tfsec: bug: False positive about missing S3 public access block

Describe the bug

We’re having an S3 bucket with a s3_public_access_block. Last week this was not detected, now it is causing multiple HIGH level potential problems. The 1.0.3 fix earlier today did remove some of the problems but other similar problems still remain.

To Reproduce

This is part of the code. The var.create_module is either true or false since the bucket shall only be created for specific environments.

```hcl
resource "aws_s3_bucket" "s3_bucket" {
  count  = var.create_module ? 1 : 0
  bucket = "${var.bucket_name}"
  acl    = "private"

  logging {
    target_bucket = aws_s3_bucket.log_bucket[0].id
  }

  versioning {
    enabled = true
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}

resource "aws_s3_bucket_public_access_block" "s3_public_access_block" {
  count  = var.create_module ? 1 : 0
  bucket = aws_s3_bucket.s3_bucket[0].id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```
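The false positive in this report comes down to one linking step: the scanner has to recognise that `aws_s3_bucket.s3_bucket[0].id` (a count-indexed reference) points at instance `[0]` of the bucket resource, and only then decide whether that bucket is covered by a public access block. The following is an added illustration, not tfsec's code and not part of the issue: a minimal Python checker over a hand-constructed, already-parsed list of resources that resolves both plain and `[N]`-indexed bucket references, skips resources with `count = 0` (no instance is created, so there is nothing to flag), and only treats a bucket as protected when all four block flags are true. The `Resource` class, the `count=None` convention for "no count argument", and the sample resources are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Matches bucket references such as aws_s3_bucket.s3_bucket[0].id or aws_s3_bucket.logs.bucket.
REF_RE = re.compile(
    r"^aws_s3_bucket\.(?P<name>[A-Za-z0-9_-]+)"
    r"(?:\[(?P<index>\d+)\])?\.(?P<attr>id|bucket|arn)$"
)

# All four must be true for the block to actually prevent public access.
REQUIRED_FLAGS = ("block_public_acls", "block_public_policy",
                  "ignore_public_acls", "restrict_public_buckets")


@dataclass
class Resource:
    """A flattened Terraform resource (assumed shape for this example, not tfsec's model)."""
    type: str
    name: str
    attrs: Dict[str, object] = field(default_factory=dict)
    count: Optional[int] = None  # None: no count argument; int: value of count

    def instances(self) -> List[str]:
        """Addresses of the instances Terraform would create for this resource."""
        base = f"{self.type}.{self.name}"
        if self.count is None:
            return [base]
        return [f"{base}[{i}]" for i in range(self.count)]  # count = 0 -> []


def parse_bucket_ref(ref: str) -> Optional[Tuple[str, Optional[int]]]:
    """Return (bucket resource name, instance index or None) for a bucket reference."""
    m = REF_RE.match(ref.strip())
    if not m:
        return None
    idx = m.group("index")
    return m.group("name"), (int(idx) if idx is not None else None)


def protected_instances(resources: List[Resource]) -> Set[str]:
    """Bucket instance addresses targeted by a fully enabled public access block."""
    protected: Set[str] = set()
    for r in resources:
        if r.type != "aws_s3_bucket_public_access_block":
            continue
        if r.count == 0:  # block is never created, so it protects nothing
            continue
        if not all(r.attrs.get(flag) is True for flag in REQUIRED_FLAGS):
            continue
        parsed = parse_bucket_ref(str(r.attrs.get("bucket", "")))
        if parsed is None:
            continue
        name, idx = parsed
        base = f"aws_s3_bucket.{name}"
        protected.add(base if idx is None else f"{base}[{idx}]")
    return protected


def unprotected_buckets(resources: List[Resource]) -> List[str]:
    """Bucket instances that would be created but have no matching public access block."""
    protected = protected_instances(resources)
    return [addr
            for r in resources if r.type == "aws_s3_bucket"
            for addr in r.instances() if addr not in protected]


ALL_TRUE = {flag: True for flag in REQUIRED_FLAGS}

# Constructed sample input mirroring the report: a count-gated bucket with a matching
# count-gated block, plus an unprotected bucket, a count = 0 bucket and a half-enabled block.
SAMPLE = [
    Resource("aws_s3_bucket", "s3_bucket", {"acl": "private"}, count=1),
    Resource("aws_s3_bucket_public_access_block", "s3_public_access_block",
             {"bucket": "aws_s3_bucket.s3_bucket[0].id", **ALL_TRUE}, count=1),
    Resource("aws_s3_bucket", "unprotected", {"acl": "private"}),
    Resource("aws_s3_bucket", "skipped", {}, count=0),
    Resource("aws_s3_bucket", "partial", {}),
    Resource("aws_s3_bucket_public_access_block", "partial_block",
             {"bucket": "aws_s3_bucket.partial.id", **ALL_TRUE, "block_public_policy": False}),
]

if __name__ == "__main__":
    for addr in unprotected_buckets(SAMPLE):
        print(f"HIGH: {addr} has no effective aws_s3_bucket_public_access_block")
```

Run stand-alone, the script flags only `aws_s3_bucket.unprotected` and `aws_s3_bucket.partial`; the count-gated pair from the report is correctly matched because the `[0]` index is resolved rather than dropped, and the `count = 0` bucket produces no instance to report.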

Version

tfsec v1.0.4

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 3
  • Comments: 30 (13 by maintainers)

Most upvoted comments

@liamg I have the same issue but I’m not using a self-written module. I’ll use the module https://github.com/terraform-aws-modules/terraform-aws-s3-bucket in version v2.13.0. The error still exists for me and I receive a false positive about a missing s3 public access block.

v1.0.11 building now 👍

I reproduced it! 🎉 🎉 🎉

Will dig into it and try and have a fix out later today.

That’s also really strange as GoReleaser allegedly copies the same built binary into the docker container as the one it publishes as a release artifact. I’m about to do a release v1.0.10 that forces GoReleaser to use the vendored dependencies to rule it out so it’d be cool if you could try that once it’s available (later today.)

@PB-TW Thanks for the example, I’ll take a look at this first thing tomorrow.