Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update resource type to map[string]bool #992

Merged
merged 2 commits into from
Aug 20, 2021
Merged

update resource type to map[string]bool #992

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
1ae0a45
update resource type to map[string]bool
patilpankaj212 Aug 16, 2021
8e59f38
updated with new resource_type format (#33)
harkirat22 Aug 19, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
The table of contents is too big for display.
Diff view
Diff view
  •  
  •  
  •  
11 changes: 1 addition & 10 deletions pkg/filters/filter-specs.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,8 +17,6 @@
package filters

import (
"strings"

"github.com/accurics/terrascan/pkg/policy"
"github.com/accurics/terrascan/pkg/utils"
"go.uber.org/zap"
Expand Down Expand Up @@ -51,14 +49,7 @@ func (rs ResourceTypeFilterSpecification) IsSatisfied(r *policy.RegoMetadata) bo
return true
}

// temporary fix for kubernetes policies (https://github.com/accurics/terrascan/issues/946)
// TODO: modification in policy metadata (resource type (string) => resource type (map<string,bool))
// accordingly modify the filter specification
if r.PolicyType == "k8s" && strings.Contains(strings.ToLower(rs.resourceType), "kubernetes") {
return true
}

return rs.resourceType == r.ResourceType
return r.ResourceType[rs.resourceType]
}

