From 9043cc6ad3e673abdf6884d3bac3b5210f298abd Mon Sep 17 00:00:00 2001
From: rafaela-soares
Date: Wed, 22 Dec 2021 15:04:58 +0000
Subject: [PATCH] feat(bom): split encryption from accessibility

---
 assets/libraries/common.rego                          |  4 ++
 .../queries/terraform/aws_bom/ebs/query.rego          |  3 +-
 .../queries/terraform/aws_bom/efs/query.rego          |  7 +++-
 .../terraform/aws_bom/efs/test/positive2.tf           | 40 +++++++++++++++++++
 .../efs/test/positive_expected_result.json            |  6 +++
 .../terraform/aws_bom/elasticache/query.rego          |  1 +
 .../queries/terraform/aws_bom/mq/query.rego           |  1 +
 .../terraform/aws_bom/mq/test/positive2.tf            |  4 ++
 .../queries/terraform/aws_bom/msk/query.rego          |  3 +-
 .../terraform/aws_bom/s3_bucket/query.rego            |  1 +
 .../aws_bom/s3_bucket/test/positive8.tf               |  9 +++++
 .../queries/terraform/aws_bom/sns/query.rego          |  1 +
 .../terraform/aws_bom/sns/test/positive5.tf           |  2 +
 .../queries/terraform/aws_bom/sqs/query.rego          |  1 +
 .../terraform/aws_bom/sqs/test/positive5.tf           |  2 +
 test/queries_test.go                                  |  1 +
 16 files changed, 83 insertions(+), 3 deletions(-)
 create mode 100644 assets/queries/terraform/aws_bom/efs/test/positive2.tf

diff --git a/assets/libraries/common.rego b/assets/libraries/common.rego
index e9ff495e051..dc9493cc412 100644
--- a/assets/libraries/common.rego
+++ b/assets/libraries/common.rego
@@ -343,6 +343,10 @@ get_encryption_if_exists(resource) = encryption {
 } else = encryption {
 	valid_key(resource.encryption_info, "encryption_at_rest_kms_key_arn")
 	encryption := "encrypted"
+} else = encryption {
+	fields := {"sqs_managed_sse_enabled", "kms_master_key_id", "encryption_options", "server_side_encryption_configuration"}
+	valid_key(resource, fields[_])
+	encryption := "encrypted"
 } else = encryption {
 	encryption := "unencrypted"
 }
diff --git a/assets/queries/terraform/aws_bom/ebs/query.rego b/assets/queries/terraform/aws_bom/ebs/query.rego
index 0ccdcd3b9ca..79c53507f25 100644
--- a/assets/queries/terraform/aws_bom/ebs/query.rego
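Review bot: The added branch reports "encrypted" as soon as one of the four keys exists, but `sqs_managed_sse_enabled` is a boolean attribute that can be present as `sqs_managed_sse_enabled = false`; if `valid_key` (defined outside this hunk) only tests for the key's presence, as its name suggests, such a queue is inventoried as encrypted. Move that key out of the presence-only set and give it its own value check, e.g. a preceding branch `} else = encryption {` / `resource.sqs_managed_sse_enabled == true` / `encryption := "encrypted"`, keeping `fields` for the keys whose mere presence implies a configured encryption setting. A comment naming which resource type each key belongs to would also help, since the mapping is not visible here. The enclosing `get_encryption_if_exists` function starts before this hunk.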
+++ b/assets/queries/terraform/aws_bom/ebs/query.rego
@@ -8,7 +8,8 @@ CxPolicy[result] {
 	bom_output = {
 		"resource_type": "aws_ebs_volume",
 		"resource_name": common_lib.get_tag_name_if_exists(ebs_volume),
-		"resource_accessibility": common_lib.get_encryption_if_exists(ebs_volume),
+		"resource_accessibility": "unknown",
+		"resource_encryption": common_lib.get_encryption_if_exists(ebs_volume),
 		"resource_vendor": "AWS",
 		"resource_category": "Storage",
 	}
diff --git a/assets/queries/terraform/aws_bom/efs/query.rego b/assets/queries/terraform/aws_bom/efs/query.rego
index d5d5fbe569c..f9e0c95f194 100644
--- a/assets/queries/terraform/aws_bom/efs/query.rego
+++ b/assets/queries/terraform/aws_bom/efs/query.rego
@@ -1,16 +1,21 @@
 package Cx
 
 import data.generic.common as common_lib
+import data.generic.terraform as terra_lib
 
 CxPolicy[result] {
 	efs_file_system := input.document[i].resource.aws_efs_file_system[name]
 
+	info := terra_lib.get_accessibility(efs_file_system, name, "aws_efs_file_system_policy", "file_system_id")
+
 	bom_output = {
 		"resource_type": "aws_efs_file_system",
 		"resource_name": common_lib.get_tag_name_if_exists(efs_file_system),
-		"resource_accessibility": common_lib.get_encryption_if_exists(efs_file_system),
+		"resource_accessibility": info.accessibility,
+		"resource_encryption": common_lib.get_encryption_if_exists(efs_file_system),
 		"resource_vendor": "AWS",
 		"resource_category": "Storage",
+		"policy": info.policy,
 	}
 
 	result := {
diff --git a/assets/queries/terraform/aws_bom/efs/test/positive2.tf b/assets/queries/terraform/aws_bom/efs/test/positive2.tf
new file mode 100644
index 00000000000..df6afe20def
--- /dev/null
+++ b/assets/queries/terraform/aws_bom/efs/test/positive2.tf
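Review bot: `"resource_accessibility": "unknown"` is a bare literal with nothing explaining why this query, unlike the EFS query in the same commit, does not derive accessibility; a one-line comment would stop the next maintainer from trying to compute it, e.g. `# no resource policy is attachable to an aws_ebs_volume, so accessibility cannot be inferred from the volume block alone`. If common_lib already exposes a shared marker for the unknown case, referencing it instead of a string literal would keep the value consistent with the other BOM queries. The enclosing `CxPolicy` rule starts before and ends after this hunk.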
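Review bot: The new `"policy": info.policy` entry makes a `policy` key a hard requirement of the rule: in Rego an undefined reference leaves the whole `bom_output` object undefined, so if `terra_lib.get_accessibility` (defined outside this diff) returns no `policy` for a file system without an attached `aws_efs_file_system_policy`, that resource silently disappears from the BOM instead of being listed as it was before this change. Please confirm the helper always sets both `accessibility` and `policy`, or make the lookup total with `"policy": object.get(info, "policy", null),`. A comment on the `info := …` line stating what the helper matches (the policy resource whose `file_system_id` references `name`) would also make the four positional arguments readable. The `CxPolicy` body continues past the end of this hunk.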
@@ -0,0 +1,40 @@
+resource "aws_efs_file_system" "positive2" {
+  creation_token = "my-product"
+  encrypted = true
+
+  tags = {
+    Name = "MyProduct"
+  }
+}
+
+resource "aws_efs_file_system_policy" "policy" {
+  file_system_id = aws_efs_file_system.positive2.id
+
+  bypass_policy_lockout_safety_check = true
+
+  policy = <