SupportAPI docsProduct updatesSign up for free
Search…
Snyk User Documentation
Introducing Snyk
Implementing Snyk in your teams
Getting started
Snyk Web UI
Snyk CLI
Snyk API
Snyk for IDEs
Snyk Apps
Snyk Integrations
SNYK PRODUCTS
Snyk Open Source
Snyk Code
Snyk Container
Snyk Infrastructure as Code
Getting started with Snyk Infrastructure as Code (IaC)
Using Snyk IaC via web
Scan Terraform files
Configure your integration to find security issues in your Terraform files
Scan and fix security issues in Terraform files
Terraform variables support
Terraform AWS Provider Support
Scan CloudFormation files
Scan Kubernetes configuration files
Scan ARM configuration files
Snyk Infrastructure as code for self-hosted git (with Broker)
Snyk CLI for Infrastructure as Code
Jira Integration
View Infrastructure as Code issue reports
Build your own custom rules
Detect drift and manually created resources
Share CLI results with the Snyk Web UI
Disable IaC Scans
USING SNYK
Snyk Broker
User and group management
Fixing and prioritizing issues
Reports
Snyk Tools
SNYK INFO
Disclosing vulnerabilities
How Snyk handles your data
Snyk Partner workshops
Powered By GitBook
Terraform AWS Provider Support
Support and limitations for the Terraform AWS provider.
Version 4.0.0 of the AWS Terraform Provider introduced changes in how S3 services are defined. With v4.0 the definition of S3 services is now spread across several resource blocks within Terraform. If you defined an instance of a S3 bucket across multiple files this update is a breaking change and may have negatively impacted your security results from Snyk IaC.

Summary

From the Terraform documentation: To help distribute the management of S3 bucket settings via independent resources, various arguments and attributes in the aws_s3_bucket resource have become read-only. Configurations dependent on these arguments should be updated to use the corresponding aws_s3_bucket_* resource.
In order to migrate to Terraform v4.0.0 you will need to refactor and re-import your S3 service definitions. Depending on how you choose to do this, it may limit your coverage of security findings.
Please see the Terraform V4 upgrade guide from Hashicorp for more details

Example

Consider the following example of defining an S3 bucket with an ACL using Terraform v3.x.x in a file named s3.tf
s3.tf
1
resource "aws_s3_bucket" "example" {
2
# ... other configuration ...
3
acl = "public-read-write"
4
}
Copied!
The definition of the S3 bucket is in one resource block. If you scanned this file using snyk iac test s3.tf you would get a security finding for the permissive ACL settings.
With v4.0.0 of the provider, certain S3 bucket properties are now defined in their own resources. Continuing the example from above, the ACL property has moved to its own resource so the refactored Terraform would look as follows.
s3.tf
1
resource "aws_s3_bucket" "example" {
2
# ... other configuration ...
3
}
4
​
5
resource "aws_s3_bucket_acl" "example" {
6
bucket = aws_s3_bucket.example.id
7
acl = "public-read-write"
8
}
Copied!
If you scan this file with snyk iac test s3.tf you will get the same results as before for the permissive ACL settings.

Limitations

You may choose to structure your code differently, for example having the S3 bucket definition and its associated properties in separate Terraform files. e.g.
s3_bucket.tf
1
resource "aws_s3_bucket" "example" {
2
# ... other configuration ...
3
}
Copied!
s3_acl.tf
1
resource "aws_s3_bucket_acl" "example" {
2
bucket = aws_s3_bucket.example.id
3
acl = "public-read-write"
4
}
Copied!
If you scanned these files you will either not currently not receive a security issue, or may receive a false positive for the permissive ACL, this is because we cannot currently link the two resources together.
We are currently working on adding support for this additional use-case to the product.
An interim workaround is to define the resources in a single Terraform file.
Previous
Terraform variables support
Next
Scan CloudFormation files
Last modified 8d ago
Export as PDF
Copy link
Edit on GitHub
Contents
Summary
Example
Limitations