False Positive terraform:S6281

Make sure to read this post before raising a thread here:

Then tell us:

  • What language is this for?
    Terraform
  • Which rule?
    Make sure not preventing permissive ACL/policies to be set is safe here.
    Allowing public ACLs or policies on a S3 bucket is security-sensitive[terraform:S6281]
  • Why do you believe it’s a false-positive/false-negative?
    Adding the magic directive count will cause the rule to report a false positive
  • Are you using
    • SonarQube Server Enterprise Edition v10.7
  • How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots)
    The following code caused an issue:
# Bucket is created only when logging or trails are enabled (count = 0 or 1)
resource "aws_s3_bucket" "log_bucket" {
  count         = var.bucket_logs_enabled || var.bucket_trails_enabled ? 1 : 0
  bucket        = join("-", [local.bucket_name, "logs"])
  force_destroy = true
  tags          = local.tags
}

# Public access block with the same count, referencing the bucket by index
resource "aws_s3_bucket_public_access_block" "log_bucket" {
  count  = var.bucket_logs_enabled || var.bucket_trails_enabled ? 1 : 0
  bucket = aws_s3_bucket.log_bucket[0].id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

Thanks

Hello Pilar, welcome to the community!

First of all, thank you for your very clear post! You’re right, this is a false-positive as we’re currently not supporting the count meta-argument. We will work on supporting it in a future effort.

If you find more false positives, please let us know! Feedback is very valuable to improve our products :grinning_face_with_smiling_eyes:
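The mechanism behind this false positive, as an added illustration that is not SonarSource's own implementation: a simplified checker that pairs each aws_s3_bucket with a fully restrictive aws_s3_bucket_public_access_block. It works on Terraform's JSON syntax (.tf.json), the input and the second bucket data_bucket are constructed for the example, and the index_aware switch is an assumption that models whether the matcher understands the indexed reference aws_s3_bucket.log_bucket[0].id that count introduces.

```python
import json
import re

# Constructed .tf.json equivalent of the HCL above, plus a bucket with no
# public access block at all (a true positive that both matchers must report).
TF_JSON = json.loads("""
{
  "resource": {
    "aws_s3_bucket": {
      "log_bucket":  {"count": "${var.bucket_logs_enabled ? 1 : 0}", "bucket": "example-logs"},
      "data_bucket": {"bucket": "example-data"}
    },
    "aws_s3_bucket_public_access_block": {
      "log_bucket": {
        "count": "${var.bucket_logs_enabled ? 1 : 0}",
        "bucket": "${aws_s3_bucket.log_bucket[0].id}",
        "block_public_acls": true, "block_public_policy": true,
        "ignore_public_acls": true, "restrict_public_buckets": true
      }
    }
  }
}
""")

FLAGS = ("block_public_acls", "block_public_policy",
         "ignore_public_acls", "restrict_public_buckets")
# Reference to a bucket; the optional index ([0], [count.index], ...) appears
# whenever the referenced bucket uses the count meta-argument.
REF = re.compile(r"aws_s3_bucket\.(?P<name>\w+)(?P<index>\[[^\]]*\])?\.(?:id|bucket)\b")

def protected_bucket_names(tf: dict, index_aware: bool) -> set[str]:
    """Names of buckets that a fully restrictive public access block points at."""
    names = set()
    blocks = tf.get("resource", {}).get("aws_s3_bucket_public_access_block", {})
    for block in blocks.values():
        if not all(block.get(flag) is True for flag in FLAGS):
            continue  # a partially restrictive block does not protect the bucket
        m = REF.search(str(block.get("bucket", "")))
        if m is None:
            continue
        if m.group("index") and not index_aware:
            continue  # naive matcher: indexed reference is not linked to the bucket
        names.add(m.group("name"))
    return names

def unprotected_buckets(tf: dict, index_aware: bool = True) -> list[str]:
    """Bucket names the rule would report; index_aware=False reproduces the false positive."""
    buckets = tf.get("resource", {}).get("aws_s3_bucket", {})
    protected = protected_bucket_names(tf, index_aware)
    return sorted(name for name in buckets if name not in protected)
```

With index_aware=False the log bucket is reported although it is protected; with index_aware=True only data_bucket, which really has no public access block, remains.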