False positive for aws rule vpcFlowLogsNotEnabled #408

Closed
ismailyenigul opened this issue Nov 25, 2020 · 0 comments · Fixed by #475

  • terrascan version: v1.2.0
  • Operating System: macOS

Description

Terrascan can't validate aws_flow_log when vpc_id references an aws_vpc resource. The following vpc.tf is valid, but terrascan reports a failure.

What I Did

$ cat vpc.tf

provider "aws" {
  region = "us-east-1"
}

resource "aws_vpc" "valid_vpc" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_flow_log" "valid_vpc_flow_log" {
  iam_role_arn    = aws_iam_role.example.arn
  log_destination = aws_cloudwatch_log_group.example.arn
  traffic_type    = "ALL"
  vpc_id          = aws_vpc.valid_vpc.id
}

resource "aws_cloudwatch_log_group" "example" {
  name = "example"
}

resource "aws_iam_role" "example" {
  name = "example"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy" "example" {
  name = "example"
  role = aws_iam_role.example.id

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

$ terrascan scan
results:
    violations:
        - rule_name: vpcFlowLogsNotEnabled
          description: Ensure VPC flow logging is enabled in all VPCs
          rule_id: AWS.VPC.Logging.Medium.0470
          severity: MEDIUM
          category: Logging
          resource_name: valid_vpc
          resource_type: aws_vpc
          file: vpc_flow_log_infra.tf
          line: 18
        - rule_name: logGroupNotEncryptedWithKms
          description: AWS CloudWatch log group is not encrypted with a KMS CMK
          rule_id: AWS.CloudWatch.EncryptionandKeyManagement.High.0632
          severity: HIGH
          category: Encryption and Key Management
          resource_name: example
          resource_type: aws_cloudwatch_log_group
          file: vpc_flow_log_infra.tf
          line: 29
    count:
        low: 0
        medium: 1
        high: 1
        total: 2


Here is the terraform plan output:

 # aws_flow_log.valid_vpc_flow_log will be created
  + resource "aws_flow_log" "valid_vpc_flow_log" {
      + arn                      = (known after apply)
      + iam_role_arn             = (known after apply)
      + id                       = (known after apply)
      + log_destination          = (known after apply)
      + log_destination_type     = "cloud-watch-logs"
      + log_format               = (known after apply)
      + log_group_name           = (known after apply)
      + max_aggregation_interval = 600
      + traffic_type             = "ALL"
      + vpc_id                   = (known after apply)
    }

 # aws_vpc.valid_vpc will be created
  + resource "aws_vpc" "valid_vpc" {
      + arn                              = (known after apply)
      + assign_generated_ipv6_cidr_block = false
      + cidr_block                       = "10.0.0.0/16"
      + default_network_acl_id           = (known after apply)
      + default_route_table_id           = (known after apply)
      + default_security_group_id        = (known after apply)
      + dhcp_options_id                  = (known after apply)
      + enable_classiclink               = (known after apply)
      + enable_classiclink_dns_support   = (known after apply)
      + enable_dns_hostnames             = (known after apply)
      + enable_dns_support               = true
      + id                               = (known after apply)
      + instance_tenancy                 = "default"
      + ipv6_association_id              = (known after apply)
      + ipv6_cidr_block                  = (known after apply)
      + main_route_table_id              = (known after apply)
      + owner_id                         = (known after apply)
    }
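What a reference-aware version of this check has to do, as an added illustration (Python, not terrascan's own Rego rule): resolve `aws_vpc.<name>.id` to the VPC's resource address before deciding which VPCs are covered by a flow log. The resource dicts are a constructed model of the vpc.tf above plus one extra VPC that genuinely lacks a flow log.

```python
import re

# Constructed model of the vpc.tf in this issue (plus one extra VPC without a
# flow log, so the check has a true positive to report as well).
RESOURCES = [
    {"type": "aws_vpc", "name": "valid_vpc", "config": {"cidr_block": "10.0.0.0/16"}},
    {"type": "aws_vpc", "name": "unlogged", "config": {"cidr_block": "10.1.0.0/16"}},
    {"type": "aws_flow_log", "name": "valid_vpc_flow_log",
     "config": {"traffic_type": "ALL", "vpc_id": "aws_vpc.valid_vpc.id"}},
]

# Matches a Terraform reference to a VPC's id attribute: aws_vpc.<name>.id
VPC_REF = re.compile(r"^aws_vpc\.(?P<name>[A-Za-z0-9_-]+)\.id$")


def resolve_vpc_ref(value: str) -> str:
    """Turn 'aws_vpc.x.id' (or the legacy '${aws_vpc.x.id}') into the resource
    address 'aws_vpc.x'; leave a literal id such as 'vpc-0abc...' unchanged."""
    expr = value.strip()
    if expr.startswith("${") and expr.endswith("}"):
        expr = expr[2:-1].strip()
    m = VPC_REF.match(expr)
    return f"aws_vpc.{m.group('name')}" if m else value


def vpcs_without_flow_logs(resources, resolve_refs=True):
    """Return addresses of aws_vpc resources that no aws_flow_log points at."""
    covered = set()
    for r in resources:
        if r["type"] == "aws_flow_log" and r["config"].get("vpc_id"):
            vpc_id = r["config"]["vpc_id"]
            # Naive mode only knows literal ids, so a reference never matches
            # and every VPC declared in the same config gets flagged.
            covered.add(resolve_vpc_ref(vpc_id) if resolve_refs else vpc_id)
    findings = []
    for r in resources:
        if r["type"] != "aws_vpc":
            continue
        address = f"aws_vpc.{r['name']}"
        literal_id = r["config"].get("id")  # only known after apply
        if address not in covered and (literal_id is None or literal_id not in covered):
            findings.append(address)
    return findings


if __name__ == "__main__":
    print("naive:", vpcs_without_flow_logs(RESOURCES, resolve_refs=False))
    print("resolved:", vpcs_without_flow_logs(RESOURCES))
```

Running it shows the naive comparison flagging valid_vpc exactly as in the scan output above, while the reference-aware version only reports the VPC that really has no flow log.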
