
feat(misconf): Support additional terraform attributes  #5460

Open
@simar7

Description

Action items

  • Support additional ebs volume attributes as listed here
  • In particular, to address the issue discussed below we will require: count, tags and type

Discussed in #5444

Originally posted by rickythain October 25, 2023

Question

I tried to create a custom policy that checks if an aws ec2 volume has a count of 1. Upon running the check, the policy did not report it when an aws ec2 volume was created with a count of 1.

So, I checked for any mistakes in the policy file and in the command used, but to no avail. Then I tried to check the input received via the custom policy and found that this may be the issue?

The input received via the custom policy does not contain the complete attributes of the resource (no count, tags, type, size, etc.).
I've compiled the terraform, policy, and the extracted-input files in this repo - test-trivy-tf.

Following are the contents:
main.tf

resource "aws_s3_bucket" "my-bucket" {
   bucket = "evil"
}

resource "aws_ebs_volume" "example02" {
  count             = 1
  size              = 14
  availability_zone = "us-east-1a"
  type              = "gp3"
  encrypted         = true
  tags = {
    Name = "HelloWorld 23"
  }
}

policy.rego

# METADATA
# title: Bad buckets are bad
# description: Bad buckets are bad because they are not good.
# scope: package
# custom:
#   avd_id: AVD-TEST-0123
#   severity: CRITICAL
#   short_code: very-bad-misconfig
#   recommended_action: "Fix the s3 bucket"

package user.foobar.ABC001

deny[cause] {
	bucket := input.aws.s3.buckets[_]
	bucket.name.value == "evil"
	cause := sprintf("%v", [bucket])
}

## below is the rule for volume

# deny[cause] {
# 	volume := input.aws.ec2.volumes[_]
# 	volume.count.value == 1
# 	cause := sprintf("%v", [volume])
# }

## below is to get the input received for volume

# deny[cause] {
# 	volume := input.aws.ec2.volumes[_]
# 	cause := sprintf("%v", [volume])
# }

## below is to get the input entirely

# deny[cause] {
# 	volume := input
# 	cause := sprintf("%v", [volume])
# }

Command used to run:

trivy config --config-policy=./policy.rego --severity=CRITICAL --namespaces=user main.tf

I extracted the input from policy evaluation into the following:

I would appreciate it if you could point out what I'm missing, or if this is a limitation of trivy? 🙏

Target

None

Scanner

Misconfiguration

Output Format

None

Mode

Standalone

Operating System

Ubuntu 22.04.3 LTS

Version

Version: 0.46.0
Policy Bundle:
  Digest: sha256:1df8ade71efc830877ca3b1130f83e0c6368e3a45b0d4c0f0418955501644054
  DownloadedAt: 2023-10-25 03:47:17.901425136 +0000 UTC
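As an added example, not code from the issue or from the Trivy project, the Rego below shows the kind of volume checks the action items are meant to enable. It assumes that, once implemented, count, type and tags are exposed under input.aws.ec2.volumes[_] as {"value": ...} objects like encrypted and size, and that tags is a plain map; the avd_id and the gp3 baseline are placeholders. The last rule reports a volume whose input lacks any of those attributes, so the silent pass described in #5444 is surfaced as a finding instead of going unnoticed.

```rego
# METADATA
# title: EBS volume attribute checks (added example)
# description: Checks volume type and Name tag, and reports volumes whose scanner input lacks the attributes.
# scope: package
# custom:
#   avd_id: AVD-EXAMPLE-0001
#   severity: MEDIUM
#   short_code: ebs-volume-attributes
#   recommended_action: "Use the gp3 type and set a Name tag; upgrade trivy if attributes are missing from input"

package user.example.EBS001

# Assumed input shape (not yet provided by trivy 0.46.0, per the discussion above):
#   volume.count = {"value": 1}, volume.type = {"value": "gp3"},
#   volume.tags  = {"Name": "..."}

# Attributes the policy relies on; absence of any of them is itself a finding.
required_attrs := {"count", "type", "tags"}

# Report volumes that are not of the expected type (gp3 is an assumed baseline).
deny[cause] {
	volume := input.aws.ec2.volumes[_]
	volume.type.value != "gp3"
	cause := sprintf("volume type %v is not gp3", [volume.type.value])
}

# Report volumes without a Name tag (assumes tags is a plain map).
deny[cause] {
	volume := input.aws.ec2.volumes[_]
	not volume.tags.Name
	cause := "volume has no Name tag"
}

# If the adapter did not expose an attribute, the rules above never fire because
# volume.type / volume.tags are undefined. This rule makes that gap visible:
# volume[attr] is undefined for a missing key, so `not` succeeds only when absent.
deny[cause] {
	volume := input.aws.ec2.volumes[_]
	attr := required_attrs[_]
	not volume[attr]
	cause := sprintf("attribute %q missing from scanner input; checks on it cannot run", [attr])
}
```

With trivy's --namespaces=user flag as in the command above, the user.example.EBS001 package is picked up alongside the original policy.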


Labels: kind/feature (Categorizes issue or PR as related to a new feature), scan/misconfiguration (Issues relating to misconfiguration scanning)
