
Unable to check for access log bucket pointing to itself #631

Open
ozmodiar192 opened this issue Jun 30, 2022 · 1 comment
@ozmodiar192

Description

I am attempting to validate that a bucket with access logging enabled is not pointing to itself as the target_bucket.

To Reproduce

Create an s3 bucket with a separate aws_s3_bucket_logging resource. Set the target_bucket to the same bucket you're creating. This is a terrible idea so don't apply it. Try to verify the value for "target_bucket" is not the same bucket you're creating.

Feature File:

Feature: S3 related general feature
    # check if at least one s3 has logging enabled, because logging will require another s3
    @noskip_at_line_21
    Scenario: S3 must have access logging enabled 
        Given I have aws_s3_bucket defined
        Given I have aws_s3_bucket_logging defined
        Then it must have bucket
        Then it must be in {aws_s3_bucket_logging.values.bucket}

    @noskip_at_line_28
    Scenario: Data stored in S3 has versioning enabled
        Given I have aws_s3_bucket defined
        Given I have aws_s3_bucket_versioning defined
        Then it must have bucket
        Then it must be in {aws_s3_bucket_versioning.values.bucket}

    @noskip_at_line_36
    Scenario: S3 access log must not log to itself
        Given I have aws_s3_bucket defined
        Given I have aws_s3_bucket_logging defined
        Then it must have target_bucket
        Then it must not be in {aws_s3_bucket_logging.values.bucket}

Plan File:

# aws_s3_bucket.security_bucket will be created
  + resource "aws_s3_bucket" "security_bucket" {
      + acceleration_status         = (known after apply)
      + acl                         = (known after apply)
      + arn                         = (known after apply)
      + bucket                      = "chhec-s3-access-log-bucket"
      + bucket_domain_name          = (known after apply)
      + bucket_regional_domain_name = (known after apply)
      + force_destroy               = false
      + hosted_zone_id              = (known after apply)
      + id                          = (known after apply)
      + object_lock_enabled         = (known after apply)
      + policy                      = (known after apply)
      + region                      = (known after apply)
      + request_payer               = (known after apply)
      + tags_all                    = (known after apply)
      + website_domain              = (known after apply)
      + website_endpoint            = (known after apply)
    }

  # aws_s3_bucket_logging.security_access_log[0] will be created
  + resource "aws_s3_bucket_logging" "security_access_log" {
      + bucket        = (known after apply)
      + id            = (known after apply)
      + target_bucket = "chhec-s3-access-log-bucket"
      + target_prefix = "chhec-s3-access-log-bucket/"
    }

Sample Terraform Code:

resource "aws_s3_bucket" "security_bucket" {
  bucket = var.log_bucket
}

resource "aws_s3_bucket_logging" "security_access_log" {
  count  = var.access_logging_enabled && var.access_log_bucket != "" ? 1 : 0
  bucket = aws_s3_bucket.security_bucket.id

  # The log target is the same bucket that is being logged (the case under test)
  target_bucket = aws_s3_bucket.security_bucket.id
  target_prefix = "${var.log_bucket}/"
}

Error Output:

Expected Behavior:
I would expect it to fail, but it succeeds:

    Scenario: S3 access log must not log to itself
        Given I have aws_s3_bucket defined
        Given I have aws_s3_bucket_logging defined
        Then it must have target_bucket
        Then it must not be in {aws_s3_bucket_logging.values.bucket}

Tested Versions:

  • terraform-compliance version: 1.3.32
  • terraform version: 1.1.l7
  • python version: 3.10

Additional Context:
I just started using terraform-compliance and it's entirely likely I'm doing something wrong.

@ozmodiar192 (Author)

It looks like "target_bucket" is not in the stash:

"aws_s3_bucket_logging": [
    {
        "expected_bucket_owner": null,
        "target_grant": [],
        "target_prefix": "chhec-s3-access-log-bucket/",
        "terraform-compliance.mounted": true
    },
    {
        "expected_bucket_owner": null,
        "target_grant": [],
        "target_prefix": "chhec-s3-access-log-bucket/",
        "terraform-compliance.mounted": true
    },
    {
        "expected_bucket_owner": null,
        "target_grant": [],
        "target_prefix": "chhec-s3-access-log-bucket/",
        "terraform-compliance.mounted": true
    },
    {
        "expected_bucket_owner": null,
        "target_grant": [],
        "target_prefix": "chhec-s3-access-log-bucket/",
        "terraform-compliance.mounted": true
    }
],
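The stash printed above has no target_bucket key, and in the quoted plan the logging resource's bucket is "(known after apply)", so comparing resolved values alone cannot establish the self-reference before the first apply. The script below is an added example, written for this issue rather than taken from terraform-compliance or the reporter's code. It reads the JSON form of a plan (`terraform show -json tfplan`) and flags every aws_s3_bucket_logging resource whose target is its own bucket: by value where both sides are known, and otherwise by comparing the resource each expression references in the plan's configuration section (the `expressions.<attribute>.references` shape is assumed from the plan JSON format). The plan fragment embedded in it is constructed to mirror the resources in this issue; the "fixed" variant pointing at a separate `aws_s3_bucket.central_logs` bucket is hypothetical.

```python
"""Flag aws_s3_bucket_logging resources that log to their own bucket.

Added example (not terraform-compliance code). Input is the JSON form of a
Terraform plan: `terraform show -json tfplan > plan.json`.
"""
import copy
import json
import sys

# Constructed plan fragment shaped like `terraform show -json` output, mirroring
# the resources quoted in this issue. The logging resource's `bucket` is absent
# from planned values because it is "(known after apply)" before the first apply.
SAMPLE_PLAN = {
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_s3_bucket.security_bucket", "type": "aws_s3_bucket",
         "values": {"bucket": "chhec-s3-access-log-bucket"}},
        {"address": "aws_s3_bucket_logging.security_access_log[0]",
         "type": "aws_s3_bucket_logging",
         "values": {"target_bucket": "chhec-s3-access-log-bucket",
                    "target_prefix": "chhec-s3-access-log-bucket/"}},
    ]}},
    # The configuration section keeps the expressions, so the self-reference is
    # visible even when the resolved value is not (shape assumed from the plan
    # JSON format: expressions.<attribute>.references).
    "configuration": {"root_module": {"resources": [
        {"address": "aws_s3_bucket_logging.security_access_log",
         "type": "aws_s3_bucket_logging",
         "expressions": {
             "bucket": {"references": ["aws_s3_bucket.security_bucket.id",
                                       "aws_s3_bucket.security_bucket"]},
             "target_bucket": {"references": ["aws_s3_bucket.security_bucket.id",
                                              "aws_s3_bucket.security_bucket"]},
         }},
    ]}},
}

# The same plan with the log target moved to a separate, hypothetical bucket.
FIXED_PLAN = copy.deepcopy(SAMPLE_PLAN)
FIXED_PLAN["planned_values"]["root_module"]["resources"][1]["values"]["target_bucket"] = "chhec-central-logs"
FIXED_PLAN["configuration"]["root_module"]["resources"][0]["expressions"]["target_bucket"] = {
    "references": ["aws_s3_bucket.central_logs.id", "aws_s3_bucket.central_logs"]}

# Reference roots that are not resource addresses.
NON_RESOURCE_ROOTS = {"var", "local", "module", "each", "count", "path", "terraform"}


def walk_resources(module):
    """Yield every resource in a module and its children (both JSON shapes)."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):           # planned_values shape
        yield from walk_resources(child)
    for call in module.get("module_calls", {}).values():    # configuration shape
        yield from walk_resources(call.get("module", {}))


def referenced_resource(expr):
    """Resource address (type.name or data.type.name) an expression points at, else None."""
    for ref in expr.get("references", []):
        parts = ref.split(".")
        if parts[0] == "data" and len(parts) >= 3:
            return ".".join(parts[:3])
        if len(parts) >= 2 and parts[0] not in NON_RESOURCE_ROOTS:
            return ".".join(parts[:2])
    return None


def find_self_logging(plan):
    """Return [(address, reason)] for every logging resource targeting its own bucket."""
    findings = []
    # 1. Value comparison: only possible when both sides are known in the plan.
    for res in walk_resources(plan.get("planned_values", {}).get("root_module", {})):
        if res.get("type") != "aws_s3_bucket_logging":
            continue
        vals = res.get("values", {})
        bucket, target = vals.get("bucket"), vals.get("target_bucket")
        if bucket is not None and bucket == target:
            findings.append((res["address"], f"bucket and target_bucket are both {bucket!r}"))
    # 2. Reference comparison: catches the self-reference before apply.
    for res in walk_resources(plan.get("configuration", {}).get("root_module", {})):
        if res.get("type") != "aws_s3_bucket_logging":
            continue
        exprs = res.get("expressions", {})
        b_ref = referenced_resource(exprs.get("bucket", {}))
        t_ref = referenced_resource(exprs.get("target_bucket", {}))
        if b_ref is not None and b_ref == t_ref:
            findings.append((res["address"], f"bucket and target_bucket both reference {b_ref}"))
    return findings


def main(argv):
    """Usage: python check_self_logging.py plan.json (defaults to the embedded sample)."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = find_self_logging(plan)
    for address, reason in findings:
        print(f"FAIL {address}: {reason}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it reports the embedded sample as a failure through the reference path; the hypothetical fixed plan produces no findings. After a first apply, when `bucket` becomes a known string, the value comparison catches the same case, so the two checks together cover both states of the plan. The exit code is non-zero on any finding so the script can sit in a pipeline beside terraform-compliance.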
