This repository has been archived by the owner on Sep 3, 2024. It is now read-only.

[BUG] FG_R00252 should support arrays for condition values #379

Closed
szesch opened this issue Nov 23, 2022 · 1 comment

Comments


szesch commented Nov 23, 2022

Describe the bug
Some older Terraform modules can create IAM conditions with an array of strings instead of a string. FG_R00252 only checks for strings, so conditions with a value of type array will be flagged as a violation.

How you're running Regula
Regula v2.9.2 and Terraform v1.2.8 running against Terraform plan output.

$ regula version
v2.9.2, build b41673e, built with OPA v0.43.1

$ terraform -version
Terraform v1.2.8
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v4.40.0
+ provider registry.terraform.io/hashicorp/time v0.9.1

Operating System
Ubuntu 22.04

Steps to reproduce

terraform init
terraform plan -out plan
terraform show -json plan > plan.json
regula run --no-config --only FG_R00252 -t tf-plan plan.json

IaC Configuration

provider "aws" {
  region  = "us-east-2"
}

data "aws_caller_identity" "current" {}

data "aws_region" "current" {}

data "aws_partition" "current" {}

module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  name = "my-vpc"
  cidr = "10.0.0.0/16"

  azs             = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]

  enable_nat_gateway = false
  enable_vpn_gateway = false

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}

module "test" {
  source  = "cloudposse/vpc-flow-logs-s3-bucket/aws"
  version = "0.18.0"

  namespace = "fugue"
  stage     = "test"
  name      = "test"

  vpc_id = module.vpc.vpc_id

  kms_policy_source_json = data.aws_iam_policy_document.test.json
}

data "aws_iam_policy_document" "test" {
  statement {
    actions = [
      "kms:Decrypt"
    ]

    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    condition {
      test     = "StringEquals"
      variable = "kms:CallerAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = [format("s3.%s.amazonaws.com", data.aws_region.current.name)]
    }
  }

  statement {
    sid = "Enable IAM User Permissions"
    actions = [
      "kms:*",
    ]
    effect = "Allow"
    principals {
      type = "AWS"
      identifiers = [
        format(
          "arn:%s:iam::%s:root",
          data.aws_partition.current.partition,
          data.aws_caller_identity.current.account_id
        )
      ]
    }
    resources = ["*"]
  }
}
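
The policy above attaches a wildcard principal to two `StringEquals` conditions, which is exactly the shape the rule mis-handles when the condition value arrives as a list. The following is an added example, not Regula's Rego and not the reporter's code, showing how a checker can normalize IAM condition values so the string and list forms are evaluated alike. It assumes the rule's intent is to flag Allow statements with a wildcard principal unless a concrete kms:CallerAccount condition scopes them; the account id and statements are constructed samples.

```python
import copy

# Constructed sample statements (not from the issue): the same KMS key policy
# statement with the kms:CallerAccount condition value rendered as a string
# (the only form the original rule handled) and as a one-element list (the
# form older Terraform modules emit).
STRING_FORM = {
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": "kms:Decrypt",
    "Resource": "*",
    "Condition": {"StringEquals": {"kms:CallerAccount": "123456789012"}},
}
LIST_FORM = copy.deepcopy(STRING_FORM)
LIST_FORM["Condition"]["StringEquals"]["kms:CallerAccount"] = ["123456789012"]
UNSCOPED = copy.deepcopy(STRING_FORM)
del UNSCOPED["Condition"]


def as_list(value):
    """IAM JSON allows a scalar or a list almost everywhere; normalize to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def condition_values(statement, operator, key):
    """Values of Condition[operator][key], whatever shape the JSON used."""
    block = statement.get("Condition", {}).get(operator, {})
    return as_list(block.get(key))


def has_wildcard_principal(statement):
    principal = statement.get("Principal")
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS"))


def scoped_to_account(statement):
    """True if a concrete (non-wildcard) kms:CallerAccount restriction exists."""
    values = condition_values(statement, "StringEquals", "kms:CallerAccount")
    return bool(values) and "*" not in values


def violations(policy):
    """Indices of Allow statements open to any principal and not account-scoped."""
    return [
        i for i, stmt in enumerate(policy.get("Statement", []))
        if stmt.get("Effect") == "Allow"
        and has_wildcard_principal(stmt)
        and not scoped_to_account(stmt)
    ]
```

With the normalization in place, `STRING_FORM` and `LIST_FORM` both pass, while the statement with no condition is still reported.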

szesch commented Feb 6, 2023

Addressed in #380

@szesch szesch closed this as completed Feb 6, 2023