FG_R00054 not working #220

Closed
alleynec opened this issue Oct 12, 2021 · 5 comments · Fixed by #223

Comments

@alleynec
Contributor

alleynec commented Oct 12, 2021

The code below should fulfill this aws TF rule as flow logs are enabled. But it still fails.


```hcl
resource "aws_flow_log" "flow-logs" {
  iam_role_arn    = aws_iam_role.ecs_task_execution_role.arn
  log_destination = aws_cloudwatch_log_group.fargate-logs.arn
  traffic_type    = "ALL"
  vpc_id          = aws_vpc.pavpc.id

  tags = {
    Name = local.tag_name
    POC  = local.tag_poc
  }
}
```

@alleynec
Contributor Author

Regula v1.5.0. I'm using the opa binary with the regula library of rules in a container.

@jason-fugue
Contributor

Hi, @alleynec! Similar to #221, I'm having trouble reproducing this issue. These are the repro steps that I tried:

  1. Filled out the configuration you provided so that it has a VPC (which this rule needs) and so that I can produce a plan from it:

```hcl
locals {
  tag_name = "foo"
  tag_poc  = "bar"
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_vpc" "pavpc" {
  cidr_block           = "10.0.0.0/16"
}

resource "aws_flow_log" "flow-logs" {
  iam_role_arn    = aws_iam_role.ecs_task_execution_role.arn
  log_destination = aws_cloudwatch_log_group.fargate-logs.arn
  traffic_type    = "ALL"
  vpc_id          = aws_vpc.pavpc.id

  tags = {
    Name = local.tag_name
    POC  = local.tag_poc
  }
}

resource "aws_cloudwatch_log_group" "fargate-logs" {
  name       = "/ecs/fargate-task-definition"
  kms_key_id = aws_kms_key.cloudwatch.key_id

  tags = {
    Name = local.tag_name
    POC  = local.tag_poc
  }
}

resource "aws_kms_key" "cloudwatch" {
  description             = "cloudwatch kms key"
  deletion_window_in_days = 10
  enable_key_rotation     = true

  tags = {
    Name = local.tag_name
    POC  = local.tag_poc
  }
}

resource "aws_iam_role" "ecs_task_execution_role" {
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ecs.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}
```

  2. I generated a plan JSON from the configuration:

```shell
terraform init
terraform plan -refresh=false -out="plan.tfplan"
terraform show -json "plan.tfplan" > ./plan.json
```

  3. Ran OPA and filtered the output with jq (same explanation as FG_R00068 not working #221):

```shell
opa eval -f pretty -d rego/lib -d rego/rules -i plan.json 'data.fugue.regula.report' | jq '.rule_results[] | select(.rule_id == "FG_R00054")'
```

Which gives me

```json
{
  "controls": [
    "CIS-AWS_v1.2.0_2.9",
    "CIS-AWS_v1.3.0_3.9"
  ],
  "filepath": "",
  "input_type": "tf_plan",
  "provider": "aws",
  "resource_id": "aws_vpc.pavpc",
  "resource_type": "aws_vpc",
  "rule_description": "VPC flow logging should be enabled. AWS VPC Flow Logs provide visibility into network traffic that traverses the AWS VPC. Users can use the flow logs to detect anomalous traffic or insight during security workflows.",
  "rule_id": "FG_R00054",
  "rule_message": "",
  "rule_name": "tf_aws_vpc_flow_log",
  "rule_result": "PASS",
  "rule_severity": "Medium",
  "rule_summary": "VPC flow logging should be enabled"
}
```

I think that more specific repro steps could help us better understand what's happening.
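To make the repro above independent of the Regula rule itself, here is an added stand-alone check (not Regula's code and not the rule's rego) that reads the `plan.json` produced by `terraform show -json` and reports, per root-module `aws_vpc`, whether some `aws_flow_log` points at it. It links the two through the `configuration` section's `references`, since `vpc_id = aws_vpc.pavpc.id` is a computed value that is absent from `planned_values` until apply; the embedded plan is a constructed, trimmed sample that mirrors the thread's configuration plus a second VPC with no flow log.

```python
"""Plan-time check for the intent of FG_R00054: every aws_vpc has an aws_flow_log.

Added example, not Regula's rule implementation. Root module only; modules
would need the child_modules tree and module-relative references handled too.
"""
import json


def vpc_flow_log_results(plan: dict) -> dict:
    """Return {vpc_address: "PASS" | "FAIL"} for each planned root-module aws_vpc."""
    planned = plan.get("planned_values", {}).get("root_module", {}).get("resources", [])
    vpcs = [r["address"] for r in planned if r.get("type") == "aws_vpc"]

    # vpc_id is unknown in planned_values at plan time, so resolve the link via
    # the configuration expressions instead. A reference looks like
    # "aws_vpc.pavpc.id" (newer Terraform also emits the bare "aws_vpc.pavpc").
    covered = set()
    config = plan.get("configuration", {}).get("root_module", {}).get("resources", [])
    for r in config:
        if r.get("type") != "aws_flow_log":
            continue
        refs = r.get("expressions", {}).get("vpc_id", {}).get("references", [])
        for ref in refs:
            parts = ref.split(".")
            if len(parts) >= 2:
                covered.add(".".join(parts[:2]))  # keep "<type>.<name>" only

    return {vpc: ("PASS" if vpc in covered else "FAIL") for vpc in vpcs}


# Constructed sample plan JSON (trimmed to the fields the check needs).
SAMPLE_PLAN = json.loads("""
{
  "planned_values": {"root_module": {"resources": [
    {"address": "aws_vpc.pavpc", "type": "aws_vpc", "values": {"cidr_block": "10.0.0.0/16"}},
    {"address": "aws_vpc.unlogged", "type": "aws_vpc", "values": {"cidr_block": "10.1.0.0/16"}},
    {"address": "aws_flow_log.flow-logs", "type": "aws_flow_log", "values": {"traffic_type": "ALL"}}
  ]}},
  "configuration": {"root_module": {"resources": [
    {"address": "aws_flow_log.flow-logs", "type": "aws_flow_log",
     "expressions": {"vpc_id": {"references": ["aws_vpc.pavpc.id", "aws_vpc.pavpc"]}}}
  ]}}
}
""")

if __name__ == "__main__":
    for vpc, result in vpc_flow_log_results(SAMPLE_PLAN).items():
        print(f"FG_R00054 {vpc}: {result}")
```

Swap `SAMPLE_PLAN` for `json.load(open("plan.json"))` to run it against a real plan; a `FAIL` here alongside a Regula `FAIL` points at the configuration, while a `PASS` here beside a Regula `FAIL` points at the rule.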

@alleynec
Contributor Author

alleynec commented Oct 12, 2021

For context, this is what I execute to create a tf plan:

```shell
terraform init -no-color && terraform plan -refresh-only -no-color
terraform plan --out tfplan.binary -no-color && terraform show -json tfplan.binary -no-color > tfplan.json
```

The other 102 rules pass. I was using the Regula 0.8.0 library before.

@jason-fugue
Contributor

This got closed automatically when I merged.

@jason-fugue jason-fugue reopened this Oct 15, 2021
@alleynec
Contributor Author

alleynec commented Oct 20, 2021

Looks like Regula version 1.6.0 corrected this incorrect failure.
