added possibility of sec group being a var (#5208)

Checkmarx · Apr 20, 2022 · 37ca249 · 37ca249
1 parent e7da059
commit 37ca249
Show file tree

Hide file tree

Showing 2 changed files with 112 additions and 5 deletions.
diff --git a/assets/queries/terraform/aws/security_groups_not_used/query.rego b/assets/queries/terraform/aws/security_groups_not_used/query.rego
@@ -2,9 +2,9 @@ package Cx
 
 CxPolicy[result] {
 	doc := input.document[i]
-	doc.resource.aws_security_group[securityGroupName]
+	resource := doc.resource.aws_security_group[securityGroupName]
 
-	not is_used(securityGroupName, doc)
+	not is_used(securityGroupName, doc, resource)
 
 	result := {
 		"documentId": input.document[i].id,
@@ -15,22 +15,29 @@ CxPolicy[result] {
 	}
 }
 
-is_used(securityGroupName, doc) {
+is_used(securityGroupName, doc, resource) {
 	[path, value] := walk(doc)
 	securityGroupUsed := value.security_groups[_]
 	contains(securityGroupUsed, sprintf("aws_security_group.%s", [securityGroupName]))
 }
 
 # check in modules for module terraform-aws-modules/security-group/aws
-is_used(securityGroupName, doc) {
+is_used(securityGroupName, doc, resource) {
 	[path, value] := walk(doc)
 	securityGroupUsed := value.security_group_id
 	contains(securityGroupUsed, sprintf("aws_security_group.%s", [securityGroupName]))
 }
 
 # check security groups assigned to aws_instance resources
-is_used(securityGroupName, doc) {
+is_used(securityGroupName, doc, resource) {
 	[path, value] := walk(doc)
 	securityGroupUsed := value.vpc_security_group_ids[_]
 	contains(securityGroupUsed, sprintf("aws_security_group.%s", [securityGroupName]))
 }
+
+is_used(securityGroupName, doc, resource) {
+	sec_group_used := resource.name
+    [path, value] := walk(doc)
+	securityGroupUsed := value.security_groups[_]
+	sec_group_used == securityGroupUsed
+}
diff --git a/assets/queries/terraform/aws/security_groups_not_used/test/negative4.tf b/assets/queries/terraform/aws/security_groups_not_used/test/negative4.tf
@@ -0,0 +1,100 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.0"
+    }
+  }
+
+  required_version = ">= 1.1.0"
+}
+
+variable "iam_role" {
+  type        = string
+  default     = "AmazonSSMRoleForInstancesQuickSetup"
+  description = "Set AWS IAM role."
+}
+
+variable "ami_owner" {
+  type        = string
+  default     = "self"
+  description = "Set AWS image owner."
+}
+
+variable "region" {
+  type        = string
+  default     = "eu-west-3"
+  description = "Set AWS region."
+}
+
+variable "secgroups" {
+  type        = list(string)
+  default     = ["CowrieSSH"]
+  description = "Set AWS security groups."
+}
+
+data "aws_ami" "cowrie" {
+  most_recent = true
+  owners      = ["${var.ami_owner}"]
+
+  filter {
+    name   = "name"
+    values = ["cowrie-packer-*"]
+  }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+}
+
+provider "aws" {
+  profile = "default"
+  region  = var.region
+}
+
+resource "aws_security_group" "cowrie" {
+  name        = "CowrieSSH"
+  description = "CowrieSSH Terraform security group"
+
+  ingress {
+    description = "Allow anyone to connect to the honeypot."
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    description      = "Allow all outgoing traffic."
+    from_port        = 0
+    to_port          = 0
+    protocol         = "-1"
+    cidr_blocks      = ["0.0.0.0/0"]
+    ipv6_cidr_blocks = ["::/0"]
+  }
+
+  tags = {
+    Name    = "cowrie_ssh_sg"
+    purpose = "honeypot"
+  }
+}
+
+resource "aws_instance" "cowrie_server" {
+  ami                  = data.aws_ami.cowrie.id
+  instance_type        = "t3.nano"
+  security_groups      = var.secgroups
+  iam_instance_profile = var.iam_role
+
+  metadata_options {
+    http_endpoint = "enabled"
+    http_tokens   = "required"
+  }
+
+  tags = {
+    Name    = "cowrie",
+    author  = "konstruktoid"
+    vcs-url = "https://github.com/konstruktoid/ansible-cowrie-rootless"
+    purpose = "honeypot"
+  }
+}