The query auto-generation tool generates queries from examples: its input is an example source file with security issues, in which special comments mark the lines that contain the security issue; its output is query source code in Rego format.
resource "aws_lb_listener" "front_end" {
load_balancer_arn = aws_lb.front_end.arn
port = "80"
protocol = "HTTP" //IncorrectValue:"group=rule1,upper,resource=['aws_lb_listener','aws_alb_listener']"
default_action {
type = "redirect"
redirect {
port = "80"
protocol = "HTTP" //IncorrectValue:"group=rule1,upper,condition=!=,val=HTTPS"
status_code = "HTTP_301"
resource "aws_alb_listener" "front_end" {
load_balancer_arn = aws_lb.front_end.arn
port = "8080"
protocol = "HTTP" //IncorrectValue:"group=rule2,upper,resource=['aws_lb_listener','aws_alb_listener']"
default_action {
redirect {
protocol = "any" //MissingAttribute:"group=rule2"
package Cx
# Rule 1 (generated from the lines marked "rule1" in the example file):
# flags an aws_lb_listener / aws_alb_listener that accepts plain HTTP and whose
# default_action redirect does not target HTTPS.
CxPolicy [ result ] {
# Every parsed input file is a document; `i` is left unbound so all documents are checked.
document := input.document[i]
block := document.resource
# Both listener resource types are covered; `blockIndex` and `name` stay unbound so the
# rule evaluates every listener of either type.
blockTypes := {"aws_alb_listener", "aws_lb_listener"}
# upper() makes both comparisons case-insensitive.
upper(block[blockTypes[blockIndex]][name].protocol) == "HTTP"
# If `default_action.redirect.protocol` is absent this expression is undefined and the rule
# does not fire; the MissingAttribute rule below covers that case.
upper(block[blockTypes[blockIndex]][name].default_action.redirect.protocol) != "HTTPS"
# searchKey points at the offending attribute path in the scanned file.
result := {
"searchKey": sprintf("%s[%s].default_action.redirect.protocol", [blockTypes[blockIndex], name]),
"issueType": "IncorrectValue",
"keyExpectedValue": "'default_action.redirect.protocol' should be valid",
"keyActualValue": "'default_action.redirect.protocol' is invalid"
# Rule 2 (generated from the lines marked "rule2" in the example file):
# flags an aws_lb_listener / aws_alb_listener that accepts plain HTTP and has no
# default_action.redirect.protocol at all, so the HTTPS redirect check above cannot apply.
CxPolicy [ result ] {
# Every parsed input file is a document; `i` is left unbound so all documents are checked.
document := input.document[i]
block := document.resource
# Both listener resource types are covered; `blockIndex` and `name` stay unbound so the
# rule evaluates every listener of either type.
blockTypes := {"aws_lb_listener", "aws_alb_listener"}
# upper() makes the comparison case-insensitive.
upper(block[blockTypes[blockIndex]][name].protocol) == "HTTP"
# `not` on the attribute reference matches when the attribute is missing.
not block[blockTypes[blockIndex]][name].default_action.redirect.protocol
# searchKey points at the attribute path that is expected but absent.
result := {
"searchKey": sprintf("%s[%s].default_action.redirect.protocol", [blockTypes[blockIndex], name]),
"issueType": "MissingAttribute",
"keyExpectedValue": "'default_action.redirect.protocol' should be valid",
"keyActualValue": "'default_action.redirect.protocol' is invalid"
go run cmd/builder/main.go -i ./cmd/builder/ -o ./out.rego
where `-i` is the terraform file to parse and `-o` is the resulting query file.
Please ensure you have downloaded all of the tool's dependencies; to do so, execute:
go mod download
go mod vendor
The tool supports only comments that use Go struct-tag syntax, for example `// Comment:"attribute1,attribute2=value" Comment2` (note: spaces are not allowed in comment attributes).
For more examples, please take a look at the example files.
Supported comment attributes:
- `resource` - to target a resource; can be `resource=*`. By default, the resource from the terraform file is used.
- `any_key` - allow any element in the condition, -> `resource.vars[_]`
- `upper` - to wrap the condition, -> `upper(`
- `re_match` - use `re_match` for the condition; a regex pattern must be provided as the attribute value.
- `condition` - to set a custom condition; by default `==` is used.
- `val` - to set a custom condition value; by default the value from the provided terraform file is used.