aquasecurity · simar7 · Aug 27, 2024 · Aug 27, 2024 · Aug 27, 2024
@@ -1,8 +1,9 @@
 
 Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 
+
 ### Impact
-Your port is exposed to the internet
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,10 +1,10 @@
 
 Plain HTTP is unencrypted and human-readable. This means that if a malicious actor was to eavesdrop on your connection, they would be able to see all of your data flowing back and forth.
-
 You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning eavesdroppers cannot read your traffic.
 
+
 ### Impact
-Your inbound traffic is not protected
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
 Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.
 
+
 ### Impact
-The port is exposed for ingress from the internet
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
 When working with a server, you’ll likely spend most of your time in a terminal session connected to your server through SSH. A more secure alternative to password-based logins, SSH keys use encryption to provide a secure way of logging into your server and are recommended for all users.
 
+
 ### Impact
-Logging in with username and password is easier to compromise
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
 While upgrading your cluster, workloads will temporarily be moved to new nodes. A small cost will follow, but as a bonus, you won't experience downtime.
 
+
 ### Impact
-Upgrades may influence availability of your Kubernetes cluster
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -2,7 +2,7 @@
 
 
 ### Impact
-Not running the latest security patches on your Kubernetes cluster can make it a target for penetration.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -22,12 +22,13 @@ var CheckAutoUpgrade = rules.Register(
 			"https://docs.digitalocean.com/products/kubernetes/resources/best-practices/",
 		},
 		Terraform: &scan.EngineMetadata{
-			GoodExamples:        terraformKubernetesClusterAutoUpgradeGoodExample,
-			BadExamples:         terraformKubernetesClusterAutoUpgradeBadExample,
+			GoodExamples:        terraformKubernetesClusterAutoUpgradeGoodExamples,
+			BadExamples:         terraformKubernetesClusterAutoUpgradeBadExamples,
 			Links:               terraformKubernetesClusterAutoUpgradeLinks,
 			RemediationMarkdown: terraformKubernetesAutoUpgradeMarkdown,
 		},
-		Severity: severity.Critical,
+		Severity:   severity.Critical,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, kc := range s.DigitalOcean.Compute.KubernetesClusters {

@@ -0,0 +1,40 @@
+# METADATA
+# title: Kubernetes clusters should be auto-upgraded to ensure that they always contain the latest security patches.
+# description: |
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://docs.digitalocean.com/products/kubernetes/resources/best-practices/
+# custom:
+#   id: AVD-DIG-0008
+#   avd_id: AVD-DIG-0008
+#   provider: digitalocean
+#   service: compute
+#   severity: CRITICAL
+#   short_code: kubernetes-auto-upgrades-not-enabled
+#   recommended_action: Set maintenance policy deterministically when auto upgrades are enabled
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: compute
+#             provider: digitalocean
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs/resources/kubernetes_cluster#auto-upgrade-example
+#     good_examples: checks/cloud/digitalocean/compute/auto_upgrade_no_maintenance_policy.tf.go
+#     bad_examples: checks/cloud/digitalocean/compute/auto_upgrade_no_maintenance_policy.tf.go
+package builtin.digitalocean.compute.digitalocean0008
+
+import rego.v1
+
+deny contains res if {
+	some cluster in input.digitalocean.compute.kubernetesclusters
+	isManaged(cluster)
+	not cluster.autoupgrade.value
+	res := result.new(
+		"Kubernetes cluster does not have auto-upgrades enabled.",
+		object.get(cluster, "autoupgrade", cluster),
+	)
+}
@@ -1,6 +1,6 @@
 package compute
 
-var terraformKubernetesClusterAutoUpgradeBadExample = []string{
+var terraformKubernetesClusterAutoUpgradeBadExamples = []string{
 	`
 resource "digitalocean_kubernetes_cluster" "foo" {
 	name    	 = "foo"
@@ -19,7 +19,7 @@ resource "digitalocean_kubernetes_cluster" "foo" {
 `,
 }
 
-var terraformKubernetesClusterAutoUpgradeGoodExample = []string{
+var terraformKubernetesClusterAutoUpgradeGoodExamples = []string{
 	`
 resource "digitalocean_kubernetes_cluster" "foo" {
 	name    	 = "foo"

@@ -0,0 +1,18 @@
+package builtin.digitalocean.compute.digitalocean0008_test
+
+import rego.v1
+
+import data.builtin.digitalocean.compute.digitalocean0008 as check
+import data.lib.test
+
+test_deny_auto_upgrade_disabled if {
+	inp := {"digitalocean": {"compute": {"kubernetesclusters": [{"autoupgrade": {"value": false}}]}}}
+
+	test.assert_count(check.deny, 1) with input as inp
+}
+
+test_allow_auto_upgrade_enabled if {
+	inp := {"digitalocean": {"compute": {"kubernetesclusters": [{"autoupgrade": {"value": true}}]}}}
+
+	test.assert_empty(check.deny) with input as inp
+}
@@ -29,7 +29,8 @@ You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning
 			Links:               terraformEnforceHttpsLinks,
 			RemediationMarkdown: terraformEnforceHttpsRemediationMarkdown,
 		},
-		Severity: severity.Critical,
+		Severity:   severity.Critical,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, lb := range s.DigitalOcean.Compute.LoadBalancers {

@@ -0,0 +1,45 @@
+# METADATA
+# title: The load balancer forwarding rule is using an insecure protocol as an entrypoint
+# description: |
+#   Plain HTTP is unencrypted and human-readable. This means that if a malicious actor was to eavesdrop on your connection, they would be able to see all of your data flowing back and forth.
+#   You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning eavesdroppers cannot read your traffic.
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://docs.digitalocean.com/products/networking/load-balancers/
+# custom:
+#   id: AVD-DIG-0002
+#   avd_id: AVD-DIG-0002
+#   provider: digitalocean
+#   service: compute
+#   severity: CRITICAL
+#   short_code: enforce-https
+#   recommended_action: Switch to HTTPS to benefit from TLS security features
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: compute
+#             provider: digitalocean
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs/resources/loadbalancer
+#     good_examples: checks/cloud/digitalocean/compute/enforce_https.tf.go
+#     bad_examples: checks/cloud/digitalocean/compute/enforce_https.tf.go
+package builtin.digitalocean.compute.digitalocean0002
+
+import rego.v1
+
+deny contains res if {
+	some lb in input.digitalocean.compute.loadbalancers
+	not is_redirect_http_to_https(lb)
+	some rule in lb.forwardingrules
+	rule.entryprotocol.value == "http"
+	res := result.new(
+		"Load balancer has aforwarding rule which uses HTTP instead of HTTPS.",
+		rule.entryprotocol,
+	)
+}
+
+is_redirect_http_to_https(lb) := lb.redirecthttptohttps.value