Regula checks infrastructure as code templates (Terraform, CloudFormation, k8s manifests) for AWS, Azure, Google Cloud, and Kubernetes security and compliance using Open Policy Agent/Rego
Home Page: https://regula.dev/
License: Apache License 2.0
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
Hi there!
I'm encountered an issue when using regula with big plan json files(>2mb). It looks like that when regula reads the json and loads it into memory its memory footprint blows up(over 1GB). In our CI this causes the process to be killed due to OOM, so the policies never actually able to run. Are there any recommendations on how to reduce the memory consumption? I'm not sure if this just the downside of using regula or if it can be tweaked to potentially not load everything into memory? Also, we use conftest(v0.23) to run regula and not OPA as a service.
Thanks
Need to use mktemp -t to create a temp file with a prefix.
Hello maintainers.
Please consider addressing CIS benchmarks 1.3.0 correctly. You are writing about 1.22 from AWS Foundations in the README and the rule defined here;
https://github.com/fugue/regula/blob/master/rules/aws/iam_admin_policy.rego
Seems you have not checked what the CIS 1.22 intent should be, because you are looking for "overly permissive" policy (which is great to have a rule for it just is not CIS 1.22).
You can view this rule here;
https://workbench.cisecurity.org/sections/43739/recommendations/939514
Here is a copy from the site if you have not registered for an account
1.22 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
Scoring Status
Manual
Applicable Profiles
Level 2
Description
In multi-account environments, IAM user centralization facilitates greater user control. User access beyond the initial account is then provide via role assumption. Centralization of users can be accomplished through federation with an external identity provider or through the use of AWS Organizations.
Rationale Statement
Centralizing IAM user management to a single identity store reduces complexity and thus the likelihood of access management errors.
Audit Procedure
For multi-account AWS environments with an external identity provider...
Determine the master account for identity federation or IAM user management
Login to that account through the AWS Management Console
Click Services
Click IAM
Click Identity providers
Verify the configuration
Then..., determine all accounts that should not have local users present. For each account...
Determine all accounts that should not have local users present
Log into the AWS Management Console
Switch role into each identified account
Click Services
Click IAM
Click Users
Confirm that no IAM users representing individuals are present
For multi-account AWS environments implementing AWS Organizations without an external identity provider...
Determine all accounts that should not have local users present
Log into the AWS Management Console
Switch role into each identified account
Click Services
Click IAM
Click Users
Confirm that no IAM users representing individuals are present
Remediation Procedure
The remediation procedure will vary based on the individual organization's implementation of identity federation and/or AWS Organizations with the acceptance criteria that no non-service IAM users, and non-root accounts, are present outside the account providing centralized IAM user management.
CIS Controls
Version 7
16.2: Configure Centralized Point of Authentication
As you can see the intent is for federation via an identity provider (like Okta, Auth0, AzureAD, JumpCloud, etc) and I would suggest that AWS SOO or Cognito are also equally acceptable solutions to address this rule.
Happy to help you with any other CIS interpretations, but the rule basically speaks for itself, do not hesitate to ask.
This overly permissive rule is actually CIS 1.16. which strangely you have ;
resource_type = "aws_ebs_volume"
controls = {"CIS_1-16"}
You can renumber 1.22 as 1.16 to correct the first issue.
EBS is storage, and CIS is broken into 5 categories where Storage is category 2. So an EBS rule would start with a 2; 2.xx not a 1.
Again, happy to help with CIS interpretations, but they are pretty straightforward as far as security standards go i'd say they are extremely simple and very well documented.
I have the following simple rule in rule.rego:
package rules.aws_s3_bucket_encryption
__rego__metadoc__ := {
"id": "S3_ENCRYPTION",
"title": "S3 Bucket encryption should be enabled",
"custom": {"severity": "Medium"}
}
resource_type = "aws_s3_bucket"
deny[msg] {
count(input.server_side_encryption_configuration) == 0
msg = "Fail"
}Which is tested as follows in a file test.rego:
package rules.aws_s3_bucket_encryption
import data.bad_tf
import data.good_tf
test_allows_encrypted_s3_buckets {
not deny with input as good_tf.mock_resources["aws_s3_bucket.good"]
}
test_denies_non_encrypted_s3_buckets {
deny with input as bad_tf.mock_resources["aws_s3_bucket.bad"]
}Input file bad.tf:
resource "aws_s3_bucket" "bad" {
bucket = "my-sample-unencrypted-s3-bucket"
}And good.tf:
resource "aws_s3_bucket" "good" {
bucket = "my-sample-encrypted-s3-bucket"
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
}Here's my test output:
$ regula test .
INFO Loaded 2 IaC configurations as test inputs
data.rules.aws_s3_bucket_encryption.test_allows_encrypted_s3_buckets: FAIL (445.966µs) (test skipped because success not possible)
--------------------------------------------------------------------------------
PASS: 1/2
FAIL: 1/2
$ regula test . --trace
FAILURES
--------------------------------------------------------------------------------
data.rules.aws_s3_bucket_encryption.test_allows_encrypted_s3_buckets: FAIL (679.57µs)
query:1 Enter data.rules.aws_s3_bucket_encryption.test_allows_encrypted_s3_buckets = _
query:1 | Eval data.rules.aws_s3_bucket_encryption.test_allows_encrypted_s3_buckets = _
query:1 | Index data.rules.aws_s3_bucket_encryption.test_allows_encrypted_s3_buckets (matched 1 rule)
test.rego:6 | Enter data.rules.aws_s3_bucket_encryption.test_allows_encrypted_s3_buckets
test.rego:7 | | Eval __local876__ = data.good_tf.mock_resources["aws_s3_bucket.good"]
test.rego:7 | | Index data.good_tf.mock_resources (matched 1 rule)
good_tf.rego:21 | | Enter data.good_tf.mock_resources
good_tf.rego:21 | | | Eval true
good_tf.rego:21 | | | Eval __local836__ = data.good_tf.mock_input.resources
good_tf.rego:21 | | | Index data.good_tf.mock_input (matched 1 rule)
good_tf.rego:18 | | | Enter data.good_tf.mock_input
good_tf.rego:19 | | | | Eval __local872__ = data.good_tf.mock_config
good_tf.rego:19 | | | | Index data.good_tf.mock_config (matched 1 rule)
good_tf.rego:22 | | | | Enter data.good_tf.mock_config
good_tf.rego:22 | | | | | Eval true
good_tf.rego:22 | | | | | Exit data.good_tf.mock_config
good_tf.rego:19 | | | | Eval ret = data.fugue.resource_view.resource_view_input with input as __local872__
good_tf.rego:19 | | | | Index data.fugue.resource_view.resource_view_input (matched 1 rule)
lib/fugue/resource_view.rego:36 | | | | Enter data.fugue.resource_view.resource_view_input
lib/fugue/resource_view.rego:37 | | | | | Eval _ = input.hcl_resource_view_version
lib/fugue/resource_view.rego:38 | | | | | Eval __local1003__ = data.fugue.resource_view.resource_view
lib/fugue/resource_view.rego:38 | | | | | Index data.fugue.resource_view.resource_view (matched 1 rule)
lib/fugue/resource_view.rego:24 | | | | | Enter data.fugue.resource_view.resource_view
lib/fugue/resource_view.rego:26 | | | | | | Eval _ = input.hcl_resource_view_version
lib/fugue/resource_view.rego:27 | | | | | | Eval ret = input.resources
lib/fugue/resource_view.rego:24 | | | | | | Exit data.fugue.resource_view.resource_view
lib/fugue/resource_view.rego:38 | | | | | Eval ret = {"resources": __local1003__}
lib/fugue/resource_view.rego:36 | | | | | Exit data.fugue.resource_view.resource_view_input
good_tf.rego:18 | | | | Exit data.good_tf.mock_input
good_tf.rego:21 | | | Exit data.good_tf.mock_resources
test.rego:7 | | Eval not data.rules.aws_s3_bucket_encryption.deny with input as __local876__
test.rego:7 | | Enter data.rules.aws_s3_bucket_encryption.deny
test.rego:7 | | | Eval data.rules.aws_s3_bucket_encryption.deny
test.rego:7 | | | Index data.rules.aws_s3_bucket_encryption.deny (matched 1 rule)
rule.rego:16 | | | Enter data.rules.aws_s3_bucket_encryption.deny
rule.rego:17 | | | | Eval __local1063__ = input.server_side_encryption_configuration
rule.rego:17 | | | | Eval count(__local1063__, __local825__)
rule.rego:17 | | | | Eval __local825__ = 0
rule.rego:17 | | | | Fail __local825__ = 0
rule.rego:17 | | | | Redo count(__local1063__, __local825__)
rule.rego:17 | | | | Redo __local1063__ = input.server_side_encryption_configuration
test.rego:7 | | | Exit data.rules.aws_s3_bucket_encryption.deny
test.rego:7 | | Redo data.rules.aws_s3_bucket_encryption.deny
test.rego:7 | | | Redo data.rules.aws_s3_bucket_encryption.deny
test.rego:7 | | Fail not data.rules.aws_s3_bucket_encryption.deny with input as __local876__
test.rego:7 | | Redo __local876__ = data.good_tf.mock_resources["aws_s3_bucket.good"]
good_tf.rego:21 | | Redo data.good_tf.mock_resources
good_tf.rego:21 | | | Redo __local836__ = data.good_tf.mock_input.resources
good_tf.rego:18 | | | Redo data.good_tf.mock_input
good_tf.rego:19 | | | | Redo ret = data.fugue.resource_view.resource_view_input with input as __local872__
lib/fugue/resource_view.rego:36 | | | | Redo data.fugue.resource_view.resource_view_input
lib/fugue/resource_view.rego:38 | | | | | Redo ret = {"resources": __local1003__}
lib/fugue/resource_view.rego:38 | | | | | Redo __local1003__ = data.fugue.resource_view.resource_view
lib/fugue/resource_view.rego:24 | | | | | Redo data.fugue.resource_view.resource_view
lib/fugue/resource_view.rego:27 | | | | | | Redo ret = input.resources
lib/fugue/resource_view.rego:26 | | | | | | Redo _ = input.hcl_resource_view_version
lib/fugue/resource_view.rego:37 | | | | | Redo _ = input.hcl_resource_view_version
good_tf.rego:19 | | | | Redo __local872__ = data.good_tf.mock_config
good_tf.rego:22 | | | | Redo data.good_tf.mock_config
good_tf.rego:22 | | | | | Redo true
good_tf.rego:21 | | | Redo true
query:1 | Fail data.rules.aws_s3_bucket_encryption.test_allows_encrypted_s3_buckets = _
SUMMARY
--------------------------------------------------------------------------------
data.rules.aws_s3_bucket_encryption.test_allows_encrypted_s3_buckets: FAIL (679.57µs)
data.rules.aws_s3_bucket_encryption.test_denies_non_encrypted_s3_buckets: PASS (282.661µs)
--------------------------------------------------------------------------------
PASS: 1/2
FAIL: 1/2
However, if I reformulate the rule to...
