Merge branch 'master' into kics-782-aws-cloudformation

assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/metadata.json

@@ -0,0 +1,11 @@
+{
+    "id": "d9dc6429-5140-498a-8f55-a10daac5f000",
+    "queryName": "RDS DB Instance Publicly Accessible",
+    "severity": "HIGH",
+    "category": "Insecure Configurations",
+    "descriptionText": "RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false and neither dbSubnetGroupName' subnets being part of a VPC that has an Internet gateway attached to it",
+    "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-aws/database.aws.crossplane.io/RDSInstance/[email protected]",
+    "platform": "Crossplane",
+    "descriptionID": "d7566b63",
+    "cloudProvider": "aws"
+  }

assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/query.rego

@@ -0,0 +1,80 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.crossplane as cp_lib
+
+getForProvider(apiVersion, kind, name, docs) = forProvider {
+	doc := docs[_]
+	[_, resource] := walk(doc)
+	startswith(resource.apiVersion, apiVersion)
+	resource.kind == kind
+	resource.metadata.name == name
+    forProvider := resource.spec.forProvider
+}
+
+existsInternetGateway(dbSubnetGroupName) {
+    DBSGforProvider := getForProvider("database.aws.crossplane.io", "DBSubnetGroup", dbSubnetGroupName, input.document)
+    subnetIds := DBSGforProvider.subnetIds
+
+    count(subnetIds) > 0
+    subnetId := subnetIds[s]
+
+    EC2SforProvider := getForProvider("ec2.aws.crossplane.io", "Subnet", subnetId, input.document)
+
+    vpcId := EC2SforProvider.vpcId
+
+    IGdocs := input.document[_]
+    [_, IGresource] := walk(IGdocs)
+	startswith(IGresource.apiVersion, "network.aws.crossplane.io")
+    IGresource.kind == "InternetGateway"
+
+    IGforProvider := IGresource.spec.forProvider
+
+    common_lib.valid_key(IGforProvider, "vpcId")
+	vpcId == IGforProvider.vpcId
+} 
+
+CxPolicy[result] {
+    docs := input.document[i]
+	[path, resource] := walk(docs)
+	startswith(resource.apiVersion, "database.aws.crossplane.io")
+    resource.kind == "RDSInstance"
+
+    forProvider := resource.spec.forProvider
+
+    not common_lib.valid_key(forProvider, "publiclyAccessible")
+
+    dbSubnetGroupName := forProvider.dbSubnetGroupName
+
+    existsInternetGateway(dbSubnetGroupName) == true
+
+    result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.kind,
+		"resourceName": cp_lib.getResourceName(resource),
+		"searchKey": sprintf("metadata.name={{%s}}.spec.forProvider.dbSubnetGroupName", [resource.metadata.name]),
+		"issueType": "MissingAttribute",
+		"keyActualValue": "dbSubnetGroupName' subnets are part of a VPC that has an Internet gateway attached to it",
+		"keyExpectedValue": "dbSubnetGroupName' subnets not being part of a VPC that has an Internet gateway attached to it",
+	}
+}
+
+CxPolicy[result] {
+    docs := input.document[i]
+	[path, resource] := walk(docs)
+	startswith(resource.apiVersion, "database.aws.crossplane.io")
+    resource.kind == "RDSInstance"
+
+    forProvider := resource.spec.forProvider
+    forProvider.publiclyAccessible == true
+
+    result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.kind,
+		"resourceName": cp_lib.getResourceName(resource),
+		"searchKey": sprintf("metadata.name={{%s}}.spec.forProvider.publiclyAccessible", [resource.metadata.name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": "publiclyAccessible should be set to false",
+		"keyActualValue": "publiclyAccessible is set to true",
+	}
+}

assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/negative1.yaml

@@ -0,0 +1,20 @@
+apiVersion: database.aws.crossplane.io/v1beta1
+kind: RDSInstance
+metadata:
+  name: sample-cluster3
+spec: 
+  forProvider:
+    publiclyAccessible: false
+
+---
+
+apiVersion: database.aws.crossplane.io/v1alpha3
+kind: DBSubnetGroup
+metadata:
+  name: my-db-subnet-group
+spec:
+  forProvider:
+    description: "My DB Subnet Group"
+    subnetIds:
+      - subnet-12345678
+      - subnet-87654321

assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/negative2.yaml

@@ -0,0 +1,60 @@
+apiVersion: database.aws.crossplane.io/v1beta1
+kind: RDSInstance
+metadata:
+  name: my-rds-instance
+spec:
+  forProvider:
+    engine: mysql
+    engineVersion: "8.0"
+    instanceClass: db.t2.micro
+    allocatedStorage: 20
+    dbSubnetGroupName: my-db-subnet-group
+  writeConnectionSecretToRef:
+    name: my-rds-instance-connection
+
+---
+
+apiVersion: database.aws.crossplane.io/v1alpha3
+kind: DBSubnetGroup
+metadata:
+  name: my-db-subnet-group
+spec:
+  forProvider:
+    description: "My DB Subnet Group"
+    subnetIds:
+      - subnet-12345678
+      - subnet-87654321
+
+---
+
+apiVersion: ec2.aws.crossplane.io/v1beta1
+kind: Subnet
+metadata:
+  name: subnet-12345678
+spec:
+  forProvider:
+    cidrBlock: "10.0.0.0/24"
+    vpcId: vpc-abcdef12
+    availabilityZone: us-west-2a
+
+---
+
+apiVersion: ec2.aws.crossplane.io/v1beta1
+kind: Subnet
+metadata:
+  name: subnet-87654321
+spec:
+  forProvider:
+    cidrBlock: "10.0.0.1/24"
+    vpcId: vpc-abcdef12
+    availabilityZone: us-west-2a
+
+---
+
+apiVersion: network.aws.crossplane.io/v1alpha3
+kind: InternetGateway
+metadata:
+  name: my-internet-gateway
+spec:
+  forProvider:
+    vpcId: vpc-abcdef12345

assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive1.yaml

@@ -0,0 +1,20 @@
+apiVersion: database.aws.crossplane.io/v1beta1
+kind: RDSInstance
+metadata:
+  name: sample-cluster3
+spec: 
+  forProvider:
+    publiclyAccessible: true
+
+---
+
+apiVersion: database.aws.crossplane.io/v1alpha3
+kind: DBSubnetGroup
+metadata:
+  name: my-db-subnet-group
+spec:
+  forProvider:
+    description: "My DB Subnet Group"
+    subnetIds:
+      - subnet-12345678
+      - subnet-87654321

assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive2.yaml

@@ -0,0 +1,60 @@
+apiVersion: database.aws.crossplane.io/v1beta1
+kind: RDSInstance
+metadata:
+  name: my-rds-instance
+spec:
+  forProvider:
+    engine: mysql
+    engineVersion: "8.0"
+    instanceClass: db.t2.micro
+    allocatedStorage: 20
+    dbSubnetGroupName: my-db-subnet-group
+  writeConnectionSecretToRef:
+    name: my-rds-instance-connection
+
+---
+
+apiVersion: database.aws.crossplane.io/v1alpha3
+kind: DBSubnetGroup
+metadata:
+  name: my-db-subnet-group
+spec:
+  forProvider:
+    description: "My DB Subnet Group"
+    subnetIds:
+      - subnet-12345678
+      - subnet-87654321
+
+---
+
+apiVersion: ec2.aws.crossplane.io/v1beta1
+kind: Subnet
+metadata:
+  name: subnet-12345678
+spec:
+  forProvider:
+    cidrBlock: "10.0.0.0/24"
+    vpcId: vpc-abcdef12
+    availabilityZone: us-west-2a
+
+---
+
+apiVersion: ec2.aws.crossplane.io/v1beta1
+kind: Subnet
+metadata:
+  name: subnet-87654321
+spec:
+  forProvider:
+    cidrBlock: "10.0.0.1/24"
+    vpcId: vpc-abcdef12
+    availabilityZone: us-west-2a
+
+---
+
+apiVersion: network.aws.crossplane.io/v1alpha3
+kind: InternetGateway
+metadata:
+  name: my-internet-gateway
+spec:
+  forProvider:
+    vpcId: vpc-abcdef12

assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json

@@ -0,0 +1,15 @@
+[
+    {
+      "queryName": "RDS DB Instance Publicly Accessible",
+      "severity": "HIGH",
+      "line": 7,
+      "fileName": "positive1.yaml"
+    },
+    {
+      "queryName": "RDS DB Instance Publicly Accessible",
+      "severity": "HIGH",
+      "line": 11,
+      "fileName": "positive2.yaml"
+    }
+  ]
+

assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/metadata.json

@@ -0,0 +1,11 @@
+{
+  "id": "647de8aa-5a42-41b5-9faf-22136f117380",
+  "queryName": "RDS DB Instance Publicly Accessible",
+  "severity": "HIGH",
+  "category": "Insecure Configurations",
+  "descriptionText": "RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false.",
+  "descriptionUrl": "https://www.pulumi.com/registry/packages/aws/api-docs/rds/instance/#publiclyaccessible_yaml",
+  "platform": "Pulumi",
+  "descriptionID": "be6d13f0",
+  "cloudProvider": "aws"
+}

assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/query.rego

@@ -0,0 +1,20 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+	resource := input.document[i].resources[name]
+	resource.type == "aws:rds:Instance"
+	resource.properties.publiclyAccessible == true
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.type,
+		"resourceName": name,
+		"searchKey": sprintf("resources[%s].properties.publiclyAccessible", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("'resources.%s.properties.publiclyAccessible' should be set to 'false'", [name]),
+		"keyActualValue": sprintf("'resources.%s.properties.publiclyAccessible' is set to 'true'", [name]),
+		"searchLine": common_lib.build_search_line(["resources", name, "properties", "publiclyAccessible"], []),
+	}
+}

assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/negative1.yaml

@@ -0,0 +1,16 @@
+name: aws-rds
+runtime: yaml
+description: An RDS cluster
+resources:
+  default:
+    type: aws:rds:Instance
+    properties:
+      allocatedStorage: 10
+      dbName: mydb
+      engine: mysql
+      engineVersion: '5.7'
+      instanceClass: db.t3.micro
+      parameterGroupName: default.mysql5.7
+      password: foobarbaz
+      skipFinalSnapshot: true
+      username: foo

assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/negative2.yaml

@@ -0,0 +1,17 @@
+name: aws-rds
+runtime: yaml
+description: An RDS Instance
+resources:
+  default:
+    type: aws:rds:Instance
+    properties:
+      allocatedStorage: 10
+      dbName: mydb
+      engine: mysql
+      engineVersion: '5.7'
+      instanceClass: db.t3.micro
+      parameterGroupName: default.mysql5.7
+      password: foobarbaz
+      skipFinalSnapshot: true
+      username: foo
+      publiclyAccessible: false

assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive1.yaml

@@ -0,0 +1,17 @@
+name: aws-rds
+runtime: yaml
+description: An RDS Instance
+resources:
+  default:
+    type: aws:rds:Instance
+    properties:
+      allocatedStorage: 10
+      dbName: mydb
+      engine: mysql
+      engineVersion: '5.7'
+      instanceClass: db.t3.micro
+      parameterGroupName: default.mysql5.7
+      password: foobarbaz
+      skipFinalSnapshot: true
+      username: foo
+      publiclyAccessible: true

assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json

@@ -0,0 +1,8 @@
+[
+  {
+    "queryName": "RDS DB Instance Publicly Accessible",
+    "severity": "HIGH",
+    "line": 17,
+    "fileName": "positive1.yaml"
+  }
+]

assets/queries/terraform/alicloud/db_instance_publicly_accessible/metadata.json → assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/metadata.json

@@ -1,6 +1,6 @@
 {
   "id": "faaefc15-51a5-419e-bb5e-51a4b5ab3485",
-  "queryName": "DB Instance Publicly Accessible",
+  "queryName": "RDS DB Instance Publicly Accessible",
   "severity": "HIGH",
   "category": "Insecure Configurations",
   "descriptionText": "The field 'address' should not be set to '0.0.0.0/0'",

assets/queries/terraform/alicloud/db_instance_publicly_accessible/test/positive_expected_result.json → assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/positive_expected_result.json

@@ -1,6 +1,6 @@
 [
 	{
-		"queryName": "DB Instance Publicly Accessible",
+		"queryName": "RDS DB Instance Publicly Accessible",
 		"severity": "HIGH",
 		"line": 10,
 		"fileName": "positive1.tf"

assets/queries/terraform/alicloud/rds_instance_publicly_accessible/query.rego

@@ -17,7 +17,7 @@ CxPolicy[result] {
 		"documentId": input.document[i].id,
 		"resourceType": "alicloud_db_instance",
 		"resourceName": tf_lib.get_resource_name(resource, name),
-		"searchKey": sprintf("alicloud_db_instance[%s].security_ips.%s", [name,x]),
+		"searchKey": sprintf("alicloud_db_instance[%s].security_ips[%v]", [name,x]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": sprintf("'%s' should not be in 'security_ips' list", [sec_ip]),
 		"keyActualValue": sprintf("'%s' is in 'security_ips' list", [sec_ip]),