Was going through MITRE ATTACK matrix for AWS.
There is a technique (T1190) unde Tactic: Initial Access.
Considering a scenario for Web Application using CloudFront, it is the first step for Mitigation of above Technique.

The latest version of the GitHub provider deprecates the usage of private in favor of the visibility configuration. Following this advice Terrascan complains with accurics.gcp.IAM.145 as only the private configuration seems to be recognized. privateRepoEnabled.rego should be extended to also allow the usage of the visibility = "private" configuration instead of private.

I am having a hard time just testing terrascan. I am very interested in playing with it, but can't quite get the built in unittests to run successfully. Thoughts?

[jrat@centos7 terrascan]$ python -m unittest tests.test_logging_and_monitoring.TestLoggingAndMonitoring

Traceback (most recent call last): File "/usr/lib64/python2.7/runpy.py", line 162, in _run_module_as_main "__main__", fname, loader, pkg_name) File "/usr/lib64/python2.7/runpy.py", line 72, in _run_code exec code in run_globals File "/usr/lib64/python2.7/unittest/__main__.py", line 12, in <module> main(module=None) File "/usr/lib64/python2.7/unittest/main.py", line 94, in __init__ self.parseArgs(argv) File "/usr/lib64/python2.7/unittest/main.py", line 149, in parseArgs self.createTests() File "/usr/lib64/python2.7/unittest/main.py", line 158, in createTests self.module) File "/usr/lib64/python2.7/unittest/loader.py", line 128, in loadTestsFromNames suites = [self.loadTestsFromName(name, module) for name in names] File "/usr/lib64/python2.7/unittest/loader.py", line 100, in loadTestsFromName parent, obj = obj, getattr(obj, part) AttributeError: 'module' object has no attribute 'test_logging_and_monitoring' [jrat@centos7 terrascan]$ vi terrascan/test_logging_and_monitoring.py

• terrascan version: n/a
• Operating System:n/a

Description

It looks like on the 1.0 update (#284) that a 20MB binary file slipped it and is now in cmd/terrascan/terrascan It seems like this should be removed. It's probably too late to clean up history and reduce the repo size, but at least avoiding having it checked out on the mainline branch seems like a good cleanup.

What I Did

MacBook-Pro:terrascan user$ file cmd/terrascan/terrascan
cmd/terrascan/terrascan: Mach-O 64-bit executable x86_64
MacBook-Pro:terrascan user$ ls -l cmd/terrascan/terrascan
-rwxr-xr-x  1 user  staff  20938316 Oct 26 11:08 cmd/terrascan/terrascan

Description

We should add support for Helm as an IaC provider.

• terrascan version: 0.1.0
• Python version: Python 3.5.3
• Operating System: Debian 9

Description

I get errors with the security group tests.

sample tf:

resource "aws_security_group_rule" "integration_allow_ssh_from_bastion" {
  security_group_id        = "${aws_security_group.integration.id}"
  source_security_group_id = "${aws_security_group.bastion.id}"
  from_port                = 22
  to_port                  = 22
  protocol                 = "tcp"
  protocol                 = -1
  type                     = "ingress"
}

What I Did

terrascan --location . --tests all
...
Running security_group Tests
...EE
======================================================================
ERROR: test_aws_security_group_inline_rule_open (terrascan.checks.security_group.TestSecurityGroups)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/blopez/.local/lib/python3.5/site-packages/terrascan/checks/security_group.py", line 52, in test_aws_security_group_inline_rule_open
    'cidr_blocks').list_should_not_contain('0.0.0.0/0')
  File "/home/blopez/.local/lib/python3.5/site-packages/terraform_validate/terraform_validate.py", line 80, in property
    if property_name in property.property_value.keys():
AttributeError: 'list' object has no attribute 'keys'

======================================================================
ERROR: test_aws_security_group_rule_open (terrascan.checks.security_group.TestSecurityGroups)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/blopez/.local/lib/python3.5/site-packages/terrascan/checks/security_group.py", line 44, in test_aws_security_group_rule_open
    'cidr_blocks').list_should_not_contain('0.0.0.0/0')
  File "/home/blopez/.local/lib/python3.5/site-packages/terraform_validate/terraform_validate.py", line 167, in list_should_not_contain
    actual_property_value = self.validator.substitute_variable_values_in_string(property.property_value)
  File "/home/blopez/.local/lib/python3.5/site-packages/terraform_validate/terraform_validate.py", line 504, in substitute_variable_values_in_string
    variable_default_value = self.get_terraform_variable_value(a.variable)
  File "/home/blopez/.local/lib/python3.5/site-packages/terraform_validate/terraform_validate.py", line 493, in get_terraform_variable_value
    raise TerraformVariableException("There is no Terraform variable '{0}'".format(variable))
terraform_validate.terraform_validate.TerraformVariableException: There is no Terraform variable ''

----------------------------------------------------------------------

Is it possible to add terrascan as a homebrew and Chocolatey package?

