Revert "update resource type to map[string]bool (#992)" (#1001)
This reverts commit 3e8d964.
Cesar Rodriguez authored Aug 20, 2021
1 parent 3e8d964 commit 81495a9
Showing 782 changed files with 5,908 additions and 7,905 deletions.
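--- a/pkg/filters/filter-specs.go
+++ b/pkg/filters/filter-specs.go
@@ -17,6 +17,8 @@
 package filters
 
 import (
+"strings"
+
 "github.com/accurics/terrascan/pkg/policy"
 "github.com/accurics/terrascan/pkg/utils"
 "go.uber.org/zap"
@@ -49,7 +51,14 @@ func (rs ResourceTypeFilterSpecification) IsSatisfied(r *policy.RegoMetadata) bo
 return true
 }
 
-return r.ResourceType[rs.resourceType]
+// temporary fix for kubernetes policies (https://github.com/accurics/terrascan/issues/946)
+// TODO: modification in policy metadata (resource type (string) => resource type (map<string,bool))
+// accordingly modify the filter specification
+if r.PolicyType == "k8s" && strings.Contains(strings.ToLower(rs.resourceType), "kubernetes") {
+return true
+}
+
+return rs.resourceType == r.ResourceType
 }
 
 // RerefenceIDFilterSpecification is reference ID based Filter Spec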
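Review bot: The restored k8s shortcut in `IsSatisfied` returns true without consulting `r.ResourceType`, so a filter for any type containing "kubernetes" selects every policy whose `PolicyType` is `"k8s"`. For a scanner that over-inclusion is the safer direction, but the comment should say so, or the filter will be read as precise; I would add `// NOTE: for k8s policies the requested type is not compared with r.ResourceType; any "kubernetes" type selects all k8s policies`. The branch lowercases `rs.resourceType` while the final `rs.resourceType == r.ResourceType` is case-sensitive, so if resource types are meant to match case-insensitively that line would be `return strings.EqualFold(rs.resourceType, r.ResourceType)`. The start of the function is outside the hunk, so whether `r` is nil-checked before `r.PolicyType` is read cannot be confirmed from here.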
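--- a/pkg/filters/filters_test.go
+++ b/pkg/filters/filters_test.go
@@ -264,17 +264,17 @@ func TestRegoDataFilter_Filter(t *testing.T) {
 testRegoDataMapWithResourceType := map[string]*policy.RegoData{
 "Rule.1": {
 Metadata: policy.RegoMetadata{
-ResourceType: map[string]bool{"kubernetes_pod": true},
+ResourceType: "kubernetes_pod",
 },
 },
 "Rule.2": {
 Metadata: policy.RegoMetadata{
-ResourceType: map[string]bool{"ec2_instance": true},
+ResourceType: "ec2_instance",
 },
 },
 "Rule.3": {
 Metadata: policy.RegoMetadata{
-ResourceType: map[string]bool{"kubernetes_pod": true},
+ResourceType: "kubernetes_pod",
 },
 },
 }
@@ -323,12 +323,12 @@ func TestRegoDataFilter_Filter(t *testing.T) {
 want: map[string]*policy.RegoData{
 "Rule.1": {
 Metadata: policy.RegoMetadata{
-ResourceType: map[string]bool{"kubernetes_pod": true},
+ResourceType: "kubernetes_pod",
 },
 },
 "Rule.3": {
 Metadata: policy.RegoMetadata{
-ResourceType: map[string]bool{"kubernetes_pod": true},
+ResourceType: "kubernetes_pod",
 },
 },
 },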
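Review bot: The fixtures shown set only `ResourceType` and leave `PolicyType` empty, so the visible cases exercise the exact-compare path and never the `r.PolicyType == "k8s"` branch that this revert brings back in filter-specs.go. A fixture such as `Metadata: policy.RegoMetadata{PolicyType: "k8s", ResourceType: "pod"},` (sample value), filtered with a `kubernetes_*` type, would pin the intended over-match and flag it when the temporary fix is removed. `TestRegoDataFilter_Filter` continues outside both hunks, so such a case may already exist in lines that are not shown.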
Expand Up @@ -2,9 +2,7 @@
"name": "amiNotEncrypted",
"file": "amiNotEncrypted.rego",
"policy_type": "aws",
"resource_type": {
"aws_ami": true
},
"resource_type": "aws_ami",
"template_args": null,
"severity": "MEDIUM",
"description": "Enable AWS AMI Encryption",
Expand Up @@ -2,9 +2,7 @@
"name": "amiSharedToMultipleAccounts",
"file": "amiSharedToMultipleAccounts.rego",
"policy_type": "aws",
"resource_type": {
"aws_ami_launch_permission": true
},
"resource_type": "aws_ami_launch_permission",
"template_args": {
"prefix": ""
},
Expand Up @@ -2,16 +2,14 @@
"name": "apiGatewayAuthorizationDisabled",
"file": "apiGatewayAuthorizationDisabled.rego",
"policy_type": "aws",
"resource_type": {
"aws_api_gateway_method": true
},
"resource_type": "aws_api_gateway_method",
"template_args": {
"prefix": ""
},
"severity": "LOW",
"description": "Ensure there is no open access to back-end resources through API",
"reference_id": "AWS.APGM.IS.LOW.0056",
"category": "Infrastructure Security",
"version": 1,
"id": "AC_AWS_0439"
"id": "AC_AWS_0439",
"version": 1
}
Expand Up @@ -2,9 +2,7 @@
"name": "apiGatewaySettingMetrics",
"file": "apiGatewaySettingMetrics.rego",
"policy_type": "aws",
"resource_type": {
"aws_api_gateway_method_settings": true
},
"resource_type": "aws_api_gateway_method_settings",
"template_args": null,
"severity": "MEDIUM",
"description": "Enable Detailed CloudWatch Metrics for APIs",
Expand Up @@ -2,9 +2,7 @@
"name": "apiGatewayContentEncoding",
"file": "apiGatewayContentEncoding.rego",
"policy_type": "aws",
"resource_type": {
"aws_api_gateway_rest_api": true
},
"resource_type": "aws_api_gateway_rest_api",
"template_args": null,
"severity": "MEDIUM",
"description": "Enable Content Encoding",
Expand Up @@ -2,9 +2,7 @@
"name": "apiGatewayEndpointConfig",
"file": "apiGatewayEndpointConfig.rego",
"policy_type": "aws",
"resource_type": {
"aws_api_gateway_rest_api": true
},
"resource_type": "aws_api_gateway_rest_api",
"template_args": null,
"severity": "MEDIUM",
"description": "API Gateway Private Endpoints",
Expand Up @@ -2,16 +2,14 @@
"name": "apiGatewayRestApiPolicyNotSecure",
"file": "apiGatewayRestApiPolicyNotSecure.rego",
"policy_type": "aws",
"resource_type": {
"aws_api_gateway_rest_api_policy": true
},
"resource_type": "aws_api_gateway_rest_api_policy",
"template_args": {
"prefix": ""
},
"severity": "HIGH",
"description": "Ensure use of API Gateway endpoint policy, and no action wildcards are being used.",
"reference_id": "AWS.APGRAP.IAM.HIGH.0064",
"category": "Identity and Access Management",
"version": 1,
"id": "AC_AWS_0440"
"id": "AC_AWS_0440",
"version": 1
}
Expand Up @@ -2,10 +2,7 @@
"name": "apiGatewayName",
"file": "apiGatewayName.rego",
"policy_type": "aws",
"resource_type": {
"aws_api_gateway_stage": true,
"aws_cloudwatch_log_group": true
},
"resource_type": "aws_api_gateway_stage",
"template_args": null,
"severity": "MEDIUM",
"description": "Enable AWS CloudWatch Logs for APIs",
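Review bot: The reverted `"resource_type": "aws_api_gateway_stage"` drops the `aws_cloudwatch_log_group` entry this policy carried, and the cloudFormationTerminationProtection metadata further down loses `aws_cloudformation_stack_set_instance` in the same way. Because `IsSatisfied` in pkg/filters/filter-specs.go now compares this field with an exact string match, a scan filtered to one of the dropped types would presumably no longer select these policies, and nothing reports the gap. A single string cannot hold both types, so I would name these two policies in the TODO next to the temporary fix, so the second type is restored when the map form returns.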
Expand Up @@ -2,9 +2,7 @@
"name": "apiGatewayTracing",
"file": "apiGatewayTracing.rego",
"policy_type": "aws",
"resource_type": {
"aws_api_gateway_stage": true
},
"resource_type": "aws_api_gateway_stage",
"template_args": null,
"severity": "LOW",
"description": "Ensure AWS API Gateway has active xray tracing enabled",
Expand Up @@ -2,9 +2,7 @@
"name": "apiGatewayLogging",
"file": "apiGatewayLogging.rego",
"policy_type": "aws",
"resource_type": {
"aws_api_gateway_stage": true
},
"resource_type": "aws_api_gateway_stage",
"template_args": {
"prefix": ""
},
Expand Up @@ -2,9 +2,7 @@
"name": "apiGatewaySslCertificate",
"file": "apiGatewaySslCertificate.rego",
"policy_type": "aws",
"resource_type": {
"aws_api_gateway_stage": true
},
"resource_type": "aws_api_gateway_stage",
"template_args": null,
"severity": "MEDIUM",
"description": "Enable SSL Client Certificate",
Expand Up @@ -2,14 +2,12 @@
"name": "apiGatewayMiconfiguredCors",
"file": "apiGatewayMiconfiguredCors.rego",
"policy_type": "aws",
"resource_type": {
"aws_apigatewayv2_api": true
},
"resource_type": "aws_apigatewayv2_api",
"template_args": null,
"severity": "Medium",
"description": "Insecure Cross-Origin Resource Sharing Configuration allowing all domains",
"reference_id": "AWS.ApiGatewayV2Api.AccessControl.0630",
"category": "Security Best Practices",
"version": 2,
"id": "AC_AWS_0441"
"id": "AC_AWS_0441",
"version": 2
}
Expand Up @@ -2,14 +2,12 @@
"name": "apiGatewayNoAccessLogs",
"file": "apiGatewayNoAccessLogs.rego",
"policy_type": "aws",
"resource_type": {
"aws_apigatewayv2_stage": true
},
"resource_type": "aws_apigatewayv2_stage",
"template_args": null,
"severity": "Low",
"description": "AWS API Gateway V2 Stage is missing access logs",
"reference_id": "AWS.ApiGatewayV2Stage.Logging.0630",
"category": "Logging and Monitoring",
"version": 2,
"id": "AC_AWS_0442"
"id": "AC_AWS_0442",
"version": 2
}
Expand Up @@ -2,16 +2,14 @@
"name": "athenaDatabaseEncrypted",
"file": "athenaDatabaseEncrypted.rego",
"policy_type": "aws",
"resource_type": {
"aws_athena_database": true
},
"resource_type": "aws_athena_database",
"template_args": {
"prefix": ""
},
"severity": "MEDIUM",
"description": "Ensure Athena Database is encrypted at rest",
"reference_id": "AWS.ADB.DP.MEDIUM.016",
"category": "Data Protection",
"version": 2,
"id": "AC_AWS_0443"
"id": "AC_AWS_0443",
"version": 2
}
Expand Up @@ -2,9 +2,7 @@
"name": "awsCloudFormationInUse",
"file": "cloudFormationNullCheck.rego",
"policy_type": "aws",
"resource_type": {
"aws_cloudformation_stack": true
},
"resource_type": "aws_cloudformation_stack",
"template_args": {
"name": "awsCloudFormationInUse",
"property": "template_url"
Expand All @@ -13,6 +11,6 @@
"description": "AWS CloudFormation Not In Use",
"reference_id": "AWS.CloudFormation.Medium.0599",
"category": "Security Best Practices",
"version": 1,
"id": "AC_AWS_0444"
"id": "AC_AWS_0444",
"version": 1
}
Expand Up @@ -2,9 +2,7 @@
"name": "cloudFormationStackNotifs",
"file": "cloudFormationNullCheck.rego",
"policy_type": "aws",
"resource_type": {
"aws_cloudformation_stack": true
},
"resource_type": "aws_cloudformation_stack",
"template_args": {
"name": "cloudFormationStackNotifs",
"property": "notification_arns"
Expand Up @@ -2,9 +2,7 @@
"name": "cloudFormationStackPolicy",
"file": "cloudFormationNullCheck.rego",
"policy_type": "aws",
"resource_type": {
"aws_cloudformation_stack": true
},
"resource_type": "aws_cloudformation_stack",
"template_args": {
"name": "cloudFormationStackPolicy",
"property": "policy_url"
Expand All @@ -13,6 +11,6 @@
"description": "AWS CloudFormation Stack Policy",
"reference_id": "AWS.CloudFormation.Medium.0604",
"category": "Security Best Practices",
"version": 1,
"id": "AC_AWS_0445"
"id": "AC_AWS_0445",
"version": 1
}
Expand Up @@ -2,10 +2,7 @@
"name": "cloudFormationTerminationProtection",
"file": "cloudFormationTerminationProtection.rego",
"policy_type": "aws",
"resource_type": {
"aws_cloudformation_stack": true,
"aws_cloudformation_stack_set_instance": true
},
"resource_type": "aws_cloudformation_stack",
"template_args": null,
"severity": "MEDIUM",
"description": "Enable AWS CloudFormation Stack Termination Protection",
Expand Up @@ -2,9 +2,7 @@
"name": "cloudfrontNoGeoRestriction",
"file": "cloudfrontNoGeoRestriction.rego",
"policy_type": "aws",
"resource_type": {
"aws_cloudfront_distribution": true
},
"resource_type": "aws_cloudfront_distribution",
"template_args": {
"prefix": ""
},
Expand Up @@ -2,9 +2,7 @@
"name": "noWafEnabled",
"file": "noWafEnabled.rego",
"policy_type": "aws",
"resource_type": {
"aws_cloudfront_distribution": true
},
"resource_type": "aws_cloudfront_distribution",
"template_args": null,
"severity": "Medium",
"description": "Ensure that cloud-front has web application firewall enabled",
Expand Up @@ -2,9 +2,7 @@
"name": "cloudfrontNoHTTPSTraffic",
"file": "cloudfrontNoHTTPSTraffic.rego",
"policy_type": "aws",
"resource_type": {
"aws_cloudfront_distribution": true
},
"resource_type": "aws_cloudfront_distribution",
"template_args": {
"prefix": ""
},
Expand Up @@ -2,9 +2,7 @@
"name": "cloudfrontNoSecureCiphers",
"file": "cloudfrontNoSecureCiphers.rego",
"policy_type": "aws",
"resource_type": {
"aws_cloudfront_distribution": true
},
"resource_type": "aws_cloudfront_distribution",
"template_args": {
"prefix": ""
},
Expand Up @@ -2,9 +2,7 @@
"name": "cloudfrontNoLogging",
"file": "cloudfrontNoLogging.rego",
"policy_type": "aws",
"resource_type": {
"aws_cloudfront_distribution": true
},
"resource_type": "aws_cloudfront_distribution",
"template_args": {
"prefix": ""
},