default allow = false
allow {
count(input.server_side_encryption_configuration) > 0
}... and the tests accordingly:
test_allows_encrypted_s3_buckets {
allow with input as good_tf.mock_resources["aws_s3_bucket.good"]
}
test_denies_non_encrypted_s3_buckets {
not allow with input as bad_tf.mock_resources["aws_s3_bucket.bad"]
}Then everything works as intended:
$ regula test . --trace
INFO Loaded 2 IaC configurations as test inputs
data.rules.aws_s3_bucket_encryption.test_allows_encrypted_s3_buckets: PASS (478.94µs)
data.rules.aws_s3_bucket_encryption.test_denies_non_encrypted_s3_buckets: PASS (270.885µs)
--------------------------------------------------------------------------------
PASS: 2/2
Notes:
regula run on the good.tf/bad.tf files. Namely, regula run bad.tf --user-only --include rule.rego succeeds while it should failcheckov has this feature (through --check / --skip-check) to include or exclude specific rules. It would be very helpful in Regula as well
Examples:
$ regula run . --include-rules FG_R00278,FG_R00279
$ regula run . --exclude-rules FG_R00278
I realize that rules can be currently excluded using waivers, but I would say it makes sense to do it with the CLI as well (easier in some cases)
Another (more tricky use-case) is when you have a mix of custom rules that you all want to apply, and Regula built-in rules you want to pick from; what would be your approach here?
I'm trying to access the regula.dev site but it is broken:
Is it only for me or someone else has the same problem?
We make extensive use of terraform modules, but it appears that only the top-level resources in a project are included in configuration_resources and planned_values_resources.
I experimented with trying to change lib/fugue_regula.rego but I wasn't able to get very far.
The Terraform JSON output has planned_values map with resources inside the root_module key. But root_module also has a child_modules key, with a list of maps, and those have resource keys as well.
Hi there!
Wanted to try your solution for OPA checks but see the error.
{
"errors": [
{
"message": "object keys must be unique",
"code": "eval_conflict_error",
"location": {
"file": "regula/lib/fugue_resource_view.rego",
"row": 65,
"col": 11
}
}
]
}
Could you please help me understand root cause of this issue.
When running the regula rules against the output of plan for our terraform, I receive the following error:
{
"errors": [
{
"message": "functions must not produce multiple outputs for same inputs",
"code": "eval_conflict_error",
"location": {
"file": "/Users/jmcgill/src/regula/examples/aws/tag_all_resources.rego",
"row": 77,
"col": 1
}
}
]
}
First off, this is an absolutely wonderful project! We're just getting started using OPA/conftest to validate terraform plan files, and the libraries and initial rules provided by Regula make this so much easier - especially for a team that has no prior experience with Rego or Datalog.
One shortcoming for us is that, while running Regula through Conftest reports the rule name and failing resources, we'd really like to also report a human-readable message that's suitable for a wider audience. For example, looking at the built-in rules/aws/security_group_ingress_anywhere.rego rule, the failure message only indicates that "Rule security_group_ingress_anywhere failed for resource
", whereas we'd like a more human-readable error message such as "Ports other than 80 and 443 may not be open to 0.0.0.0/0".I've been able to implement this by converting simple rules to advanced rules and then making use of fugue.deny_resource_with_message, but it would be a lot easier if simple rules could just include a description or failure_message variable, like controls, that would be included in the report output.
Hi,
We are still testing your tools in version v1.2.0, build 8537662, built with OPA v0.28.0. But there is an annoying issue for us.
If we don't implement as documented (https://docs.fugue.co/FG_R00100.html), regula notifies us that we didn't set the bucket policy properly. In our case, we have some bucket policies coded in a data resource aws_iam_policy_document. And when we read how the rule was coded, if we were right, it is clear that the rule checks specifically what it is documented.
This is how it is written and not read properly by regula:
data "aws_iam_policy_document" "b" {
version = "2012-10-17"
statement {
sid = "DenyUnsecureAccess"
actions = ["s3:*"]
effect = "Deny"
principals {
identifiers = ["*"]
type = "*"
}
resources = [
aws_s3_bucket.b.arn,
"${aws_s3_bucket.b.arn}/*",
]
condition {
test = "Bool"
values = ["false"]
variable = "aws:SecureTransport"
}
}
}
resource "aws_s3_bucket_policy" "b" {
bucket = aws_s3_bucket.emr_logs.id
policy = data.aws_iam_policy_document.b.json
}
We think you need to improve your HCL interpreter or your rule.
What do you think ?
When running Regula against a directory:
regula run . --include ../rules --include waivers.rego --user-only
It reports a filepath that is not valid (. instead of being test.tf):
+----------------------+---------------+----------+----------+--------------+--------------------------+---------+--------+
| Resource | Type | Filepath | Severity | Rule ID | Rule Name | Message | Result |
+----------------------+---------------+----------+----------+--------------+--------------------------+---------+--------+
| aws_s3_bucket.bucket | aws_s3_bucket | . | Unknown | S3_ENCRYPTED | aws_s3_bucket_encryption | | WAIVED |
+----------------------+---------------+----------+----------+--------------+--------------------------+---------+--------+
| | | | | | | Overall | PASS |
+----------------------+---------------+----------+----------+--------------+--------------------------+---------+--------+
Same thing if using the JSON output format.
I believe the exact file name in which the resource is defined should be shown.
I promise I'll stop asking for help soon.... 😃
I want to use some of the information in the plan to implement some rules that do things like:
configuration.root_module.module_calls)configuration.resource_changes)I found you guys are already doing the heavy lifting here but I can't work out how I can actually access these values in a rule?
I'm sure this is down to my lack of knowledge around rego namespaces / imports, so I apologise if this is an obvious question!
The code below should fulfill this aws TF rule for encrypting cloudwatch logs with KMS CMKs. However, it still fails. Regula v1.5.0
resource "aws_kms_key" "cloudwatch" {
description = "cloudwatch kms key"
deletion_window_in_days = 10
enable_key_rotation = true
tags = {
Name = local.tag_name
POC = local.tag_poc
}
}
resource "aws_cloudwatch_log_group" "fargate-logs" {
name = "/ecs/fargate-task-definition"
kms_key_id = aws_kms_key.cloudwatch.key_id
tags = {
Name = local.tag_name
POC = local.tag_poc
}
}
Hi,
I was testing some rules against some terraform code and noticed two different behaviors. Realized that the OPA version was different in my environments.
simple rules like rules.ebs_volume_encrypted fail in OPA 0.20.0 and 0.21.0 and the same work fine in version 0.19.0
`# New resource for the S3 bucket.
provider "aws" {
region = "us-east-1"
}
resource "aws_s3_bucket" "bucket" {
bucket = "sometest"
acl = "private"
versioning {
enabled = true
}
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
tags = {
Name = "regulatest"
}
}
resource "aws_ebs_volume" "example" {
availability_zone = "us-west-2a"
size = 40
encrypted = true
tags = {
Name = "regulatest"
}
}
resource "aws_db_instance" "default" {
allocated_storage = 5
identifier = "demodb-postgres"
engine = "postgres"
engine_version = "9.6.9"
instance_class = "db.t2.large"
name = "demodb"
username = "demouser"
password = "demotest1234"
vpc_security_group_ids = ["sg-0b9e83bf4e0062cf5"]
skip_final_snapshot = true
storage_encrypted = true
db_subnet_group_name = "pc-0076debee908b9286-dbsubnetgroup"
tags = {
Name = "regulatest"
}
}
output "aws_db_address" {
value = "${aws_db_instance.default.address}"
}
resource "aws_security_group_rule" "example" {
type = "ingress"
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
security_group_id = "sg-0461a30232b33c576"
}
resource "aws_security_group" "allow_tls" {
name = "allow_rdp"
description = "Allow TLS inbound traffic"
vpc_id = "vpc-0732dd645e9e3167b"
ingress {
description = "TLS from VPC"
from_port = 3389
to_port = 3389
protocol = "tcp"
cidr_blocks = ["10.0.0.0/8"]
}
tags = {
Name = "allow_tls"
}
}`
Hello, I was wondering if someone might be able to clarify the licensing around the 'regula-action' repository and whether or not it's Apache 2.0. The repository didn't look particularly active so I hope you don't mind me asking this here.
Thanks in advance.
Hi,
In regula 1.5.0 changelog, analysing k8s was added but in the command line help, there is no reference:
$ regula run -h
[...]
Input types:
auto Automatically determine input types (default)
tf-plan Terraform plan JSON
cfn CloudFormation template in YAML or JSON format
tf Terraform directory or file
[...]
And in the regula.dev website, k8s is mentionned.
Am I right?
