
Correct point in time recovery for DynamoDB still leads to violation #838

Status: Closed
HorizonNet opened this issue Jun 5, 2021 · 4 comments
Assignees: harkirat22
Labels: policy (Issue concerning policy maintainers.)

Comments

@HorizonNet
Contributor

HorizonNet commented Jun 5, 2021

  • terrascan version: v1.6.0
  • Operating System: MacOs

Description

When point in time recovery is configured for DynamoDB, Terrascan still complains about a violation.

What I Did

Having the following Terraform snippet

resource "aws_dynamodb_table" "table" {
  name           = "table"
  hash_key       = "LockID"
  read_capacity  = 20
  write_capacity = 20

  attribute {
    name = "LockID"
    type = "S"
  }

  point_in_time_recovery {
    enabled = true
  }

  server_side_encryption {
    enabled = true
  }

  tags = var.default-tags
}

After running Terrascan via

terrascan scan -t aws

it still leads to the following output

Violation Details -
    
        Description    :        Ensure Point In Time Recovery is enabled for DynamoDB Tables
        File           :        main.tf
        Line           :        58
        Severity       :        MEDIUM
        -----------------------------------------------------------------------

The expected behavior is that with the Terraform configuration above the rule is not triggered.

@HorizonNet HorizonNet changed the title from "Correct Point in time" to "Correct point in time recovery for DynamoDB still leads to violation" Jun 5, 2021
@HorizonNet
Contributor Author

HorizonNet commented Jun 5, 2021

The same does not seem to happen on master, even when using the same policy set.

Below with the build based on the latest master

./bin/terrascan scan -f main.tf -p ~/terrascan/pkg/policies/opa/rego

Violation Details -
    
	Description    :	Ensure S3 buckets have access logging enabled.
	File           :	main.tf
	Module Name    :	root
	Line           :	29
	Severity       :	MEDIUM
	-----------------------------------------------------------------------
	

Scan Summary -

	File/Folder         :	main.tf
	IaC Type            :	terraform
	Scanned At          :	2021-06-05 14:44:43.474022 +0000 UTC
	Policies Validated  :	11
	Violated Policies   :	1
	Low                 :	0
	Medium              :	1
	High                :	0

And below with v1.6.0 installed via brew

terrascan scan -f main.tf -p ~/terrascan/pkg/policies/opa/rego

Violation Details -
    
	Description    :	Ensure S3 buckets have access logging enabled.
	File           :	main.tf
	Line           :	29
	Severity       :	MEDIUM
	-----------------------------------------------------------------------
	
	Description    :	Ensure Point In Time Recovery is enabled for DynamoDB Tables
	File           :	main.tf
	Line           :	58
	Severity       :	MEDIUM
	-----------------------------------------------------------------------
	

Scan Summary -

	File/Folder         :	main.tf
	IaC Type            :	terraform
	Scanned At          :	2021-06-05 14:44:50.499964 +0000 UTC
	Policies Validated  :	613
	Violated Policies   :	2
	Low                 :	0
	Medium              :	2
	High                :	0

@devang-gaur devang-gaur added the policy Issue concerning policy maintainers. label Jun 5, 2021
@harkirat22 harkirat22 self-assigned this Jun 9, 2021
@harkirat22
Contributor

harkirat22 commented Jun 9, 2021

@HorizonNet thanks for raising the issue. I have fixed the policy and raised the PR. This should be resolved. Please verify, then I will close the issue.

@DavidSanchezAlvarez

Hello all.

This bug seems to be still present in version 1.10.0. We will test it out with 1.13.0.

@DavidSanchezAlvarez

DavidSanchezAlvarez commented Jan 13, 2022

Tested out with version 1.13, and the bug is still present. Results of the test.

resource "aws_dynamodb_table" "dynamodb-table" {
  arn              = (known after apply)
  billing_mode     = "PROVISIONED"
  hash_key         = "cod_err"
  id               = (known after apply)
  name             = "uat_t_errors"
  range_key        = "typ_err"
  read_capacity    = 5
  stream_arn       = (known after apply)
  stream_enabled   = false
  stream_label     = (known after apply)
  stream_view_type = (known after apply)
  tags = {
    "ApplicationID" = "data_dynamodb_t_errors"
    "Environment"   = "uat"
    "Name"          = "uat_t_errors"
    "Project"       = "kin"
    "Workstream"    = "Data"
  }
  write_capacity = 5

  attribute {
    name = "cod_err"
    type = "S"
  }

  attribute {
    name = "typ_err"
    type = "S"
  }

  point_in_time_recovery {
    enabled = true
  }

  server_side_encryption {
    enabled     = true
    kms_key_arn = (known after apply)
  }

  ttl {
    enabled = false
  }
}

Even with that code, a violation is launched.

Violation Details -

Description    :	Ensure Point In Time Recovery is enabled for DynamoDB Tables
File           :	git::ssh:/git@********/terraform/modules/aws/dynamodb.git/main.tf
Module Name    :	dynamoDB
Plan Root      :	./
Line           :	4
Severity       :	MEDIUM
Rule Name      :	dynamoderecovery_enabled
Rule ID        :	AC_AWS_0458
Resource Name  :	dynamodb-table
Resource Type  :	aws_dynamodb_table
Category       :	Resilience

-----------------------------------------------------------------------

Scan Summary -

File/Folder         :	/home/jenkins/agent/workspace/NOSQL/DynamoDB/dynamodb_t_errors/uat
IaC Type            :	all
Scanned At          :	2022-01-11 16:27:33.536694784 +0000 UTC
Policies Validated  :	2
Violated Policies   :	1
Low                 :	0
Medium              :	1
High                :	0

Should this issue be reopened, or should I open a new one pointing to this?
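As an added example (not Terrascan's own Rego policy), here is a reference implementation of the check this rule is meant to perform, written in Python and run over constructed resources shaped like the two snippets in this thread. It assumes the parsed resource follows Terraform's JSON layout, where a nested block arrives either as a list of objects or, from some parsers, as a single object; tolerating both shapes is what keeps a policy like this from reporting a false positive on a table that does have `enabled = true`.

```python
# Reference check for "Ensure Point In Time Recovery is enabled for DynamoDB
# Tables". Added example, not Terrascan's policy code. Assumption: each
# resource is a dict with "type" and "config", and nested HCL blocks inside
# "config" are a list of dicts (Terraform JSON plan shape) or a single dict.
from typing import Any, Dict, List


def _truthy(value: Any) -> bool:
    """Accept a real boolean or the string form that HCL coerces to true."""
    return value is True or (isinstance(value, str) and value.strip().lower() == "true")


def _blocks(config: Dict[str, Any], name: str) -> List[Dict[str, Any]]:
    """Return the nested blocks called `name` as a list, whatever shape the parser used."""
    value = config.get(name)
    if isinstance(value, dict):
        return [value]
    if isinstance(value, list):
        return [v for v in value if isinstance(v, dict)]
    return []  # block absent or malformed: treat as not configured


def pitr_enabled(config: Dict[str, Any]) -> bool:
    """True only if some point_in_time_recovery block sets enabled = true."""
    return any(_truthy(b.get("enabled")) for b in _blocks(config, "point_in_time_recovery"))


def evaluate(resources: Dict[str, Dict[str, Any]]) -> List[str]:
    """Names of aws_dynamodb_table resources that violate the rule; other types are skipped."""
    return [name for name, res in resources.items()
            if res.get("type") == "aws_dynamodb_table"
            and not pitr_enabled(res.get("config", {}))]


# Constructed sample input mirroring the shapes seen in this thread.
SAMPLE = {
    "table": {"type": "aws_dynamodb_table",  # HCL from the report, block parsed as a list
              "config": {"name": "table", "point_in_time_recovery": [{"enabled": True}]}},
    "dynamodb-table": {"type": "aws_dynamodb_table",  # plan-style shape, block as one object
                       "config": {"name": "uat_t_errors", "point_in_time_recovery": {"enabled": True}}},
    "no_pitr": {"type": "aws_dynamodb_table", "config": {"name": "no_pitr"}},
    "pitr_off": {"type": "aws_dynamodb_table",
                 "config": {"name": "pitr_off", "point_in_time_recovery": [{"enabled": False}]}},
    "bucket": {"type": "aws_s3_bucket", "config": {"bucket": "logs"}},  # not in scope of this rule
}

if __name__ == "__main__":
    print("violations:", evaluate(SAMPLE))  # → violations: ['no_pitr', 'pitr_off']
```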

4 participants