Revert "update resource type to map[string]bool (#992)" (#1001)

This reverts commit 3e8d964.

pkg/filters/filter-specs.go

@@ -17,6 +17,8 @@
 package filters
 
 import (
+	"strings"
+
 	"github.com/accurics/terrascan/pkg/policy"
 	"github.com/accurics/terrascan/pkg/utils"
 	"go.uber.org/zap"
@@ -49,7 +51,14 @@ func (rs ResourceTypeFilterSpecification) IsSatisfied(r *policy.RegoMetadata) bo
 		return true
 	}
 
-	return r.ResourceType[rs.resourceType]
+	// temporary fix for kubernetes policies (https://github.com/accurics/terrascan/issues/946)
+	// TODO: modification in policy metadata (resource type (string) => resource type (map<string,bool))
+	// accordingly modify the filter specification
+	if r.PolicyType == "k8s" && strings.Contains(strings.ToLower(rs.resourceType), "kubernetes") {
+		return true
+	}
+
+	return rs.resourceType == r.ResourceType
 }
 
 // RerefenceIDFilterSpecification is reference ID based Filter Spec

pkg/filters/filters_test.go

@@ -264,17 +264,17 @@ func TestRegoDataFilter_Filter(t *testing.T) {
 	testRegoDataMapWithResourceType := map[string]*policy.RegoData{
 		"Rule.1": {
 			Metadata: policy.RegoMetadata{
-				ResourceType: map[string]bool{"kubernetes_pod": true},
+				ResourceType: "kubernetes_pod",
 			},
 		},
 		"Rule.2": {
 			Metadata: policy.RegoMetadata{
-				ResourceType: map[string]bool{"ec2_instance": true},
+				ResourceType: "ec2_instance",
 			},
 		},
 		"Rule.3": {
 			Metadata: policy.RegoMetadata{
-				ResourceType: map[string]bool{"kubernetes_pod": true},
+				ResourceType: "kubernetes_pod",
 			},
 		},
 	}
@@ -323,12 +323,12 @@ func TestRegoDataFilter_Filter(t *testing.T) {
 			want: map[string]*policy.RegoData{
 				"Rule.1": {
 					Metadata: policy.RegoMetadata{
-						ResourceType: map[string]bool{"kubernetes_pod": true},
+						ResourceType: "kubernetes_pod",
 					},
 				},
 				"Rule.3": {
 					Metadata: policy.RegoMetadata{
-						ResourceType: map[string]bool{"kubernetes_pod": true},
+						ResourceType: "kubernetes_pod",
 					},
 				},
 			},

pkg/policies/opa/rego/aws/aws_ami/AWS.EC2.Encryption&KeyManagement.Medium.0688.json

@@ -2,9 +2,7 @@
     "name": "amiNotEncrypted",
     "file": "amiNotEncrypted.rego",
     "policy_type": "aws",
-    "resource_type": {
-        "aws_ami": true
-    },
+    "resource_type": "aws_ami",
     "template_args": null,
     "severity": "MEDIUM",
     "description": "Enable AWS AMI Encryption",

pkg/policies/opa/rego/aws/aws_ami_launch_permission/AWS.AMI.NS.Medium.1040.json

@@ -2,9 +2,7 @@
     "name": "amiSharedToMultipleAccounts",
     "file": "amiSharedToMultipleAccounts.rego",
     "policy_type": "aws",
-    "resource_type": {
-        "aws_ami_launch_permission": true
-    },
+    "resource_type": "aws_ami_launch_permission",
     "template_args": {
         "prefix": ""
     },

pkg/policies/opa/rego/aws/aws_api_gateway_method/AWS.APGM.IS.LOW.0056.json

@@ -2,16 +2,14 @@
     "name": "apiGatewayAuthorizationDisabled",
     "file": "apiGatewayAuthorizationDisabled.rego",
     "policy_type": "aws",
-    "resource_type": {
-        "aws_api_gateway_method": true
-    },
+    "resource_type": "aws_api_gateway_method",
     "template_args": {
         "prefix": ""
     },
     "severity": "LOW",
     "description": "Ensure there is no open access to back-end resources through API",
     "reference_id": "AWS.APGM.IS.LOW.0056",
     "category": "Infrastructure Security",
-    "version": 1,
-    "id": "AC_AWS_0439"
+    "id": "AC_AWS_0439",
+    "version": 1
 }

pkg/policies/opa/rego/aws/aws_api_gateway_method_settings/AWS.API Gateway.Logging.Medium.0569.json

