fix(ignores): handle parameter based ignores in a foreach (#1723)

Resolves #1693

Signed-off-by: Owen Rumney <owen.rumney@aquasec.com>

_examples/1693/main.tf

@@ -0,0 +1,25 @@
+locals {
+  rules = {
+    http = 80
+    https = 443
+  }
+}
+
+resource "aws_security_group" "this" {
+  name = "Test"
+  description = "test sg"
+  vpc_id = "vpc-7238923ye8723t8"
+}
+
+# tfsec:ignore:aws-vpc-no-public-ingress-sgr[from_port=443]
+resource "aws_security_group_rule" "this" {
+  for_each = local.rules
+  type = "ingress"
+  description = "test"
+  from_port = each.value
+  to_port = each.value
+  protocol = "tcp"
+  cidr_blocks = ["0.0.0.0/0"]
+
+  security_group_id = aws_security_group.this.id
+}

docs/guides/rego/rego.md

@@ -16,7 +16,7 @@ This is a useful feature if your organisation needs to implement custom security
 ```rego
 package custom.aws.s3.no_insecure_buckets
 
-import data.lib.defsec
+import data.lib.result
 
 deny[res] {
     bucket := input.aws.s3.buckets[_]
@@ -50,7 +50,7 @@ For more information about the input structure, you can review the entire schema
 
 You may have noticed that the policy checks `bucket.name.value`, instead of just `bucket.name`. This is because the `bucket.name` property contains more than just the _value_ of the property, it also contains various metadata about where this property value was defined, including the filename and line number of the source Terraform file. You can see an example of this metadata in the jq output above.
 
-The `res` object which is returned should be created with the `defsec.result()` function. This is the magic that ensures line numbers and file numbers can be reported when a policy fails. The function takes two parameters:
+The `res` object which is returned should be created with the `result.new()` function. This is the magic that ensures line numbers and file numbers can be reported when a policy fails. The function takes two parameters:
 
 - _msg_ This parameter is a string which explains the specific issue which has been encountered, e.g. `MFA is not enabled for this user`
 - _source_ This parameter is the property or object where the problem was encountered.

go.mod

@@ -5,7 +5,7 @@ go 1.16
 require (
 	github.com/AlecAivazis/survey/v2 v2.3.4
 	github.com/Masterminds/semver v1.5.0
-	github.com/aquasecurity/defsec v0.55.5
+	github.com/aquasecurity/defsec v0.56.1
 	github.com/hashicorp/go-version v1.4.0
 	github.com/inconshreveable/go-update v0.0.0-20160112193335-8152e7eb6ccf
 	github.com/liamg/clinch v1.5.6

go.sum

@@ -225,8 +225,8 @@ github.com/apparentlymart/go-textseg v1.0.0 h1:rRmlIsPEEhUTIKQb7T++Nz/A5Q6C9IuX2
 github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/Nj9VFpLOpjS5yuumk=
 github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw=
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
-github.com/aquasecurity/defsec v0.55.5 h1:6BDkiuk7TkPZsyou7vRrLOU4j7rd1uX50JHHIm3HTZc=
-github.com/aquasecurity/defsec v0.55.5/go.mod h1:erYNqVU+guUDnM06O2rEl3IKKYNtMN82T36BSR/GbTo=
+github.com/aquasecurity/defsec v0.56.1 h1:68csoLXez5pv7KNw1ralrsg2GbiMmhmmzQsNKRneNcA=
+github.com/aquasecurity/defsec v0.56.1/go.mod h1:erYNqVU+guUDnM06O2rEl3IKKYNtMN82T36BSR/GbTo=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/circbuf v0.0.0-20190214190532-5111143e8da2/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=

test/testdata/rego/policies/rego.rego

@@ -1,8 +1,8 @@
 package custom.rego.rego.sauce
 
-import data.lib.defsec
+import data.lib.result
 
 deny[res] {
     count(input.aws.s3.buckets) > 0
-    res := defsec.result("NO BUCKETS", input.aws.s3.buckets[_])
+    res := result.new("NO BUCKETS", input.aws.s3.buckets[_])
 }