
accurics.azure.AKS.3 is defective #711

Closed
xortim opened this issue Apr 29, 2021 · 0 comments · Fixed by #712
Labels: policy (Issue concerning policy maintainers.)

Comments

xortim (Contributor) commented Apr 29, 2021

  • terrascan version: 1.50
  • Operating System: all

Description

I am using terrascan to interrogate a Terraform plan file. When attempting to resolve the HIGH severity error produced by terrascan with regard to resource locks on Azure resources, the provided rule does not compare the relevant components to determine whether a lock is present.

What I Did

main.tf

# Input variables declared here so the file plans stand-alone
# (the original snippet referenced var.sku and var.admin_enabled without declaring them).
variable "sku" {
  type    = string
  default = "Basic"
}

variable "admin_enabled" {
  type    = bool
  default = false
}

locals {
  name_prefix = "prefix"
  name_suffix = "suffix"
}

resource "azurerm_container_registry" "this" {
  name                = "${local.name_prefix}acr${local.name_suffix}"
  resource_group_name = "resource_group_name"
  location            = "eastus"

  sku           = var.sku
  admin_enabled = var.admin_enabled
}

# The lock's scope points at the registry's id; this is the relationship the rule should check.
resource "azurerm_management_lock" "this" {
  name       = "${local.name_prefix}acr${local.name_suffix}"
  scope      = azurerm_container_registry.this.id
  lock_level = "CanNotDelete"
  notes      = "Managed by terraform. Locked for the warm and fuzzies"
}

This rule is triggered as a violation: containerRegistryResourceLock.rego

I enabled debugging mode and grabbed the "expected" result and decoded it.

{
    "reme_containerRegistryResourceLock": [
        {
            "Actual": null,
            "Attribute": "",
            "AttributeDataType": "resource",
            "CodeType": "resource",
            "Expected": "cmVzb3VyY2UgImF6dXJlcm1fbWFuYWdlbWVudF9sb2NrIiAidGhpcyIgewogIG5hbWUgICAgICAgPSAiYXp1cmVybV9tYW5hZ2VtZW50X2xvY2sudGhpcyIKICBzY29wZSAgICAgID0gYXp1cmVybV9jb250YWluZXJfcmVnaXN0cnkudGhpcy5pZAogIGxvY2tfbGV2ZWwgPSAiQ2FuTm90RGVsZXRlIgogICMgYXp1cmVybV9tYW5hZ2VtZW50X2xvY2sgZG9lcyBub3QgY29udGFpbiB0YWdzLCBhbmQgd2UgY2Fubm90IG1hdGNoIHRoZW0gbm90IHVubGVzcyB0aGUgcmVzb3VyY2UgaXMgZGVwbG95ZWQgaW4gdGhlIGNsb3VkLgogIG5vdGVzICAgICAgPSAiQ2Fubm90IERlbGV0ZSBSZXNvdXJjZSIKfQ==",
            "Id": "azurerm_container_registry.this",
            "ReplaceType": "add",
            "Traverse": ""
        }
    ]
}

The expected lock resource is:

resource "azurerm_management_lock" "this" {
  name       = "azurerm_management_lock.this"
  scope      = azurerm_container_registry.this.id
  lock_level = "CanNotDelete"
  # azurerm_management_lock does not contain tags, and we cannot match them not unless the resource is deployed in the cloud.
  notes      = "Cannot Delete Resource"
}
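The comparison the issue says the rule omits is "does some azurerm_management_lock's scope point at this registry's id?". The following is an added illustration of that check, not terrascan's containerRegistryResourceLock.rego and not code from the issue author. It works on a constructed, simplified subset of Terraform configuration JSON, where a resource's expressions carry either a `constant_value` or a list of `references` (assumption: real `terraform show -json` output nests these fields more deeply). The three sample configs (the issue's main.tf, one with no lock, and one whose lock scope is a hard-coded placeholder ARM id) are constructed here.

```python
"""Static check: is each azurerm_container_registry covered by a management lock?

Added illustration (not terrascan's rule). It matches a lock's `scope` reference
back to the registry resource it protects, which is the comparison the issue
says the policy does not perform. Input is a constructed, simplified subset of
Terraform configuration JSON.
"""
import re
from typing import Dict, List, Set

# Lock levels that block deletion of the scoped resource.
DELETE_PREVENTING_LEVELS = {"CanNotDelete", "ReadOnly"}

# Reference expressions look like "<type>.<name>.id" or "<type>.<name>".
REF_RE = re.compile(r"^(azurerm_[a-z0-9_]+)\.([A-Za-z0-9_-]+)(?:\.id)?$")


def _resource(rtype: str, name: str, expressions: Dict) -> Dict:
    return {"type": rtype, "name": name, "expressions": expressions}


def _registry() -> Dict:
    # Mirrors azurerm_container_registry.this from the issue's main.tf.
    return _resource("azurerm_container_registry", "this",
                     {"name": {"references": ["local.name_prefix", "local.name_suffix"]}})


# Constructed sample 1: lock scope references the registry's id (issue's main.tf).
SAMPLE_CONFIG = {"resources": [
    _registry(),
    _resource("azurerm_management_lock", "this", {
        "scope": {"references": ["azurerm_container_registry.this.id",
                                 "azurerm_container_registry.this"]},
        "lock_level": {"constant_value": "CanNotDelete"},
    }),
]}

# Constructed sample 2: no lock at all.
NO_LOCK_CONFIG = {"resources": [_registry()]}

# Constructed sample 3: lock scope is a hard-coded ARM id (placeholder value).
# A static check cannot prove it points at the registry, so it is not credited.
LITERAL_SCOPE_CONFIG = {"resources": [
    _registry(),
    _resource("azurerm_management_lock", "literal", {
        "scope": {"constant_value": "/subscriptions/<placeholder>/resourceGroups/rg"
                                    "/providers/Microsoft.ContainerRegistry/registries/acr"},
        "lock_level": {"constant_value": "CanNotDelete"},
    }),
]}


def locked_addresses(config: Dict) -> Set[str]:
    """Return '<type>.<name>' addresses protected by a delete-preventing lock."""
    covered: Set[str] = set()
    for res in config["resources"]:
        if res["type"] != "azurerm_management_lock":
            continue
        exprs = res.get("expressions", {})
        level = exprs.get("lock_level", {}).get("constant_value")
        if level not in DELETE_PREVENTING_LEVELS:
            continue
        # Only symbolic references can be tied back to a resource in the config.
        for ref in exprs.get("scope", {}).get("references", []):
            match = REF_RE.match(ref)
            if match:
                covered.add(f"{match.group(1)}.{match.group(2)}")
    return covered


def unlocked_resources(config: Dict, rtype: str = "azurerm_container_registry") -> List[str]:
    """Addresses of resources of `rtype` that no lock in the config points at."""
    covered = locked_addresses(config)
    return [f"{r['type']}.{r['name']}"
            for r in config["resources"]
            if r["type"] == rtype and f"{r['type']}.{r['name']}" not in covered]


if __name__ == "__main__":
    for label, cfg in [("issue main.tf", SAMPLE_CONFIG),
                       ("no lock", NO_LOCK_CONFIG),
                       ("literal scope", LITERAL_SCOPE_CONFIG)]:
        print(f"{label}: unlocked = {unlocked_resources(cfg)}")
```

With the issue's main.tf shape the registry is reported as covered, so no violation would be raised; the config without a lock is flagged, and so is the one with a literal scope, which a plan-time check cannot safely credit because the id only resolves once the resource exists in the cloud.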