query(bom): add mvp queries storage, queue, cache

assets/libraries/common.rego

@@ -331,3 +331,15 @@ find_selector_by_value(filter, str) = rtn {
 	trim(fvalue._value, "'") == str
 	rtn := fvalue
 }
+
+get_tag_name_if_exists(resource) = name {
+	name := resource.tags.Name
+} else = name {
+	name := ""
+}
+
+get_encryption_if_exists(resource) = encryption {
+	encryption := resource.encrypted
+} else = encryption {
+	encryption := "unencrypted"
+}

assets/queries/terraform/aws_bom/ebs/metadata.json

@@ -0,0 +1,11 @@
+{
+  "id": "86571149-eef3-4280-a645-01e60df854b0",
+  "queryName": "BOM - EBS",
+  "severity": "TRACE",
+  "category": "Bill Of Materials",
+  "descriptionText": "A list of EBS resources specified",
+  "descriptionUrl": "https://kics.io",
+  "platform": "Terraform",
+  "descriptionID": "fd141699",
+  "cloudProvider": "aws"
+}

assets/queries/terraform/aws_bom/ebs/query.rego

@@ -0,0 +1,25 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+	ebs_volume := input.document[i].resource.aws_ebs_volume[name]
+
+	bom_output = {
+		"resource_type": "aws_ebs_volume",
+		"resource_name": common_lib.get_tag_name_if_exists(ebs_volume),
+		"resource_accessibility": common_lib.get_encryption_if_exists(ebs_volume),
+		"resource_vendor": "AWS",
+		"resource_category": "Storage",
+	}
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("aws_ebs_volume[%s]", [name]),
+		"issueType": "BillOfMaterials",
+		"keyExpectedValue": "",
+		"keyActualValue": "",
+		"searchLine": common_lib.build_search_line(["resource", "aws_ebs_volume", name], []),
+		"value": json.marshal(bom_output),
+	}
+}

assets/queries/terraform/aws_bom/ebs/test/negative1.tf

@@ -0,0 +1,15 @@
+variable "web_type" {
+  description = "Size/type of the host."
+  default     = "m1.large"
+}
+
+module "ebs_optimized" {
+  source        = "terraform-aws-modules/ebs-optimized/aws"
+  instance_type = "${var.web_type}"
+}
+
+resource "aws_instance" "web" {
+  ami           = "${data.aws_ami.ubuntu.id}"
+  instance_type = "${var.web_type}"
+  ebs_optimized = "${module.ebs_optimized.answer}"
+}

assets/queries/terraform/aws_bom/ebs/test/positive1.tf

@@ -0,0 +1,8 @@
+resource "aws_ebs_volume" "positive1" {
+  availability_zone = "us-west-2a"
+  size              = 40
+
+  tags = {
+    Name = "HelloWorld"
+  }
+}

assets/queries/terraform/aws_bom/ebs/test/positive_expected_result.json

@@ -0,0 +1,8 @@
+[
+  {
+    "queryName": "BOM - EBS",
+    "severity": "TRACE",
+    "line": 1,
+    "fileName": "positive1.tf"
+  }
+]

assets/queries/terraform/aws_bom/efs/metadata.json

@@ -0,0 +1,11 @@
+{
+  "id": "f53f16d6-46a9-4277-9fbe-617b1e24cdca",
+  "queryName": "BOM - EFS",
+  "severity": "TRACE",
+  "category": "Bill Of Materials",
+  "descriptionText": "A list of EFS resources specified",
+  "descriptionUrl": "https://kics.io",
+  "platform": "Terraform",
+  "descriptionID": "5522243f",
+  "cloudProvider": "aws"
+}

assets/queries/terraform/aws_bom/efs/query.rego

@@ -0,0 +1,25 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+	efs_file_system := input.document[i].resource.aws_efs_file_system[name]
+
+	bom_output = {
+		"resource_type": "aws_efs_file_system",
+		"resource_name": common_lib.get_tag_name_if_exists(efs_file_system),
+		"resource_accessibility": common_lib.get_encryption_if_exists(efs_file_system),
+		"resource_vendor": "AWS",
+		"resource_category": "Storage",
+	}
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("aws_efs_file_system[%s]", [name]),
+		"issueType": "BillOfMaterials",
+		"keyExpectedValue": "",
+		"keyActualValue": "",
+		"searchLine": common_lib.build_search_line(["resource", "aws_efs_file_system", name], []),
+		"value": json.marshal(bom_output),
+	}
+}

