Replies: 6 comments 4 replies
Hi @vmorkunas, can you give us an example input and the expected output? Is this for IaC scanning or AWS cloud scanning?

Hi, I am trying to create a Rego check that checks whether an AWS resource has a specific tag on it. I have a dummy Rego check which prints out all resources and their details: Then I run it
on a Terraform plan JSON file, but in the output I can only see this kind of detail (the plan contains SNS resources): If this object contained more information, such as the tags and tags_all objects, then custom checks on tags would be easy to write. The TF plan contains this kind of information (tags and tags_all on almost every resource):

We're also quite keen to have this functionality; without it we can't migrate from tfsec. I was hoping it would be possible to write a check like the following, similar to one we have for enforcing default_tags on the provider:

# METADATA
# title: AWS S3 bucket required tags
# description: Check if an S3 bucket has the required tags set on it
# scope: package
# schemas:
#   - input: schema["cloud"]
# custom:
#   id: FCC02
#   severity: CRITICAL
#   short_code: required-aws-s3-bucket-tags
#   recommended_actions: "Add the required tags to the S3 bucket."
#   input:
#     selector:
#       - type: cloud
#         subtypes:
#           - provider: aws
#             service: s3
package fc.terraform.FCC02

import rego.v1

required_tags := ["Access", "Owner"]

deny contains res if {
	bucket := input.aws.s3.buckets[_]
	# Assumes the cloud schema exposed a "tags" attribute on buckets (it does not today)
	bucket_tags := object.keys(bucket.tags.value)
	some tag in required_tags
	not tag in bucket_tags
	res := result.new(
		sprintf("An AWS S3 bucket must have the '%s' tag", [tag]),
		bucket,
	)
}

For our use cases we only require it for S3 buckets and security groups. Would you be open to a PR for just those resources initially, or would you prefer to add support for all taggable resources at once?

Hi @vmorkunas @jamesrwhite! Is there any reason why you can't scan the Terraform plan as JSON and write a check against the raw plan? Check:

# METADATA
# title: AWS S3 bucket required tags
# description: Check if an S3 bucket has the required tags set on it
# scope: package
# custom:
#   id: FCC02
#   severity: CRITICAL
#   short_code: required-aws-s3-bucket-tags
#   recommended_actions: "Add the required tags to the S3 bucket."
#   input:
#     selector:
#       - type: json
package fc.terraform.FCC02

import rego.v1

required_tags := ["Access", "Owner"]

deny contains res if {
	some resource in input.planned_values.root_module.resources
	resource.type == "aws_s3_bucket"
	# Default to {} so a bucket with no "tags" attribute at all is also reported
	# (object.keys on an undefined value would silently make the rule undefined)
	bucket_tags := object.keys(object.get(resource.values, "tags", {}))
	some tag in required_tags
	not tag in bucket_tags
	res := result.new(
		sprintf("An AWS S3 bucket %q must have the %q tag", [resource.values.bucket, tag]),
		tag,
	)
}

Output:

This feature would be extremely useful for us as well. If this gets tracked as an issue, my team could help implement the logic and open a PR for it. But we currently can't contribute, as PRs must be linked to issues created by maintainers.

Hi @vmorkunas @jscott22 @jamesrwhite! Trivy recently started supporting custom checks for raw Terraform configurations (evaluated but not adapted to the common state), so you can easily write such checks.

Input data schema: https://github.com/aquasecurity/trivy/blob/e4af279b29ed5b77ed1d62e31b232b1f9b92ef4f/pkg/iac/rego/schemas/terraform-raw.json

Example check:

# METADATA
# title: AWS required resource tags
# description: Ensure required tags are set on AWS resources
# scope: package
# schemas:
#   - input: schema["terraform-raw"]
# custom:
#   id: USR-TFRAW-0001
#   severity: CRITICAL
#   short_code: required-aws-resource-tags
#   recommended_actions: "Add the required tags to AWS resources."
#   input:
#     selector:
#       - type: terraform-raw
package user.terraform.required_aws_tags

import rego.v1

resource_types_to_check := {"aws_s3_bucket"}

# Every resource block (in any module) whose type we want to enforce tags on
resources_to_check := {block |
	some module in input.modules
	some block in module.blocks
	block.kind == "resource"
	block.type in resource_types_to_check
}

required_tags := {"Access", "Owner"}

# Case 1: the resource has no "tags" attribute at all
deny contains res if {
	some block in resources_to_check
	not block.attributes.tags
	res := result.new(
		sprintf("The resource %q does not contain the following required tags: %v", [block.type, required_tags]),
		block,
	)
}

# Case 2: "tags" is present but some required keys are missing
deny contains res if {
	some block in resources_to_check
	tags_attr := block.attributes.tags
	tags := object.keys(tags_attr.value)
	missing_tags := required_tags - tags
	count(missing_tags) > 0
	res := result.new(
		sprintf("The resource %q does not contain the following required tags: %v", [block.type, missing_tags]),
		tags_attr,
	)
}

Run Trivy:

trivy conf examples/terraform-raw/main.tf \
  --check-namespaces user \
  --config-check examples/terraform-raw/required-aws-tags.rego \
  --misconfig-scanners terraform --raw-config-scanners terraform

Output:

main.tf (terraform)
Tests: 10 (SUCCESSES: 0, FAILURES: 10)
Failures: 10 (UNKNOWN: 0, LOW: 2, MEDIUM: 1, HIGH: 6, CRITICAL: 1)
(CRITICAL): The resource "aws_s3_bucket" does not contain the following required tags: {"Access"}
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Ensure required tags are set on AWS resources
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
main.tf:3-5
via main.tf:1-6 (aws_s3_bucket.this)
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 resource "aws_s3_bucket" "this" {
2   bucket = "test"
3 ┌ tags = {
4 │   Owner: "user"
5 └ }
6 }
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

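The plan-JSON check suggested earlier in the thread only looks at `planned_values.root_module.resources`, silently passes a resource that has no `tags` attribute, and ignores tags injected through the provider's `default_tags` (which the AWS provider surfaces as `tags_all`). The following check is an added example written for this thread, not code from the Trivy project or from any participant. It generalises the two checks above to a plan JSON file: it walks into nested `child_modules`, prefers `tags_all` over `tags` so provider default tags count, treats a missing or null tag map as empty, and covers a configurable set of resource types. The resource type set, check ID, severity and package name are assumptions for illustration; `result.new` is the Trivy built-in used by the checks above, so this runs under Trivy's JSON scanner rather than plain `opa eval`.

```rego
# METADATA
# title: AWS required resource tags (Terraform plan JSON, all modules)
# description: Ensure required tags are present on selected AWS resources in a Terraform plan, including child modules
# scope: package
# custom:
#   id: USR-PLAN-0001
#   severity: HIGH
#   short_code: required-aws-resource-tags-plan
#   recommended_actions: "Add the required tags to the resource or set them via provider default_tags."
#   input:
#     selector:
#       - type: json
package user.terraform.required_tags_plan

import rego.v1

# Assumption: the set of resource types that must carry the tags. Extend as needed.
resource_types_to_check := {"aws_s3_bucket", "aws_security_group", "aws_sns_topic"}

required_tags := {"Access", "Owner"}

# Every planned resource of interest, from the root module or any nested child module.
# walk() visits every node below root_module; nodes that carry a "resources" array are
# module objects, and their entries are filtered by type.
planned_resources contains resource if {
	walk(input.planned_values.root_module, [_, node])
	some resource in node.resources
	resource.type in resource_types_to_check
}

# Effective tag map: tags_all (includes provider default_tags) wins over tags.
# A missing or null map counts as no tags, so the resource is still reported.
effective_tags(values) := tags if {
	tags := object.get(values, "tags_all", object.get(values, "tags", {}))
	is_object(tags)
} else := {}

missing_tags(values) := required_tags - object.keys(effective_tags(values))

deny contains res if {
	some resource in planned_resources
	missing := missing_tags(resource.values)
	count(missing) > 0
	res := result.new(
		sprintf("Resource %q is missing required tags: %v", [resource.address, missing]),
		resource,
	)
}
```

To try it, generate a plan with `terraform plan -out tfplan && terraform show -json tfplan > plan.json` and point Trivy's JSON misconfiguration scanner at `plan.json` with `--check-namespaces user --config-check <file>.rego`, mirroring the flags used in the raw-config example above. Note that `tags_all` only appears in `values` when it is fully known at plan time; tags that are computed (for example from a data source) are listed under `after_unknown` instead and will show up as missing, which is the conservative outcome for a policy gate.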
Description
Currently the cloud schema (in my case AWS) does not contain resource tags, so I cannot run tag-based checks on AWS resources, for example to check whether a specific tag exists. This would be a nice and useful feature to have, and not just for me, I believe.
Target
Filesystem
Scanner
Misconfiguration