terraform can't detect violations in terraform modules #468

Closed
ismailyenigul opened this issue Jan 11, 2021 · 1 comment

Comments

@ismailyenigul

  • terrascan version: v1.2.0
  • Operating System: MacOS

Description

$ cat main.tf 
module "sg" {
  source         = "./sg"
  vpc_id         = "vpc-123"
  company        = "c1"
  environment    = "dev"
  application    = "test"
  cidrs = "0.0.0.0/0"
}

and module content:

cat sg/main.tf 
resource "aws_security_group" "mysg" {
  name   = "${var.company}-${var.environment}-${var.application}-sg"
  vpc_id = var.vpc_id

  # SSH access
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.cidrs
  }

  # HTTPS access
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = var.cidrs
  }


  # ICMP
  ingress {
    from_port   = -1
    to_port     = -1
    protocol    = "icmp"
    cidr_blocks = var.cidrs
  }

  # outbound internet access
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "${var.company}-${var.environment}-${var.application}-sg"
  }
}

It can't find any violation.

$ terrascan scan .
results:
    violations: []
    count:
        low: 0
        medium: 0
        high: 0
        total: 0

tfsec and checkov can find the issue with SSH allowed from all.

$ tfsec .

Problem 1

  [AWS009][WARNING] Resource 'module.sg:aws_security_group.mysg' defines a fully open egress security group.
  /Users/ismail/dev/sg/sg/main.tf:36

      33 |     from_port   = 0
      34 |     to_port     = 0
      35 |     protocol    = "-1"
      36 |     cidr_blocks = ["0.0.0.0/0"]
      37 |   }
      38 | 

and

$ checkov -d . 
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_security_group.mysg
	File: /sg/main.tf:1-42
	Guide: https://docs.bridgecrew.io/docs/networking_1-port-security

		1  | resource "aws_security_group" "mysg" {
		2  |   name        = "${var.company}-${var.environment}-${var.application}-sg"
		3  |   vpc_id      = var.vpc_id
		4  |   description = "sg"
@ismailyenigul (Author)

It was my bad.
After replacing cidr "0.0.0.0/0" with ["0.0.0.0/0"], terrascan detected the violation.

If I set the variables' default values in sg/variables.tf (cidrs default = ["0.0.0.0/0"]) and run terrascan in the module's directory, then it fails with `panic: not a string`, which is already reported.

$ cd sg 

$ cat variables.tf 
variable "vpc_id" {
  type        = string
  description = "VPC ID in which to deploy RDS"
  default     = "vpc-123"
}

variable "company" {
  description = "Name of the Company"
  default     = "test"
}

variable "environment" {
  description = "The aws environment"
  default     = "test"
}

variable "application" {
  description = "Application purpose of resource"
  default     = "test"
}

variable "cidrs" {
  description = "[List] IP CIDRs to whitelist in the passwork's security group"
  type        = list(string)
  default     = ["0.0.0.0/0"]
}
$ terrascan  scan  .
panic: not a string

goroutine 1 [running]:
github.com/zclconf/go-cty/cty.Value.AsString(0x61dd120, 0xc000643cf0, 0x5e56d00, 0xc004952510, 0xc004952510, 0x61dd120)
	github.com/zclconf/go-cty@v1.2.1/cty/value_ops.go:1173 +0x1a5
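The thread above shows two failure modes of one root cause: the root module passed a plain string to a `list(string)` variable, and terrascan v1.2.0 first produced an empty result set for the module and then, with a list default in `variables.tf`, panicked on `cty.Value.AsString`. The following is an added example, not terrascan's code, showing how a scanner can resolve `var.cidrs` through the module call, compare the value against the module's declared type, report the mismatch as its own finding, and still evaluate the open-SSH rule instead of silently returning no violations. The three Terraform snippets are constructed inline from the issue, and the regex-based block/attribute parsing is a deliberately minimal stand-in for a real HCL parser.

```python
"""Resolve module inputs and type-check them before evaluating security-group rules.

Added example (not terrascan's implementation). The inputs below are constructed
from the issue: a root module calls ./sg and passes `cidrs` as a string, while the
module declares `cidrs` as list(string) and uses it for its SSH ingress rule.
"""
import re
from dataclasses import dataclass

ROOT_MAIN_TF = '''
module "sg" {
  source = "./sg"
  cidrs  = "0.0.0.0/0"
}
'''
MODULE_VARIABLES_TF = '''
variable "cidrs" {
  type    = list(string)
  default = ["0.0.0.0/0"]
}
'''
MODULE_MAIN_TF = '''
resource "aws_security_group" "mysg" {
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.cidrs
  }
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]
  }
}
'''

SSH_PORT = 22
ANYWHERE = "0.0.0.0/0"


@dataclass
class VarRef:
    """A `var.<name>` reference that must be resolved against module inputs."""
    name: str


def parse_value(raw):
    """Parse one HCL attribute value: var reference, list of strings, string, or int."""
    raw = raw.strip()
    if raw.startswith("var."):
        return VarRef(raw[4:])
    if raw.startswith("["):
        return re.findall(r'"([^"]*)"', raw)
    if raw.startswith('"'):
        return raw.strip('"')
    return int(raw)


def parse_attrs(body):
    """Return the raw `key = value` attributes of a block body (no nested blocks)."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r'^\s*(\w+)\s*=\s*(.+?)\s*$', body, re.M)}


def blocks(text, kind):
    """Yield (label, body) for each top-level `kind "label" { ... }` block."""
    for m in re.finditer(r'%s\s+"(\w+)"\s*\{(.*?)\n\}' % kind, text, re.S):
        yield m.group(1), m.group(2)


def resolve_inputs(module_attrs, var_decls):
    """Resolve each declared variable (caller argument, else default) and check its type."""
    values, findings = {}, []
    for name, decl in var_decls.items():
        raw = module_attrs.get(name, decl.get("default"))
        value = parse_value(raw) if raw is not None else None
        declared = decl.get("type", "").replace(" ", "")
        if declared.startswith("list") and isinstance(value, str):
            # Report the mismatch, then coerce so the rule is still evaluated.
            findings.append(f"type-mismatch: var.{name} declared {declared} "
                            f"but given string {value!r}")
            value = [value]
        values[name] = value
    return values, findings


def parse_ingress(module_tf, inputs):
    """Extract ingress blocks, substituting resolved values for var references."""
    rules = []
    for m in re.finditer(r'ingress\s*\{(.*?)\n\s*\}', module_tf, re.S):
        attrs = {k: parse_value(v) for k, v in parse_attrs(m.group(1)).items()}
        cidrs = attrs["cidr_blocks"]
        if isinstance(cidrs, VarRef):
            cidrs = inputs.get(cidrs.name, [])  # undeclared var: treat as empty
        rules.append({**attrs, "cidr_blocks": cidrs})
    return rules


def open_ssh_findings(rules):
    """Flag any ingress rule that exposes port 22 (or all protocols) to 0.0.0.0/0."""
    findings = []
    for r in rules:
        covers_ssh = r["from_port"] <= SSH_PORT <= r["to_port"] or r["protocol"] == "-1"
        if covers_ssh and ANYWHERE in r["cidr_blocks"]:
            findings.append(f"open-ssh: ingress {r['from_port']}-{r['to_port']}"
                            f"/{r['protocol']} allows {ANYWHERE}")
    return findings


def scan(root_tf, variables_tf, module_tf):
    """Full pipeline: module call -> variable declarations -> resolved rules -> findings."""
    module_attrs = {}
    for _, body in blocks(root_tf, "module"):
        module_attrs.update(parse_attrs(body))
    var_decls = {name: parse_attrs(body) for name, body in blocks(variables_tf, "variable")}
    inputs, findings = resolve_inputs(module_attrs, var_decls)
    return findings + open_ssh_findings(parse_ingress(module_tf, inputs))


if __name__ == "__main__":
    for line in scan(ROOT_MAIN_TF, MODULE_VARIABLES_TF, MODULE_MAIN_TF):
        print(line)
```

With the string argument from the issue the scan returns both a `type-mismatch` and an `open-ssh` finding; with `cidrs = ["0.0.0.0/0"]` only the `open-ssh` finding remains, and with a private CIDR list it returns nothing. Treating the type mismatch as a finding rather than an internal error is the point: a mistyped module input is exactly the case where a silent empty result (or a panic) would hide a real exposure.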
