From 37a2a1945a2d0265a72df43fb2e9f0b2dd16167d Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Mon, 28 Aug 2023 17:48:13 +0100 Subject: [PATCH 1/2] feat(query): pulumi ECS Cluster with Container Insights Disabled --- .../metadata.json | 11 +++++ .../query.rego | 45 +++++++++++++++++++ .../test/negative1.yaml | 7 +++ .../test/positive1.yaml | 7 +++ .../test/positive2.yaml | 5 +++ .../test/positive3.yaml | 5 +++ .../test/positive_expected_result.json | 20 +++++++++ 7 files changed, 100 insertions(+) create mode 100644 assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/metadata.json create mode 100644 assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/query.rego create mode 100644 assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/negative1.yaml create mode 100644 assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive1.yaml create mode 100644 assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive2.yaml create mode 100644 assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive3.yaml create mode 100644 assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json diff --git a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/metadata.json b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/metadata.json new file mode 100644 index 00000000000..78a1164bb36 --- /dev/null +++ b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/metadata.json 
@@ -0,0 +1,11 @@
+{
+ "id": "abcefee4-a0c1-4245-9f82-a473f79a9e2f",
+ "queryName": "ECS Cluster with Container Insights Disabled",
+ "severity": "LOW",
+ "category": "Observability",
+ "descriptionText": "ECS Cluster should enable container insights",
+ "descriptionUrl": "https://www.pulumi.com/registry/packages/aws/api-docs/ecs/cluster/#settings_yaml",
+ "platform": "Pulumi",
+ "descriptionID": "6fd99865",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/query.rego b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/query.rego
new file mode 100644
index 00000000000..e82c4bbd40e
--- /dev/null
+++ b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/query.rego
@@ -0,0 +1,45 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.pulumi as plm_lib
+
+CxPolicy[result] {
+ resource := input.document[i].resources[name]
+ resource.type == "aws:ecs:Cluster"
+
+ not common_lib.valid_key(resource.properties, "settings")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.type,
+ "resourceName": plm_lib.getResourceName(resource, name),
+ "searchKey": sprintf("resources[%s].properties", [name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": "Attribute 'settings' should be defined and have a ClusterSetting named 'containerInsights' which value is 'enabled'",
+ "keyActualValue": "Attribute 'settings' is not defined",
+ "searchLine": common_lib.build_search_line(["resources", name, "properties"], []),
+ }
+}
+
+CxPolicy[result] {
+ resource := input.document[i].resources[name]
+ resource.type == "aws:ecs:Cluster"
+
+ not containerInsights(resource.properties.settings)
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.type,
+ "resourceName": plm_lib.getResourceName(resource, name),
+ "searchKey": sprintf("resources[%s].properties.monitoring", [name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "Attribute 'monitoring' should be set to true",
+ "keyActualValue": "Attribute 'monitoring' is set to false",
+ "searchLine": common_lib.build_search_line(["resources", name, "properties"], ["monitoring"]),
+ }
+}
+
+containerInsights(settings){
+ settings[0].name == "containerInsights"
+ settings[0].value == "enabled"
+}
\ No newline at end of file
diff --git a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/negative1.yaml b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/negative1.yaml
new file mode 100644
index 00000000000..7007d43b39b
--- /dev/null
+++ b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/negative1.yaml
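Review bot: `containerInsights` only inspects `settings[0]`, so a cluster whose `containerInsights` entry is not the first element of `settings` is reported as a false positive, and none of the fixtures cover that ordering. Binding an index instead matches the setting at any position: `settings[x].name == "containerInsights"` and `settings[x].value == "enabled"`. Separately, when `settings` is absent the argument `resource.properties.settings` is undefined and `not` of an undefined call evaluates true, so the second rule appears to fire for positive3 in addition to the `MissingAttribute` rule; adding `common_lib.valid_key(resource.properties, "settings")` to the second rule's body would keep the two rules disjoint. A negative fixture listing another setting before `containerInsights` would pin the index fix.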
@@ -0,0 +1,7 @@
+resources:
+ foo:
+ type: aws:ecs:Cluster
+ properties:
+ settings:
+ - name: containerInsights
+ value: enabled
\ No newline at end of file
diff --git a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive1.yaml b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive1.yaml
new file mode 100644
index 00000000000..8f5b69a910c
--- /dev/null
+++ b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive1.yaml
@@ -0,0 +1,7 @@
+resources:
+ foo:
+ type: aws:ecs:Cluster
+ properties:
+ settings:
+ - name: containerInsights
+ value: disabled
\ No newline at end of file
diff --git a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive2.yaml b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive2.yaml
new file mode 100644
index 00000000000..0c817968ef6
--- /dev/null
+++ b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive2.yaml
@@ -0,0 +1,5 @@
+resources:
+ foo:
+ type: aws:ecs:Cluster
+ properties:
+ settings: []
\ No newline at end of file
diff --git a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive3.yaml b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive3.yaml
new file mode 100644
index 00000000000..96bb4bd1019
--- /dev/null
+++ b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive3.yaml
@@ -0,0 +1,5 @@
+resources:
+ foo:
+ type: aws:ecs:Cluster
+ properties:
+ description: example
diff --git a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json
new file mode 100644
index 00000000000..d01ed069296
--- /dev/null
+++ b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json
@@ -0,0 +1,20 @@
+[
+ {
+ "queryName": "ECS Cluster with Container Insights Disabled",
+ "severity": "LOW",
+ "line": 5,
+ "fileName": "positive1.yaml"
+ },
+ {
+ "queryName": "ECS Cluster with Container Insights Disabled",
+ "severity": "LOW",
+ "line": 5,
+ "fileName": "positive2.yaml"
+ },
+ {
+ "queryName": "ECS Cluster with Container Insights Disabled",
+ "severity": "LOW",
+ "line": 4,
+ "fileName": "positive3.yaml"
+ }
+]
From 756ce36b1e290cffebb0c5dec53efab53ef57d85 Mon Sep 17 00:00:00 2001 From: cx-henriqueAlvelos Date: Mon, 28 Aug 2023 18:29:20 +0100 Subject: [PATCH 2/2] fixed query and tests --- .../ecs_cluster_container_insights_disabled/query.rego | 8 ++++---- .../test/negative1.yaml | 3 +++ .../test/positive1.yaml | 3 +++ .../test/positive2.yaml | 3 +++ .../test/positive3.yaml | 3 +++ .../test/positive_expected_result.json | 6 +++--- 6 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/query.rego b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/query.rego
index e82c4bbd40e..89f03888651 100644
--- a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/query.rego
+++ b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/query.rego
@@ -31,11 +31,11 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties.monitoring", [name]),
+ "searchKey": sprintf("resources[%s].properties.settings", [name]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": "Attribute 'monitoring' should be set to true",
- "keyActualValue": "Attribute 'monitoring' is set to false",
- "searchLine": common_lib.build_search_line(["resources", name, "properties"], ["monitoring"]),
+ "keyExpectedValue": "Attribute 'settings' should have a ClusterSetting named 'containerInsights' which value is 'enabled'",
+ "keyActualValue": "Attribute 'settings' doesn't have a ClusterSetting named 'containerInsights' which value is 'enabled'",
+ "searchLine": common_lib.build_search_line(["resources", name, "properties","settings"], []),
 }
 }
diff --git a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/negative1.yaml b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/negative1.yaml
index 7007d43b39b..1577efb4f8a 100644
--- a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/negative1.yaml
+++ b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/negative1.yaml
@@ -1,3 +1,6 @@
+name: aws-eks
+runtime: yaml
+description: An EKS cluster
 resources:
 foo:
 type: aws:ecs:Cluster
diff --git a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive1.yaml b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive1.yaml
index 8f5b69a910c..862abcdd756 100644
--- a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive1.yaml
+++ b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive1.yaml
@@ -1,3 +1,6 @@
+name: aws-eks
+runtime: yaml
+description: An EKS cluster
 resources:
 foo:
 type: aws:ecs:Cluster
diff --git a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive2.yaml b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive2.yaml
index 0c817968ef6..453efd8085e 100644
--- a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive2.yaml
+++ b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive2.yaml
@@ -1,3 +1,6 @@
+name: aws-eks
+runtime: yaml
+description: An EKS cluster
 resources:
 foo:
 type: aws:ecs:Cluster
diff --git a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive3.yaml b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive3.yaml
index 96bb4bd1019..c8978026faa 100644
--- a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive3.yaml
+++ b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive3.yaml
@@ -1,3 +1,6 @@
+name: aws-eks
+runtime: yaml
+description: An EKS cluster
 resources:
 foo:
 type: aws:ecs:Cluster
diff --git a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json
index d01ed069296..601fa6515b7 100644
--- a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json
+++ b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json
@@ -2,19 +2,19 @@
 {
 "queryName": "ECS Cluster with Container Insights Disabled",
 "severity": "LOW",
- "line": 5,
+ "line": 8,
 "fileName": "positive1.yaml"
 },
 {
 "queryName": "ECS Cluster with Container Insights Disabled",
 "severity": "LOW",
- "line": 5,
+ "line": 8,
 "fileName": "positive2.yaml"
 },
 {
 "queryName": "ECS Cluster with Container Insights Disabled",
 "severity": "LOW",
- "line": 4,
+ "line": 7,
 "fileName": "positive3.yaml"
 }
 ]