fix(misconf): Check values wholly prior to evalution (#8604)

2025-12-05 20:40:16 -08:00 · 2025-03-27 01:19:31 -06:00
parent c76764ef5d
commit ad58cf4457
2 changed files with 88 additions and 10 deletions
--- a/pkg/iac/scanners/terraform/executor/executor.go
+++ b/pkg/iac/scanners/terraform/executor/executor.go
@@ -135,9 +135,10 @@ func writeBlock(tfBlock *terraform.Block, block *hclwrite.Block, causeRng types.
 		}

 		value := attr.Value()
-		if !value.IsKnown() || value.IsNull() {
+		if !value.IsWhollyKnown() {
 			continue
 		}
+
 		block.Body().SetAttributeValue(attr.Name(), value)
 		found = true
 	}
--- a/pkg/iac/scanners/terraform/scanner_test.go
+++ b/pkg/iac/scanners/terraform/scanner_test.go
@@ -997,7 +997,7 @@ deny contains res if {

 func TestRenderedCause(t *testing.T) {

-	check := `# METADATA
+	s3check := `# METADATA
 # title: S3 Data should be versioned
 # custom:
 #   id: AVD-AWS-0090
@@ -1014,15 +1014,46 @@ deny contains res if {
 		bucket.versioning.enabled
 	)
 }
+`
+	iamcheck := `# METADATA
+# title: Service accounts should not have roles assigned with excessive privileges
+# custom:
+#   id: AVD-GCP-0007
+#   avd_id: AVD-GCP-0007
+package user.google.iam.google0007
+
+import rego.v1
+
+import data.lib.google.iam
+
+deny contains res if {
+	some member in iam.all_members
+	print(member)
+	iam.is_service_account(member.member.value)
+	iam.is_role_privileged(member.role.value)
+	res := result.new("Service account is granted a privileged role.", member.role)
+}
+
+deny contains res if {
+	some binding in iam.all_bindings
+	iam.is_role_privileged(binding.role.value)
+	some member in binding.members
+	iam.is_service_account(member.value)
+	res := result.new("Service account is granted a privileged role.", member)
+}
 `

 	tests := []struct {
-		name     string
-		fsys     fstest.MapFS
-		expected string
+		name              string
+		inputCheck        string
+		fsys              fstest.MapFS
+		expected          string
+		expectedStartLine int
+		expectedEndLine   int
 	}{
 		{
-			name: "just misconfigured resource",
+			name:       "just misconfigured resource",
+			inputCheck: s3check,
 			fsys: fstest.MapFS{
 				"main.tf": &fstest.MapFile{Data: []byte(`
 locals {
@@ -1045,7 +1076,8 @@ resource "aws_s3_bucket" "test" {
 }`,
 		},
 		{
-			name: "misconfigured resource instance",
+			name:       "misconfigured resource instance",
+			inputCheck: s3check,
 			fsys: fstest.MapFS{
 				"main.tf": &fstest.MapFile{Data: []byte(`
 locals {
@@ -1069,7 +1101,8 @@ resource "aws_s3_bucket" "test" {
 }`,
 		},
 		{
-			name: "misconfigured resource instance in the module",
+			name:       "misconfigured resource instance in the module",
+			inputCheck: s3check,
 			fsys: fstest.MapFS{
 				"main.tf": &fstest.MapFile{Data: []byte(`
 module "bucket" {
@@ -1097,6 +1130,45 @@ resource "aws_s3_bucket" "test" {
  }
 }`,
 		},
+		{
+			name:       "misconfigured resource",
+			inputCheck: iamcheck,
+			fsys: fstest.MapFS{`main.tf`: &fstest.MapFile{Data: []byte(`
+resource "google_storage_bucket_iam_binding" "service-a" {
+  bucket = google_storage_bucket.service-a.name
+  role   = "roles/storage.objectAdmin"
+
+  members = [
+    "serviceAccount:service-a@example-project.iam.gserviceaccount.com"
+  ]
+}`),
+			}},
+			expectedStartLine: 6,
+			expectedEndLine:   8,
+		},
+		{
+			name:       "dont panic on unknown value",
+			inputCheck: iamcheck,
+			fsys: fstest.MapFS{
+				"main.tf": &fstest.MapFile{Data: []byte(`
+resource "google_storage_bucket_iam_binding" "service-a" {
+  bucket = google_storage_bucket.service-a.name
+  role   = "roles/storage.objectAdmin"
+
+  members = [
+    "serviceAccount:service-a@example-project.iam.gserviceaccount.com",
+    data.google_storage_transfer_project_service_account.production.member,
+  ]
+}
+
+data "google_storage_transfer_project_service_account" "production" {
+  project = local.project_id
+}
+`)},
+			},
+			expectedStartLine: 6,
+			expectedEndLine:   9,
+		},
 	}

 	for _, tt := range tests {
@@ -1104,7 +1176,7 @@ resource "aws_s3_bucket" "test" {
 			scanner := New(
 				ScannerWithAllDirectories(true),
 				rego.WithEmbeddedLibraries(true),
-				rego.WithPolicyReader(strings.NewReader(check)),
+				rego.WithPolicyReader(strings.NewReader(tt.inputCheck)),
 				rego.WithPolicyNamespaces("user"),
 			)

@@ -1115,7 +1187,12 @@ resource "aws_s3_bucket" "test" {

 			assert.Len(t, failed, 1)

-			assert.Equal(t, tt.expected, failed[0].Flatten().RenderedCause.Raw)
+			if tt.expected != "" {
+				assert.Equal(t, tt.expected, failed[0].Flatten().RenderedCause.Raw)
+			} else {
+				assert.Equal(t, tt.expectedStartLine, failed[0].Flatten().Location.StartLine)
+				assert.Equal(t, tt.expectedEndLine, failed[0].Flatten().Location.EndLine)
+			}
 		})
 	}
 }