We are using SonarQube 9.2.4 and the latest version of sonar-scanner-cli to scan terraform projects (aws provider).
We want to scan based on selected .tfvar files because security issues may be generated depending on different configurations.
How do we configure the scan to use different (selected) tfvar files given that each of our projects has different environments with different configuration? I can’t find this in documentation…
We don’t support .tfvar files mainly because we don’t have strong use cases in mind where it would really help.
Would you be able to share some use cases where it would make a huge difference in the results?
Consider a terraform s3_bucket resource for example. This might have different rules & config for development, staging and production environments. For example they might have different canned ACLs populated by tfvars. This is just one of many potential examples…
If any of the values are populated by config, what do we do? A less experienced engineer might assume a bucket is safe, when in reality it could be a public acl being populated from config and producing a false negative.
Another example might be the use of versioning. I might choose to disable this in dev to save money and only enable it in prod where it is needed. If you are ignoring config set by tfvars, how does this get considered?
I see using config in tfvars as a very common practice in terraform, so i’m surprised this isn’t being labelled as a strong use case.