Issues with outline scenario and aws provider credentials

[mjseid]

Description :
I am testing the hardcoded credentials example shown here:
https://terraform-compliance.com/pages/Examples/aws_credentials.html and terraform compliance is skipping the provider saying "SKIPPING: Skipping the step since provider type does not have access_key property."

To Reproduce
1.

provider "aws" {
  region     = "us-west-2"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  alias  = "us-west-2"
}

2. terraform-compliance --no-ansi -f . -p tf.plan
3. python package 1.0.51

Feature: Credentials should not be within the code  # /Users/s0045379/develop/terraform-compliance-rules/credentials.feature
    In order to prevent any credentials leakage
    As engineers
    We'll enforce credentials will not be hardcoded

    Scenario Outline: AWS Credentials should not be hardcoded
        Given I have aws provider configured
        When it contains <key>
        Then its value must not match the "<regex>" regex

    Examples:
        | key        | regex                                                   |
	SKIPPING: Skipping the step since provider type does not have access_key property.
        | access_key | (?<![A-Z0-9])[A-Z0-9]{20}(?![A-Z0-9])                   |
	SKIPPING: Skipping the step since provider type does not have secret_key property.
        | secret_key | (?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=]) |

5. <Your feature/scenario/steps>

Scenario Outline: AWS Credentials should not be hardcoded
    Given I have aws provider configured
    When it contains <key>
    Then its value must not match the "<regex>" regex

    Examples:
        | key        | regex                                                      |
        | access_key | (?<![A-Z0-9])[A-Z0-9]{20}(?![A-Z0-9])                      |
        | secret_key | (?<![A-Za-z0-9\/+=])[A-Za-z0-9\/+=]{40}(?![A-Za-z0-9\/+=]) |

Expected behavior :
I expected to have the rule fail due to hardcoded access_key and secret_key being present which match the given regex

Tested versions :

• terraform-compliance v1.0.51 initiated
• Terraform v0.12.10, provider.aws v2.33.0
• Python 3.7.3

[mjseid]

