This repository has been archived by the owner on Sep 3, 2024. It is now read-only.

What if bucket name is dynamic in terraform ? #190

Closed
ninjahck opened this issue Sep 9, 2021 · 12 comments
Labels
question Further information is requested

Comments

@ninjahck

ninjahck commented Sep 9, 2021

What I mean is that in Terraform you can have a bucket whose bucket id is not known at the time of terraform plan; sometimes all you see in the Terraform plan is something like id: (known after apply). Now this is tricky: we wanted to capture the issue at plan time, not at apply time 🙇

So all those policies which work on the id will fail due to this dynamic thing 🤔

Which I think is not really an issue with regula but a limitation of OPA, as it works on decisions and not on processing the file to get that. So yeah, btw, is there any possibility that we can handle this from regula?

@jaspervdj-luminal
Member

That's a great question and a good insight -- it's generally not possible to know the final IDs of resources, and this also includes e.g. ARNs. This is a big difference between IaC and checking actual resources in the cloud (like our SaaS does).

However, that doesn't mean that we can't statically analyze these templates. What regula does is use a made-up ID that corresponds to the address in the file, e.g. aws_s3_bucket.test. Other resources that refer to this bucket will get the same treatment by regula and the references there will match "aws_s3_bucket.test". Therefore, since they match up, we can still use these IDs to do "joins" across resources and write rules that span resource types.

This can't work in 100% of cases (you can always do complicated things through auxiliary files, or complex functions whose result we can't predict, or fetch info from data resources that we don't have access to...), but our goal is to cover as much as possible within reason.

I hope that answered your question!

@ninjahck
Author

ninjahck commented Sep 9, 2021

Yes it does. I am kind of stuck on rule "FG_R00031", which is "S3 bucket access logging should be enabled on S3 buckets that store CloudTrail log files". Although the bucket has logging enabled, it still fails, maybe due to the same reason :orz:

But my S3 bucket does have logging enabled 😢

@ninjahck
Author

ninjahck commented Sep 9, 2021

@jaspervdj-luminal can you elaborate a little on what conditions make "FG_R00031" --> Failed? 😢

@ninjahck
Author

ninjahck commented Sep 9, 2021

Also, how do we handle exceptions if we are writing custom rules? Please help 🙇

@ameliafugue ameliafugue added the question Further information is requested label Sep 9, 2021
@jaspervdj-luminal
Member

@ninjahck We have instructions for making the rule pass here: https://docs.fugue.co/FG_R00031.html#terraform. Based on your earlier question about bucket names, it is possible that our rule has issues connecting the bucket with the cloudtrail. It is important that the log bucket is somewhere in the .tf files passed to regula as well. To give a more detailed answer, I'd ideally need to see the snippet of configuration that causes the failure so I can reproduce this.

I'm not sure about your last question about exceptions: are you referring to runtime exceptions (like throwing an error) or exceptions to compliance (e.g. this single bucket is allowed to pass)?

@ninjahck
Author

@jaspervdj-luminal Below is the code which is not working. As you can see it has logging enabled as well, but it says logging needs to be enabled 🙇

locals {
  aws_account_id = "223311448821"
}
module "cloudtrail" {
  source = "cloudposse/cloudtrail/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version     = "x.x.x"
  namespace                     = "eg"
  stage                         = "dev"
  name                          = "cluster"
  enable_log_file_validation    = true
  include_global_service_events = true
  is_multi_region_trail         = false
  enable_logging                = true
  s3_bucket_name                = aws_s3_bucket.cloudtrail_bucket.id
}

resource "aws_s3_bucket" "cloudtrail_bucket" {
  bucket = "cloudtrail-bucket-${local.aws_account_id}"
  logging {
    target_bucket = aws_s3_bucket.log_bucket.id
    target_prefix = "log"
  }
  # other required fields here
}

resource "aws_s3_bucket" "log_bucket" {
  bucket = "log-bucket"
  # other required fields here
}

@jason-fugue
Contributor

Hi, @ninjahck! I'm not able to reproduce FG_R00031 failing for that configuration with the current release of Regula.

What I do see, though, is that FG_R00274: S3 bucket access logging should be enabled fails for aws_s3_bucket.log_bucket. It's kind of a pain, but it is possible to configure a bucket to log into itself. But it's up to the standards of your organization. If that's not something you're required to do, then you can waive that rule as described in the configuration section of our docs.

@ninjahck
Author

ninjahck commented Sep 26, 2021

Hi @jason-fugue ,

Thanks for the information. One more question I have here is regarding the rule FG_R00229: it seems like if we have a scenario where we are attaching the block_public_access settings by using bucket = aws_s3_bucket.log_bucket.id, it fails.

Below doesn't work for rule FG_R00229

resource "aws_s3_bucket" "log_bucket" {
  bucket = "my-tf-test-bucket"
  acl    = "private"
  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}
resource "aws_s3_bucket_public_access_block" "example" {
  bucket                  = aws_s3_bucket.log_bucket.id
  block_public_acls       = true
  block_public_policy     = true
  restrict_public_buckets = true
  ignore_public_acls      = true
}

But if I change the Terraform to the below, it works. Why so?

resource "aws_s3_bucket" "log_bucket" {
  bucket = "my-tf-test-bucket"
  acl    = "private"
  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}
resource "aws_s3_bucket_public_access_block" "example" {
  bucket                  = aws_s3_bucket.log_bucket.bucket
  block_public_acls       = true
  block_public_policy     = true
  restrict_public_buckets = true
  ignore_public_acls      = true
}

@jason-fugue
Contributor

Hi, @ninjahck! Whenever you get a chance, could you please confirm that you're using the latest version of regula and describe how you're running it? I'm not able to reproduce this issue with FG_R00229. Both of your examples produce a passing result in my testing, both as Terraform source code and as a plan JSON file. Both of those properties resolve to the bucket name and that rule should accept either one.
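An added example, not code from the regula project or from anyone in this thread, showing the mechanism described twice above: jaspervdj-luminal's point that a static analyzer can stand in a made-up ID (the resource address, e.g. aws_s3_bucket.log_bucket) for values that are "(known after apply)" and then join resources on it, and jason-fugue's point that a reference through .id or through .bucket should resolve to the same bucket. It reads a constructed, trimmed terraform show -json plan (the resource names by_id and by_name and the plan contents are invented for the example; the real plan for this thread's configuration would differ in detail), resolves every cross-resource reference to the target's address, and then runs two small joins: whether each bucket's logging target is declared in the same plan, and which buckets have a public access block attached. The resolution logic is this example's own, not regula's implementation.

```python
import json

# Constructed, trimmed `terraform show -json` output for the configuration in this
# thread (not a real plan, not regula's code). Attributes that are
# "(known after apply)" -- here every `bucket` set from another bucket's `.id` --
# are simply absent from planned_values, while the configuration section still
# records which resource they reference.
PLAN_JSON = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_s3_bucket.cloudtrail_bucket", "type": "aws_s3_bucket",
         "values": {"bucket": "cloudtrail-bucket-223311448821",
                    "logging": [{"target_prefix": "log"}]}},  # target_bucket unknown
        {"address": "aws_s3_bucket.log_bucket", "type": "aws_s3_bucket",
         "values": {"bucket": "log-bucket", "acl": "private"}},
        {"address": "aws_s3_bucket_public_access_block.by_id",
         "type": "aws_s3_bucket_public_access_block",
         "values": {"block_public_acls": True}},  # bucket = ...log_bucket.id: unknown
        {"address": "aws_s3_bucket_public_access_block.by_name",
         "type": "aws_s3_bucket_public_access_block",
         "values": {"bucket": "log-bucket", "block_public_acls": True}},
    ]}},
    "configuration": {"root_module": {"resources": [
        {"address": "aws_s3_bucket.cloudtrail_bucket", "expressions": {
            "bucket": {"references": ["local.aws_account_id"]},
            "logging": [{"target_bucket": {"references": [
                             "aws_s3_bucket.log_bucket.id", "aws_s3_bucket.log_bucket"]},
                         "target_prefix": {"constant_value": "log"}}]}},
        {"address": "aws_s3_bucket.log_bucket", "expressions": {
            "bucket": {"constant_value": "log-bucket"}}},
        {"address": "aws_s3_bucket_public_access_block.by_id", "expressions": {
            "bucket": {"references": ["aws_s3_bucket.log_bucket.id", "aws_s3_bucket.log_bucket"]}}},
        {"address": "aws_s3_bucket_public_access_block.by_name", "expressions": {
            "bucket": {"references": ["aws_s3_bucket.log_bucket.bucket", "aws_s3_bucket.log_bucket"]}}},
    ]}},
})


def resolve_reference(references, addresses):
    """Map a plan-JSON reference list (e.g. ["aws_s3_bucket.log_bucket.id",
    "aws_s3_bucket.log_bucket"]) to the resource address it points at, whatever
    attribute (.id, .bucket, .arn) was used. Returns None for references to
    locals, variables or data sources that are not resources in this plan."""
    best = None
    for ref in references:
        for addr in addresses:
            if (ref == addr or ref.startswith(addr + ".")) and (best is None or len(addr) > len(best)):
                best = addr
    return best


def _references_only(expressions, addresses):
    """Walk a configuration `expressions` tree and keep only attributes that
    reference another resource, each replaced by that resource's address."""
    out = {}
    for key, node in expressions.items():
        if isinstance(node, list):  # nested block such as logging { ... }
            blocks = [_references_only(block, addresses) for block in node]
            if any(blocks):
                out[key] = blocks
        elif isinstance(node, dict) and node.get("references"):
            target = resolve_reference(node["references"], addresses)
            if target is not None:
                out[key] = target
    return out


def _overlay(values, refs):
    """Write resolved addresses into the planned values: fill in attributes that
    were unknown at plan time and override ones that were known, so that `.id`
    and `.bucket` references end up identical."""
    for key, ref in refs.items():
        if isinstance(ref, list):
            blocks = values.setdefault(key, [])
            blocks.extend({} for _ in range(len(ref) - len(blocks)))
            for block_values, block_refs in zip(blocks, ref):
                _overlay(block_values, block_refs)
        else:
            values[key] = ref


def load_resources(plan_json):
    """Return {address: {"type": ..., "values": ...}} with every cross-resource
    reference replaced by the target's address, so rules can join on it."""
    plan = json.loads(plan_json)
    planned = plan["planned_values"]["root_module"]["resources"]
    configured = plan["configuration"]["root_module"]["resources"]
    resources = {r["address"]: {"type": r["type"], "values": dict(r["values"])} for r in planned}
    for r in configured:
        _overlay(resources[r["address"]]["values"],
                 _references_only(r.get("expressions", {}), resources.keys()))
    return resources


def logging_target_is_in_plan(resources):
    """Per aws_s3_bucket: does its logging block point at a bucket that is also
    declared in this plan? log_bucket has no logging block at all, which is the
    condition FG_R00274 reported on it in this thread."""
    buckets = {a for a, r in resources.items() if r["type"] == "aws_s3_bucket"}
    report = {}
    for addr in buckets:
        logging = resources[addr]["values"].get("logging") or []
        target = logging[0].get("target_bucket") if logging else None
        report[addr] = target in buckets
    return report


def buckets_with_public_access_block(resources):
    """Addresses of buckets that some aws_s3_bucket_public_access_block attaches
    to, regardless of whether the block used `.id` or `.bucket`."""
    return {r["values"].get("bucket") for r in resources.values()
            if r["type"] == "aws_s3_bucket_public_access_block"}


if __name__ == "__main__":
    resolved = load_resources(PLAN_JSON)
    print(logging_target_is_in_plan(resolved))
    print(buckets_with_public_access_block(resolved))
```

The caveat in the thread shows up in the same run: the bucket name built from local.aws_account_id is resolved by Terraform itself and stays a plain string, while a reference to a data source or a module output that is not among the plan's resources would resolve to None and the attribute would stay unknown, which is exactly the class of case the analysis cannot join on.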

@ninjahck
Author

@jason-fugue I am running it from the conftest integration by pulling the rego files and running them as policy, but that's okay. I also did run it from regula as well, with the latest code available on GitHub.

@jason-fugue
Contributor

@ninjahck there was an incompatibility with the latest versions of Terraform that we fixed in the recent v1.6.0 release. I just tried now and I was able to reproduce the issue from your last comment using Terraform v1.0.8 and Regula v1.5.0, but not with Regula v1.6.0.

Could you please give the latest version a try when you get a chance and see if that resolves your issue?

@ninjahck
Author

Thanks @jason-fugue, I tested with the latest version and it worked 🙇 hence closing the issue :)