See:
https://docs.brew.sh/Adding-Software-to-Homebrew
https://chocolatey.org/docs/create-packages

• terrascan version: 2.5.0 (latest in pip)
• Python version: 3.6.5
• Operating System: Win10
• Terraform Version: 0.11.7

Description

I have been able to successfully execute Terrascan against the /tests/infrastructure/ files included. When running against simple Terraform templates that that successfully execute both 'terraform plan' and 'terraform apply,' it fails out on every test. Does it support Terraform 0.11.x?

What I Did

# pathes omitted
C:\<path>\terrascan -l C:\<path> -t all
ERROR: test_aws_alb_listener_certificate (terrascan.checks.encryption.TestEncryption)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "c:\users\<user>\appdata\local\programs\python\python36-32\lib\site-packages\terraform_validate\terraform_validate.py", line 464, in parse_terraform_directory
    hcl.loads(new_terraform)
  File "c:\users\<user>\appdata\local\programs\python\python36-32\lib\site-packages\hcl\api.py", line 62, in loads
    return HclParser().parse(s)
  File "c:\users\<user>\appdata\local\programs\python\python36-32\lib\site-packages\hcl\parser.py", line 307, in parse
    return self.yacc.parse(s, lexer=Lexer())
  File "c:\users\<user>\appdata\local\programs\python\python36-32\lib\site-packages\ply\yacc.py", line 331, in parse
    return self.parseopt_notrack(input, lexer, debug, tracking, tokenfunc)
  File "c:\users\<user>\appdata\local\programs\python\python36-32\lib\site-packages\ply\yacc.py", line 1061, in parseopt_notrack
    lookahead = get_token()     # Get the next token
  File "c:\users\<user>\appdata\local\programs\python\python36-32\lib\site-packages\hcl\lexer.py", line 275, in token
    return self.lex.token()
  File "c:\users\<user>\appdata\local\programs\python\python36-32\lib\site-packages\ply\lex.py", line 406, in token
    newtok = self.lexeoff(tok)
  File "c:\users\<user>\appdata\local\programs\python\python36-32\lib\site-packages\hcl\lexer.py", line 222, in t_heredoc_eof
    _raise_error(t, 'EOF before closing heredoc')
  File "c:\users\<user>\appdata\local\programs\python\python36-32\lib\site-packages\hcl\lexer.py", line 17, in _raise_error
    raise ValueError("Line %d, column %d, index %d: %s" % (lineno, column, lexpos, message))
ValueError: Line 98, column 0, index 2138: EOF before closing heredoc

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "c:\users\<user>\appdata\local\programs\python\python36-32\lib\site-packages\terrascan\checks\encryption.py", line 20, in setUp
    self.v = terraform_validate.Validator(self.path)
  File "c:\users\<user>\appdata\local\programs\python\python36-32\lib\site-packages\terraform_validate\terraform_validate.py", line 431, in __init__
    self.terraform_config = self.parse_terraform_directory(path)
  File "c:\users\<user>\appdata\local\programs\python\python36-32\lib\site-packages\terraform_validate\terraform_validate.py", line 466, in parse_terraform_directory
    raise TerraformSyntaxException("Invalid terraform configuration in {0}\n{1}".format(os.path.join(directory,file),e))
terraform_validate.terraform_validate.TerraformSyntaxException: Invalid terraform configuration in C:<path>\main.tf
Line 98, column 0, index 2138: EOF before closing heredoc

• terrascan version: 1.0.0
• Python version: 3.8.5
• Operating System: MacOS 10.15.6 (Catalina)

Description

Getting error with XML output option - getting the following error:

2020-08-17T20:35:08.082-0400	error
writer/xml.go:39	
failed to write XML output. error: 'xml: unsupported type: results.Violation'

What I Did

/terrascan scan -t aws -o xml

• terrascan version: 1.0.0
• Operating System: Linux

Descriptions

I created some terraform files using modules and some without using modules. I added some violations in both but terrascan found violations in the files created without using modules but no violations found in the files using modules.