{"format_version":"0.1","terraform_version":"0.12.10","variables":{"region":{"value":"us-east-1"}},"planned_values":{"root_module":{"resources":[{"address":"aws_db_instance.default","mode":"managed","type":"aws_db_instance","name":"default","provider_name":"aws","schema_version":0,"values":{"allocated_storage":20,"allow_major_version_upgrade":null,"auto_minor_version_upgrade":true,"copy_tags_to_snapshot":false,"deletion_protection":null,"domain":null,"domain_iam_role_name":null,"enabled_cloudwatch_logs_exports":null,"engine":"mysql","final_snapshot_identifier":null,"iam_database_authentication_enabled":null,"instance_class":"db.t2.micro","iops":null,"max_allocated_storage":null,"monitoring_interval":0,"name":"mydb","password":"foobarbaz","performance_insights_enabled":false,"publicly_accessible":false,"replicate_source_db":null,"s3_import":[],"security_group_names":null,"skip_final_snapshot":false,"snapshot_identifier":null,"storage_encrypted":null,"tags":null,"timeouts":null,"username":"foo"}},{"address":"aws_ebs_volume.test_volume","mode":"managed","type":"aws_ebs_volume","name":"test_volume","provider_name":"aws","schema_version":0,"values":{"availability_zone":"us-east-1a","size":40,"tags":null}},{"address":"aws_s3_bucket.test_bucket","mode":"managed","type":"aws_s3_bucket","name":"test_bucket","provider_name":"aws","schema_version":0,"values":{"acl":"private","bucket":"my-tf-test-bucket","bucket_prefix":null,"cors_rule":[],"force_destroy":false,"lifecycle_rule":[],"logging":[],"object_lock_configuration":[],"policy":null,"replication_configuration":[],"server_side_encryption_configuration":[],"tags":null,"website":[]}}]}},"resource_changes":[{"address":"aws_db_instance.default","mode":"managed","type":"aws_db_instance","name":"default","provider_name":"aws","change":{"actions":["create"],"before":null,"after":{"allocated_storage":20,"allow_major_version_upgrade":null,"auto_minor_version_upgrade":true,"copy_tags_to_snapshot":false,"deletion_protection":null,"domain":null,"domain_iam_role_name":null,"enabled_cloudwatch_logs_exports":null,"engine":"mysql","final_snapshot_identifier":null,"iam_database_authentication_enabled":null,"instance_class":"db.t2.micro","iops":null,"max_allocated_storage":null,"monitoring_interval":0,"name":"mydb","password":"foobarbaz","performance_insights_enabled":false,"publicly_accessible":false,"replicate_source_db":null,"s3_import":[],"security_group_names":null,"skip_final_snapshot":false,"snapshot_identifier":null,"storage_encrypted":null,"tags":null,"timeouts":null,"username":"foo"},"after_unknown":{"address":true,"apply_immediately":true,"arn":true,"availability_zone":true,"backup_retention_period":true,"backup_window":true,"ca_cert_identifier":true,"character_set_name":true,"db_subnet_group_name":true,"endpoint":true,"engine_version":true,"hosted_zone_id":true,"id":true,"identifier":true,"identifier_prefix":true,"kms_key_id":true,"license_model":true,"maintenance_window":true,"monitoring_role_arn":true,"multi_az":true,"option_group_name":true,"parameter_group_name":true,"performance_insights_kms_key_id":true,"performance_insights_retention_period":true,"port":true,"replicas":true,"resource_id":true,"s3_import":[],"status":true,"storage_type":true,"timezone":true,"vpc_security_group_ids":true}}},{"address":"aws_ebs_volume.test_volume","mode":"managed","type":"aws_ebs_volume","name":"test_volume","provider_name":"aws","change":{"actions":["create"],"before":null,"after":{"availability_zone":"us-east-1a","size":40,"tags":null},"after_unknown":{"arn":true,"encrypted":true,"id":true,"iops":true,"kms_key_id":true,"snapshot_id":true,"type":true}}},{"address":"aws_s3_bucket.test_bucket","mode":"managed","type":"aws_s3_bucket","name":"test_bucket","provider_name":"aws","change":{"actions":["create"],"before":null,"after":{"acl":"private","bucket":"my-tf-test-bucket","bucket_prefix":null,"cors_rule":[],"force_destroy":false,"lifecycle_rule":[],"logging":[],"object_lock_configuration":[],"policy":null,"replication_configuration":[],"server_side_encryption_configuration":[],"tags":null,"website":[]},"after_unknown":{"acceleration_status":true,"arn":true,"bucket_domain_name":true,"bucket_regional_domain_name":true,"cors_rule":[],"hosted_zone_id":true,"id":true,"lifecycle_rule":[],"logging":[],"object_lock_configuration":[],"region":true,"replication_configuration":[],"request_payer":true,"server_side_encryption_configuration":[],"versioning":true,"website":[],"website_domain":true,"website_endpoint":true}}}],"prior_state":{"format_version":"0.1","terraform_version":"0.12.10","values":{"root_module":{"resources":[{"address":"data.aws_caller_identity.current","mode":"data","type":"aws_caller_identity","name":"current","provider_name":"aws","schema_version":0,"values":{"account_id":"860696212293","arn":"arn:aws:sts::860696212293:assumed-role/AWSReservedSSO_AdministratorAccess_c069b7aa41bb611f/[email protected]","id":"2019-10-29 19:49:48.584447 +0000 UTC","user_id":"AROAI2EWLDMROVERCAZNE:[email protected]"}}]}}},"configuration":{"provider_config":{"aws":{"name":"aws","expressions":{"region":{"references":["var.region"]}}},"aws.us-west-2":{"name":"aws","alias":"us-west-2","expressions":{"access_key":{"constant_value":"AKIAIOSFODNN7EXAMPLE"},"region":{"constant_value":"us-west-2"},"secret_key":{"constant_value":"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}}}},"root_module":{"resources":[{"address":"aws_db_instance.default","mode":"managed","type":"aws_db_instance","name":"default","provider_config_key":"aws","expressions":{"allocated_storage":{"constant_value":20},"engine":{"constant_value":"mysql"},"instance_class":{"constant_value":"db.t2.micro"},"name":{"constant_value":"mydb"},"password":{"constant_value":"foobarbaz"},"username":{"constant_value":"foo"}},"schema_version":0},{"address":"aws_ebs_volume.test_volume","mode":"managed","type":"aws_ebs_volume","name":"test_volume","provider_config_key":"aws","expressions":{"availability_zone":{"constant_value":"us-east-1a"},"size":{"constant_value":40}},"schema_version":0},{"address":"aws_s3_bucket.test_bucket","mode":"managed","type":"aws_s3_bucket","name":"test_bucket","provider_config_key":"aws","expressions":{"acl":{"constant_value":"private"},"bucket":{"constant_value":"my-tf-test-bucket"}},"schema_version":0},{"address":"data.aws_caller_identity.current","mode":"data","type":"aws_caller_identity","name":"current","provider_config_key":"aws","schema_version":0}],"variables":{"region":{"description":"The AWS Region that this script will be run at."}}}}}

