How to ignore rules onto whole module included into HCL file #983

Closed
gueux opened this issue Aug 12, 2021 · 2 comments

gueux commented Aug 12, 2021

  • terrascan version: v1.9.0
  • Operating System: MacOs 10.15.4

Description

I'm trying to ignore some rules for a specific module included in my IaC.

What I Did

Here is my HCL file s3.tf

#ts:skip=AC_AWS_0207
#ts:skip=AC_AWS_0214
#ts:skip=AC_AWS_0497
#ts:maxseverity=None
module "backup_operator_s3_bucket" {
  count = var.backup_operator_enabled ? 1 : 0

  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "~> 1.25"

  bucket               = lower(format("backup-operator-%s", var.cluster_spec.name))
  acl                  = "private"
  attach_public_policy = false

  logging = {
    target_bucket = local.backup_storage_logging_bucket
    target_prefix = format("Access_Log/S3/backup-operator-%s/", lower(var.cluster_spec.name))
  }

  server_side_encryption_configuration = {
    rule = {
      apply_server_side_encryption_by_default = {
        sse_algorithm = "AES256"
      }
    }
  }
}

And every time I get the following failures:

Violation Details -

	Description    :	Ensure S3 buckets have access logging enabled.
	File           :	.terraform/modules/backup_operator_s3_bucket/main.tf
	Module Name    :	backup_operator_s3_bucket
	Plan Root      :	./
	Line           :	5
	Severity       :	MEDIUM
	Rule Name      :	s3BucketAccessLoggingDisabled
	Rule ID        :	AC_AWS_0497
	Resource Name  :	this
	Resource Type  :	aws_s3_bucket
	Category       :	Logging and Monitoring

	-----------------------------------------------------------------------

	Description    :	Ensure that S3 Buckets have server side encryption at rest enabled with KMS key to protect sensitive data.
	File           :	.terraform/modules/backup_operator_s3_bucket/main.tf
	Module Name    :	backup_operator_s3_bucket
	Plan Root      :	./
	Line           :	5
	Severity       :	HIGH
	Rule Name      :	s3BucketSseRulesWithKmsNull
	Rule ID        :	AC_AWS_0207
	Resource Name  :	this
	Resource Type  :	aws_s3_bucket
	Category       :	Data Protection

	-----------------------------------------------------------------------

	Description    :	Enabling S3 versioning will enable easy recovery from both unintended user actions, like deletes and overwrites
	File           :	.terraform/modules/backup_operator_s3_bucket/main.tf
	Module Name    :	backup_operator_s3_bucket
	Plan Root      :	./
	Line           :	5
	Severity       :	HIGH
	Rule Name      :	s3Versioning
	Rule ID        :	AC_AWS_0214
	Resource Name  :	this
	Resource Type  :	aws_s3_bucket
	Category       :	Resilience

	-----------------------------------------------------------------------

So it seems the included module's resources don't inherit the "skip" labels. Is there any way to make this work?

cesar-rodriguez (Contributor) commented Aug 14, 2021

Hi @gueux,

Currently rule skipping doesn't work within Terraform modules unless it's performed using the skip-rules flag, but that would also skip the rules for all other resources in your template. Here's an example:

$ terrascan scan -i terraform --skip-rules AC_AWS_0207,AC_AWS_0214,AC_AWS_0497
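
Since `#ts:skip` comments are not applied to resources inside a module and `--skip-rules` suppresses a rule for every resource in the scan, one way to get per-module suppression is to post-process terrascan's JSON report. The script below is an added example, not part of terrascan and not from either participant: it reads the output of `terrascan scan -i terraform -o json`, moves violations whose `module_name` and `rule_id` both appear in a hypothetical allow-list into `skipped_violations`, leaves the same rule enforced in every other module, and recomputes the summary counters. The embedded report is constructed from the text output quoted in the issue; the JSON field names (`results.violations[].module_name`, `rule_id`, `scan_summary`) are assumed to match terrascan's JSON reporter, and the `skip_comment` annotation and `MODULE_SKIPS` map are this example's own.

```python
"""Per-module suppression of terrascan findings (added example, not terrascan code).

Reads a terrascan JSON report and drops only the (module_name, rule_id) pairs
listed in MODULE_SKIPS, so a rule skipped for one module stays active elsewhere.
"""
import json
import sys
from typing import Dict, Set

# Constructed sample report, modelled on the issue's text output. Field names are
# assumed to follow terrascan's JSON reporter (`terrascan scan -o json`).
SAMPLE_REPORT = json.dumps({
    "results": {
        "violations": [
            {"rule_name": "s3BucketAccessLoggingDisabled", "rule_id": "AC_AWS_0497",
             "severity": "MEDIUM", "category": "Logging and Monitoring",
             "resource_name": "this", "resource_type": "aws_s3_bucket",
             "module_name": "backup_operator_s3_bucket",
             "file": ".terraform/modules/backup_operator_s3_bucket/main.tf",
             "plan_root": "./", "line": 5},
            {"rule_name": "s3BucketSseRulesWithKmsNull", "rule_id": "AC_AWS_0207",
             "severity": "HIGH", "category": "Data Protection",
             "resource_name": "this", "resource_type": "aws_s3_bucket",
             "module_name": "backup_operator_s3_bucket",
             "file": ".terraform/modules/backup_operator_s3_bucket/main.tf",
             "plan_root": "./", "line": 5},
            # Same rule hit in the root module: this one must survive the filter.
            {"rule_name": "s3BucketSseRulesWithKmsNull", "rule_id": "AC_AWS_0207",
             "severity": "HIGH", "category": "Data Protection",
             "resource_name": "audit", "resource_type": "aws_s3_bucket",
             "module_name": "root", "file": "s3.tf", "plan_root": "./", "line": 12},
        ],
        "skipped_violations": [],
        "scan_summary": {"violated_policies": 3, "low": 0, "medium": 1, "high": 2},
    }
})

# Hypothetical allow-list: module block label -> rule IDs accepted for that module only.
MODULE_SKIPS: Dict[str, Set[str]] = {
    "backup_operator_s3_bucket": {"AC_AWS_0207", "AC_AWS_0214", "AC_AWS_0497"},
}


def filter_report(report: dict, module_skips: Dict[str, Set[str]]) -> dict:
    """Return a new report with per-module skips applied.

    A violation is moved to skipped_violations only when BOTH its module_name and
    its rule_id are listed; summary counters are recomputed from what remains.
    """
    results = report["results"]
    kept, skipped = [], list(results.get("skipped_violations", []))
    for v in results.get("violations", []):
        if v.get("rule_id") in module_skips.get(v.get("module_name", ""), set()):
            # skip_comment is this example's own annotation, not a terrascan field.
            skipped.append(dict(v, skip_comment="per-module allow-list"))
        else:
            kept.append(v)
    summary = dict(results.get("scan_summary", {}))
    summary["violated_policies"] = len(kept)
    for level in ("low", "medium", "high"):
        summary[level] = sum(1 for v in kept if v.get("severity", "").lower() == level)
    return {"results": {**results, "violations": kept,
                        "skipped_violations": skipped, "scan_summary": summary}}


def remaining_rule_ids(report: dict) -> list:
    """Rule IDs still violated after filtering, in report order."""
    return [v["rule_id"] for v in report["results"]["violations"]]


def filter_sample() -> dict:
    """Run the filter over the constructed sample report."""
    return filter_report(json.loads(SAMPLE_REPORT), MODULE_SKIPS)


def main(argv) -> int:
    # Usage: terrascan scan -i terraform -o json | python filter_terrascan.py
    raw = sys.stdin.read() if len(argv) < 2 else open(argv[1]).read()
    filtered = filter_report(json.loads(raw), MODULE_SKIPS)
    json.dump(filtered, sys.stdout, indent=2)
    # Non-zero exit while any real finding remains, so CI still fails on root-module hits.
    return 1 if filtered["results"]["violations"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The filter keys on the `Module Name` terrascan reports, which is the label of the `module` block (`backup_operator_s3_bucket` above), so the allow-list can be kept next to the module definition it justifies; the root-module AC_AWS_0207 finding in the sample is deliberately left standing to show the difference from `--skip-rules`.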

gueux (Author) commented Sep 2, 2021

Got it. Using exactly the above-mentioned workaround.