What I Did

terrascan scan -t aws 

• terrascan version: last I presume (I use github/super-linter)
• Operating System: github/super-linter in docker container

Description

I got this error:

  - rule_name: reme_keyVaultAuditLoggingEnabled
    description: Ensure that logging for Azure KeyVault is 'Enabled'
    rule_id: accurics.azure.EKM.20
    severity: HIGH
    category: Encryption and Key Management
    resource_name: main
    resource_type: azurerm_key_vault
    file: main.tf
    line: 145

What I Did

Here is my terraform config :

resource "azurerm_key_vault" "main" {
  name                        = "kv-${var.prefix}-${terraform.workspace}"
  location                    = azurerm_resource_group.main.location
  resource_group_name         = azurerm_resource_group.main.name
  enabled_for_disk_encryption = false
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_enabled         = true
  purge_protection_enabled    = false

  sku_name = "standard"

  network_acls {
    default_action = "Allow"
    bypass         = "AzureServices"
  }

  tags = merge(azurerm_resource_group.main.tags, {
  })
}

resource "azurerm_monitor_diagnostic_setting" "keyvault" {
  name                       = azurerm_key_vault.main.name
  target_resource_id         = azurerm_key_vault.main.id
  storage_account_id         = azurerm_storage_account.logs.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id

  log {
    category = "AuditEvent"
    enabled  = true

    retention_policy {
      enabled = true
      days    = 365
    }
  }

  metric {
    category = "AllMetrics"
    enabled  = true

    retention_policy {
      enabled = true
      days    = 365
    }
  }
}

What am I missing ?

Similar to #339, but on repository level. The GitHub provider has a resource github_repository_webhook, which can be used to setup a webhook for an organization. In the configuration it allows several options. One of the them is insecure_ssl, which is not recommended to be set to true. The new policy for the github policy set should check this configuration and report a violation if this option was set to true.

• terrascan version: v0.2.0
• Python version: Python 3.6.9
• Operating System: Ubuntu 18.04.1 LTS (Bionic Beaver)

Description

I was trying to scan one of my terraform directory. It contains a line where nested brackets exists, its giving errors there.

What I Did

I ran the terrascan on below code

locals {
  map = {
    r1         = "21.0.0.0/16"
    r2         = "22.4.0.0/16"
        }

  sg = {
  "test" = [
    "r1",
    "r2"
  ]
}

}

resource "aws_security_group" "test" {
  name        = "testshubham"
  vpc_id      = "vpc-xxxxxxxxx"

  dynamic "ingress" {
    for_each = local.sg.test
    content {
      from_port = 80
      to_port   = 80
      protocol  = "tcp"
      cidr_blocks = split(",", lookup(local.map, ingress.value, ingress.value))
    }
  }
}

Error (Truncated)

Processed on 05/06/2020 at 11:49
Results (took 0.92 seconds):

Failures: (0)

Errors: (1)
[high] Traceback (most recent call last):
  File "/home/shubham/myterrascan/terrascan/terrascan/embedded/terraform_validate/terraform_validate.py", line 573, in readDir
    self.loadFileByDir(fileName, relativeFileName, d, d, terraform_string)
  File "/home/shubham/myterrascan/terrascan/terrascan/embedded/terraform_validate/terraform_validate.py", line 586, in loadFileByDir
    hclSubDirDict[path] = hcl.loads(terraform_string)
  File "/home/shubham/.local/lib/python3.6/site-packages/hcl/api.py", line 81, in loads
    return HclParser().parse(s, export_comments=export_comments)
  File "/home/shubham/.local/lib/python3.6/site-packages/hcl/parser.py", line 643, in parse
    s, lexer=Lexer(export_comments=export_comments), debug=DEBUG
  File "/home/shubham/.local/lib/python3.6/site-packages/hcl/ply/yacc.py", line 503, in parse
    tok = self.errorfunc(errtoken)
  File "/home/shubham/.local/lib/python3.6/site-packages/hcl/parser.py", line 634, in p_error
    raise ValueError(msg)
ValueError: Line 26, column 407: unexpected LEFTPAREN; expected ASTERISK_PERIOD, RIGHTBRACKET, COMMA, RIGHTPAREN, ADD, MINUS, MULTIPLY, DIVIDE

Hi, recently I use terrascan for my terraform project and I found that logging_and_monitoring not support aws_lb access_logs yet.

In terraform docs mention that

Note: aws_alb is known as aws_lb. The functionality is identical.
So I want add one feature for aws_lb access_logs check, I'm not sure is this idea is ok or not?

If you think it's fine to add then I will sent PR for feature/logging_and_monitoring_aws_lb this branch.

If there any question or suggestion plz let me know.

