Scanning terraform resources with variables

mvillanueva · March 27, 2023, 11:35am

Hello all,
I would appreciate if someone could provide some light about the following issue

As far as I know, the SonarQube scanner for the terraform language is able to analyze code with AWS, GCP and Azure resources. In order to do that, the scanner checks whether the VALUES used are secure or not.
My question is, how can we spot those issues when variables are used for instantiate those resources? The use of variables is a mainstream practice of terraform, for instance when using modules or workspaces.
Here an example:
For the rule RSPEC-6333:
If we had the following resource configuration the sonar scanner will rise a non-compliant issue

resource "aws_api_gateway_method" "noncompliantapi" {
  authorization = "NONE" # Sensitive
  http_method   = "GET"
}

But how this can be detected when we use variables?

resource "aws_api_gateway_method" "noncompliantapi" {
  authorization = var.authorization
  http_method   = var.http_method
}

Related questions:

Thank you.

Marcin_Stachniuk · April 4, 2023, 12:06pm

Hello @mvillanueva

Welcome to Sonar Community and thank you for the report.

Your request is valid, we have a ticket for that SONARIAC-568. Please follow it to be notified when it will be implemented.

Best!

mvillanueva · April 5, 2023, 9:16am

Dear Marcin,
I got an idea regarding this issue… in the same way that SonarQube requires building java code in order to use java binaries for the analysis, could be a solution of this problem with variables, to analyze the file tfplan that generates terraform after executing terraform plan?

Thank you for your response.

Nils_Werner · April 6, 2023, 11:21am

Hi @mvillanueva,

That’s a good idea. Indeed, we could try to include the tfplan into the analysis to get a clue about the resolved variable value. However, we avoid depending on generated files as we can not expect users to build an application or generate the configuration before scanning the source files. We will try to simulate the generation of the tfplan instead. Please stay tuned; it’s on the agenda.

Best,
Nils

system · April 13, 2023, 11:22am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Using selected tfvar files in Terraform Scanning SonarQube Server / Community Build security , terraform	2	953	February 25, 2022
Unchanged Terraform files are not scanned SonarQube Server / Community Build scanner , iac , terraform , self-solve	1	553	August 28, 2023
Terraform configuration scanning SonarQube Server / Community Build iac , terraform	9	2552	March 30, 2022
SonarCloud can scan Terraform and CloudFormation files + cfn-lint support Sonar Updates security , iac , terraform , cloudformation , aws	10	5101	January 28, 2022
Terraform Rule not Detected in Scan SonarQube Cloud terraform	1	319	September 25, 2023

Scanning terraform resources with variables

Related topics