Merge pull request #7051 from Checkmarx/AST-42523

fix(query): tf mfa delete doing checks out of its scope
Checkmarx · May 20, 2024 · 142d2cf · 142d2cf
2 parents d342f4c + 7073208
commit 142d2cf
Show file tree

Hide file tree

Showing 16 changed files with 121 additions and 195 deletions.
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/query.rego b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/query.rego
@@ -3,28 +3,6 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
 
-CxPolicy[result] {
-	bucket := input.document[i].resource.aws_s3_bucket[name]
-	# version before TF AWS 4.0
-	not common_lib.valid_key(bucket, "lifecycle_rule")
-	not common_lib.valid_key(bucket, "versioning")
-
-	# version after TF AWS 4.0
-	not tf_lib.has_target_resource(name, "aws_s3_bucket_lifecycle_configuration")
-	not tf_lib.has_target_resource(name, "aws_s3_bucket_versioning")
-
-	result := {
-		"documentId": input.document[i].id,
-		"resourceType": "aws_s3_bucket",
-		"resourceName": tf_lib.get_specific_resource_name(bucket, "aws_s3_bucket", name),
-		"searchKey": sprintf("aws_s3_bucket[%s]", [name]),
-		"issueType": "MissingAttribute",
-		"keyExpectedValue": "versioning should be defined and not null",
-		"keyActualValue": "versioning is undefined or null",
-		"searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket", name], []),
-	}
-}
-
 checkedFields = {
 	"enabled",
 	"mfa_delete"
@@ -66,25 +44,6 @@ CxPolicy[result] {
 	}
 }
 
-CxPolicy[result] {
-	module := input.document[i].module[name]
-	keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_s3_bucket", "versioning")
-
-	not common_lib.valid_key(module, "lifecycle_rule")
-	not common_lib.valid_key(module, keyToCheck)
-
-	result := {
-		"documentId": input.document[i].id,
-		"resourceType": "n/a",
-		"resourceName": "n/a",
-		"searchKey": sprintf("module[%s]", [name]),
-		"issueType": "MissingAttribute",
-		"keyExpectedValue": "'versioning' should be defined and not null",
-		"keyActualValue": "'versioning' is undefined or null",
-		"searchLine": common_lib.build_search_line(["module", name], []),
-	}
-}
-
 CxPolicy[result] {
 	module := input.document[i].module[name]
 	keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_s3_bucket", "versioning")

diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/negative6.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/negative6.tf
@@ -0,0 +1,22 @@
+provider "aws" {
+  region = "us-east-1"
+}
+
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 3.0"
+    }
+  }
+}
+
+resource "aws_s3_bucket" "negative6" {
+  bucket = "my-tf-test-bucket"
+  acl    = "private"
+
+  tags = {
+    Name        = "My bucket"
+    Environment = "Dev"
+  }
+}
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/negative7.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/negative7.tf
@@ -0,0 +1,7 @@
+module "s3_bucket" {
+  source = "terraform-aws-modules/s3-bucket/aws"
+  version = "3.7.0"
+
+  bucket = "my-s3-bucket"
+  acl    = "private"
+}
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive1.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive1.tf
@@ -19,4 +19,8 @@ resource "aws_s3_bucket" "positive1" {
     Name        = "My bucket"
     Environment = "Dev"
   }
+
+  versioning {
+    enabled = true
+  }
 }
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive10.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive10.tf
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive2.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive2.tf
@@ -22,5 +22,6 @@ resource "aws_s3_bucket" "positive2" {
 
   versioning {
     enabled = true
+    mfa_delete = false
   }
 }
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive3.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive3.tf
@@ -21,7 +21,6 @@ resource "aws_s3_bucket" "positive3" {
   }
 
   versioning {
-    enabled = true
-    mfa_delete = false
+    enabled = false
   }
 }
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive4.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive4.tf
@@ -1,26 +1,11 @@
-provider "aws" {
-  region = "us-east-1"
-}
-
-terraform {
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = "~> 3.0"
-    }
-  }
-}
+module "s3_bucket" {
+  source = "terraform-aws-modules/s3-bucket/aws"
+  version = "3.7.0"
 
-resource "aws_s3_bucket" "positive3" {
-  bucket = "my-tf-test-bucket"
+  bucket = "my-s3-bucket"
   acl    = "private"
 