Hey Team,
I was trying to use fugue.resource_types() and what I get the error as rego_type_error: undefined function data.fugue.resource_types It seems like this function does not exists is this still works ?
If not what is the alternative to get all resource type in regula please help 🙇
package rules.mandatory_tags
import data.fugue
all_resources[id] = resource {
resource_types = fugue.resource_types()
resource_types[ty]
resource := fugue.resources(ty)[id]
}
Like I wanted to write warning rules instead of deny as some of our sources are non-compliance but we wanted them to be created like for example
s3 bucket logging disabled
can we do that in rego?
Hi,
When I try to pass folder with TF code to "regula show input" command I am getting errors like “FATAL Unable to detect input type of file terraform.tfvars” or README.md etc.
Thanks,
Mario
Hey I'm bumped regula libraries version up to version 0.4.0 and have some TF code that DOESN'T contain an IAM password policy and got a failure on the above rule. This rule is in the example/aws folder and worked in 0.3.0. Is there already fixed in the latest master commit? If so, I'll just use that.
"iam_password_length": {
"resources": {
"": {
"id": "",
"message": "No aws_iam_account_password_policy present",
"type": "aws_iam_account_password_policy",
"valid": false
}
},
"valid": false
},
Hi,
I just try to scan my directory which has terraform script file named "s3.tf"; I used the following command from Regula docs
docker run --rm -t \ -v C:\Users\Lingom\Documents\Projects\vulnado:/workspace \ --workdir /workspace \ fugue/regula:v1.0.0 run template2.yaml tfdirectory1
When run this command getting an error saying;
"docker: invalid reference format."
Can anyone help me on this. Thank You!
Hi,
We are still testing regula on a huge amount of repositories. So we have so many lines of code and problems detected to analyze. That's why we are creating issues by analyzing the regula results.
A - Description
We think there might a bug in the rule FG_R00276 - Lambda function policies should not allow global access. Regula doesn't fail when it applies the rule but in our AWS Config console, we are seeing an alarm: securityhub-lambda-function-public-access-prohibited The description is there: [Lambda.1] Lambda function policies should prohibit public access Of course, we might be wrong on the understanding of both rules.
B - Context
In the same AWS subscription, we have created a s3 bucket that invokes our lambda. Both resources are created in the same repository. But in our aws_lambda_permission resource, we have only set the source_arn and we haven't set the source_account.
C - Version
$ regula version
v1.3.2, build baa7df6, built with OPA v0.28.0D - Test
Put the below code in the file lambda_a.tf
resource "aws_s3_bucket" "bucket_a" {
bucket = "bucket_a"
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
}
resource "aws_s3_bucket_public_access_block" "bucket_a" {
bucket = aws_s3_bucket.bucket_a.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_s3_bucket_policy" "bucket_a" {
depends_on = [aws_s3_bucket_public_access_block.bucket_a]
bucket = aws_s3_bucket.bucket_a.id
policy = jsonencode({
Version = "2012-10-17"
Statement : [
{
Sid = "DenyUnsecureAccess"
Effect = "Deny"
Principal = "*"
Action = "s3:*"
Resource = [
aws_s3_bucket.bucket_a.arn,
"${aws_s3_bucket.bucket_a.arn}/*",
]
Condition = {
Bool = {
"aws:SecureTransport" = "false"
}
}
}
]
})
}
resource "aws_s3_bucket_notification" "bucket_a" {
bucket = aws_s3_bucket.bucket_a.id
lambda_function {
lambda_function_arn = aws_lambda_function.lambda_a.arn
events = [
"s3:ObjectCreated:*"
]
}
depends_on = [aws_lambda_permission.lambda_a]
}
resource "aws_iam_role" "lambda_a" {
name = "lambda_a-exec"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
resource "aws_lambda_function" "lambda_a" {
function_name = "lambda_a"
role = aws_iam_role.lambda_a.arn
handler = "com.company.LambdaHandler::handleRequest"
runtime = "java11"
timeout = 30
memory_size = 1048
}
data "aws_caller_identity" "current" {
}
resource "aws_lambda_permission" "lambda_a" { # <---- We should get an error detected on this resource
statement_id = "AllowExecutionFromS3Bucket"
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.lambda_a.arn
principal = "s3.amazonaws.com"
source_arn = aws_s3_bucket.bucket_a.arn
#source_account = data.aws_caller_identity.current.account_id # <--- Following the AWS best practices, we need to set the source_account
}
Command to run and the output:
$ regula run regula/lambda_a.tf
FG_R00101: S3 bucket versioning and lifecycle policies should be enabled [Medium]
https://docs.fugue.co/FG_R00101.html
[1]: aws_s3_bucket.bucket_a
in regula/lambda_a.tf:1:1
FG_R00274: S3 bucket access logging should be enabled [Medium]
https://docs.fugue.co/FG_R00274.html
[1]: aws_s3_bucket.bucket_a
in regula/lambda_a.tf:1:1
FG_R00275: S3 bucket replication (cross-region or same-region) should be enabled [Medium]
https://docs.fugue.co/FG_R00275.html
[1]: aws_s3_bucket.bucket_a
in regula/lambda_a.tf:1:1
Found 3 problems.
We expected to see a problem for the rule FG_R00276 but nothing.
E - AWS Web Console
And in the console, the bad policy looks like this:
{
"Version": "2012-10-17",
"Id": "default",
"Statement": [
{
"Sid": "AllowExecutionFromS3Bucket",
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:eu-west-1:<AWS_ACCOUNT_ID>:function:lambda_a",
"Condition": {
"ArnLike": {
"AWS:SourceArn": "arn:aws:s3:::bucket_a"
}
}
}
]
}instead of:
{
"Version": "2012-10-17",
"Id": "default",
"Statement": [
{
"Sid": "AllowExecutionFromS3Bucket",
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:us-east-1:<AWS_ACCOUNT_ID>:function:lambda_a",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "<AWS_ACCOUNT_ID>"
},
"ArnLike": {
"AWS:SourceArn": "arn:aws:s3:::bucket_a"
}
}
}
]
}What do you think ?
Thank you in advance.
Regards,
Rasmey
Hello!
Regula is reporting problems that do not exists when using TF modules:
module "s3_bucket" {
source = "../terraform-aws-s3-bucket/"
bucket = var.res_bucket_name
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
attach_deny_insecure_transport_policy = true
}
regula run:
G_R00229: S3 buckets should have all block public access options enabled [High]
https://docs.fugue.co/FG_R00229.html
[1]: module.s3_bucket.aws_s3_bucket.this
in ../terraform-aws-s3-bucket\main.tf:5:1
included at s3.tf:6:12
FG_R00100: S3 bucket policies should only allow requests that use HTTPS [Medium]
https://docs.fugue.co/FG_R00100.html
[1]: module.s3_bucket.aws_s3_bucket.this
in ../terraform-aws-s3-bucket\main.tf:5:1
included at s3.tf:6:12
Love the product, and would love to scale and leverage the github action, however the ability to target either "." or a specific folder in each repo does not allow for automation. It would be fantastic if the tool could iterate over several folders or all folders in a given repo and run the TF plan against each. Also to be able to simply run the action on a repo only for the add/changes via git diff would be great. This tool is vastly superior to other TF scanners that are nothing more than glorified regex scanners, however they are able to iterate across a whole repo and provide security issues based on approximation. Regula allows contextual superior output but does not provide scalability or the ability to target a given folder as stated above.
What I mean is in terraform you can have the bucket where bucket id is not known at the time of terraform plan , sometimes you just see in the terraform plan is like id: (known after apply) now this is tricky we wanted to capture the issue at plan but not at apply 🙇
So all that policies which works on id will fail due to this dynamic thing 🤔
Which I think is not really a issue with regula but it's an limitation of opa as it works on decission not on processing the file and it's to get that , so yeah btw is there any possibility that we can handle this from regula ?
This framework seems like a great option for validating terraform and can be used as alternative to Sentinel, does this work on windows ? i am trying to set it up and run regula locally on windows with my simple terraform (aws) and not successful so far. can you please provide windows installation instructions ?
what difference between this example :
./bin/regula ../my-tf-infra .: conveniently check ../my-tf-infr
and this example :
opa eval -d /path/to/regula --input input.json 'data.fugue.regula.report'
Hi,
I'm testing regula and I found a weird behaviour. According to the format of the path, regula checks 2x the same file and detect the same error. But sometimes, it fails to detect properly.
Regula version: v1.1.0, build 5576236, built with OPA v0.28.0
$ git clone https://github.com/fugue/regula-ci-example.git
Cloning into 'regula-ci-example'...
remote: Enumerating objects: 323, done.
remote: Counting objects: 100% (131/131), done.
remote: Compressing objects: 100% (60/60), done.
remote: Total 323 (delta 52), reused 95 (delta 27), pack-reused 192
Receiving objects: 100% (323/323), 51.50 KiB | 271.00 KiB/s, done.
Resolving deltas: 100% (132/132), done.
$ cd regula-ci-example/
$ regula run infra_tf
FG_R00092: IAM policies should not have full "*:*" administrative privileges [High]
[1]: aws_iam_policy.basically_allow_all
in infra_tf/main.tf:6:1
Found one problem.
$ regula run ./infra_tf # <------ BUG HERE
FG_R00092: IAM policies should not have full "*:*" administrative privileges [High]
[1]: aws_iam_policy.basically_allow_all
in ./infra_tf/main.tf:6:1
[2]: aws_iam_policy.basically_allow_all
in infra_tf/main.tf:6:1
Found 2 problems.
Hi all,
Following from my last post in #109, I've been setting up unit tests via conftest, and have hit a bit of an issue.
The rule shared in #109 checks for the module source and compares it to a whitelist, and supports nested modules as well. Some of our TF environments utilise local modules made up of remote modules.
