Comments (3)
The commit above is a working fix. I haven't had a chance to look at how you are handling testing in here, so I haven't created a PR.
from terrascan.
Hi @salexpdx,
We had exactly the same issue in the past, and @guilhem raised a PR for it.
Moreover, I tried the same scenario again on my local setup with the latest master, and I am not able to reproduce it.
Here's how my directory structure looks like:
```
➜ ~ tree tf-example
tf-example
├── cloudfront
│   └── main.tf
└── root
    └── main.tf
```
root/main.tf:
```hcl
➜ ~ cat tf-example/root/main.tf
provider "aws" {
  region = "us-east-1"
}

module "cloudfront" {
  source = "../cloudfront"
}
```
cloudfront/main.tf:
```hcl
➜ ~ cat tf-example/cloudfront/main.tf
resource "aws_cloudfront_distribution" "s3-distribution-TLS-v1" {
  origin {
    domain_name = "aws_s3_bucket.b.bucket_regional_domain_name"
    origin_id   = "local.s3_origin_id"

    s3_origin_config {
      origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567"
    }
  }

  enabled = true

  default_cache_behavior {
    allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "local.s3_origin_id"

    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "https-only"
  }

  ordered_cache_behavior {
    path_pattern     = "/content/immutable/*"
    allowed_methods  = ["GET", "HEAD", "OPTIONS"]
    cached_methods   = ["GET", "HEAD", "OPTIONS"]
    target_origin_id = "local.s3_origin_id"

    forwarded_values {
      query_string = false
      headers      = ["Origin"]

      cookies {
        forward = "none"
      }
    }

    compress               = true
    viewer_protocol_policy = "allow-all"
  }

  ordered_cache_behavior {
    path_pattern     = "/content/*"
    allowed_methods  = ["GET", "HEAD", "OPTIONS"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "local.s3_origin_id"

    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "allow-all"
  }

  restrictions {
    geo_restriction {
      restriction_type = "whitelist"
      locations        = ["US", "CA", "GB", "DE"]
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
    minimum_protocol_version       = "TLSv1" # expected version is TLSv1.1 or TLSv1.2
  }
}

locals {
  s3_origin_id = "myS3Origin"
}
```
Running terrascan on this directory structure:
```yaml
➜ ~ terrascan scan -t aws -d ~/tf-example/root
results:
  violations:
  - rule_name: cloudfrontNoHTTPSTraffic
    description: Use encrypted connection between CloudFront and origin server
    rule_id: AWS.CloudFront.EncryptionandKeyManagement.High.0407
    severity: HIGH
    category: Encryption and Key Management
    resource_name: s3-distribution-TLS-v1
    resource_type: aws_cloudfront_distribution
    file: ../cloudfront/main.tf
    line: 1
  - rule_name: cloudfrontNoHTTPSTraffic
    description: Use encrypted connection between CloudFront and origin server
    rule_id: AWS.CloudFront.EncryptionandKeyManagement.High.0407
    severity: HIGH
    category: Encryption and Key Management
    resource_name: s3-distribution-TLS-v1
    resource_type: aws_cloudfront_distribution
    file: ../cloudfront/main.tf
    line: 1
  - rule_name: cloudfrontNoLogging
    description: Ensure that your AWS Cloudfront distributions have the Logging feature enabled in order to track all viewer requests for the content delivered through the Content Delivery Network (CDN).
    rule_id: AWS.CloudFront.Logging.Medium.0567
    severity: MEDIUM
    category: Logging
    resource_name: s3-distribution-TLS-v1
    resource_type: aws_cloudfront_distribution
    file: ../cloudfront/main.tf
    line: 1
  count:
    low: 0
    medium: 1
    high: 2
    total: 3
```
That example only shows a single module depth. I created a quick test case that shows the issue when you embed a module within a module. salexpdx@68c7601
```
terraform init
Initializing modules...
- m1.m2 in modules/m2
- m1.m3 in modules/m3

Initializing the backend...

Initializing provider plugins...
- Checking for available provider plugins...
- Downloading plugin for provider "aws" (hashicorp/aws) 2.58.0...

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
```

```
terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

module.m1.module.m2.data.aws_iam_policy_document.readbuckets: Refreshing state...

------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.m1.aws_s3_bucket.bucket will be created
  + resource "aws_s3_bucket" "bucket" {
      + acceleration_status         = (known after apply)
      + acl                         = "private"
      + arn                         = (known after apply)
      + bucket                      = "tf-test-project-dev"
      + bucket_domain_name          = (known after apply)
      + bucket_regional_domain_name = (known after apply)
      + force_destroy               = false
      + hosted_zone_id              = (known after apply)
      + id                          = (known after apply)
      + policy                      = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = [
                          + "s3:GetObject",
                        ]
                      + Effect    = "Allow"
                      + Principal = "*"
                      + Resource  = [
                          + "arn:aws:s3:::tf-test-project-dev/*",
                        ]
                      + Sid       = "PublicRead"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + region                      = (known after apply)
      + request_payer               = (known after apply)
      + website_domain              = (known after apply)
      + website_endpoint            = (known after apply)

      + versioning {
          + enabled    = (known after apply)
          + mfa_delete = (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

------------------------------------------------------------------------

Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.
```
terrascan output
```
../../../../../../bin/terrascan scan -t aws
2020-10-30T09:33:46.429-0700    error   v12/load-dir.go:110     failed to build unified config. errors:
<nil>: Failed to read module directory; Module directory /.../terrascan/pkg/iac-providers/terraform/v12/testdata/deep-modules/m2 does not exist or cannot be read., and 1 other diagnostic(s)
```
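The failure above is a module-path resolution problem: a nested module's local `source` has to be joined against the directory of the module that calls it, not against the scan root, or the loader looks for `m2` in the wrong place and the resources inside it (including the `PublicRead` bucket policy the plan shows) are never scanned. The following is an added illustration, not terrascan's own loader: the module calls are stood in by an in-memory map laid out to match the `terraform init` output above, and the `source` strings themselves are an assumption.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed stand-in for the module calls a loader would parse from each
// directory's main.tf (caller dir -> module name -> source). Layout follows the
// "terraform init" output above; the source strings are an assumption.
var moduleCalls = map[string]map[string]string{
	".":          {"m1": "./modules/m1"},
	"modules/m1": {"m2": "../m2", "m3": "../m3"},
	"modules/m2": {},
	"modules/m3": {},
}

// resolveModuleDir joins a local source against the calling module's directory,
// not the scan root: "../m2" called from modules/m1 resolves to modules/m2.
func resolveModuleDir(callerDir, source string) string {
	return filepath.Join(callerDir, source)
}

// walkModules maps module address -> directory for every module reachable from
// rootDir, descending through nested calls. An unreadable directory is an error,
// not a skip: a skipped module's resources (e.g. a public bucket policy) go unscanned.
func walkModules(rootDir string) (map[string]string, error) {
	found := map[string]string{}
	var walk func(addr, dir string) error
	walk = func(addr, dir string) error {
		calls, ok := moduleCalls[dir]
		if !ok {
			return fmt.Errorf("module %q: directory %s does not exist or cannot be read", addr, dir)
		}
		for name, src := range calls {
			childAddr := strings.TrimPrefix(addr+"."+name, ".") // "" + ".m1" -> "m1"
			childDir := resolveModuleDir(dir, src)
			found[childAddr] = childDir
			if err := walk(childAddr, childDir); err != nil {
				return err
			}
		}
		return nil
	}
	return found, walk("", rootDir)
}

func main() { fmt.Println(walkModules(".")) }
```

Resolving `../m2` from the root instead of from `modules/m1` yields `../m2`, which is outside the tree, which is the shape of the "does not exist or cannot be read" error reported above.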