Merge branch 'master' into feat/vpc_tencent_add_new_query

assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/metadata.json

@@ -0,0 +1,12 @@
+{
+  "id": "5bb6fa08-5e84-4760-a54a-cdcd66626976",
+  "queryName": "(Beta) CVM Instance Using User Data",
+  "severity": "LOW",
+  "category": "Access Control",
+  "descriptionText": "CVM instances should use roles to be granted access",
+  "descriptionUrl": "https://registry.terraform.io/providers/tencentcloudstack/tencentcloud/latest/docs/resources/instance#user_data",
+  "platform": "Terraform",
+  "descriptionID": "7b10c908",
+  "cloudProvider": "tencentcloud",
+  "cwe": ""
+}

assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/query.rego

@@ -0,0 +1,44 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+check_user_datas(mdata) {
+	count(regex.find_n(`secretId\s*=|TENCENTCLOUD_SECRET_ID\s*=|secretKey\s*=|TENCENTCLOUD_SECRET_KEY\s*=`, mdata, -1)) > 0
+}
+
+CxPolicy[result] {
+	doc := input.document[i]
+	resource := doc.resource.tencentcloud_instance[name]
+
+	decoded := base64.decode(resource.user_data)
+	check_user_datas(decoded)
+
+	result := {
+		"documentId": doc.id,
+		"resourceType": "tencentcloud_instance",
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("tencentcloud_instance[%s].user_data", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("tencentcloud_instance[%s] should be using 'cam_role_name' to assign a role with permissions", [name]),
+		"keyActualValue": sprintf("tencentcloud_instance[%s].user_data is being used to configure API secret keys", [name]),
+	}
+}
+
+CxPolicy[result] {
+	doc := input.document[i]
+	resource := doc.resource.tencentcloud_instance[name]
+
+	dataRaw := resource.user_data_raw
+	check_user_datas(dataRaw)
+
+	result := {
+		"documentId": doc.id,
+		"resourceType": "tencentcloud_instance",
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("tencentcloud_instance[%s].user_data", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("tencentcloud_instance[%s] should be using 'cam_role_name' to assign a role with permissions", [name]),
+		"keyActualValue": sprintf("tencentcloud_instance[%s].user_data is being used to configure API secret keys", [name]),
+	}
+}

assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/test/negative1.tf

@@ -0,0 +1,51 @@
+data "tencentcloud_images" "my_favorite_image" {
+  image_type       = ["PUBLIC_IMAGE"]
+  image_name_regex = "Final"
+}
+
+data "tencentcloud_instance_types" "my_favorite_instance_types" {
+  filter {
+    name   = "instance-family"
+    values = ["S1", "S2", "S3", "S4", "S5"]
+  }
+
+  cpu_core_count   = 2
+  exclude_sold_out = true
+}
+
+data "tencentcloud_availability_zones" "my_favorite_zones" {}
+
+resource "tencentcloud_vpc" "app" {
+  cidr_block = "10.0.0.0/16"
+  name       = "awesome_app_vpc"
+}
+
+resource "tencentcloud_subnet" "app" {
+  vpc_id            = tencentcloud_vpc.app.id
+  availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
+  name              = "awesome_app_subnet"
+  cidr_block        = "10.0.1.0/24"
+}
+
+resource "tencentcloud_instance" "cvm_postpaid" {
+  instance_name     = "cvm_postpaid"
+  availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
+  image_id          = data.tencentcloud_images.my_favorite_image.images.0.image_id
+  instance_type     = data.tencentcloud_instance_types.my_favorite_instance_types.instance_types.0.instance_type
+  system_disk_type  = "CLOUD_PREMIUM"
+  system_disk_size  = 50
+  hostname          = "user"
+  project_id        = 0
+  vpc_id            = tencentcloud_vpc.app.id
+  subnet_id         = tencentcloud_subnet.app.id
+
+  data_disks {
+    data_disk_type = "CLOUD_PREMIUM"
+    data_disk_size = 50
+    encrypt        = false
+  }
+
+  tags = {
+    tagKey = "tagValue"
+  }
+}

assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/test/negative2.tf

@@ -0,0 +1,52 @@
+data "tencentcloud_images" "my_favorite_image" {
+  image_type       = ["PUBLIC_IMAGE"]
+  image_name_regex = "Final"
+}
+
+data "tencentcloud_instance_types" "my_favorite_instance_types" {
+  filter {
+    name   = "instance-family"
+    values = ["S1", "S2", "S3", "S4", "S5"]
+  }
+
+  cpu_core_count   = 2
+  exclude_sold_out = true
+}
+
+data "tencentcloud_availability_zones" "my_favorite_zones" {}
+
+resource "tencentcloud_vpc" "app" {
+  cidr_block = "10.0.0.0/16"
+  name       = "awesome_app_vpc"
+}
+
+resource "tencentcloud_subnet" "app" {
+  vpc_id            = tencentcloud_vpc.app.id
+  availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
+  name              = "awesome_app_subnet"
+  cidr_block        = "10.0.1.0/24"
+}
+
+resource "tencentcloud_instance" "cvm_postpaid" {
+  instance_name     = "cvm_postpaid"
+  availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
+  image_id          = data.tencentcloud_images.my_favorite_image.images.0.image_id
+  instance_type     = data.tencentcloud_instance_types.my_favorite_instance_types.instance_types.0.instance_type
+  system_disk_type  = "CLOUD_PREMIUM"
+  system_disk_size  = 50
+  hostname          = "user"
+  project_id        = 0
+  vpc_id            = tencentcloud_vpc.app.id
+  subnet_id         = tencentcloud_subnet.app.id
+  user_data         = base64encode("this is test value")
+
+  data_disks {
+    data_disk_type = "CLOUD_PREMIUM"
+    data_disk_size = 50
+    encrypt        = false
+  }
+
+  tags = {
+    tagKey = "tagValue"
+  }
+}

assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/test/negative3.tf

@@ -0,0 +1,52 @@
+data "tencentcloud_images" "my_favorite_image" {
+  image_type       = ["PUBLIC_IMAGE"]
+  image_name_regex = "Final"
+}
+
+data "tencentcloud_instance_types" "my_favorite_instance_types" {
+  filter {
+    name   = "instance-family"
+    values = ["S1", "S2", "S3", "S4", "S5"]
+  }
+
+  cpu_core_count   = 2
+  exclude_sold_out = true
+}
+
+data "tencentcloud_availability_zones" "my_favorite_zones" {}
+
+resource "tencentcloud_vpc" "app" {
+  cidr_block = "10.0.0.0/16"
+  name       = "awesome_app_vpc"
+}
+
+resource "tencentcloud_subnet" "app" {
+  vpc_id            = tencentcloud_vpc.app.id
+  availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
+  name              = "awesome_app_subnet"
+  cidr_block        = "10.0.1.0/24"
+}
+
+resource "tencentcloud_instance" "cvm_postpaid" {
+  instance_name     = "cvm_postpaid"
+  availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
+  image_id          = data.tencentcloud_images.my_favorite_image.images.0.image_id
+  instance_type     = data.tencentcloud_instance_types.my_favorite_instance_types.instance_types.0.instance_type
+  system_disk_type  = "CLOUD_PREMIUM"
+  system_disk_size  = 50
+  hostname          = "user"
+  project_id        = 0
+  vpc_id            = tencentcloud_vpc.app.id
+  subnet_id         = tencentcloud_subnet.app.id
+  user_data_raw     = "this is test value"
+
+  data_disks {
+    data_disk_type = "CLOUD_PREMIUM"
+    data_disk_size = 50
+    encrypt        = false
+  }
+
+  tags = {
+    tagKey = "tagValue"
+  }
+}

assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/test/positive1.tf

@@ -0,0 +1,52 @@
+data "tencentcloud_images" "my_favorite_image" {
+  image_type       = ["PUBLIC_IMAGE"]
+  image_name_regex = "Final"
+}
+
+data "tencentcloud_instance_types" "my_favorite_instance_types" {
+  filter {
+    name   = "instance-family"
+    values = ["S1", "S2", "S3", "S4", "S5"]
+  }
+
+  cpu_core_count   = 2
+  exclude_sold_out = true
+}
+
+data "tencentcloud_availability_zones" "my_favorite_zones" {}
+
+resource "tencentcloud_vpc" "app" {
+  cidr_block = "10.0.0.0/16"
+  name       = "awesome_app_vpc"
+}
+
+resource "tencentcloud_subnet" "app" {
+  vpc_id            = tencentcloud_vpc.app.id
+  availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
+  name              = "awesome_app_subnet"
+  cidr_block        = "10.0.1.0/24"
+}
+
+resource "tencentcloud_instance" "cvm_postpaid" {
+  instance_name     = "cvm_postpaid"
+  availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
+  image_id          = data.tencentcloud_images.my_favorite_image.images.0.image_id
+  instance_type     = data.tencentcloud_instance_types.my_favorite_instance_types.instance_types.0.instance_type
+  system_disk_type  = "CLOUD_PREMIUM"
+  system_disk_size  = 50
+  hostname          = "user"
+  project_id        = 0
+  vpc_id            = tencentcloud_vpc.app.id
+  subnet_id         = tencentcloud_subnet.app.id
+  user_data         = base64encode("apt-get install -y tccli; export TENCENTCLOUD_SECRET_ID=your_access_key_id_here; export TENCENTCLOUD_SECRET_KEY=your_secret_access_key_here")
+
+  data_disks {
+    data_disk_type = "CLOUD_PREMIUM"
+    data_disk_size = 50
+    encrypt        = false
+  }
+
+  tags = {
+    tagKey = "tagValue"
+  }
+}

assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/test/positive2.tf

@@ -0,0 +1,52 @@
+data "tencentcloud_images" "my_favorite_image" {
+  image_type       = ["PUBLIC_IMAGE"]
+  image_name_regex = "Final"
+}
+
+data "tencentcloud_instance_types" "my_favorite_instance_types" {
+  filter {
+    name   = "instance-family"
+    values = ["S1", "S2", "S3", "S4", "S5"]
+  }
+
+  cpu_core_count   = 2
+  exclude_sold_out = true
+}
+
+data "tencentcloud_availability_zones" "my_favorite_zones" {}
+
+resource "tencentcloud_vpc" "app" {
+  cidr_block = "10.0.0.0/16"
+  name       = "awesome_app_vpc"
+}
+
+resource "tencentcloud_subnet" "app" {
+  vpc_id            = tencentcloud_vpc.app.id
+  availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
+  name              = "awesome_app_subnet"
+  cidr_block        = "10.0.1.0/24"
+}
+
+resource "tencentcloud_instance" "cvm_postpaid" {
+  instance_name     = "cvm_postpaid"
+  availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
+  image_id          = data.tencentcloud_images.my_favorite_image.images.0.image_id
+  instance_type     = data.tencentcloud_instance_types.my_favorite_instance_types.instance_types.0.instance_type
+  system_disk_type  = "CLOUD_PREMIUM"
+  system_disk_size  = 50
+  hostname          = "user"
+  project_id        = 0
+  vpc_id            = tencentcloud_vpc.app.id
+  subnet_id         = tencentcloud_subnet.app.id
+  user_data_raw     = "apt-get install -y tccli; export TENCENTCLOUD_SECRET_ID=your_access_key_id_here; export TENCENTCLOUD_SECRET_KEY=your_secret_access_key_here"
+
+  data_disks {
+    data_disk_type = "CLOUD_PREMIUM"
+    data_disk_size = 50
+    encrypt        = false
+  }
+
+  tags = {
+    tagKey = "tagValue"
+  }
+}

assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/test/positive_expected_result.json

@@ -0,0 +1,14 @@
+[
+  {
+    "queryName": "(Beta) CVM Instance Using User Data",
+    "severity": "LOW",
+    "line": 41,
+    "fileName": "positive1.tf"
+  },
+  {
+    "queryName": "(Beta) CVM Instance Using User Data",
+    "severity": "LOW",
+    "line": 41,
+    "fileName": "positive2.tf"
+  }
+]

assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/test/terraform.tfvars

@@ -0,0 +1 @@
+init_aws_cli = "IyEvYmluL2Jhc2gNCmFwdC1nZXQgaW5zdGFsbCAteSBhd3NjbGkNCmNhdCA8PCBFT0YgPiB+Ly5hd3MvY3JlZGVudGlhbHMNCltkZWZhdWx0XQ0KYXdzX2FjY2Vzc19rZXlfaWQgPSBzb21la2V5DQphd3Nfc2VjcmV0X2FjY2Vzc19rZXkgPSBzb21lc2VjcmV0DQpFT0Y="