Support AWS Terraform provider v4 for S3 buckets #1162

Closed
maxgio92 opened this issue Feb 22, 2022 · 3 comments · Fixed by #1175

maxgio92 commented Feb 22, 2022

  • terrascan version: v1.13.1
  • Operating System: GNU/Linux

Description

This issue is to track the feature request to support the AWS Terraform provider v4, particularly for S3 bucket resources. This new version introduced new resource types, and the previous version's related fields of the aws_s3_bucket resource are now read-only, e.g. the server-side encryption configuration.

Some features are already supported by the latest Terrascan rules, such as S3 versioning; others, like the server-side encryption configuration, are not, and fire false positives.

What I Did

terrascan scan -i terraform -d /path/to/src
@maxgio92
Contributor Author

Something like this supports the new resource, but it lacks backward compatibility to support the same configuration as part of the s3_bucket resource:

pkg/policies/opa/rego/aws/aws_s3_bucket/s3BucketSseRulesWithKmsNull.rego:

package accurics

# Flag every v4 aws_s3_bucket_server_side_encryption_configuration resource
# whose default rule does not declare a usable encryption setting.
{{.prefix}}s3BucketSseRulesWithKmsNull[sse.id] {
    sse := input.aws_s3_bucket_server_side_encryption_configuration[_]
    checkBucketSse(sse)
}

# A resource is non-compliant when any apply_server_side_encryption_by_default
# block fails the hasEncryption test.
checkBucketSse(sse) {
    sse_apply := sse.config.rule[_].apply_server_side_encryption_by_default[_]
    not hasEncryption(sse_apply)
}

# KMS-based encryption: both the key id and the algorithm must be set.
hasEncryption(sse_default) {
    not is_empty(sse_default.kms_master_key_id)
    not is_empty(sse_default.sse_algorithm)
}

# SSE-S3 (AES256) needs no key id.
hasEncryption(sse_default) {
    sse_default.sse_algorithm == "AES256"
}

is_empty(key) {
    key == null
}

is_empty(key) {
    key == ""
}
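A version of the policy that accepts both layouts, as an added example and not code from the issue author or from the Terrascan project: the v4 standalone resource keyed by the configuration's id, and the legacy nested block of aws_s3_bucket keyed by the bucket's id. It assumes Terrascan's input layout as used above (`input.<type>[_]` with `.id` and `.config`) and that the nested block appears as `config.server_side_encryption_configuration[_].rule[_]` (assumption); `object.get` is used so that an absent kms_master_key_id is treated the same as an empty one rather than silently passing.

```rego
package accurics

# Provider v4: dedicated aws_s3_bucket_server_side_encryption_configuration
# resource. Keyed by the SSE resource id, as in the sketch above.
{{.prefix}}s3BucketSseRulesWithKmsNull[sse.id] {
    sse := input.aws_s3_bucket_server_side_encryption_configuration[_]
    sse_apply := sse.config.rule[_].apply_server_side_encryption_by_default[_]
    not hasEncryption(sse_apply)
}

# Provider v3: server_side_encryption_configuration nested in aws_s3_bucket
# (assumed path through config.server_side_encryption_configuration[_]).
# Keyed by the bucket id, since there is no separate SSE resource.
{{.prefix}}s3BucketSseRulesWithKmsNull[bucket.id] {
    bucket := input.aws_s3_bucket[_]
    sse := bucket.config.server_side_encryption_configuration[_]
    sse_apply := sse.rule[_].apply_server_side_encryption_by_default[_]
    not hasEncryption(sse_apply)
}

# SSE-KMS is only acceptable when a key id is actually present.
# object.get returns null when the attribute is missing, so a default rule
# that says aws:kms without naming a key is flagged, not skipped.
hasEncryption(sse_default) {
    sse_default.sse_algorithm == "aws:kms"
    key := object.get(sse_default, "kms_master_key_id", null)
    not is_empty(key)
}

# SSE-S3 needs no key id.
hasEncryption(sse_default) {
    sse_default.sse_algorithm == "AES256"
}

is_empty(key) {
    key == null
}

is_empty(key) {
    key == ""
}
```

Both rule bodies contribute to the same partial set, so a scan over a mixed codebase (some modules on v3, some on v4) reports one violation per offending bucket or SSE resource without duplicates.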

@harkirat22
Contributor

@maxgio92 thanks for raising this issue. We are going to provide support for the updated Terraform provider version, and also support the previous versions. We aim to update all the relevant policies within this week.

@maxgio92
Contributor Author

Thank you @harkirat22. This is awesome!
