

FG_R00100: S3 bucket policies should only allow requests that use HTTPS [Medium]
https://docs.fugue.co/FG_R00100.html
[1]: module.s3_bucket.aws_s3_bucket.this
in ../terraform-aws-s3-bucket\main.tf:5:1
included at s3.tf:6:12
```

@ronaldoalvescosta
Author

ronaldoalvescosta commented Oct 21, 2021

```sh
terraform show -json tfplan > plan.json
```

```json
{
    "address": "module.s3_bucket.aws_s3_bucket_policy.this[0]",
    "module_address": "module.s3_bucket",
    "mode": "managed",
    "type": "aws_s3_bucket_policy",
    "name": "this",
    "index": 0,
    "provider_name": "registry.terraform.io/hashicorp/aws",
    "change": {
        "actions": [
            "no-op"
        ],
        "before": {
            "bucket": "my-sandbox1-teste3",
            "id": "my-sandbox1-teste3",
            "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"denyInsecureTransport\",\"Effect\":\"Deny\",\"Principal\":\"*\",\"Action\":\"s3:*\",\"Resource\":[\"arn:aws:s3:::my-sandbox1-teste3/*\",\"arn:aws:s3:::my-sandbox1-teste3\"],\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}}}]}"
        },
        "after": {
            "bucket": "my-sandbox1-teste3",
            "id": "my-sandbox1-teste3",
            "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"denyInsecureTransport\",\"Effect\":\"Deny\",\"Principal\":\"*\",\"Action\":\"s3:*\",\"Resource\":[\"arn:aws:s3:::my-sandbox1-teste3/*\",\"arn:aws:s3:::my-sandbox1-teste3\"],\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}}}]}"
        },
        "after_unknown": {},
        "before_sensitive": {},
        "after_sensitive": {}
    }
}
```

```sh
regula run plan.json
```

```
FG_R00100: S3 bucket policies should only allow requests that use HTTPS [Medium]
https://docs.fugue.co/FG_R00100.html
[1]: module.s3_bucket.aws_s3_bucket.this[0]
in plan.json
```

@ronaldoalvescosta
Author

ronaldoalvescosta commented Oct 21, 2021

applied bucket policy:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "denyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my-sandbox1-teste3/*",
                "arn:aws:s3:::my-sandbox1-teste3"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}
```
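For readers checking the same property themselves, here is an added example (not Regula's Rego rule and not the reporter's code) of the check FG_R00100 describes, run over a plan JSON in the `terraform show -json` shape from the comments above. It parses each `aws_s3_bucket_policy` resource's planned `after.policy` string and looks for a Deny statement on every principal, all S3 actions, and both the bucket and its objects, conditioned on `aws:SecureTransport` being false. The plan is constructed: its first policy is the one applied in this issue, the second is a made-up weaker policy so one resource passes and one is flagged. The exact criteria (which principals, actions and resources count as "covering") are this example's assumptions, not necessarily Regula's.

```python
"""Flag aws_s3_bucket_policy resources in a Terraform plan JSON whose planned
policy does not deny non-TLS requests (the property behind FG_R00100)."""
import json

# Constructed sample plan: the first policy is the denyInsecureTransport policy
# from this issue; the second is a hypothetical policy that lacks the Deny.
SAMPLE_PLAN = {
    "format_version": "1.0",
    "resource_changes": [
        {
            "address": "module.s3_bucket.aws_s3_bucket_policy.this[0]",
            "type": "aws_s3_bucket_policy",
            "change": {
                "actions": ["no-op"],
                "after": {
                    "bucket": "my-sandbox1-teste3",
                    "policy": json.dumps({
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Sid": "denyInsecureTransport",
                            "Effect": "Deny",
                            "Principal": "*",
                            "Action": "s3:*",
                            "Resource": ["arn:aws:s3:::my-sandbox1-teste3/*",
                                         "arn:aws:s3:::my-sandbox1-teste3"],
                            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
                        }],
                    }),
                },
            },
        },
        {
            "address": "aws_s3_bucket_policy.weak",  # hypothetical resource
            "type": "aws_s3_bucket_policy",
            "change": {
                "actions": ["create"],
                "after": {
                    "bucket": "example-weak-bucket",
                    "policy": json.dumps({
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                            "Action": "s3:GetObject",
                            "Resource": "arn:aws:s3:::example-weak-bucket/*",
                        }],
                    }),
                },
            },
        },
    ],
}


def _as_list(value):
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """'*' or {"AWS": "*"} (possibly inside a list) means every principal."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _covers_all_s3_actions(actions):
    return any(a in ("*", "s3:*") for a in _as_list(actions))


def _covers_bucket_and_objects(resources, bucket):
    res = set(_as_list(resources))
    both = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    return "*" in res or both <= res


def _denies_insecure_transport(condition):
    """Accept the string "false" as well as a JSON boolean false."""
    if not isinstance(condition, dict):
        return False
    flag = condition.get("Bool", {}).get("aws:SecureTransport")
    return flag is not None and str(flag).lower() == "false"


def policy_denies_insecure_transport(policy, bucket):
    """True if some statement denies all S3 access to bucket and objects for
    every principal when the request did not use TLS."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    return any(
        stmt.get("Effect") == "Deny"
        and _principal_is_everyone(stmt.get("Principal"))
        and _covers_all_s3_actions(stmt.get("Action"))
        and _covers_bucket_and_objects(stmt.get("Resource"), bucket)
        and _denies_insecure_transport(stmt.get("Condition"))
        for stmt in _as_list(doc.get("Statement"))
    )


def find_insecure_transport_findings(plan):
    """Return addresses of aws_s3_bucket_policy resources whose planned policy
    fails the check. Deletions (no 'after') are skipped; a policy that is not
    known at plan time is reported because it cannot be verified."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_s3_bucket_policy":
            continue
        after = rc.get("change", {}).get("after")
        if after is None:
            continue
        policy, bucket = after.get("policy"), after.get("bucket")
        if not policy or not bucket or not policy_denies_insecure_transport(policy, bucket):
            findings.append(rc["address"])
    return findings


if __name__ == "__main__":
    for address in find_insecure_transport_findings(SAMPLE_PLAN):
        print(f"FG_R00100-style finding: {address}")
```

On a real plan, load `plan.json` with `json.load` and pass the resulting dict to `find_insecure_transport_findings`; the module resource from this issue passes, which is the behaviour the reporter expected from Regula.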

@jaspervdj-luminal jaspervdj-luminal added the bug Something isn't working label Oct 21, 2021
@jaspervdj-luminal
Member

Hi @ronaldoalvescosta, thanks for opening this issue!

It looks like we're having trouble evaluating the HCL code inside this module. I took some time to try and reproduce this issue.

I was able to reproduce the FG_R00100 (https only) issue using this file:

```hcl
module "s3-bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "2.9.0"
  bucket = var.res_bucket_name
  block_public_acls = true
  block_public_policy = true
  ignore_public_acls = true
  restrict_public_buckets = true
  attach_deny_insecure_transport_policy = true
}
```

However, I could not reproduce the issue around FG_R00229 (block public access), except if I cloned the submodule and referred to it locally using `source = ./terraform-aws-s3-bucket`. In this case, however, running a `terraform init` fixed that. Could you confirm that you are still seeing the FG_R00229 issue after running a `terraform init`? This is necessary since Regula won't download remote HCL code; `terraform init` does that for us.

In either case, thanks for sharing the code and including the details in a way that makes it easy to try for me, and I'll create a ticket internally to look into and fix these two issues.

@ronaldoalvescosta
Author

Hello! I'm getting only FG_R00100 now.
