aws_instance lack of declared "encrypted" flag for root_block_device or ebs_block_device causes incorrect stash #416
Thanks for reporting this bug! Here's my take on it: #417 The default value of

Thanks for getting back to me quickly! I understand your reference, but am confused at how you determined the default value, as the terraform docs here aws_instance indicate that the default value for ebs_block_device and root_block_device are both Being able to account for situations where

3. A lot of my enforcement of tests still stems from a need to determine the difference between a also, on one of my resources, where I do not declare a root_block_device at all,

I think we fixed this issue on
@eerkunt @Kudbettin YES! This works, see below for confirmation. This is exactly what we need. Thanks so much!!! I see your changes in terraform.py as well as helper.py. After posting my issue, I took a look into the code and saw how you were populating the values via the after block in

Much of what we are running Terraform-Compliance against is living infrastructure where additions are being made as well as full new deployments. We can't fail on resources if the fix is resource destroying/recreation, but want to focus on the resources at deployment where we have the most flexibility to flag failures. We plan to run terraform-compliance against state files to clear up legacy compliance issues that require changes outside of Terraform, but need to heavily enforce on GitHub repos where we have junior-level devs deploying code.

We are running with Atlantis via GitHub PRs, feeding a one-liner for terraform-compliance directly into the plan step via the atlantis.yaml and passing the planfile that Atlantis produces directly into terraform-compliance. We are looking to enforce checks via protected GitHub branches, with terraform-compliance influencing the pass/fail of the Atlantis check and outputting our results in the same gitbot message Atlantis uses. I'd be happy to show you how we sort and format our output, and how we are using terraform-compliance. Thanks to the updated silent mode we are now very contextual! This whole deploy pattern works, we just need to scan on

[Output table from the comment: TEST OF PR CHANGES | FEATURES | TERRAFORM RESOURCES | RESULTS]
Please see the full code and troubleshooting on 410, but the logic for how the encrypted field gets added to root_block_device or ebs_block_device when one or the other is null: the default value should be false, and this is confirmed in the JSON file generated from terraform plan; however, terraform-compliance is passing the value of one to the other if the other is left blank. This has caused issues with rule writing and false positives and false negatives. Thanks!
#410
```gherkin
Scenario: root_block_device must be configured on all non bastion hosts
Given I have aws_instance defined
When its name is not bastion
Then it must have root_block_device
And it must have encrypted        # <-- skips here
And its value must be true        # <-- skips here
When its name is not bastion
```
```hcl
resource "aws_instance" "root_block_encrypted__field_missing" {
  ami                         = "ami-003634241a8fcdec0"
  instance_type               = "t2.medium"
  key_name                    = "tfcompliance_inf"
  disable_api_termination     = true
  monitoring                  = true
  ebs_optimized               = true
  associate_public_ip_address = false
  security_groups             = [aws_security_group.ingress_host.id, aws_security_group.egress_host.id]

  root_block_device {
    volume_size = 200
    volume_type = "gp2"
  }

  ebs_block_device {
    device_name           = "/dev/sdb"
    volume_size           = 1000
    volume_type           = "gp2"
    delete_on_termination = true
    encrypted             = true
  }

  tags = {
    budget-area = "security"
    group       = "cybersecurity"
  }
}
```
```jsonc
{
  "address": "aws_instance.root_block_encrypted__field_missing",
  // REDACTED FOR BREVITY
  "disable_api_termination": true,
  "ebs_block_device": [
    {
      "delete_on_termination": true,
      "device_name": "/dev/sdb",
      "encrypted": true,
      "volume_size": 1000,
      "volume_type": "gp2"
    }
  ],
  "ebs_optimized": true,
  "get_password_data": false,
  "hibernation": null,
  "iam_instance_profile": null,
  "instance_initiated_shutdown_behavior": null,
  "instance_type": "t2.medium",
  "key_name": "tfcompliance_inf",
  "monitoring": true,
  "root_block_device": [
    {
      "delete_on_termination": true,
      "volume_size": 200,
      "volume_type": "gp2"   // <<<< NO ENCRYPTION IN THE PLAN JSON, terraform-compliance sees it as true
    }
  ],
  // REDACTED FOR BREVITY
```
```hcl
resource "aws_instance" "ebs_encrypted_not_present" {
  ami             = "ami-003634241a8fcdec0"
  instance_type   = "t2.medium"
  key_name        = "tfcompliance_inf"
  security_groups = [aws_security_group.ingress_host.id, aws_security_group.egress_host.id]

  root_block_device {
    volume_size = 200
    volume_type = "gp2"
    encrypted   = true
  }

  ebs_block_device {
    device_name           = "/dev/sdg"
    volume_size           = 50
    volume_type           = "gp2"
    delete_on_termination = true
  }

  tags = {
    budget-area = "security"
    group       = "Cybersecurity"
  }
}
```
```jsonc
{
  "address": "aws_instance.ebs_encrypted_not_present",
  // REDACTED FOR BREVITY
  "ebs_block_device": [
    {
      "delete_on_termination": true,
      "device_name": "/dev/sdg",
      "volume_size": 50,
      "volume_type": "gp2"
    },
    {
      "encrypted": true,   // <<<< SHOWS AS TRUE IN STASH
      "iops": true,
      "kms_key_id": true,
      "snapshot_id": true,
      "volume_id": true
    }
  ],
  "ebs_optimized": null,
  "get_password_data": false,
  "hibernation": null,
  "iam_instance_profile": null,
  "instance_initiated_shutdown_behavior": null,
  "instance_type": "t2.medium",
  "key_name": "tfcompliance_inf",
  "monitoring": null,
  "root_block_device": [
    {
      "delete_on_termination": true,
      "encrypted": true,
      "volume_size": 200,
      "volume_type": "gp2"
    },
    {
      "device_name": true,
      "iops": true,
      "kms_key_id": true,
      "volume_id": true
    }
  ],
```
```json
{
  "address": "aws_instance.ebs_encrypted_not_present",
  "mode": "managed",
  "type": "aws_instance",
  "name": "ebs_encrypted_not_present",
  "provider_name": "aws",
  "schema_version": 1,
  "values": {
    "ami": "ami-003634241a8fcdec0",
    "credit_specification": [],
    "disable_api_termination": null,
    "ebs_block_device": [
      {
        "delete_on_termination": true,
        "device_name": "/dev/sdg",
        "volume_size": 50,
        "volume_type": "gp2"
      }
    ],
    "ebs_optimized": null,
    "get_password_data": false,
    "hibernation": null,
    "iam_instance_profile": null,
    "instance_initiated_shutdown_behavior": null,
    "instance_type": "t2.medium",
    "key_name": "tfcompliance_inf",
    "monitoring": null,
    "root_block_device": [
      {
        "delete_on_termination": true,
        "encrypted": true,
        "volume_size": 200,
        "volume_type": "gp2"
      }
    ],
```
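The second element with `"encrypted": true, "iops": true, "kms_key_id": true, ...` in the stash above is the shape of `change.after_unknown` from `terraform show -json`, where a `true` leaf means "this attribute is computed and unknown until apply", not that the attribute has the value true. The following Python is an added example, not terraform-compliance's own code and not from the issue author: it reads a constructed plan fragment modelled on the two resources in this issue and merges `after` with `after_unknown` two ways, the naive concatenation that produces the phantom `encrypted: true` element, and a shape-aware merge that keeps "unknown" distinct from `true` so a policy check can fail closed. The plan fragment, the `UNKNOWN` sentinel and the function names (`naive_merge`, `merge_unknown`, `audit`, `violations`) are this example's own.

```python
"""Added example, not terraform-compliance's own code: merge `after` and
`after_unknown` from `terraform show -json` output two ways and audit the
block-device `encrypted` attribute. A `true` inside `after_unknown` marks an
attribute as computed (unknown until apply); it is not the attribute's value.
"""
import json

# Constructed plan fragment mirroring the two resources in the issue; it
# carries only the fields this example needs.
PLAN_JSON = json.dumps({"format_version": "0.1", "resource_changes": [
    {"address": "aws_instance.root_block_encrypted__field_missing",
     "type": "aws_instance", "change": {"actions": ["create"],
        "after": {
            "root_block_device": [{"delete_on_termination": True,
                                   "volume_size": 200, "volume_type": "gp2"}],
            "ebs_block_device": [{"delete_on_termination": True, "device_name": "/dev/sdb",
                                  "encrypted": True, "volume_size": 1000, "volume_type": "gp2"}]},
        "after_unknown": {"id": True,
            "root_block_device": [{"device_name": True, "encrypted": True, "iops": True,
                                   "kms_key_id": True, "volume_id": True}],
            "ebs_block_device": [{"iops": True, "kms_key_id": True,
                                  "snapshot_id": True, "volume_id": True}]}}},
    {"address": "aws_instance.ebs_encrypted_not_present",
     "type": "aws_instance", "change": {"actions": ["create"],
        "after": {
            "root_block_device": [{"delete_on_termination": True, "encrypted": True,
                                   "volume_size": 200, "volume_type": "gp2"}],
            "ebs_block_device": [{"delete_on_termination": True, "device_name": "/dev/sdg",
                                  "volume_size": 50, "volume_type": "gp2"}]},
        "after_unknown": {"id": True,
            "root_block_device": [{"device_name": True, "iops": True,
                                   "kms_key_id": True, "volume_id": True}],
            "ebs_block_device": [{"encrypted": True, "iops": True, "kms_key_id": True,
                                  "snapshot_id": True, "volume_id": True}]}}},
]})

UNKNOWN = "<unknown until apply>"  # sentinel for computed attributes


def naive_merge(after, after_unknown):
    """Reproduces the bug: take the `true` markers as values and append the
    unknown-only blocks as extra list elements (the phantom entry in the stash)."""
    if not (isinstance(after, dict) and isinstance(after_unknown, dict)):
        return after
    merged = dict(after)
    for key, unk in after_unknown.items():
        if isinstance(merged.get(key), list) and isinstance(unk, list):
            merged[key] = merged[key] + unk
        else:
            merged[key] = unk
    return merged


def merge_unknown(after, after_unknown):
    """Shape-aware merge: after_unknown mirrors the structure of after, so walk
    both together and record UNKNOWN wherever a `true` leaf sits."""
    if after_unknown is True:
        return UNKNOWN
    if isinstance(after_unknown, dict):
        base = after if isinstance(after, dict) else {}
        merged = dict(base)
        for key, unk in after_unknown.items():
            merged[key] = merge_unknown(base.get(key), unk)
        return merged
    if isinstance(after_unknown, list):
        base = after if isinstance(after, list) else []
        merged = [merge_unknown(base[i] if i < len(base) else None, unk)
                  for i, unk in enumerate(after_unknown)]
        return merged + base[len(after_unknown):]
    return after  # `false` or absent: the known value stands


def classify_block_devices(values):
    """(block_type, index, status) for every root/ebs block device."""
    out = []
    for block in ("root_block_device", "ebs_block_device"):
        for idx, dev in enumerate(values.get(block) or []):
            enc = dev.get("encrypted")
            if enc is True:
                status = "encrypted"
            elif enc is False:
                status = "unencrypted"
            elif enc == UNKNOWN:
                status = "unknown"  # provider/account default decides at apply
            else:
                status = "unset"    # attribute absent from the plan
            out.append((block, idx, status))
    return out


def audit(plan_json, merge=merge_unknown):
    """Map each planned aws_instance address to its block-device statuses."""
    report = {}
    for rc in json.loads(plan_json)["resource_changes"]:
        change = rc["change"]
        if rc["type"] != "aws_instance" or change["actions"] == ["delete"]:
            continue
        values = merge(change.get("after") or {}, change.get("after_unknown") or {})
        report[rc["address"]] = classify_block_devices(values)
    return report


def violations(report):
    """Anything not explicitly encrypted fails a 'must be encrypted' policy:
    unknown means the default applies, and a default is not a guarantee."""
    return [(addr, block, idx, status) for addr, devs in report.items()
            for block, idx, status in devs if status != "encrypted"]


if __name__ == "__main__":
    for label, merge in (("naive", naive_merge), ("shape-aware", merge_unknown)):
        print(f"== {label} merge ==")
        for v in violations(audit(PLAN_JSON, merge)):
            print("  ", v)
```

Run stand-alone, the naive merge reports a bogus second block device on each resource while the real, unencrypted-by-default device shows up as "unset"; the shape-aware merge reports exactly one "unknown" device per resource (the root device of the first, the EBS device of the second), which is the finding the scenario above was trying to catch. A rule that treats "unknown" as a pass is a false negative waiting to happen, since the value is decided by the account's EBS default-encryption setting at apply time.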