tfsec: bug: tfsec --exclude-downloaded-modules doesn't work for submodules in external modules (since 1.16)
Describe the bug
Since 1.16 the --exclude-downloaded-modules argument doesn't work anymore on submodules in external modules.
To Reproduce
> tfsec-test $tree
.
├── external-module
│   ├── sns.tf
│   └── submodule
│       └── aws_sns_topic.tf
└── root
    └── main.tf

3 directories, 3 files
> tfsec-test $cat root/main.tf
module "test" {
  source = "git::/mnt/c/work/Bitbucket/tfsec-test/external-module"
}
> tfsec-test $cat external-module/sns.tf
module "submodule" {
  source = "./submodule"
}
> tfsec-test $cat external-module/submodule/aws_sns_topic.tf
resource "aws_sns_topic" "this" {
  name = "test"
}
Expected behavior
The issues found in the external module are excluded.
Screenshots/Output
> tfsec-test $tfsec --version
v1.18.0
> tfsec-test $tfsec root/ --exclude-downloaded-modules --concise-output
Result #1 HIGH Topic does not have encryption enabled.
─────────────────────────────────────────────────────────────────
.terraform/modules/test/submodule/aws_sns_topic.tf Lines 1-3
───────┬─────────────────────────────────────────────────────────
   1 │ resource "aws_sns_topic" "this" {
   2 │   name = "test"
   3 │ }
───────┴─────────────────────────────────────────────────────────
ID aws-sns-enable-topic-encryption
Impact The SNS topic messages could be read if compromised
Resolution Turn on SNS Topic encryption
More Information
- https://aquasecurity.github.io/tfsec/v1.18.0/checks/aws/sns/enable-topic-encryption/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic#example-with-server-side-encryption-sse
─────────────────────────────────────────────────────────────────
System Info
- tfsec version: v1.18.0
- terraform version: v0.14.0
- OS: 20.04.4 LTS (Focal Fossa) (WSL2)
Example Code
See above
Additional context
TFsec tests are passing with versions below 1.16:
> tfsec-test $tfsec --version
v1.15.4
> tfsec-test $tfsec root/ --exclude-downloaded-modules --concise-output
No problems detected!
About this issue
- State: closed
- Created 2 years ago
- Reactions: 3
- Comments: 18 (6 by maintainers)
Commits related to this issue
- Resolves #1705 Resolves #1677 — committed to aquasecurity/tfsec by liamg 2 years ago
- fix: Fix module handling via update to defsec v0.65.0 (#1787) Resolves #1705 Resolves #1677 — committed to aquasecurity/tfsec by liamg 2 years ago
@liamg I was at a business trip last week. I'll have a look this week! Thank you!

Hi @ragchuck - I think this is actually working as intended.

If you point tfsec at the root directory in your example, the --exclude-downloaded-modules will work as you expected - I've just verified this on Windows.

Unless you point tfsec at a specific directory directly containing *.tf files, tfsec has to figure out which directories are root modules - it does this by recursing down until it finds directories containing *.tf files. Once it finds them, it won't recurse further into those directories.

In your example above, it finds two directories to treat as project roots: external-module and root. That means external-module is being parsed as a local root module, regardless of the --exclude-downloaded-modules flag.

If you point tfsec exclusively at the root directory, it will only parse that directory as a root module, and the external-module directory can only be loaded as an external module, meaning the flag will be respected.

@liamg sure! as brew doesn't provide 1.25.1 yet I used the master branch (--HEAD)
tfsec . --concise-output --debug

I wonder if this is a Windows specific issue as I can't reproduce it here. I'll try to set this up on Windows and see if the behaviour is different.
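The root-module discovery rule the maintainer describes above (recurse from the scan target until a directory that directly contains *.tf files is found, treat that directory as a root module, and do not descend further) is what decides whether --exclude-downloaded-modules has anything to exclude. The script below is an added illustration written for this page, not tfsec's own code: it rebuilds the reporter's three-file tree in a temporary directory and applies that rule once to a scan of "." and once to a scan of "root/". The SKIPPED_DIRS set and the exclusion_effective helper are assumptions made here for the illustration; tfsec's real implementation may differ in those details.

```python
from __future__ import annotations

import tempfile
from pathlib import Path

# Constructed sample tree mirroring the reproduction in the issue; the three
# file bodies are the .tf files shown above. Illustrative code, not tfsec's.
SAMPLE_TREE = {
    "external-module/sns.tf":
        'module "submodule" {\n  source = "./submodule"\n}\n',
    "external-module/submodule/aws_sns_topic.tf":
        'resource "aws_sns_topic" "this" {\n  name = "test"\n}\n',
    "root/main.tf":
        'module "test" {\n  source = "git::/mnt/c/work/Bitbucket/tfsec-test/external-module"\n}\n',
}

# Assumption for this example: a downloaded-module cache or VCS directory is
# never considered as a candidate root module during discovery.
SKIPPED_DIRS = {".terraform", ".git"}


def build_sample_tree(base: Path) -> None:
    """Materialise SAMPLE_TREE under `base`."""
    for rel, body in SAMPLE_TREE.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)


def has_tf_files(directory: Path) -> bool:
    """True if `directory` itself (not a subdirectory) holds at least one *.tf file."""
    return any(p.is_file() and p.suffix == ".tf" for p in directory.iterdir())


def find_root_modules(start: Path, top: Path | None = None) -> list[str]:
    """Discovery rule as described in the thread: recurse from `start` until a
    directory containing *.tf files is found; that directory is a root module
    and is not descended further. Paths are returned relative to the scan target,
    with "." meaning the scan target itself is the root module."""
    top = start if top is None else top
    if has_tf_files(start):
        rel = start.relative_to(top)
        return ["." if rel == Path(".") else rel.as_posix()]
    roots: list[str] = []
    for child in sorted(start.iterdir()):
        if child.is_dir() and child.name not in SKIPPED_DIRS:
            roots.extend(find_root_modules(child, top))
    return roots


def exclusion_effective(scan_target: Path, external_dir_name: str) -> bool:
    """Hypothetical helper: --exclude-downloaded-modules can only skip a module
    reached through a `source` reference. If discovery already picked the
    external module's directory up as a local root, the flag has nothing to
    exclude and its findings are reported anyway."""
    roots = find_root_modules(scan_target)
    return not any(
        r == external_dir_name or r.startswith(external_dir_name + "/") for r in roots
    )


def demo() -> dict:
    """Build the sample tree and compare scanning "." with scanning "root/"."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        return {
            "roots_when_scanning_dot": find_root_modules(base),
            "roots_when_scanning_root": find_root_modules(base / "root"),
            "flag_effective_scanning_dot": exclusion_effective(base, "external-module"),
            "flag_effective_scanning_root": exclusion_effective(base / "root", "external-module"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Scanning the parent directory yields two root modules, external-module and root, so the SNS topic is parsed as part of a local root and the flag cannot suppress its finding; scanning root/ alone yields a single root, and external-module is only reachable as a downloaded module, which is the case the flag covers.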