@@ -2,9 +2,7 @@
     "name": "apiGatewaySettingMetrics",
     "file": "apiGatewaySettingMetrics.rego",
     "policy_type": "aws",
-    "resource_type": {
-        "aws_api_gateway_method_settings": true
-    },
+    "resource_type": "aws_api_gateway_method_settings",
     "template_args": null,
     "severity": "MEDIUM",
     "description": "Enable Detailed CloudWatch Metrics for APIs",

pkg/policies/opa/rego/aws/aws_api_gateway_rest_api/AWS.APIGateway.Medium.0568.json

@@ -2,9 +2,7 @@
     "name": "apiGatewayContentEncoding",
     "file": "apiGatewayContentEncoding.rego",
     "policy_type": "aws",
-    "resource_type": {
-        "aws_api_gateway_rest_api": true
-    },
+    "resource_type": "aws_api_gateway_rest_api",
     "template_args": null,
     "severity": "MEDIUM",
     "description": "Enable Content Encoding",

pkg/policies/opa/rego/aws/aws_api_gateway_rest_api/AWS.APIGateway.Network Security.Medium.0570.json

@@ -2,9 +2,7 @@
     "name": "apiGatewayEndpointConfig",
     "file": "apiGatewayEndpointConfig.rego",
     "policy_type": "aws",
-    "resource_type": {
-        "aws_api_gateway_rest_api": true
-    },
+    "resource_type": "aws_api_gateway_rest_api",
     "template_args": null,
     "severity": "MEDIUM",
     "description": "API Gateway Private Endpoints",

pkg/policies/opa/rego/aws/aws_api_gateway_rest_api_policy/AWS.APGRAP.IAM.HIGH.0064.json

@@ -2,16 +2,14 @@
     "name": "apiGatewayRestApiPolicyNotSecure",
     "file": "apiGatewayRestApiPolicyNotSecure.rego",
     "policy_type": "aws",
-    "resource_type": {
-        "aws_api_gateway_rest_api_policy": true
-    },
+    "resource_type": "aws_api_gateway_rest_api_policy",
     "template_args": {
         "prefix": ""
     },
     "severity": "HIGH",
     "description": "Ensure use of API Gateway endpoint policy, and no action wildcards are being used.",
     "reference_id": "AWS.APGRAP.IAM.HIGH.0064",
     "category": "Identity and Access Management",
-    "version": 1,
-    "id": "AC_AWS_0440"
+    "id": "AC_AWS_0440",
+    "version": 1
 }

pkg/policies/opa/rego/aws/aws_api_gateway_stage/AWS.API Gateway.Logging.Medium.0567.json

@@ -2,10 +2,7 @@
     "name": "apiGatewayName",
     "file": "apiGatewayName.rego",
     "policy_type": "aws",
-    "resource_type": {
-        "aws_api_gateway_stage": true,
-        "aws_cloudwatch_log_group": true
-    },
+    "resource_type": "aws_api_gateway_stage",
     "template_args": null,
     "severity": "MEDIUM",
     "description": "Enable AWS CloudWatch Logs for APIs",

pkg/policies/opa/rego/aws/aws_api_gateway_stage/AWS.API Gateway.Logging.Medium.0571.json

@@ -2,9 +2,7 @@
     "name": "apiGatewayTracing",
     "file": "apiGatewayTracing.rego",
     "policy_type": "aws",
-    "resource_type": {
-        "aws_api_gateway_stage": true
-    },
+    "resource_type": "aws_api_gateway_stage",
     "template_args": null,
     "severity": "LOW",
     "description": "Ensure AWS API Gateway has active xray tracing enabled",

pkg/policies/opa/rego/aws/aws_api_gateway_stage/AWS.API Gateway.Logging.Medium.0572.json

@@ -2,9 +2,7 @@
     "name": "apiGatewayLogging",
     "file": "apiGatewayLogging.rego",
     "policy_type": "aws",
-    "resource_type": {
-        "aws_api_gateway_stage": true
-    },
+    "resource_type": "aws_api_gateway_stage",
     "template_args": {
         "prefix": ""
     },

pkg/policies/opa/rego/aws/aws_api_gateway_stage/AWS.API Gateway.Network Security.Medium.0565.json

