Managing false-positives caused by conditional configuration?

[acdha]

I have some resources which are configured using variables. This means that I get errors like aws-vpc-no-public-ingress-sgr reported on basically every such resource using tfsec v1.1.5.

It feels like this should either be an outright bug unless the variable resolves to something like 0.0.0.0/0 (or maybe using minimum CIDR mask?) or the wording should indicate that this is triggered for any traffic from the internet since the documentation currently says this is for /0.

It also looks like the value-specific ignore syntax for at least this rule does not work as described in the documentation using either a variable names or the value it would resolve to:

https://aquasecurity.github.io/tfsec/v1.1.5/getting-started/configuration/ignores/

[acdha]

I opened https://github.com/aquasecurity/tfsec/issues/1638 since this also happens with blocks which have only literal /32 CIDR ranges so it's not just related to variables.

[liamg]

The latest version will no longer flag occurrences like this when a variable cannot be resolved by tfsec.