Replies: 6 comments 1 reply
-
Moving this to a discussion as I don't think this is something we'd pursue right now but want to leave it somewhere where people who want this can weigh in. The issue is this:
This is not a primary supported use of TFLint. TFLint is a static checker, designed to catch issues early, based only on the configuration. It is not a policy enforcement tool for Terraform resources. Policy enforcement (e.g., all S3 buckets must have a When you attempt to use static analysis for enforcement you end up with logic that is easily defeated by a bit of dynamic code, which the analyzer has to ignore if it can't handle. The only security uses for TFLint would be in looking for risky configuration, e.g. And even then, you're thinking about ways to hard-block users from doing things, but that's a fraught path. All it takes to bypass a rule is indirecting through a module: module "my_dangerous_thing" {
source = "ns/dangerous-things/null
} This could be a workaround but it could entirely innocuous. So then you need to forbid users from sourcing any un-trusted module to prevent this workaround. This type of enforcement thus becomes a cascading effort of locking down functionality to prevent workarounds. I don't want TFLint engaged in "performative security," i.e. the appearance of strong guarantees that in practice are trivially defeated. A good place to start building your case would be to share the rules you've authored where you think you want to enforce this. |
Beta Was this translation helpful? Give feedback.
-
Separately, there's little need to integrate this with the TFLint lifecycle, and you could easily enforce this yourself with custom tooling. It doesn't really make sense for TFLint to run, produce issues, and then have to confront the fact that an issue is being raised whose ruleset doesn't want it being ignored. Instead, you could just go through your configuration files up front and error if an annotation exists for a rule you don't want ignored. It doesn't really matter whether that annotation is actually suppressing an issue, it's invalid for it to be declared at all. Waiting until it's "triggered" to then ignore the issue and warn is awkward. Certainly not as convenient as TFLint doing all the work for you but it's an option you can pursue today. |
Beta Was this translation helpful? Give feedback.
-
So a couple of points to respond to in there- First, we already have lint rules enforcing that all modules come from a trusted module source, that is one of the rules where we would like to use this new option. As far as other use cases where a policy enforcement tool would not work, we have several of those related to extremely dangerous Terraform Yes, there are workaround that we could do with custom tooling, such as scanning the configuration files upfront. And we are pursing that course of action. But I think that, particularly for the dangerous |
Beta Was this translation helpful? Give feedback.
-
Thanks, this is helpful.
The issue is more that these risks are numerous and hard to identify than a need for maximally strict enforcement. There is nothing inherently wrong or unsafe with using the external data source. It is only truly dangerous when executing untrusted code. Most organizations do not operate this way and effectively trust their employees, especially in a CI environment where an approver is not required to achieve execution. To the extent they are even implementing any security checks at all, they're generally going to be warnings that the user can choose to dismiss or override with an annotation. I'd be interested to see any other examples of tools that implement similarly strict policy protections, as I can't come up with any examples. Even on the server side, GitHub allows anyone with push access to dismiss secret scanner warnings: I've never encountered a static analysis tool that supports inline ignores but can also offers an option for rejecting ignores. https://github.com/aquasecurity/tfsec#ignoring-warnings Given the niche audience, the likelihood of the much larger task of expanding the plugin protocol to accommodate this is very low, but we could consider a contribution to the config for the core CLI. Something like this: config {
annotations {
ignore {
forbidden = ["my_org_dangerous_resource"]
}
}
} If you have access to the configuration you can shut off the plugin entirely so protecting this file via branch protection with required code owner approval would be required anyway in your scenario. |
Beta Was this translation helpful? Give feedback.
-
Interesting discussion. I basically agree with Ben, but I believe TFLint should be able to support more cases than just possible errors. Indeed, TFLint's current evaluation system design is more focused on "proving incorrectness rather than correctness", such as ignoring unknown values instead of raising errors. This does not lend itself to policy enforcement. However, I believe TFLint should be a framework for all your desires to perform inspections on Terraform's configuration files. Parsing the Terraform language is a complex task, and developing another tool would probably be hard work. I would like to expand the plugin ecosystem to support more cases, and tflint-ruleset-opa is one of those experiments. In this regard, I think it would be a good idea to implement rules for annotations, as Ben also suggested. The Ruby linter RuboCop also has rules that satisfy similar needs. I'm not sure if this should be provided by TFLint core (maybe in tflint-ruleset-terraform, but I'm not sure if it's appropriate), but you can start as a custom rule first. |
Beta Was this translation helpful? Give feedback.
-
@wata727 I wanted to get a bit of clarity on this. Are you saying that there is a way today that we can disable annotation on a specific custom rule without any changes to the core TFLint functionality? If so, how could we do that? |
Beta Was this translation helpful? Give feedback.
-
Introduction
We have a custom ruleset that we maintain. For some of those rules, we are fine with people putting annotations on violating resources/data sources to ignore the lint rule for their use case. However, there are other situations where no one at our company under any circumstances should be allowed to violate the lint rule. Examples of this can include lint rules that prevent security vulnerabilities.
Proposal
Allow a way for the creators of rulesets to specify that a given rule cannot be disabled by annotations. This could potentially also prevent disabling via config file, but that is a bit of an open question and not as vital since config files are generally easier to control with CODEOWNERS and other mechanisms vs annotations in random
.tf
files.References
Beta Was this translation helpful? Give feedback.
All reactions