
Comments (12)

jaspervdj-luminal commented on August 24, 2024

That's a great question and a good insight -- it's generally not possible to know the final IDs of resources, and this also includes e.g. ARNs. This is a big difference between IaC and checking actual resources in the cloud (like our SaaS does).

However, that doesn't mean that we can't statically analyze these templates. What regula does is use a made-up ID that corresponds to the address in the file, e.g. aws_s3_bucket.test. Other resources that refer to this bucket get the same treatment from regula, and the references there will match "aws_s3_bucket.test". Therefore, since they match up, we can still use these IDs to do "joins" across resources and write rules that span resource types.

This can't work in 100% of cases (you can always do complicated things through auxiliary files, or complex functions whose result we can't predict, or fetch info from data resources that we don't have access to...), but our goal is to cover as much as possible within reason.

I hope that answered your question!

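The address-based "join" described in the comment above, written out as a custom Regula rule. This is an added example, not code from the thread or from the Regula project: the package name, the metadoc id CUSTOM_0001, and the matching logic are my own choices, and the helper names (fugue.resources, fugue.allow_resource, fugue.deny_resource_with_message) are used as documented for Regula's rule library at the time of this thread. It assumes both the aws_cloudtrail and the aws_s3_bucket it writes to are in the .tf files passed to regula, and it accepts a reference to either the bucket's id or its bucket attribute, since both forms appear later in this thread.

```rego
# Added example, not from the thread or the Regula project.
# Custom rule: every aws_cloudtrail must write to an aws_s3_bucket that has
# access logging configured. The two resource types are joined through the
# synthetic address-style ID regula assigns (e.g. "aws_s3_bucket.cloudtrail_bucket").
package rules.tf_cloudtrail_bucket_access_logging

import data.fugue

__rego__metadoc__ := {
  "id": "CUSTOM_0001",
  "title": "S3 buckets that store CloudTrail logs must have access logging enabled",
  "description": "Joins each aws_cloudtrail to its aws_s3_bucket by address and checks the bucket's logging block.",
  "custom": {"severity": "High"},
}

# A rule that reasons over more than one resource type is declared as MULTIPLE.
resource_type := "MULTIPLE"
input_type := "tf"

buckets := fugue.resources("aws_s3_bucket")
trails := fugue.resources("aws_cloudtrail")

# The trail's s3_bucket_name is a reference such as aws_s3_bucket.x.id or
# aws_s3_bucket.x.bucket. The first resolves to the synthetic address, which is
# what bucket.id holds; the second may resolve to the literal bucket name when
# it is known statically. Accepting either keeps the join from depending on
# which attribute the author happened to reference (assumption about resolution).
trail_bucket(trail, bucket) {
  trail.s3_bucket_name == bucket.id
}
trail_bucket(trail, bucket) {
  trail.s3_bucket_name == bucket.bucket
}

# Nested blocks are exposed as arrays of objects, so a configured logging block
# shows up as bucket.logging[_] with a non-empty target_bucket.
has_access_logging(bucket) {
  bucket.logging[_].target_bucket != ""
}

trail_has_known_bucket(trail) {
  bucket := buckets[_]
  trail_bucket(trail, bucket)
}

# Bucket is the trail's destination and logs somewhere: pass.
policy[p] {
  trail := trails[_]
  bucket := buckets[_]
  trail_bucket(trail, bucket)
  has_access_logging(bucket)
  p := fugue.allow_resource(bucket)
}

# Bucket is the trail's destination but has no logging block: fail the bucket.
policy[p] {
  trail := trails[_]
  bucket := buckets[_]
  trail_bucket(trail, bucket)
  not has_access_logging(bucket)
  p := fugue.deny_resource_with_message(bucket, "CloudTrail log bucket has no access logging configured")
}

# If the bucket is not among the scanned .tf files, the join has nothing to
# land on. Surface that on the trail rather than silently passing.
policy[p] {
  trail := trails[_]
  not trail_has_known_bucket(trail)
  p := fugue.deny_resource_with_message(trail, "s3_bucket_name does not resolve to an aws_s3_bucket in the scanned files")
}
```

The third policy body is the caveat worth keeping: when the log bucket lives in a file or module that regula never sees, a rule that only iterates over buckets will quietly report nothing, which looks like a pass.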

ninjahck commented on August 24, 2024

Yes it does. I am stuck on rule "FG_R00031", which is "S3 bucket access logging should be enabled on S3 buckets that store CloudTrail log files". Although the bucket has logging enabled, it still fails, maybe due to the same reason :orz:

But my S3 bucket does have logging enabled 😢


ninjahck commented on August 24, 2024

@jaspervdj-luminal can you elaborate a little on what conditions make "FG_R00031" fail? 😢


ninjahck commented on August 24, 2024

Also, how do we handle exceptions if we are writing custom rules? Please help 🙇


jaspervdj-luminal commented on August 24, 2024

@ninjahck We have instructions for making the rule pass here: https://docs.fugue.co/FG_R00031.html#terraform. Based on your earlier question about bucket names, it is possible that our rule has issues connecting the bucket with the cloudtrail. It is important that the log bucket is somewhere in the .tf files passed to regula as well. To give a more detailed answer, I'd ideally need to see the snippet of configuration that causes the failure so I can reproduce this.

I'm not sure about your last question about exceptions: are you referring to runtime exceptions (like throwing an error) or exceptions to compliance (e.g. this single bucket is allowed to pass)?


ninjahck commented on August 24, 2024

@jaspervdj-luminal Below is the code which is not working. As you can see it has logging enabled as well, but it still says logging must be enabled 🙇

locals {
  aws_account_id = "223311448821"
}

module "cloudtrail" {
  source = "cloudposse/cloudtrail/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version                     = "x.x.x"
  namespace                     = "eg"
  stage                         = "dev"
  name                          = "cluster"
  enable_log_file_validation    = true
  include_global_service_events = true
  is_multi_region_trail         = false
  enable_logging                = true
  # The trail writes to the bucket defined below, referenced by its id
  s3_bucket_name                = aws_s3_bucket.cloudtrail_bucket.id
}

resource "aws_s3_bucket" "cloudtrail_bucket" {
  bucket = "cloudtrail-bucket-${local.aws_account_id}"

  # Access logging for the CloudTrail bucket itself, delivered to log_bucket
  logging {
    target_bucket = aws_s3_bucket.log_bucket.id
    target_prefix = "log"
  }
  # other required fields here
}

resource "aws_s3_bucket" "log_bucket" {
  bucket = "log-bucket"
  # other required fields here
}


jason-fugue commented on August 24, 2024

Hi, @ninjahck! I'm not able to reproduce FG_R00031 failing for that configuration with the current release of Regula.

What I do see, though, is that FG_R00274: S3 bucket access logging should be enabled fails for aws_s3_bucket.log_bucket. It's kind of a pain, but it is possible to configure a bucket to log into itself. But it's up to the standards of your organization. If that's not something you're required to do, then you can waive that rule as described in the configuration section of our docs.

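The waiver mentioned in the comment above, and the compliance-exception mechanism asked about earlier in the thread, spelled out as a Regula config file. This is an added example, not code from the thread or from the Regula project: it assumes the waiver format Regula documented at the time (a waivers set in the fugue.regula.config package, keyed by rule_id and resource_id), and the resource_id is the address-style ID regula assigns to the bucket in the snippet above, which is what makes the waiver stable across runs even though the real bucket name is only known at apply time.

```rego
# Added example, not from the thread or the Regula project.
# Waiver file: exempt only the terminal log bucket from FG_R00274 instead of
# making it log into itself. Scoping the waiver to one resource_id keeps the
# rule in force for every other bucket in the scan.
package fugue.regula.config

waivers[waiver] {
  waiver := {
    "rule_id": "FG_R00274",
    # address-style ID, not the bucket name, so it does not change between runs
    "resource_id": "aws_s3_bucket.log_bucket",
  }
}
```

Load the file alongside the rules, for example with regula run --include waivers.rego, and the result for that resource is reported as WAIVED rather than dropped, so the exception stays visible in the report instead of disappearing.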

ninjahck commented on August 24, 2024

Hi @jason-fugue ,

Thanks for the information. One more question I have is regarding rule FG_R00229: it seems that if we have a scenario where we are attaching the block_public_access settings using bucket = aws_s3_bucket.log_bucket.id, it fails.

The below doesn't work for rule FG_R00229:

resource "aws_s3_bucket" "log_bucket" {
  bucket = "my-tf-test-bucket"
  acl    = "private"
  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}

resource "aws_s3_bucket_public_access_block" "example" {
  # Bucket referenced through its id attribute
  bucket                  = aws_s3_bucket.log_bucket.id
  block_public_acls       = true
  block_public_policy     = true
  restrict_public_buckets = true
  ignore_public_acls      = true
}

But if I change the Terraform to the below, it works. Why so?

resource "aws_s3_bucket" "log_bucket" {
  bucket = "my-tf-test-bucket"
  acl    = "private"
  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}

resource "aws_s3_bucket_public_access_block" "example" {
  # Bucket referenced through its bucket attribute instead of id
  bucket                  = aws_s3_bucket.log_bucket.bucket
  block_public_acls       = true
  block_public_policy     = true
  restrict_public_buckets = true
  ignore_public_acls      = true
}


jason-fugue commented on August 24, 2024

Hi, @ninjahck! Whenever you get a chance, could you please confirm that you're using the latest version of regula and describe how you're running it? I'm not able to reproduce this issue with FG_R00229. Both of your examples produce a passing result in my testing, both as Terraform source code and as a plan JSON file. Both of those properties resolve to the bucket name and that rule should accept either one.


ninjahck commented on August 24, 2024

@jason-fugue I am running it from the conftest integration by pulling the Rego files and running them as a policy, but that's okay. I also ran it from regula as well, with the latest code available on GitHub.


jason-fugue commented on August 24, 2024

@ninjahck there was an incompatibility with the latest versions of Terraform that we fixed in the recent v1.6.0 release. I just tried now and I was able to reproduce the issue from your last comment using Terraform v1.0.8 and Regula v1.5.0, but not with Regula v1.6.0.

Could you please give the latest version a try when you get a chance and see if that resolves your issue?


ninjahck commented on August 24, 2024

Thanks @jason-fugue, I tested with the latest version and it worked 🙇, hence closing the issue :)

