terrascan
Terraform map variables not being evaluated
- terrascan version: 1.15.1
- Operating System: Ubuntu 18.04.1
Description
I am testing the terrascan tool to see whether it works well with our terraform files. In my testing I find that terrascan does not evaluate map variables to determine whether there are policy violations or not. While researching this issue I came across #678, which demonstrates var.pgsql.encryption setting storage_encrypted to true.
In my testing of this example I find that if you set var.pgsql.encryption to false, terrascan will not detect a violation. In fact, if you set var.pgsql.encryption to anything, it will pass.
What I Did
I used the simple example from issue #678, but set "encryption" = false:
provider "aws" {
  region = "us-east-1"
}

# Map variable whose "encryption" key is read by the first cluster below
variable "pgsql" {
  type = map(any)
  default = {
    "encryption" = false
  }
}

# storage_encrypted is taken from the map variable (resolves to false)
resource "aws_rds_cluster" "yesEncrypted" {
  cluster_identifier = "aurora-cluster-demo"
  engine             = "aurora-mysql"
  engine_version     = "5.7.mysql_aurora.2.03.2"
  availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"]
  database_name      = "mydb"
  storage_encrypted  = var.pgsql.encryption
}

# storage_encrypted is a literal false; this is the one terrascan flags
resource "aws_rds_cluster" "noEncrypted" {
  cluster_identifier = "aurora-cluster-demo"
  engine             = "aurora-mysql"
  engine_version     = "5.7.mysql_aurora.2.03.2"
  availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"]
  database_name      = "mydb"
  storage_encrypted  = false
}
Running terrascan -i terraform -t aws --show-passed produces the following output. Note that it doesn't show the passed policy either.
Violation Details -
Description : Ensure backup retention period is set for rds cluster
File : main.tf
Module Name : root
Plan Root : ./
Line : 35
Severity : MEDIUM
-----------------------------------------------------------------------
Description : Ensure backup retention period is set for rds cluster
File : main.tf
Module Name : root
Plan Root : ./
Line : 44
Severity : MEDIUM
-----------------------------------------------------------------------
Description : Encrypt Amazon RDS instances and snapshots at rest, by enabling the encryption option for your Amazon RDS DB instance
File : main.tf
Module Name : root
Plan Root : ./
Line : 44
Severity : HIGH
-----------------------------------------------------------------------
Scan Summary -
File/Folder : /workspaces/test
IaC Type : terraform
Scanned At : 2022-05-31 02:25:51.636180554 +0000 UTC
Policies Validated : 2
Violated Policies : 3
Low : 0
Medium : 2
High : 1
The expected behaviour is for there to be another violation for Encrypt Amazon RDS instances and snapshots at rest, by enabling the encryption option for your Amazon RDS DB instance.
If you comment out the noEncrypted resource, it produces the following output.
Passed Rules -
Rule ID : AC_AWS_0186
Rule Name : storageNotEncrypted
Description : Encrypt Amazon RDS instances and snapshots at rest, by enabling the encryption option for your Amazon RDS DB instance
Severity : HIGH
Category : Data Protection
-----------------------------------------------------------------------
Violation Details -
Description : Ensure backup retention period is set for rds cluster
File : main.tf
Module Name : root
Plan Root : ./
Line : 35
Severity : MEDIUM
-----------------------------------------------------------------------
Scan Summary -
File/Folder : /workspaces/test
IaC Type : terraform
Scanned At : 2022-05-31 02:29:44.387238469 +0000 UTC
Policies Validated : 2
Violated Policies : 1
Low : 0
Medium : 1
High : 0
I have also tried using the lookup function in terraform console to confirm that it should parse correctly.
> lookup(var.pgsql, "encryption")
false
>
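The failure mode described in this report is that a reference like var.pgsql.encryption is never evaluated, so the policy sees something that is not a literal false and lets it pass. The following is an added example, not terrascan's code, showing the behaviour a scanner would need instead: a small resolver for var.<name>.<key> traversals against variable defaults, and a hypothetical storage_not_encrypted check that fails closed (reports a violation) when the value cannot be resolved to true. The parsed-resource shape, the variable table and the policy function are all constructed for this illustration and do not reflect terrascan's internal representation or its Rego policies.

```python
"""Added example: resolve Terraform map-variable traversals before evaluating
a policy, and treat unresolved expressions as failures rather than passes.

The data structures here are a constructed stand-in for parsed HCL; they are
not what terrascan builds internally.
"""
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Constructed sample: the variable and the two clusters from the issue, plus a
# third cluster that references a variable which does not exist. A parser that
# has not evaluated expressions hands the raw text "var.pgsql.encryption" over.
VARIABLES: Dict[str, Dict[str, Any]] = {
    "pgsql": {"type": "map(any)", "default": {"encryption": False}},
}

RESOURCES: List[Dict[str, Any]] = [
    {"type": "aws_rds_cluster", "name": "yesEncrypted",
     "config": {"storage_encrypted": "var.pgsql.encryption"}},
    {"type": "aws_rds_cluster", "name": "noEncrypted",
     "config": {"storage_encrypted": False}},
    {"type": "aws_rds_cluster", "name": "unknownVar",
     "config": {"storage_encrypted": "var.missing.flag"}},
]

# Matches var.<name> followed by zero or more .<key> attribute traversals.
_VAR_REF = re.compile(r"^var\.([A-Za-z_][\w-]*)((?:\.[A-Za-z_][\w-]*)*)$")


@dataclass(frozen=True)
class Unresolved:
    """Marker for an expression the resolver could not evaluate."""
    expr: str


def resolve(value: Any, variables: Dict[str, Dict[str, Any]]) -> Any:
    """Return a literal, or follow a var.<name>.<key>... path into defaults.

    Anything that is not a plain variable traversal (function calls, locals,
    interpolation) is returned as Unresolved so the caller can fail closed.
    """
    if not isinstance(value, str):
        return value  # already a literal: bool, number, list, ...
    match = _VAR_REF.match(value.strip())
    if not match:
        return Unresolved(value)
    name, keys = match.group(1), match.group(2)
    var = variables.get(name)
    if var is None or "default" not in var:
        return Unresolved(value)
    current = var["default"]
    for key in (k for k in keys.split(".") if k):
        if not isinstance(current, dict) or key not in current:
            return Unresolved(value)
        current = current[key]
    return current


def storage_not_encrypted(resource: Dict[str, Any],
                          variables: Dict[str, Dict[str, Any]]) -> Optional[str]:
    """Hypothetical policy: violation unless storage_encrypted resolves to True.

    An unresolved expression is reported as a violation instead of passing
    silently, which is the gap the report above describes.
    """
    val = resolve(resource["config"].get("storage_encrypted"), variables)
    if val is True:
        return None
    reason = "unresolved expression" if isinstance(val, Unresolved) else f"value {val!r}"
    return f'{resource["type"]}.{resource["name"]}: storage_encrypted is not true ({reason})'


def scan(resources: List[Dict[str, Any]],
         variables: Dict[str, Dict[str, Any]]) -> List[str]:
    """Run the policy over every resource and collect the violation messages."""
    findings = []
    for resource in resources:
        finding = storage_not_encrypted(resource, variables)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for line in scan(RESOURCES, VARIABLES):
        print(line)
```

With the sample above, all three clusters are reported: noEncrypted for its literal false, yesEncrypted because var.pgsql.encryption resolves to false from the default, and unknownVar because the reference cannot be resolved at all. Flipping the default to true clears only the yesEncrypted finding, which is the behaviour the report expects from the scanner.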