// RerefenceIDFilterSpecification is reference ID based Filter Spec
Expand Down
10 changes: 5 additions & 5 deletions pkg/filters/filters_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -264,17 +264,17 @@ func TestRegoDataFilter_Filter(t *testing.T) {
testRegoDataMapWithResourceType := map[string]*policy.RegoData{
"Rule.1": {
Metadata: policy.RegoMetadata{
ResourceType: "kubernetes_pod",
ResourceType: map[string]bool{"kubernetes_pod": true},
},
},
"Rule.2": {
Metadata: policy.RegoMetadata{
ResourceType: "ec2_instance",
ResourceType: map[string]bool{"ec2_instance": true},
},
},
"Rule.3": {
Metadata: policy.RegoMetadata{
ResourceType: "kubernetes_pod",
ResourceType: map[string]bool{"kubernetes_pod": true},
},
},
}
Expand Down Expand Up @@ -323,12 +323,12 @@ func TestRegoDataFilter_Filter(t *testing.T) {
want: map[string]*policy.RegoData{
"Rule.1": {
Metadata: policy.RegoMetadata{
ResourceType: "kubernetes_pod",
ResourceType: map[string]bool{"kubernetes_pod": true},
},
},
"Rule.3": {
Metadata: policy.RegoMetadata{
ResourceType: "kubernetes_pod",
ResourceType: map[string]bool{"kubernetes_pod": true},
},
},
},
Expand Down
4 changes: 3 additions & 1 deletion pkg/policies/opa/rego/aws/aws_ami/AWS.EC2.Encryption&KeyManagement.Medium.0688.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@
"name": "amiNotEncrypted",
"file": "amiNotEncrypted.rego",
"policy_type": "aws",
"resource_type": "aws_ami",
"resource_type": {
"aws_ami": true
},
"template_args": null,
"severity": "MEDIUM",
"description": "Enable AWS AMI Encryption",
Expand Down
4 changes: 3 additions & 1 deletion pkg/policies/opa/rego/aws/aws_ami_launch_permission/AWS.AMI.NS.Medium.1040.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@
"name": "amiSharedToMultipleAccounts",
"file": "amiSharedToMultipleAccounts.rego",
"policy_type": "aws",
"resource_type": "aws_ami_launch_permission",
"resource_type": {
"aws_ami_launch_permission": true
},
"template_args": {
"prefix": ""
},
Expand Down
8 changes: 5 additions & 3 deletions pkg/policies/opa/rego/aws/aws_api_gateway_method/AWS.APGM.IS.LOW.0056.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,14 +2,16 @@
"name": "apiGatewayAuthorizationDisabled",
"file": "apiGatewayAuthorizationDisabled.rego",
"policy_type": "aws",
"resource_type": "aws_api_gateway_method",
"resource_type": {
"aws_api_gateway_method": true
},
"template_args": {
"prefix": ""
},
"severity": "LOW",
"description": "Ensure there is no open access to back-end resources through API",
"reference_id": "AWS.APGM.IS.LOW.0056",
"category": "Infrastructure Security",
"id": "AC_AWS_0439",
"version": 1
"version": 1,
"id": "AC_AWS_0439"
}
4 changes: 3 additions & 1 deletion ...ies/opa/rego/aws/aws_api_gateway_method_settings/AWS.API Gateway.Logging.Medium.0569.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@
"name": "apiGatewaySettingMetrics",
"file": "apiGatewaySettingMetrics.rego",
"policy_type": "aws",
"resource_type": "aws_api_gateway_method_settings",
"resource_type": {
"aws_api_gateway_method_settings": true
},
"template_args": null,
"severity": "MEDIUM",
"description": "Enable Detailed CloudWatch Metrics for APIs",
Expand Down
4 changes: 3 additions & 1 deletion pkg/policies/opa/rego/aws/aws_api_gateway_rest_api/AWS.APIGateway.Medium.0568.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@
"name": "apiGatewayContentEncoding",
"file": "apiGatewayContentEncoding.rego",
"policy_type": "aws",
"resource_type": "aws_api_gateway_rest_api",
"resource_type": {
"aws_api_gateway_rest_api": true
},
"template_args": null,
"severity": "MEDIUM",
"description": "Enable Content Encoding",
Expand Down
4 changes: 3 additions & 1 deletion ...es/opa/rego/aws/aws_api_gateway_rest_api/AWS.APIGateway.Network Security.Medium.0570.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@
"name": "apiGatewayEndpointConfig",
"file": "apiGatewayEndpointConfig.rego",
"policy_type": "aws",
"resource_type": "aws_api_gateway_rest_api",
"resource_type": {
"aws_api_gateway_rest_api": true
},
"template_args": null,
"severity": "MEDIUM",
"description": "API Gateway Private Endpoints",
Expand Down
8 changes: 5 additions & 3 deletions pkg/policies/opa/rego/aws/aws_api_gateway_rest_api_policy/AWS.APGRAP.IAM.HIGH.0064.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,14 +2,16 @@
"name": "apiGatewayRestApiPolicyNotSecure",
"file": "apiGatewayRestApiPolicyNotSecure.rego",
"policy_type": "aws",
