From 6202933272c3da7b6c6015ed6fd0303debf27fc0 Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Mon, 31 Jul 2023 09:49:03 +0100
Subject: [PATCH 01/22] fix(query): Alicloud RDS Instance Address Publicly Accessible
---
 .../metadata.json | 2 +-
 .../query.rego | 0
 .../test/negative1.tf | 0
 .../test/negative2.tf | 0
 .../test/positive1.tf | 0
 .../test/positive_expected_result.json | 2 +-
 6 files changed, 2 insertions(+), 2 deletions(-)
 rename assets/queries/terraform/alicloud/{db_instance_publicly_accessible => rds_instance_address_publicly_accessible}/metadata.json (85%)
 rename assets/queries/terraform/alicloud/{db_instance_publicly_accessible => rds_instance_address_publicly_accessible}/query.rego (100%)
 rename assets/queries/terraform/alicloud/{db_instance_publicly_accessible => rds_instance_address_publicly_accessible}/test/negative1.tf (100%)
 rename assets/queries/terraform/alicloud/{db_instance_publicly_accessible => rds_instance_address_publicly_accessible}/test/negative2.tf (100%)
 rename assets/queries/terraform/alicloud/{db_instance_publicly_accessible => rds_instance_address_publicly_accessible}/test/positive1.tf (100%)
 rename assets/queries/terraform/alicloud/{db_instance_publicly_accessible => rds_instance_address_publicly_accessible}/test/positive_expected_result.json (52%)
diff --git a/assets/queries/terraform/alicloud/db_instance_publicly_accessible/metadata.json b/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/metadata.json
similarity index 85%
rename from assets/queries/terraform/alicloud/db_instance_publicly_accessible/metadata.json
rename to assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/metadata.json
index 78de5c69a3a..b4ba2d93993 100644
--- a/assets/queries/terraform/alicloud/db_instance_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "faaefc15-51a5-419e-bb5e-51a4b5ab3485",
- "queryName": "DB Instance Publicly Accessible",
+ "queryName": "Alicloud RDS Instance Address Publicly Accessible",
 "severity": "HIGH",
 "category": "Insecure Configurations",
 "descriptionText": "The field 'address' should not be set to '0.0.0.0/0'",
diff --git a/assets/queries/terraform/alicloud/db_instance_publicly_accessible/query.rego b/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/query.rego
similarity index 100%
rename from assets/queries/terraform/alicloud/db_instance_publicly_accessible/query.rego
rename to assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/query.rego
diff --git a/assets/queries/terraform/alicloud/db_instance_publicly_accessible/test/negative1.tf b/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/alicloud/db_instance_publicly_accessible/test/negative1.tf
rename to assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/negative1.tf
diff --git a/assets/queries/terraform/alicloud/db_instance_publicly_accessible/test/negative2.tf b/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/negative2.tf
similarity index 100%
rename from assets/queries/terraform/alicloud/db_instance_publicly_accessible/test/negative2.tf
rename to assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/negative2.tf
diff --git a/assets/queries/terraform/alicloud/db_instance_publicly_accessible/test/positive1.tf b/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/alicloud/db_instance_publicly_accessible/test/positive1.tf
rename to assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/positive1.tf
diff --git a/assets/queries/terraform/alicloud/db_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/positive_expected_result.json
similarity index 52%
rename from assets/queries/terraform/alicloud/db_instance_publicly_accessible/test/positive_expected_result.json
rename to assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/positive_expected_result.json
index 5d407f0cc5c..8949c270835 100644
--- a/assets/queries/terraform/alicloud/db_instance_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "DB Instance Publicly Accessible",
+ "queryName": "Alicloud RDS Instance Address Publicly Accessible",
 "severity": "HIGH",
 "line": 10,
 "fileName": "positive1.tf"
From 433479d775bb8431917dc442b8bffae2a3354318 Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Mon, 31 Jul 2023 10:33:28 +0100
Subject: [PATCH 02/22] fix(query): Amazon DB Instance Publicly Accessible for Terraform Query Refactor
---
 .../metadata.json | 2 +-
 .../query.rego | 0
 .../test/negative1.tf | 0
 .../test/negative2.tf | 0
 .../test/positive1.tf | 0
 .../test/positive2.tf | 0
 .../test/positive_expected_result.json | 4 ++--
 7 files changed, 3 insertions(+), 3 deletions(-)
 rename assets/queries/terraform/aws/{db_instance_publicly_accessible => rds_db_instance_publicly_accessible}/metadata.json (89%)
 rename assets/queries/terraform/aws/{db_instance_publicly_accessible => rds_db_instance_publicly_accessible}/query.rego (100%)
 rename assets/queries/terraform/aws/{db_instance_publicly_accessible => rds_db_instance_publicly_accessible}/test/negative1.tf (100%)
 rename assets/queries/terraform/aws/{db_instance_publicly_accessible => rds_db_instance_publicly_accessible}/test/negative2.tf (100%)
 rename assets/queries/terraform/aws/{db_instance_publicly_accessible => rds_db_instance_publicly_accessible}/test/positive1.tf (100%)
 rename assets/queries/terraform/aws/{db_instance_publicly_accessible => rds_db_instance_publicly_accessible}/test/positive2.tf (100%)
 rename assets/queries/terraform/aws/{db_instance_publicly_accessible => rds_db_instance_publicly_accessible}/test/positive_expected_result.json (57%)
diff --git a/assets/queries/terraform/aws/db_instance_publicly_accessible/metadata.json b/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/metadata.json
similarity index 89%
rename from assets/queries/terraform/aws/db_instance_publicly_accessible/metadata.json
rename to assets/queries/terraform/aws/rds_db_instance_publicly_accessible/metadata.json
index 387d83ce524..78176f1fe69 100644
--- a/assets/queries/terraform/aws/db_instance_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "35113e6f-2c6b-414d-beec-7a9482d3b2d1",
- "queryName": "DB Instance Publicly Accessible",
+ "queryName": "Amazon RDS DB Instance Publicly Accessible",
 "severity": "HIGH",
 "category": "Insecure Configurations",
 "descriptionText": "RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').",
diff --git a/assets/queries/terraform/aws/db_instance_publicly_accessible/query.rego b/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/db_instance_publicly_accessible/query.rego
rename to assets/queries/terraform/aws/rds_db_instance_publicly_accessible/query.rego
diff --git a/assets/queries/terraform/aws/db_instance_publicly_accessible/test/negative1.tf b/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/db_instance_publicly_accessible/test/negative1.tf
rename to assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/negative1.tf
diff --git a/assets/queries/terraform/aws/db_instance_publicly_accessible/test/negative2.tf b/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/negative2.tf
similarity index 100%
rename from assets/queries/terraform/aws/db_instance_publicly_accessible/test/negative2.tf
rename to assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/negative2.tf
diff --git a/assets/queries/terraform/aws/db_instance_publicly_accessible/test/positive1.tf b/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/db_instance_publicly_accessible/test/positive1.tf
rename to assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/positive1.tf
diff --git a/assets/queries/terraform/aws/db_instance_publicly_accessible/test/positive2.tf b/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/positive2.tf
similarity index 100%
rename from assets/queries/terraform/aws/db_instance_publicly_accessible/test/positive2.tf
rename to assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/positive2.tf
diff --git a/assets/queries/terraform/aws/db_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json
similarity index 57%
rename from assets/queries/terraform/aws/db_instance_publicly_accessible/test/positive_expected_result.json
rename to assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json
index d5ba7fc1faf..e8044854441 100644
--- a/assets/queries/terraform/aws/db_instance_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json
@@ -1,12 +1,12 @@
 [
 {
- "queryName": "DB Instance Publicly Accessible",
+ "queryName": "RDS DB Instance Publicly Accessible",
 "severity": "HIGH",
 "line": 10,
 "fileName": "positive1.tf"
 },
 {
- "queryName": "DB Instance Publicly Accessible",
+ "queryName": "RDS DB Instance Publicly Accessible",
 "severity": "HIGH",
 "line": 11,
 "fileName": "positive2.tf"
From 61d3d508910fd50e4f7f3c53c305a24c0893ea43 Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Mon, 31 Jul 2023 10:34:41 +0100
Subject: [PATCH 03/22] fixed positive expected result
---
 .../test/positive_expected_result.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json
index e8044854441..59a58c87e96 100644
--- a/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json
@@ -1,12 +1,12 @@
 [
 {
- "queryName": "RDS DB Instance Publicly Accessible",
+ "queryName": "Amazon RDS DB Instance Publicly Accessible",
 "severity": "HIGH",
 "line": 10,
 "fileName": "positive1.tf"
 },
 {
- "queryName": "RDS DB Instance Publicly Accessible",
+ "queryName": "Amazon RDS DB Instance Publicly Accessible",
 "severity": "HIGH",
 "line": 11,
 "fileName": "positive2.tf"
From 9d72b18f1a66db7705f1bd939427d50c35c8e716 Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Mon, 31 Jul 2023 10:55:13 +0100
Subject: [PATCH 04/22] feat(query): Amazon RDS DB Instance Publicly Accessible Query for Pulumi
---
 .../metadata.json | 11 ++++++++++
 .../query.rego | 20 +++++++++++++++++++
 .../test/negative1.yaml | 13 ++++++++++++
 .../test/negative2.yaml | 14 +++++++++++++
 .../test/positive1.yaml | 14 +++++++++++++
 .../test/positive_expected_result.json | 8 ++++++++
 6 files changed, 80 insertions(+)
 create mode 100644 assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/metadata.json
 create mode 100644 assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/query.rego
 create mode 100644 assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/negative1.yaml
 create mode 100644 assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/negative2.yaml
 create mode 100644 assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive1.yaml
 create mode 100644 assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json
diff --git a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/metadata.json b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/metadata.json
new file mode 100644
index 00000000000..2777e1709a5
--- /dev/null
+++ b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "647de8aa-5a42-41b5-9faf-22136f117380",
+ "queryName": "Amazon RDS DB Instance Publicly Accessible",
+ "severity": "HIGH",
+ "category": "Insecure Configurations",
+ "descriptionText": "RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false.",
+ "descriptionUrl": "https://www.pulumi.com/registry/packages/aws/api-docs/rds/instance/#publiclyaccessible_yaml",
+ "platform": "Pulumi",
+ "descriptionID": "be6d13f0",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/query.rego b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/query.rego
new file mode 100644
index 00000000000..cfbd0ca1989
--- /dev/null
+++ b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/query.rego
@@ -0,0 +1,20 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+ resource := input.document[i].resources[name]
+ resource.type == "aws:rds:Instance"
+ resource.properties.publiclyAccessible == true
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.type,
+ "resourceName": name,
+ "searchKey": sprintf("%s%s.properties.publiclyAccessible", [cf_lib.getPath(path), name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("'resources.%s.properties.publiclyAccessible' should be set to 'false'", [name]),
+ "keyActualValue": sprintf("'resources.%s.properties.publiclyAccessible' is set to 'true'", [name]),
+ "searchLine": common_lib.build_search_line(["resources", name, "properties", "publiclyAccessible"], []),
+ }
+}
diff --git a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/negative1.yaml b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/negative1.yaml
new file mode 100644
index 00000000000..7de39012a4e
--- /dev/null
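Review bot: The descriptionText names the attribute 'PubliclyAccessible' (CloudFormation casing) while the property this query actually inspects is `properties.publiclyAccessible`, which is also the casing in the descriptionUrl anchor, so a user reading the finding will search for the wrong key. It also says the attribute "must be set to false", but the query only fires on an explicit `true`, so an omitted attribute is accepted; the Terraform sibling on this page words this as "should not be set to 'true' (default is 'false')", and the Pulumi text should say the same (worth confirming the default holds for the Pulumi provider before copying it). Suggested line: `"descriptionText": "RDS must not be defined with public interface, which means the attribute 'publiclyAccessible' should not be set to 'true' (default is 'false')."`.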
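Review bot: The match `resource.type == "aws:rds:Instance"` leaves Aurora cluster members out of scope, and as far as I recall the same Pulumi provider exposes a `publiclyAccessible` input on `aws:rds:ClusterInstance` too (it mirrors Terraform's aws_rds_cluster_instance); if that is confirmed, a cluster member declared public would pass this query silently. Widening the type check is a one-line change, e.g. `{"aws:rds:Instance", "aws:rds:ClusterInstance"}[resource.type]`, and should come with a positive fixture for the cluster instance case. Either way a short comment above the rule stating which resource types are intentionally covered would save the next reader the same question.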
+++ b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/negative1.yaml
@@ -0,0 +1,13 @@
+resources:
+ default:
+ type: aws:rds:Instance
+ properties:
+ allocatedStorage: 10
+ dbName: mydb
+ engine: mysql
+ engineVersion: '5.7'
+ instanceClass: db.t3.micro
+ parameterGroupName: default.mysql5.7
+ password: foobarbaz
+ skipFinalSnapshot: true
+ username: foo
\ No newline at end of file
diff --git a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/negative2.yaml b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/negative2.yaml
new file mode 100644
index 00000000000..f2ecde143aa
--- /dev/null
+++ b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/negative2.yaml
@@ -0,0 +1,14 @@
+resources:
+ default:
+ type: aws:rds:Instance
+ properties:
+ allocatedStorage: 10
+ dbName: mydb
+ engine: mysql
+ engineVersion: '5.7'
+ instanceClass: db.t3.micro
+ parameterGroupName: default.mysql5.7
+ password: foobarbaz
+ skipFinalSnapshot: true
+ username: foo
+ publiclyAccessible: false
diff --git a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive1.yaml b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive1.yaml
new file mode 100644
index 00000000000..5ae34dfbec2
--- /dev/null
+++ b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive1.yaml
@@ -0,0 +1,14 @@
+resources:
+ default:
+ type: aws:rds:Instance
+ properties:
+ allocatedStorage: 10
+ dbName: mydb
+ engine: mysql
+ engineVersion: '5.7'
+ instanceClass: db.t3.micro
+ parameterGroupName: default.mysql5.7
+ password: foobarbaz
+ skipFinalSnapshot: true
+ username: foo
+ publiclyAccessible: true
diff --git a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json
new file mode 100644
index 00000000000..f73afc1b490
--- /dev/null
+++ b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Amazon RDS DB Instance Publicly Accessible",
+ "severity": "HIGH",
+ "line": 14,
+ "fileName": "positive1.yaml"
+ }
+]
From 68bec3e8792dc23ade57a64e75498c8f18638a9b Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Tue, 1 Aug 2023 11:02:49 +0100
Subject: [PATCH 05/22] fixed tests and query
---
 .../pulumi/aws/rds_db_instance_publicly_accessible/query.rego | 2 +-
 .../rds_db_instance_publicly_accessible/test/negative2.yaml | 3 +++
 .../rds_db_instance_publicly_accessible/test/positive1.yaml | 3 +++
 3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/query.rego b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/query.rego
index cfbd0ca1989..4f3cd288559 100644
--- a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/query.rego
+++ b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/query.rego
@@ -11,7 +11,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": name,
- "searchKey": sprintf("%s%s.properties.publiclyAccessible", [cf_lib.getPath(path), name]),
+ "searchKey": sprintf("resources[%s].properties.publiclyAccessible", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'resources.%s.properties.publiclyAccessible' should be set to 'false'", [name]),
 "keyActualValue": sprintf("'resources.%s.properties.publiclyAccessible' is set to 'true'", [name]),
diff --git a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/negative2.yaml b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/negative2.yaml
index f2ecde143aa..3f8bbd4db46 100644
--- a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/negative2.yaml
+++ b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/negative2.yaml
@@ -1,3 +1,6 @@
+name: aws-rds
+runtime: yaml
+description: An RDS Instance
 resources:
 default:
 type: aws:rds:Instance
diff --git a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive1.yaml b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive1.yaml
index 5ae34dfbec2..0266ab388ba 100644
--- a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive1.yaml
+++ b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive1.yaml
@@ -1,3 +1,6 @@
+name: aws-rds
+runtime: yaml
+description: An RDS Instance
 resources:
 default:
 type: aws:rds:Instance
From f37c4d19846b87f18823b7f51feee24386673f18 Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Tue, 1 Aug 2023 11:08:34 +0100
Subject: [PATCH 06/22] fixed negative test
---
 .../rds_db_instance_publicly_accessible/test/negative1.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/negative1.yaml b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/negative1.yaml
index 7de39012a4e..9782ae5cc4d 100644
--- a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/negative1.yaml
+++ b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/negative1.yaml
@@ -1,3 +1,6 @@
+name: aws-rds
+runtime: yaml
+description: An RDS cluster
 resources:
 default:
 type: aws:rds:Instance
From 016422800d8397a1f4dc7b166baf25e0aa69afd0 Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Tue, 1 Aug 2023 11:28:00 +0100
Subject: [PATCH 07/22] fixed expected result
---
 .../test/positive_expected_result.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json
index f73afc1b490..e92431613cb 100644
--- a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json
@@ -2,7 +2,7 @@
 {
 "queryName": "Amazon RDS DB Instance Publicly Accessible",
 "severity": "HIGH",
- "line": 14,
+ "line": 17,
 "fileName": "positive1.yaml"
 }
 ]
From 04e88d3928742713602c261d28a0dd694276e12f Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Thu, 3 Aug 2023 12:25:54 +0100
Subject: [PATCH 08/22] changed query name
---
 .../aws/rds_db_instance_publicly_accessible/metadata.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/metadata.json b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/metadata.json
index 2777e1709a5..eab7bccdd2d 100644
--- a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/metadata.json
+++ b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "647de8aa-5a42-41b5-9faf-22136f117380",
- "queryName": "Amazon RDS DB Instance Publicly Accessible",
+ "queryName": "RDS DB Instance Publicly Accessible",
 "severity": "HIGH",
 "category": "Insecure Configurations",
 "descriptionText": "RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false.",
From 084c119a23f988f670a9146c003b237a18289c59 Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Thu, 3 Aug 2023 12:27:45 +0100
Subject: [PATCH 09/22] changed queryname
---
 .../rds_instance_address_publicly_accessible/metadata.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/metadata.json b/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/metadata.json
index b4ba2d93993..e3ba9a95a0a 100644
--- a/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "faaefc15-51a5-419e-bb5e-51a4b5ab3485",
- "queryName": "Alicloud RDS Instance Address Publicly Accessible",
+ "queryName": "RDS Instance Address Publicly Accessible",
 "severity": "HIGH",
 "category": "Insecure Configurations",
 "descriptionText": "The field 'address' should not be set to '0.0.0.0/0'",
From 83e82b0b3c25315ce341428039f21815c8190688 Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Thu, 3 Aug 2023 12:28:48 +0100
Subject: [PATCH 10/22] changed query name
---
 .../aws/rds_db_instance_publicly_accessible/metadata.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/metadata.json b/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/metadata.json
index 78176f1fe69..9d0507bb425 100644
--- a/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "35113e6f-2c6b-414d-beec-7a9482d3b2d1",
- "queryName": "Amazon RDS DB Instance Publicly Accessible",
+ "queryName": "RDS DB Instance Publicly Accessible",
 "severity": "HIGH",
 "category": "Insecure Configurations",
 "descriptionText": "RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').",
From 284061d3565835c8802016cef75591e1605f3184 Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Thu, 3 Aug 2023 13:48:00 +0100
Subject: [PATCH 11/22] Fixed positive expected results
---
 .../test/positive_expected_result.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json
index e92431613cb..0a78a43abb3 100644
--- a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Amazon RDS DB Instance Publicly Accessible",
+ "queryName": "RDS DB Instance Publicly Accessible",
 "severity": "HIGH",
 "line": 17,
 "fileName": "positive1.yaml"
From 673197f9e208468cb680cb8f97c592f811e6f8e1 Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Thu, 3 Aug 2023 13:48:59 +0100
Subject: [PATCH 12/22] Fixed positive expected results
---
 .../test/positive_expected_result.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json
index 59a58c87e96..e8044854441 100644
--- a/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json
@@ -1,12 +1,12 @@
 [
 {
- "queryName": "Amazon RDS DB Instance Publicly Accessible",
+ "queryName": "RDS DB Instance Publicly Accessible",
 "severity": "HIGH",
 "line": 10,
 "fileName": "positive1.tf"
 },
 {
- "queryName": "Amazon RDS DB Instance Publicly Accessible",
+ "queryName": "RDS DB Instance Publicly Accessible",
 "severity": "HIGH",
 "line": 11,
 "fileName": "positive2.tf"
From 840f37a6ea9743fd61fe793ed20a594646496ade Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Thu, 3 Aug 2023 13:49:33 +0100
Subject: [PATCH 13/22] Fixed positive expected results
---
 .../test/positive_expected_result.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/positive_expected_result.json
index 8949c270835..06798a140b1 100644
--- a/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Alicloud RDS Instance Address Publicly Accessible",
+ "queryName": "RDS Instance Address Publicly Accessible",
 "severity": "HIGH",
 "line": 10,
 "fileName": "positive1.tf"
From 6244d79f104edaebe76db5f7c6e1987574d176ca Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Fri, 4 Aug 2023 11:31:35 +0100
Subject: [PATCH 14/22] Empty commit
From 315d4141316aee13da55bfc461f340367442393d Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Mon, 7 Aug 2023 18:45:00 +0100
Subject: [PATCH 15/22] feat(query): rds DB Instance Publicly Accessible for Crossplane
---
 .../metadata.json | 11 +++
 .../query.rego | 77 +++++++++++++++++++
 .../test/negative1.yaml | 20 +++++
 .../test/negative2.yaml | 60 +++++++++++++++
 .../test/positive1.yaml | 20 +++++
 .../test/positive2.yaml | 60 +++++++++++++++
 .../test/positive_expected_results.json | 15 ++++
 7 files changed, 263 insertions(+)
 create mode 100644 assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/metadata.json
 create mode 100644 assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/query.rego
 create mode 100644 assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/negative1.yaml
 create mode 100644 assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/negative2.yaml
 create mode 100644 assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive1.yaml
 create mode 100644 assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive2.yaml
 create mode 100644 assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive_expected_results.json
diff --git a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/metadata.json b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/metadata.json
new file mode 100644
index 00000000000..4d317a55939
--- /dev/null
+++ b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "d9dc6429-5140-498a-8f55-a10daac5f000",
+ "queryName": "RDS DB Instance Publicly Accessible",
+ "severity": "HIGH",
+ "category": "Insecure Configurations",
+ "descriptionText": "RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false and neither dbSubnetGroupName' subnets being part of a VPC that has an Internet gateway attached to it",
+ "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-aws/database.aws.crossplane.io/RDSInstance/v1beta1@v0.17.0",
+ "platform": "Crossplane",
+ "descriptionID": "d7566b63",
+ "cloudProvider": "aws"
+ }
\ No newline at end of file
diff --git a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/query.rego b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/query.rego
new file mode 100644
index 00000000000..22b6efb7f95
--- /dev/null
+++ b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/query.rego
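Review bot: The descriptionText does not read as a sentence ("and neither dbSubnetGroupName' subnets being part of…"), carries a dangling quote after dbSubnetGroupName, and names 'PubliclyAccessible' while the Crossplane field the query inspects is `spec.forProvider.publiclyAccessible`. Since the query's first rule encodes a specific rule of thumb (an RDSInstance that omits publiclyAccessible but whose dbSubnetGroupName subnets sit in a VPC with an InternetGateway attached is treated as public, which matches the AWS default as I recall it), the description should state that condition plainly so the finding is actionable, e.g. `"descriptionText": "RDS must not be defined with public interface: 'publiclyAccessible' must not be set to true, and when it is omitted the subnets of 'dbSubnetGroupName' must not belong to a VPC that has an InternetGateway attached, since the instance then defaults to public."`. The file also closes with an indented `}` and no trailing newline, unlike the sibling metadata files on this page.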
@@ -0,0 +1,77 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.crossplane as cp_lib
+
+getForProvider(apiVersion, kind, name, docs) = forProvider {
+ doc := docs[_]
+ [_, resource] := walk(doc)
+ startswith(resource.apiVersion, apiVersion)
+ resource.kind == kind
+ resource.metadata.name == name
+ forProvider := resource.spec.forProvider
+}
+
+CxPolicy[result] {
+ docs := input.document[i]
+ [path, resource] := walk(docs)
+ startswith(resource.apiVersion, "database.aws.crossplane.io")
+ resource.kind == "RDSInstance"
+
+ forProvider := resource.spec.forProvider
+
+ common_lib.valid_key(forProvider, "dbSubnetGroupName")
+ not common_lib.valid_key(forProvider, "publiclyAccessible")
+
+ dbSubnetGroupName := forProvider.dbSubnetGroupName
+
+ DBSGforProvider := getForProvider("database.aws.crossplane.io", "DBSubnetGroup", dbSubnetGroupName, input.document)
+ subnetIds := DBSGforProvider.subnetIds
+
+ count(subnetIds) > 0
+ subnetId := subnetIds[s]
+
+ EC2SforProvider := getForProvider("ec2.aws.crossplane.io", "Subnet", subnetId, input.document)
+
+ common_lib.valid_key(EC2SforProvider, "vpcId")
+ vpcId := EC2SforProvider.vpcId
+
+ IGdocs := input.document[_]
+ [_, IGresource] := walk(IGdocs)
+ startswith(IGresource.apiVersion, "network.aws.crossplane.io")
+ IGresource.kind == "InternetGateway"
+
+ IGforProvider := IGresource.spec.forProvider
+ common_lib.valid_key(IGforProvider, "vpcId")
+ vpcId == IGforProvider.vpcId
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.kind,
+ "resourceName": cp_lib.getResourceName(resource),
+ "searchKey": sprintf("metadata.name={{%s}}.spec.forProvider.dbSubnetGroupName", [resource.metadata.name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": "storageEncrypted should be defined and set to true",
+ "keyActualValue": "storageEncrypted is not defined",
+ }
+}
+
+CxPolicy[result] {
+ docs := input.document[i]
+ [path, resource] := walk(docs)
+ startswith(resource.apiVersion, "database.aws.crossplane.io")
+ resource.kind == "RDSInstance"
+
+ forProvider := resource.spec.forProvider
+ forProvider.publiclyAccessible == true
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.kind,
+ "resourceName": cp_lib.getResourceName(resource),
+ "searchKey": sprintf("metadata.name={{%s}}.spec.forProvider.publiclyAccessible", [resource.metadata.name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": "storageEncrypted should be defined and set to true",
+ "keyActualValue": "storageEncrypted is not defined",
+ }
+}
\ No newline at end of file
diff --git a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/negative1.yaml b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/negative1.yaml
new file mode 100644
index 00000000000..2cf4f3c8a51
--- /dev/null
+++ b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/negative1.yaml
@@ -0,0 +1,20 @@
+apiVersion: database.aws.crossplane.io/v1beta1
+kind: RDSInstance
+metadata:
+ name: sample-cluster3
+spec:
+ forProvider:
+ publiclyAccessible: false
+
+---
+
+apiVersion: database.aws.crossplane.io/v1alpha3
+kind: DBSubnetGroup
+metadata:
+ name: my-db-subnet-group
+spec:
+ forProvider:
+ description: "My DB Subnet Group"
+ subnetIds:
+ - subnet-12345678
+ - subnet-87654321
diff --git a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/negative2.yaml b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/negative2.yaml
new file mode 100644
index 00000000000..00bec873d56
--- /dev/null
+++ b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/negative2.yaml
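Review bot: Both result blocks carry `keyExpectedValue`/`keyActualValue` strings about storageEncrypted, copied from a different query, so every finding this query produces will tell the user to enable encryption instead of disabling public access; and the second rule reports `"issueType": "MissingAttribute"` even though it only fires when `forProvider.publiclyAccessible == true` is present, which should be `IncorrectValue` as the Pulumi sibling on this page does. Both rules also bind `path` in `[path, resource] := walk(docs)` without using it; `[_, resource]`, as in getForProvider, reads cleaner and keeps `opa check --strict` quiet. One caveat worth a comment above the first rule: the subnet chain resolves each entry of `DBSubnetGroup.subnetIds` by matching it against `Subnet.metadata.name`, which holds in these fixtures because the objects are named after AWS ids, but in a real Crossplane manifest subnetIds are AWS ids while metadata.name is a Kubernetes name, and references expressed through `subnetIdRefs`/`subnetIdSelector` (if the provider offers them, as I believe it does) are not followed, so the rule can miss the public case. Rewritten result fields below.

```rego
CxPolicy[result] {
	docs := input.document[i]
	[_, resource] := walk(docs)
	# … unchanged: RDSInstance match, dbSubnetGroupName -> DBSubnetGroup -> Subnet -> InternetGateway chain …
	result := {
		# … unchanged: documentId, resourceType, resourceName, searchKey …
		"issueType": "MissingAttribute",
		"keyExpectedValue": "'spec.forProvider.publiclyAccessible' should be defined and set to false, since the 'dbSubnetGroupName' subnets belong to a VPC with an InternetGateway attached",
		"keyActualValue": "'spec.forProvider.publiclyAccessible' is undefined, so the instance defaults to publicly accessible",
	}
}

CxPolicy[result] {
	docs := input.document[i]
	[_, resource] := walk(docs)
	# … unchanged: RDSInstance match, publiclyAccessible == true …
	result := {
		# … unchanged: documentId, resourceType, resourceName, searchKey …
		"issueType": "IncorrectValue",
		"keyExpectedValue": "'spec.forProvider.publiclyAccessible' should be set to false",
		"keyActualValue": "'spec.forProvider.publiclyAccessible' is set to true",
	}
}
```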
@@ -0,0 +1,60 @@
+apiVersion: database.aws.crossplane.io/v1beta1
+kind: RDSInstance
+metadata:
+ name: my-rds-instance
+spec:
+ forProvider:
+ engine: mysql
+ engineVersion: "8.0"
+ instanceClass: db.t2.micro
+ allocatedStorage: 20
+ dbSubnetGroupName: my-db-subnet-group
+ writeConnectionSecretToRef:
+ name: my-rds-instance-connection
+
+---
+
+apiVersion: database.aws.crossplane.io/v1alpha3
+kind: DBSubnetGroup
+metadata:
+ name: my-db-subnet-group
+spec:
+ forProvider:
+ description: "My DB Subnet Group"
+ subnetIds:
+ - subnet-12345678
+ - subnet-87654321
+
+---
+
+apiVersion: ec2.aws.crossplane.io/v1beta1
+kind: Subnet
+metadata:
+ name: subnet-12345678
+spec:
+ forProvider:
+ cidrBlock: "10.0.0.0/24"
+ vpcId: vpc-abcdef12
+ availabilityZone: us-west-2a
+
+---
+
+apiVersion: ec2.aws.crossplane.io/v1beta1
+kind: Subnet
+metadata:
+ name: subnet-87654321
+spec:
+ forProvider:
+ cidrBlock: "10.0.0.1/24"
+ vpcId: vpc-abcdef12
+ availabilityZone: us-west-2a
+
+---
+
+apiVersion: network.aws.crossplane.io/v1alpha3
+kind: InternetGateway
+metadata:
+ name: my-internet-gateway
+spec:
+ forProvider:
+ vpcId: vpc-abcdef12345
diff --git a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive1.yaml b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive1.yaml
new file mode 100644
index 00000000000..d08764de5da
--- /dev/null
+++ b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive1.yaml
@@ -0,0 +1,20 @@
+apiVersion: database.aws.crossplane.io/v1beta1
+kind: RDSInstance
+metadata:
+ name: sample-cluster3
+spec:
+ forProvider:
+ publiclyAccessible: true
+
+---
+
+apiVersion: database.aws.crossplane.io/v1alpha3
+kind: DBSubnetGroup
+metadata:
+ name: my-db-subnet-group
+spec:
+ forProvider:
+ description: "My DB Subnet Group"
+ subnetIds:
+ - subnet-12345678
+ - subnet-87654321
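Review bot: negative2.yaml exercises only the VPC mismatch (`vpcId: vpc-abcdef12345` on the InternetGateway versus `vpc-abcdef12` on both Subnets), so the `not common_lib.valid_key(forProvider, "publiclyAccessible")` guard of the first rule has no negative fixture at all. A third negative case identical to positive2.yaml but with `publiclyAccessible: false` added under the RDSInstance `forProvider` would pin that an explicit opt-out is honoured even when the subnet group's VPC has an Internet gateway. The gateway's VPC id also differs from the subnets' only by trailing characters, which reads like a typo rather than a deliberate mismatch; a one-line comment next to it, `# different VPC on purpose: this gateway does not reach the DB subnets`, would make the intent of the fixture clear.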
diff --git a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive2.yaml b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive2.yaml
new file mode 100644
index 00000000000..b90fb6344cd
--- /dev/null
+++ b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive2.yaml
@@ -0,0 +1,60 @@
+apiVersion: database.aws.crossplane.io/v1beta1
+kind: RDSInstance
+metadata:
+ name: my-rds-instance
+spec:
+ forProvider:
+ engine: mysql
+ engineVersion: "8.0"
+ instanceClass: db.t2.micro
+ allocatedStorage: 20
+ dbSubnetGroupName: my-db-subnet-group
+ writeConnectionSecretToRef:
+ name: my-rds-instance-connection
+
+---
+
+apiVersion: database.aws.crossplane.io/v1alpha3
+kind: DBSubnetGroup
+metadata:
+ name: my-db-subnet-group
+spec:
+ forProvider:
+ description: "My DB Subnet Group"
+ subnetIds:
+ - subnet-12345678
+ - subnet-87654321
+
+---
+
+apiVersion: ec2.aws.crossplane.io/v1beta1
+kind: Subnet
+metadata:
+ name: subnet-12345678
+spec:
+ forProvider:
+ cidrBlock: "10.0.0.0/24"
+ vpcId: vpc-abcdef12
+ availabilityZone: us-west-2a
+
+---
+
+apiVersion: ec2.aws.crossplane.io/v1beta1
+kind: Subnet
+metadata:
+ name: subnet-87654321
+spec:
+ forProvider:
+ cidrBlock: "10.0.0.1/24"
+ vpcId: vpc-abcdef12
+ availabilityZone: us-west-2a
+
+---
+
+apiVersion: network.aws.crossplane.io/v1alpha3
+kind: InternetGateway
+metadata:
+ name: my-internet-gateway
+spec:
+ forProvider:
+ vpcId: vpc-abcdef12
diff --git a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive_expected_results.json b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive_expected_results.json
new file mode 100644
index 00000000000..3f0018ea5da
--- /dev/null
+++ b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive_expected_results.json
@@ -0,0 +1,15 @@
+[
+ {
+ "queryName": "RDS DB Instance Publicly Accessible",
+ "severity": "HIGH",
+ "line": 7,
+ "fileName": "positive1.yaml"
+ },
+ {
+ "queryName": "RDS DB Instance Publicly Accessible",
+ "severity": "HIGH",
+ "line": 11,
+ "fileName": "positive2.yaml"
+ }
+ ]
+ 
\ No newline at end of file
From c41177361a437101c9417783e6c8473fada1e4bd Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Mon, 7 Aug 2023 18:50:42 +0100
Subject: [PATCH 16/22] fixed keyexpectedvalue and keyactualvalue
---
 .../aws/rds_db_instance_publicly_accessible/query.rego | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/query.rego b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/query.rego
index 22b6efb7f95..244c0fe7e5d 100644
--- a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/query.rego
+++ b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/query.rego
@@ -51,8 +51,8 @@ CxPolicy[result] {
 "resourceName": cp_lib.getResourceName(resource),
 "searchKey": sprintf("metadata.name={{%s}}.spec.forProvider.dbSubnetGroupName", [resource.metadata.name]),
 "issueType": "MissingAttribute",
- "keyExpectedValue": "storageEncrypted should be defined and set to true",
- "keyActualValue": "storageEncrypted is not defined",
+ "keyActualValue": "dbSubnetGroupName' subnets are part of a VPC that has an Internet gateway attached to it",
+ "keyExpectedValue": "dbSubnetGroupName' subnets not being part of a VPC that has an Internet gateway attached to it",
 }
 }
 
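Review bot: In the `@@ -51,8 +51,8 @@` hunk the new `keyActualValue` and `keyExpectedValue` strings open with a stray apostrophe, `dbSubnetGroupName' subnets …`, so the attribute name is half-quoted in every finding this rule emits. Quote it on both sides, e.g. `"keyActualValue": "'dbSubnetGroupName' subnets are part of a VPC that has an Internet gateway attached to it",` and `"keyExpectedValue": "'dbSubnetGroupName' subnets should not be part of a VPC that has an Internet gateway attached to it",`. The two keys are also emitted in the opposite order to the sibling rule's `@@ -71,7 +71,7 @@` hunk (expected before actual there); keeping one order in both result objects makes the rules easier to compare. The enclosing CxPolicy rule starts outside the hunk.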
@@ -71,7 +71,7 @@ CxPolicy[result] {
 "resourceName": cp_lib.getResourceName(resource),
 "searchKey": sprintf("metadata.name={{%s}}.spec.forProvider.publiclyAccessible", [resource.metadata.name]),
 "issueType": "MissingAttribute",
- "keyExpectedValue": "storageEncrypted should be defined and set to true",
- "keyActualValue": "storageEncrypted is not defined",
+ "keyExpectedValue": "publiclyAccessible should be set to false",
+ "keyActualValue": "publiclyAccessible is set to true",
 }
 }
\ No newline at end of file
From bca738abd65358388ffbd0848f485234285d1fb0 Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Tue, 8 Aug 2023 08:33:30 +0100
Subject: [PATCH 17/22] File renamed
---
 ...sitive_expected_results.json => positive_expected_result.json} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/{positive_expected_results.json => positive_expected_result.json} (100%)
diff --git a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive_expected_results.json b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive_expected_results.json
rename to assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json
From 1deb93557d3136159dcee75ff648a5f64b5093a5 Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Tue, 8 Aug 2023 17:37:40 +0100
Subject: [PATCH 18/22] suggestions
---
 .../query.rego | 32 ++++++++++---------
 1 file changed, 17 insertions(+), 15 deletions(-)
diff --git a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/query.rego b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/query.rego
index 244c0fe7e5d..26647d001e9 100644
--- a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/query.rego
+++ b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/query.rego
@@ -12,19 +12,7 @@ getForProvider(apiVersion, kind, name, docs) = forProvider {
 forProvider := resource.spec.forProvider
 }
 
-CxPolicy[result] {
- docs := input.document[i]
- [path, resource] := walk(docs)
- startswith(resource.apiVersion, "database.aws.crossplane.io")
- resource.kind == "RDSInstance"
-
- forProvider := resource.spec.forProvider
-
- common_lib.valid_key(forProvider, "dbSubnetGroupName")
- not common_lib.valid_key(forProvider, "publiclyAccessible")
-
- dbSubnetGroupName := forProvider.dbSubnetGroupName
-
+existsInternetGateway(dbSubnetGroupName) {
 DBSGforProvider := getForProvider("database.aws.crossplane.io", "DBSubnetGroup", dbSubnetGroupName, input.document)
 subnetIds := DBSGforProvider.subnetIds
 
@@ -33,7 +21,6 @@ CxPolicy[result] {
 
 EC2SforProvider := getForProvider("ec2.aws.crossplane.io", "Subnet", subnetId, input.document)
 
- common_lib.valid_key(EC2SforProvider, "vpcId")
 vpcId := EC2SforProvider.vpcId
 
 IGdocs := input.document[_]
@@ -42,8 +29,23 @@ CxPolicy[result] {
 IGresource.kind == "InternetGateway"
 
 IGforProvider := IGresource.spec.forProvider
- common_lib.valid_key(IGforProvider, "vpcId")
 vpcId == IGforProvider.vpcId
+}
+
+CxPolicy[result] {
+ docs := input.document[i]
+ [path, resource] := walk(docs)
+ startswith(resource.apiVersion, "database.aws.crossplane.io")
+ resource.kind == "RDSInstance"
+
+ forProvider := resource.spec.forProvider
+
+ common_lib.valid_key(forProvider, "dbSubnetGroupName")
+ not common_lib.valid_key(forProvider, "publiclyAccessible")
+
+ dbSubnetGroupName := forProvider.dbSubnetGroupName
+
+ existsInternetGateway(dbSubnetGroupName) == true
 
 result := {
 "documentId": input.document[i].id,
From 8fc264562dfb35519d02dca2e736d01aed8d9711 Mon Sep 17 00:00:00 2001
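Review bot: `existsInternetGateway(dbSubnetGroupName) == true` in the `@@ -42,8 +29,23 @@` hunk compares against a rule that has no value expression, so it is simply `true` when its body succeeds and undefined otherwise; the `== true` adds nothing and suggests the helper could yield `false`, which it cannot. Call it as a plain condition, `existsInternetGateway(dbSubnetGroupName)`. The new helper also carries no comment for the three-hop lookup it performs (DBSubnetGroup → Subnet → InternetGateway, each by `metadata.name` and a literal `vpcId`); a header such as `# Holds when any subnet of the named DBSubnetGroup lies in a VPC that has an InternetGateway among input.document` would spare the next reader reconstructing it. It reads `input.document` directly while `getForProvider` receives the documents as `docs`; passing them the same way would keep the two helpers symmetric.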
From: cx-henriqueAlvelos
Date: Wed, 9 Aug 2023 09:12:40 +0100
Subject: [PATCH 19/22] Fix queryname
---
 .../rds_instance_address_publicly_accessible/metadata.json | 2 +-
 .../test/positive_expected_result.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/metadata.json b/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/metadata.json
index e3ba9a95a0a..de3e308bc4b 100644
--- a/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/metadata.json
+++ b/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "faaefc15-51a5-419e-bb5e-51a4b5ab3485",
- "queryName": "RDS Instance Address Publicly Accessible",
+ "queryName": "RDS DB Instance Publicly Accessible",
 "severity": "HIGH",
 "category": "Insecure Configurations",
 "descriptionText": "The field 'address' should not be set to '0.0.0.0/0'",
diff --git a/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/positive_expected_result.json
index 06798a140b1..a30a8204b25 100644
--- a/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "RDS Instance Address Publicly Accessible",
+ "queryName": "RDS DB Instance Publicly Accessible",
 "severity": "HIGH",
 "line": 10,
 "fileName": "positive1.tf"
From f30808b35042ff187ff7a4c99c4ee6cd134d7d8f Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Wed, 9 Aug 2023 09:19:54 +0100
Subject: [PATCH 20/22] removed valid_key
---
 .../aws/rds_db_instance_publicly_accessible/query.rego | 1 -
 1 file changed, 1 deletion(-)
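Review bot: `"queryName": "RDS DB Instance Publicly Accessible"` becomes the name of this Terraform/AliCloud query, yet the same string is the queryName recorded in the Crossplane/AWS query's expected-results fixture earlier in this series, and the `[PATCH 22/22]` diffstat shows a further AliCloud query `rds_instance_publicly_accessible` next to this one. The `id` field keeps the two checks distinct for the engine, but reports, documentation and name-based suppressions cannot tell them apart, and the name no longer says what this query actually checks (`descriptionText` is about the `address` field). If the project expects names to be unique, a platform-specific name along the lines of `"AliCloud RDS Instance Address Publicly Accessible"` (constructed example) avoids the ambiguity; the same string change then applies to the positive_expected_result.json hunk below it.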
diff --git a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/query.rego b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/query.rego
index 26647d001e9..75312649d7a 100644
--- a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/query.rego
+++ b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/query.rego
@@ -40,7 +40,6 @@ CxPolicy[result] {
 
 forProvider := resource.spec.forProvider
 
- common_lib.valid_key(forProvider, "dbSubnetGroupName")
 not common_lib.valid_key(forProvider, "publiclyAccessible")
 
 dbSubnetGroupName := forProvider.dbSubnetGroupName
From cd55ba7534ecb47db9c1d0591216e88564184aed Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Wed, 9 Aug 2023 09:25:56 +0100
Subject: [PATCH 21/22] added valid_key
---
 .../aws/rds_db_instance_publicly_accessible/query.rego | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/query.rego b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/query.rego
index 75312649d7a..458553ce571 100644
--- a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/query.rego
+++ b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/query.rego
@@ -29,7 +29,9 @@ existsInternetGateway(dbSubnetGroupName) {
 IGresource.kind == "InternetGateway"
 
 IGforProvider := IGresource.spec.forProvider
- vpcId == IGforProvider.vpcId
+
+ common_lib.valid_key(IGforProvider, "vpcId")
+ vpcId == IGforProvider.vpcId
 }
 
 CxPolicy[result] {
From 77ff3504c0300be063881c88b76c71bd5de30cb2 Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Thu, 10 Aug 2023 15:29:31 +0100
Subject: [PATCH 22/22] fixed search_key
---
 .../alicloud/rds_instance_publicly_accessible/query.rego | 2 +-
 .../alicloud/rds_instance_ssl_action_disabled/query.rego | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
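Review bot: `common_lib.valid_key(IGforProvider, "vpcId")` in the `@@ -29,7 +29,9 @@` hunk guards a comparison that already fails on its own when the key is absent, since `vpcId == IGforProvider.vpcId` is undefined rather than false when the field is missing, and the equivalent guard for `EC2SforProvider.vpcId` was removed two commits earlier on the same grounds. Either convention is workable, but the helper now mixes them; keep the guard on both lookups or on neither, and if it stays, a short comment such as `# explicit presence check, kept for readability; the == below is undefined without it anyway` records that it is deliberate rather than load-bearing. The same consideration applies to the `@@ -40,7 +40,6 @@` hunk above, which dropped the `dbSubnetGroupName` guard.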
diff --git a/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/query.rego b/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/query.rego
index 9c65f02948b..60d2b99183f 100644
--- a/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/query.rego
+++ b/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/query.rego
@@ -17,7 +17,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": "alicloud_db_instance",
 "resourceName": tf_lib.get_resource_name(resource, name),
- "searchKey": sprintf("alicloud_db_instance[%s].security_ips.%s", [name,x]),
+ "searchKey": sprintf("alicloud_db_instance[%s].security_ips[%v]", [name,x]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'%s' should not be in 'security_ips' list", [sec_ip]),
 "keyActualValue": sprintf("'%s' is in 'security_ips' list", [sec_ip]),
diff --git a/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/query.rego b/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/query.rego
index c6f94eb1c0c..fe7543bb6d7 100644
--- a/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/query.rego
+++ b/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/query.rego
@@ -35,7 +35,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": "alicloud_db_instance",
 "resourceName": tf_lib.get_resource_name(resource, name),
- "searchKey": sprintf("alicloud_db_instance[%s]]", [name]),
+ "searchKey": sprintf("alicloud_db_instance[%s]", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'ssl_action' value should be 'Open'",
 "keyActualValue": "'ssl_action' is not defined",