Thank you.

feature/logging_and_monitoring_aws_lb
aws_lb ref

• terrascan version: 0.11.13
• Python version: 3.6.5
• Operating System: Centos 7

Description

Running terrascan on .tf files that reference modules which pull input values from a .tfvars file located in another directory.

What I Did

terrascan --location . --tests all
All tests apparently passed, even though In the terrascan command I could not do a -var-file="../test,tfvars" for the input values.

Any help on this would be great.

• terrascan version:
• Python version:
• Operating System:

Description

i tried to create two .tf files in one location, and when i run terrascan against that location (e.g. terrascan -l path/to/.tf -t all (and the path has two .tf files).. it seems that it only scan one of the file, and ignore the rest?

What I Did

Paste the command(s) you ran and the output.
If there was a crash, please include the traceback here.

https://github.com/cesar-rodriguez/terrascan/blob/b4e8922a7a388a3f0351c9b0ae52d8d95cf7a95f/terrascan/checks/security_group.py#L53

Per
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-update-security-groups.html load balancers need a source of 0.0.0.0/0 for public traffic. This test also fails for instances running VPN services, such as OpenVPN. Is there another recommended way of opening public ingress for legitimate traffic for HTTP, HTTPS, and other network protocols like OpenVPN?

• terrascan version: latest
• Operating System: GitLab CI/CD pipeline runner

Description

GitLab's runners run job within the context of a specified container, don't currently allow the UID to execute as to be overridden.

The Alpine-based accurics/terrascan image doesn't include the 'git' binary, which is often necessary to download additional modules when performing terraform init - and, since the container-user isn't root by default, no further packages can be installed from the image when run without any overrides.

This means that in such a pipeline, the only options are:

• Build a new, private container FROM accurics/terrascan:latest which either runs as root or pre-installs git - which adds an additional maintenance burden and takes away from the simplicity of being about to run terrascan simply by pulling an image;
• Run dind as the job container image, and then manually launch the terrascan image with a different container-user;
• Pre-cache any terraform modules and mount this volume within the job container (... which would also likely require dind - I've not investigated this option).

At the cost of increasing the default image size a little, please add git to the terrascan container image (or introduce an additional terrascan-git image which does incorporate this)?

I'm currently exploring available Terraform static analysis tools, and stumbled across Terrascan and was wondering if it could be used against a code base that's using Terragrunt and remote backends.

Our Terraform code is organised in the suggested module layout:

terraform/
├── README.md
├── gcp/
│   ├── README.md
│   ├── backend.tf
│   ├── main.tf
│   ├── outputs.tf
│   ├── providers.tf
│   ├── variables.tf
│   ├── modules/
│   │   ├── database/
│   │   │   ├── main.tf
│   │   │   ├── outputs.tf
│   │   │   └── variables.tf
...

But when directing terrascan at the folder I get an IndexError: string index out of range exception.

Has anyone run Terrascan this way?

• terrascan version:0.1.0
• Python version:2.7
• Operating System:ubuntu

Description

After installing terrascan couldn't execute the command or anyhting related to terrascan .

What I Did

Ran the command on the term .

$ terrascan -h
terrascan: command not found

Do I need to clone the repo or something , can't make out what I am missing here ?

• terrascan version: 0.1.0
• Python version: 2.7.5
• Operating System: CentOS 7.2

Description

Error running to tool for the first time. Unable to locate modules.

$ sudo terrascan --location . --tests all
Traceback (most recent call last):
  File "/bin/terrascan", line 7, in <module>
    from terrascan.__main__ import main
  File "/usr/lib/python2.7/site-packages/terrascan/__main__.py", line 5, in <module>
    from .terrascan import main
  File "/usr/lib/python2.7/site-packages/terrascan/terrascan.py", line 10, in <module>
    from terrascan.checks.security_group import TestSecurityGroups
ImportError: No module named checks.security_group

$ ls /usr/lib/python2.7/site-packages/terrascan
checks  __init__.py  __init__.pyc  __main__.py  __main__.pyc  terrascan.py  terrascan.pyc

What I Did to resolve this issue

In /usr/lib/python2.7/site-packages/terrascan/terrascan.py simply remove .terrascan on lines 10-13.

Change from..

from terrascan.checks.security_group import TestSecurityGroups
from terrascan.checks.encryption import TestEncryption
from terrascan.checks.logging_and_monitoring import TestLoggingAndMonitoring
from terrascan.checks.public_exposure import TestPublicExposure

To ...

from .checks.security_group import TestSecurityGroups
from .checks.encryption import TestEncryption
from .checks.logging_and_monitoring import TestLoggingAndMonitoring
from .checks.public_exposure import TestPublicExposure

Hi 👊

This is my first visit to this fine repo, but it seems you have been working hard to keep all dependencies updated so far.