@@ -2,9 +2,7 @@
     "name": "apiGatewaySslCertificate",
     "file": "apiGatewaySslCertificate.rego",
     "policy_type": "aws",
-    "resource_type": {
-        "aws_api_gateway_stage": true
-    },
+    "resource_type": "aws_api_gateway_stage",
     "template_args": null,
     "severity": "MEDIUM",
     "description": "Enable SSL Client Certificate",

pkg/policies/opa/rego/aws/aws_apigatewayv2_api/AWS.ApiGatewayV2Api.AccessControl.Medium.0630.json

@@ -2,14 +2,12 @@
     "name": "apiGatewayMiconfiguredCors",
     "file": "apiGatewayMiconfiguredCors.rego",
     "policy_type": "aws",
-    "resource_type": {
-        "aws_apigatewayv2_api": true
-    },
+    "resource_type": "aws_apigatewayv2_api",
     "template_args": null,
     "severity": "Medium",
     "description": "Insecure Cross-Origin Resource Sharing Configuration allowing all domains",
     "reference_id": "AWS.ApiGatewayV2Api.AccessControl.0630",
     "category": "Security Best Practices",
-    "version": 2,
-    "id": "AC_AWS_0441"
+    "id": "AC_AWS_0441",
+    "version": 2
 }

pkg/policies/opa/rego/aws/aws_apigatewayv2_stage/AWS.ApiGatewayV2Stage.Logging.Low.0630.json

@@ -2,14 +2,12 @@
     "name": "apiGatewayNoAccessLogs",
     "file": "apiGatewayNoAccessLogs.rego",
     "policy_type": "aws",
-    "resource_type": {
-        "aws_apigatewayv2_stage": true
-    },
+    "resource_type": "aws_apigatewayv2_stage",
     "template_args": null,
     "severity": "Low",
     "description": "AWS API Gateway V2 Stage is missing access logs",
     "reference_id": "AWS.ApiGatewayV2Stage.Logging.0630",
     "category": "Logging and Monitoring",
-    "version": 2,
-    "id": "AC_AWS_0442"
+    "id": "AC_AWS_0442",
+    "version": 2
 }

pkg/policies/opa/rego/aws/aws_athena_database/AWS.ADB.DP.MEDIUM.016.json

@@ -2,16 +2,14 @@
     "name": "athenaDatabaseEncrypted",
     "file": "athenaDatabaseEncrypted.rego",
     "policy_type": "aws",
-    "resource_type": {
-        "aws_athena_database": true
-    },
+    "resource_type": "aws_athena_database",
     "template_args": {
         "prefix": ""
     },
     "severity": "MEDIUM",
     "description": "Ensure Athena Database is encrypted at rest",
     "reference_id": "AWS.ADB.DP.MEDIUM.016",
     "category": "Data Protection",
-    "version": 2,
-    "id": "AC_AWS_0443"
+    "id": "AC_AWS_0443",
+    "version": 2
 }

pkg/policies/opa/rego/aws/aws_cloudformation_stack/AWS.CloudFormation.Medium.0599.json

@@ -2,9 +2,7 @@
     "name": "awsCloudFormationInUse",
     "file": "cloudFormationNullCheck.rego",
     "policy_type": "aws",
-    "resource_type": {
-        "aws_cloudformation_stack": true
-    },
+    "resource_type": "aws_cloudformation_stack",
     "template_args": {
         "name": "awsCloudFormationInUse",
         "property": "template_url"
@@ -13,6 +11,6 @@
     "description": "AWS CloudFormation Not In Use",
     "reference_id": "AWS.CloudFormation.Medium.0599",
     "category": "Security Best Practices",
-    "version": 1,
-    "id": "AC_AWS_0444"
+    "id": "AC_AWS_0444",
+    "version": 1
 }

pkg/policies/opa/rego/aws/aws_cloudformation_stack/AWS.CloudFormation.Medium.0603.json

