[Terraform] resolve attributes depending on conditions

[SujithPS0604]

Description

defsec does not evaluate the second part of a conditional operator

Example:

resource "aws_iam_role_policy" "access_policy" {
  name   = "${local.service_name}_access_role_policy"
  role   = aws_iam_role.access_role.id
  policy = var.dry_run == "false"  ? data.aws_iam_policy_document.access_policy_document_prod.json : data.aws_iam_policy_document.access_policy_document.json
}

Here whatever the condition is, defsec is only scanning the configuration of the first part of the condition. Here it is analyzing data.aws_iam_policy_document.access_policy_document_prod.json .

Output:

trivy config . --severity "HIGH" -d

2023-11-29T18:08:46.173+0530	INFO	Misconfiguration scanning is enabled
2023-11-29T18:08:48.058+0530	INFO	Detected config files: 35

Here there is no failure, as the policy data.aws_iam_policy_document.access_policy_document_prod.json is clean from issues.

But if I move the second part to the first part, it is showing all the issues of data.aws_iam_policy_document.access_policy_document.json .

Example:

resource "aws_iam_role_policy" "access_policy" {
  name   = "${local.service_name}_access_role_policy"
  role   = aws_iam_role.access_role.id
  policy = var.dry_run == "true" ? data.aws_iam_policy_document.access_policy_document.json : data.aws_iam_policy_document.access_policy_document_prod.json 
}

Output:

trivy config . --severity "HIGH" -d

2023-11-29T18:09:15.574+0530	INFO	Misconfiguration scanning is enabled
2023-11-29T18:09:17.464+0530	INFO	Detected config files: 36

terraform/custom_role/custom_role.tf (terraform)

Tests: 27 (SUCCESSES: 1, FAILURES: 26, EXCEPTIONS: 0)
Failures: 26 (HIGH: 26)

HIGH: IAM policy document uses sensitive action 'autoscaling:AttachLoadBalancers' on wildcarded resource '*'

here, the number of config files scanned also increased, and is showing issues with the policy.

So, by default, is is always analyzing the first part of the condition only. Even if I switch the condition, it is still analyzing the first part.

Desired Behavior

It should analyze both the part of the condition, irrespective of the position at which it is in.

Actual Behavior

It is analyzing only the first part of the condition.

Reproduction Steps

1.In a terraform file, write a conditional expression, which will choose either one data block or the other data block.
2. Run the `trivy config` and observe it is showing the issues from the first part of the expression only

Target

Filesystem

Scanner

Misconfiguration

Output Format

None

Mode

Standalone

Debug Output

2023-11-29T18:09:15.574+0530	INFO	Misconfiguration scanning is enabled
2023-11-29T18:09:17.464+0530	INFO	Detected config files: 36

terraform/custom_role/custom_role.tf (terraform)

Tests: 27 (SUCCESSES: 1, FAILURES: 26, EXCEPTIONS: 0)
Failures: 26 (HIGH: 26)

HIGH: IAM policy document uses sensitive action 'autoscaling:AttachLoadBalancers' on wildcarded resource '*'

Operating System

macOS Sonoma

Version

Version: 0.47.0
Vulnerability DB:
  Version: 2
Java DB:
  Version: 1

Checklist

• Run trivy image --reset
• Read the troubleshooting

[nikpivkin]

Hi @SujithPS0604 !

The right-hand side of the conditional statement is also evaluated:

resource "github_repository" "name" {
  name        = "example"
  description = "My awesome codebase"

  visibility = false ? "public" : "private"
}

For example in this case visibility would be private.

Could you please share the configurations so that I can investigate this. Do you have the var.dry_run variable set?

[SujithPS0604]

Hello @nikpivkin :)
Here is the config:

resource "aws_iam_role_policy" "access_policy" {
  name   = "${local.service_name}_access_role_policy"
  role   = aws_iam_role.access_role.id
  policy = false ? data.aws_iam_policy_document.access_policy_document_infra.json : data.aws_iam_policy_document.access_policy_document.json
}

#This is getting skipped
data "aws_iam_policy_document" "access_policy_document" {
  statement {
    effect = "Allow"

    actions = [
      "autoscaling:AttachLoadBalancers"
    ]

    resources = [
      "*"
    ]
  }

  statement {
    effect = "Allow"

    actions = [
      "ecs:*",
    ]

    resources = [
      "*"
    ]
  }
}

#This is getting evaluated
#trivy:ignore:AVD-AWS-0057
data "aws_iam_policy_document" "access_policy_document_infra" {
  statement {
    actions = [
      "ecr:CreateRepository",
      "ecr:PutImageTagMutability"
    ]

    resources = [
    "arn:aws:ecr:*"]
  }
}

even if I simply use false instead of dry_run=true/false. It is just evaluating/analyzing the left-hand side of the conditional statement irrespective of true/false.

[SujithPS0604]

trivy_conditional-exp.mov

provider.tf

provider "aws" {
  region = "eu-central-1"

  assume_role {
    role_arn = "arn:aws:iam::some:role/pipeline_pipeline_role"
  }
}

sample.tf

resource "aws_iam_role_policy" "test_policy" {
 	name = "test_policy"
 	role = aws_iam_role.test_role.id
 
 	policy = true ? data.aws_iam_policy_document.s3_policy.json : data.aws_iam_policy_document.s3_policy_one.json
 }
 
 resource "aws_iam_role" "test_role" {
 	name = "test_role"
 	assume_role_policy = jsonencode({
 		Version = "2012-10-17"
 		Statement = [
 		{
 			Action = "sts:AssumeRole"
 			Effect = "Allow"
 			Sid    = ""
 			Principal = {
 			Service = "s3.amazonaws.com"
 			}
 		},
 		]
 	})
 }
 
 data "aws_iam_policy_document" "s3_policy" {
   statement {
     principals {
       type        = "AWS"
       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
     }
     actions   = ["s3:GetO*"]
     resources = ["*"]
   }
 }


 data "aws_iam_policy_document" "s3_policy_one" {
   statement {
     principals {
       type        = "AWS"
       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
     }
     actions   = ["s3:Get*"]
     resources = ["*"]
   }
 }

variables.tf

variable "environment" {
  default = "live"
}

[nikpivkin]

Thanks @SujithPS0604 !

I created issue #5686