Auto Remediation

Overview

The Auto Remediation feature in Prancer provides an easy way to fix policy issues in template files or cloud resources. To fix issues on cloud resources, Prancer connects directly to the cloud and updates the configuration, provided the connector has the required permissions. To fix issues in IaC template files, Prancer creates a new branch, commits the fixes to that branch, and opens a pull request against the source branch. To use Auto Remediation, click the blue circle in the Remediate column of any failed test case on the Infra Findings screen, or open the failed test case to see its details and then click Remediate. Note that some scenarios are not supported in Terraform and ARM template remediation, such as updating data source block values, dynamic block properties, nested block parameters, and module sources that point to GitHub/Git repositories.

  • The Remediation feature provides an easy way to fix policy issues in a template file or on cloud resources.

  • To fix an issue on a cloud resource, Prancer connects directly to the cloud and updates the configuration of that resource.

Note: The credentials defined in the connector must have the permissions required to update the cloud resource.

  • To fix an issue in an IaC template file, Prancer creates a new branch from the existing branch and commits the fixes to the new branch. It then creates a PR against the source branch.

How to do Auto Remediation

  • Go to the Infra Findings screen. Click the blue circle in the Remediate column of any failed test case, as shown below.

[Image: Remediate column on the Infra Findings screen (../img/remediation/remediation.png)]

  • You can also remediate by clicking the failed test case to open its details and then clicking Remediate, as shown below.

[Image: Remediate button on the test case detail view (../img/remediation/remediation_detail.png)]

Unsupported scenarios in Terraform remediations


  1. Data source block: finding issues in, and updating values within, a data source block does not work.

  2. Updating resource properties that are generated by a dynamic block.

  3. Module sources that point to a GitHub/Git repository are not supported for remediation.

  4. Multi-depth (nested) block updates are not stable and sometimes fail.
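As an added illustration (not part of Prancer's code or documentation), the following Python pre-check scans a Terraform file for the four constructs listed above so that findings on them can be routed to manual fixes before remediation is attempted. The regexes, the sample file, and the nesting threshold are assumptions of this example, and the brace counting is a line-level heuristic rather than an HCL parser.

```python
import re

# Added example, not Prancer code. Assumption: braces inside strings and "//" comments are not handled.
DATA_BLOCK = re.compile(r'^\s*data\s+"[^"]+"\s+"[^"]+"\s*\{')
DYNAMIC_BLOCK = re.compile(r'^\s*dynamic\s+"[^"]+"\s*\{')
MODULE_SOURCE = re.compile(r'^\s*source\s*=\s*"(?P<src>[^"]+)"')
GIT_SOURCE = re.compile(r'^(git::|git@)|github\.com')

def unsupported_constructs(hcl_text: str, max_depth: int = 2) -> list:
    """Return (line_number, reason) pairs for constructs Auto Remediation cannot update.
    A block opening inside `max_depth` or more enclosing blocks counts as multi-depth (assumed threshold)."""
    findings, depth, in_module = [], 0, False
    for lineno, line in enumerate(hcl_text.splitlines(), start=1):
        code = line.split("#", 1)[0]          # drop trailing '#' line comments
        if DATA_BLOCK.match(code):
            findings.append((lineno, "data source block: values cannot be updated"))
        elif DYNAMIC_BLOCK.match(code):
            findings.append((lineno, "dynamic block: generated properties cannot be updated"))
        elif code.lstrip().startswith("module "):
            in_module = True                  # remember that we are inside a module block
        src = MODULE_SOURCE.match(code)
        if in_module and src and GIT_SOURCE.search(src.group("src")):
            findings.append((lineno, "module sourced from a git/GitHub repository"))
        opens = code.count("{")
        if opens and depth >= max_depth:
            findings.append((lineno, f"block nested {depth} levels deep: multi-depth update is unstable"))
        depth += opens - code.count("}")      # track how many blocks enclose the next line
        if depth == 0:
            in_module = False
    return findings

# Constructed sample: one instance of each unsupported construct.
SAMPLE_TF = """\
data "aws_ami" "ubuntu" {
  most_recent = true
}
resource "aws_instance" "web" {
  instance_type = "t3.micro"
  dynamic "ebs_block_device" {
    for_each = var.disks
    content {
      volume_size = ebs_block_device.value
    }
  }
}
module "vpc" {
  source = "git::https://github.com/example/terraform-modules.git//vpc"
}
"""
```

Running `unsupported_constructs(SAMPLE_TF)` reports lines 1, 6, 8 and 14 of the sample; any finding on those lines should be fixed by hand rather than through Auto Remediation.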

Unsupported scenarios in ARM template remediations


  1. Updating a value inside a nested block of a parameter value is not supported.

  • During remediation, if a value in the parameter field needs to be updated, remediation can only replace the parameter's default value as a whole. If the default value is a nested block and only a particular nested field should be updated, that is not currently supported.