@@ -2,9 +2,7 @@
     "name": "cloudFormationStackNotifs",
     "file": "cloudFormationNullCheck.rego",
     "policy_type": "aws",
-    "resource_type": {
-        "aws_cloudformation_stack": true
-    },
+    "resource_type": "aws_cloudformation_stack",
     "template_args": {
         "name": "cloudFormationStackNotifs",
         "property": "notification_arns"

pkg/policies/opa/rego/aws/aws_cloudformation_stack/AWS.CloudFormation.Medium.0604.json

@@ -2,9 +2,7 @@
     "name": "cloudFormationStackPolicy",
     "file": "cloudFormationNullCheck.rego",
     "policy_type": "aws",
-    "resource_type": {
-        "aws_cloudformation_stack": true
-    },
+    "resource_type": "aws_cloudformation_stack",
     "template_args": {
         "name": "cloudFormationStackPolicy",
         "property": "policy_url"
@@ -13,6 +11,6 @@
     "description": "AWS CloudFormation Stack Policy",
     "reference_id": "AWS.CloudFormation.Medium.0604",
     "category": "Security Best Practices",
-    "version": 1,
-    "id": "AC_AWS_0445"
+    "id": "AC_AWS_0445",
+    "version": 1
 }

pkg/policies/opa/rego/aws/aws_cloudformation_stack/AWS.CloudFormation.Medium.0605.json

@@ -2,10 +2,7 @@
     "name": "cloudFormationTerminationProtection",
     "file": "cloudFormationTerminationProtection.rego",
     "policy_type": "aws",
-    "resource_type": {
-        "aws_cloudformation_stack": true,
-        "aws_cloudformation_stack_set_instance": true
-    },
+    "resource_type": "aws_cloudformation_stack",
     "template_args": null,
     "severity": "MEDIUM",
     "description": "Enable AWS CloudFormation Stack Termination Protection",

pkg/policies/opa/rego/aws/aws_cloudfront_distribution/AC-AW-IS-CD-M-0026.json

@@ -2,9 +2,7 @@
     "name": "cloudfrontNoGeoRestriction",
     "file": "cloudfrontNoGeoRestriction.rego",
     "policy_type": "aws",
-    "resource_type": {
-        "aws_cloudfront_distribution": true
-    },
+    "resource_type": "aws_cloudfront_distribution",
     "template_args": {
         "prefix": ""
     },

pkg/policies/opa/rego/aws/aws_cloudfront_distribution/AC-AW-IS-CD-M-1186.json

@@ -2,9 +2,7 @@
     "name": "noWafEnabled",
     "file": "noWafEnabled.rego",
     "policy_type": "aws",
-    "resource_type": {
-        "aws_cloudfront_distribution": true
-    },
+    "resource_type": "aws_cloudfront_distribution",
     "template_args": null,
     "severity": "Medium",
     "description": "Ensure that cloud-front has web application firewall enabled",

pkg/policies/opa/rego/aws/aws_cloudfront_distribution/AWS.CloudFront.EncryptionandKeyManagement.High.0407.json

@@ -2,9 +2,7 @@
     "name": "cloudfrontNoHTTPSTraffic",
     "file": "cloudfrontNoHTTPSTraffic.rego",
     "policy_type": "aws",
-    "resource_type": {
-        "aws_cloudfront_distribution": true
-    },
+    "resource_type": "aws_cloudfront_distribution",
     "template_args": {
         "prefix": ""
     },

pkg/policies/opa/rego/aws/aws_cloudfront_distribution/AWS.CloudFront.EncryptionandKeyManagement.High.0408.json

@@ -2,9 +2,7 @@
     "name": "cloudfrontNoSecureCiphers",
     "file": "cloudfrontNoSecureCiphers.rego",
     "policy_type": "aws",
-    "resource_type": {
-        "aws_cloudfront_distribution": true
-    },
+    "resource_type": "aws_cloudfront_distribution",
     "template_args": {
         "prefix": ""
     },

pkg/policies/opa/rego/aws/aws_cloudfront_distribution/AWS.CloudFront.Logging.Medium.0567.json

@@ -2,9 +2,7 @@
     "name": "cloudfrontNoLogging",
     "file": "cloudfrontNoLogging.rego",
     "policy_type": "aws",
-    "resource_type": {
-        "aws_cloudfront_distribution": true
-    },
+    "resource_type": "aws_cloudfront_distribution",
     "template_args": {
         "prefix": ""
     },