tfsec: bug: Lots of false positives for S3 with 1.27.2

Describe the bug 1.27.2 shows lots of false positives like for example https://github.com/aquasecurity/tfsec/issues/1863 1.27.1 works fine.

To Reproduce Use 1.27.2

Expected behavior No false positives.

System Info

  • tfsec version: 1.27.2
  • terraform version: 1.2.6
  • OS: ubuntu-20.04

About this issue

  • Original URL
  • State: closed
  • Created 2 years ago
  • Reactions: 1
  • Comments: 15 (6 by maintainers)

Most upvoted comments

Thanks for this, I’ve found the problem. I’ve added a test for the above example to prevent regression too. Release coming shortly.

+2
liamg on Aug 22, 2022

I do have similar issues with latest versions

resource "aws_s3_bucket" "this" {
  bucket        = local.resource_name
  force_destroy = var.deployment.delete_buckets
}

resource "aws_s3_bucket_acl" "this" {
  bucket = aws_s3_bucket.this.id
  acl    = "private"
}

resource "aws_s3_bucket_public_access_block" "this" {
  bucket = aws_s3_bucket.this.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

results in

  • Result # 1 HIGH No public access block so not blocking public acls
  • Result # 2 HIGH No public access block so not blocking public policies
  • Result # 3 HIGH No public access block so not ignoring public acls
  • Result # 4 HIGH No public access block so not restricting public buckets
+2
jccguimaraes on Aug 22, 2022

Thanks, fix incoming (ETA 10 mins).

+2
liamg on Aug 22, 2022

can confirm on my side 🙇🏼‍♂️

+1
jccguimaraes on Aug 22, 2022

v1.27.5 is working now. Thanks @liamg for the quick reaction!

+1
rreich on Aug 22, 2022
Read more comments on GitHub
← tfsec: bug: False positive about missing S3 public access block
tfsec: bug: non-deterministic behavior/results due to for_each processing for v1+ releases →