From 5a0a9bf6742a3bf8a37e7041a85913169a02d514 Mon Sep 17 00:00:00 2001
From: JulioSCX
Date: Mon, 13 May 2024 16:58:13 +0100
Subject: [PATCH 1/6] changed E2E 54
---
 e2e/fixtures/samples/bom-positive.tf | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/e2e/fixtures/samples/bom-positive.tf b/e2e/fixtures/samples/bom-positive.tf
index c0645fd3c12..4d7bf87f418 100644
--- a/e2e/fixtures/samples/bom-positive.tf
+++ b/e2e/fixtures/samples/bom-positive.tf
@@ -1,7 +1,16 @@
-resource "aws_s3_bucket" "hoge" {
- bucket = "hoge"
+module "s3_bucket" {
+ source = "terraform-aws-modules/s3-bucket/aws"
+ version = "3.7.0"
+
+ bucket = "my-s3-bucket"
+ acl = "private"
+
+ versioning {
+ enabled = true
+ }
 }
+
 
 resource "aws_athena_database" "hoge" {
 name = "database_name"
 bucket = aws_s3_bucket.hoge.bucket
From 9728a9bf3f185f2d0a0f7eff279a9cadd1c875e0 Mon Sep 17 00:00:00 2001
From: JulioSCX
Date: Mon, 13 May 2024 17:04:34 +0100
Subject: [PATCH 2/6] removed versioning from e2e query
---
 .../query.rego | 32 -------------------
 1 file changed, 32 deletions(-)

diff --git a/e2e/fixtures/samples/queries/valid/multiple_query/s3_bucket_without_enabled_mfa_delete/query.rego b/e2e/fixtures/samples/queries/valid/multiple_query/s3_bucket_without_enabled_mfa_delete/query.rego
index 10c4ad1d82c..f9e8dfe94a6 100644
--- a/e2e/fixtures/samples/queries/valid/multiple_query/s3_bucket_without_enabled_mfa_delete/query.rego
+++ b/e2e/fixtures/samples/queries/valid/multiple_query/s3_bucket_without_enabled_mfa_delete/query.rego
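Review bot: After the bucket is replaced by `module "s3_bucket"`, the context line `bucket = aws_s3_bucket.hoge.bucket` in `aws_athena_database.hoge` refers to a resource that no longer exists in this fixture. Patch 5/6 later turns the module into `resource "aws_s3_bucket" "negative1"`, so unless that line is changed outside the series the reference stays unresolved at the end of it. If the e2e run only parses the fixture this will not fail the test, but a BOM sample with a dangling reference is misleading and would not pass `terraform validate`; either keep the bucket name `hoge` or change the athena line to `bucket = aws_s3_bucket.negative1.bucket` once patch 5/6 is applied. The athena resource continues past the end of the hunk.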
@@ -2,21 +2,6 @@ package Cx
 
 import data.generic.common as common_lib
 
-CxPolicy[result] {
- bucket := input.document[i].resource.aws_s3_bucket[name]
- not common_lib.valid_key(bucket, "lifecycle_rule")
- not common_lib.valid_key(bucket, "versioning")
-
- result := {
- "documentId": input.document[i].id,
- "searchKey": sprintf("aws_s3_bucket[%s]", [name]),
- "issueType": "MissingAttribute",
- "keyExpectedValue": sprintf("aws_s3_bucket[%s].versioning should be defined and not null", [name]),
- "keyActualValue": sprintf("aws_s3_bucket[%s].versioning is undefined or null", [name]),
- "searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket", name], []),
- }
-}
-
 checkedFields = {
 "enabled",
 "mfa_delete"
@@ -52,23 +37,6 @@ CxPolicy[result] {
 }
 }
 
-CxPolicy[result] {
- module := input.document[i].module[name]
- keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_s3_bucket", "versioning")
-
- not common_lib.valid_key(module, "lifecycle_rule")
- not common_lib.valid_key(module, keyToCheck)
-
- result := {
- "documentId": input.document[i].id,
- "searchKey": sprintf("module[%s]", [name]),
- "issueType": "MissingAttribute",
- "keyExpectedValue": "'versioning' should be defined and not null",
- "keyActualValue": "'versioning' is undefined or null",
- "searchLine": common_lib.build_search_line(["module", name], []),
- }
-}
-
 CxPolicy[result] {
 module := input.document[i].module[name]
 keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_s3_bucket", "versioning")
From b29b8b267dd51aafde68c9214f0b9ba034f7705c Mon Sep 17 00:00:00 2001
From: JulioSCX
Date: Mon, 13 May 2024 17:05:39 +0100
Subject: [PATCH 3/6] removed versioning from query
---
 .../query.rego | 41 -------------------
 1 file changed, 41 deletions(-)

diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/query.rego b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/query.rego
index 50ba4b704f8..d024ecc086c 100644
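Review bot: Dropping the two "versioning is undefined or null" rules (resource form in the first hunk, module form in the second) means a bucket with no `versioning` block at all, which by construction has no MFA delete either, is no longer reported by this query; patch 3/6 makes the same removal in the main query in `assets/` (both hunks there), and `negative6.tf`/`negative7.tf` in patch 4/6 fix that as the expected outcome. That is a deliberate narrowing, but nothing on the page shows that another query reports the missing-versioning case for the module form and for the TF AWS 4.x form where no `aws_s3_bucket_versioning` targets the bucket, so that overlap should be confirmed before merging or this is a net detection loss. The narrowed scope should also be stated in the query's description, e.g. `A bucket with no versioning configuration at all is not reported here; missing versioning is expected to be covered separately.`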
--- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/query.rego
+++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/query.rego
@@ -3,28 +3,6 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
 
-CxPolicy[result] {
- bucket := input.document[i].resource.aws_s3_bucket[name]
- # version before TF AWS 4.0
- not common_lib.valid_key(bucket, "lifecycle_rule")
- not common_lib.valid_key(bucket, "versioning")
-
- # version after TF AWS 4.0
- not tf_lib.has_target_resource(name, "aws_s3_bucket_lifecycle_configuration")
- not tf_lib.has_target_resource(name, "aws_s3_bucket_versioning")
-
- result := {
- "documentId": input.document[i].id,
- "resourceType": "aws_s3_bucket",
- "resourceName": tf_lib.get_specific_resource_name(bucket, "aws_s3_bucket", name),
- "searchKey": sprintf("aws_s3_bucket[%s]", [name]),
- "issueType": "MissingAttribute",
- "keyExpectedValue": "versioning should be defined and not null",
- "keyActualValue": "versioning is undefined or null",
- "searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket", name], []),
- }
-}
-
 checkedFields = {
 "enabled",
 "mfa_delete"
@@ -66,25 +44,6 @@ CxPolicy[result] {
 }
 }
 
-CxPolicy[result] {
- module := input.document[i].module[name]
- keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_s3_bucket", "versioning")
-
- not common_lib.valid_key(module, "lifecycle_rule")
- not common_lib.valid_key(module, keyToCheck)
-
- result := {
- "documentId": input.document[i].id,
- "resourceType": "n/a",
- "resourceName": "n/a",
- "searchKey": sprintf("module[%s]", [name]),
- "issueType": "MissingAttribute",
- "keyExpectedValue": "'versioning' should be defined and not null",
- "keyActualValue": "'versioning' is undefined or null",
- "searchLine": common_lib.build_search_line(["module", name], []),
- }
-}
-
 CxPolicy[result] {
 module := input.document[i].module[name]
 keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_s3_bucket", "versioning")
From 2f15f42ff58e96b199196eb17ca0c58ef533d0e6 Mon Sep 17 00:00:00 2001
From: JulioSCX
Date: Mon, 13 May 2024 17:32:23 +0100
Subject: [PATCH 4/6] changed query tests
---
 .../test/negative6.tf | 22 ++++++++++++
 .../test/negative7.tf | 7 ++++
 .../test/positive1.tf | 6 +++-
 .../test/positive10.tf | 30 ----------------
 .../test/positive2.tf | 3 +-
 .../test/positive3.tf | 3 +-
 .../test/positive4.tf | 25 +++-----------
 .../test/positive5.tf | 5 +++
 .../test/positive6.tf | 2 +-
 .../test/positive7.tf | 34 ++++++++++++++-----
 .../test/positive8.tf | 33 ++++++++++++++----
 .../test/positive9.tf | 30 ----------------
 .../test/positive_expected_result.json | 32 ++++++-----------
 13 files changed, 110 insertions(+), 122 deletions(-)
 create mode 100644 assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/negative6.tf
 create mode 100644 assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/negative7.tf
 delete mode 100644 assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive10.tf
 delete mode 100644 assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive9.tf

diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/negative6.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/negative6.tf
new file mode 100644
index 00000000000..b8d70e27d9a
--- /dev/null
+++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/negative6.tf
@@ -0,0 +1,22 @@
+provider "aws" {
+ region = "us-east-1"
+}
+
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 3.0"
+ }
+ }
+}
+
+resource "aws_s3_bucket" "positive1" {
+ bucket = "my-tf-test-bucket"
+ acl = "private"
+
+ tags = {
+ Name = "My bucket"
+ Environment = "Dev"
+ }
+}
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/negative7.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/negative7.tf
new file mode 100644
index 00000000000..34410da37c0
--- /dev/null
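Review bot: `negative6.tf` is a bucket with no `versioning` block, a shape this query reported as missing versioning before this series and now treats as compliant; nothing in the file says that is intentional, so a later reader may take it for a false negative and "fix" it. Add a short comment above the resource, e.g. `# no versioning block at all: out of scope for this query, which only checks an existing versioning configuration for mfa_delete`, and the same on the module in `negative7.tf` in the next hunk.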
+++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/negative7.tf
@@ -0,0 +1,7 @@
+module "s3_bucket" {
+ source = "terraform-aws-modules/s3-bucket/aws"
+ version = "3.7.0"
+
+ bucket = "my-s3-bucket"
+ acl = "private"
+}
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive1.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive1.tf
index b8d70e27d9a..ac925415484 100644
--- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive1.tf
+++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive1.tf
@@ -11,7 +11,7 @@ terraform {
 }
 }
 
-resource "aws_s3_bucket" "positive1" {
+resource "aws_s3_bucket" "positive2" {
 bucket = "my-tf-test-bucket"
 acl = "private"
 
@@ -19,4 +19,8 @@ resource "aws_s3_bucket" "positive1" {
 Name = "My bucket"
 Environment = "Dev"
 }
+
+ versioning {
+ enabled = true
+ }
 }
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive10.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive10.tf
deleted file mode 100644
index 4a20cb67ad8..00000000000
--- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive10.tf
+++ /dev/null
@@ -1,30 +0,0 @@
-terraform {
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "4.2.0"
- }
- }
-}
-
-provider "aws" {
- # Configuration options
-}
-
-resource "aws_s3_bucket" "bbb" {
- bucket = "my-tf-test-bucket"
-
- tags = {
- Name = "My bucket"
- Environment = "Dev"
- }
-}
-
-resource "aws_s3_bucket_versioning" "example" {
- bucket = aws_s3_bucket.bbb.id
-
- versioning_configuration {
- status = "Disabled"
- mfa_delete = "Enabled"
- }
-}
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive2.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive2.tf
index ac925415484..bfb14e70456 100644
--- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive2.tf
+++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive2.tf
@@ -11,7 +11,7 @@ terraform {
 }
 }
 
-resource "aws_s3_bucket" "positive2" {
+resource "aws_s3_bucket" "positive3" {
 bucket = "my-tf-test-bucket"
 acl = "private"
 
@@ -22,5 +22,6 @@ resource "aws_s3_bucket" "positive2" {
 
 versioning {
 enabled = true
+ mfa_delete = false
 }
 }
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive3.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive3.tf
index bfb14e70456..6fcd3d9a29a 100644
--- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive3.tf
+++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive3.tf
@@ -21,7 +21,6 @@ resource "aws_s3_bucket" "positive3" {
 }
 
 versioning {
- enabled = true
- mfa_delete = false
+ enabled = false
 }
 }
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive4.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive4.tf
index 6fcd3d9a29a..59cb39572ab 100644
--- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive4.tf
+++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive4.tf
@@ -1,26 +1,11 @@
-provider "aws" {
- region = "us-east-1"
-}
-
-terraform {
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "~> 3.0"
- }
- }
-}
+module "s3_bucket" {
+ source = "terraform-aws-modules/s3-bucket/aws"
+ version = "3.7.0"
 
-resource "aws_s3_bucket" "positive3" {
- bucket = "my-tf-test-bucket"
+ bucket = "my-s3-bucket"
 acl = "private"
 
- tags = {
- Name = "My bucket"
- Environment = "Dev"
- }
-
 versioning {
- enabled = false
+ enabled = true
 }
 }
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive5.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive5.tf
index 34410da37c0..f6e96745734 100644
--- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive5.tf
+++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive5.tf
@@ -4,4 +4,9 @@ module "s3_bucket" {
 
 bucket = "my-s3-bucket"
 acl = "private"
+
+ versioning {
+ enabled = true
+ mfa_delete = false
+ }
 }
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive6.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive6.tf
index 59cb39572ab..91293d36cbd 100644
--- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive6.tf
+++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive6.tf
@@ -6,6 +6,6 @@ module "s3_bucket" {
 acl = "private"
 
 versioning {
- enabled = true
+ enabled = false
 }
 }
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive7.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive7.tf
index f6e96745734..20d39f4d71f 100644
--- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive7.tf
+++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive7.tf
@@ -1,12 +1,30 @@
-module "s3_bucket" {
- source = "terraform-aws-modules/s3-bucket/aws"
- version = "3.7.0"
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "4.2.0"
+ }
+ }
+}
+
+provider "aws" {
+ # Configuration options
+}
+
+resource "aws_s3_bucket" "b0" {
+ bucket = "my-tf-test-bucket"
+
+ tags = {
+ Name = "My bucket"
+ Environment = "Dev"
+ }
+}
 
- bucket = "my-s3-bucket"
- acl = "private"
+resource "aws_s3_bucket_versioning" "example2" {
+ bucket = aws_s3_bucket.b0.id
 
- versioning {
- enabled = true
- mfa_delete = false
+ versioning_configuration {
+ status = "Enabled"
+ mfa_delete = "Disabled"
 }
 }
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive8.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive8.tf
index 91293d36cbd..4a20cb67ad8 100644
--- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive8.tf
+++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive8.tf
@@ -1,11 +1,30 @@
-module "s3_bucket" {
- source = "terraform-aws-modules/s3-bucket/aws"
- version = "3.7.0"
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "4.2.0"
+ }
+ }
+}
+
+provider "aws" {
+ # Configuration options
+}
+
+resource "aws_s3_bucket" "bbb" {
+ bucket = "my-tf-test-bucket"
+
+ tags = {
+ Name = "My bucket"
+ Environment = "Dev"
+ }
+}
 
- bucket = "my-s3-bucket"
- acl = "private"
+resource "aws_s3_bucket_versioning" "example" {
+ bucket = aws_s3_bucket.bbb.id
 
- versioning {
- enabled = false
+ versioning_configuration {
+ status = "Disabled"
+ mfa_delete = "Enabled"
 }
 }
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive9.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive9.tf
deleted file mode 100644
index 20d39f4d71f..00000000000
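Review bot: With `positive9.tf`/`positive10.tf` folded into `positive7.tf` and `positive8.tf`, both TF AWS 4.x cases set `mfa_delete` explicitly (`"Disabled"` here, `"Enabled"` with `status = "Disabled"` in `positive8.tf`); there is no case where `versioning_configuration` has `status = "Enabled"` and simply omits `mfa_delete`, which is the missing-attribute shape the resource and module forms appear to cover (`positive1.tf` and `positive4.tf` in the expected results). Consider adding a test with an `aws_s3_bucket_versioning` block containing only `status = "Enabled"`, plus the matching entry in `positive_expected_result.json`; if the query's 4.x rules (outside these hunks) do not flag it, that is a detection gap rather than a test gap.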
--- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive9.tf
+++ /dev/null
@@ -1,30 +0,0 @@
-terraform {
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "4.2.0"
- }
- }
-}
-
-provider "aws" {
- # Configuration options
-}
-
-resource "aws_s3_bucket" "b0" {
- bucket = "my-tf-test-bucket"
-
- tags = {
- Name = "My bucket"
- Environment = "Dev"
- }
-}
-
-resource "aws_s3_bucket_versioning" "example2" {
- bucket = aws_s3_bucket.b0.id
-
- versioning_configuration {
- status = "Enabled"
- mfa_delete = "Disabled"
- }
-}
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json
index d6320d44848..63c2be9e202 100755
--- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json
@@ -1,74 +1,62 @@
 [
- {
- "queryName": "S3 Bucket Without Enabled MFA Delete",
- "severity": "LOW",
- "line": 14,
- "fileName": "positive1.tf"
- },
 {
 "queryName": "S3 Bucket Without Enabled MFA Delete",
 "severity": "LOW",
 "line": 23,
- "fileName": "positive2.tf"
+ "fileName": "positive1.tf"
 },
 {
 "queryName": "S3 Bucket Without Enabled MFA Delete",
 "severity": "LOW",
 "line": 25,
- "fileName": "positive3.tf"
+ "fileName": "positive2.tf"
 },
 {
 "queryName": "S3 Bucket Without Enabled MFA Delete",
 "severity": "LOW",
 "line": 24,
- "fileName": "positive4.tf"
+ "fileName": "positive3.tf"
 },
 {
 "queryName": "S3 Bucket Without Enabled MFA Delete",
 "severity": "LOW",
 "line": 23,
- "fileName": "positive4.tf"
- },
- {
- "queryName": "S3 Bucket Without Enabled MFA Delete",
- "severity": "LOW",
- "line": 1,
- "fileName": "positive5.tf"
+ "fileName": "positive3.tf"
 },
 {
 "queryName": "S3 Bucket Without Enabled MFA Delete",
 "severity": "LOW",
 "line": 8,
- "fileName": "positive6.tf"
+ "fileName": "positive4.tf"
 },
 {
 "queryName": "S3 Bucket Without Enabled MFA Delete",
 "severity": "LOW",
 "line": 10,
- "fileName": "positive7.tf"
+ "fileName": "positive5.tf"
 },
 {
 "queryName": "S3 Bucket Without Enabled MFA Delete",
 "severity": "LOW",
 "line": 8,
- "fileName": "positive8.tf"
+ "fileName": "positive6.tf"
 },
 {
 "queryName": "S3 Bucket Without Enabled MFA Delete",
 "severity": "LOW",
 "line": 9,
- "fileName": "positive8.tf"
+ "fileName": "positive6.tf"
 },
 {
 "queryName": "S3 Bucket Without Enabled MFA Delete",
 "severity": "LOW",
 "line": 28,
- "fileName": "positive9.tf"
+ "fileName": "positive7.tf"
 },
 {
 "queryName": "S3 Bucket Without Enabled MFA Delete",
 "severity": "LOW",
 "line": 27,
- "fileName": "positive10.tf"
+ "fileName": "positive8.tf"
 }
 ]
\ No newline at end of file
From 1f2c493848e90b43a8b863f76b9707314bcc8565 Mon Sep 17 00:00:00 2001
From: JulioSCX
Date: Mon, 13 May 2024 17:50:11 +0100
Subject: [PATCH 5/6] fixed bom test
---
 e2e/fixtures/samples/bom-positive.tf | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/e2e/fixtures/samples/bom-positive.tf b/e2e/fixtures/samples/bom-positive.tf
index 4d7bf87f418..ad7dea4f07d 100644
--- a/e2e/fixtures/samples/bom-positive.tf
+++ b/e2e/fixtures/samples/bom-positive.tf
@@ -1,10 +1,12 @@
-module "s3_bucket" {
- source = "terraform-aws-modules/s3-bucket/aws"
- version = "3.7.0"
-
- bucket = "my-s3-bucket"
+resource "aws_s3_bucket" "negative1" {
+ bucket = "my-tf-test-bucket"
 acl = "private"
 
+ tags = {
+ Name = "My bucket"
+ Environment = "Dev"
+ }
+
 versioning {
 enabled = true
 }
From cf491f4fdbe00c27a2395dc939328b51818a736a Mon Sep 17 00:00:00 2001
From: JulioSCX
Date: Wed, 15 May 2024 16:52:36 +0100
Subject: [PATCH 6/6] changed names in resources to keep them consistent with their respective filenames
---
 .../aws/s3_bucket_without_enabled_mfa_delete/test/negative6.tf | 2 +-
 .../aws/s3_bucket_without_enabled_mfa_delete/test/positive1.tf | 2 +-
 .../aws/s3_bucket_without_enabled_mfa_delete/test/positive2.tf | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/negative6.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/negative6.tf
index b8d70e27d9a..a25ca6d09ff 100644
--- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/negative6.tf
+++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/negative6.tf
@@ -11,7 +11,7 @@ terraform {
 }
 }
 
-resource "aws_s3_bucket" "positive1" {
+resource "aws_s3_bucket" "negative6" {
 bucket = "my-tf-test-bucket"
 acl = "private"
 
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive1.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive1.tf
index ac925415484..7b956bf61f6 100644
--- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive1.tf
+++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive1.tf
@@ -11,7 +11,7 @@ terraform {
 }
 }
 
-resource "aws_s3_bucket" "positive2" {
+resource "aws_s3_bucket" "positive1" {
 bucket = "my-tf-test-bucket"
 acl = "private"
 
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive2.tf b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive2.tf
index bfb14e70456..8e5508b25da 100644
--- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive2.tf
+++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive2.tf
@@ -11,7 +11,7 @@ terraform {
 }
 }
 
-resource "aws_s3_bucket" "positive3" {
+resource "aws_s3_bucket" "positive2" {
 bucket = "my-tf-test-bucket"
 acl = "private"