bug(misconf): Resolve attributes depending on conditions irrespective of placement #5686

Closed
2 tasks done
nikpivkin opened this issue Nov 30, 2023 Discussed in #5680 · 0 comments · Fixed by #6276
kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning

Comments

@nikpivkin
Contributor

Minimum reproducible example:

resource "aws_iam_role_policy" "test_policy" {
  name = "test_policy"
  role = aws_iam_role.test_role.id
  policy = false ? data.aws_iam_policy_document.s3_policy.json : data.aws_iam_policy_document.s3_policy_one.json
}

resource "aws_iam_role" "test_role" {
  name = "test_role"
  assume_role_policy = ""
}

data "aws_iam_policy_document" "s3_policy_one" {
  statement {
    actions   = ["s3:Get*"]
    resources = ["*"]
  }
}

data "aws_iam_policy_document" "s3_policy" {
  statement {
    actions   = ["s3:GetO*"]
    resources = ["*"]
  }
}

Discussed in #5680

Originally posted by SujithPS0604 November 29, 2023

Description

defsec does not evaluate the second part of a conditional operator

Example:

resource "aws_iam_role_policy" "access_policy" {
  name   = "${local.service_name}_access_role_policy"
  role   = aws_iam_role.access_role.id
  policy = var.dry_run == "false"  ? data.aws_iam_policy_document.access_policy_document_prod.json : data.aws_iam_policy_document.access_policy_document.json
}

Here, whatever the condition is, defsec is only scanning the configuration of the first part of the condition. Here it is analyzing data.aws_iam_policy_document.access_policy_document_prod.json.

Output:

trivy config . --severity "HIGH" -d

2023-11-29T18:08:46.173+0530	INFO	Misconfiguration scanning is enabled
2023-11-29T18:08:48.058+0530	INFO	Detected config files: 35

Here there is no failure, as the policy data.aws_iam_policy_document.access_policy_document_prod.json is free of issues.

But if I move the second part to the first part, it is showing all the issues of data.aws_iam_policy_document.access_policy_document.json.

Example:

resource "aws_iam_role_policy" "access_policy" {
  name   = "${local.service_name}_access_role_policy"
  role   = aws_iam_role.access_role.id
  policy = var.dry_run == "true" ? data.aws_iam_policy_document.access_policy_document.json : data.aws_iam_policy_document.access_policy_document_prod.json 
}

Output:

trivy config . --severity "HIGH" -d

2023-11-29T18:09:15.574+0530	INFO	Misconfiguration scanning is enabled
2023-11-29T18:09:17.464+0530	INFO	Detected config files: 36

terraform/custom_role/custom_role.tf (terraform)

Tests: 27 (SUCCESSES: 1, FAILURES: 26, EXCEPTIONS: 0)
Failures: 26 (HIGH: 26)

HIGH: IAM policy document uses sensitive action 'autoscaling:AttachLoadBalancers' on wildcarded resource '*'


Here, the number of config files scanned also increased, and it is showing issues with the policy.

So, by default, it is always analyzing the first part of the condition only. Even if I switch the condition, it is still analyzing the first part.

Desired Behavior

It should analyze both parts of the condition, irrespective of their position.

Actual Behavior

It is analyzing only the first part of the condition.

Reproduction Steps

1. In a Terraform file, write a conditional expression which will choose either one data block or the other data block.
2. Run `trivy config` and observe that it is showing the issues from the first part of the expression only.

Target

Filesystem

Scanner

Misconfiguration

Output Format

None

Mode

Standalone

Operating System

macOS Sonoma

Version

Version: 0.47.0
Vulnerability DB:
  Version: 2
Java DB:
  Version: 1


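To illustrate the behaviour the report describes, here is an added Python example (not Trivy's or defsec's code) that reads the issue's minimal reproducible example with a simplified regex-based HCL reader, resolves the `policy` attribute either to the first branch only or to both branches of the conditional, and reports every action a reachable policy document grants on the wildcard resource `*`. All regex and function names are hypothetical helpers; the reader assumes one statement per document and literal list values, and it does not evaluate the condition, since the page's point is that an unknown condition should not hide either branch from the scanner.

```python
import re
# Constructed input: the issue's minimal reproducible example (aws_iam_role omitted).
TF = '''
resource "aws_iam_role_policy" "test_policy" {
  policy = false ? data.aws_iam_policy_document.s3_policy.json : data.aws_iam_policy_document.s3_policy_one.json
}
data "aws_iam_policy_document" "s3_policy_one" {
  statement {
    actions   = ["s3:Get*"]
    resources = ["*"]
  }
}
data "aws_iam_policy_document" "s3_policy" {
  statement {
    actions   = ["s3:GetO*"]
    resources = ["*"]
  }
}
'''
# Simplified regex reading of HCL (hypothetical helpers, not Trivy's HCL evaluation).
DATA_BLOCK = re.compile(r'data "aws_iam_policy_document" "(\w+)" \{(.*?)\n\}', re.S)
POLICY_ATTR = re.compile(r'^\s*policy\s*=\s*(.+)$', re.M)
DOC_REF = re.compile(r'data\.aws_iam_policy_document\.(\w+)\.json')

def _list(body, key):
    # Parse `key = ["a", "b"]` inside a block body into a Python list of strings.
    raw = re.search(key + r'\s*=\s*\[(.*?)\]', body).group(1)
    return [v.strip(' "') for v in raw.split(',')]

def policy_documents(tf):
    """Map each aws_iam_policy_document name to its (actions, resources)."""
    return {name: (_list(body, 'actions'), _list(body, 'resources'))
            for name, body in DATA_BLOCK.findall(tf)}

def referenced_documents(expr, all_branches=True):
    """Documents a policy expression may resolve to; all_branches=False keeps only
    the first branch of `cond ? a : b`, mirroring the behaviour the issue reports."""
    branches = [expr]
    if '?' in expr:
        first, second = expr.split('?', 1)[1].split(':', 1)
        branches = [first, second] if all_branches else [first]
    return [doc for b in branches for doc in DOC_REF.findall(b)]

def wildcard_resource_findings(tf, all_branches=True):
    """(document, action) pairs granted on resource '*' via any policy attribute."""
    docs, findings = policy_documents(tf), []
    for expr in POLICY_ATTR.findall(tf):
        for name in referenced_documents(expr, all_branches):
            actions, resources = docs[name]
            if '*' in resources:
                findings += [(name, action) for action in actions]
    return findings
```

With `all_branches=False` only `s3_policy` is ever inspected and `s3_policy_one` never produces a finding, which is the gap the issue asks to close.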
@nikpivkin nikpivkin added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels Nov 30, 2023
@simar7 simar7 changed the title [Terraform] resolve attributes depending on conditions bug(misconf): Resolve attributes depending on conditions irrespective of placement Dec 1, 2023
@simar7 simar7 added this to the v0.50.0 milestone Mar 5, 2024