pre-commit-terraform

Terraform Security Check AVD-AWS-0342 [NOT IGNORED BY TRIVY:IGNORE]

Open ETSkevespi opened this issue 1 year ago • 4 comments

Describe the bug

I have the following IAM policy, but every time I run a commit it always detects the misconfiguration for avd-aws-0342. I've already added the ignore line, but it still fails for the trivy hook.

```hcl
data "aws_iam_policy_document" "policy_document" {
  #trivy:ignore:avd-aws-0342
  statement {
    actions = [
      "iam:PassRole",
    ]

    resources = ["arn:aws:iam::12345677:role/*"]
  }
}

resource "aws_iam_role_policy_attachment" "policy_document" {
  role       = aws_iam_role.access_role[0].name
  policy_arn = aws_iam_policy_policy_document.arn
}
```
Trivy misconfiguration report (excerpt):

```json
{
  "Type": "Terraform Security Check",
  "ID": "AVD-AWS-0342",
  "AVDID": "AVD-AWS-0342",
  "Title": "IAM Pass Role Filtering",
  "Description": "Ensures any IAM pass role attched to roles are flagged and warned.",
  "Message": "IAM policy allows 'iam:PassRole' action",
  "Namespace": "builtin.aws.iam.aws0342",
  "Query": "data.builtin.aws.iam.aws0342.deny",
  "Resolution": "Resolve permission escalations by denying pass role'",
  "Severity": "MEDIUM",
  "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0342",
  "References": [
    "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html",
    "https://avd.aquasec.com/misconfig/avd-aws-0342"
  ]
}
```

How can we reproduce it?

The trivy misconfiguration detected is specific to `"iam:PassRole"`. If this line is removed, it does not trigger, even if there are other actions.

Despite the `#trivy:ignore:avd-aws-0342` annotation, it is still being detected during pre-commit with trivy and not ignored.

To reproduce it, create an `aws_iam_policy_document` that has the `"iam:PassRole"` action and run:

```bash
pre-commit run -a
```

pre-commit.yml

```yaml
# See https://pre-commit.com for more information
# See https://pre-commit.com/hooks.html for more hooks
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
  rev: v4.5.0
  hooks:
  - id: trailing-whitespace
  - id: end-of-file-fixer
  - id: check-added-large-files
  - id: check-merge-conflict
  - id: no-commit-to-branch
    args: ['--branch', 'master']
  - id: detect-aws-credentials
  - id: detect-private-key

- repo: https://github.com/antonbabenko/pre-commit-terraform
  rev: v1.88.4
  hooks:
  - id: terraform_fmt
  - id: terraform_docs
    name: Generate tf documents for modules
    files: ^modules/
    args:
    - --hook-config=--path-to-file=README.md        # Valid UNIX path. I.e. ../TFDOC.md or docs/README.md etc.
    - --hook-config=--add-to-existing-file=true     # Boolean. true or false
    - --hook-config=--create-file-if-not-exist=true # Boolean. true or false
  - id: terraform_docs
    name: Generate tf documents for environments
    files: ^environments/
    args:
    - --hook-config=--path-to-file=README.md        # Valid UNIX path. I.e. ../TFDOC.md or docs/README.md etc.
    - --hook-config=--add-to-existing-file=true     # Boolean. true or false
    - --hook-config=--create-file-if-not-exist=true # Boolean. true or false
  - id: terraform_validate
    files: ^environments/
    args:
      - --tf-init-args=-backend=false
  - id: terraform_tflint
  - id: terraform_trivy
    args:
      - --args=--format=json
      - --args=--skip-dirs="**/.terraform"
```

  • OS: Win10 with Ubuntu 22 on WSL2
  • Trivy version: 0.51.2
  • Pre-Commit version: 3.7.0
  • Terraform version: 1.5.7 on linux_amd64
  • tflint version: 0.50.3
  • terraform-docs version: 0.16.0

ETSkevespi, May 28 '24 10:05

I'm wondering why you discarded the whole bunch of additional data we request to be able to help investigate local issues? 🤔 Please follow the Local installation bug report template to help us help you. Thanks.

yermulnik, May 28 '24 12:05

@yermulnik please see the latest adjustment to give you more details.

ETSkevespi, May 28 '24 14:05

@ETSkevespi Please follow the form and fill in the below:

  • How can we reproduce it? Post as text the data from your terminal including the command you run and the output from pre-commit-terraform. Put it in between «```bash» and «```» lines, like the screenshot of the relevant bit from the bug reporting template below. [screenshot]
  • Tools availability and versions: At least the Trivy version is required to understand the issue. Run `trivy --version` and post it as a code snippet. [screenshot]
  • `.pre-commit-config.yaml` [screenshot]

PS: I updated the very first message in this issue so that you can learn how to use code snippets in markdown.

yermulnik, May 28 '24 18:05

@yermulnik ,

Thank you for your help. I've added some more information based on your suggestions.

ETSkevespi, May 29 '24 01:05

@ETSkevespi Post as text the data from your terminal including the command you run and the output from pre-commit-terraform. Put it in between «```bash» and «```» lines.

I don't use Trivy and hence I might be missing something, though I can't reproduce the error either with `#trivy:ignore:avd-aws-0342` or without this annotation:

```bash
> cat test.tf
data "aws_iam_policy_document" "policy_document" {
  statement {
    actions = [
      "iam:PassRole",
    ]

    resources = ["arn:aws:iam::12345677:role/*"]
  }
}

resource "aws_iam_role_policy_attachment" "policy_document" {
  role       = aws_iam_role.access_role[0].name
  policy_arn = aws_iam_policy_policy_document.arn
}

> ~/tmp/trivy version | head -1
Version: 0.51.2

> ~/tmp/trivy conf ./ --exit-code=1 --format=table --skip-dirs="**/.terraform"
2024-05-30T18:51:52+03:00       INFO    Misconfiguration scanning is enabled
2024-05-30T18:51:52+03:00       INFO    Detected config files   num=1
```

Could you please run Trivy manually to see whether it spits out the same error that you see when running pre-commit-terraform?

yermulnik, May 30 '24 15:05

The odd thing about Trivy is that its documentation has no statements on inline annotations to ignore checks at the moment 🤔 Is it still supported? Also, all the relevant search results suggest placing the `#trivy:ignore:...` annotation before the TF resource definition block — maybe that's the trick? 🤔

```hcl
#trivy:ignore:avd-aws-0342
data "aws_iam_policy_document" "policy_document" {
```

yermulnik, May 30 '24 16:05

Can't reproduce. The following code has no violation on trivy 0.51.4:

```hcl
data "aws_iam_policy_document" "policy_document" {
  statement {
    actions = [
      "iam:PassRole",
    ]

    resources = ["arn:aws:iam::12345677:role/*"]
  }
}

resource "aws_iam_role_policy_attachment" "policy_document" {
  role       = aws_iam_role.access_role[0].name
  policy_arn = aws_iam_policy_policy_document.arn
}
```

MaxymVlasov, May 30 '24 16:05

> The odd thing about Trivy is that its documentation has no statements on inline annotations to ignore checks at the moment 🤔 Is it still supported? Also, all the relevant search results suggest placing the `#trivy:ignore:...` annotation before the TF resource definition block — maybe that's the trick? 🤔
>
> ```hcl
> #trivy:ignore:avd-aws-0342
> data "aws_iam_policy_document" "policy_document" {
> ```

@yermulnik ,

This approach did the trick, thank you so much for being patient with me. I do have some misconfigurations where I declare the ignore before the `statement` block, but for AVD-AWS-0342 it needed to be before the resource block.

ETSkevespi, May 31 '24 01:05
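As an added example (not Trivy's code and not from this thread), the following Python models the placement rule the thread converges on: a `#trivy:ignore:<ID>` comment suppresses a finding only when it sits on the line directly above the block the finding is reported against, which is why the comment placed inside the `data` block before `statement` left AVD-AWS-0342 unsuppressed. The attachment rule is a deliberate simplification of Trivy's real matcher and is an assumption here; `scan`, `_block_end` and the sample HCL are constructed for this illustration.

```python
import re

# Added example, not Trivy's code: a simplified model of the rule the thread lands on,
# that a `#trivy:ignore:<ID>` comment covers the block starting on the very next line.
# Trivy's real matcher is richer, so this attachment rule is an assumption for illustration.

BLOCK_RE = re.compile(r'^\s*data\s+"aws_iam_policy_document"')
IGNORE_RE = re.compile(r'^\s*#\s*trivy:ignore:(?P<id>[A-Za-z0-9-]+)')

def _block_end(lines, start):
    """Index of the line closing the block whose opening `{` is on line `start`."""
    depth = 0
    for i in range(start, len(lines)):
        depth += lines[i].count("{") - lines[i].count("}")
        if depth == 0:
            return i
    raise ValueError("unterminated block")

def scan(hcl_text, check_id="AVD-AWS-0342"):
    """Return [(line_number, suppressed)] for each policy document granting iam:PassRole."""
    lines = hcl_text.splitlines()
    results = []
    for i, line in enumerate(lines):
        if not BLOCK_RE.match(line):
            continue
        body = "\n".join(lines[i:_block_end(lines, i) + 1])
        if '"iam:PassRole"' not in body:
            continue
        # The finding targets the `data` block, so only the line directly above it counts.
        above = lines[i - 1] if i > 0 else ""
        m = IGNORE_RE.match(above)
        suppressed = bool(m) and m.group("id").lower() == check_id.lower()
        results.append((i + 1, suppressed))
    return results

# Constructed samples mirroring the two placements discussed in the thread.
INSIDE_BLOCK = """data "aws_iam_policy_document" "policy_document" {
  #trivy:ignore:avd-aws-0342
  statement {
    actions   = ["iam:PassRole"]
    resources = ["arn:aws:iam::12345677:role/*"]
  }
}
"""
BEFORE_BLOCK = "#trivy:ignore:avd-aws-0342\n" + INSIDE_BLOCK.replace(
    "  #trivy:ignore:avd-aws-0342\n", "")

if __name__ == "__main__":
    print(scan(INSIDE_BLOCK))  # [(1, False)]: finding still reported
    print(scan(BEFORE_BLOCK))  # [(2, True)]: finding suppressed
```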

@ETSkevespi Great to hear that helped.

yermulnik, May 31 '24 14:05