Ignoring specific values for terraform files when using for_each and modules

[felipeng]

Description

Hey,

can we have this feature , which is ignore specific values, but for terraform modules as well?

Is better to explain with an example of use case:

This terraform code creates a AWS Security Groups rules
locals.tf

locals {
  aws-sg = {
    service1 = {
      ingress_with_cidr_blocks = [
        {
          description = "HTTP"
          from_port   = 80
          to_port     = 80
          protocol    = "tcp"
          cidr_blocks = "0.0.0.0/0"
        }
      ]
    }
  }
}

with this terraform code that uses security-group module to create rules: sg.tf

module "aws-security-groups" {
  source   = "terraform-aws-modules/security-group/aws"
  version  = "~> 4.16.2"
  for_each = local.aws-sg

  name                     = each.key
  vpc_id                   = "vpc-123"
  ingress_with_cidr_blocks = try(each.value.ingress_with_cidr_blocks, null)
}

In this case, trivy will report: CRITICAL: Security group rule allows ingress from public internet.

trivy config .
2023-06-08T10:47:41.491-0400    INFO    Misconfiguration scanning is enabled
2023-06-08T10:47:41.896-0400    INFO    Detected config files: 1

terraform-aws-modules/security-group/aws/main.tf (terraform)

Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows ingress from public internet.
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
 terraform-aws-modules/security-group/aws/main.tf:197-204
 191   resource "aws_security_group_rule" "ingress_with_cidr_blocks" {
 ...   
 197 ┌   cidr_blocks = split(
 198 │     ",",
 199 │     lookup(
 200 │       var.ingress_with_cidr_blocks[count.index],
 201 │       "cidr_blocks",
 202 │       join(",", var.ingress_cidr_blocks),
 203 └     ),
 ... 

So, since we really need to allow traffic from 0.0.0.0/0 to TCP/80 (HTTP), let's ignore it adding the #trivy:ignore:aws-ec2-no-public-ingress-sgr

#trivy:ignore:aws-ec2-no-public-ingress-sgr <- HERE
module "aws-security-groups" {
  source   = "terraform-aws-modules/security-group/aws"
  version  = "~> 4.16.2"
  for_each = local.aws-sg

  name                     = each.key
  vpc_id                   = "vpc-123"
  ingress_with_cidr_blocks = try(each.value.ingress_with_cidr_blocks, null)
}

And it works as expected, trivy ignores this check. However, let's say that I add another service and rule for SSH. BUT I forgot to restrict the FROM traffic and added 0.0.0.0/0 like so:

locals {
  aws-sg = {
    service1 = {
      ingress_with_cidr_blocks = [
        {
          description = "HTTP"
          from_port   = 80
          to_port     = 80
          protocol    = "tcp"
          cidr_blocks = "0.0.0.0/0"
        }
      ]
    }
    service2 = {
      ingress_with_cidr_blocks = [
        {
          description = "SSH"
          from_port   = 22
          to_port     = 22
          protocol    = "tcp"
          cidr_blocks = "0.0.0.0/0"
        }
      ]
    }
  }
}

In this case trivy completely ignores the aws-ec2-no-public-ingress-sgr checks.

trivy config .
2023-06-08T10:55:42.316-0400    INFO    Misconfiguration scanning is enabled
2023-06-08T10:55:42.748-0400    INFO    Detected config files: 1

It would be nice to be able to ignore based on the value, something like #trivy:ignore:aws-ec2-no-public-ingress-sgr[locals.aws-sg.service1], because there are situation that we don't want to fully ignore a check but only for some configuration.

Target

None

Scanner

Misconfiguration

[simar7]

Thanks for explaining well. I understand the need and I think it'll be nice to have. I'll convert this discussion into an issue to track it.

[simar7]

Track #6137