snyk · eliecharra · Feb 15, 2021 · Feb 15, 2021 · Feb 15, 2021
@@ -11,3 +11,10 @@
 - Terraform version >= 0.12 is supported
 - Terraform AWS provider version >= 3.x is supported
 
+## Terraform Resources
+
+### AWS
+
+- aws_security_group and aws_security_group_rule:
+
+For security group that has in-line egress or ingress rules, driftctl will output an alert message at the end of the scan to warn you that those rules are falsely unmanaged. The explanation is that we can't distinct, based only on the Terraform state, rules created in the console and rules created in-line in either egress or ingress blocks.
@@ -4,6 +4,8 @@ import (
 	"reflect"
 	"sort"
 
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+
 	"github.com/cloudskiff/driftctl/pkg/alerter"
 	"github.com/cloudskiff/driftctl/pkg/resource"
 	"github.com/r3labs/diff/v2"
@@ -77,6 +79,13 @@ func (a Analyzer) Analyze(remoteResources, resourcesFromState []resource.Resourc
 		}
 	}
 
+	if a.hasUnmanagedSecurityGroupRules(filteredRemoteResource) {
+		a.alerter.SendAlert("",
+			alerter.Alert{
+				Message: "You have unmanaged security group rules that could be false positives, find out more at https://github.com/cloudskiff/driftctl/blob/main/doc/LIMITATIONS.md#terraform-resources",
+			})
+	}
+
 	if haveComputedDiff {
 		a.alerter.SendAlert("",
 			alerter.Alert{
@@ -148,3 +157,14 @@ func (a Analyzer) hasNestedFields(t reflect.Type) bool {
 		return t.Kind() == reflect.Struct
 	}
 }
+
+// hasUnmanagedSecurityGroupRules returns true if we find at least one unmanaged
+// security group rule
+func (a Analyzer) hasUnmanagedSecurityGroupRules(unmanagedResources []resource.Resource) bool {
+	for _, res := range unmanagedResources {
+		if res.TerraformType() == resourceaws.AwsSecurityGroupRuleResourceType {
+			return true
+		}
+	}
+	return false
+}
@@ -15,6 +15,7 @@ import (
 
 	"github.com/cloudskiff/driftctl/pkg/alerter"
 	"github.com/cloudskiff/driftctl/pkg/resource"
+	"github.com/cloudskiff/driftctl/pkg/resource/aws"
 
 	"github.com/r3labs/diff/v2"
 
@@ -882,6 +883,47 @@ func TestAnalyze(t *testing.T) {
 			},
 			hasDrifted: true,
 		},
+		{
+			name: "Test alert on unmanaged security group rules",
+			iac: []resource.Resource{
+				&aws.AwsSecurityGroup{
+					Id: "managed security group",
+				},
+			},
+			cloud: []resource.Resource{
+				&aws.AwsSecurityGroup{
+					Id: "managed security group",
+				},
+				&aws.AwsSecurityGroupRule{
+					Id: "unmanaged rule",
+				},
+			},
+			expected: Analysis{
+				managed: []resource.Resource{
+					&aws.AwsSecurityGroup{
+						Id: "managed security group",
+					},
+				},
+				unmanaged: []resource.Resource{
+					&aws.AwsSecurityGroupRule{
+						Id: "unmanaged rule",
+					},
+				},
+				summary: Summary{
+					TotalResources: 2,
+					TotalManaged:   1,
+					TotalUnmanaged: 1,
+				},
+				alerts: alerter.Alerts{
+					"": {
+						{
+							Message: "You have unmanaged security group rules that could be false positives, find out more at https://github.com/cloudskiff/driftctl/blob/main/doc/LIMITATIONS.md#terraform-resources",
+						},
+					},
+				},
+			},
+			hasDrifted: true,
+		},
 	}
 
 	for _, c := range cases {