[Question] How can we access resources property from resource_changes section in terraform plan json ?
ninjaSec7 opened this issue · comments
Describe the bug
For some of the resources, some input values come back from the plan as (known after apply). In all those cases we fail some of the checks, and in those cases we wanted to grab those details from the resource_changes section of the plan output. How can that be achieved?
I was trying to take the after_unknown values from the Terraform JSON plan but was not able to get those resources. I was trying the rule below:
import data.fugue
import input as tfplan

has_transport_encryption {
    # the line below fails the policy; it seems to be because it's not able to get the resource_changes
    tfplan.resource_changes[0].change.after_unknown.transit_encryption_enabled
}
Sometimes in our tfplan.json we have some values in after_unknown, which falls under the resource_changes key; as a result Regula sometimes gives false positive results as well.
So I need a way or workaround to look into resource_changes of tfplan.json so that we can grab the after_unknown values as well and write a custom policy too.
One such policy I was trying to modify is below, but it always passes no matter what the tfplan looks like. Kindly help 🙇
package rules.tf_aws_elasticache_encryption

import data.fugue

__rego__metadoc__ := {
    "custom": {
        "controls": {},
        "severity": "Medium"
    },
    "description": "ElastiCache transport encryption should be enabled. In-transit encryption should be enabled for ElastiCache replication groups. Encryption protects data from unauthorized access when it is moved from one location to another, such as from a primary node to a read replica node in a replication group or between a replication group and an application.",
    "id": "FG_R00105",
    "title": "ElastiCache transport encryption should be enabled"
}

# true when the attribute is set in the planned `after` state
is_after(repgroup) {
    repgroup.change.after.transit_encryption_enabled
}

# true when the attribute is only known after apply
is_after(repgroup) {
    repgroup.change.after_unknown.transit_encryption_enabled
}

valid_resource(resource) {
    resource > 0
}

resource_type := "aws_elasticache_replication_group"

default deny = false

deny {
    resources := [r | r := input.resource_changes[_]; r.type == resource_type]
    count(resources) > 0
    repgroup := [res | res := resources[_]; is_after(res)]
    missing_resource := count(resources) - count(repgroup)
    valid_resource(missing_resource)
}
I'm not a rep from Fugue, but I was able to access resource changes by first importing data.fugue
and then using fugue.plan.resource_changes
to access the changes. Here's a snippet of a rule which returns a set with all resource changes that have the delete action:
import data.fugue
# `in` is a future keyword; without this import OPA rejects `"delete" in ...`
import future.keywords.in

resource_changes_with_delete_action = delete_resource_changes {
    resource_changes := fugue.plan.resource_changes
    delete_resource_changes := {resource_change | resource_change := resource_changes[_]; "delete" in resource_change.change.actions}
}
@Muhammada3178 it gave me the error: unexpected ident token: expected \n or ; or }
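As an added example that is not part of this issue or of the Regula project, the rule below is plain OPA evaluated directly against raw `terraform show -json` output (`opa eval -i tfplan.json -d policy.rego 'data.tfplan.elasticache_transit'`), not through Regula's transformed input. It shows the three states a `resource_changes[].change` entry can be in for `transit_encryption_enabled`: known `true` in `after`, known `false` in `after`, or absent from `after` and flagged `true` in `after_unknown`. Only the known-false case is denied; the computed case is reported separately as unverified, which is what stops the false positive described above. It also imports `future.keywords.in`, which is what the `unexpected ident token` error on `"delete" in ...` is asking for. The package, rule names and the sample plan are my own constructions.

```rego
# Added example (not from this issue or from the Regula project): a plain OPA
# policy for raw `terraform show -json` output. Package and rule names are
# hypothetical; the sample plan at the bottom is hand-written.
package tfplan.elasticache_transit

# `in` is a future keyword; without this import OPA reports
# "unexpected ident token: expected \n or ; or }" on `x in y`.
import future.keywords.in

resource_type := "aws_elasticache_replication_group"

# Resource changes of the relevant type that are being created or updated
# (a resource that is only being deleted has no meaningful `after`).
relevant[rc] {
	rc := input.resource_changes[_]
	rc.type == resource_type
	rc.change.actions[_] in {"create", "update"}
}

# Attribute is present in `after`, so its value is known at plan time.
transit_known_true(rc) {
	rc.change.after.transit_encryption_enabled == true
}

# Attribute is computed: Terraform omits it from `after` and marks it
# with `true` in `after_unknown`.
transit_unknown(rc) {
	rc.change.after_unknown.transit_encryption_enabled == true
}

# Fail only when the value is known and not true. An unknown value is not a
# proven misconfiguration, so it must not land here.
deny[msg] {
	rc := relevant[_]
	not transit_known_true(rc)
	not transit_unknown(rc)
	msg := sprintf("%s: transit_encryption_enabled is not true", [rc.address])
}

# Surface computed values separately so they can be re-checked after apply.
unverified[msg] {
	rc := relevant[_]
	transit_unknown(rc)
	msg := sprintf("%s: transit_encryption_enabled is known after apply", [rc.address])
}

# Constructed sample plan (not real Terraform output) covering all three
# cases; run the tests with `opa test policy.rego`.
sample_plan := {"resource_changes": [
	{
		"address": "aws_elasticache_replication_group.known_on",
		"type": "aws_elasticache_replication_group",
		"change": {
			"actions": ["create"],
			"after": {"transit_encryption_enabled": true},
			"after_unknown": {"id": true}
		}
	},
	{
		"address": "aws_elasticache_replication_group.known_off",
		"type": "aws_elasticache_replication_group",
		"change": {
			"actions": ["update"],
			"after": {"transit_encryption_enabled": false},
			"after_unknown": {"id": true}
		}
	},
	{
		"address": "aws_elasticache_replication_group.computed",
		"type": "aws_elasticache_replication_group",
		"change": {
			"actions": ["create"],
			"after": {},
			"after_unknown": {"id": true, "transit_encryption_enabled": true}
		}
	}
]}

test_known_false_is_denied {
	deny["aws_elasticache_replication_group.known_off: transit_encryption_enabled is not true"] with input as sample_plan
}

test_unknown_is_unverified_not_denied {
	count(deny) == 1 with input as sample_plan
	count(unverified) == 1 with input as sample_plan
}
```

Because the policy reads `input.resource_changes` straight from the plan, it is evaluated with `opa`, not loaded as a Regula rule; the point is to show which keys to inspect and how to keep "known after apply" out of the deny set.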