From 4f327e4386d74f0191e2cec3254ee8a83f548f89 Mon Sep 17 00:00:00 2001 From: nikpivkin Date: Wed, 10 Jul 2024 23:01:28 +0700 Subject: [PATCH] docs(misconf): add info about limitations for terraform plan json --- docs/docs/coverage/iac/terraform.md | 31 ++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/docs/docs/coverage/iac/terraform.md b/docs/docs/coverage/iac/terraform.md index 843126f54d3a..e190c901cf05 100644 --- a/docs/docs/coverage/iac/terraform.md +++ b/docs/docs/coverage/iac/terraform.md @@ -47,4 +47,33 @@ trivy conf --tf-exclude-downloaded-modules ./configs ``` ## Secret -The secret scan is performed on plain text files, with no special treatment for Terraform. \ No newline at end of file +The secret scan is performed on plain text files, with no special treatment for Terraform. + +## Limitations + +### Terraform Plan JSON + +#### For each and count objects in expression + +The plan created by Terraform does not provide complete information about references in expressions that use `each` or `count` objects. For this reason, in some situations it is not possible to establish references between resources that are needed for checks when detecting misconfigurations. An example of such a configuration is: + +```hcl +locals { + buckets = toset(["test"]) +} + +resource "aws_s3_bucket" "this" { + for_each = local.buckets + bucket = each.key +} + +resource "aws_s3_bucket_acl" "this" { + for_each = local.buckets + bucket = aws_s3_bucket.this[each.key].id + acl = "private" +} +``` + +With this configuration, the plan will not contain information about which attribute of the `aws_s3_bucket` resource is referenced by the `aws_s3_bucket_acl` resource. + +See more [here](https://github.com/hashicorp/terraform/issues/30826). \ No newline at end of file
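Review bot: The new "Limitations" paragraph in this hunk says references "needed for checks" cannot be established but stops short of stating the consequence for the user; suggest adding one sentence after the `hcl` example along the lines of "Checks that rely on this reference (here, the ACL attached to the bucket) may therefore not be evaluated when scanning the plan JSON, so results for such configurations can be incomplete." Three smaller points in the same hunk: the heading "#### For each and count objects in expression" reads better as "#### `each` and `count` objects in expressions" with the Terraform object names in code formatting, matching the `each`/`count` formatting used in the paragraph below it; the closing line "See more [here](https://github.com/hashicorp/terraform/issues/30826)." uses bare "here" link text, so name the target instead (e.g. "See hashicorp/terraform#30826 for details."); and the file still ends with "\ No newline at end of file", which this docs edit could fix while it is touching the last line.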