In generate-test-inputs.sh:
function generate_test_input {
if [[ $# -ne 2 ]]; then
1>&2 echo "Usage: $0 INFRA_FILE REGO_FILE"
exit 1
fi
local workdir="$(mktemp -d)"
trap "rm -rf "$workdir"" return
cp "$1" "$workdir"
this creates a temp directory and copies the rule's TF input file over to init (smart!) however this then breaks the relative path to the local modules I've added alongside the x_test.rego file:
module "child_module_source_valid" {
source = "./test_module/"
project = local.project
}
I haven't really got a smart solution for this ATM, I think I'm probably just going to hardcode in the bash script to copy a directory of local test modules over to the temporary directory on each run, but I thought it was worthwhile mentioning anyway.
Hi,
When we want to parse the json output, the attribute controls can be empty. And when we look globally and in the code source, there is no reference to any AWS Foundational Security Best Practices standard: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html
We have the reference to your documentation, CIS, but why not AWS?
Is that possible to add it ?
Thanks
Rasmey
Regula published docker image is based on scratch and adds the regula binary.
Some CI systems (e.g. Gitlab CI) requires shell to exists in containers.
Would it be possible to publish additional image (e.g. regula:v.1.50-ci) that is based on at least alpine?
We have module calling modules, thus, we have 3-4 levels deep of resources. Currently, when calling the fugue.resource function, we are not obtaining all resources.
Hi,
I want to use regula framework on gitlab. For that do I need to right a custom docker file where the CI will run or is there any other option. Can someone please guide?
Thanks in advance.
Hi, hoping for some more help here, I'm not sure if I've done something wrong or if it's not working.
I'm using Regula via conftest:
waivers.rego has been pulled in, and the contents are:
package fugue.regula.config
waivers[waiver] {
waiver := {
"rule_id": "LH_01",
"resource_id": "google_bigquery_dataset.conftest"
} } {
waiver := {
"rule_id": "LH_03",
"resource_id": "module.gcs_bucket_cloudsql.google_storage_bucket.this"
}
}
rules[rule] {
rule := {
"rule_id": "LH_04_check_description_exists",
"status": "DISABLED"
}
} {
rule := {
"rule_name": "LH_04_check_description_exists",
"status": "DISABLED"
}
}
however these waivers or disabled rules don't seem to be being applied. I get the same results with or without this file present.
Example rule:
package rules.LH_01_bq_required_labels
import data.fugue
__rego__metadoc__ := {
"id": "LH_01",
"title": sprintf("Bigquery resources must have the following labels: %s", [required_labels]),
"description": "Enforce the correct labels on all BQ resources",
}
<logic>
Am I doing something wrong? Thank you in advance!
Hello,
Regula fails when a resource aws_dynamodb_table does not specify the server_side_encryption parameter.
FG_R00069: DynamoDB tables should be encrypted with AWS or customer managed KMS CMKs [Medium]
[1]: xxx.my_dynamo_db
in ./path/to/main.tf:1:1
included at main.tf:2:30
However, quoting the docs:
AWS DynamoDB tables are automatically encrypted at rest with an AWS owned Customer Master Key if this argument isn't specified.
So this looks like a false positive.
Hi all,
After many failed attempts at running even the most basic checks, I can't tell what I'm doing wrong, so hopefully someone here can point me in the right direction.
I've added a simple rule - check-bucket-labels.rego:
package rules.my_simple_rule
resource_type = "google_storage_bucket"
allow {
input.name == "this"
}
deny {
input.name != "this"
}
Executing it as such:
./bin/regula -d ./rules/tf/google/custom/check-bucket-labels.rego ../terraform-testing/tfplan.json
undefined
./bin/regula -d lib -d ./rules/tf/google/custom/check-bucket-labels.rego ../terrascan-testing/tfplan.json
{
"rule_results": [],
"summary": {
"filepaths": [],
"rule_results": {
"FAIL": 0,
"PASS": 0,
"WAIVED": 0
},
"severities": {
"Critical": 0,
"High": 0,
"Informational": 0,
"Low": 0,
"Medium": 0,
"Unknown": 0
}
}
}
There are google_storage_bucket resources in the plan both with and without the name "this" to try and match the rules.
Can anyone explain what I'm doing wrong? Really keen to try out some of the features regula offers but I've been completely unable to even get the most basic examples from the docs working.
Hi,
Thanks for the great tool to make opa rules easier.
Do you have a plan to implement the following AWS Foundational Security Best Practices controls?
Hi there,
i recently tried to run regula with conftest. After executing the exact commands defined in documentation, i ran into the following error:
Error: running test: load: loading policies: get compiler: 1 error occurred: policy\regula\lib\fugue_resource_view.rego:34: rego_type_error: undefined function json.patch
I'm getting this error on Win10 as well as Ubuntu 20.04. I'm running conftest on version 22.0.
To make sure the reason of the error is not a wrong folder structure:
policy
├── regula
│ ├── lib
│ │ ├── aws
│ │ │ └── security_group.rego
│ │ ├── azure
│ │ │ └── network_security_group.rego
│ │ ├── fugue_check_report.rego
│ │ ├── fugue.rego
│ │ ├── fugue_regula.rego
│ │ ├── fugue_resource_view.rego
│ │ ├── gcp
│ │ │ └── compute_firewall.rego
│ │ ├── util_merge.rego
│ │ └── util_resolve.rego
│ └── rules
│ ├── cloudfront_distribution_https.rego
│ ├── cloudtrail_log_file_validation.rego
│ ├── ebs_volume_encrypted.rego
│ ├── iam_admin_policy.rego
│ ├── iam_user_attached_policy.rego
│ ├── kms_rotate.rego
│ ├── s3_bucket_sse.rego
│ ├── security_group_ingress_anywhere_rdp.rego
│ ├── security_group_ingress_anywhere.rego
│ ├── security_group_ingress_anywhere_ssh.rego
│ └── vpc_flow_log.rego
└── regula.rego
Could you please help me understand root cause of this issue.
The aws TF rule FG_R00377 allows for internet traffic (0.0.0.0/0) from ports 80 and 443. However, FG_R00041 disallows internet traffic from port 80. In my opinion, internet traffic from port 80 should be allowed for simple static sites. Here is the security group code that fails on FG_R00041. (var.port is defined as 80)
resource "aws_security_group" "lb" {
name = "tf-ecs-alb"
description = "controls access to the ALB"
vpc_id = aws_vpc.pavpc.id
ingress {
protocol = "tcp"
from_port = var.port
to_port = var.port
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = local.tag_name
Tier = local.tag_tier_public
}
}
Say I'm creating a bunch of unencrypted S3 buckets:
resource "aws_s3_bucket" "bucket" {
count = 20
bucket = "christophe-my-sample-unencrypted-bucket-${count.index}"
}
and using regula to scan my Terraform plan:
+--------------------------+---------------+-----------+----------+--------------+--------------------------+---------+--------+
| Resource | Type | Filepath | Severity | Rule ID | Rule Name | Message | Result |
+--------------------------+---------------+-----------+----------+--------------+--------------------------+---------+--------+
| aws_s3_bucket.bucket | aws_s3_bucket | . | Unknown | S3_ENCRYPTED | aws_s3_bucket_encryption | | WAIVED |
| aws_s3_bucket.bucket[0] | aws_s3_bucket | plan.json | Unknown | S3_ENCRYPTED | aws_s3_bucket_encryption | | FAIL |
| aws_s3_bucket.bucket[10] | aws_s3_bucket | plan.json | Unknown | S3_ENCRYPTED | aws_s3_bucket_encryption | | FAIL |
| aws_s3_bucket.bucket[11] | aws_s3_bucket | plan.json | Unknown | S3_ENCRYPTED | aws_s3_bucket_encryption | | FAIL |
| aws_s3_bucket.bucket[12] | aws_s3_bucket | plan.json | Unknown | S3_ENCRYPTED | aws_s3_bucket_encryption | | FAIL |
| aws_s3_bucket.bucket[13] | aws_s3_bucket | plan.json | Unknown | S3_ENCRYPTED | aws_s3_bucket_encryption | | FAIL |
| aws_s3_bucket.bucket[14] | aws_s3_bucket | plan.json | Unknown | S3_ENCRYPTED | aws_s3_bucket_encryption | | FAIL |
| aws_s3_bucket.bucket[15] | aws_s3_bucket | plan.json | Unknown | S3_ENCRYPTED | aws_s3_bucket_encryption | | FAIL |
| aws_s3_bucket.bucket[16] | aws_s3_bucket | plan.json | Unknown | S3_ENCRYPTED | aws_s3_bucket_encryption | | FAIL |
| aws_s3_bucket.bucket[17] | aws_s3_bucket | plan.json | Unknown | S3_ENCRYPTED | aws_s3_bucket_encryption | | FAIL |
| aws_s3_bucket.bucket[18] | aws_s3_bucket | plan.json | Unknown | S3_ENCRYPTED | aws_s3_bucket_encryption | | FAIL |
| aws_s3_bucket.bucket[19] | aws_s3_bucket | plan.json | Unknown | S3_ENCRYPTED | aws_s3_bucket_encryption | | FAIL |
| aws_s3_bucket.bucket[1] | aws_s3_bucket | plan.json | Unknown | S3_ENCRYPTED | aws_s3_bucket_encryption | | FAIL |
| aws_s3_bucket.bucket[2] | aws_s3_bucket | plan.json | Unknown | S3_ENCRYPTED | aws_s3_bucket_encryption | | FAIL |
| aws_s3_bucket.bucket[3] | aws_s3_bucket | plan.json | Unknown | S3_ENCRYPTED | aws_s3_bucket_encryption | | FAIL |
| aws_s3_bucket.bucket[4] | aws_s3_bucket | plan.json | Unknown | S3_ENCRYPTED | aws_s3_bucket_encryption | | FAIL |
| aws_s3_bucket.bucket[5] | aws_s3_bucket | plan.json | Unknown | S3_ENCRYPTED | aws_s3_bucket_encryption | | FAIL |
| aws_s3_bucket.bucket[6] | aws_s3_bucket | plan.json | Unknown | S3_ENCRYPTED | aws_s3_bucket_encryption | | FAIL |
| aws_s3_bucket.bucket[7] | aws_s3_bucket | plan.json | Unknown | S3_ENCRYPTED | aws_s3_bucket_encryption | | FAIL |
| aws_s3_bucket.bucket[8] | aws_s3_bucket | plan.json | Unknown | S3_ENCRYPTED | aws_s3_bucket_encryption | | FAIL |
| aws_s3_bucket.bucket[9] | aws_s3_bucket | plan.json | Unknown | S3_ENCRYPTED | aws_s3_bucket_encryption | | FAIL |
+--------------------------+---------------+-----------+----------+--------------+--------------------------+---------+--------+
| | | | | | | Overall | FAIL |
+--------------------------+---------------+-----------+----------+--------------+--------------------------+---------+--------+
And I want to suppress this rule for this specific resource aws_s3_bucket.bucket[*] resource. How can I achieve it?
