Terrascan not able to find terraform config files in a sub directory, but it works in case of k8s infrastructure type #622

Closed
Saini01Basu opened this issue Mar 16, 2021 · 15 comments
Comments

Saini01Basu commented Mar 16, 2021

  • terrascan version: v1.3.3
  • Operating System: Windows10 64 bit

Description

I have cloned a publicly available terragoat project which has terraform config files for aws, gcp and azure. I wanted to get a collated scan report for all config files. The config files are placed under /terraform/aws, /terraform/gcp, /terraform/azure.
It is not able to scan all config files at once but individually it works.

What I Did

I ran the command - terrascan scan -d ./terraform -t all

It throws error - cli/run.go:101 scan run failed{error 26 0 directory 'C:\Users\saini_basu\Documents\terragoat\terraform' has no terraform config files}

[screenshot: terrascan_error]

@Saini01Basu (Author)

Cloned another publicly available goat application "kubernetes-goat" which has k8s config files. The config files are present under various sub directories within scenarios folder. I ran the command -
terrascan scan -d ./scenarios -i k8s

It is able to find all config files within different sub directories and produce a collated result in this case.
[screenshot: terrascan_k8s]

kanchwala-yusuf (Contributor) commented Mar 16, 2021

Hi @Saini01Basu,

Thank you for trying out terrascan and reporting this issue.

You are correct in your analysis that terrascan behavior varies a little for terraform and k8s. For k8s iac type, terrascan recursively scans all the directories.

But for terraform, terrascan actually tries to emulate the behavior of terraform plan to load terraform resources. It is ideally expected that terrascan is executed from the directory from where terraform plan is executed.

Also, there is an open issue for this #411

Hope this helps!

@Saini01Basu (Author)

This helps @kanchwala-yusuf :) We are considering another scan tool called checkov, which is able to produce a collated result for terraform as well. So I was wondering if this feature can be added to terrascan?

@patilpankaj212 (Contributor)

Hi @Saini01Basu, we have implemented the sub folder scanning feature for terraform as well. Can you please try it out and let us know if you face any issue?

@patilpankaj212 (Contributor)

Hi @Saini01Basu, the changes for terraform sub folder scanning are available in v1.6.0; you can run the command below:
terrascan scan -i terraform -d dirPath
Also, we introduced a new flag, --non-recursive. If the flag is used, then terrascan will not scan sub directories recursively.
terrascan scan -i terraform -d dirPath --non-recursive
Note: The --non-recursive flag is only applicable for the terraform iac type.
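
As an added illustration (not terrascan's own code), the shell snippet below shows which directories a recursive terraform scan treats as plan roots versus the single directory a --non-recursive run looks at, and wraps a per-root terrascan invocation so that releases before v1.6.0, which fail when the parent directory itself has no .tf files, can still report on aws, gcp and azure in one pass. It assumes terrascan is on PATH and that its `-o json` output option is available.

```shell
#!/bin/sh
# Added example, not part of terrascan. Models "plan roots" the way a
# recursive terraform scan sees them: every directory that directly holds at
# least one .tf file. Hidden directories such as .terraform are skipped
# because they contain provider and module caches, not the user's config.

# tf_roots DIR [NONRECURSIVE]
#   Prints one plan root per line. With a second argument of "1" only DIR
#   itself is considered, mirroring the --non-recursive flag.
tf_roots() {
    dir=${1%/}
    if [ "${2:-0}" = "1" ]; then
        # Non-recursive: DIR is a root only if it directly contains .tf files.
        if [ -n "$(find "$dir" -maxdepth 1 -type f -name '*.tf' 2>/dev/null | head -n 1)" ]; then
            printf '%s\n' "$dir"
        fi
        return 0
    fi
    # Recursive: the parent directory of every .tf file, de-duplicated.
    # Without this, a parent like ./terraform that only holds sub folders
    # yields no roots at all, which is the "has no terraform config files"
    # situation described in this issue.
    find "$dir" -path '*/.*' -prune -o -type f -name '*.tf' -print 2>/dev/null \
        | sed 's|/[^/]*$||' | sort -u
}

# scan_each_root DIR [OUTDIR]
#   Runs terrascan once per plan root (terrascan assumed on PATH) and keeps
#   one JSON report per root so aws, gcp and azure results sit side by side.
scan_each_root() {
    outdir=${2:-terrascan-reports}
    mkdir -p "$outdir"
    tf_roots "$1" | while IFS= read -r root; do
        name=$(printf '%s' "${root#./}" | tr '/' '_')
        # terrascan exits non-zero when it finds violations; that must not
        # abort the loop before the remaining roots are scanned.
        terrascan scan -i terraform -d "$root" -o json > "$outdir/$name.json" || true
    done
}
```

Running `tf_roots ./terraform` on the terragoat checkout from this issue should list ./terraform/aws, ./terraform/azure and ./terraform/gcp, while `tf_roots ./terraform 1` prints nothing because the parent holds no .tf files itself.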

@Saini01Basu (Author)

Sure, thanks for the info, will definitely try it out.

@Saini01Basu (Author)

It worked, thanks a lot for adding this feature.

@patilpankaj212 (Contributor)

Thanks for trying it out @Saini01Basu. I will close this issue.

@Saini01Basu (Author)

Hey, but I noticed that for this project - https://github.com/bridgecrewio/terragoat/tree/master/terraform - it only scanned aws recursively, not gcp and azure.

@Saini01Basu (Author)

I didn't add any -t option, so the default is "all", right? So it should have scanned gcp and azure as well, right?

@patilpankaj212 (Contributor)

Yes @Saini01Basu, by default the directory will be scanned with all policies. I will have a look and reply back.

@patilpankaj212 (Contributor)

Hey, I tried out the repository shared by you with the command below:

terrascan scan -r git -u https://github.com/bridgecrewio/terragoat.git//terraform -v

All folders were scanned, see the output below:

Violation Details -
    
	Description    :	Ensure Stackdriver Logging is enabled on Kubernetes Engine Clusters.
	File           :	gcp/gke.tf
	Module Name    :	root
	Plan Root      :	gcp
	Line           :	6
	Severity       :	HIGH
	Rule Name      :	stackDriverLoggingEnabled
	Rule ID        :	accurics.gcp.LOG.100
	Resource Name  :	workload_cluster
	Resource Type  :	google_container_cluster
	Category       :	Logging and Monitoring
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure Legacy Authorization is set to disabled on Kubernetes Engine Clusters.
	File           :	gcp/gke.tf
	Module Name    :	root
	Plan Root      :	gcp
	Line           :	6
	Severity       :	HIGH
	Rule Name      :	legacyAuthEnabled
	Rule ID        :	accurics.gcp.IAM.142
	Resource Name  :	workload_cluster
	Resource Type  :	google_container_cluster
	Category       :	Identity and Access Management
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure Stackdriver Monitoring is enabled on Kubernetes Engine Clusters.
	File           :	gcp/gke.tf
	Module Name    :	root
	Plan Root      :	gcp
	Line           :	6
	Severity       :	HIGH
	Rule Name      :	stackDriverMonitoringEnabled
	Rule ID        :	accurics.gcp.MON.143
	Resource Name  :	workload_cluster
	Resource Type  :	google_container_cluster
	Category       :	Logging and Monitoring
	
	-----------------------------------------------------------------------
	
	Description    :	BigQuery datasets may be anonymously or publicly accessible.
	File           :	gcp/big_data.tf
	Module Name    :	root
	Plan Root      :	gcp
	Line           :	21
	Severity       :	HIGH
	Rule Name      :	bqDatasetPubliclyAccessible
	Rule ID        :	accurics.gcp.IAM.106
	Resource Name  :	dataset
	Resource Type  :	google_bigquery_dataset
	Category       :	Identity and Access Management
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure that Cloud Storage bucket is not anonymously or publicly accessible.
	File           :	gcp/gcs.tf
	Module Name    :	root
	Plan Root      :	gcp
	Line           :	16
	Severity       :	MEDIUM
	Rule Name      :	checkPubliclyAccessible
	Rule ID        :	accurics.gcp.IAM.121
	Resource Name  :	allow_public_read
	Resource Type  :	google_storage_bucket_iam_binding
	Category       :	Identity and Access Management
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure that Cloud SQL database instance requires all incoming connections to use SSL
	File           :	gcp/big_data.tf
	Module Name    :	root
	Plan Root      :	gcp
	Line           :	1
	Severity       :	HIGH
	Rule Name      :	checkRequireSSLEnabled
	Rule ID        :	accurics.gcp.EKM.141
	Resource Name  :	master_instance
	Resource Type  :	google_sql_database_instance
	Category       :	Infrastructure Security
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) .
	File           :	gcp/instances.tf
	Module Name    :	root
	Plan Root      :	gcp
	Line           :	36
	Severity       :	MEDIUM
	Rule Name      :	vmEncryptedwithCsek
	Rule ID        :	accurics.gcp.EKM.131
	Resource Name  :	unencrypted_disk
	Resource Type  :	google_compute_disk
	Category       :	Data Protection
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure that Cloud Storage buckets have uniform bucket-level access enabled.
	File           :	gcp/gcs.tf
	Module Name    :	root
	Plan Root      :	gcp
	Line           :	1
	Severity       :	MEDIUM
	Rule Name      :	uniformBucketEnabled
	Rule ID        :	accurics.gcp.IAM.122
	Resource Name  :	terragoat_website
	Resource Type  :	google_storage_bucket
	Category       :	Identity and Access Management
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image.
	File           :	gcp/gke.tf
	Module Name    :	root
	Plan Root      :	gcp
	Line           :	24
	Severity       :	HIGH
	Rule Name      :	cosNodeImageUsed
	Rule ID        :	accurics.gcp.OPS.114
	Resource Name  :	custom_node_pool
	Resource Type  :	google_container_node_pool
	Category       :	Compliance Validation
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure all Cloud SQL database instance have backup configuration enabled.
	File           :	gcp/big_data.tf
	Module Name    :	root
	Plan Root      :	gcp
	Line           :	1
	Severity       :	HIGH
	Rule Name      :	backupConfigEnabled
	Rule ID        :	accurics.gcp.BDR.105
	Resource Name  :	master_instance
	Resource Type  :	google_sql_database_instance
	Category       :	Resilience
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure IP forwarding is not enabled on Instances.
	File           :	gcp/instances.tf
	Module Name    :	root
	Plan Root      :	gcp
	Line           :	3
	Severity       :	MEDIUM
	Rule Name      :	checkIpForward
	Rule ID        :	accurics.gcp.NS.130
	Resource Name  :	server
	Resource Type  :	google_compute_instance
	Category       :	Infrastructure Security
	
	-----------------------------------------------------------------------
	
	Description    :	Enable AWS ElasticSearch Encryption At Rest
	File           :	aws/es.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	1
	Severity       :	MEDIUM
	Rule Name      :	elastiSearchEncryptAtRest
	Rule ID        :	AWS.ElasticSearch.EKM.Medium.0778
	Resource Name  :	monitoring-framework
	Resource Type  :	aws_elasticsearch_domain
	Category       :	Data Protection
	
	-----------------------------------------------------------------------
	
	Description    :	EC2 instances should disable IMDS or require IMDSv2 as this can be related to the weaponization phase of kill chain
	File           :	aws/ec2.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	1
	Severity       :	MEDIUM
	Rule Name      :	ec2UsingIMDSv1
	Rule ID        :	AC-AWS-NS-IN-M-1172
	Resource Name  :	web_host
	Resource Type  :	aws_instance
	Category       :	Infrastructure Security
	
	-----------------------------------------------------------------------
	
	Description    :	EC2 instances should disable IMDS or require IMDSv2 as this can be related to the weaponization phase of kill chain
	File           :	aws/db-app.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	242
	Severity       :	MEDIUM
	Rule Name      :	ec2UsingIMDSv1
	Rule ID        :	AC-AWS-NS-IN-M-1172
	Resource Name  :	db_app
	Resource Type  :	aws_instance
	Category       :	Infrastructure Security
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure ECR repository has policy attached.
	File           :	aws/ecr.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	1
	Severity       :	MEDIUM
	Rule Name      :	ecrNoSecurePolicyAttached
	Rule ID        :	AC_AWS_058
	Resource Name  :	repository
	Resource Type  :	aws_ecr_repository
	Category       :	Identity and Access Management
	
	-----------------------------------------------------------------------
	
	Description    :	ssh port open to internet
	File           :	aws/ec2.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	77
	Severity       :	HIGH
	Rule Name      :	port22OpenToInternet
	Rule ID        :	AWS.SecurityGroup.NetworkPortsSecurity.Low.0560
	Resource Name  :	web-node
	Resource Type  :	aws_security_group
	Category       :	Infrastructure Security
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure that your RDS database has IAM Authentication enabled.
	File           :	aws/db-app.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	1
	Severity       :	HIGH
	Rule Name      :	rdsIamAuthEnabled
	Rule ID        :	AWS.RDS.DataSecurity.High.0577
	Resource Name  :	default
	Resource Type  :	aws_db_instance
	Category       :	Data Protection
	
	-----------------------------------------------------------------------
	
	Description    :	http port open to internet
	File           :	aws/ec2.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	77
	Severity       :	HIGH
	Rule Name      :	port80OpenToInternet
	Rule ID        :	AWS.SecurityGroup.NetworkPortsSecurity.Low.0561
	Resource Name  :	web-node
	Resource Type  :	aws_security_group
	Category       :	Infrastructure Security
	
	-----------------------------------------------------------------------
	
	Description    :	Enable AWS EBS Snapshot Encryption
	File           :	aws/ec2.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	34
	Severity       :	HIGH
	Rule Name      :	ebsSnapshotDisabled
	Rule ID        :	AWS.EBS.EKM.Medium.0682
	Resource Name  :	web_host_storage
	Resource Type  :	aws_ebs_volume
	Category       :	Data Protection
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure S3 object is Encrypted
	File           :	aws/s3.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	24
	Severity       :	MEDIUM
	Rule Name      :	notEncryptedObject
	Rule ID        :	AC_AWS_034
	Resource Name  :	data_object
	Resource Type  :	aws_s3_bucket_object
	Category       :	Data Protection
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure ECR repository is encrypted at rest
	File           :	aws/ecr.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	1
	Severity       :	MEDIUM
	Rule Name      :	ecrNotEncrypted
	Rule ID        :	AC_AWS_026
	Resource Name  :	repository
	Resource Type  :	aws_ecr_repository
	Category       :	Data Protection
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure that S3 Buckets have server side encryption at rest enabled with KMS key to protect sensitive data.
	File           :	aws/s3.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	43
	Severity       :	HIGH
	Rule Name      :	s3BucketSseRulesWithKmsNull
	Rule ID        :	AWS.S3Bucket.EncryptionandKeyManagement.High.0405
	Resource Name  :	financials
	Resource Type  :	aws_s3_bucket
	Category       :	Data Protection
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure that S3 Buckets have server side encryption at rest enabled with KMS key to protect sensitive data.
	File           :	aws/s3.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	1
	Severity       :	HIGH
	Rule Name      :	s3BucketSseRulesWithKmsNull
	Rule ID        :	AWS.S3Bucket.EncryptionandKeyManagement.High.0405
	Resource Name  :	data
	Resource Type  :	aws_s3_bucket
	Category       :	Data Protection
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure that S3 Buckets have server side encryption at rest enabled with KMS key to protect sensitive data.
	File           :	aws/s3.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	66
	Severity       :	HIGH
	Rule Name      :	s3BucketSseRulesWithKmsNull
	Rule ID        :	AWS.S3Bucket.EncryptionandKeyManagement.High.0405
	Resource Name  :	operations
	Resource Type  :	aws_s3_bucket
	Category       :	Data Protection
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure that S3 Buckets have server side encryption at rest enabled with KMS key to protect sensitive data.
	File           :	aws/ec2.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	271
	Severity       :	HIGH
	Rule Name      :	s3BucketSseRulesWithKmsNull
	Rule ID        :	AWS.S3Bucket.EncryptionandKeyManagement.High.0405
	Resource Name  :	flowbucket
	Resource Type  :	aws_s3_bucket
	Category       :	Data Protection
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure that S3 Buckets have server side encryption at rest enabled with KMS key to protect sensitive data.
	File           :	aws/s3.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	91
	Severity       :	HIGH
	Rule Name      :	s3BucketSseRulesWithKmsNull
	Rule ID        :	AWS.S3Bucket.EncryptionandKeyManagement.High.0405
	Resource Name  :	data_science
	Resource Type  :	aws_s3_bucket
	Category       :	Data Protection
	
	-----------------------------------------------------------------------
	
	Description    :	Lambda tracing is not enabled.
	File           :	aws/lambda.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	31
	Severity       :	LOW
	Rule Name      :	lambdaXRayTracingDisabled
	Rule ID        :	AWS.LambdaFunction.Logging.0470
	Resource Name  :	analysis_lambda
	Resource Type  :	aws_lambda_function
	Category       :	Logging and Monitoring
	
	-----------------------------------------------------------------------
	
	Description    :	AWS ELB incoming traffic not encrypted
	File           :	aws/elb.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	2
	Severity       :	LOW
	Rule Name      :	elbLbProtocolNotSecured
	Rule ID        :	AWS.ELB.NetworkPortsSecurity.Low.0563
	Resource Name  :	weblb
	Resource Type  :	aws_elb
	Category       :	Infrastructure Security
	
	-----------------------------------------------------------------------
	
	Description    :	S3 bucket Access is allowed to all AWS Account Users.
	File           :	aws/s3.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	43
	Severity       :	HIGH
	Rule Name      :	s3EnforceUserACL
	Rule ID        :	AWS.S3Bucket.DS.High.1043
	Resource Name  :	financials
	Resource Type  :	aws_s3_bucket
	Category       :	Identity and Access Management
	
	-----------------------------------------------------------------------
	
	Description    :	S3 bucket Access is allowed to all AWS Account Users.
	File           :	aws/s3.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	1
	Severity       :	HIGH
	Rule Name      :	s3EnforceUserACL
	Rule ID        :	AWS.S3Bucket.DS.High.1043
	Resource Name  :	data
	Resource Type  :	aws_s3_bucket
	Category       :	Identity and Access Management
	
	-----------------------------------------------------------------------
	
	Description    :	S3 bucket Access is allowed to all AWS Account Users.
	File           :	aws/s3.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	66
	Severity       :	HIGH
	Rule Name      :	s3EnforceUserACL
	Rule ID        :	AWS.S3Bucket.DS.High.1043
	Resource Name  :	operations
	Resource Type  :	aws_s3_bucket
	Category       :	Identity and Access Management
	
	-----------------------------------------------------------------------
	
	Description    :	S3 bucket Access is allowed to all AWS Account Users.
	File           :	aws/ec2.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	271
	Severity       :	HIGH
	Rule Name      :	s3EnforceUserACL
	Rule ID        :	AWS.S3Bucket.DS.High.1043
	Resource Name  :	flowbucket
	Resource Type  :	aws_s3_bucket
	Category       :	Identity and Access Management
	
	-----------------------------------------------------------------------
	
	Description    :	S3 bucket Access is allowed to all AWS Account Users.
	File           :	aws/s3.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	115
	Severity       :	HIGH
	Rule Name      :	s3EnforceUserACL
	Rule ID        :	AWS.S3Bucket.DS.High.1043
	Resource Name  :	logs
	Resource Type  :	aws_s3_bucket
	Category       :	Identity and Access Management
	
	-----------------------------------------------------------------------
	
	Description    :	S3 bucket Access is allowed to all AWS Account Users.
	File           :	aws/s3.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	91
	Severity       :	HIGH
	Rule Name      :	s3EnforceUserACL
	Rule ID        :	AWS.S3Bucket.DS.High.1043
	Resource Name  :	data_science
	Resource Type  :	aws_s3_bucket
	Category       :	Identity and Access Management
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure that your RDS database instances encrypt the underlying storage. Encrypted RDS instances use the industry standard AES-256 encryption algorithm to encrypt data on the server that hosts RDS DB instances. After data is encrypted, RDS handles authentication of access and descryption of data transparently with minimal impact on performance.
	File           :	aws/db-app.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	1
	Severity       :	HIGH
	Rule Name      :	rdsHasStorageEncrypted
	Rule ID        :	AWS.RDS.DataSecurity.High.0414
	Resource Name  :	default
	Resource Type  :	aws_db_instance
	Category       :	Data Protection
	
	-----------------------------------------------------------------------
	
	Description    :	RDS Instance publicly_accessible flag is true
	File           :	aws/db-app.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	1
	Severity       :	HIGH
	Rule Name      :	rdsPubliclyAccessible
	Rule ID        :	AWS.RDS.NS.High.0101
	Resource Name  :	default
	Resource Type  :	aws_db_instance
	Category       :	Infrastructure Security
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure Neptune Cluster is Encrypted
	File           :	aws/neptune.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	1
	Severity       :	MEDIUM
	Rule Name      :	neptuneClusterNotEncrypted
	Rule ID        :	AC_AWS_030
	Resource Name  :	default
	Resource Type  :	aws_neptune_cluster
	Category       :	Data Protection
	
	-----------------------------------------------------------------------
	
	Description    :	Lambda function doesn't not include a VPC configuration.
	File           :	aws/lambda.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	31
	Severity       :	Low
	Rule Name      :	lambdaNotInVpc
	Rule ID        :	AWS.LambdaFunction.Logging.0472
	Resource Name  :	analysis_lambda
	Resource Type  :	aws_lambda_function
	Category       :	Infrastructure Security
	
	-----------------------------------------------------------------------
	
	Description    :	Lambda does not use KMS CMK key to protect environment variables.
	File           :	aws/lambda.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	31
	Severity       :	High
	Rule Name      :	lambdaNotEncryptedWithKms
	Rule ID        :	AWS.LambdaFunction.EncryptionandKeyManagement.0471
	Resource Name  :	analysis_lambda
	Resource Type  :	aws_lambda_function
	Category       :	Data Protection
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure IAM policies are attached only to groups or roles
	File           :	aws/iam.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	25
	Severity       :	MEDIUM
	Rule Name      :	iamUserInlinePolicy
	Rule ID        :	AC_AWS_049
	Resource Name  :	userpolicy
	Resource Type  :	aws_iam_user_policy
	Category       :	Identity and Access Management
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure Elasticsearch domains being created are set to be encrypted node-to-node
	File           :	aws/es.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	1
	Severity       :	MEDIUM
	Rule Name      :	noNodeToNodeEncryptionDomain
	Rule ID        :	AC_AWS_045
	Resource Name  :	monitoring-framework
	Resource Type  :	aws_elasticsearch_domain
	Category       :	Infrastructure Security
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure that your AWS Elasticsearch clusters have enabled the support for publishing slow logs to AWS CloudWatch Logs. This feature enables you to publish slow logs from the indexing and search operations performed on your ES clusters and gain full insight into the performance of these operations.
	File           :	aws/es.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	1
	Severity       :	MEDIUM
	Rule Name      :	esloggingdisabled
	Rule ID        :	AWS.Elasticsearch.Logging.Medium.0573
	Resource Name  :	monitoring-framework
	Resource Type  :	aws_elasticsearch_domain
	Category       :	Compliance Validation
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure AWS ELB has access logging enabled.
	File           :	aws/elb.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	2
	Severity       :	MEDIUM
	Rule Name      :	elbAccessLoggingDisabled
	Rule ID        :	AC_AWS_072
	Resource Name  :	weblb
	Resource Type  :	aws_elb
	Category       :	Logging and Monitoring
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure that there are no exposed Amazon IAM access keys in order to protect your AWS resources against unapproved access
	File           :	aws/iam.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	21
	Severity       :	MEDIUM
	Rule Name      :	programmaticAccessCreation
	Rule ID        :	AWS.IamUser.IAM.High.0391
	Resource Name  :	user
	Resource Type  :	aws_iam_access_key
	Category       :	Identity and Access Management
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure AWS Neptune clusters have logging enabled.
	File           :	aws/neptune.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	1
	Severity       :	MEDIUM
	Rule Name      :	neptuneClusterLoggingDisabled
	Rule ID        :	AC_AWS_075
	Resource Name  :	default
	Resource Type  :	aws_neptune_cluster
	Category       :	Logging and Monitoring
	
	-----------------------------------------------------------------------
	
	Description    :	Enabling S3 versioning will enable easy recovery from both unintended user actions, like deletes and overwrites
	File           :	aws/s3.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	43
	Severity       :	HIGH
	Rule Name      :	s3Versioning
	Rule ID        :	AWS.S3Bucket.IAM.High.0370
	Resource Name  :	financials
	Resource Type  :	aws_s3_bucket
	Category       :	Resilience
	
	-----------------------------------------------------------------------
	
	Description    :	Enabling S3 versioning will enable easy recovery from both unintended user actions, like deletes and overwrites
	File           :	aws/s3.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	1
	Severity       :	HIGH
	Rule Name      :	s3Versioning
	Rule ID        :	AWS.S3Bucket.IAM.High.0370
	Resource Name  :	data
	Resource Type  :	aws_s3_bucket
	Category       :	Resilience
	
	-----------------------------------------------------------------------
	
	Description    :	Enabling S3 versioning will enable easy recovery from both unintended user actions, like deletes and overwrites
	File           :	aws/ec2.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	271
	Severity       :	HIGH
	Rule Name      :	s3Versioning
	Rule ID        :	AWS.S3Bucket.IAM.High.0370
	Resource Name  :	flowbucket
	Resource Type  :	aws_s3_bucket
	Category       :	Resilience
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure EKS clusters have control plane logging enabled.
	File           :	aws/eks.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	117
	Severity       :	MEDIUM
	Rule Name      :	eksControlPlaneLoggingDisabled
	Rule ID        :	AC_AWS_071
	Resource Name  :	eks_cluster
	Resource Type  :	aws_eks_cluster
	Category       :	Logging and Monitoring
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure S3 buckets have access logging enabled.
	File           :	aws/s3.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	43
	Severity       :	MEDIUM
	Rule Name      :	s3BucketAccessLoggingDisabled
	Rule ID        :	AC_AWS_078
	Resource Name  :	financials
	Resource Type  :	aws_s3_bucket
	Category       :	Logging and Monitoring
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure S3 buckets have access logging enabled.
	File           :	aws/s3.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	1
	Severity       :	MEDIUM
	Rule Name      :	s3BucketAccessLoggingDisabled
	Rule ID        :	AC_AWS_078
	Resource Name  :	data
	Resource Type  :	aws_s3_bucket
	Category       :	Logging and Monitoring
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure S3 buckets have access logging enabled.
	File           :	aws/s3.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	66
	Severity       :	MEDIUM
	Rule Name      :	s3BucketAccessLoggingDisabled
	Rule ID        :	AC_AWS_078
	Resource Name  :	operations
	Resource Type  :	aws_s3_bucket
	Category       :	Logging and Monitoring
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure S3 buckets have access logging enabled.
	File           :	aws/ec2.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	271
	Severity       :	MEDIUM
	Rule Name      :	s3BucketAccessLoggingDisabled
	Rule ID        :	AC_AWS_078
	Resource Name  :	flowbucket
	Resource Type  :	aws_s3_bucket
	Category       :	Logging and Monitoring
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure S3 buckets have access logging enabled.
	File           :	aws/s3.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	115
	Severity       :	MEDIUM
	Rule Name      :	s3BucketAccessLoggingDisabled
	Rule ID        :	AC_AWS_078
	Resource Name  :	logs
	Resource Type  :	aws_s3_bucket
	Category       :	Logging and Monitoring
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure AWS RDS instances have logging enabled.
	File           :	aws/db-app.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	1
	Severity       :	MEDIUM
	Rule Name      :	dbInstanceLoggingDisabled
	Rule ID        :	AC_AWS_076
	Resource Name  :	default
	Resource Type  :	aws_db_instance
	Category       :	Logging and Monitoring
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure rotation for customer created CMKs is enabled
	File           :	aws/kms.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	1
	Severity       :	MEDIUM
	Rule Name      :	kmsKeyRotationDisabled
	Rule ID        :	AC_AWS_012
	Resource Name  :	logs_key
	Resource Type  :	aws_kms_key
	Category       :	Security Best Practices
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure VPC flow logging is enabled in all VPCs
	File           :	aws/eks.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	43
	Severity       :	MEDIUM
	Rule Name      :	vpcFlowLogsNotEnabled
	Rule ID        :	AWS.VPC.Logging.Medium.0470
	Resource Name  :	eks_vpc
	Resource Type  :	aws_vpc
	Category       :	Logging and Monitoring
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure every security group should have a description to ease the process of Auditing
	File           :	aws/db-app.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	116
	Severity       :	LOW
	Rule Name      :	noSgDescription
	Rule ID        :	AC_AWS_015
	Resource Name  :	default
	Resource Type  :	aws_security_group
	Category       :	Security Best Practices
	
	-----------------------------------------------------------------------
	
	Description    :	Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion
	File           :	aws/s3.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	1
	Severity       :	HIGH
	Rule Name      :	allUsersReadAccess
	Rule ID        :	AWS.S3Bucket.IAM.High.0377
	Resource Name  :	data
	Resource Type  :	aws_s3_bucket
	Category       :	Identity and Access Management
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure that detailed monitoring is enabled for EC2 instances.
	File           :	aws/ec2.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	1
	Severity       :	HIGH
	Rule Name      :	detailedMonitoringEnabledInstance
	Rule ID        :	AC_AWS_070
	Resource Name  :	web_host
	Resource Type  :	aws_instance
	Category       :	Logging and Monitoring
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure that detailed monitoring is enabled for EC2 instances.
	File           :	aws/db-app.tf
	Module Name    :	root
	Plan Root      :	aws
	Line           :	242
	Severity       :	HIGH
	Rule Name      :	detailedMonitoringEnabledInstance
	Rule ID        :	AC_AWS_070
	Resource Name  :	db_app
	Resource Type  :	aws_instance
	Category       :	Logging and Monitoring
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure that Azure Active Directory Admin is configured for SQL Server
	File           :	azure/sql.tf
	Module Name    :	root
	Plan Root      :	azure
	Line           :	9
	Severity       :	HIGH
	Rule Name      :	reme_sqlServerADAdminConfigured
	Rule ID        :	accurics.azure.IAM.10
	Resource Name  :	example
	Resource Type  :	azurerm_sql_server
	Category       :	Identity and Access Management
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure that standard pricing tiers are selected
	File           :	azure/security_center.tf
	Module Name    :	root
	Plan Root      :	azure
	Line           :	1
	Severity       :	MEDIUM
	Rule Name      :	reme_securityCenterPrincingTier
	Rule ID        :	accurics.azure.OPS.349
	Resource Name  :	pricing
	Resource Type  :	azurerm_security_center_subscription_pricing
	Category       :	Security Best Practices
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
	File           :	azure/sql.tf
	Module Name    :	root
	Plan Root      :	azure
	Line           :	98
	Severity       :	MEDIUM
	Rule Name      :	reme_connectionThrottling
	Rule ID        :	accurics.azure.LOG.151
	Resource Name  :	thrtottling_config
	Resource Type  :	azurerm_postgresql_configuration
	Category       :	Logging and Monitoring
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure Azure Application Gateway Web application firewall (WAF) is enabled
	File           :	azure/application_gateway.tf
	Module Name    :	root
	Plan Root      :	azure
	Line           :	1
	Severity       :	MEDIUM
	Rule Name      :	reme_appGatewayWAFEnabled
	Rule ID        :	accurics.azure.NS.147
	Resource Name  :	network
	Resource Type  :	azurerm_application_gateway
	Category       :	Infrastructure Security
	
	-----------------------------------------------------------------------
	
	Description    :	Enable Network Watcher for Azure subscriptions. Network diagnostic and visualization tools available with Network Watcher help users understand, diagnose, and gain insights to the network in Azure.
	File           :	azure/networking.tf
	Module Name    :	root
	Plan Root      :	azure
	Line           :	125
	Severity       :	HIGH
	Rule Name      :	reme_networkWatcherEnabled
	Rule ID        :	accurics.azure.NS.11
	Resource Name  :	flow_log
	Resource Type  :	azurerm_network_watcher_flow_log
	Category       :	Logging and Monitoring
	
	-----------------------------------------------------------------------
	
	Description    :	Network Security Group Flow Logs should be enabled and the retention period is set to greater than or equal to 90 days. Flow logs enable capturing information about IP traffic flowing in and out of network security groups. Logs can be used to check for anomalies and give insight into suspected breaches.
	File           :	azure/networking.tf
	Module Name    :	root
	Plan Root      :	azure
	Line           :	125
	Severity       :	MEDIUM
	Rule Name      :	reme_logRetensionGraterThan90Days
	Rule ID        :	accurics.azure.NS.342
	Resource Name  :	flow_log
	Resource Type  :	azurerm_network_watcher_flow_log
	Category       :	Resilience
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
	File           :	azure/sql.tf
	Module Name    :	root
	Plan Root      :	azure
	Line           :	105
	Severity       :	MEDIUM
	Rule Name      :	postgreSqlLogsEnabled
	Rule ID        :	accurics.azure.LOG.364
	Resource Name  :	example
	Resource Type  :	azurerm_postgresql_configuration
	Category       :	Logging and Monitoring
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure that Azure Resource Group has resource lock enabled
	File           :	azure/resource_group.tf
	Module Name    :	root
	Plan Root      :	azure
	Line           :	1
	Severity       :	LOW
	Rule Name      :	reme_resourceGroupLock
	Rule ID        :	accurics.azure.NS.272
	Resource Name  :	example
	Resource Type  :	azurerm_resource_group
	Category       :	Identity and Access Management
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure that Geo Redundant Backups is enabled on PostgreSQL
	File           :	azure/sql.tf
	Module Name    :	root
	Plan Root      :	azure
	Line           :	73
	Severity       :	HIGH
	Rule Name      :	reme_geoRedundancyDisabled
	Rule ID        :	accurics.azure.BDR.163
	Resource Name  :	example
	Resource Type  :	azurerm_postgresql_server
	Category       :	Resilience
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure AKS cluster has Network Policy configured.
	File           :	azure/aks.tf
	Module Name    :	root
	Plan Root      :	azure
	Line           :	1
	Severity       :	MEDIUM
	Rule Name      :	networkPolicyEnabled
	Rule ID        :	accurics.azure.NS.382
	Resource Name  :	k8s_cluster
	Resource Type  :	azurerm_kubernetes_cluster
	Category       :	Infrastructure Security
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server.
	File           :	azure/sql.tf
	Module Name    :	root
	Plan Root      :	azure
	Line           :	44
	Severity       :	HIGH
	Rule Name      :	sslConnectionEnabled
	Rule ID        :	accurics.azure.NS.361
	Resource Name  :	example
	Resource Type  :	azurerm_mysql_server
	Category       :	Infrastructure Security
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure that 'Send email notification for high severity alerts' is set to 'On'
	File           :	azure/security_center.tf
	Module Name    :	root
	Plan Root      :	azure
	Line           :	5
	Severity       :	MEDIUM
	Rule Name      :	emailAlertsEnabled
	Rule ID        :	accurics.azure.MON.353
	Resource Name  :	contact
	Resource Type  :	azurerm_security_center_contact
	Category       :	Logging and Monitoring
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure that Azure Virtual Network subnet is configured with a Network Security Group
	File           :	azure/networking.tf
	Module Name    :	root
	Plan Root      :	azure
	Line           :	18
	Severity       :	MEDIUM
	Rule Name      :	reme_noSecurityGroupAssociated
	Rule ID        :	accurics.azure.NS.161
	Resource Name  :	example
	Resource Type  :	azurerm_subnet
	Category       :	Infrastructure Security
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure Kube Dashboard is disabled
	File           :	azure/aks.tf
	Module Name    :	root
	Plan Root      :	azure
	Line           :	1
	Severity       :	MEDIUM
	Rule Name      :	kubeDashboardDisabled
	Rule ID        :	accurics.azure.NS.383
	Resource Name  :	k8s_cluster
	Resource Type  :	azurerm_kubernetes_cluster
	Category       :	Infrastructure Security
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
	File           :	azure/sql.tf
	Module Name    :	root
	Plan Root      :	azure
	Line           :	73
	Severity       :	HIGH
	Rule Name      :	reme_sslEnforceDisabled
	Rule ID        :	accurics.azure.EKM.1
	Resource Name  :	example
	Resource Type  :	azurerm_postgresql_server
	Category       :	Infrastructure Security
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure that 'OS disk' are encrypted
	File           :	azure/storage.tf
	Module Name    :	root
	Plan Root      :	azure
	Line           :	1
	Severity       :	MEDIUM
	Rule Name      :	reme_checkDataDisksEncrypted
	Rule ID        :	accurics.azure.EKM.156
	Resource Name  :	example
	Resource Type  :	azurerm_managed_disk
	Category       :	Data Protection
	
	-----------------------------------------------------------------------
	
	Description    :	Ensure that logging for Azure KeyVault is 'Enabled'
	File           :	azure/key_vault.tf
	Module Name    :	root
	Plan Root      :	azure
	Line           :	1
	Severity       :	HIGH
	Rule Name      :	reme_keyVaultAuditLoggingEnabled
	Rule ID        :	accurics.azure.EKM.20
	Resource Name  :	example
	Resource Type  :	azurerm_key_vault
	Category       :	Logging and Monitoring
	
	-----------------------------------------------------------------------
	

Scan Summary -

	File/Folder         :	/var/folders/pt/zybdcqcx5777xknz0zgq3zhc0000gn/T/ywsh6i/terraform
	IaC Type            :	all
	Scanned At          :	2021-05-17 10:55:57.253721 +0000 UTC
	Policies Validated  :	607
	Violated Policies   :	78
	Low                 :	5
	Medium              :	36
	High                :	37

@Saini01Basu
Author

I am sorry, my bad, I got confused with three goat projects that I am using for testing. Yes, it is working in all scenarios. Thanks again and sorry about the confusion.

@ravitomardevops

I need to scan recursively and don't want these error messages like 'error 26 0 directory 'C:\Users\saini_basu\Documents\terragoat\terraform' has no terraform config files'. Is there any way I can recursively run it?

@rennu

rennu commented Jul 6, 2022

I need to scan recursively and don't want these error messages like 'error 26 0 directory 'C:\Users\saini_basu\Documents\terragoat\terraform' has no terraform config files'. Is there any way I can recursively run it?

I have to agree. Why are subfolders without terraform config files considered scan errors?
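One way to get a recursive scan without the "has no terraform config files" error is to run terrascan once per directory that actually holds .tf files, which is what the question above is asking for. This is an added example, not code from the terrascan project; it assumes terrascan is on PATH and that `-i terraform` selects the Terraform IaC type, and the directory layout in the test is constructed.

```shell
# tf_plan_roots DIR: print every directory under DIR that directly contains
# at least one .tf file, one per line, sorted and de-duplicated. These are
# the directories a `terraform plan` (and so a terrascan terraform scan)
# would be run from; parent folders holding only sub-directories are skipped.
tf_plan_roots() {
  find "$1" -type f -name '*.tf' -exec dirname '{}' \; | sort -u
}

# scan_tf_tree DIR: run terrascan in each plan root under DIR instead of once
# at the top level, so a folder such as ./terraform that only contains
# aws/, gcp/ and azure/ never produces "has no terraform config files".
# Returns the number of per-directory scans that exited non-zero (capped at
# 255 because shell return codes are one byte), so it can gate a CI step.
scan_tf_tree() {
  roots=$(mktemp)
  tf_plan_roots "$1" > "$roots"
  failed=0
  scanned=0
  # Read line by line rather than word-splitting, so paths with spaces work.
  while IFS= read -r dir; do
    scanned=$((scanned + 1))
    echo "== terrascan scan -d $dir -i terraform"
    terrascan scan -d "$dir" -i terraform || failed=$((failed + 1))
  done < "$roots"
  rm -f "$roots"
  echo "== $scanned plan root(s) scanned, $failed with violations or errors"
  [ "$failed" -gt 255 ] && failed=255
  return "$failed"
}
```

Invoke it as `scan_tf_tree ./terraform`; each plan root then gets its own report, and the exit status is non-zero when any of them failed.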