assets/queries/terraform/aws_bom/efs/test/negative1.tf

@@ -0,0 +1,11 @@
+module "efs" {
+  source = "cloudposse/efs/aws"
+  namespace       = "eg"
+  stage           = "test"
+  name            = "app"
+  region          = "us-west-1"
+  vpc_id          = var.vpc_id
+  subnets         = var.private_subnets
+  security_groups = [var.security_group_id]
+  zone_id         = var.aws_route53_dns_zone_id
+}

assets/queries/terraform/aws_bom/efs/test/positive1.tf

@@ -0,0 +1,8 @@
+resource "aws_efs_file_system" "positive1" {
+  creation_token = "my-product"
+  encrypted = true
+
+  tags = {
+    Name = "MyProduct"
+  }
+}

assets/queries/terraform/aws_bom/efs/test/positive_expected_result.json

@@ -0,0 +1,8 @@
+[
+  {
+    "queryName": "BOM - EFS",
+    "severity": "TRACE",
+    "line": 1,
+    "fileName": "positive1.tf"
+  }
+]

assets/queries/terraform/aws_bom/elasticache/metadata.json

@@ -0,0 +1,11 @@
+{
+  "id": "54229498-850b-4f78-b3a7-218d24ef2c37",
+  "queryName": "BOM - Elasticache",
+  "severity": "TRACE",
+  "category": "Bill Of Materials",
+  "descriptionText": "A list of Elasticache resources specified",
+  "descriptionUrl": "https://kics.io",
+  "platform": "Terraform",
+  "descriptionID": "34559ecd",
+  "cloudProvider": "aws"
+}

assets/queries/terraform/aws_bom/elasticache/query.rego

@@ -0,0 +1,34 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+	elasticache := input.document[i].resource.aws_elasticache_cluster[name]
+
+	bom_output = {
+		"resource_type": "aws_elasticache_cluster",
+		"resource_name": elasticache.cluster_id,
+		# memcached or redis
+		"resource_engine": get_engine_type(aws_mq_broker_resource),
+		"resource_accessibility": check_publicly_accessible(aws_mq_broker_resource),
+		"resource_vendor": "AWS",
+		"resource_category": "Queues",
+	}
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("aws_elasticache_cluster[%s]", [name]),
+		"issueType": "BillOfMaterials",
+		"keyExpectedValue": "",
+		"keyActualValue": "",
+		"searchLine": common_lib.build_search_line(["resource", "aws_elasticache_cluster", name], []),
+		"value": json.marshal(elasticache),
+	}
+}
+
+get_engine_type(aws_mq_broker_resource) = engine_type {
+	engine_type := aws_mq_broker_resource.engine_type
+} else {
+	aws_mq_broker_resource.replication_group_id != ""
+	engine_type := "unknown"
+}

assets/queries/terraform/aws_bom/elasticache/test/negative1.tf

@@ -0,0 +1,46 @@
+module "redis" {
+  source = "cloudposse/elasticache-redis/aws"
+  availability_zones         = var.availability_zones
+  namespace                  = var.namespace
+  stage                      = var.stage
+  name                       = var.name
+  zone_id                    = var.zone_id
+  vpc_id                     = module.vpc.vpc_id
+  subnets                    = module.subnets.private_subnet_ids
+  cluster_size               = var.cluster_size
+  instance_type              = var.instance_type
+  apply_immediately          = true
+  automatic_failover_enabled = false
+  engine_version             = var.engine_version
+  family                     = var.family
+  at_rest_encryption_enabled = var.at_rest_encryption_enabled
+  transit_encryption_enabled = var.transit_encryption_enabled
+
+  security_group_rules = [
+    {
+      type                     = "egress"
+      from_port                = 0
+      to_port                  = 65535
+      protocol                 = "-1"
+      cidr_blocks              = ["0.0.0.0/0"]
+      source_security_group_id = null
+      description              = "Allow all outbound traffic"
+    },
+    {
+      type                     = "ingress"
+      from_port                = 0
+      to_port                  = 65535
+      protocol                 = "-1"
+      cidr_blocks              = []
+      source_security_group_id = module.vpc.vpc_default_security_group_id
+      description              = "Allow all inbound traffic from trusted Security Groups"
+    },
+  ]
+
+  parameter = [
+    {
+      name  = "notify-keyspace-events"
+      value = "lK"
+    }
+  ]
+}

assets/queries/terraform/aws_bom/elasticache/test/positive1.tf

@@ -0,0 +1,8 @@
+resource "aws_elasticache_cluster" "positive1" {
+  cluster_id           = "cluster-example"
+  engine               = "memcached"
+  node_type            = "cache.m4.large"
+  num_cache_nodes      = 2
+  parameter_group_name = "default.memcached1.4"
+  port                 = 11211
+}

