diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/query.rego b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/query.rego
index 50ba4b704f8..d024ecc086c 100644
--- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/query.rego
+++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/query.rego
@@ -3,28 +3,6 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
 
-CxPolicy[result] {
- bucket := input.document[i].resource.aws_s3_bucket[name]
- # version before TF AWS 4.0
- not common_lib.valid_key(bucket, "lifecycle_rule")
- not common_lib.valid_key(bucket, "versioning")
-
- # version after TF AWS 4.0
- not tf_lib.has_target_resource(name, "aws_s3_bucket_lifecycle_configuration")
- not tf_lib.has_target_resource(name, "aws_s3_bucket_versioning")
-
- result := {
- "documentId": input.document[i].id,
- "resourceType": "aws_s3_bucket",
- "resourceName": tf_lib.get_specific_resource_name(bucket, "aws_s3_bucket", name),
- "searchKey": sprintf("aws_s3_bucket[%s]", [name]),
- "issueType": "MissingAttribute",
- "keyExpectedValue": "versioning should be defined and not null",
- "keyActualValue": "versioning is undefined or null",
- "searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket", name], []),
- }
-}
-
 checkedFields = {
 "enabled",
 "mfa_delete"
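Review bot: Deleting this rule leaves a bucket that declares neither a `versioning` block nor an `aws_s3_bucket_versioning` target (the new negative6.tf) with no finding from a query named "S3 Bucket Without Enabled MFA Delete", even though MFA delete can only be active on a versioned bucket, so such a bucket necessarily lacks it. If the missing-versioning case is deliberately delegated to another query to avoid duplicate findings, record that where the rule used to be, e.g. `# Buckets with no versioning at all are out of scope here; a dedicated versioning query is expected to report them.` The `# version after TF AWS 4.0` checks on `tf_lib.has_target_resource` go with it, so a provider-4.x bucket with no versioning resource presumably also goes unreported; the remaining rules are outside this hunk, so that could not be confirmed here. The same removal is made at the module rule in the second hunk of this file and in both hunks of e2e/fixtures/samples/queries/valid/multiple_query/s3_bucket_without_enabled_mfa_delete/query.rego.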
@@ -66,25 +44,6 @@ CxPolicy[result] {
 }
 }
 
-CxPolicy[result] {
- module := input.document[i].module[name]
- keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_s3_bucket", "versioning")
-
- not common_lib.valid_key(module, "lifecycle_rule")
- not common_lib.valid_key(module, keyToCheck)
-
- result := {
- "documentId": input.document[i].id,
- "resourceType": "n/a",
- "resourceName": "n/a",
- "searchKey": sprintf("module[%s]", [name]),
- "issueType": "MissingAttribute",
- "keyExpectedValue": "'versioning' should be defined and not null",
- "keyActualValue": "'versioning' is undefined or null",
- "searchLine": common_lib.build_search_line(["module", name], []),
- }
-}
-
 CxPolicy[result] {
 module := input.document[i].module[name]
 keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_s3_bucket", "versioning")
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/negative6.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/negative6.tf
new file mode 100644
index 00000000000..a25ca6d09ff
--- /dev/null
+++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/negative6.tf
@@ -0,0 +1,22 @@
+provider "aws" {
+ region = "us-east-1"
+}
+
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 3.0"
+ }
+ }
+}
+
+resource "aws_s3_bucket" "negative6" {
+ bucket = "my-tf-test-bucket"
+ acl = "private"
+
+ tags = {
+ Name = "My bucket"
+ Environment = "Dev"
+ }
+}
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/negative7.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/negative7.tf
new file mode 100644
index 00000000000..34410da37c0
--- /dev/null
+++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/negative7.tf
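Review bot: negative6.tf gives no hint why a bucket with no `versioning` block at all is a negative case for a query about MFA delete, which is the exact boundary this commit moves and the first thing a future maintainer will question when the fixture fails. A one-line header comment before the `resource "aws_s3_bucket" "negative6"` block would pin the intent, e.g. `# No versioning block at all: intentionally not reported by this query`. The same applies to negative7.tf, which is the module form of the same case.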
@@ -0,0 +1,7 @@
+module "s3_bucket" {
+ source = "terraform-aws-modules/s3-bucket/aws"
+ version = "3.7.0"
+
+ bucket = "my-s3-bucket"
+ acl = "private"
+}
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive1.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive1.tf
index b8d70e27d9a..7b956bf61f6 100644
--- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive1.tf
+++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive1.tf
@@ -19,4 +19,8 @@ resource "aws_s3_bucket" "positive1" {
 Name = "My bucket"
 Environment = "Dev"
 }
+
+ versioning {
+ enabled = true
+ }
 }
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive10.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive10.tf
deleted file mode 100644
index 4a20cb67ad8..00000000000
--- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive10.tf
+++ /dev/null
@@ -1,30 +0,0 @@
-terraform {
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "4.2.0"
- }
- }
-}
-
-provider "aws" {
- # Configuration options
-}
-
-resource "aws_s3_bucket" "bbb" {
- bucket = "my-tf-test-bucket"
-
- tags = {
- Name = "My bucket"
- Environment = "Dev"
- }
-}
-
-resource "aws_s3_bucket_versioning" "example" {
- bucket = aws_s3_bucket.bbb.id
-
- versioning_configuration {
- status = "Disabled"
- mfa_delete = "Enabled"
- }
-}
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive2.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive2.tf
index ac925415484..8e5508b25da 100644
--- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive2.tf
+++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive2.tf
@@ -22,5 +22,6 @@ resource "aws_s3_bucket" "positive2" { versioning { enabled = true + mfa_delete = false } } diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive3.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive3.tf index bfb14e70456..6fcd3d9a29a 100644 --- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive3.tf +++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive3.tf @@ -21,7 +21,6 @@ resource "aws_s3_bucket" "positive3" { } versioning { - enabled = true - mfa_delete = false + enabled = false } } diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive4.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive4.tf index 6fcd3d9a29a..59cb39572ab 100644 --- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive4.tf +++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive4.tf @@ -1,26 +1,11 @@ -provider "aws" { - region = "us-east-1" -} - -terraform { - required_providers { - aws = { - source = "hashicorp/aws" - version = "~> 3.0" - } - } -} +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "3.7.0" -resource "aws_s3_bucket" "positive3" { - bucket = "my-tf-test-bucket" + bucket = "my-s3-bucket" acl = "private" - tags = { - Name = "My bucket" - Environment = "Dev" - } - versioning { - enabled = false + enabled = true } } diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive5.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive5.tf index 34410da37c0..f6e96745734 100644 --- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive5.tf +++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive5.tf 
@@ -4,4 +4,9 @@ module "s3_bucket" { bucket = "my-s3-bucket" acl = "private" + + versioning { + enabled = true + mfa_delete = false + } } diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive6.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive6.tf index 59cb39572ab..91293d36cbd 100644 --- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive6.tf +++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive6.tf @@ -6,6 +6,6 @@ module "s3_bucket" { acl = "private" versioning { - enabled = true + enabled = false } } diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive7.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive7.tf index f6e96745734..20d39f4d71f 100644 --- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive7.tf +++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive7.tf @@ -1,12 +1,30 @@ -module "s3_bucket" { - source = "terraform-aws-modules/s3-bucket/aws" - version = "3.7.0" +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "4.2.0" + } + } +} + +provider "aws" { + # Configuration options +} + +resource "aws_s3_bucket" "b0" { + bucket = "my-tf-test-bucket" + + tags = { + Name = "My bucket" + Environment = "Dev" + } +} - bucket = "my-s3-bucket" - acl = "private" +resource "aws_s3_bucket_versioning" "example2" { + bucket = aws_s3_bucket.b0.id - versioning { - enabled = true - mfa_delete = false + versioning_configuration { + status = "Enabled" + mfa_delete = "Disabled" } } diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive8.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive8.tf index 91293d36cbd..4a20cb67ad8 100644 
--- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive8.tf +++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive8.tf @@ -1,11 +1,30 @@ -module "s3_bucket" { - source = "terraform-aws-modules/s3-bucket/aws" - version = "3.7.0" +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "4.2.0" + } + } +} + +provider "aws" { + # Configuration options +} + +resource "aws_s3_bucket" "bbb" { + bucket = "my-tf-test-bucket" + + tags = { + Name = "My bucket" + Environment = "Dev" + } +} - bucket = "my-s3-bucket" - acl = "private" +resource "aws_s3_bucket_versioning" "example" { + bucket = aws_s3_bucket.bbb.id - versioning { - enabled = false + versioning_configuration { + status = "Disabled" + mfa_delete = "Enabled" } } diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive9.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive9.tf deleted file mode 100644 index 20d39f4d71f..00000000000 --- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive9.tf +++ /dev/null @@ -1,30 +0,0 @@ -terraform { - required_providers { - aws = { - source = "hashicorp/aws" - version = "4.2.0" - } - } -} - -provider "aws" { - # Configuration options -} - -resource "aws_s3_bucket" "b0" { - bucket = "my-tf-test-bucket" - - tags = { - Name = "My bucket" - Environment = "Dev" - } -} - -resource "aws_s3_bucket_versioning" "example2" { - bucket = aws_s3_bucket.b0.id - - versioning_configuration { - status = "Enabled" - mfa_delete = "Disabled" - } -} diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json index d6320d44848..63c2be9e202 100755 --- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json 
+++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json
@@ -1,74 +1,62 @@
 [
- {
- "queryName": "S3 Bucket Without Enabled MFA Delete",
- "severity": "LOW",
- "line": 14,
- "fileName": "positive1.tf"
- },
 {
 "queryName": "S3 Bucket Without Enabled MFA Delete",
 "severity": "LOW",
 "line": 23,
- "fileName": "positive2.tf"
+ "fileName": "positive1.tf"
 },
 {
 "queryName": "S3 Bucket Without Enabled MFA Delete",
 "severity": "LOW",
 "line": 25,
- "fileName": "positive3.tf"
+ "fileName": "positive2.tf"
 },
 {
 "queryName": "S3 Bucket Without Enabled MFA Delete",
 "severity": "LOW",
 "line": 24,
- "fileName": "positive4.tf"
+ "fileName": "positive3.tf"
 },
 {
 "queryName": "S3 Bucket Without Enabled MFA Delete",
 "severity": "LOW",
 "line": 23,
- "fileName": "positive4.tf"
- },
- {
- "queryName": "S3 Bucket Without Enabled MFA Delete",
- "severity": "LOW",
- "line": 1,
- "fileName": "positive5.tf"
+ "fileName": "positive3.tf"
 },
 {
 "queryName": "S3 Bucket Without Enabled MFA Delete",
 "severity": "LOW",
 "line": 8,
- "fileName": "positive6.tf"
+ "fileName": "positive4.tf"
 },
 {
 "queryName": "S3 Bucket Without Enabled MFA Delete",
 "severity": "LOW",
 "line": 10,
- "fileName": "positive7.tf"
+ "fileName": "positive5.tf"
 },
 {
 "queryName": "S3 Bucket Without Enabled MFA Delete",
 "severity": "LOW",
 "line": 8,
- "fileName": "positive8.tf"
+ "fileName": "positive6.tf"
 },
 {
 "queryName": "S3 Bucket Without Enabled MFA Delete",
 "severity": "LOW",
 "line": 9,
- "fileName": "positive8.tf"
+ "fileName": "positive6.tf"
 },
 {
 "queryName": "S3 Bucket Without Enabled MFA Delete",
 "severity": "LOW",
 "line": 28,
- "fileName": "positive9.tf"
+ "fileName": "positive7.tf"
 },
 {
 "queryName": "S3 Bucket Without Enabled MFA Delete",
 "severity": "LOW",
 "line": 27,
- "fileName": "positive10.tf"
+ "fileName": "positive8.tf"
 }
 ]
\ No newline at end of file
diff --git a/e2e/fixtures/samples/bom-positive.tf b/e2e/fixtures/samples/bom-positive.tf index c0645fd3c12..ad7dea4f07d 100644 --- a/e2e/fixtures/samples/bom-positive.tf +++ b/e2e/fixtures/samples/bom-positive.tf @@ -1,7 +1,18 @@ -resource "aws_s3_bucket" "hoge" { - bucket = "hoge" +resource "aws_s3_bucket" "negative1" { + bucket = "my-tf-test-bucket" + acl = "private" + + tags = { + Name = "My bucket" + Environment = "Dev" + } + + versioning { + enabled = true + } } + resource "aws_athena_database" "hoge" { name = "database_name" bucket = aws_s3_bucket.hoge.bucket diff --git a/e2e/fixtures/samples/queries/valid/multiple_query/s3_bucket_without_enabled_mfa_delete/query.rego b/e2e/fixtures/samples/queries/valid/multiple_query/s3_bucket_without_enabled_mfa_delete/query.rego index 10c4ad1d82c..f9e8dfe94a6 100644 --- a/e2e/fixtures/samples/queries/valid/multiple_query/s3_bucket_without_enabled_mfa_delete/query.rego +++ b/e2e/fixtures/samples/queries/valid/multiple_query/s3_bucket_without_enabled_mfa_delete/query.rego @@ -2,21 +2,6 @@ package Cx import data.generic.common as common_lib -CxPolicy[result] { - bucket := input.document[i].resource.aws_s3_bucket[name] - not common_lib.valid_key(bucket, "lifecycle_rule") - not common_lib.valid_key(bucket, "versioning") - - result := { - "documentId": input.document[i].id, - "searchKey": sprintf("aws_s3_bucket[%s]", [name]), - "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("aws_s3_bucket[%s].versioning should be defined and not null", [name]), - "keyActualValue": sprintf("aws_s3_bucket[%s].versioning is undefined or null", [name]), - "searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket", name], []), - } -} - checkedFields = { "enabled", "mfa_delete" 
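Review bot: The `aws_athena_database` resource at the end of the bom-positive.tf hunk still reads `bucket = aws_s3_bucket.hoge.bucket` while the bucket resource it points at has been renamed to `negative1`, so the fixture now carries a dangling reference. Either keep the original name, `resource "aws_s3_bucket" "hoge" {`, or update the consumer to `bucket = aws_s3_bucket.negative1.bucket`. Whether the e2e BOM run resolves references or only counts resources cannot be seen from this hunk, but a fixture that no longer describes a valid configuration is the kind of thing that quietly masks a later regression.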
@@ -52,23 +37,6 @@ CxPolicy[result] {
 }
 }
 
-CxPolicy[result] {
- module := input.document[i].module[name]
- keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_s3_bucket", "versioning")
-
- not common_lib.valid_key(module, "lifecycle_rule")
- not common_lib.valid_key(module, keyToCheck)
-
- result := {
- "documentId": input.document[i].id,
- "searchKey": sprintf("module[%s]", [name]),
- "issueType": "MissingAttribute",
- "keyExpectedValue": "'versioning' should be defined and not null",
- "keyActualValue": "'versioning' is undefined or null",
- "searchLine": common_lib.build_search_line(["module", name], []),
- }
-}
-
 CxPolicy[result] {
 module := input.document[i].module[name]
 keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_s3_bucket", "versioning")