Terraform AWS Provider Support
Support and limitations for the Terraform AWS provider.
Version 4.0.0 of the AWS Terraform Provider introduced changes in how S3 services are defined. With v4.0 the definition of S3 services is now spread across several resource blocks within Terraform. If you defined an instance of a S3 bucket across multiple files this update is a breaking change and may have negatively impacted your security results from Snyk IaC.

Summary

From the Terraform documentation: To help distribute the management of S3 bucket settings via independent resources, various arguments and attributes in the aws_s3_bucket resource have become read-only. Configurations dependent on these arguments should be updated to use the corresponding aws_s3_bucket_* resource.
In order to migrate to Terraform v4.0.0 you will need to refactor and re-import your S3 service definitions. Depending on how you choose to do this, it may limit your coverage of security findings.
Please see the Terraform V4 upgrade guide from Hashicorp for more details

Example

Consider the following example of defining an S3 bucket with an ACL using Terraform v3.x.x in a file named s3.tf
s3.tf
1
resource "aws_s3_bucket" "example" {
2
# ... other configuration ...
3
acl = "public-read-write"
4
}
Copied!
The definition of the S3 bucket is in one resource block. If you scanned this file using snyk iac test s3.tf you would get a security finding for the permissive ACL settings.
With v4.0.0 of the provider, certain S3 bucket properties are now defined in their own resources. Continuing the example from above, the ACL property has moved to its own resource so the refactored Terraform would look as follows.
s3.tf
1
resource "aws_s3_bucket" "example" {
2
# ... other configuration ...
3
}
4
5
resource "aws_s3_bucket_acl" "example" {
6
bucket = aws_s3_bucket.example.id
7
acl = "public-read-write"
8
}
Copied!
If you scan this file with snyk iac test s3.tf you will get the same results as before for the permissive ACL settings.

Limitations

You may choose to structure your code differently, for example having the S3 bucket definition and its associated properties in separate Terraform files. e.g.
s3_bucket.tf
1
resource "aws_s3_bucket" "example" {
2
# ... other configuration ...
3
}
Copied!
s3_acl.tf
1
resource "aws_s3_bucket_acl" "example" {
2
bucket = aws_s3_bucket.example.id
3
acl = "public-read-write"
4
}
Copied!
If you scanned these files you will either not currently not receive a security issue, or may receive a false positive for the permissive ACL, this is because we cannot currently link the two resources together.
We are currently working on adding support for this additional use-case to the product.
An interim workaround is to define the resources in a single Terraform file.
Export as PDF
Copy link
Edit on GitHub