fix(query): passwords and secrets improvements to "Avoiding TF resource access" allow rules (#7905)

cx-andre-pereira · cx-eduardo-semanas · cx-artur-ribeiro · web-flow · commit 1c3915cbc3ce · 2025-12-31T17:26:31.000Z
* initial fix

* improved support for index referencing

---------

Co-authored-by: Eduardo Semanas &lt;107848101+cx-eduardo-semanas@users.noreply.github.com&gt;
Co-authored-by: Artur Ribeiro &lt;153724638+cx-artur-ribeiro@users.noreply.github.com&gt;
diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -7,15 +7,15 @@
       "allowRules": [
         {
           "description": "Avoiding TF resource access",
-          "regex": "(?i)['\"]?password['\"]?\\s*=\\s*(([a-zA-z_]+(.))?[a-zA-z_]+\\s*(.)\\s*[a-zA-z_]+(.)[a-zA-z_]+)?(\\s*:\\s*null|null)$"
+          "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?)\\s*([\\[\\.\\)\\]\\}\\$]|(:\\s*null))|null)"
         },
         {
           "description": "Avoiding description field",
           "regex": "(?i)['\"]?description['\"]?\\s*=\\s*['\"].*['\"]"
         },
         {
           "description": "Avoiding Terraform 'optional' statement",
-          "regex": "(?i)['\"]?password['\"]?\\s*=\\s*optional\\((string|number|sensitive\\(string\\)|map\\(string\\)|set\\(string\\)|any)\\)$"   
+          "regex": "(?i)['\"]?password['\"]?\\s*=\\s*optional\\((string|number|sensitive\\(string\\)|map\\(string\\)|set\\(string\\)|any)\\)$"
         },
         {
           "description": "Avoiding Terraform 'try' statement",
@@ -29,14 +29,6 @@
           "description": "Avoiding Ansible playbook update_password",
           "regex": "['\"]?update_password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,})['\"]?"
         },
-        {
-          "description": "Allow passwords retrieved from Terraform data sources",
-          "regex": "(?i)['\"]?password['\"]?\\s*=\\s*data\\.azurerm_key_vault_secret\\.[A-Za-z0-9_]+\\.value"
-        },
-        {
-          "description": "Allow passwords retrieved from AWS KMS Secrets",
-          "regex": "(?i)['\"]?password['\"]?\\s*=\\s*data\\.aws_kms_secrets\\.[A-Za-z0-9_]+\\.plaintext\\[\"[A-Za-z0-9_]+\"\\]"
-        },
         {
           "description": "Allow placeholders",
           "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"](\\$\\(|\\$?\\{\\{)\\s*\\w+\\s*(\\)|\\}\\})['\"]"
@@ -70,7 +62,7 @@
         },
         {
           "description": "Avoiding TF resource access",
-          "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*=\\s*([a-zA-z_]+(.))?[a-zA-z_]+(.)[a-zA-z_]+(.)[a-zA-z_]+"
+          "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?)\\s*([\\.\\)\\]\\$]|(:\\s*null))|null)"
         },
         {
           "description": "Avoiding Secrets Manager arn",
@@ -83,11 +75,11 @@
         {
           "description": "Avoiding Secrets from Azure Key Vault",
           "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?[${]+[A-Za-z0-9/~^_!@&%()=?*+-]+}?"
-        }, 
+        },
         {
           "description": "Allow secret retrieved from ARM parameters",
           "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*['\"]?\\[\\s*parameters\\(['\"][a-zA-Z][a-zA-Z0-9_-]*['\"]\\s*\\)\\s*\\]"
-        }, 
+        },
         {
           "description": "Allow secrets retrieved from Bicep getSecret built in function",
           "regex": "(?i)['\"]?secret[_]?(key|value)?['\"]?\\s*(:|=)\\s*[a-zA-Z]*\\.getSecret\\(\\s*[\"']([A-Za-z0-9/~^_!@#&%(){};=?*+-<>,:;[\\]%$]+)[\"']\\)"
diff --git a/assets/queries/common/passwords_and_secrets/test/negative59.tf b/assets/queries/common/passwords_and_secrets/test/negative59.tf
@@ -0,0 +1,32 @@
+resource "aws_secretsmanager_secret_version" "secret_version" {
+  for_each = { for k, v in var.clients.scram : k => v if var.enabled && var.client_sasl_scram_enabled }
+
+  secret_id     = aws_secretsmanager_secret.client_secret[each.key].id                                                                                              # use of indexes
+  secret_string = jsonencode({ "username" : join("_", [var.product, each.key, var.environment == "dev" ? var.environment : var.stack]), "password" : random_password.client_password[each.key].result })
+}
+
+resource "aws_secretsmanager_secret_version" "secret_version_2" {
+  for_each = { for k, v in var.clients.scram : k => v if var.enabled && var.client_sasl_scram_enabled }
+
+  secret_id     = aws_secretsmanager_secret.client_secret[each.key].id                                                                                              # use of indexes
+  secret_string = jsonencode({ "username" : join("_", [var.product, each.key, var.environment == "dev" ? var.environment : var.stack]), "password" : random_password[each.key].client_password.result })
+}
+
+resource "aws_secretsmanager_secret_version" "secret_version_3" {
+  for_each = { for k, v in var.clients.scram : k => v if var.enabled && var.client_sasl_scram_enabled }
+
+  secret_id     = aws_secretsmanager_secret.client_secret[each.key].id                                                                                              # use of indexes
+  secret_string = jsonencode({ "username" : join("_", [var.product, each.key, var.environment == "dev" ? var.environment : var.stack]), "password" : random_password["index"].client_password.result })
+}
+
+resource "aws_msk_scram_secret_association" "msk_secret_association" {
+  count           = var.enabled && var.client_sasl_scram_enabled ? 1 : 0
+  cluster_arn     = aws_msk_cluster.kafka[0].arn
+  secret_arn_list = [for secret in aws_secretsmanager_secret.client_secret : secret.arn] # short reference
+}
+
+resource "aws_msk_scram_secret_association" "msk_secret_association_2" {
+  count           = var.enabled && var.client_sasl_scram_enabled ? 1 : 0
+  cluster_arn     = aws_msk_cluster.kafka[0].arn
+  secret_arn_list = [for secret in aws_secretsmanager_secret.client_secret : null] # short reference
+}