Once you have closed this issue, I'll create separate pull requests for every update as soon as I find one.

That's it for now!

Happy merging! 🤖

I was trying to test terrscan following the documentation, and I couldn't understand why the instructions seem so off with what I was getting. Finally, I realized that the Docker image runs version v0.2.3 and the docs are for the 1.0 (I assume). I've switched to using the binary and was able to follow the docs.

Please update the Docker image or add a warning to the docs :)

• terrascan version:
• Python version:
• Operating System:

Description

it doen't work on terraform 0.12 syntax

What I Did

terrascan --location . --tests security_group
error: SyntaxError: Unexpected identi

The rule accurics.gcp.IAM.145 is currently located under gcp, which isn't intuitive as it is targeting the GitHub provider and not GCP. It would be better to move its own policy set.

• terrascan version: N/A
• Python version: N/A
• Operating System: N/A

Description

I want to integrate it with SonarQube, for it I need structure output - Json preferred, but anything that it machine readable will be fine.

Terraform v0.13 has been GA for more than a month now and supports the automatic installation of third-party providers and for_each for modules and some other extensions, which break Terrascan when used. You can read about the new features here.

Meanwhile, v0.14 is in alpha testing now, but it doesn't have such big changes.

The GitHub provider has a resource github_organization_webhook, which can be used to setup a webhook for an organization. In the configuration it allows several options. One of the them is insecure_ssl, which is not recommended to be set to true. The new policy for the github policy set should check this configuration and report a violation if this option was set to true.

The bot created this issue to inform you that pyup.io has been set up on this repo.
Once you have closed it, the bot will open pull requests for updates as soon as they are available.

• terrascan version: n/a
• Python version: n/a
• Operating System: n/a

Description

Be able to pass parameters like: [--xml-report dir] or [--html-report dir] and generate these reports

Use a wrapper to allow clients to invoke Terrascan with arguments.

Example: https://github.com/jason-tyler/terrascan/tree/feature/main_args

If you agree with this method, create a "feature/main_args" branch and I'll PR a start at this into your repo.

There doesn't appear to be the capability to ignore checks in terrascan.
Would it be possible to add the ability to add comments to code blocks to trigger terrascan to ignore specific error codes for that block?
Similar to how tfsec implements this capability
https://github.com/liamg/tfsec#ignoring-warnings

I've notices that terraform-validate doesn't properly handle the use case of multiple properties with the same name:

resource "aws_elb" "foo" {
  listener {
    lb_port            = 443
    lb_protocol        = "https"
    ssl_certificate_id = "${var.certificate_arn}"
  }
  listener {
    lb_port            = 443
    lb_protocol        = "https"
    ssl_certificate_id = "${var.certificate_arn}"
  }
}

I've seen this issue in:

• aws_cloudfront_distribution
• aws_elb
• aws_redshift_parameter_group

• terrascan version:
• Python version:
• Operating System:

Description

Describe what you were trying to get done.
Tell us what happened, what went wrong, and what you expected to happen.

What I Did

Paste the command(s) you ran and the output.
If there was a crash, please include the traceback here.

• terrascan version: v1.1.0
• Operating System: Mac OS and on Github Actions Ubuntu

Description

When running superlinter I believe this has flagged a false positive on the s3 bucket being able to be accessed by all AWS accounts

What I Did

I ran terrascan scan -t aws on a main.tf file containing this:

resource "aws_s3_bucket" "example" {
  bucket = "example_bucket"
  acl    = "private"
  versioning {enabled = true}
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
  policy = <<EOF
  {
    "Version":"2012-10-17",
    "Statement":[
      {
        "Sid":"DenyAllAccountAccess",
        "Effect":"Deny",
        "Action":["*"],
        "Resource":["*"]
      }
    ]
  }
EOF
}

then received the following error:

results:
  violations:
  - rule_name: s3EnforceUserACL
    description: S3 bucket Access is allowed to all AWS Account Users.
    rule_id: AWS.S3Bucket.DS.High.1043
    severity: HIGH
    category: S3
    resource_name: example
    resource_type: aws_s3_bucket
    file: main.tf
    line: 1
  count:
    low: 0
    medium: 0
    high: 1
    total: 1

When searching online I was unable to find instructions on how to fix or anymore details on the error message,
Thanks in advance for any help
James

• terrascan version: latest
• Python version: 2.6.9
• Operating System: Docker Image cwill747/alpine-python2.

