Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

update resource type to map[string]bool #992

Merged
merged 2 commits into from
Aug 20, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
The table of contents is too big for display.
Diff view
Diff view
  •  
  •  
  •  
11 changes: 1 addition & 10 deletions pkg/filters/filter-specs.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,8 +17,6 @@
package filters

import (
"strings"

"github.com/accurics/terrascan/pkg/policy"
"github.com/accurics/terrascan/pkg/utils"
"go.uber.org/zap"
Expand Down Expand Up @@ -51,14 +49,7 @@ func (rs ResourceTypeFilterSpecification) IsSatisfied(r *policy.RegoMetadata) bo
return true
}

// temporary fix for kubernetes policies (https://github.com/accurics/terrascan/issues/946)
// TODO: modification in policy metadata (resource type (string) => resource type (map<string,bool))
// accordingly modify the filter specification
if r.PolicyType == "k8s" && strings.Contains(strings.ToLower(rs.resourceType), "kubernetes") {
return true
}

return rs.resourceType == r.ResourceType
return r.ResourceType[rs.resourceType]
}

// RerefenceIDFilterSpecification is reference ID based Filter Spec
Expand Down
10 changes: 5 additions & 5 deletions pkg/filters/filters_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -264,17 +264,17 @@ func TestRegoDataFilter_Filter(t *testing.T) {
testRegoDataMapWithResourceType := map[string]*policy.RegoData{
"Rule.1": {
Metadata: policy.RegoMetadata{
ResourceType: "kubernetes_pod",
ResourceType: map[string]bool{"kubernetes_pod": true},
},
},
"Rule.2": {
Metadata: policy.RegoMetadata{
ResourceType: "ec2_instance",
ResourceType: map[string]bool{"ec2_instance": true},
},
},
"Rule.3": {
Metadata: policy.RegoMetadata{
ResourceType: "kubernetes_pod",
ResourceType: map[string]bool{"kubernetes_pod": true},
},
},
}
Expand Down Expand Up @@ -323,12 +323,12 @@ func TestRegoDataFilter_Filter(t *testing.T) {
want: map[string]*policy.RegoData{
"Rule.1": {
Metadata: policy.RegoMetadata{
ResourceType: "kubernetes_pod",
ResourceType: map[string]bool{"kubernetes_pod": true},
},
},
"Rule.3": {
Metadata: policy.RegoMetadata{
ResourceType: "kubernetes_pod",
ResourceType: map[string]bool{"kubernetes_pod": true},
},
},
},
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@
"name": "amiNotEncrypted",
"file": "amiNotEncrypted.rego",
"policy_type": "aws",
"resource_type": "aws_ami",
"resource_type": {
"aws_ami": true
},
"template_args": null,
"severity": "MEDIUM",
"description": "Enable AWS AMI Encryption",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@
"name": "amiSharedToMultipleAccounts",
"file": "amiSharedToMultipleAccounts.rego",
"policy_type": "aws",
"resource_type": "aws_ami_launch_permission",
"resource_type": {
"aws_ami_launch_permission": true
},
"template_args": {
"prefix": ""
},
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,14 +2,16 @@
"name": "apiGatewayAuthorizationDisabled",
"file": "apiGatewayAuthorizationDisabled.rego",
"policy_type": "aws",
"resource_type": "aws_api_gateway_method",
"resource_type": {
"aws_api_gateway_method": true
},
"template_args": {
"prefix": ""
},
"severity": "LOW",
"description": "Ensure there is no open access to back-end resources through API",
"reference_id": "AWS.APGM.IS.LOW.0056",
"category": "Infrastructure Security",
"id": "AC_AWS_0439",
"version": 1
"version": 1,
"id": "AC_AWS_0439"
}
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@
"name": "apiGatewaySettingMetrics",
"file": "apiGatewaySettingMetrics.rego",
"policy_type": "aws",
"resource_type": "aws_api_gateway_method_settings",
"resource_type": {
"aws_api_gateway_method_settings": true
},
"template_args": null,
"severity": "MEDIUM",
"description": "Enable Detailed CloudWatch Metrics for APIs",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@
