This repository has been archived by the owner on Sep 3, 2024. It is now read-only.
Running Regula against OPA 0.1x vs 0.2x #51
Comments
I've noticed the same thing with version .20 and .21 and the security group rules.

Thanks for reporting this! I've been able to reproduce this issue and it seems like there is a possible regression in OPA 0.20. I've created a bug upstream, but I'll also see if I can provide a workaround in regula so we can get this closed sooner.
Thank you for your quick response, Jasper. I am most certainly interested in finding a workaround for the security group rules if you can. I was able to create rules for other resources like EBS using the advanced rule document, something like this:
```rego
# Rules still must be located in the `rules` package.
package rules.ebs_volume_encrypted

# Advanced rules typically use functions from the `fugue` library.
import data.fugue

# We mark an advanced rule by setting `resource_type` to `MULTIPLE`.
resource_type = "MULTIPLE"

# `fugue.resources` is a function that allows querying for resources of a
# specific type.
ebs_volumes = fugue.resources("aws_ebs_volume")

# Auxiliary function.
is_encrypted(resource) {
  resource.encrypted == true
}

# Regula expects advanced rules to contain a `policy` rule that holds a set
# of _judgements_.
policy[p] {
  resource = ebs_volumes[_]
  is_encrypted(resource)
  p = fugue.allow_resource(resource)
} {
  resource = ebs_volumes[_]
  not is_encrypted(resource)
  p = fugue.deny_resource(resource)
}
```
> On Fri, Jun 26, 2020 at 3:00 PM Jasper Van der Jeugt <***@***.***> wrote:
>
> Thanks for reporting this! I've been able to reproduce this issue and it seems like there is a possible regression in OPA 0.20. I've created a bug upstream, but I'll also see if I can provide a workaround in regula so we can get this closed sooner.
Hi,

I was testing some rules against some Terraform code and noticed two different behaviors. I realized that the OPA version was different in my environments.

Simple rules like `rules.ebs_volume_encrypted` fail in OPA 0.20.0 and 0.21.0, and the same rules work fine in version 0.19.0.
```hcl
# New resource for the S3 bucket.
provider "aws" {
  region = "us-east-1"
}

resource "aws_s3_bucket" "bucket" {
  # NOTE: S3 bucket names must be unique across all AWS accounts.
  bucket = "sometest"
  acl    = "private"
  versioning {
    enabled = true
  }
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
  tags = {
    Name = "regulatest"
  }
}

resource "aws_ebs_volume" "example" {
  availability_zone = "us-west-2a"
  size              = 40
  encrypted         = true
  tags = {
    Name = "regulatest"
  }
}

# DB
resource "aws_db_instance" "default" {
  allocated_storage      = 5
  identifier             = "demodb-postgres"
  engine                 = "postgres"
  engine_version         = "9.6.9"
  instance_class         = "db.t2.large"
  name                   = "demodb"
  username               = "demouser"
  password               = "demotest1234"
  vpc_security_group_ids = ["sg-0b9e83bf4e0062cf5"]
  skip_final_snapshot    = true
  storage_encrypted      = true
  db_subnet_group_name   = "pc-0076debee908b9286-dbsubnetgroup"
  tags = {
    Name = "regulatest"
  }
}

output "aws_db_address" {
  value = "${aws_db_instance.default.address}"
}

# Security Rule
resource "aws_security_group_rule" "example" {
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = "sg-0461a30232b33c576"
}

resource "aws_security_group" "allow_tls" {
  name        = "allow_rdp"
  description = "Allow TLS inbound traffic"
  vpc_id      = "vpc-0732dd645e9e3167b"
  ingress {
    description = "TLS from VPC"
    from_port   = 3389
    to_port     = 3389
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]
  }
  tags = {
    Name = "allow_tls"
  }
}
```
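A Regula advanced rule for the security group resources in the Terraform above, written in the same style as the EBS rule quoted in the comments (an added example, not code from this issue or from Regula itself; the `world_cidrs` list, the helper names and the assumption that Regula exposes inline `ingress` blocks as a list are mine):

```rego
# Added example (not Regula's own rule). Rules must live in the `rules` package.
package rules.security_group_ingress_world_open
import data.fugue

resource_type = "MULTIPLE"

# Both standalone rule resources and inline `ingress` blocks are checked.
sg_rules = fugue.resources("aws_security_group_rule")
security_groups = fugue.resources("aws_security_group")

# CIDRs that mean "anyone on the internet" (assumed list).
world_cidrs = {"0.0.0.0/0", "::/0"}

# A standalone rule is open when it is ingress and any IPv4/IPv6 CIDR is world-open.
rule_is_open(r) {
  r.type == "ingress"
  world_cidrs[r.cidr_blocks[_]]
}
rule_is_open(r) {
  r.type == "ingress"
  world_cidrs[r.ipv6_cidr_blocks[_]]
}

# Inline `ingress` blocks: assumes Regula presents them as a list under `ingress`.
sg_is_open(sg) {
  world_cidrs[sg.ingress[_].cidr_blocks[_]]
}
sg_is_open(sg) {
  world_cidrs[sg.ingress[_].ipv6_cidr_blocks[_]]
}

# For the Terraform in this issue: the 443/tcp rule from 0.0.0.0/0 is denied,
# the `allow_tls` group (3389/tcp from 10.0.0.0/8 only) is allowed.
policy[p] {
  r = sg_rules[_]
  rule_is_open(r)
  p = fugue.deny_resource(r)
} {
  r = sg_rules[_]
  not rule_is_open(r)
  p = fugue.allow_resource(r)
} {
  sg = security_groups[_]
  sg_is_open(sg)
  p = fugue.deny_resource(sg)
} {
  sg = security_groups[_]
  not sg_is_open(sg)
  p = fugue.allow_resource(sg)
}
```

A resource without any `cidr_blocks` or `ipv6_cidr_blocks` leaves the `*_is_open` bodies undefined, so it falls through to the `not` branch and is allowed rather than crashing the evaluation.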