Waiving aws_s3_bucket.bucket[0] works but will only waive the failure for 1 resource. Same problem for resources created with for_each
tfsec/checkov display contextual information about failing resources when scanning HCL code (checkov even supports it when scanning plans, c.f. bridgecrewio/checkov#1221)
Example:
$ cat bad.tf
resource "aws_s3_bucket" "bad" {
bucket = "my-sample-unencrypted-s3-bucket"
}
$ tfsec .
Result 6
[aws-s3-enable-versioning][MEDIUM] Resource 'aws_s3_bucket.good' does not have versioning enabled
/xxxx/good.tf:1-11
1 | resource "aws_s3_bucket" "good" {
2 | bucket = "my-sample-encrypted-s3-bucket"
3 |
4 | server_side_encryption_configuration {
5 | rule {
6 | apply_server_side_encryption_by_default {
7 | sse_algorithm = "AES256"
8 | }
9 | }
10 | }
11 | }
Legacy ID: AWS077
Impact: Deleted or modified data would not be recoverable
Resolution: Enable versioning to protect against accidental/malicious removal or modification
More Info:
- https://tfsec.dev/docs/aws/s3/enable-versioning#aws/s3
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html
It would be great if Regula could add some contextual information to the output of failing rules. For instance, the line number where the offending resource is defined, or some additional context as tfsec does
Thoughts?
Hello, I am running regula (v1.4.0, build 86060c9, built with OPA v0.28.0) in MacOS, it was installed via Homebrew. I am getting the following error while using a directory as a parameter: regula run my_infra/dev/uw2
The directory contains 50 files. If I use just one file as a parameter, regula doesn't have issues.
runtime: goroutine stack exceeds 1000000000-byte limit
runtime: sp=0xc027880548 stack=[0xc027880000, 0xc047880000]
fatal error: stack overflow
runtime stack:
runtime.throw({0x1afe6d7, 0x22e33c0})
/opt/hostedtoolcache/go/1.17.1/x64/src/runtime/panic.go:1198 +0x71
runtime.newstack()
/opt/hostedtoolcache/go/1.17.1/x64/src/runtime/stack.go:1088 +0x5ac
runtime.morestack()
/opt/hostedtoolcache/go/1.17.1/x64/src/runtime/asm_amd64.s:461 +0x8b
goroutine 1 [running]:
github.com/fugue/regula/pkg/loader.(*renderContext).RenderBody(0xc00d40f6e0, 0xc00055a420)
/home/runner/work/regula/regula/pkg/loader/tf.go:691 +0x5a9 fp=0xc027880558 sp=0xc027880550 pc=0x1507509
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild(0xc0002cf860, {0xc00025d110, 0xc000056900})
/home/runner/work/regula/regula/pkg/loader/tf.go:582 +0x1df fp=0xc0278805e0 sp=0xc027880558 pc=0x150619f
github.com/fugue/regula/pkg/loader.(*HclConfiguration).resolveResourceReference(0x0, {0xc00d416380, 0x0}, {0xc00d41a380, 0x3, 0x0})
/home/runner/work/regula/regula/pkg/loader/tf.go:519 +0x138 fp=0xc027880758 sp=0xc0278805e0 pc=0x1505a58
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild.func1({0xc00d41a380, 0x3, 0x4})
/home/runner/work/regula/regula/pkg/loader/tf.go:579 +0x66 fp=0xc0278807a0 sp=0xc027880758 pc=0x15062c6
github.com/fugue/regula/pkg/loader.(*renderContext).RenderExpr(0xc00d40f680, {0x1ce82f8, 0xc00038f260})
/home/runner/work/regula/regula/pkg/loader/tf.go:772 +0x1f8 fp=0xc027880978 sp=0xc0278807a0 pc=0x1507a78
github.com/fugue/regula/pkg/loader.(*renderContext).RenderAttribute(...)
/home/runner/work/regula/regula/pkg/loader/tf.go:727
github.com/fugue/regula/pkg/loader.(*renderContext).RenderBody(0xc00d40f680, 0xc0003afef0)
/home/runner/work/regula/regula/pkg/loader/tf.go:697 +0x149 fp=0xc027880c80 sp=0xc027880978 pc=0x15070a9
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild(0xc0002cf860, {0xc00025d2f0, 0xc000056900})
/home/runner/work/regula/regula/pkg/loader/tf.go:582 +0x1df fp=0xc027880d08 sp=0xc027880c80 pc=0x150619f
github.com/fugue/regula/pkg/loader.(*HclConfiguration).resolveResourceReference(0x0, {0xc00d3ebf20, 0x0}, {0xc00d41a340, 0x3, 0x0})
/home/runner/work/regula/regula/pkg/loader/tf.go:519 +0x138 fp=0xc027880e80 sp=0xc027880d08 pc=0x1505a58
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild.func1({0xc00d41a340, 0x3, 0x4})
/home/runner/work/regula/regula/pkg/loader/tf.go:579 +0x66 fp=0xc027880ec8 sp=0xc027880e80 pc=0x15062c6
github.com/fugue/regula/pkg/loader.(*renderContext).RenderExpr(0xc00d40f620, {0x1ce82f8, 0xc000094840})
/home/runner/work/regula/regula/pkg/loader/tf.go:772 +0x1f8 fp=0xc0278810a0 sp=0xc027880ec8 pc=0x1507a78
github.com/fugue/regula/pkg/loader.(*renderContext).RenderAttribute(...)
/home/runner/work/regula/regula/pkg/loader/tf.go:727
github.com/fugue/regula/pkg/loader.(*renderContext).RenderBody(0xc00d40f620, 0xc00055a420)
/home/runner/work/regula/regula/pkg/loader/tf.go:697 +0x149 fp=0xc0278813a8 sp=0xc0278810a0 pc=0x15070a9
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild(0xc0002cf860, {0xc00025d110, 0xc000056900})
/home/runner/work/regula/regula/pkg/loader/tf.go:582 +0x1df fp=0xc027881430 sp=0xc0278813a8 pc=0x150619f
github.com/fugue/regula/pkg/loader.(*HclConfiguration).resolveResourceReference(0x0, {0xc00d416340, 0x0}, {0xc00d41a300, 0x3, 0x0})
/home/runner/work/regula/regula/pkg/loader/tf.go:519 +0x138 fp=0xc0278815a8 sp=0xc027881430 pc=0x1505a58
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild.func1({0xc00d41a300, 0x3, 0x4})
/home/runner/work/regula/regula/pkg/loader/tf.go:579 +0x66 fp=0xc0278815f0 sp=0xc0278815a8 pc=0x15062c6
github.com/fugue/regula/pkg/loader.(*renderContext).RenderExpr(0xc00d40f5c0, {0x1ce82f8, 0xc00038f260})
/home/runner/work/regula/regula/pkg/loader/tf.go:772 +0x1f8 fp=0xc0278817c8 sp=0xc0278815f0 pc=0x1507a78
github.com/fugue/regula/pkg/loader.(*renderContext).RenderAttribute(...)
/home/runner/work/regula/regula/pkg/loader/tf.go:727
github.com/fugue/regula/pkg/loader.(*renderContext).RenderBody(0xc00d40f5c0, 0xc0003afef0)
/home/runner/work/regula/regula/pkg/loader/tf.go:697 +0x149 fp=0xc027881ad0 sp=0xc0278817c8 pc=0x15070a9
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild(0xc0002cf860, {0xc00025d2f0, 0xc000056900})
/home/runner/work/regula/regula/pkg/loader/tf.go:582 +0x1df fp=0xc027881b58 sp=0xc027881ad0 pc=0x150619f
github.com/fugue/regula/pkg/loader.(*HclConfiguration).resolveResourceReference(0x0, {0xc00d3ebef0, 0x0}, {0xc00d41a2c0, 0x3, 0x0})
/home/runner/work/regula/regula/pkg/loader/tf.go:519 +0x138 fp=0xc027881cd0 sp=0xc027881b58 pc=0x1505a58
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild.func1({0xc00d41a2c0, 0x3, 0x4})
/home/runner/work/regula/regula/pkg/loader/tf.go:579 +0x66 fp=0xc027881d18 sp=0xc027881cd0 pc=0x15062c6
github.com/fugue/regula/pkg/loader.(*renderContext).RenderExpr(0xc00d40f560, {0x1ce82f8, 0xc000094840})
/home/runner/work/regula/regula/pkg/loader/tf.go:772 +0x1f8 fp=0xc027881ef0 sp=0xc027881d18 pc=0x1507a78
github.com/fugue/regula/pkg/loader.(*renderContext).RenderAttribute(...)
