I would appreciate it if someone could shed some light on the following issue.
As far as I know, the SonarQube scanner for the Terraform language is able to analyze code with AWS, GCP and Azure resources. In order to do that, the scanner checks whether the VALUES used are secure or not.
My question is, how can we spot those issues when variables are used to instantiate those resources? The use of variables is a mainstream practice in Terraform, for instance when using modules or workspaces.
Here is an example:
For the rule RSPEC-6333:
If we had the following resource configuration, the Sonar scanner will raise a non-compliant issue.
I got an idea regarding this issue… in the same way that SonarQube requires building Java code in order to use the Java binaries for the analysis, could a solution to this problem with variables be to analyze the tfplan file that Terraform generates after executing terraform plan?
That’s a good idea. Indeed, we could try to include the tfplan in the analysis to get a clue about the resolved variable value. However, we avoid depending on generated files, as we cannot expect users to build an application or generate the configuration before scanning the source files. We will try to simulate the generation of the tfplan instead. Please stay tuned; it’s on the agenda.
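To illustrate what the tfplan idea from the thread would give a scanner, here is an added example (not code from the thread or from SonarSource) that reads the JSON form of a plan (`terraform show -json tfplan`) and pairs each resource attribute that is set from a `var.` reference in `configuration` with its resolved value in `planned_values`. The embedded plan is a constructed sample with a placeholder resource type, trimmed to the fields the function uses.

```python
import json

# Constructed sample of `terraform show -json tfplan` output (placeholder
# resource type "example_resource"; assumption: the documented plan JSON
# layout with "variables", "planned_values" and "configuration" sections).
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "variables": {"example_flag": {"value": "public"}},
    "planned_values": {"root_module": {"resources": [
        {"address": "example_resource.this", "type": "example_resource",
         "name": "this", "values": {"exposure": "public", "name": "demo"}}
    ]}},
    "configuration": {"root_module": {"resources": [
        {"address": "example_resource.this", "type": "example_resource",
         "name": "this", "expressions": {
             # In the .tf source this attribute reads `var.example_flag`,
             # which a purely static scanner cannot evaluate.
             "exposure": {"references": ["var.example_flag"]},
             "name": {"constant_value": "demo"}}}
    ]}},
})


def resolve_variable_attributes(plan_json: str) -> dict:
    """Map resource address -> attribute -> (variable reference, resolved value).

    Only attributes whose configuration expression references a `var.`
    are reported; constants are already visible in the source files.
    """
    plan = json.loads(plan_json)
    planned = {r["address"]: r.get("values", {})
               for r in plan["planned_values"]["root_module"].get("resources", [])}
    resolved = {}
    for res in plan["configuration"]["root_module"].get("resources", []):
        addr = res["address"]
        for attr, expr in res.get("expressions", {}).items():
            var_refs = [ref for ref in expr.get("references", []) if ref.startswith("var.")]
            if var_refs:
                value = planned.get(addr, {}).get(attr)
                resolved.setdefault(addr, {})[attr] = (var_refs[0], value)
    return resolved


if __name__ == "__main__":
    for address, attrs in resolve_variable_attributes(SAMPLE_PLAN).items():
        for attr, (ref, value) in attrs.items():
            print(f"{address}.{attr}: {ref} -> {value!r}")
```

A rule check can then be applied to the resolved value instead of the opaque `var.` reference seen in the `.tf` file.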