"name": "apiGatewayContentEncoding",
"file": "apiGatewayContentEncoding.rego",
"policy_type": "aws",
"resource_type": "aws_api_gateway_rest_api",
"resource_type": {
"aws_api_gateway_rest_api": true
},
"template_args": null,
"severity": "MEDIUM",
"description": "Enable Content Encoding",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@
"name": "apiGatewayEndpointConfig",
"file": "apiGatewayEndpointConfig.rego",
"policy_type": "aws",
"resource_type": "aws_api_gateway_rest_api",
"resource_type": {
"aws_api_gateway_rest_api": true
},
"template_args": null,
"severity": "MEDIUM",
"description": "API Gateway Private Endpoints",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,14 +2,16 @@
"name": "apiGatewayRestApiPolicyNotSecure",
"file": "apiGatewayRestApiPolicyNotSecure.rego",
"policy_type": "aws",
"resource_type": "aws_api_gateway_rest_api_policy",
"resource_type": {
"aws_api_gateway_rest_api_policy": true
},
"template_args": {
"prefix": ""
},
"severity": "HIGH",
"description": "Ensure use of API Gateway endpoint policy, and no action wildcards are being used.",
"reference_id": "AWS.APGRAP.IAM.HIGH.0064",
"category": "Identity and Access Management",
"id": "AC_AWS_0440",
"version": 1
"version": 1,
"id": "AC_AWS_0440"
}
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,10 @@
"name": "apiGatewayName",
"file": "apiGatewayName.rego",
"policy_type": "aws",
"resource_type": "aws_api_gateway_stage",
"resource_type": {
"aws_api_gateway_stage": true,
"aws_cloudwatch_log_group": true
},
"template_args": null,
"severity": "MEDIUM",
"description": "Enable AWS CloudWatch Logs for APIs",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@
"name": "apiGatewayTracing",
"file": "apiGatewayTracing.rego",
"policy_type": "aws",
"resource_type": "aws_api_gateway_stage",
"resource_type": {
"aws_api_gateway_stage": true
},
"template_args": null,
"severity": "LOW",
"description": "Ensure AWS API Gateway has active xray tracing enabled",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@
"name": "apiGatewayLogging",
"file": "apiGatewayLogging.rego",
"policy_type": "aws",
"resource_type": "aws_api_gateway_stage",
"resource_type": {
"aws_api_gateway_stage": true
},
"template_args": {
"prefix": ""
},
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@
"name": "apiGatewaySslCertificate",
"file": "apiGatewaySslCertificate.rego",
"policy_type": "aws",
"resource_type": "aws_api_gateway_stage",
"resource_type": {
"aws_api_gateway_stage": true
},
"template_args": null,
"severity": "MEDIUM",
"description": "Enable SSL Client Certificate",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,12 +2,14 @@
"name": "apiGatewayMiconfiguredCors",
"file": "apiGatewayMiconfiguredCors.rego",
"policy_type": "aws",
"resource_type": "aws_apigatewayv2_api",
"resource_type": {
"aws_apigatewayv2_api": true
},
"template_args": null,
"severity": "Medium",
"description": "Insecure Cross-Origin Resource Sharing Configuration allowing all domains",
"reference_id": "AWS.ApiGatewayV2Api.AccessControl.0630",
"category": "Security Best Practices",
"id": "AC_AWS_0441",
"version": 2
"version": 2,
"id": "AC_AWS_0441"
}
Original file line number Diff line number Diff line change
Expand Up @@ -2,12 +2,14 @@
"name": "apiGatewayNoAccessLogs",
"file": "apiGatewayNoAccessLogs.rego",
"policy_type": "aws",
"resource_type": "aws_apigatewayv2_stage",
"resource_type": {
"aws_apigatewayv2_stage": true
},
"template_args": null,
"severity": "Low",
"description": "AWS API Gateway V2 Stage is missing access logs",
"reference_id": "AWS.ApiGatewayV2Stage.Logging.0630",
"category": "Logging and Monitoring",
"id": "AC_AWS_0442",
"version": 2
"version": 2,
"id": "AC_AWS_0442"
}
Original file line number Diff line number Diff line change
Expand Up @@ -2,14 +2,16 @@
"name": "athenaDatabaseEncrypted",
"file": "athenaDatabaseEncrypted.rego",
"policy_type": "aws",
