tfsec: bug: unable to ignore aws-rds-enable-deletion-protection

Describe the bug

I am unable to locally ignore aws-rds-enable-deletion-protection in my modules. None of these work:

# tfsec:ignore:aws-rds-enable-deletion-protection
module "rds" {
  source = "../../modules/rds"

  deletion_protection = false
}

module "rds" {
  source = "../../modules/rds"

  deletion_protection = false # tfsec:ignore:aws-rds-enable-deletion-protection
}

module "rds" {
  source = "../../modules/rds"

  # tfsec:ignore:aws-rds-enable-deletion-protection
  deletion_protection = false
}

The rule is ignored if I exclude it in the global config.yml file:

exclude:
  - aws-rds-enable-deletion-protection

Output of your tfsec command with --debug flag

Result #1 MEDIUM Instance does not have Deletion Protection enabled
────────────────────────────────────────────────────────────────────────────────
  modules/rds/rds.tf:46
────────────────────────────────────────────────────────────────────────────────
   46      deletion_protection      = var.deletion_protection
────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0177
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────

It also does not report the rule name, so perhaps aws-rds-enable-deletion-protection is not correct. Do Rego packages need a different ignore syntax?

System Info

  • tfsec version: v1.28.1
  • terraform version: v1.3.1
  • OS: Linux

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 27
  • Comments: 22 (3 by maintainers)

Most upvoted comments

Same with Result #1 MEDIUM Instance does not have IAM Authentication enabled

does not give an ignorable ID, but

 Rego Package builtin.aws.rds.aws0176
     Rego Rule deny

We’ve improved the trivyignore capabilities in the latest release of trivy, you can find more details here https://aquasecurity.github.io/trivy/v0.45/docs/configuration/filtering/#trivyignoreyaml

Do Rego packages need a different ignore syntax?

No they don’t. For example, to ignore the RDS deletion protection check, you can refer to it by any of the following IDs:

aws-rds-enable-deletion-protection
AVD-AWS-0177
enable-deletion-protection
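As an added example (not code from this thread, nor from tfsec or defsec), the Python below models the ID relationship the maintainer describes: the Rego package printed in the --debug output (builtin.aws.rds.aws0177) carries the numeric part of AVD-AWS-0177, and an ignore comment or config.yml exclude may use any of the listed aliases. The alias table, the generalisation to other package names and the matching logic are this example's own assumptions, not tfsec's implementation.

```python
import re

# Aliases the maintainer lists for the RDS deletion-protection check (AVD-AWS-0177).
# Only this one check is taken from the thread; extending the table is an assumption.
CHECK_ALIASES = {
    "AVD-AWS-0177": {"aws-rds-enable-deletion-protection", "enable-deletion-protection"},
}

# "builtin.aws.rds.aws0177" -> provider "aws", service "rds", number "0177"
REGO_PACKAGE = re.compile(
    r"^builtin\.(?P<provider>[a-z]+)\.(?P<service>[a-z0-9]+)\.(?P=provider)(?P<num>\d{4})$"
)
# Matches "# tfsec:ignore:ID" and "#tfsec:ignore:ID" alike.
IGNORE_COMMENT = re.compile(r"tfsec:ignore:([A-Za-z0-9-]+)")


def avd_id_from_rego_package(pkg):
    """Derive the AVD-style ID from the Rego package name shown in --debug output.
    Assumption: the last component is always <provider><4 digits>, as on this page."""
    m = REGO_PACKAGE.match(pkg)
    if not m:
        raise ValueError("unrecognised Rego package: %s" % pkg)
    return "AVD-%s-%s" % (m["provider"].upper(), m["num"])


def accepted_ids(pkg):
    """All IDs an ignore comment or config exclude may use for this finding."""
    avd = avd_id_from_rego_package(pkg)
    return {avd} | CHECK_ALIASES.get(avd, set())


def is_ignored(pkg, hcl_text, config_excludes=()):
    """True if any tfsec:ignore comment in hcl_text, or a config.yml exclude,
    names one of the IDs accepted for this finding."""
    requested = set(IGNORE_COMMENT.findall(hcl_text)) | set(config_excludes)
    return bool(requested & accepted_ids(pkg))


# Constructed sample: the module call from the issue with the comment form that was tried.
SAMPLE_HCL = '''
# tfsec:ignore:aws-rds-enable-deletion-protection
module "rds" {
  source              = "../../modules/rds"
  deletion_protection = false
}
'''

if __name__ == "__main__":
    pkg = "builtin.aws.rds.aws0177"
    print(avd_id_from_rego_package(pkg))                # AVD-AWS-0177
    print(is_ignored(pkg, SAMPLE_HCL))                  # True: long name is an accepted alias
    print(is_ignored(pkg, "# tfsec:ignore:aws0177\n"))  # False: bare package suffix is not an ID
```

Under the same assumption, the IAM-authentication finding's package builtin.aws.rds.aws0176 yields AVD-AWS-0176, while the bare aws0177 form tried later in the thread never matches.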


Same issue here.

This somehow seems to be related to #1936. Whenever I try to test my terraform code that uses the terraform-aws-modules/rds/aws module, it fails with the error:

Result #1 MEDIUM Instance does not have Deletion Protection enabled
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  ../../../../../../terraform-aws-modules/rds/aws/Users/phylu/terraform/folder_1/folder_2/folder_3/.terraform/modules/mssql.db/modules/db_instance/main.tf:93
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  Failed to render code: failed to read file from result filesystem (&extrafs.filesystem{root:"/", underlying:"/"}): open //terraform-aws-modules/rds/aws/Users/janosch.maier/terraform/folder_1/folder_2/folder_3/.terraform/modules/mssql.db/modules/db_instance/main.tf: no such file or directory
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0177
     Rego Rule deny

If I try to disable the rule, none of the following works:

# tfsec:ignore:enable-deletion-protection
# tfsec:ignore:AVD-AWS-0177
# tfsec:ignore:aws-rds-enable-deletion-protection
# tfsec:ignore:aws0177

When I change line 93 in the corresponding file in the .terraform/modules folder manually to the following, I don’t get the error anymore:

  deletion_protection      = true

Same here! Honestly, I was coming to GitHub to make an issue about how there's only the ID aws0176 instead of the rule name, so that I can do tfsec:ignore:iam-auth-blahblah.

After struggling for a couple of hours with this issue, it turned out the simple fix would be to downgrade the tfsec version from 1.28.1 to 1.28.0. But why, though? tfsec version 1.28.0 was using version v0.76.0 of [defsec](https://github.com/aquasecurity/defsec), while tfsec version 1.28.1 is using version v0.82.2 of defsec. It's worth mentioning that AWS Rego scanning support was added to defsec in version [v0.77.0](https://github.com/aquasecurity/defsec/releases/tag/v0.77.0). Since this change happened, tfsec version 1.28.1 was by default evaluating Rego rules including aws.0177 and aws.0176.

Even though I tried ignoring these two rules with what has been mentioned above:

#tfsec:ignore:aws-rds-enable-deletion-protection
#tfsec:ignore:AVD-AWS-0177
#tfsec:ignore:enable-deletion-protection

It didn't work. ALSO there is no tfsec rule for enable-deletion-protection, sooooo there's that!

@whyman10x tfsec was merged into Trivy and it is now maintained and evolved there: https://github.com/aquasecurity/trivy

downgrade the tfsec version from 1.28.1 to 1.28.0

Did you try to downgrade the tfsec version from 1.28.1 to 1.28.0?