[BUG] Terraform plan file is not automatically picked up when it has been included in the .gitignore file
jperez3 opened this issue
Describe the bug
While throwing together a proof of concept, I noticed that the generated tfplan.json file is ignored by regula run when tfplan.json is included in the .gitignore file. I'm not sure if this is the intention or not, but thought it's worth calling out or making a note of it in documentation. In general practice of putting regula into a build pipeline, it's less of an issue since you're probably not committing code, but as a general practice I would like to keep plan outputs out of git because they might contain sensitive information.
How you're running Regula
Please include versions of all relevant tools. Some examples:
- I'm using Regula v2.9.3, build a58739c, built with OPA v0.43.1 and a Terraform plan JSON input that I generated with Terraform v0.14.11
- I'm using Regula v2.9.3 as a CLI tool and my Terraform source code as an input: regula run -i ./rules
.regula.yaml
environment-id: ""
exclude: [FG_R00355,FG_R00354,FG_R00275,FG_R00274,FG_R00101,FG_R00100]
format: table
input-type:
- tf
- tf-plan
no-built-ins: true
no-ignore: false
only: []
severity: critical
sync: false
var-file: []
Operating System
MacOS Monterey 12.6
Steps to reproduce
- Add tfplan.json to your repo's .gitignore
- Run terraform init
- Run terraform plan -out=tfplan
- Run terraform show -json ./tfplan > tfplan.json
- Run regula run -i ./rules or specify any other custom rules
The output should have reporting based on the Terraform files, but not the tfplan.json.
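As an added illustration of the interaction the steps above describe (not Regula's own code, and using a deliberately simplified .gitignore matcher), the walk below discovers scan inputs under a directory, drops anything matched by .gitignore, and only picks tfplan.json back up when a no_ignore toggle modelled on the no-ignore key of the .regula.yaml above is set:

```python
import fnmatch
import os
import tempfile

def load_ignore_patterns(root):
    """Read <root>/.gitignore; keep non-blank, non-comment lines (simplified semantics)."""
    path = os.path.join(root, ".gitignore")
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return [ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")]

def is_ignored(rel_path, patterns):
    """Simplified match: patterns with '/' are tested against the relative path,
    others against the basename. Negation (!) and nested .gitignore files are not modelled."""
    name = os.path.basename(rel_path)
    for pat in patterns:
        pat = pat.rstrip("/")  # 'dir/' style patterns are treated like 'dir'
        if "/" in pat:
            if fnmatch.fnmatch(rel_path, pat.lstrip("/")):
                return True
        elif fnmatch.fnmatch(name, pat):
            return True
    return False

def collect_inputs(root, no_ignore=False, suffixes=(".tf", ".json")):
    """Return sorted relative paths of candidate IaC inputs; honour .gitignore unless no_ignore."""
    patterns = [] if no_ignore else load_ignore_patterns(root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for fn in filenames:
            if not fn.endswith(suffixes):
                continue
            rel = os.path.relpath(os.path.join(dirpath, fn), root)
            if not is_ignored(rel, patterns):
                found.append(rel)
    return sorted(found)

def demo():
    """Constructed repo: a .tf file plus a plan JSON that .gitignore lists, as in the report."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, ".gitignore"), "w", encoding="utf-8") as fh:
        fh.write("# constructed sample\ntfplan.json\n.terraform/\n")
    with open(os.path.join(root, "main.tf"), "w", encoding="utf-8") as fh:
        fh.write('resource "aws_iam_user" "joe" {}\n')
    with open(os.path.join(root, "tfplan.json"), "w", encoding="utf-8") as fh:
        fh.write("{}\n")
    return collect_inputs(root), collect_inputs(root, no_ignore=True)
```

The takeaway for a pipeline is that a plan file deliberately kept out of git still has to reach the scanner, either by passing it explicitly or by disabling the ignore rules for that run.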
IaC Configuration
If applicable, please include a minimal configuration that we can use to reproduce the issue. Valid configurations save us a lot of time in troubleshooting. So please, try using what you post to reproduce the issue to verify that it demonstrates the problem.
resource "aws_s3_bucket" "tacos" {
bucket = "abcdefghijk-tacos"
}
resource "aws_security_group" "tacos" {
name = "tacos"
}
resource "aws_security_group_rule" "tacos" {
type = "ingress"
cidr_blocks = ["0.0.0.0/0"]
protocol = "tcp"
from_port = 443
to_port = 443
security_group_id = aws_security_group.tacos.id
}
resource "aws_iam_user" "joe" {
name = "joe"
path = "/"
}
Additional context
nothing other than thank you for building/maintaining this cool project 🙏🏽