fugue / regula

Regula checks infrastructure as code templates (Terraform, CloudFormation, k8s manifests) for AWS, Azure, Google Cloud, and Kubernetes security and compliance using Open Policy Agent/Rego

Home Page: https://regula.dev/


[BUG] Terraform plan file is not automatically picked up when it has been included in the .gitignore file

jperez3 opened this issue · comments

Describe the bug
While throwing together a proof of concept, I noticed that the generated tfplan.json file is ignored by regula run when tfplan.json is included in the .gitignore file. I'm not sure if this is the intention or not, but thought it's worth calling out or making a note of it in the documentation. In the general practice of putting regula into a build pipeline, it's less of an issue since you're probably not committing code, but as a general practice I would like to keep plan outputs out of git because they might contain sensitive information.

How you're running Regula
Please include versions of all relevant tools. Some examples:

  • I'm using Regula v2.9.3, build a58739c, built with OPA v0.43.1 and a Terraform plan JSON input that I generated with Terraform v0.14.11
  • I'm using Regula v2.9.3 as a CLI tool and my Terraform source code as an input:
regula run -i ./rules

.regula.yaml

environment-id: ""
exclude: [FG_R00355,FG_R00354,FG_R00275,FG_R00274,FG_R00101,FG_R00100]
format: table
input-type:
- tf
- tf-plan
no-built-ins: true
no-ignore: false
only: []
severity: critical
sync: false
var-file: []

Operating System
MacOS Monterey 12.6

Steps to reproduce

  1. Add tfplan.json to your repo's .gitignore
  2. Run terraform init
  3. Run terraform plan -out=tfplan
  4. Run terraform show -json ./tfplan > tfplan.json
  5. Run regula run -i ./rules or specifying any other custom rules

The output should have reporting based on the terraform files, but not the tfplan.json

IaC Configuration
If applicable, please include a minimal configuration that we can use to reproduce the issue. Valid configurations save us a lot of time in troubleshooting. So please, try using what you post to reproduce the issue to verify that it demonstrates the problem.

resource "aws_s3_bucket" "tacos" {
  bucket = "abcdefghijk-tacos"
}

resource "aws_security_group" "tacos" {
  name = "tacos"
}

resource "aws_security_group_rule" "tacos" {
  type              = "ingress"
  cidr_blocks       = ["0.0.0.0/0"]
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  security_group_id = aws_security_group.tacos.id
}

resource "aws_iam_user" "joe" {
  name = "joe"
  path = "/"
}

Additional context
nothing other than thank you for building/maintaining this cool project 🙏🏽
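A small model of the behaviour the report describes, added here and not Regula's own code: input discovery honours .gitignore unless no-ignore is enabled (as the `no-ignore: false` line in the reported .regula.yaml implies), so a git-ignored tfplan.json is dropped from the input set before any rule runs, while the .tf files are still scanned. The .gitignore contents and the file list are constructed, and the matching is a simplified approximation of git's rules.

```python
import fnmatch

# Constructed sample .gitignore, mirroring the report: plan artefacts are
# kept out of git because a plan can carry sensitive values.
GITIGNORE = """\
# generated plan output, may contain secrets
tfplan
tfplan.json
.terraform/
"""

# Constructed list of files a scanner would find when walking the repo root.
CANDIDATES = ["main.tf", "tfplan.json", "tfplan", ".terraform/providers/aws.tf"]


def parse_gitignore(text):
    """Return the active .gitignore patterns, dropping comments and blank lines."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            patterns.append(line)
    return patterns


def is_ignored(rel_path, patterns):
    """Simplified gitignore matching (no negation, no '**'): a pattern ending in
    '/' ignores everything below that directory; any other pattern is matched
    against the basename and against the full relative path."""
    parts = rel_path.split("/")
    for pat in patterns:
        if pat.endswith("/"):
            if pat.rstrip("/") in parts[:-1]:
                return True
        elif fnmatch.fnmatch(parts[-1], pat) or fnmatch.fnmatch(rel_path, pat):
            return True
    return False


def select_inputs(candidates, patterns, no_ignore=False):
    """Model of the input pre-filter: with no-ignore false (the setting in the
    reported .regula.yaml) git-ignored files never reach the rules."""
    if no_ignore:
        return list(candidates)
    return [p for p in candidates if not is_ignored(p, patterns)]


if __name__ == "__main__":
    pats = parse_gitignore(GITIGNORE)
    print("default  :", select_inputs(CANDIDATES, pats))
    print("no-ignore:", select_inputs(CANDIDATES, pats, no_ignore=True))
```

With the constructed inputs the default run keeps only main.tf, which matches the report: the Terraform source is scanned but the plan JSON is not.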