diff --git a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/query.rego b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/query.rego
index 91132f84d5c..d3aca94c393 100644
--- a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/query.rego
+++ b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/query.rego
@@ -1,5 +1,6 @@
 package Cx
 
+import data.generic.common as common_lib
 import data.generic.terraform as terra_lib
 
 CxPolicy[result] {
@@ -15,6 +16,7 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("aws_network_acl[%s].ingress[%d] 'SSH' (Port:22) is not public", [name, idx]),
 "keyActualValue": sprintf("aws_network_acl[%s].ingress[%d] 'SSH' (Port:22) is public", [name, idx]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_network_acl", name, "ingress", idx], []),
 }
 }
 
@@ -32,6 +34,7 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("aws_network_acl[%s] 'SSH' (TCP:22) is not public", [netAclRuleName]),
 "keyActualValue": sprintf("aws_network_acl[%s] 'SSH' (TCP:22) is public", [netAclRuleName]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_network_acl_rule", netAclRuleName], []),
 }
 }
 
@@ -48,5 +51,24 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("aws_network_acl[%s].ingress 'SSH' (TCP:22) is not public", [name]),
 "keyActualValue": sprintf("aws_network_acl[%s].ingress 'SSH' (TCP:22) is public", [name]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_network_acl", name, "ingress"], []),
+ }
+}
+
+CxPolicy[result] {
+ module := input.document[i].module[name]
+ keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_default_vpc", "default_network_acl_ingress")
+ common_lib.valid_key(module, keyToCheck)
+ rule := module[keyToCheck][idx]
+
+ terra_lib.openPort(rule, 22)
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("module[%s].%s", [name, keyToCheck]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("aws_network_acl[%s].ingress[%d] 'SSH' (Port:22) is not public", [name, idx]),
+ "keyActualValue": sprintf("aws_network_acl[%s].ingress[%d] 'SSH' (Port:22) is public", [name, idx]),
+ "searchLine": common_lib.build_search_line(["module", name, keyToCheck, idx], []),
 }
 }
diff --git a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/negative4.tf b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/negative4.tf
new file mode 100644
index 00000000000..6eff1c30442
--- /dev/null
+++ b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/negative4.tf
@@ -0,0 +1,19 @@
+module "vpc" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "3.7.0"
+
+ name = "my-vpc"
+ cidr = "10.0.0.0/16"
+
+ azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
+ private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+ public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+
+ enable_nat_gateway = true
+ enable_vpn_gateway = true
+
+ tags = {
+ Terraform = "true"
+ Environment = "dev"
+ }
+}
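Review bot: The new module rule delegates the whole security decision to `terra_lib.openPort(rule, 22)`, and the fixtures added alongside suggest that helper does not treat an all-protocol rule as exposing SSH: negative5.tf expects no finding for `action = allow, cidr_block = 0.0.0.0/0, protocol = "-1", from_port = 0, to_port = 0`, which in NACL semantics admits every port, 22 included, from anywhere. openPort is not visible here, so if that is deliberate it deserves a comment above the `terra_lib.openPort(rule, 22)` line, e.g. `# NOTE: openPort only matches explicit tcp/udp port ranges; an all-traffic ("-1") allow from 0.0.0.0/0 is not reported - confirm intended`, and if it is not deliberate the helper (or an extra branch here) should cover it. The lookup names `"aws_default_vpc"` as the resource that owns `default_network_acl_ingress`; in the upstream VPC module that variable feeds `aws_default_network_acl`, so verify the mapping table is keyed the way this call expects, otherwise `valid_key` never holds and the rule silently does nothing. Lastly the messages still say `aws_network_acl[%s].ingress[%d]` although `name` is a module label here; `sprintf("module[%s].%s[%d] 'SSH' (Port:22) is not public", [name, keyToCheck, idx])` would line up with `searchKey`.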
diff --git a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/negative5.tf b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/negative5.tf
new file mode 100644
index 00000000000..cdb76264151
--- /dev/null
+++ b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/negative5.tf
@@ -0,0 +1,38 @@
+module "vpc" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "3.7.0"
+
+ name = "my-vpc"
+ cidr = "10.0.0.0/16"
+
+ azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
+ private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+ public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+
+ default_network_acl_ingress = [
+ {
+ "action" : "allow",
+ "cidr_block" : "0.0.0.0/0",
+ "from_port" : 0,
+ "protocol" : "-1",
+ "rule_no" : 100,
+ "to_port" : 0
+ },
+ {
+ "action" : "allow",
+ "cidr_block" : "10.3.0.0/18",
+ "from_port" : 0,
+ "protocol" : "-1",
+ "rule_no" : 22,
+ "to_port" : 0
+ }
+ ]
+
+ enable_nat_gateway = true
+ enable_vpn_gateway = true
+
+ tags = {
+ Terraform = "true"
+ Environment = "dev"
+ }
+}
diff --git a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/positive4.tf b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/positive4.tf
new file mode 100644
index 00000000000..12e2aafb1be
--- /dev/null
+++ b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/positive4.tf
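Review bot: The second entry in `default_network_acl_ingress` sets `"rule_no" : 22` with `from_port`/`to_port` both 0, which looks like `rule_no` is being used as if it were the port; `rule_no` is the NACL evaluation order, so this entry does not describe an SSH rule at all and the "restricted to 10.3.0.0/18" case the file seems intended to cover is never exercised. A negative fixture that actually proves the point would be `"protocol" : "tcp", "from_port" : 22, "to_port" : 22, "cidr_block" : "10.3.0.0/18"`. The first entry, an `allow` of all protocols from `0.0.0.0/0`, is a wide-open NACL; keeping it in a negative file asserts that such a rule is not "unrestricted SSH", which is only defensible if the query is deliberately scoped to explicit port-22 rules - state that in a comment on the entry or move it to a positive fixture.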
@@ -0,0 +1,30 @@
+module "vpc" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "3.7.0"
+
+ name = "my-vpc"
+ cidr = "10.0.0.0/16"
+
+ azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
+ private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+ public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+
+ default_network_acl_ingress = [
+ {
+ "action" : "allow",
+ "cidr_block" : "0.0.0.0/0",
+ "from_port" : 0,
+ "protocol" : "tcp",
+ "rule_no" : 22,
+ "to_port" : 0
+ }
+ ]
+
+ enable_nat_gateway = true
+ enable_vpn_gateway = true
+
+ tags = {
+ Terraform = "true"
+ Environment = "dev"
+ }
+}
diff --git a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/positive_expected_result.json b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/positive_expected_result.json
index 63748a8705d..a7d92da3359 100644
--- a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/positive_expected_result.json
@@ -2,7 +2,7 @@
 {
 "queryName": "Network ACL With Unrestricted Access To SSH",
 "severity": "HIGH",
- "line": 28,
+ "line": 30,
 "fileName": "positive1.tf"
 },
 {
@@ -16,5 +16,11 @@
 "severity": "HIGH",
 "line": 26,
 "fileName": "positive3.tf"
+ },
+ {
+ "queryName": "Network ACL With Unrestricted Access To SSH",
+ "severity": "HIGH",
+ "line": 14,
+ "fileName": "positive4.tf"
 }
 ]
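Review bot: The only positive module fixture is a `tcp` rule with `"from_port" : 0, "to_port" : 0` and `"rule_no" : 22`, so the finding expected at line 14 must come from `openPort` treating a 0-0 range as "all ports" (the helper is not visible here, so that is an inference); the canonical misconfiguration this query exists for, an explicit port-22 allow from `0.0.0.0/0`, is not tested at all. Add a second entry `{ "action" : "allow", "cidr_block" : "0.0.0.0/0", "from_port" : 22, "to_port" : 22, "protocol" : "tcp", "rule_no" : 110 }` and a matching line entry in positive_expected_result.json, so a later change to openPort's 0-0 handling cannot silently turn this fixture into a negative. Using a real rule number rather than 22 also avoids the impression that `rule_no` is the port being checked.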