Ignore checks for specific resources.
Feature Request
Many rules have exceptions. It would be nice if we could opt out of checks for specific resources. Something like this:
resource "storage" "name" {
  # storage-public-access: This bucket hosts user content for public access so public access is required.
  allow_public_access = true
}
Ideally these opt-outs would be specific (AKA opt out of specific rules for specific resources) and the opt out would be close in code to the affected resource (ideally inside the defining block). This is similar to a lot of linters that allow disabling specific rules for sections of the code.
It would also be an interesting idea to require specific patterns in the opt-out such as referencing a ticket URL that should include a security review or similar.
Unfortunately comments are not part of the plan output and I don't think there are any attributes or meta-attributes that can be used to pass the opt-out and rationale to the plan file, so we might need to get creative (or file a feature request upstream).
Related request to globally disable rules: https://github.com/terraform-compliance/cli/issues/263
@kevincox https://terraform-compliance.com/pages/bdd-references/using_tags.html#supported-tags
You can think in reverse and tag your scenarios to ignore resources using tags that reference the terraform dotted resource notation.
Exclude Resources
The exclude tag causes the resource or resources described by the following regular expression to be ignored by the scenario. When @exclude_regular_expression is used, resources with addresses that match the regex will be ignored.
Possible formats:
▪ exclude_aws_s3_bucket.mybucket
▪ ignore_azurerm_storage_account.example
▪ exclude_module.ecr_repository["repository_[0-9]"].aws_ecr_repository.ecr_repository
▪ ignore_module.ecr_repository.*aws_ecr_repository.ecr_repository
I may suggest a pattern we use: set up a feature folder or repo with subsets of features and run terraform-compliance against, say, internal, external and top-secret folders. This allows you to run different sets of features as needed for different expected configs, using the -f flag: https://terraform-compliance.com/pages/usage/#-f--features
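To make the tag semantics above concrete, here is an added example (not terraform-compliance's own implementation): it strips the exclude_/ignore_ prefix from each scenario tag, treats the remainder as a regular expression, and removes matching addresses from a constructed list of plan resource addresses. It anchors with re.fullmatch, which is an assumption of this example rather than something the page states about the tool, so that a tag for aws_s3_bucket.mybucket does not also drop aws_s3_bucket.mybucket_logs. The over-broad tag in the second call shows the trap a reviewer should look for: an unescaped regex such as aws_s3_bucket.* silently removes every bucket from the scenario.

```python
import re

# Tag prefixes documented for terraform-compliance scenarios:
# https://terraform-compliance.com/pages/bdd-references/using_tags.html
EXCLUDE_PREFIXES = ("exclude_", "ignore_")


def exclude_patterns(tags):
    """Compile the regex part of every @exclude_/@ignore_ tag; other tags are skipped."""
    patterns = []
    for tag in tags:
        body = tag.lstrip("@")
        for prefix in EXCLUDE_PREFIXES:
            if body.startswith(prefix):
                patterns.append(re.compile(body[len(prefix):]))
                break
    return patterns


def filter_addresses(addresses, tags):
    """Split plan addresses into (kept, excluded) according to the scenario tags.

    Assumption of this example: the regex must describe the whole address
    (re.fullmatch), so 'aws_s3_bucket.mybucket' does not also match
    'aws_s3_bucket.mybucket_logs'. Note that '.' in the tag is still a regex
    wildcard, so the dotted notation matches loosely by design.
    """
    patterns = exclude_patterns(tags)
    kept, excluded = [], []
    for addr in addresses:
        if any(p.fullmatch(addr) for p in patterns):
            excluded.append(addr)
        else:
            kept.append(addr)
    return kept, excluded


# Constructed sample: resource addresses in the form `terraform show -json` emits.
SAMPLE_ADDRESSES = [
    "aws_s3_bucket.mybucket",
    "aws_s3_bucket.mybucket_logs",
    "aws_s3_bucket.public_assets",
    'module.ecr_repository["repository_1"].aws_ecr_repository.ecr_repository',
    'module.ecr_repository["repository_2"].aws_ecr_repository.ecr_repository',
    "module.network.aws_security_group.default",
]

# Constructed tags, written in the two formats shown in the documentation.
SCENARIO_TAGS = [
    "@exclude_aws_s3_bucket.mybucket",
    "@ignore_module.ecr_repository.*aws_ecr_repository.ecr_repository",
]

# An over-broad tag: every aws_s3_bucket address is dropped from the scenario.
OVERBROAD_TAGS = ["@exclude_aws_s3_bucket.*"]

if __name__ == "__main__":
    kept, excluded = filter_addresses(SAMPLE_ADDRESSES, SCENARIO_TAGS)
    print("checked:", kept)
    print("skipped:", excluded)
    _, too_many = filter_addresses(SAMPLE_ADDRESSES, OVERBROAD_TAGS)
    print("skipped by over-broad tag:", too_many)
```

The second call is the case to watch in review: a tag that is one character too loose removes checks for resources nobody intended to exempt, and nothing in the scenario output says so.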
Ah, I didn't see that option. However it doesn't quite solve the use case, as the config file is global, whereas I would want to apply the tag to a specific folder. It would also be nice to apply it to a specific workspace, but that would be more complicated.
I also think that labeling the resources is nicer because it keeps the flag and justification next to the affected resource and shows up when working on it or modifying it. That might be personal preference. However if this isn't possible then putting it into the lint config would be ok.
@kevincox I totally agree in regard to labeling resources, but that's the only thing that code-based scanners like Checkov and TFSec have over this style of scanning. I have found configuring rules to flag on to be quite challenging, as terraform resources can be written, as you said, with regard to workspaces, tfvars, variables and such. Many times it's easy to flag on unintended configs or miss things that are in a variable or workspace.
We settled on terraform-compliance because of the plan scanning offering a lot more standardization and try to find ways around some of the issues you are dealing with.
Hello, thanks to @mdesmarest, who explained the main problem about this. Unfortunately, there is currently no plan to have any code-scanning capability. terraform-compliance will stick to the plan :)
Closing this Issue :)
Hello @eerkunt,
I see the point that terraform-compliance is not scanning the code statically, just deal with the plan file itself.
However, is it possible to give exceptions to tf-compliance via arguments?
For example:
original command
- terraform-compliance --junit-xml TFCompliance-Report-public.xml --features git:https://github.com/terraform-compliance/user-friendly-features.git --planfile plan.compliance.json
Suggestion:
- terraform-compliance --junit-xml TFCompliance-Report-public.xml --features git:https://github.com/terraform-compliance/user-friendly-features.git --planfile plan.compliance.json --exclude "Scenario: ALB protocol must be HTTPS"
As a next step, define an exclude file, like "tf-compliance.yml", with skippable checks. In this way excluded checks are in the code itself and can be reviewed.
It would be nice to see it as improvement :)
Thank you :)
Hello @ch-e-mistry
Did you mean a usage like https://radish.readthedocs.io/en/stable/tutorial.html#tags ?
It's already supported by the way, as we are using radish-bdd for the bdd engine.
What do you think ?
Hi @eerkunt,
Yes, if we are speaking about the syntax. Just with exclude instead of include. (As far as I can understand from the documentation, the include mechanism is supported; "skip" is a little bit tricky.)
But I'm interested in the excluding scenario. And it would be fine if it can be defined on the terraform-compliance side instead of the feature side.
Reason: I would like to use the features for many and many projects / repository (like now) via pre-defined pipelines, but I also would like to exclude a few specific check in a specific repo.
Is it possible to solve it on the application's side instead of tagging the features?
Thank you
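To show what the per-repository skip list proposed above would have to do, here is an added example that is not part of terraform-compliance or radish-bdd: a small parser that walks a constructed .feature file, records each scenario with the radish-style tags placed on it, and drops the scenarios named in a hypothetical tf-compliance.yml-style skip list (represented here as a plain Python list, since the file format and the --exclude flag are the thread's proposal, not an existing option). Feature-level tags are kept separate from scenario tags so a tag above Feature: is not mistaken for an exclusion on the first scenario.

```python
# Constructed feature text in the Gherkin dialect terraform-compliance consumes.
FEATURE_TEXT = """\
@hardening
Feature: Load balancer hardening

  @exclude_aws_lb.internal_legacy
  Scenario: ALB protocol must be HTTPS
    Given I have aws_lb_listener defined
    Then it must contain protocol
    And its value must be HTTPS

  Scenario: ALB must have access logs enabled
    Given I have aws_lb defined
    Then it must contain access_logs

  Scenario Outline: Security group must not open <port> to the world
    Given I have aws_security_group defined
    Then it must not have ingress from 0.0.0.0/0 on port <port>
"""

# Hypothetical per-repository skip list (the "tf-compliance.yml" idea from
# this thread; terraform-compliance has no such file).
SKIP_LIST = ["ALB protocol must be HTTPS"]


def parse_feature(feature_text):
    """Return (feature_tags, [(scenario_name, scenario_tags), ...]).

    Tags are the '@word' tokens on the line(s) directly above a Feature: or
    Scenario: header; a tag line attaches to whichever header follows it.
    """
    feature_tags, scenarios, pending = [], [], []
    for raw in feature_text.splitlines():
        line = raw.strip()
        if line.startswith("@"):
            pending.extend(tok for tok in line.split() if tok.startswith("@"))
        elif line.startswith("Feature:"):
            feature_tags, pending = pending, []
        elif line.startswith(("Scenario:", "Scenario Outline:")):
            name = line.split(":", 1)[1].strip()
            scenarios.append((name, pending))
            pending = []
        # Step lines, comments and blank lines carry no tags.
    return feature_tags, scenarios


def select_scenarios(feature_text, skip_list):
    """Names of the scenarios that would still run after applying the skip list."""
    skipped = set(skip_list)
    _, scenarios = parse_feature(feature_text)
    return [name for name, _tags in scenarios if name not in skipped]


def scenario_tags(feature_text, scenario_name):
    """Tags attached to one scenario, or None if the scenario is not defined."""
    _, scenarios = parse_feature(feature_text)
    for name, tags in scenarios:
        if name == scenario_name:
            return tags
    return None


if __name__ == "__main__":
    for name in select_scenarios(FEATURE_TEXT, SKIP_LIST):
        print("would run:", name, scenario_tags(FEATURE_TEXT, name))
```

Matching on the exact scenario name is deliberate: a skip list that matched by substring or regex would reintroduce the over-broad exclusion problem, and an exact name that stops matching after a feature file is edited fails closed (the scenario runs again) rather than open.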