Original file line number	Diff line number	Diff line change
`@@ -7,15 +7,15 @@`
`7`	`7`	`"allowRules": [`
`8`	`8`	`{`
`9`	`9`	`"description": "Avoiding TF resource access",`
`10`		`- "regex": "(?i)['\"]?password['\"]?\\s=\\s(([a-zA-z_]+(.))?[a-zA-z_]+\\s(.)\\s[a-zA-z_]+(.)[a-zA-z_]+)?(\\s:\\snull\|null)$"`
	`10`	`+ "regex": "(?i)['\"]?password['\"]?\\s[:=]\\s(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.\|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.\|\\d+)\\])?)\\s([\\[\\.\\)\\]\\}\\$]\|(:\\snull))\|null)"`
`11`	`11`	`},`
`12`	`12`	`{`
`13`	`13`	`"description": "Avoiding description field",`
`14`	`14`	`"regex": "(?i)['\"]?description['\"]?\\s=\\s['\"].*['\"]"`
`15`	`15`	`},`
`16`	`16`	`{`
`17`	`17`	`"description": "Avoiding Terraform 'optional' statement",`
`18`		`- "regex": "(?i)['\"]?password['\"]?\\s=\\soptional\\((string\|number\|sensitive\\(string\\)\|map\\(string\\)\|set\\(string\\)\|any)\\)$"`
	`18`	`+ "regex": "(?i)['\"]?password['\"]?\\s=\\soptional\\((string\|number\|sensitive\\(string\\)\|map\\(string\\)\|set\\(string\\)\|any)\\)$"`
`19`	`19`	`},`
`20`	`20`	`{`
`21`	`21`	`"description": "Avoiding Terraform 'try' statement",`
`@@ -29,14 +29,6 @@`
`29`	`29`	`"description": "Avoiding Ansible playbook update_password",`
`30`	`30`	`"regex": "['\"]?update_password['\"]?\\s[:=]\\s['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,})['\"]?"`
`31`	`31`	`},`
`32`		`- {`
`33`		`- "description": "Allow passwords retrieved from Terraform data sources",`
`34`		`- "regex": "(?i)['\"]?password['\"]?\\s=\\sdata\\.azurerm_key_vault_secret\\.[A-Za-z0-9_]+\\.value"`
`35`		`- },`
`36`		`- {`
`37`		`- "description": "Allow passwords retrieved from AWS KMS Secrets",`
`38`		`- "regex": "(?i)['\"]?password['\"]?\\s=\\sdata\\.aws_kms_secrets\\.[A-Za-z0-9_]+\\.plaintext\\[\"[A-Za-z0-9_]+\"\\]"`
`39`		`- },`
`40`	`32`	`{`
`41`	`33`	`"description": "Allow placeholders",`
`42`	`34`	`"regex": "(?i)['\"]?password['\"]?\\s[:=]\\s['\"](\\$\\(\|\\$?\\{\\{)\\s\\w+\\s(\\)\|\\}\\})['\"]"`
`@@ -70,7 +62,7 @@`
`70`	`62`	`},`
`71`	`63`	`{`
`72`	`64`	`"description": "Avoiding TF resource access",`
`73`		`- "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s=\\s([a-zA-z_]+(.))?[a-zA-z_]+(.)[a-zA-z_]+(.)[a-zA-z_]+"`
	`65`	`+ "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s[:=]\\s(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.\|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.\|\\d+)\\])?)\\s([\\.\\)\\]\\$]\|(:\\snull))\|null)"`
`74`	`66`	`},`
`75`	`67`	`{`
`76`	`68`	`"description": "Avoiding Secrets Manager arn",`
`@@ -83,11 +75,11 @@`
`83`	`75`	`{`
`84`	`76`	`"description": "Avoiding Secrets from Azure Key Vault",`
`85`	`77`	`"regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s(:\|=)\\s['\"]?[${]+[A-Za-z0-9/~^_!@&%()=?*+-]+}?"`
`86`		`- },`
	`78`	`+ },`
`87`	`79`	`{`
`88`	`80`	`"description": "Allow secret retrieved from ARM parameters",`
`89`	`81`	`"regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s[:=]\\s['\"]?\\[\\sparameters\\(['\"][a-zA-Z][a-zA-Z0-9_-]['\"]\\s\\)\\s\\]"`
`90`		`- },`
	`82`	`+ },`
`91`	`83`	`{`
`92`	`84`	`"description": "Allow secrets retrieved from Bicep getSecret built in function",`
`93`	`85`	`"regex": "(?i)['\"]?secret[_]?(key\|value)?['\"]?\\s(:\|=)\\s[a-zA-Z]\\.getSecret\\(\\s[\"']([A-Za-z0-9/~^_!@#&%(){};=?*+-<>,:;[\\]%$]+)[\"']\\)"`