-  tags = {
-    Name        = "My bucket"
-    Environment = "Dev"
-  }
-
   versioning {
-    enabled = false
+    enabled = true
   }
 }
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive5.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive5.tf
@@ -4,4 +4,9 @@ module "s3_bucket" {
 
   bucket = "my-s3-bucket"
   acl    = "private"
+
+  versioning {
+    enabled = true
+    mfa_delete = false
+  }
 }
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive6.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive6.tf
@@ -6,6 +6,6 @@ module "s3_bucket" {
   acl    = "private"
 
   versioning {
-    enabled = true
+    enabled = false
   }
 }
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive7.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive7.tf
@@ -1,12 +1,30 @@
-module "s3_bucket" {
-  source = "terraform-aws-modules/s3-bucket/aws"
-  version = "3.7.0"
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+      version = "4.2.0"
+    }
+  }
+}
+
+provider "aws" {
+  # Configuration options
+}
+
+resource "aws_s3_bucket" "b0" {
+  bucket = "my-tf-test-bucket"
+
+  tags = {
+    Name        = "My bucket"
+    Environment = "Dev"
+  }
+}
 
-  bucket = "my-s3-bucket"
-  acl    = "private"
+resource "aws_s3_bucket_versioning" "example2" {
+  bucket = aws_s3_bucket.b0.id
 
-  versioning {
-    enabled = true
-    mfa_delete = false
+  versioning_configuration {
+    status = "Enabled"
+    mfa_delete = "Disabled"
   }
 }
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive8.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive8.tf
@@ -1,11 +1,30 @@
-module "s3_bucket" {
-  source = "terraform-aws-modules/s3-bucket/aws"
-  version = "3.7.0"
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+      version = "4.2.0"
+    }
+  }
+}
+
+provider "aws" {
+  # Configuration options
+}
+
+resource "aws_s3_bucket" "bbb" {
+  bucket = "my-tf-test-bucket"
+
+  tags = {
+    Name        = "My bucket"
+    Environment = "Dev"
+  }
+}
 
-  bucket = "my-s3-bucket"
-  acl    = "private"
+resource "aws_s3_bucket_versioning" "example" {
+  bucket = aws_s3_bucket.bbb.id
 
-  versioning {
-    enabled = false
+  versioning_configuration {
+    status = "Disabled"
+    mfa_delete = "Enabled"
   }
 }
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive9.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive9.tf
diff --git a/...ies/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json b/...ies/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json
@@ -1,74 +1,62 @@
 [
-  {
-    "queryName": "S3 Bucket Without Enabled MFA Delete",
-    "severity": "LOW",
-    "line": 14,
-    "fileName": "positive1.tf"
-  },
   {
     "queryName": "S3 Bucket Without Enabled MFA Delete",
     "severity": "LOW",
     "line": 23,
-    "fileName": "positive2.tf"
+    "fileName": "positive1.tf"
   },
   {
     "queryName": "S3 Bucket Without Enabled MFA Delete",
     "severity": "LOW",
     "line": 25,
-    "fileName": "positive3.tf"
+    "fileName": "positive2.tf"
   },
   {
     "queryName": "S3 Bucket Without Enabled MFA Delete",
     "severity": "LOW",
     "line": 24,
-    "fileName": "positive4.tf"
+    "fileName": "positive3.tf"
   },
   {
     "queryName": "S3 Bucket Without Enabled MFA Delete",
     "severity": "LOW",
     "line": 23,
-    "fileName": "positive4.tf"
-  },
-  {
-    "queryName": "S3 Bucket Without Enabled MFA Delete",
-    "severity": "LOW",
-    "line": 1,
-    "fileName": "positive5.tf"
+    "fileName": "positive3.tf"
   },
   {
     "queryName": "S3 Bucket Without Enabled MFA Delete",
     "severity": "LOW",
     "line": 8,
-    "fileName": "positive6.tf"
+    "fileName": "positive4.tf"
   },
   {
     "queryName": "S3 Bucket Without Enabled MFA Delete",
     "severity": "LOW",
     "line": 10,
-    "fileName": "positive7.tf"
+    "fileName": "positive5.tf"
   },
   {
     "queryName": "S3 Bucket Without Enabled MFA Delete",
     "severity": "LOW",
     "line": 8,
-    "fileName": "positive8.tf"
+    "fileName": "positive6.tf"
   },
   {
     "queryName": "S3 Bucket Without Enabled MFA Delete",
     "severity": "LOW",
     "line": 9,
-    "fileName": "positive8.tf"
+    "fileName": "positive6.tf"
   },
   {
     "queryName": "S3 Bucket Without Enabled MFA Delete",
     "severity": "LOW",
     "line": 28,
-    "fileName": "positive9.tf"
+    "fileName": "positive7.tf"
   },
   {
     "queryName": "S3 Bucket Without Enabled MFA Delete",
     "severity": "LOW",
     "line": 27,
-    "fileName": "positive10.tf"
+    "fileName": "positive8.tf"
   }
 ]