/home/runner/work/regula/regula/pkg/loader/tf.go:727
github.com/fugue/regula/pkg/loader.(*renderContext).RenderBody(0xc00d40f560, 0xc00055a420)
/home/runner/work/regula/regula/pkg/loader/tf.go:697 +0x149 fp=0xc0278821f8 sp=0xc027881ef0 pc=0x15070a9
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild(0xc0002cf860, {0xc00025d110, 0xc000056900})
/home/runner/work/regula/regula/pkg/loader/tf.go:582 +0x1df fp=0xc027882280 sp=0xc0278821f8 pc=0x150619f
github.com/fugue/regula/pkg/loader.(*HclConfiguration).resolveResourceReference(0x0, {0xc00d416300, 0x0}, {0xc00d41a280, 0x3, 0x0})
/home/runner/work/regula/regula/pkg/loader/tf.go:519 +0x138 fp=0xc0278823f8 sp=0xc027882280 pc=0x1505a58
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild.func1({0xc00d41a280, 0x3, 0x4})
/home/runner/work/regula/regula/pkg/loader/tf.go:579 +0x66 fp=0xc027882440 sp=0xc0278823f8 pc=0x15062c6
github.com/fugue/regula/pkg/loader.(*renderContext).RenderExpr(0xc00d40f500, {0x1ce82f8, 0xc00038f260})
/home/runner/work/regula/regula/pkg/loader/tf.go:772 +0x1f8 fp=0xc027882618 sp=0xc027882440 pc=0x1507a78
github.com/fugue/regula/pkg/loader.(*renderContext).RenderAttribute(...)
/home/runner/work/regula/regula/pkg/loader/tf.go:727
github.com/fugue/regula/pkg/loader.(*renderContext).RenderBody(0xc00d40f500, 0xc0003afef0)
/home/runner/work/regula/regula/pkg/loader/tf.go:697 +0x149 fp=0xc027882920 sp=0xc027882618 pc=0x15070a9
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild(0xc0002cf860, {0xc00025d2f0, 0xc000056900})
/home/runner/work/regula/regula/pkg/loader/tf.go:582 +0x1df fp=0xc0278829a8 sp=0xc027882920 pc=0x150619f
github.com/fugue/regula/pkg/loader.(*HclConfiguration).resolveResourceReference(0x0, {0xc00d3ebec0, 0x0}, {0xc00d41a240, 0x3, 0x0})
/home/runner/work/regula/regula/pkg/loader/tf.go:519 +0x138 fp=0xc027882b20 sp=0xc0278829a8 pc=0x1505a58
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild.func1({0xc00d41a240, 0x3, 0x4})
/home/runner/work/regula/regula/pkg/loader/tf.go:579 +0x66 fp=0xc027882b68 sp=0xc027882b20 pc=0x15062c6
github.com/fugue/regula/pkg/loader.(*renderContext).RenderExpr(0xc00d40f4a0, {0x1ce82f8, 0xc000094840})
/home/runner/work/regula/regula/pkg/loader/tf.go:772 +0x1f8 fp=0xc027882d40 sp=0xc027882b68 pc=0x1507a78
github.com/fugue/regula/pkg/loader.(*renderContext).RenderAttribute(...)
/home/runner/work/regula/regula/pkg/loader/tf.go:727
github.com/fugue/regula/pkg/loader.(*renderContext).RenderBody(0xc00d40f4a0, 0xc00055a420)
/home/runner/work/regula/regula/pkg/loader/tf.go:697 +0x149 fp=0xc027883048 sp=0xc027882d40 pc=0x15070a9
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild(0xc0002cf860, {0xc00025d110, 0xc000056900})
/home/runner/work/regula/regula/pkg/loader/tf.go:582 +0x1df fp=0xc0278830d0 sp=0xc027883048 pc=0x150619f
github.com/fugue/regula/pkg/loader.(*HclConfiguration).resolveResourceReference(0x0, {0xc00d4162c0, 0x0}, {0xc00d41a200, 0x3, 0x0})
/home/runner/work/regula/regula/pkg/loader/tf.go:519 +0x138 fp=0xc027883248 sp=0xc0278830d0 pc=0x1505a58
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild.func1({0xc00d41a200, 0x3, 0x4})
/home/runner/work/regula/regula/pkg/loader/tf.go:579 +0x66 fp=0xc027883290 sp=0xc027883248 pc=0x15062c6
github.com/fugue/regula/pkg/loader.(*renderContext).RenderExpr(0xc00d40f440, {0x1ce82f8, 0xc00038f260})
/home/runner/work/regula/regula/pkg/loader/tf.go:772 +0x1f8 fp=0xc027883468 sp=0xc027883290 pc=0x1507a78
github.com/fugue/regula/pkg/loader.(*renderContext).RenderAttribute(...)
/home/runner/work/regula/regula/pkg/loader/tf.go:727
github.com/fugue/regula/pkg/loader.(*renderContext).RenderBody(0xc00d40f440, 0xc0003afef0)
/home/runner/work/regula/regula/pkg/loader/tf.go:697 +0x149 fp=0xc027883770 sp=0xc027883468 pc=0x15070a9
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild(0xc0002cf860, {0xc00025d2f0, 0xc000056900})
/home/runner/work/regula/regula/pkg/loader/tf.go:582 +0x1df fp=0xc0278837f8 sp=0xc027883770 pc=0x150619f
github.com/fugue/regula/pkg/loader.(*HclConfiguration).resolveResourceReference(0x0, {0xc00d3ebe90, 0x0}, {0xc00d41a1c0, 0x3, 0x0})
/home/runner/work/regula/regula/pkg/loader/tf.go:519 +0x138 fp=0xc027883970 sp=0xc0278837f8 pc=0x1505a58
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild.func1({0xc00d41a1c0, 0x3, 0x4})
/home/runner/work/regula/regula/pkg/loader/tf.go:579 +0x66 fp=0xc0278839b8 sp=0xc027883970 pc=0x15062c6
github.com/fugue/regula/pkg/loader.(*renderContext).RenderExpr(0xc00d40f3e0, {0x1ce82f8, 0xc000094840})
/home/runner/work/regula/regula/pkg/loader/tf.go:772 +0x1f8 fp=0xc027883b90 sp=0xc0278839b8 pc=0x1507a78
github.com/fugue/regula/pkg/loader.(*renderContext).RenderAttribute(...)
/home/runner/work/regula/regula/pkg/loader/tf.go:727
github.com/fugue/regula/pkg/loader.(*renderContext).RenderBody(0xc00d40f3e0, 0xc00055a420)
/home/runner/work/regula/regula/pkg/loader/tf.go:697 +0x149 fp=0xc027883e98 sp=0xc027883b90 pc=0x15070a9
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild(0xc0002cf860, {0xc00025d110, 0xc000056900})
/home/runner/work/regula/regula/pkg/loader/tf.go:582 +0x1df fp=0xc027883f20 sp=0xc027883e98 pc=0x150619f
github.com/fugue/regula/pkg/loader.(*HclConfiguration).resolveResourceReference(0x0, {0xc00d416280, 0x0}, {0xc00d41a180, 0x3, 0x0})
/home/runner/work/regula/regula/pkg/loader/tf.go:519 +0x138 fp=0xc027884098 sp=0xc027883f20 pc=0x1505a58
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild.func1({0xc00d41a180, 0x3, 0x4})
/home/runner/work/regula/regula/pkg/loader/tf.go:579 +0x66 fp=0xc0278840e0 sp=0xc027884098 pc=0x15062c6
github.com/fugue/regula/pkg/loader.(*renderContext).RenderExpr(0xc00d40f380, {0x1ce82f8, 0xc00038f260})
/home/runner/work/regula/regula/pkg/loader/tf.go:772 +0x1f8 fp=0xc0278842b8 sp=0xc0278840e0 pc=0x1507a78
github.com/fugue/regula/pkg/loader.(*renderContext).RenderAttribute(...)
/home/runner/work/regula/regula/pkg/loader/tf.go:727
github.com/fugue/regula/pkg/loader.(*renderContext).RenderBody(0xc00d40f380, 0xc0003afef0)
/home/runner/work/regula/regula/pkg/loader/tf.go:697 +0x149 fp=0xc0278845c0 sp=0xc0278842b8 pc=0x15070a9
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild(0xc0002cf860, {0xc00025d2f0, 0xc000056900})
/home/runner/work/regula/regula/pkg/loader/tf.go:582 +0x1df fp=0xc027884648 sp=0xc0278845c0 pc=0x150619f
github.com/fugue/regula/pkg/loader.(*HclConfiguration).resolveResourceReference(0x0, {0xc00d3ebe60, 0x0}, {0xc00d41a140, 0x3, 0x0})
/home/runner/work/regula/regula/pkg/loader/tf.go:519 +0x138 fp=0xc0278847c0 sp=0xc027884648 pc=0x1505a58
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild.func1({0xc00d41a140, 0x3, 0x4})
/home/runner/work/regula/regula/pkg/loader/tf.go:579 +0x66 fp=0xc027884808 sp=0xc0278847c0 pc=0x15062c6
github.com/fugue/regula/pkg/loader.(*renderContext).RenderExpr(0xc00d40f320, {0x1ce82f8, 0xc000094840})
/home/runner/work/regula/regula/pkg/loader/tf.go:772 +0x1f8 fp=0xc0278849e0 sp=0xc027884808 pc=0x1507a78
github.com/fugue/regula/pkg/loader.(*renderContext).RenderAttribute(...)
