Scanning terraform resources with variables

Hello all,
I would appreciate it if someone could shed some light on the following issue :slight_smile:

As far as I know, the SonarQube scanner for the terraform language is able to analyze code with AWS, GCP and Azure resources. In order to do that, the scanner checks whether the VALUES used are secure or not.
My question is, how can we spot those issues when variables are used to instantiate those resources? The use of variables is a mainstream practice in terraform, for instance when using modules or workspaces.
Here is an example:
For the rule RSPEC-6333:
If we had the following resource configuration, the Sonar scanner would raise a non-compliant issue:

resource "aws_api_gateway_method" "noncompliantapi" {
  authorization = "NONE" # Sensitive
  http_method   = "GET"
}

But how can this be detected when we use variables?

resource "aws_api_gateway_method" "noncompliantapi" {
  authorization = var.authorization
  http_method   = var.http_method
}

Thank you.

Hello @mvillanueva

Welcome to Sonar Community and thank you for the report.

Your request is valid; we have a ticket for that: SONARIAC-568. Please follow it to be notified when it is implemented.

Best!

Dear Marcin,
I got an idea regarding this issue… in the same way that SonarQube requires building Java code in order to use the Java binaries for the analysis, could a solution to this problem with variables be to analyze the tfplan file that terraform generates after executing terraform plan?

Thank you for your response.

Hi @mvillanueva,

That’s a good idea. Indeed, we could try to include the tfplan in the analysis to get a clue about the resolved variable value. However, we avoid depending on generated files, as we cannot expect users to build an application or generate the configuration before scanning the source files. We will try to simulate the generation of the tfplan instead. Please stay tuned; it’s on the agenda.

Best,
Nils
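As an added example (not code from this thread and not Sonar's scanner), here is a small Python check that applies the RSPEC-6333 condition from the first post to the JSON form of a plan (`terraform show -json tfplan`), where references such as var.authorization are already resolved into `planned_values`. The plan document below is constructed inline to mirror that layout, and an attribute that is still unknown at plan time (absent from `values`) is reported separately rather than silently passed.

```python
import json

# Constructed sample shaped like `terraform show -json tfplan` output
# (planned_values.root_module.resources); not a real plan file.
SAMPLE_PLAN = json.loads("""
{"format_version": "1.1",
 "planned_values": {"root_module": {
   "resources": [
     {"address": "aws_api_gateway_method.noncompliantapi",
      "type": "aws_api_gateway_method",
      "values": {"authorization": "NONE", "http_method": "GET"}},
     {"address": "aws_api_gateway_method.ok",
      "type": "aws_api_gateway_method",
      "values": {"authorization": "AWS_IAM", "http_method": "GET"}}],
   "child_modules": [
     {"address": "module.api",
      "resources": [
        {"address": "module.api.aws_api_gateway_method.unknown",
         "type": "aws_api_gateway_method",
         "values": {"http_method": "POST"}}]}]}}}
""")


def walk_resources(module):
    """Yield every resource in a planned-values module and its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from walk_resources(child)


def check_api_gateway_auth(plan):
    """Return (noncompliant, unresolved) resource addresses.

    noncompliant: authorization resolved to "NONE" (the RSPEC-6333 case).
    unresolved:   authorization not known until apply, so it needs review.
    """
    noncompliant, unresolved = [], []
    root = plan["planned_values"]["root_module"]
    for res in walk_resources(root):
        if res.get("type") != "aws_api_gateway_method":
            continue
        auth = res.get("values", {}).get("authorization")
        if auth is None:
            # Unknown values are omitted from "values" in plan JSON.
            unresolved.append(res["address"])
        elif auth == "NONE":
            noncompliant.append(res["address"])
    return noncompliant, unresolved
```

For a real pipeline, replace SAMPLE_PLAN with `json.load(open("plan.json"))` produced by `terraform plan -out=tfplan && terraform show -json tfplan > plan.json`.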
