
feat(misconf): Support additional terraform attributes #5460

Open
simar7 opened this issue Oct 26, 2023 Discussed in #5444 · 4 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. scan/misconfiguration Issues relating to misconfiguration scanning

Comments

@simar7
Member

simar7 commented Oct 26, 2023

Action items

  • Support additional ebs volume attributes as listed here
  • In particular to address this issue we will require: count, tags and type

Discussed in #5444

Originally posted by rickythain October 25, 2023

Question

I tried to create a custom policy that checks if an aws ec2 volume has a count of 1. Upon running the check, the policy did not report it when an aws ec2 volume was created with a count of 1.

So, I checked for any mistakes in the policy file and in the command used, but to no avail. Then I tried to check the input received via the custom policy and found that that may be the issue?

The input received via the custom policy does not contain the complete attributes of the resource (no count, tags, type, size, etc.).
I've compiled the terraform, policy, and the extracted-input files in this repo - test-trivy-tf.

Following are the contents:
main.tf

resource "aws_s3_bucket" "my-bucket" {
  bucket = "evil"
}

resource "aws_ebs_volume" "example02" {
  count             = 1
  size              = 14
  availability_zone = "us-east-1a"
  type              = "gp3"
  encrypted         = true
  tags = {
    Name = "HelloWorld 23"
  }
}

policy.rego

# METADATA
# title: Bad buckets are bad
# description: Bad buckets are bad because they are not good.
# scope: package
# custom:
#   avd_id: AVD-TEST-0123
#   severity: CRITICAL
#   short_code: very-bad-misconfig
#   recommended_action: "Fix the s3 bucket"

package user.foobar.ABC001

deny[cause] {
	bucket := input.aws.s3.buckets[_]
	bucket.name.value == "evil"
	cause := sprintf("%v", [bucket])
}

## below is the rule for volume

# deny[cause] {
# 	volume := input.aws.ec2.volumes[_]
# 	volume.count.value == 1
# 	cause := sprintf("%v", [volume])
# }

## below is to get the input received for volume

# deny[cause] {
# 	volume := input.aws.ec2.volumes[_]
# 	cause := sprintf("%v", [volume])
# }

## below is to get the input entirely

# deny[cause] {
# 	volume := input
# 	cause := sprintf("%v", [volume])
# }

Command used to run:

trivy config --config-policy=./policy.rego --severity=CRITICAL --namespaces=user main.tf

I extracted the input from policy evaluation into the following:

I would appreciate it if you could point out what I'm missing, or whether this is a limitation of Trivy? 🙏

Target

None

Scanner

Misconfiguration

Output Format

None

Mode

Standalone

Operating System

Ubuntu 22.04.3 LTS

Version

Version: 0.46.0
Policy Bundle:
  Digest: sha256:1df8ade71efc830877ca3b1130f83e0c6368e3a45b0d4c0f0418955501644054
  DownloadedAt: 2023-10-25 03:47:17.901425136 +0000 UTC
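The behaviour described above is a fail-open condition: when the scanner does not expose an attribute, a rule such as `volume.count.value == 1` is simply undefined and the volume is reported as compliant. The following policy is an added example, not code from the issue or from the Trivy project. It keeps the `input.aws.ec2.volumes[_].count.value` shape assumed by the question's policy (which, per this issue, Trivy 0.46 did not yet populate) and adds a second rule that fails closed by flagging any volume whose `count` is absent from the scanner input. The `test_` rules at the bottom use constructed fixtures so the policy can be checked with `opa test` before it is handed to Trivy; Trivy itself ignores them.

```rego
# METADATA
# title: EBS volume count must be present and must not be 1
# description: Added example policy; fails closed when the scanner input lacks the count attribute.
# scope: package
# custom:
#   avd_id: AVD-TEST-0124
#   severity: CRITICAL
#   short_code: ebs-volume-count
#   recommended_action: "Set the volume count explicitly and make sure the scanner exposes it"

package user.foobar.ABC002

# Assumed input shape (from the question's own policy): input.aws.ec2.volumes[_].count.value

# Fail closed: a volume with no `count` attribute in the scanner input is
# reported, so a missing attribute cannot masquerade as a passing check.
deny[cause] {
	volume := input.aws.ec2.volumes[_]
	not volume.count
	cause := sprintf("volume has no 'count' attribute in the scanner input: %v", [volume])
}

# The check the question wanted: report volumes created with count = 1.
deny[cause] {
	volume := input.aws.ec2.volumes[_]
	volume.count.value == 1
	cause := sprintf("volume created with count = 1: %v", [volume])
}

# Unit tests for `opa test`. Both fixtures are constructed for this example.

# Fixture mirrors the stripped-down input observed in the question (no count/tags/type).
test_volume_without_count_is_denied {
	count(deny) == 1 with input as {"aws": {"ec2": {"volumes": [{"size": {"value": 14}}]}}}
}

# Fixture with the attribute populated, as it would be once the scanner exposes it.
test_volume_with_count_one_is_denied {
	count(deny) == 1 with input as {"aws": {"ec2": {"volumes": [{"count": {"value": 1}}]}}}
}

# A volume with count = 2 passes both rules.
test_volume_with_count_two_is_allowed {
	count(deny) == 0 with input as {"aws": {"ec2": {"volumes": [{"count": {"value": 2}}]}}}
}
```

Run `opa test ./policy.rego` to execute the three test rules; once they pass, the same file can be given to `trivy config --config-policy=./policy.rego --namespaces=user main.tf`. The missing-attribute rule is the part worth keeping in any custom policy: it turns "the scanner did not give me this field" into a finding rather than a silent pass.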
@simar7 simar7 added triage/support Indicates an issue that is a support question. kind/feature Categorizes issue or PR as related to a new feature. scan/misconfiguration Issues relating to misconfiguration scanning and removed triage/support Indicates an issue that is a support question. labels Oct 26, 2023
@itaysk
Contributor

itaysk commented Oct 28, 2023

@simar7 what is the action item here?

@simar7
Member Author

simar7 commented Oct 30, 2023

@simar7 what is the action item here?

Added the action items in the description

@nikpivkin
Contributor

@simar7 count is a meta argument that is specific to all terraform resources. The tags attribute is specific to all AWS provider resources. Does it make sense to add them only for ec2?

@simar7
Member Author

simar7 commented Nov 14, 2023

@simar7 count is a meta argument that is specific to all terraform resources. The tags attribute is specific to all AWS provider resources. Does it make sense to add them only for ec2?

We should support meta args for all Terraform resources, which we have here: https://github.com/aquasecurity/trivy-iac/blob/main/pkg/scanners/terraform/parser/evaluator.go#L283-L285

As for tags, I think they are also quite important to have as they're pretty fundamental to AWS.

@simar7 simar7 changed the title feat(misconf): Support additional ec2 attributes feat(misconf): Support additional terraform attributes Nov 14, 2023