/home/runner/work/regula/regula/pkg/loader/tf.go:727
github.com/fugue/regula/pkg/loader.(*renderContext).RenderBody(0xc00d40f320, 0xc00055a420)
/home/runner/work/regula/regula/pkg/loader/tf.go:697 +0x149 fp=0xc027884ce8 sp=0xc0278849e0 pc=0x15070a9
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild(0xc0002cf860, {0xc00025d110, 0xc000056900})
/home/runner/work/regula/regula/pkg/loader/tf.go:582 +0x1df fp=0xc027884d70 sp=0xc027884ce8 pc=0x150619f
github.com/fugue/regula/pkg/loader.(*HclConfiguration).resolveResourceReference(0x0, {0xc00d416240, 0x0}, {0xc00d41a100, 0x3, 0x0})
/home/runner/work/regula/regula/pkg/loader/tf.go:519 +0x138 fp=0xc027884ee8 sp=0xc027884d70 pc=0x1505a58
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild.func1({0xc00d41a100, 0x3, 0x4})
/home/runner/work/regula/regula/pkg/loader/tf.go:579 +0x66 fp=0xc027884f30 sp=0xc027884ee8 pc=0x15062c6
github.com/fugue/regula/pkg/loader.(*renderContext).RenderExpr(0xc00d40f2c0, {0x1ce82f8, 0xc00038f260})
/home/runner/work/regula/regula/pkg/loader/tf.go:772 +0x1f8 fp=0xc027885108 sp=0xc027884f30 pc=0x1507a78
github.com/fugue/regula/pkg/loader.(*renderContext).RenderAttribute(...)
/home/runner/work/regula/regula/pkg/loader/tf.go:727
github.com/fugue/regula/pkg/loader.(*renderContext).RenderBody(0xc00d40f2c0, 0xc0003afef0)
/home/runner/work/regula/regula/pkg/loader/tf.go:697 +0x149 fp=0xc027885410 sp=0xc027885108 pc=0x15070a9
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild(0xc0002cf860, {0xc00025d2f0, 0xc000056900})
/home/runner/work/regula/regula/pkg/loader/tf.go:582 +0x1df fp=0xc027885498 sp=0xc027885410 pc=0x150619f
github.com/fugue/regula/pkg/loader.(*HclConfiguration).resolveResourceReference(0x0, {0xc00d3ebe30, 0x0}, {0xc00d41a0c0, 0x3, 0x0})
/home/runner/work/regula/regula/pkg/loader/tf.go:519 +0x138 fp=0xc027885610 sp=0xc027885498 pc=0x1505a58
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild.func1({0xc00d41a0c0, 0x3, 0x4})
/home/runner/work/regula/regula/pkg/loader/tf.go:579 +0x66 fp=0xc027885658 sp=0xc027885610 pc=0x15062c6
github.com/fugue/regula/pkg/loader.(*renderContext).RenderExpr(0xc00d40f260, {0x1ce82f8, 0xc000094840})
/home/runner/work/regula/regula/pkg/loader/tf.go:772 +0x1f8 fp=0xc027885830 sp=0xc027885658 pc=0x1507a78
github.com/fugue/regula/pkg/loader.(*renderContext).RenderAttribute(...)
/home/runner/work/regula/regula/pkg/loader/tf.go:727
github.com/fugue/regula/pkg/loader.(*renderContext).RenderBody(0xc00d40f260, 0xc00055a420)
/home/runner/work/regula/regula/pkg/loader/tf.go:697 +0x149 fp=0xc027885b38 sp=0xc027885830 pc=0x15070a9
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild(0xc0002cf860, {0xc00025d110, 0xc000056900})
/home/runner/work/regula/regula/pkg/loader/tf.go:582 +0x1df fp=0xc027885bc0 sp=0xc027885b38 pc=0x150619f
github.com/fugue/regula/pkg/loader.(*HclConfiguration).resolveResourceReference(0x0, {0xc00d416200, 0x0}, {0xc00d41a080, 0x3, 0x0})
/home/runner/work/regula/regula/pkg/loader/tf.go:519 +0x138 fp=0xc027885d38 sp=0xc027885bc0 pc=0x1505a58
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild.func1({0xc00d41a080, 0x3, 0x4})
/home/runner/work/regula/regula/pkg/loader/tf.go:579 +0x66 fp=0xc027885d80 sp=0xc027885d38 pc=0x15062c6
github.com/fugue/regula/pkg/loader.(*renderContext).RenderExpr(0xc00d40f200, {0x1ce82f8, 0xc00038f260})
/home/runner/work/regula/regula/pkg/loader/tf.go:772 +0x1f8 fp=0xc027885f58 sp=0xc027885d80 pc=0x1507a78
github.com/fugue/regula/pkg/loader.(*renderContext).RenderAttribute(...)
/home/runner/work/regula/regula/pkg/loader/tf.go:727
github.com/fugue/regula/pkg/loader.(*renderContext).RenderBody(0xc00d40f200, 0xc0003afef0)
/home/runner/work/regula/regula/pkg/loader/tf.go:697 +0x149 fp=0xc027886260 sp=0xc027885f58 pc=0x15070a9
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild(0xc0002cf860, {0xc00025d2f0, 0xc000056900})
/home/runner/work/regula/regula/pkg/loader/tf.go:582 +0x1df fp=0xc0278862e8 sp=0xc027886260 pc=0x150619f
github.com/fugue/regula/pkg/loader.(*HclConfiguration).resolveResourceReference(0x0, {0xc00d3ebe00, 0x0}, {0xc00d41a040, 0x3, 0x0})
/home/runner/work/regula/regula/pkg/loader/tf.go:519 +0x138 fp=0xc027886460 sp=0xc0278862e8 pc=0x1505a58
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild.func1({0xc00d41a040, 0x3, 0x4})
/home/runner/work/regula/regula/pkg/loader/tf.go:579 +0x66 fp=0xc0278864a8 sp=0xc027886460 pc=0x15062c6
github.com/fugue/regula/pkg/loader.(*renderContext).RenderExpr(0xc00d40f1a0, {0x1ce82f8, 0xc000094840})
/home/runner/work/regula/regula/pkg/loader/tf.go:772 +0x1f8 fp=0xc027886680 sp=0xc0278864a8 pc=0x1507a78
github.com/fugue/regula/pkg/loader.(*renderContext).RenderAttribute(...)
/home/runner/work/regula/regula/pkg/loader/tf.go:727
github.com/fugue/regula/pkg/loader.(*renderContext).RenderBody(0xc00d40f1a0, 0xc00055a420)
/home/runner/work/regula/regula/pkg/loader/tf.go:697 +0x149 fp=0xc027886988 sp=0xc027886680 pc=0x15070a9
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild(0xc0002cf860, {0xc00025d110, 0xc000056900})
/home/runner/work/regula/regula/pkg/loader/tf.go:582 +0x1df fp=0xc027886a10 sp=0xc027886988 pc=0x150619f
github.com/fugue/regula/pkg/loader.(*HclConfiguration).resolveResourceReference(0x0, {0xc00d4161c0, 0x0}, {0xc00d41a000, 0x3, 0x0})
/home/runner/work/regula/regula/pkg/loader/tf.go:519 +0x138 fp=0xc027886b88 sp=0xc027886a10 pc=0x1505a58
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild.func1({0xc00d41a000, 0x3, 0x4})
/home/runner/work/regula/regula/pkg/loader/tf.go:579 +0x66 fp=0xc027886bd0 sp=0xc027886b88 pc=0x15062c6
github.com/fugue/regula/pkg/loader.(*renderContext).RenderExpr(0xc00d40f140, {0x1ce82f8, 0xc00038f260})
/home/runner/work/regula/regula/pkg/loader/tf.go:772 +0x1f8 fp=0xc027886da8 sp=0xc027886bd0 pc=0x1507a78
github.com/fugue/regula/pkg/loader.(*renderContext).RenderAttribute(...)
/home/runner/work/regula/regula/pkg/loader/tf.go:727
github.com/fugue/regula/pkg/loader.(*renderContext).RenderBody(0xc00d40f140, 0xc0003afef0)
/home/runner/work/regula/regula/pkg/loader/tf.go:697 +0x149 fp=0xc0278870b0 sp=0xc027886da8 pc=0x15070a9
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild(0xc0002cf860, {0xc00025d2f0, 0xc000056900})
/home/runner/work/regula/regula/pkg/loader/tf.go:582 +0x1df fp=0xc027887138 sp=0xc0278870b0 pc=0x150619f
github.com/fugue/regula/pkg/loader.(*HclConfiguration).resolveResourceReference(0x0, {0xc00d3ebdd0, 0x0}, {0xc00d409fc0, 0x3, 0x0})
/home/runner/work/regula/regula/pkg/loader/tf.go:519 +0x138 fp=0xc0278872b0 sp=0xc027887138 pc=0x1505a58
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild.func1({0xc00d409fc0, 0x3, 0x4})
/home/runner/work/regula/regula/pkg/loader/tf.go:579 +0x66 fp=0xc0278872f8 sp=0xc0278872b0 pc=0x15062c6
github.com/fugue/regula/pkg/loader.(*renderContext).RenderExpr(0xc00d40f0e0, {0x1ce82f8, 0xc000094840})
/home/runner/work/regula/regula/pkg/loader/tf.go:772 +0x1f8 fp=0xc0278874d0 sp=0xc0278872f8 pc=0x1507a78
github.com/fugue/regula/pkg/loader.(*renderContext).RenderAttribute(...)
/home/runner/work/regula/regula/pkg/loader/tf.go:727
github.com/fugue/regula/pkg/loader.(*renderContext).RenderBody(0xc00d40f0e0, 0xc00055a420)
/home/runner/work/regula/regula/pkg/loader/tf.go:697 +0x149 fp=0xc0278877d8 sp=0xc0278874d0 pc=0x15070a9
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild(0xc0002cf860, {0xc00025d110, 0xc000056900})
/home/runner/work/regula/regula/pkg/loader/tf.go:582 +0x1df fp=0xc027887860 sp=0xc0278877d8 pc=0x150619f
github.com/fugue/regula/pkg/loader.(*HclConfiguration).resolveResourceReference(0x0, {0xc00d416180, 0x0}, {0xc00d409f80, 0x3, 0x0})
/home/runner/work/regula/regula/pkg/loader/tf.go:519 +0x138 fp=0xc0278879d8 sp=0xc027887860 pc=0x1505a58
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild.func1({0xc00d409f80, 0x3, 0x4})
/home/runner/work/regula/regula/pkg/loader/tf.go:579 +0x66 fp=0xc027887a20 sp=0xc0278879d8 pc=0x15062c6
github.com/fugue/regula/pkg/loader.(*renderContext).RenderExpr(0xc00d40f080, {0x1ce82f8, 0xc00038f260})
/home/runner/work/regula/regula/pkg/loader/tf.go:772 +0x1f8 fp=0xc027887bf8 sp=0xc027887a20 pc=0x1507a78
github.com/fugue/regula/pkg/loader.(*renderContext).RenderAttribute(...)
