
Scanning remote modules doesn't have same results as for scanning Terraform plan itself #923

Closed
d47zm3 opened this issue Jul 8, 2021 · 2 comments

Comments

@d47zm3

d47zm3 commented Jul 8, 2021

  • terrascan version: v1.8.0
  • Operating System: macOS Big Sur (Darwin Kernel Version 20.3.0)

Description

I ran terrascan using a remote VPC module:

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 3.0"

  name = "${var.project_name}-${var.environment}"
  cidr = var.vpc_cidr

  azs             = var.aws_azs
  private_subnets = var.vpc_private_subnets_cidr
  public_subnets  = var.vpc_public_subnets_cidr
}

No problems were found; however, there should be something. When I generated a plan file and converted it to JSON, the scan resulted in some warnings.

What I Did

# simple scan
terrascan scan .


Scan Summary -

        File/Folder         :   terraform-module-vpc
        IaC Type            :   all
        Scanned At          :   2021-07-08 07:28:57.908152 +0000 UTC
        Policies Validated  :   3
        Violated Policies   :   0
        Low                 :   0
        Medium              :   0
        High                :   0

# generate plan and scan it
terraform plan --out tfplan.binary
terraform show -json tfplan.binary > tfplan.json
terrascan scan --iac-type tfplan --iac-file tfplan.json


Violation Details -

        Description    :        Ensure VPC flow logging is enabled in all VPCs
        File           :
        Line           :        0
        Severity       :        LOW
        -----------------------------------------------------------------------


Scan Summary -

        File/Folder         :   terraform-module-vpc/tfplan.json
        IaC Type            :   tfplan
        Scanned At          :   2021-07-08 07:30:37.003246 +0000 UTC
        Policies Validated  :   2
        Violated Policies   :   1
        Low                 :   1
        Medium              :   0
        High                :   0

@kanchwala-yusuf
Contributor

Hey @d47zm3 ,

Your observation is correct. But that is the exact reason we have two different approaches. Terrascan, being a static code analyzer, tries its best to resolve Terraform references, but there's a possibility that some of those references remain unresolved.

So the workaround for this is to scan the Terraform plan JSON, which has all the values resolved, with terrascan.

As you see there is a difference between the two approaches and hence the results.
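To make the difference concrete, here is an added example (not terrascan's own Rego policy and not code from the issue author): a small Python check that walks the `planned_values` block of a `terraform show -json` document, where the remote module's resources appear resolved, and reports planned VPCs that have no flow log planned in the same module, the condition behind the LOW finding above. The plan document is a constructed sample embedded inline, and linking a VPC to a flow log by module scope is this example's own heuristic.

```python
"""Added illustration, not terrascan's own Rego policy: apply the page's
"VPC flow logging is enabled" check to a terraform show -json plan. The plan
carries every resource the remote module creates, with values resolved, which
is why the tfplan scan sees the VPC while the HCL scan of the caller does not."""
import json

def make_plan(with_flow_log):
    """Build a constructed plan document shaped like terraform show -json
    output, with the vpc module's resources under planned_values."""
    resources = [
        {"address": "module.vpc.aws_vpc.this[0]", "type": "aws_vpc",
         "values": {"cidr_block": "10.0.0.0/16"}},
        {"address": "module.vpc.aws_subnet.private[0]",
         "type": "aws_subnet", "values": {"cidr_block": "10.0.1.0/24"}},
    ]
    if with_flow_log:  # shape of the plan once the module also creates a flow log
        resources.append({"address": "module.vpc.aws_flow_log.this[0]",
                          "type": "aws_flow_log", "values": {"traffic_type": "ALL"}})
    return json.dumps({"format_version": "0.2", "planned_values": {
        "root_module": {"child_modules": [
            {"address": "module.vpc", "resources": resources}]}}})

def iter_resources(module, path=""):
    """Yield (module address, resource) for every planned resource,
    descending through nested child_modules; the root module has no address."""
    for res in module.get("resources", []):
        yield path, res
    for child in module.get("child_modules", []):
        yield from iter_resources(child, child.get("address", path))

def vpcs_without_flow_logs(plan_json):
    """Return addresses of planned aws_vpc resources with no aws_flow_log
    planned in the same module. Module scope is the link (a heuristic of this
    example) because a flow log's vpc_id is still unknown at plan time when
    the VPC is created in the same run, so it cannot be matched by value."""
    plan = json.loads(plan_json)
    found = list(iter_resources(plan["planned_values"]["root_module"]))
    logged = {path for path, res in found if res["type"] == "aws_flow_log"}
    return sorted(res["address"] for path, res in found
                  if res["type"] == "aws_vpc" and path not in logged)

if __name__ == "__main__":
    print("unlogged VPCs, defaults:", vpcs_without_flow_logs(make_plan(False)))
    print("unlogged VPCs, with flow log:", vpcs_without_flow_logs(make_plan(True)))
```

Run against a real plan, the same walk shows why the HCL-only scan of the calling directory reports nothing: the `aws_vpc` resource only exists once the remote module has been fetched and its values resolved into the plan.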

@d47zm3
Author

d47zm3 commented Jul 16, 2021

OK, thanks for the clarification.

@d47zm3 d47zm3 closed this as completed Jul 16, 2021