Description

I am trying to run Terrascan but I am getting a dependency error output

What I Did

The volume mapped was pointing to a Terraform project (I run the container inside this directory) with these files:

-rw-r--r--    1 1000     1000           813 Jul  5 20:12 README.md
-rw-r--r--    1 1000     1000           885 Jul 12 16:50 main.tf
-rw-r--r--    1 1000     1000           410 Jul  5 20:12 outputs.tf
-rw-r--r--    1 1000     1000          2554 Jul 11 22:38 terraform.plan
-rw-r--r--    1 1000     1000           298 Jul  5 20:12 vars.tf

First I started a docker container:

$ docker run  -it   -v $(pwd):/data cwill747/alpine-python2.6  /bin/sh 

Then I installed Terrascan as described at the documentation (README.md):

$ pip install terrascan

Run the scan

terrascan -location /data --test all

Output log

/data # terrascan -location /data --test all
Traceback (most recent call last):
  File "/usr/bin/terrascan", line 7, in <module>
    from terrascan.__main__ import main
  File "/usr/lib/python2.6/site-packages/terrascan/__main__.py", line 5, in <module>
    from .terrascan import main
  File "/usr/lib/python2.6/site-packages/terrascan/terrascan.py", line 10, in <module>
    from terrascan.checks.security_group import TestSecurityGroups
ImportError: No module named checks.security_group

Terrascan should detect any modules in the terraform templates and scan them.

...to receive PR when work is ready for review. Feature currently being implemented at:

https://github.com/jason-tyler/terrascan/tree/feature/aws_load_balancer_policy

Is there still a way to run terrascan with pre-commit? I noticed there was mention of an example .pre-commit-config.yaml in older docs but it's no longer mentioned anywhere now.

• terrascan version: Latest (2c964d5)
• Operating System: OS X (Darwin MacBook-Pro.local 18.7.0 Darwin Kernel Version 18.7.0: Mon Aug 31 20:53:32 PDT 2020; root:xnu-4903.278.44~1/RELEASE_X86_64 x86_64)

Description

I have a situation where I am using several modules together. For simplicity, we will just call them m1, m2, and m3. m1 is consumed from my main terraform template and it consumes m2 and m3. When I try and run terrascan, it incorrectly parsers the directory in the module as relative to absRootDir instead of relative to the location of m1.

The file system would look like this
/tf/template.tf
/tf/modules/m1/main.tf
/tf/modules/m2/main.tf

/tf/template.tf contains a call like:

module "m1" {
    source "./modules/m1/"
}

/tf/modules/m1/main.tf contains a call like

module "m2" {
    source "../m2/"
}

That works just fine in terraform and it parses them correctly. 

What I Did

When I run terrascan on the directory though, I get the following error

$ terrascan scan -t aws 
2020-10-29T10:08:46.046-0700	error	v12/load-dir.go:110	failed to build unified config. errors:
<nil>: Failed to read module directory; Module directory /tf/m2 does not exist or cannot be read.

I tossed some debugging in to see how it is parsing it internally into the module walker function:

2020/10/29 10:16:11 req.Path.String(), is m1
2020/10/29 10:16:11 req.SourceAddr, is ./modules/m1
2020/10/29 10:16:11 Created path to module as  /tf/modules/m1
2020/10/29 10:16:11 processing local module "./modules/m1"
2020/10/29 10:16:11 req.Path.String(), is m1.m2
2020/10/29 10:16:11 req.SourceAddr, is ../m2
2020/10/29 10:16:11 Created path to module as  /tf/m3
2020/10/29 10:16:11 processing local module "../m2"

The code added at the end of the if statement at line 84 in pkg/iac-providers/terraform/v12/load-dir.go to generate the above is:

log.Println("req.Path.String(), is", req.Path.String())
log.Println("req.SourceAddr, is", req.SourceAddr)
log.Println("Created path to module as ", pathToModule)
log.Printf("processing local module %q", req.SourceAddr)

I think the mistake is this code here (still in the if statement that starts at 84):

pathArr := strings.Split(req.Path.String(), ".")
pathArr = pathArr[:len(pathArr)-1]
pathToModule = filepath.Join(absRootDir, filepath.Join(pathArr...), req.SourceAddr)

Instead of looking at the req.Path.String, it should be looking at req.Parent.SourceAddr. If that were used instead, it would result in pathToModules containing the following values:

absRootDir = "/tf/"
req.Parrent.SourceAddr = "./modules/m1"
req.SourceAddr = "../m2"

which would get combined with the filepath.Join to result in

pathToModule = "/tf/modules/m2"

Example:
user_data = <<EOF
#! /bin/bash
sudo apt-get update
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMAAA
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMAAAKEY
export AWS_DEFAULT_REGION=us-west-2
EOF

I deliberately ran the above, terrascan did not detected this violation. Later, I checked the rego policies of terrascan and found there is no such policy for checking the above violation.