"resource_type": "aws_api_gateway_rest_api_policy",
"resource_type": {
"aws_api_gateway_rest_api_policy": true
},
"template_args": {
"prefix": ""
},
"severity": "HIGH",
"description": "Ensure use of API Gateway endpoint policy, and no action wildcards are being used.",
"reference_id": "AWS.APGRAP.IAM.HIGH.0064",
"category": "Identity and Access Management",
"id": "AC_AWS_0440",
"version": 1
"version": 1,
"id": "AC_AWS_0440"
}
5 changes: 4 additions & 1 deletion pkg/policies/opa/rego/aws/aws_api_gateway_stage/AWS.API Gateway.Logging.Medium.0567.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,10 @@
"name": "apiGatewayName",
"file": "apiGatewayName.rego",
"policy_type": "aws",
"resource_type": "aws_api_gateway_stage",
"resource_type": {
"aws_api_gateway_stage": true,
"aws_cloudwatch_log_group": true
},
"template_args": null,
"severity": "MEDIUM",
"description": "Enable AWS CloudWatch Logs for APIs",
Expand Down
4 changes: 3 additions & 1 deletion pkg/policies/opa/rego/aws/aws_api_gateway_stage/AWS.API Gateway.Logging.Medium.0571.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@
"name": "apiGatewayTracing",
"file": "apiGatewayTracing.rego",
"policy_type": "aws",
"resource_type": "aws_api_gateway_stage",
"resource_type": {
"aws_api_gateway_stage": true
},
"template_args": null,
"severity": "LOW",
"description": "Ensure AWS API Gateway has active xray tracing enabled",
Expand Down
4 changes: 3 additions & 1 deletion pkg/policies/opa/rego/aws/aws_api_gateway_stage/AWS.API Gateway.Logging.Medium.0572.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@
"name": "apiGatewayLogging",
"file": "apiGatewayLogging.rego",
"policy_type": "aws",
"resource_type": "aws_api_gateway_stage",
"resource_type": {
"aws_api_gateway_stage": true
},
"template_args": {
"prefix": ""
},
Expand Down
4 changes: 3 additions & 1 deletion ...cies/opa/rego/aws/aws_api_gateway_stage/AWS.API Gateway.Network Security.Medium.0565.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@
"name": "apiGatewaySslCertificate",
"file": "apiGatewaySslCertificate.rego",
"policy_type": "aws",
"resource_type": "aws_api_gateway_stage",
"resource_type": {
"aws_api_gateway_stage": true
},
"template_args": null,
"severity": "MEDIUM",
"description": "Enable SSL Client Certificate",
Expand Down
8 changes: 5 additions & 3 deletions ...cies/opa/rego/aws/aws_apigatewayv2_api/AWS.ApiGatewayV2Api.AccessControl.Medium.0630.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,12 +2,14 @@
"name": "apiGatewayMiconfiguredCors",
"file": "apiGatewayMiconfiguredCors.rego",
"policy_type": "aws",
"resource_type": "aws_apigatewayv2_api",
"resource_type": {
"aws_apigatewayv2_api": true
},
"template_args": null,
"severity": "Medium",
"description": "Insecure Cross-Origin Resource Sharing Configuration allowing all domains",
"reference_id": "AWS.ApiGatewayV2Api.AccessControl.0630",
"category": "Security Best Practices",
"id": "AC_AWS_0441",
"version": 2
"version": 2,
"id": "AC_AWS_0441"
}
8 changes: 5 additions & 3 deletions pkg/policies/opa/rego/aws/aws_apigatewayv2_stage/AWS.ApiGatewayV2Stage.Logging.Low.0630.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,12 +2,14 @@
"name": "apiGatewayNoAccessLogs",
"file": "apiGatewayNoAccessLogs.rego",
"policy_type": "aws",
"resource_type": "aws_apigatewayv2_stage",
"resource_type": {
"aws_apigatewayv2_stage": true
},
"template_args": null,
"severity": "Low",
"description": "AWS API Gateway V2 Stage is missing access logs",
"reference_id": "AWS.ApiGatewayV2Stage.Logging.0630",
"category": "Logging and Monitoring",
"id": "AC_AWS_0442",
"version": 2
"version": 2,
"id": "AC_AWS_0442"
}
8 changes: 5 additions & 3 deletions pkg/policies/opa/rego/aws/aws_athena_database/AWS.ADB.DP.MEDIUM.016.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,14 +2,16 @@
"name": "athenaDatabaseEncrypted",
"file": "athenaDatabaseEncrypted.rego",
"policy_type": "aws",
"resource_type": "aws_athena_database",
"resource_type": {
"aws_athena_database": true
},
"template_args": {
"prefix": ""
},
"severity": "MEDIUM",
"description": "Ensure Athena Database is encrypted at rest",
"reference_id": "AWS.ADB.DP.MEDIUM.016",
"category": "Data Protection",
"id": "AC_AWS_0443",
"version": 2
"version": 2,
"id": "AC_AWS_0443"
}
8 changes: 5 additions & 3 deletions pkg/policies/opa/rego/aws/aws_cloudformation_stack/AWS.CloudFormation.Medium.0599.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@
"name": "awsCloudFormationInUse",