"resource_type": "aws_athena_database",
"resource_type": {
"aws_athena_database": true
},
"template_args": {
"prefix": ""
},
"severity": "MEDIUM",
"description": "Ensure Athena Database is encrypted at rest",
"reference_id": "AWS.ADB.DP.MEDIUM.016",
"category": "Data Protection",
"id": "AC_AWS_0443",
"version": 2
"version": 2,
"id": "AC_AWS_0443"
}
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@
"name": "awsCloudFormationInUse",
"file": "cloudFormationNullCheck.rego",
"policy_type": "aws",
"resource_type": "aws_cloudformation_stack",
"resource_type": {
"aws_cloudformation_stack": true
},
"template_args": {
"name": "awsCloudFormationInUse",
"property": "template_url"
Expand All @@ -11,6 +13,6 @@
"description": "AWS CloudFormation Not In Use",
"reference_id": "AWS.CloudFormation.Medium.0599",
"category": "Security Best Practices",
"id": "AC_AWS_0444",
"version": 1
"version": 1,
"id": "AC_AWS_0444"
}
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@
"name": "cloudFormationStackNotifs",
"file": "cloudFormationNullCheck.rego",
"policy_type": "aws",
"resource_type": "aws_cloudformation_stack",
"resource_type": {
"aws_cloudformation_stack": true
},
"template_args": {
"name": "cloudFormationStackNotifs",
"property": "notification_arns"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@
"name": "cloudFormationStackPolicy",
"file": "cloudFormationNullCheck.rego",
"policy_type": "aws",
"resource_type": "aws_cloudformation_stack",
"resource_type": {
"aws_cloudformation_stack": true
},
"template_args": {
"name": "cloudFormationStackPolicy",
"property": "policy_url"
Expand All @@ -11,6 +13,6 @@
"description": "AWS CloudFormation Stack Policy",
"reference_id": "AWS.CloudFormation.Medium.0604",
"category": "Security Best Practices",
"id": "AC_AWS_0445",
"version": 1
"version": 1,
"id": "AC_AWS_0445"
}
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,10 @@
"name": "cloudFormationTerminationProtection",
"file": "cloudFormationTerminationProtection.rego",
"policy_type": "aws",
"resource_type": "aws_cloudformation_stack",
"resource_type": {
"aws_cloudformation_stack": true,
"aws_cloudformation_stack_set_instance": true
},
"template_args": null,
"severity": "MEDIUM",
"description": "Enable AWS CloudFormation Stack Termination Protection",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@
"name": "cloudfrontNoGeoRestriction",
"file": "cloudfrontNoGeoRestriction.rego",
"policy_type": "aws",
"resource_type": "aws_cloudfront_distribution",
"resource_type": {
"aws_cloudfront_distribution": true
},
"template_args": {
"prefix": ""
},
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@
"name": "noWafEnabled",
"file": "noWafEnabled.rego",
"policy_type": "aws",
"resource_type": "aws_cloudfront_distribution",
"resource_type": {
"aws_cloudfront_distribution": true
},
"template_args": null,
"severity": "Medium",
"description": "Ensure that cloud-front has web application firewall enabled",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@
"name": "cloudfrontNoHTTPSTraffic",
"file": "cloudfrontNoHTTPSTraffic.rego",
"policy_type": "aws",
"resource_type": "aws_cloudfront_distribution",
"resource_type": {
"aws_cloudfront_distribution": true
},
"template_args": {
"prefix": ""
},
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@
"name": "cloudfrontNoSecureCiphers",
"file": "cloudfrontNoSecureCiphers.rego",
"policy_type": "aws",
"resource_type": "aws_cloudfront_distribution",
"resource_type": {
"aws_cloudfront_distribution": true
},
"template_args": {
"prefix": ""
},
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@
"name": "cloudfrontNoLogging",
"file": "cloudfrontNoLogging.rego",
"policy_type": "aws",
"resource_type": "aws_cloudfront_distribution",
"resource_type": {
"aws_cloudfront_distribution": true
},
"template_args": {
"prefix": ""
},
Expand Down
Loading