FG_R00054 not working #220
Comments
Regula v1.5.0. I'm using the opa binary with the regula library of rules in a container.
Hi, @alleynec! Similar to #221, I'm having trouble reproducing this issue. These are the repro steps that I tried:

```hcl
locals {
  tag_name = "foo"
  tag_poc  = "bar"
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_vpc" "pavpc" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_flow_log" "flow-logs" {
  iam_role_arn    = aws_iam_role.ecs_task_execution_role.arn
  log_destination = aws_cloudwatch_log_group.fargate-logs.arn
  traffic_type    = "ALL"
  vpc_id          = aws_vpc.pavpc.id
  tags = {
    Name = local.tag_name
    POC  = local.tag_poc
  }
}

resource "aws_cloudwatch_log_group" "fargate-logs" {
  name       = "/ecs/fargate-task-definition"
  kms_key_id = aws_kms_key.cloudwatch.key_id
  tags = {
    Name = local.tag_name
    POC  = local.tag_poc
  }
}

resource "aws_kms_key" "cloudwatch" {
  description             = "cloudwatch kms key"
  deletion_window_in_days = 10
  enable_key_rotation     = true
  tags = {
    Name = local.tag_name
    POC  = local.tag_poc
  }
}

resource "aws_iam_role" "ecs_task_execution_role" {
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ecs.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}
```

```sh
terraform init
terraform plan -refresh=false -out="plan.tfplan"
terraform show -json "plan.tfplan" > ./plan.json
opa eval -f pretty -d rego/lib -d rego/rules -i plan.json 'data.fugue.regula.report' | jq '.rule_results[] | select(.rule_id == "FG_R00054")'
```

Which gives me

```json
{
  "controls": [
    "CIS-AWS_v1.2.0_2.9",
    "CIS-AWS_v1.3.0_3.9"
  ],
  "filepath": "",
  "input_type": "tf_plan",
  "provider": "aws",
  "resource_id": "aws_vpc.pavpc",
  "resource_type": "aws_vpc",
  "rule_description": "VPC flow logging should be enabled. AWS VPC Flow Logs provide visibility into network traffic that traverses the AWS VPC. Users can use the flow logs to detect anomalous traffic or insight during security workflows.",
  "rule_id": "FG_R00054",
  "rule_message": "",
  "rule_name": "tf_aws_vpc_flow_log",
  "rule_result": "PASS",
  "rule_severity": "Medium",
  "rule_summary": "VPC flow logging should be enabled"
}
```

I think that more specific repro steps could help us better understand what's happening.
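To show why a VPC-flow-log check over `tf_plan` input has to follow configuration references rather than compare planned attribute values alone, here is an added Python example (not Regula's rule and not an explanation of this issue's cause) run over a constructed, trimmed plan JSON in the shape `terraform show -json` emits for the repro above. The function names and the plan fragment are assumptions made for the example.

```python
import json

# Constructed plan fragment (not real `terraform show -json` output). Because the VPC is
# created in the same plan, both its `id` and the flow log's `vpc_id` are unknown until
# apply, so they are absent from planned_values; the link survives only as a reference
# in the configuration section.
PLAN_JSON = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_vpc.pavpc", "type": "aws_vpc",
         "values": {"cidr_block": "10.0.0.0/16"}},
        {"address": "aws_flow_log.flow-logs", "type": "aws_flow_log",
         "values": {"traffic_type": "ALL"}},
    ]}},
    "configuration": {"root_module": {"resources": [
        {"address": "aws_vpc.pavpc", "type": "aws_vpc", "expressions": {}},
        {"address": "aws_flow_log.flow-logs", "type": "aws_flow_log",
         "expressions": {"vpc_id": {"references": ["aws_vpc.pavpc.id", "aws_vpc.pavpc"]}}},
    ]}},
})


def _resources(plan, section):
    return plan[section]["root_module"].get("resources", [])


def failing_vpcs_naive(plan_text):
    """Match on concrete planned values only: a VPC created in this plan always FAILs."""
    plan = json.loads(plan_text)
    res = _resources(plan, "planned_values")
    logged = {r["values"].get("vpc_id") for r in res if r["type"] == "aws_flow_log"} - {None}
    return sorted(r["address"] for r in res
                  if r["type"] == "aws_vpc" and r["values"].get("id") not in logged)


def failing_vpcs_resolved(plan_text):
    """Also follow configuration references, so a flow log that points at a VPC
    which does not exist yet still counts as covering that VPC."""
    plan = json.loads(plan_text)
    logged = set()
    for r in _resources(plan, "planned_values"):
        if r["type"] == "aws_flow_log":
            logged.add(r["values"].get("vpc_id"))  # concrete id of a pre-existing VPC
    for r in _resources(plan, "configuration"):
        if r["type"] == "aws_flow_log":
            for ref in r["expressions"].get("vpc_id", {}).get("references", []):
                logged.add(ref.removesuffix(".id"))  # "aws_vpc.pavpc.id" -> "aws_vpc.pavpc"
    logged.discard(None)
    return sorted(r["address"] for r in _resources(plan, "planned_values")
                  if r["type"] == "aws_vpc"
                  and r["address"] not in logged and r["values"].get("id") not in logged)
```

The naive check reports `aws_vpc.pavpc` as failing even though the plan declares a flow log for it; the reference-aware check reports nothing.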
For context, this is what I execute to create a tf plan: `terraform init -no-color && terraform plan -refresh-only -no-color` The other 102 rules pass. I was using the Regula 0.8.0 library before.
This got closed automatically when I merged.
Looks like Regula version 1.6.0 corrected this incorrect failure
The code below should fulfill this aws TF rule as flow logs are enabled. But it still fails.

```hcl
resource "aws_flow_log" "flow-logs" {
  iam_role_arn    = aws_iam_role.ecs_task_execution_role.arn
  log_destination = aws_cloudwatch_log_group.fargate-logs.arn
  traffic_type    = "ALL"
  vpc_id          = aws_vpc.pavpc.id
  tags = {
    Name = local.tag_name
    POC  = local.tag_poc
  }
}
```