assets/queries/terraform/aws_bom/elasticache/test/positive2.tf

@@ -0,0 +1,9 @@
+resource "aws_elasticache_cluster" "positive2" {
+  cluster_id           = "cluster-example"
+  engine               = "redis"
+  node_type            = "cache.m4.large"
+  num_cache_nodes      = 1
+  parameter_group_name = "default.redis3.2"
+  engine_version       = "3.2.10"
+  port                 = 6379
+}

assets/queries/terraform/aws_bom/elasticache/test/positive_expected_result.json

@@ -0,0 +1,14 @@
+[
+  {
+    "queryName": "BOM - Elasticache",
+    "severity": "TRACE",
+    "line": 1,
+    "fileName": "positive1.tf"
+  },
+  {
+    "queryName": "BOM - Elasticache",
+    "severity": "TRACE",
+    "line": 1,
+    "fileName": "positive2.tf"
+  }
+]

assets/queries/terraform/aws_bom/mq/metadata.json

@@ -0,0 +1,11 @@
+{
+  "id": "baecd2da-492a-4d59-b9dc-29540a1398e0",
+  "queryName": "BOM - SQS",
+  "severity": "TRACE",
+  "category": "Bill Of Materials",
+  "descriptionText": "A list of SQS resources specified",
+  "descriptionUrl": "https://kics.io",
+  "platform": "Terraform",
+  "descriptionID": "63fc27c2",
+  "cloudProvider": "aws"
+}

assets/queries/terraform/aws_bom/mq/query.rego

@@ -0,0 +1,33 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+	aws_mq_broker_resource := input.document[i].resource.aws_mq_broker[name]
+
+	bom_output = {
+		"resource_type": "aws_mq_broker",
+		"resource_name": aws_mq_broker_resource.broker_name,
+		# RabbitMQ or ActiveMQ
+		"resource_engine": aws_mq_broker_resource.engine_type,
+		"resource_accessibility": check_publicly_accessible(aws_mq_broker_resource),
+		"resource_vendor": "AWS",
+		"resource_category": "Queues",
+	}
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("aws_mq_broker[%s]", [name]),
+		"issueType": "BillOfMaterials",
+		"keyExpectedValue": "",
+		"keyActualValue": "",
+		"searchLine": common_lib.build_search_line(["resource", "aws_mq_broker", name], []),
+		"value": json.marshal(bom_output),
+	}
+}
+
+check_publicly_accessible(resource) = accessibility {
+	accessibility := aws_mq_broker_resource.publicly_accessible
+} else = accessibility {
+	accessibility := false
+}

assets/queries/terraform/aws_bom/mq/test/negative1.tf

@@ -0,0 +1,21 @@
+  module "mq_broker" {
+    source = "cloudposse/mq-broker/aws"
+
+    namespace                  = "eg"
+    stage                      = "test"
+    name                       = "mq-broker"
+    apply_immediately          = true
+    auto_minor_version_upgrade = true
+    deployment_mode            = "ACTIVE_STANDBY_MULTI_AZ"
+    engine_type                = "ActiveMQ"
+    engine_version             = "5.15.14"
+    host_instance_type         = "mq.t3.micro"
+    publicly_accessible        = false
+    general_log_enabled        = true
+    audit_log_enabled          = true
+    encryption_enabled         = true
+    use_aws_owned_key          = true
+    vpc_id                     = var.vpc_id
+    subnet_ids                 = var.subnet_ids
+    security_groups            = var.security_groups
+  }

assets/queries/terraform/aws_bom/mq/test/positive1.tf

@@ -0,0 +1,18 @@
+resource "aws_mq_broker" "positive1" {
+  broker_name = "example"
+
+  configuration {
+    id       = aws_mq_configuration.test.id
+    revision = aws_mq_configuration.test.latest_revision
+  }
+
+  engine_type        = "ActiveMQ"
+  engine_version     = "5.15.9"
+  host_instance_type = "mq.t2.micro"
+  security_groups    = [aws_security_group.test.id]
+
+  user {
+    username = "ExampleUser"
+    password = "MindTheGap"
+  }
+}

assets/queries/terraform/aws_bom/mq/test/positive2.tf

@@ -0,0 +1,18 @@
+resource "aws_mq_broker" "positive2" {
+  broker_name = "example"
+
+  configuration {
+    id       = aws_mq_configuration.test.id
+    revision = aws_mq_configuration.test.latest_revision
+  }
+
+  engine_type        = "RabbitMQ"
+  engine_version     = "5.15.9"
+  host_instance_type = "mq.t2.micro"
+  security_groups    = [aws_security_group.test.id]
+
+  user {
+    username = "ExampleUser"
+    password = "MindTheGap"
+  }
+}