
policy not evaluating #629

Closed
andrewCluey opened this issue Mar 24, 2021 · 3 comments

Comments

@andrewCluey

  • terrascan version: 1.4.0
  • Operating System: Windows 10

Description

Hi, I've just started using Terrascan and am new to Rego, so this is likely user error. Any help is really appreciated.

So, I've started using Terrascan and want to incorporate it into our IaC pipelines. Most of the built-in policies are fine, but we want to add a few more, so I've created one test policy to try to understand how it works.

The policy checks out in the Rego playground, but when we scan, pointing to this new policy, it doesn't seem to generate a violation, where it should.

What I Did

Here's a copy of my .rego policy, which is effectively a copy of one of the other policies already included in the storage_account directory. This is to check for any 'min_tls_version' settings that aren't TLS 1.2:

package accurics

# The rule name must match the "name" field in the policy's JSON metadata file.
storageAccountTLS[retVal] {
   # Iterate over every azurerm_storage_account resource in the scanned input
   minTLS := input.azurerm_storage_account[_]
   # Fire when min_tls_version is set to something other than TLS1_2
   not minTLS.config.min_tls_version == "TLS1_2"
   traverse := "min_tls_version"
   # Violation record in the shape Terrascan expects, including the remediation hint
   retVal := { "Id": minTLS.id, "ReplaceType": "edit", "CodeType": "attribute", "Traverse": traverse, "Attribute": traverse, "AttributeDataType": "string", "Expected": "TLS1_2", "Actual": minTLS.config.min_tls_version }
}

When I run this in the playground, I get the returned value as expected when the TLS version does not match TLS1_2.

So, when I run a scan, I point at the local directory that contains my policy file (and JSON) using this command:

terrascan scan -p \tfdev\terrascan\terrascan-master\pkg\policies\opa\rego\azure\terraform-azurerm_storage_account

I would expect to get a violated policy, as my config is set to use TLS1_0; however, I get this.

Scan Summary -

        File/Folder         :   \tfdev\demo-dev\terraform-azurerm-storage-account
        IaC Type            :   terraform
        Scanned At          :   2021-03-24 11:00:09.6435432 +0000 UTC
        Policies Validated  :   4
        Violated Policies   :   0
        Low                 :   0
        Medium              :   0
        High                :   0

This is my JSON file too:

{
    "name": "storageAccountTLSVersion",
    "file": "storageAccountTLSVersion.rego",
    "template_args": {
        "prefix": ""
    },
    "severity": "HIGH",
    "description": "Ensure that minimum TLS version is set to TLS 1.2.",
    "reference_id": "azure.StorageAccount.TLS.High.8",
    "category": "Network Security",
    "version": 2
}

I must be going wrong somewhere, so any help is appreciated.


hapyharshit commented Mar 24, 2021

The returned function name from the rego should match the name specified in the JSON.
I see the name in the rego is storageAccountTLS and the name specified in the JSON is storageAccountTLSVersion.
You can try making those the same and see if that helps.
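A small consistency check for this name-matching requirement, added here as an example (it is not part of Terrascan or of the issue): it reads each policy .json in a directory, extracts the top-level rule names from the referenced .rego, and reports any metadata "name" that matches no rule. It assumes rule heads start in column 0, as in Terrascan's bundled policies; the sample policy and metadata are constructed copies of the ones in the issue.

```python
import json
import re
import tempfile
from pathlib import Path

# A Terrascan custom policy is a .rego file plus a .json metadata file, and the
# metadata "name" must equal the rule the rego defines. Assumption: rule heads start in column 0.
RULE_HEAD = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*(?:\[[^\]]*\])?\s*(?::=|=|\{)")
KEYWORDS = {"package", "import", "default", "else", "not", "some", "with"}

def rego_rule_names(rego_src: str) -> set:
    """Names of the top-level rules defined in a Rego source string."""
    heads = (RULE_HEAD.match(line) for line in rego_src.splitlines())
    return {m.group(1) for m in heads if m and m.group(1) not in KEYWORDS}

def check_policy_dir(policy_dir: Path) -> list:
    # One problem string per inconsistent policy; an empty list means all is well.
    problems = []
    for meta_path in sorted(policy_dir.glob("*.json")):
        meta = json.loads(meta_path.read_text())
        rego_path = policy_dir / meta.get("file", "")
        if not rego_path.is_file():
            problems.append(f"{meta_path.name}: rego file {meta.get('file')!r} not found")
            continue
        names = rego_rule_names(rego_path.read_text())
        if meta.get("name") not in names:
            problems.append(f"{meta_path.name}: name {meta.get('name')!r} matches no rule in {sorted(names)}")
    return problems

# Constructed copy of the policy from the issue (retVal shortened for brevity).
POLICY_REGO = """package accurics
storageAccountTLS[retVal] {
   minTLS := input.azurerm_storage_account[_]
   not minTLS.config.min_tls_version == "TLS1_2"
   retVal := { "Id": minTLS.id, "Expected": "TLS1_2", "Actual": minTLS.config.min_tls_version }
}
"""

def demo() -> tuple:
    # Reproduce the issue's mismatch, then apply the fix; returns (before, after).
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "storageAccountTLSVersion.rego").write_text(POLICY_REGO)
        meta = {"name": "storageAccountTLSVersion", "file": "storageAccountTLSVersion.rego"}
        (d / "storageAccountTLSVersion.json").write_text(json.dumps(meta))
        before = check_policy_dir(d)          # one mismatch reported
        meta["name"] = "storageAccountTLS"    # the fix suggested in the reply
        (d / "storageAccountTLSVersion.json").write_text(json.dumps(meta))
        after = check_policy_dir(d)           # []
    return before, after
```

Running check_policy_dir over a policy directory before handing it to `terrascan scan -p` catches this class of silent non-evaluation, where a scan reports zero violations simply because no rule was ever wired to the metadata.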

@andrewCluey (Author)

The returned function name from the rego should match the name specified in the JSON.
I see the name in the rego is storageAccountTLS and the name specified in the JSON is storageAccountTLSVersion.
You can try making those the same and see if that helps.

Awesome! That's done the trick. I'm kicking myself now that it's something so obvious. Thanks for pointing that out though. Big help. :-)

@amirbenv (Contributor)

Thanks for using Terrascan!
