This repository has been archived by the owner on Sep 3, 2024. It is now read-only.

[BUG] FG_R00041 causing false positive #401

Open
dkoder20 opened this issue Feb 23, 2023 · 1 comment

Comments

@dkoder20
Contributor

Describe the bug
FG_R00041 is working as expected if you are creating a new stack. But if you try updating an existing stack which has the resource aws_security_group, then it'll flag FG_R00041 as a false positive.

Some investigation on my end has revealed that for an existing stack where "address": "aws_security_group.alb", there are ingress definitions defined within the aws_security_group resource in the plan, despite the definitions being done by the aws_security_group_rule resource.

  • This is not being handled well by regula and is generating a false positive

How you're running Regula
Please include versions of all relevant tools. Some examples:

  • Regula v3.1.0
  • TF v0.13.4
  • AWS v4.55.0

Operating System
Mac

Steps to reproduce
Copy the following terraform configuration to re-create the error:

main.tf

variable "ingress_cidrs" {
  type = list(string)
  default = ["0.0.0.0/0"]
}

variable "vpc_id" {
  type = string
  # placeholder VPC id; the default must be a quoted string literal
  default = "vpc-12345678abcdefgh"
}

resource "aws_security_group" "alb" {
  vpc_id = var.vpc_id
}

resource "aws_security_group_rule" "http" {
  security_group_id = aws_security_group.alb.id
  type              = "ingress"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}

Then run:

terraform init
terraform plan -input=false -out=tfplan.txt
terraform show -json tfplan.txt > plan.json
regula run # you will notice there are no issues

# now apply these changes and create a stack
terraform apply -auto-approve

After the stack is created, again run

terraform plan -input=false -out=tfplan.txt
terraform show -json tfplan.txt > plan.json
regula run # you will notice FG_R00041 is raised against `plan.json`
@jbrule

jbrule commented May 12, 2023

Is it a "known after apply" value? You should see an after unknown section in the plan file for values that cannot be determined until after apply.
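A small triage script for the situation in the issue body and the "known after apply" question above, added here as an example and not part of the regula project: it reads a `terraform show -json` plan and, for each aws_security_group, reports whether an inline ingress entry is only known after apply or is duplicated by a standalone aws_security_group_rule attached to the same group id (the refreshed existing-stack case). The plan fragment is constructed, and matching rules to groups by their known id is an assumption that holds for an existing stack.

```python
import json

# Constructed plan.json fragment (not from the issue): an existing stack where Terraform has
# refreshed aws_security_group.alb, so the rule from aws_security_group_rule.http also appears inline.
PLAN_JSON = """{
  "resource_changes": [
    {"address": "aws_security_group.alb", "type": "aws_security_group",
     "change": {"actions": ["no-op"],
                "after": {"id": "sg-0123456789abcdef0",
                          "ingress": [{"from_port": 80, "to_port": 80, "protocol": "tcp",
                                       "cidr_blocks": ["0.0.0.0/0"]}]},
                "after_unknown": {}}},
    {"address": "aws_security_group_rule.http", "type": "aws_security_group_rule",
     "change": {"actions": ["no-op"],
                "after": {"security_group_id": "sg-0123456789abcdef0", "type": "ingress",
                          "from_port": 80, "to_port": 80, "protocol": "tcp",
                          "cidr_blocks": ["0.0.0.0/0"]},
                "after_unknown": {}}}
  ]
}"""
PLAN = json.loads(PLAN_JSON)

def _rule_key(r):
    # Port range, protocol and sorted CIDRs identify an ingress entry for comparison.
    return (r.get("from_port"), r.get("to_port"), r.get("protocol"),
            tuple(sorted(r.get("cidr_blocks") or [])))

def explain_inline_ingress(plan):
    """Return (address, entry, status) per inline ingress entry of each aws_security_group:
    'known-after-apply' if after_unknown marks the whole ingress list, 'duplicated-by-standalone-rule'
    if an ingress aws_security_group_rule on the same (known) group id matches it, else 'inline-only'."""
    changes = plan.get("resource_changes", [])
    standalone = {}
    for rc in changes:
        after = rc["change"].get("after") or {}
        if rc["type"] == "aws_security_group_rule" and after.get("type") == "ingress":
            standalone.setdefault(after.get("security_group_id"), set()).add(_rule_key(after))
    report = []
    for rc in changes:
        if rc["type"] != "aws_security_group":
            continue
        after = rc["change"].get("after") or {}
        unknown = rc["change"].get("after_unknown") or {}
        if unknown.get("ingress") is True:
            report.append((rc["address"], None, "known-after-apply"))
            continue
        for entry in after.get("ingress") or []:
            dup = _rule_key(entry) in standalone.get(after.get("id"), set())
            report.append((rc["address"], entry, "duplicated-by-standalone-rule" if dup else "inline-only"))
    return report
```

Run it against a real plan with `explain_inline_ingress(json.load(open("plan.json")))`; an entry reported as duplicated by a standalone rule is the refreshed-state ingress the issue describes, and one reported as known after apply is the case the reply asks about.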