When using data sources, terraform-validate fails tests.

Example:

variable "environment" {}
variable "vpc_id" {}
variable "port" {}

data "aws_vpc" "selected" {
  id = "${var.vpc_id}"
}

resource "aws_security_group" "sg" {
  name        = "test"
  description = "test security group"
  vpc_id      = "${var.vpc_id}"

  ingress {
    from_port = "${var.port}"
    to_port   = "${var.port}"
    protocol  = "tcp"

    cidr_blocks = ["${data.aws_vpc.selected.cidr_block}"]
  }
}

Results:
ERROR: test_aws_security_group_inline_rule_open (terrascan.test_security_group.TestSecurityGroups)

Traceback (most recent call last):
File "/tmp/build/51a4a4ac/terrascan/terrascan/test_security_group.py", line 45, in test_aws_security_group_inline_rule_open
'cidr_blocks').list_should_not_contain('0.0.0.0/0')
File "/usr/local/lib/python3.6/site-packages/terraform_validate/terraform_validate.py", line 167, in list_should_not_contain
actual_property_value = self.validator.substitute_variable_values_in_string(property.property_value)
File "/usr/local/lib/python3.6/site-packages/terraform_validate/terraform_validate.py", line 504, in substitute_variable_values_in_string
variable_default_value = self.get_terraform_variable_value(a.variable)
File "/usr/local/lib/python3.6/site-packages/terraform_validate/terraform_validate.py", line 493, in get_terraform_variable_value
raise TerraformVariableException("There is no Terraform variable '{0}'".format(variable))
terraform_validate.terraform_validate.TerraformVariableException: There is no Terraform variable ''

• terrascan version: v1.1.0
• Operating System: Ubuntu 20.04.1

Description

Terrascan wrongly reports a violation of accurics.gcp.IAM.122.

The name of the property changed in the latest release of the Google Cloud Terraform provider, from bucket_policy_only to uniform_bucket_level_access.

Description

I would like to 'print out' the rules that things test for in a comprehensive format (csv, json, yaml) so I can put into CMDB and manage 'centrally' for my auditors etc. The function definitions in the test modules are somewhat hard to read. Some examples of desired types of output:

types of output

CSV:
aws_ami_copy, 'Assert resources are encrypted', 'Property: encrypted', 'expected: kms_key_id"

Markdown:

Rule Name Assert Resources are Encrypted

Test: Checks to see if aws_AMI_copy' property 'encrypted' equals "kms_key_id"

• terrascan version: 0.1.0 (development mode)
• Python version: 3.6.1
• Operating System: OS X 10.13.6

Description

Trying to run tests against terraform templates with terrascan set up in development

What I Did

terrascan -l . -t all

This is one of many similar tracebacks

ERROR: test_aws_security_group_rule_open (terrascan.checks.security_group.TestSecurityGroups)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/Users/zachary.zeid/github/terrascan/terrascan/.eggs/terraform_validate-2.5.0-py3.6.egg/terraform_validate/terraform_validate.py", line 464, in parse_terraform_directory
    hcl.loads(new_terraform)
  File "/Users/zachary.zeid/github/terrascan/terrascan/.eggs/pyhcl-0.3.10-py3.6.egg/hcl/api.py", line 61, in loads
    if isHcl(s):
  File "/Users/zachary.zeid/github/terrascan/terrascan/.eggs/pyhcl-0.3.10-py3.6.egg/hcl/api.py", line 39, in isHcl
    raise ValueError("No HCL object could be decoded")
ValueError: No HCL object could be decoded

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/zachary.zeid/github/terrascan/terrascan/terrascan/checks/security_group.py", line 21, in setUp
    self.v = terraform_validate.Validator(self.path)
  File "/Users/zachary.zeid/github/terrascan/terrascan/.eggs/terraform_validate-2.5.0-py3.6.egg/terraform_validate/terraform_validate.py", line 431, in __init__
    self.terraform_config = self.parse_terraform_directory(path)
  File "/Users/zachary.zeid/github/terrascan/terrascan/.eggs/terraform_validate-2.5.0-py3.6.egg/terraform_validate/terraform_validate.py", line 466, in parse_terraform_directory
    raise TerraformSyntaxException("Invalid terraform configuration in {0}\n{1}".format(os.path.join(directory,file),e))
terraform_validate.terraform_validate.TerraformSyntaxException: Invalid terraform configuration in /Users/zachary.zeid/github/terrascan/terrascan/variables.tf
No HCL object could be decoded

