Detect deletion of resources in terraform plan

[fisey]

Question

Hi there,

I'm currently trying to use trivy to check my terraform plan output for resources that are deleted. I already checked the documentation and created a policy in REGO that works with OPA and conftest but not with trivy.

# METADATA
# title: Deletion of resources
# description: AWS SQS will be deleted
# custom:
#   id: ID001
package user.terraform.ID001

# Deny deletion of AWS SQS queues
deny[msg] {
    resource := input.resource_changes[_]  # Directly iterate over resource changes
    resource.type == "aws_sqs_queue"
    resource.change.actions[_] == "delete"
    msg := sprintf("Deletion of AWS SQS queue '%s' is not allowed", [resource.address])
}

When I use this command to check, it runs all other checks, but I don't see my check in the output, although the plan shows the deletion of an AWS SQS queue.
trivy conf --policy /tmp/trivy.rego --namespaces user ./test/tfplan
It doesn't matter if I execute it against tfplan or tfplan.json because both are not working. I guess I'm missing something here.

Best
Fabian

Target

None

Scanner

None

Output Format

None

Mode

None

Operating System

Ubuntu 22.04

Version

Version: 0.50.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-04-12 06:11:04.117882312 +0000 UTC
  NextUpdate: 2024-04-12 12:11:04.117881932 +0000 UTC
  DownloadedAt: 2024-04-12 11:22:49.896792926 +0000 UTC
Policy Bundle:
  Digest: sha256:cdff1bc8c97e4f5cd04782b057c00f5ea8cd81147a506ac4be76bef13710f2d3
  DownloadedAt: 2024-04-12 11:07:06.160036667 +0000 UTC

[nikpivkin]

Hi @fisey !

We don't pass raw Terraform Plan JSON as Rego input, we convert it. You can learn how to write custom checks here .

[fisey]

@nikpivkin so if I understand it correctly then, trivy wouldn't be the right tool for my use case, right?

[nikpivkin]

That's right

[jcamu]

Is there any plan to do it ? Other tools using rego policies permit it

Using the parsed input of trivy would make these policies untestable with other Tools like OPA.
We lose the advantage of the rego language to be able to share it across multiple tools.
We would have to define specific rules, usable from trivy only .

Additionally, there's a lack of documentation on how to write custom checks for Terraform plans.

[simar7]

@jcamu at the moment there's no plan and I'm not sure if Trivy will be the right fit for this use case. Trivy has to parse and adapt a variety of formats into a common format that it can work against. Terraform is not special in anyway as compared to the other formats that Trivy supports today.