Replies: 4 comments 1 reply
-
hi @vmorkunas can you give us an example input and the expected output results? Is this for IaC scanning or AWS Cloud scanning?
-
Hi, I am trying to create a Rego check to check if an AWS resource has a specific tag on it. I have a dummy Rego check which prints out all resources and details:
Then I am running
on a Terraform plan JSON file, but in the output I can see only these kinds of details (the plan contains SNS resources):
If this object contained more information, like the tags and tags_all objects, then custom checks for tags would be easy to write. The TF plan contains this kind of information (tags and tags_all on almost every resource):
-
We're also quite keen to have this functionality, without it we can't migrate from tfsec. I was hoping it would be possible to write a check like the following, similar to one we have for enforcing default_tags on the provider:

```rego
# METADATA
# title: AWS S3 bucket required tags
# description: Check if an S3 bucket has the required tags set on it
# scope: package
# schemas:
#   - input: schema["cloud"]
# custom:
#   id: FCC02
#   severity: CRITICAL
#   short_code: required-aws-s3-bucket-tags
#   recommended_actions: "Add the required tags to the S3 bucket."
#   input:
#     selector:
#       - type: cloud
#         subtypes:
#           - provider: aws
#             service: s3
package fc.terraform.FCC02

import rego.v1

required_tags := ["Access", "Owner"]

deny contains res if {
	bucket := input.aws.s3.buckets[_]
	# Assumes the cloud schema exposes the bucket's tags as a map
	bucket_tags := object.keys(bucket.tags.value)
	some tag in required_tags
	not tag in bucket_tags
	res := result.new(
		sprintf("An AWS S3 bucket must have the '%s' tag", [tag]),
		bucket
	)
}
```

For our use cases we only require it for S3 buckets and security groups. Would you be open to a PR for just those resources initially or prefer to try and add support for all taggable resources at once?
-
Hi @vmorkunas @jamesrwhite ! Is there any reason why you can't scan terraform-plan as json and write a check for the raw plan? Check:

```rego
# METADATA
# title: AWS S3 bucket required tags
# description: Check if an S3 bucket has the required tags set on it
# scope: package
# custom:
#   id: FCC02
#   severity: CRITICAL
#   short_code: required-aws-s3-bucket-tags
#   recommended_actions: "Add the required tags to the S3 bucket."
#   input:
#     selector:
#       - type: json
package fc.terraform.FCC02

import rego.v1

required_tags := ["Access", "Owner"]

deny contains res if {
	# Iterate the planned resources of the root module of the plan JSON
	some resource in input.planned_values.root_module.resources
	resource.type == "aws_s3_bucket"
	bucket_tags := object.keys(resource.values.tags)
	some tag in required_tags
	not tag in bucket_tags
	res := result.new(
		sprintf("An AWS S3 bucket %q must have the %q tag", [resource.values.bucket, tag]),
		# Attach the finding to the offending resource
		resource
	)
}
```
Output:
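As an added example (not code from the thread or from Trivy), here is the same plan-JSON approach extended to cover two cases the check above misses: buckets declared inside child modules, and buckets whose `tags` key is absent or `null`, where `object.keys(resource.values.tags)` becomes undefined and the untagged bucket silently passes. Package name and check id are hypothetical; `result.new` is the Trivy builtin used on this page.

```rego
# METADATA
# title: AWS S3 bucket required tags (all modules, missing tags handled)
# description: Deny any planned aws_s3_bucket, in the root or any child module, that lacks a required tag key
# scope: package
# custom:
#   id: FCC02-EXAMPLE
#   severity: CRITICAL
#   short_code: required-aws-s3-bucket-tags-all-modules
#   recommended_actions: "Add the required tags to the S3 bucket."
#   input:
#     selector:
#       - type: json
package fc.terraform.example  # hypothetical package name

import rego.v1

required_tags := {"Access", "Owner"}

# Every resource from the root module and every nested child module.
# walk() yields each node of the plan tree; keep the nodes that carry a
# "resources" list (root_module itself and each child_modules entry).
all_resources contains resource if {
	walk(input.planned_values.root_module, [_, node])
	is_object(node)
	some resource in node.resources
}

# Effective tags: prefer tags_all (includes provider default_tags), fall
# back to tags, and treat a missing or null tags block as an empty map
# instead of letting the rule body become undefined.
effective_tags(values) := values.tags_all if is_object(values.tags_all)
else := values.tags if is_object(values.tags)
else := {}

deny contains res if {
	some resource in all_resources
	resource.type == "aws_s3_bucket"
	present := object.keys(effective_tags(resource.values))
	some tag in required_tags
	not tag in present
	# Use the resource address: values.bucket may be unset when the name is generated
	res := result.new(
		sprintf("AWS S3 bucket %q must have the %q tag", [resource.address, tag]),
		resource
	)
}
```

Note that `tags_all` only appears in `planned_values` when its value is known at plan time; default tags derived from computed values show up under `after_unknown` instead and fall through to the plain `tags` map here.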
-
Description
Currently the cloud schema (in my case AWS) does not contain resource tags, so I cannot run tag-based checks on AWS resources, for example to check if a specific tag exists. It would be a nice and useful feature to have, and not just for me I believe.
Target: Filesystem
Scanner: Misconfiguration