fugue / regula

Regula checks infrastructure as code templates (Terraform, CloudFormation, k8s manifests) for AWS, Azure, Google Cloud, and Kubernetes security and compliance using Open Policy Agent/Rego

Home Page:https://regula.dev/


[BUG] The policy FG_R00274 doesn't work with the new syntax (provider aws 4.x)

rsareth opened this issue · comments

Describe the bug
After upgrading the aws provider from the 3.x series to the 4.x series, we observe that the policy FG_R00274 doesn't work anymore. In the code, we can clearly see that the resource aws_s3_bucket_logging is handled. We had to disable the policy and write our own code handling only the new tf resource.

How you're running Regula

  • I'm using Regula >= v2.9.3

Operating System
Mac OS and Linux

Steps to reproduce

  • Step 1 - Create the TF file with this content:
# OK
resource "aws_s3_bucket" "bucket_old_syntax" {
  bucket = "bucket_old_syntax"
  logging {
    target_bucket = aws_s3_bucket.logbucket.id
    target_prefix = "log/"
  }
}

resource "aws_s3_bucket" "logbucket" {
  bucket        = "my-log-bucket"
  acl           = "log-delivery-write"

  logging {
    target_bucket = "my-log-bucket"
    target_prefix = "log/"
  }
}

# KO
resource "aws_s3_bucket" "bucket_new_syntax" {
  bucket = "bucket_new_syntax"
}

resource "aws_s3_bucket_logging" "bucket_new_syntax" {
  bucket = aws_s3_bucket.bucket_new_syntax.id

  target_bucket = aws_s3_bucket.logbucket.id
  target_prefix = "log/"
}

  • Step 2 - Running regula
$ regula run .
[...]
FG_R00274: S3 bucket access logging should be enabled [Medium]
           https://docs.fugue.co/FG_R00274.html

  [1]: aws_s3_bucket.bucket_new_syntax
       in s3.tf:21:1
[...]

We shouldn't see this alert.

Thank you in advance for looking at that.

Rasmey
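The issue above is about a check that still only recognises the provider 3.x inline `logging {}` block. The following is an added example, not Regula's own FG_R00274 rule or any code from the reporter: a small Python check that treats a bucket as logged when either the inline block or a provider 4.x `aws_s3_bucket_logging` resource points at it, with a `legacy=True` switch that reproduces the inline-only behaviour so the false positive from the report can be seen side by side with the corrected result. The resource list is hand-built to mirror the reporter's `s3.tf` (plus one genuinely unlogged bucket); the `Resource` shape and the string form of references such as `aws_s3_bucket.logbucket.id` are assumptions for this example, not Regula's internal representation.

```python
"""Added example (not Regula's code): S3 access-logging check that accepts both
the AWS provider 3.x inline `logging {}` block and the provider 4.x standalone
`aws_s3_bucket_logging` resource.

Resources are modelled as parsed HCL: a type, a name and a dict of attributes.
Terraform references (e.g. `aws_s3_bucket.foo.id`) are kept as plain strings.
Every resource below is constructed for this example.
"""
from dataclasses import dataclass


@dataclass
class Resource:
    type: str
    name: str
    attrs: dict

    @property
    def address(self) -> str:
        return f"{self.type}.{self.name}"


def _resolve_bucket_ref(value, buckets):
    """Map the `bucket` argument of aws_s3_bucket_logging to an aws_s3_bucket
    address. Accepts a Terraform reference (`aws_s3_bucket.x.id` / `.bucket`)
    or a literal name matching some bucket's `bucket` attribute."""
    if not isinstance(value, str):
        return None
    if value.startswith("aws_s3_bucket."):
        parts = value.split(".")
        return ".".join(parts[:2])  # "aws_s3_bucket.<name>", attribute dropped
    for b in buckets:
        if b.attrs.get("bucket") == value:
            return b.address
    return None


def buckets_with_logging(resources, legacy=False):
    """Addresses of aws_s3_bucket resources that have access logging.
    legacy=True reproduces the pre-4.x check: only the inline block counts."""
    buckets = [r for r in resources if r.type == "aws_s3_bucket"]
    logged = set()
    # Provider 3.x syntax: logging { target_bucket = ... } inside the bucket.
    for b in buckets:
        inline = b.attrs.get("logging") or []
        if any(blk.get("target_bucket") for blk in inline):
            logged.add(b.address)
    if legacy:
        return logged
    # Provider 4.x syntax: a separate aws_s3_bucket_logging resource.
    for r in resources:
        if r.type == "aws_s3_bucket_logging" and r.attrs.get("target_bucket"):
            target = _resolve_bucket_ref(r.attrs.get("bucket"), buckets)
            if target is not None:
                logged.add(target)
    return logged


def findings(resources, legacy=False):
    """Addresses of buckets that would be reported as missing access logging."""
    all_buckets = {r.address for r in resources if r.type == "aws_s3_bucket"}
    return all_buckets - buckets_with_logging(resources, legacy=legacy)


# Constructed input mirroring the issue's s3.tf, plus one truly unlogged bucket.
SAMPLE_RESOURCES = [
    Resource("aws_s3_bucket", "bucket_old_syntax", {
        "bucket": "bucket_old_syntax",
        "logging": [{"target_bucket": "aws_s3_bucket.logbucket.id",
                     "target_prefix": "log/"}],
    }),
    Resource("aws_s3_bucket", "logbucket", {
        "bucket": "my-log-bucket",
        "acl": "log-delivery-write",
        "logging": [{"target_bucket": "my-log-bucket", "target_prefix": "log/"}],
    }),
    Resource("aws_s3_bucket", "bucket_new_syntax", {"bucket": "bucket_new_syntax"}),
    Resource("aws_s3_bucket_logging", "bucket_new_syntax", {
        "bucket": "aws_s3_bucket.bucket_new_syntax.id",
        "target_bucket": "aws_s3_bucket.logbucket.id",
        "target_prefix": "log/",
    }),
    Resource("aws_s3_bucket", "bucket_unlogged", {"bucket": "bucket_unlogged"}),
]

if __name__ == "__main__":
    print("inline-only check flags:", sorted(findings(SAMPLE_RESOURCES, legacy=True)))
    print("both-syntax check flags:", sorted(findings(SAMPLE_RESOURCES)))
```

With `legacy=True` the check flags `aws_s3_bucket.bucket_new_syntax`, which is the false positive in the report; with both syntaxes considered, only the bucket that really has no logging configured is reported. A rule that targets provider 4.x therefore has to join `aws_s3_bucket_logging` back to its bucket through the `bucket` reference rather than look at the bucket resource alone.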