Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

bug(terraform): inline ignore doesn't work in remote modules #6941

Closed
nikpivkin opened this issue Jun 14, 2024 · 0 comments · Fixed by #6945
Closed

bug(terraform): inline ignore doesn't work in remote modules #6941

nikpivkin opened this issue Jun 14, 2024 · 0 comments · Fixed by #6945
Assignees
Labels
kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning
Milestone

Comments

@nikpivkin
Copy link
Contributor

Original issue #6629 (comment)

Example:
main.tf

module "vpc" {
  source = "git::https://github.com/nikpivkin/test-tf-module"
}

Remote module:

resource "aws_security_group" "test" {
  description = "test"
  egress {
    description = "EC2 Egress"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    #tfsec:ignore:aws-vpc-no-public-egress-sgr
    cidr_blocks = ["0.0.0.0/0"]
  }
}

Output:

Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 git::https:/github.com/nikpivkin/test-tf-module/main.tf:9
   via git::https:/github.com/nikpivkin/test-tf-module/main.tf:3-10 (egress)
    via git::https:/github.com/nikpivkin/test-tf-module/main.tf:1-11 (aws_security_group.test)
     via main.tf:3-5 (module.vpc)
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1   resource "aws_security_group" "test" {
   2     description = "test"
   3     egress {
   4       description = "EC2 Egress"
   5       from_port   = 0
   6       to_port     = 0
   7       protocol    = "-1"
   8       #tfsec:ignore:aws-vpc-no-public-egress-sgr
   9 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
@nikpivkin nikpivkin added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels Jun 14, 2024
@nikpivkin nikpivkin self-assigned this Jun 14, 2024
@simar7 simar7 added this to the v0.53.0 milestone Jun 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning
Projects
Archived in project
Development

Successfully merging a pull request may close this issue.

2 participants