/home/runner/work/regula/regula/pkg/loader/tf.go:727
github.com/fugue/regula/pkg/loader.(*renderContext).RenderBody(0xc00d40f080, 0xc0003afef0)
/home/runner/work/regula/regula/pkg/loader/tf.go:697 +0x149 fp=0xc027887f00 sp=0xc027887bf8 pc=0x15070a9
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild(0xc0002cf860, {0xc00025d2f0, 0xc000056900})
/home/runner/work/regula/regula/pkg/loader/tf.go:582 +0x1df fp=0xc027887f88 sp=0xc027887f00 pc=0x150619f
github.com/fugue/regula/pkg/loader.(*HclConfiguration).resolveResourceReference(0x0, {0xc00d3ebda0, 0x0}, {0xc00d409f40, 0x3, 0x0})
/home/runner/work/regula/regula/pkg/loader/tf.go:519 +0x138 fp=0xc027888100 sp=0xc027887f88 pc=0x1505a58
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild.func1({0xc00d409f40, 0x3, 0x4})
/home/runner/work/regula/regula/pkg/loader/tf.go:579 +0x66 fp=0xc027888148 sp=0xc027888100 pc=0x15062c6
github.com/fugue/regula/pkg/loader.(*renderContext).RenderExpr(0xc00d40f020, {0x1ce82f8, 0xc000094840})
/home/runner/work/regula/regula/pkg/loader/tf.go:772 +0x1f8 fp=0xc027888320 sp=0xc027888148 pc=0x1507a78
github.com/fugue/regula/pkg/loader.(*renderContext).RenderAttribute(...)
/home/runner/work/regula/regula/pkg/loader/tf.go:727
github.com/fugue/regula/pkg/loader.(*renderContext).RenderBody(0xc00d40f020, 0xc00055a420)
/home/runner/work/regula/regula/pkg/loader/tf.go:697 +0x149 fp=0xc027888628 sp=0xc027888320 pc=0x15070a9
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild(0xc0002cf860, {0xc00025d110, 0xc000056900})
/home/runner/work/regula/regula/pkg/loader/tf.go:582 +0x1df fp=0xc0278886b0 sp=0xc027888628 pc=0x150619f
github.com/fugue/regula/pkg/loader.(*HclConfiguration).resolveResourceReference(0x0, {0xc00d416140, 0x0}, {0xc00d409f00, 0x3, 0x0})
/home/runner/work/regula/regula/pkg/loader/tf.go:519 +0x138 fp=0xc027888828 sp=0xc0278886b0 pc=0x1505a58
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild.func1({0xc00d409f00, 0x3, 0x4})
/home/runner/work/regula/regula/pkg/loader/tf.go:579 +0x66 fp=0xc027888870 sp=0xc027888828 pc=0x15062c6
github.com/fugue/regula/pkg/loader.(*renderContext).RenderExpr(0xc00d40efc0, {0x1ce82f8, 0xc00038f260})
/home/runner/work/regula/regula/pkg/loader/tf.go:772 +0x1f8 fp=0xc027888a48 sp=0xc027888870 pc=0x1507a78
github.com/fugue/regula/pkg/loader.(*renderContext).RenderAttribute(...)
/home/runner/work/regula/regula/pkg/loader/tf.go:727
github.com/fugue/regula/pkg/loader.(*renderContext).RenderBody(0xc00d40efc0, 0xc0003afef0)
/home/runner/work/regula/regula/pkg/loader/tf.go:697 +0x149 fp=0xc027888d50 sp=0xc027888a48 pc=0x15070a9
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild(0xc0002cf860, {0xc00025d2f0, 0xc000056900})
/home/runner/work/regula/regula/pkg/loader/tf.go:582 +0x1df fp=0xc027888dd8 sp=0xc027888d50 pc=0x150619f
github.com/fugue/regula/pkg/loader.(*HclConfiguration).resolveResourceReference(0x0, {0xc00d3ebd70, 0x0}, {0xc00d409ec0, 0x3, 0x0})
/home/runner/work/regula/regula/pkg/loader/tf.go:519 +0x138 fp=0xc027888f50 sp=0xc027888dd8 pc=0x1505a58
github.com/fugue/regula/pkg/loader.(*HclConfiguration).GetChild.func1({0xc00d409ec0, 0x3, 0x4})
/home/runner/work/regula/regula/pkg/loader/tf.go:579 +0x66 fp=0xc027888f98 sp=0xc027888f50 pc=0x15062c6
github.com/fugue/regula/pkg/loader.(*renderContext).RenderExpr(0xc00d40ef60, {0x1ce82f8, 0xc000094840})
/home/runner/work/regula/regula/pkg/loader/tf.go:772 +0x1f8 fp=0xc027889170 sp=0xc027888f98 pc=0x1507a78
The code below should fufill this aws TF rule as flow logs are enabled. But it still fails.
resource "aws_flow_log" "flow-logs" {
iam_role_arn = aws_iam_role.ecs_task_execution_role.arn
log_destination = aws_cloudwatch_log_group.fargate-logs.arn
traffic_type = "ALL"
vpc_id = aws_vpc.pavpc.id
tags = {
Name = local.tag_name
POC = local.tag_poc
}
}
When a rule is waived, it seems the table format of Regula prints the WAIVED status in black color. This means on a black shell background, we don't see it.
e.g.
Highlighting the output shows it's there
Hello,
Just trying to follow the conftest example in the README but for me it errors. I'm not currently experienced enough to understand why so was hoping you might know ?
conftest pull -p policy/ github.com/fugue/regula/conftest
Error: download policies: client get: RemoveAll .: invalid argument
conftest pull -p policy/regula/lib github.com/fugue/regula/lib
Error: download policies: client get: RemoveAll .: invalid argument
❯ conftest -v
Version: 0.21.0
Commit: 125160d
Date: 2020-09-13T10:21:35Z
Describe the bug
We are using conftest with regula and would like to waive some rules mentioned inside in the json file, I saw there is a support of filepath option in waivers would like to know how we can waive the rules mentioned in the file or can we waive the rules with dynamic resource_id ?
How you're running Regula
We are running the regula with conftest and regula version is 0.28.0
Operating System
Linux
Last time #59 the issue was closed without a clue if/when CIS AWS version 1.3.0 would be completed (or even started).
This time, let's get an idea when 1.4.0 will be started and keep the issue open until the issue subject matter is completed or you decide to abandon the latest CIS AWS benchmark version
Hi team,
Not an issue or bug, but we at loveholidays recently posted about how we have incorporated Regula into our Terraform + Atlantis + Conftest pipeline:
Wanted to share with the Fugue team as the Regula Rego framework helped us tremendously with designing our Policy as Code solution, and I haven't seen anywhere else talking about integrating Regula with Conftest in an Atlantis pipeline yet.
Wasn't sure how to reach you guys, hence the GH issue. Thanks for a great product!
Went through the documentation a couple of times, but i'm still completely confused.
This article https://github.com/fugue/example-tf-circleci-part-2 points to a file named regula-check.sh that according to the documentation runs regula (??), but i only see a script with a function that generates the plan and outputs it to a JSON file. What exactly is the regula part? Is it the script?
If i open this link https://github.com/fugue/regula/blob/master/bin/regula i see a completely different script?
Also this part: Walks through the imported Terraform modules and merges them into a flat format. I've tried searching for this step, but couldn't find any? Except a simple convert to a JSON plan.
Hi,
I am trying to debug rules to print values that are processed after regula
https://github.com/fugue/regula/blob/master/examples/aws/ec2_t2_only.rego#L19
resource_type = "aws_instance"
valid_instance_types[input.instance_type]
regula library eliminates most of the json parsing part with standard rego codes
For example in above code you just specify resource_type and input.instance_type returns instance types
and in https://github.com/fugue/regula/blob/master/rules/aws/ebs_volume_encrypted.rego#L35
encrypted attribute can be accessible directly with
input.encrypted == true
How can I get regula processed input in fregot too? input in fregot displays all original input in json.
$ fregot repl lib rules tests examples/
F u g u e R E G O T o o l k i t
fregot v0.12.3 repl - use :help for usage info
repl% :break data.rules.ec2_t2_only.allow
Set breakpoint at rules.ec2_t2_only.allow
repl% data.rules.ec2_t2_only with input as data.tests.rules.ec2_t2_only.mock_input
25| valid_instance_types[input.instance_type]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
rules.ec2_t2_only(debug)%
rules.ec2_t2_only(debug)% input
= {
"format_version": "0.1",
"terraform_version": "0.12.18",
"resource_changes": [
{
"change": {
"actions": ["create"],
"after_unknown": {
"ami": true,
"id": true,
"associate_public_ip_address": true,
"arn": true,
"volume_tags": true,
"network_interface": true,
I added
rs[name] {
name := input.resource_changes
}
to ec2_t2_only.rego
I can get some output with fregot data.rules.ec2_t2_only with input as data.tests.rules.ec2_t2_only.mock_input call.
},
"rs": {[
{
"change": {
"actions": ["create"],
"after_unknown": {
"ami": true,
"id": true,
"associate_public_
Also without using fregot, how can I print/debug variables or a function call output in regula output.
bash -x ./bin/regula ../ec2/ lib examples/aws/ec2_t2_only.rego does not return anything about rs above.
I only got the rule final result.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.