docs(misconf): add info about limitations for terraform plan json
nikpivkin committed Jul 10, 2024
1 parent f27c236 commit 4f327e4
Showing 1 changed file with 30 additions and 1 deletion.
31 changes: 30 additions & 1 deletion docs/docs/coverage/iac/terraform.md
Expand Up @@ -47,4 +47,33 @@ trivy conf --tf-exclude-downloaded-modules ./configs
```

## Secret
The secret scan is performed on plain text files, with no special treatment for Terraform.
The secret scan is performed on plain text files, with no special treatment for Terraform.

## Limitations

### Terraform Plan JSON

#### For each and count objects in expression

The plan created by Terraform does not provide complete information about references in expressions that use `each` or `count` objects. For this reason, in some situations it is not possible to establish references between resources that are needed for checks when detecting misconfigurations. An example of such a configuration is:

```hcl
locals {
buckets = toset(["test"])
}
resource "aws_s3_bucket" "this" {
for_each = local.buckets
bucket = each.key
}
resource "aws_s3_bucket_acl" "this" {
for_each = local.buckets
bucket = aws_s3_bucket.this[each.key].id
acl = "private"
}
```

With this configuration, the plan will not contain information about which attribute of the `aws_s3_bucket` resource is referenced by the `aws_s3_bucket_acl` resource.

See more [here](https://github.com/hashicorp/terraform/issues/30826).
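Review bot: the new Limitations section explains why the `aws_s3_bucket` reference from `aws_s3_bucket_acl` cannot be resolved from the plan, but not what a user will observe when scanning such a plan (a check that depends on that reference being skipped, or a misleading result), nor whether scanning the HCL source directly, as the `trivy conf ... ./configs` invocation shown at the top of this hunk does, avoids the problem; stating the practical outcome and the workaround, if one exists, would make the limitation actionable. Minor: the heading "For each and count objects in expression" would read better as "`for_each` and `count` objects in expressions", matching the meta-argument names used in the example, and the link text "here" in `See more [here](...)` should name the upstream issue (hashicorp/terraform#30826) so the reference is meaningful outside the rendered page.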