[eerkunt]

Could you please have a try with 1.0.53 version ?

[mjseid]

Looks like there is a certain scenario (the one I was using) it still fails. I am defining two providers, the first one didn't have an alias or keys defined since it was inheriting creds from shell variables. The second provider had an alias (since its required for providers after the first) and had keys set. In that scenario things are still broken, but if I either add keys to both providers or add alias to both providers it works as expected. Test TF and resulting plan json shown below

Works as expected

provider "aws" {
  region = "${var.region}"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}

provider "aws" {
  region = "us-west-2"
  alias  = "should-fail"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}

  "configuration": {
    "provider_config": {
      "aws": {
        "name": "aws",
        "expressions": {
          "access_key": {
            "constant_value": "AKIAIOSFODNN7EXAMPLE"
          },
          "region": {
            "references": [
              "var.region"
            ]
          },
          "secret_key": {
            "constant_value": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
          }
        }
      },
      "aws.should-fail": {
        "name": "aws",
        "alias": "should-fail",
        "expressions": {
          "access_key": {
            "constant_value": "AKIAIOSFODNN7EXAMPLE"
          },
          "region": {
            "constant_value": "us-west-2"
          },
          "secret_key": {
            "constant_value": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
          }
        }
      }
    },

Works as expected

provider "aws" {
  region = "${var.region}"
  alias  = "should-pass"
}

provider "aws" {
  region = "us-west-2"
  alias  = "should-fail"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}

  "configuration": {
    "provider_config": {
      "aws.should-fail": {
        "name": "aws",
        "alias": "should-fail",
        "expressions": {
          "access_key": {
            "constant_value": "AKIAIOSFODNN7EXAMPLE"
          },
          "region": {
            "constant_value": "us-west-2"
          },
          "secret_key": {
            "constant_value": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
          }
        }
      },
      "aws.should-pass": {
        "name": "aws",
        "alias": "should-pass",
        "expressions": {
          "region": {
            "references": [
              "var.region"
            ]
          }
        }
      }
    },

Does not work as expected: test skipped saying no providers have key/secret defined

provider "aws" {
  region = "${var.region}"
}

provider "aws" {
  region = "us-west-2"
  alias  = "should-fail"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}

  "configuration": {
    "provider_config": {
      "aws": {
        "name": "aws",
        "expressions": {
          "region": {
            "references": [
              "var.region"
            ]
          }
        }
      },
      "aws.should-fail": {
        "name": "aws",
        "alias": "should-fail",
        "expressions": {
          "access_key": {
            "constant_value": "AKIAIOSFODNN7EXAMPLE"
          },
          "region": {
            "constant_value": "us-west-2"
          },
          "secret_key": {
            "constant_value": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
          }
        }
      }
    },

[eerkunt]

One of my test case was this while I was debugging the problem. Let me check again.

[eerkunt]

Ah yes, found the problem. It looks like I tested everything except if there is an AWS provider (defined in the first place) that doesn't have any alias.

Now this is also fixed. Releasing 1.0.54 in few

[mjseid]

Worked like a charm.

Thanks for the quick turn around on this.