----------------------------------------------------------------------
Ran 5 tests in 0.036s

FAILED (errors=5)  ```

• terrascan version: 1.0.0
• Operating System: Ubuntu 20.04

Description

Terrascan reports a violation of the accurics.gcp.NS.130 rule (rule code is in checkIpForward.rego), and it should not.

What I Did

Here's my google_compute_instance. Adding a can_ip_forward = false doesn't make any difference.

resource "google_compute_instance" "development-workstation" {
  name             = var.development_workstation_name
  machine_type     = var.development_workstation_machine_type
  min_cpu_platform = var.development_workstation_min_cpu_platform

  boot_disk {
    initialize_params {
      image = "${google_compute_image.dev-workstation-image-ubuntu-2004.family}/${google_compute_image.dev-workstation-image-ubuntu-2004.name}"
      type  = "pd-ssd"
    }
  }

  network_interface {
    network = "default"

    access_config {
      // Ephemeral IP
    }
  }
}

What am I doing wrong?

• terrascan version: v1.1.0
• Operating System: Ubuntu 20.04.1

Description

Hardening your cluster security recommends to disable client certificates. Why is Terrascan suggesting the opposite?

Thanks!

• terrascan version: 1.1.0
• Operating System: macOS

Description

When I define a aws_vpc and aws_flow_log, vpcFlowLogsNotEnabled gives a level medium violation.

What I Did

$ cat vpc.tf
resource "aws_vpc" "example" {
   cidr_block = "xxx.xx.xxx.xxx/xx"
}

resource "aws_flow_log" "example" {
  log_destination      = data.aws_s3_bucket.example.arn
  log_destination_type = "s3"
  traffic_type         = "ALL"
  vpc_id               = aws_vpc.example.id
}

$ terrascan scan -t aws -f vpc.tf
results: results:
   violations:
   --rule_name: vpcFlowLogsNotEnabled
     description: Ensure VPC flow logging is enabled in all VPCs
     rule_id: AWS.VPC.Logging.Medium.0470
     severity: MEDIUM
     category: Logging
     resource_name: example
     resource_type: aws_vpc
     file: vpc.tf
     line: 1
   count:
     low: 0
     medium: 1
     high: 0
     total: 1

• terrascan version: 0.2.0
• Python version: 3.6.10
• Operating System: Linux Mint 18.3 Sylvia x86_64

Description

ERROR: terrascan 0.2.0 has requirement pyhcl==0.4.0, but you'll have pyhcl 0.4.4 which is incompatible.

What I Did

pip3.6 --no-cache-dir install --upgrade terrascan

• terrascan version: version: v1.1.0
• Operating System: Mac Catilina & Amazon Linux 2

Description

On Mac, installed via brew.
Linux, terrascan added to path

What I Did

> terrascan scan -t aws -o yaml
2020-09-17T01:59:19.003+0100	error	v12/load-dir.go:85	failed to build unified config. errors:
<nil>: Failed to read module directory; Module directory /Users/bwhyte/git_repos/infa/terraform/aws/test/eks/terraform-aws-modules/eks/aws does not exist or cannot be read., and 1 other diagnostic(s)

Actual repo path with tf files is /Users/bwhyte/git_repos/infa/terraform/aws/test/eks/ so I'm not sure why it's tagging on terraform-aws-modules/eks/aws

If i create the x2 "missing" folder I get a working scan.

> mkdir -p /Users/bwhyte/git_repos/infa/terraform/aws/test/eks/terraform-aws-modules/eks/aws
> mkdir -p /Users/bwhyte/git_repos/infa/terraform/aws/test/eks/terraform-aws-modules/vpc/aws
> ~/g/i/t/a/t/eks (master)> terrascan scan -t aws -o yaml
results:
  violations:
  - rule_name: s3EnforceUserACL
    description: S3 bucket Access is allowed to all AWS Account Users.
    rule_id: AWS.S3Bucket.DS.High.1043
    severity: HIGH
    category: S3
    resource_name: aws_flow_log
    resource_type: aws_s3_bucket
    file: vpc.tf
    line: 45
  count:
    low: 0
    medium: 0
    high: 1
    total: 1