How to check in terraform aws buckets have a server-side encryption enabled? #734
This question is from John Anderson, who asked on our Slack the following question:

Hey! I'm looking to see if I can use cnspec to do terraform policies instead of what I'm doing today. The one thing I'm not finding in the docs is a way to traverse relationships. Let's say I have 2 blocks:

```hcl
resource "aws_s3_bucket" "aes-encrypted-bucket" {
  bucket = "my-aes-encrypted-bucket"
  tags = {
    Environment = "dev"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "aes-encrypted-configuration" {
  bucket = aws_s3_bucket.aes-encrypted-bucket.bucket
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
      # sse_algorithm = "aws:kms"
    }
  }
}
```

Is there a way to say "Get all s3 buckets with tag Environment: dev and then find if there are any aws_s3_bucket_server_side_encryption_configuration attached to them"?
Replies: 1 comment
Yes you can do that with the current query capabilities. When you create a `.tf` file with the above content, start the cnspec shell via:

```
cnspec shell terraform example.tf
```

In the shell you can ask for all resources defined in the terraform HCL file:

```
cnspec> terraform.resources { * }
terraform.resources: [
  0: {
    type: "resource"
    end: terraform.fileposition id = file.position/example.tf/1/1
    labels: [
      0: "aws_s3_bucket"
      1: "aes-encrypted-bucket"
    ]
    nameLabel: "aws_s3_bucket"
    blocks: []
    arguments: {
      bucket: "my-aes-encrypted-bucket"
      tags: {
        Environment: "dev"
      }
    }
    start: terraform.fileposition id = file.position/example.tf/1/1
    attributes: {
      bucket: {
        type: "string"
        value: "my-aes-encrypted-bucket"
      }
      tags: {
        type: "object({Environment=string})"
        value: {
          Environment: "dev"
        }
      }
    }
  }
  1: {
    type: "resource"
    end: terraform.fileposition id = file.position/example.tf/8/1
    labels: [
      0: "aws_s3_bucket_server_side_encryption_configuration"
      1: "aes-encrypted-configuration"
    ]
    nameLabel: "aws_s3_bucket_server_side_encryption_configuration"
    blocks: [
      0: terraform.block id = terraform.block/example.tf/11/3
    ]
    arguments: {
      bucket: "aws_s3_bucket.aes-encrypted-bucket.bucket"
    }
    start: terraform.fileposition id = file.position/example.tf/8/1
    attributes: {
      bucket: {
        type: "any"
        value: "aws_s3_bucket.aes-encrypted-bucket.bucket"
      }
    }
  }
]
cnspec>
```

We see both resources are available and we can further filter down the resources. In the first case we search for the defined buckets and want to display their resource name and the bucket name:

```
cnspec> terraform.resources.where ( nameLabel == "aws_s3_bucket" && arguments["tags"]["Environment"] == "dev" ) {
  attributes["bucket"]["value"]
  labels[1]
}
```

It will result in just the bucket resource that we are interested in:

```
terraform.resources.where: [
  0: {
    labels[1]: "aes-encrypted-bucket"
    attributes[bucket][value]: "my-aes-encrypted-bucket"
  }
]
```

As a next step we want to find the related resource. We start looking for the encryption config to better understand the query we need:

```
cnspec> terraform.resources.where( nameLabel == "aws_s3_bucket_server_side_encryption_configuration" ) { arguments["bucket"] }
terraform.resources.where: [
  0: {
    arguments[bucket]: "aws_s3_bucket.aes-encrypted-bucket.bucket"
  }
]
```

The previous query returns all resources that match the requirement. In our case we want to ensure that one exists. We use the

```
cnspec> terraform.resources.one( nameLabel == "aws_s3_bucket_server_side_encryption_configuration" && arguments["bucket"] == "aws_s3_bucket.aes-encrypted-bucket.bucket" )
[ok] value: true
```

In this case we manually ensured that the
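As an added example (not from the discussion and not cnspec code), the relationship check the answer performs by hand for one bucket, generalized in Python over every `Environment = "dev"` bucket: the input is a constructed list in the shape of the `terraform.resources` output above, and an SSE configuration is matched whether its `bucket` argument is an `aws_s3_bucket.<name>.bucket` or `.id` reference or the literal bucket name.

```python
import re

# Constructed sample mirroring the fields cnspec prints for terraform.resources
# (nameLabel, labels, arguments). Two extra buckets are added to show a miss
# and a bucket outside the dev environment.
RESOURCES = [
    {"nameLabel": "aws_s3_bucket",
     "labels": ["aws_s3_bucket", "aes-encrypted-bucket"],
     "arguments": {"bucket": "my-aes-encrypted-bucket", "tags": {"Environment": "dev"}}},
    {"nameLabel": "aws_s3_bucket_server_side_encryption_configuration",
     "labels": ["aws_s3_bucket_server_side_encryption_configuration", "aes-encrypted-configuration"],
     "arguments": {"bucket": "aws_s3_bucket.aes-encrypted-bucket.bucket"}},
    {"nameLabel": "aws_s3_bucket",
     "labels": ["aws_s3_bucket", "plain-bucket"],
     "arguments": {"bucket": "my-plain-bucket", "tags": {"Environment": "dev"}}},
    {"nameLabel": "aws_s3_bucket",
     "labels": ["aws_s3_bucket", "prod-bucket"],
     "arguments": {"bucket": "my-prod-bucket", "tags": {"Environment": "prod"}}},
]

# A Terraform reference to a bucket resource: aws_s3_bucket.<name>.bucket or .id
REF = re.compile(r"^aws_s3_bucket\.([A-Za-z0-9_-]+)\.(bucket|id)$")


def references_bucket(arg: str, bucket: dict) -> bool:
    """True if an SSE config's `bucket` argument points at this bucket resource,
    either by resource reference (matched on labels[1]) or by literal bucket name."""
    m = REF.match(arg)
    if m:
        return m.group(1) == bucket["labels"][1]
    return arg == bucket["arguments"].get("bucket")


def unencrypted_dev_buckets(resources: list) -> list:
    """Return labels[1] of every Environment=dev bucket that has no SSE configuration."""
    buckets = [r for r in resources if r["nameLabel"] == "aws_s3_bucket"
               and r["arguments"].get("tags", {}).get("Environment") == "dev"]
    configs = [r for r in resources
               if r["nameLabel"] == "aws_s3_bucket_server_side_encryption_configuration"]
    missing = []
    for b in buckets:
        if not any(references_bucket(c["arguments"].get("bucket", ""), b) for c in configs):
            missing.append(b["labels"][1])
    return missing


if __name__ == "__main__":
    print(unencrypted_dev_buckets(RESOURCES))  # ['plain-bucket']
```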