"file": "cloudFormationNullCheck.rego",
"policy_type": "aws",
"resource_type": "aws_cloudformation_stack",
"resource_type": {
"aws_cloudformation_stack": true
},
"template_args": {
"name": "awsCloudFormationInUse",
"property": "template_url"
Expand All @@ -11,6 +13,6 @@
"description": "AWS CloudFormation Not In Use",
"reference_id": "AWS.CloudFormation.Medium.0599",
"category": "Security Best Practices",
"id": "AC_AWS_0444",
"version": 1
"version": 1,
"id": "AC_AWS_0444"
}
4 changes: 3 additions & 1 deletion pkg/policies/opa/rego/aws/aws_cloudformation_stack/AWS.CloudFormation.Medium.0603.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@
"name": "cloudFormationStackNotifs",
"file": "cloudFormationNullCheck.rego",
"policy_type": "aws",
"resource_type": "aws_cloudformation_stack",
"resource_type": {
"aws_cloudformation_stack": true
},
"template_args": {
"name": "cloudFormationStackNotifs",
"property": "notification_arns"
Expand Down
8 changes: 5 additions & 3 deletions pkg/policies/opa/rego/aws/aws_cloudformation_stack/AWS.CloudFormation.Medium.0604.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@
"name": "cloudFormationStackPolicy",
"file": "cloudFormationNullCheck.rego",
"policy_type": "aws",
"resource_type": "aws_cloudformation_stack",
"resource_type": {
"aws_cloudformation_stack": true
},
"template_args": {
"name": "cloudFormationStackPolicy",
"property": "policy_url"
Expand All @@ -11,6 +13,6 @@
"description": "AWS CloudFormation Stack Policy",
"reference_id": "AWS.CloudFormation.Medium.0604",
"category": "Security Best Practices",
"id": "AC_AWS_0445",
"version": 1
"version": 1,
"id": "AC_AWS_0445"
}
5 changes: 4 additions & 1 deletion pkg/policies/opa/rego/aws/aws_cloudformation_stack/AWS.CloudFormation.Medium.0605.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,10 @@
"name": "cloudFormationTerminationProtection",
"file": "cloudFormationTerminationProtection.rego",
"policy_type": "aws",
"resource_type": "aws_cloudformation_stack",
"resource_type": {
"aws_cloudformation_stack": true,
"aws_cloudformation_stack_set_instance": true
},
"template_args": null,
"severity": "MEDIUM",
"description": "Enable AWS CloudFormation Stack Termination Protection",
Expand Down
4 changes: 3 additions & 1 deletion pkg/policies/opa/rego/aws/aws_cloudfront_distribution/AC-AW-IS-CD-M-0026.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@
"name": "cloudfrontNoGeoRestriction",
"file": "cloudfrontNoGeoRestriction.rego",
"policy_type": "aws",
"resource_type": "aws_cloudfront_distribution",
"resource_type": {
"aws_cloudfront_distribution": true
},
"template_args": {
"prefix": ""
},
Expand Down
4 changes: 3 additions & 1 deletion pkg/policies/opa/rego/aws/aws_cloudfront_distribution/AC-AW-IS-CD-M-1186.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@
"name": "noWafEnabled",
"file": "noWafEnabled.rego",
"policy_type": "aws",
"resource_type": "aws_cloudfront_distribution",
"resource_type": {
"aws_cloudfront_distribution": true
},
"template_args": null,
"severity": "Medium",
"description": "Ensure that cloud-front has web application firewall enabled",
Expand Down
4 changes: 3 additions & 1 deletion .../aws/aws_cloudfront_distribution/AWS.CloudFront.EncryptionandKeyManagement.High.0407.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@
"name": "cloudfrontNoHTTPSTraffic",
"file": "cloudfrontNoHTTPSTraffic.rego",
"policy_type": "aws",
"resource_type": "aws_cloudfront_distribution",
"resource_type": {
"aws_cloudfront_distribution": true
},
"template_args": {
"prefix": ""
},
Expand Down
4 changes: 3 additions & 1 deletion .../aws/aws_cloudfront_distribution/AWS.CloudFront.EncryptionandKeyManagement.High.0408.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@
"name": "cloudfrontNoSecureCiphers",
"file": "cloudfrontNoSecureCiphers.rego",
"policy_type": "aws",
"resource_type": "aws_cloudfront_distribution",
"resource_type": {
"aws_cloudfront_distribution": true
},
"template_args": {
"prefix": ""
},
Expand Down
4 changes: 3 additions & 1 deletion ...policies/opa/rego/aws/aws_cloudfront_distribution/AWS.CloudFront.Logging.Medium.0567.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@
"name": "cloudfrontNoLogging",
"file": "cloudfrontNoLogging.rego",
"policy_type": "aws",
"resource_type": "aws_cloudfront_distribution",
"resource_type": {
"aws_cloudfront_distribution": true
},
"template_args": {
"prefix": ""
},
Expand Down
Loading