test: replace Go checks with Rego #7867
Conversation
Signed-off-by: nikpivkin <[email protected]>
```go
name: "IgnoreForImpliedIAMResource",
inputOptions: `
terraform {
  required_version = "~> 1.1.6"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.48"
    }
  }
}

# Retrieve an IAM group defined outside of this Terraform config.

# tfsec:ignore:aws-iam-enforce-mfa
data "aws_iam_group" "externally_defined_group" {
  group_name = "group-name" # tfsec:ignore:aws-iam-enforce-mfa
}

# Create an IAM policy and attach it to the group.

# tfsec:ignore:aws-iam-enforce-mfa
resource "aws_iam_policy" "test_policy" {
  name   = "test-policy" # tfsec:ignore:aws-iam-enforce-mfa
  policy = data.aws_iam_policy_document.test_policy.json # tfsec:ignore:aws-iam-enforce-mfa
```
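Review bot: every `# tfsec:ignore:aws-iam-enforce-mfa` directive in this fixture sits on a `data "aws_iam_group"` lookup or on an `aws_iam_policy` whose body is pulled from `data.aws_iam_policy_document.test_policy`, and that policy document is not part of the visible fixture, so the test cannot establish that the ignore suppresses a real finding rather than passing because nothing fires. Consider including the policy document the check inspects, and dropping the inline directives on `group_name` and `name`, which duplicate the block-level comment directly above each block.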
The AVD-AWS-0123 (aws-iam-enforce-mfa) check will never be triggered for this input even without ignore rules.
Why is that? If that is the case, was the assertion incorrect?
aws-iam-enforce-mfa checks that the condition key is aws:MultiFactorAuthPresent, but the test data does not contain this. I also ran trivy on the test case, but it didn't produce any results:

```
trivy conf main.tf
2024-11-11T15:36:25+06:00 INFO [misconfig] Misconfiguration scanning is enabled
2024-11-11T15:36:26+06:00 INFO [terraform scanner] Scanning root module file_path="."
2024-11-11T15:36:26+06:00 INFO Detected config files num=1
```
```go
name: "TrivyIgnoreForImpliedIAMResource",
inputOptions: `
terraform {
```
Same as above.
Description
Part of #7718