feat(query): Added modules for 'Public and Private EC2 Share Role' qu…

…ery (Checkmarx#4312)

Signed-off-by: Felipe Avelar <[email protected]>

assets/queries/terraform/aws/public_and_private_ec2_share_role/query.rego

@@ -1,26 +1,58 @@
 package Cx
 
+import data.generic.common as common_lib
+
 CxPolicy[result] {
 	resource := input.document[i].resource.aws_instance[name]
 	contains(resource.subnet_id, "public_subnets")
 
 	instanceProfileName := split(resource.iam_instance_profile, ".")[1]
 
-	check_private_instance(instanceProfileName)
+	check_private_instance(instanceProfileName, i)
 
 	result := {
 		"documentId": input.document[i].id,
 		"searchKey": sprintf("aws_instance[%s].iam_instance_profile", [name]),
-		"issueType": "MissingAttribute",
-		"keyExpectedValue": "Public and private istances do not share the same role",
-		"keyActualValue": "Public and private istances share the same role",
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "Public and private instances do not share the same role",
+		"keyActualValue": "Public and private instances share the same role",
+		"searchLine": common_lib.build_search_line(["resource", "aws_instance", name, "iam_instance_profile"], []),
 	}
 }
 
-check_private_instance(instanceProfileName) {
-	instance := input.document[z].resource.aws_instance[name]
+CxPolicy[result] {
+	module := input.document[i].module[name]
+	subnetId := common_lib.get_module_equivalent_key("aws", module.source, "aws_instance", "subnet_id")
+
+	contains(module[subnetId], "public_subnets")
+
+	iamInstanceProfile := common_lib.get_module_equivalent_key("aws", module.source, "aws_instance", "iam_instance_profile")
+	instanceProfileName := split(module[iamInstanceProfile], ".")[1]
+
+	check_private_instance(instanceProfileName, i)
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("module[%s].iam_instance_profile", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "Public and private instances do not share the same role",
+		"keyActualValue": "Public and private instances share the same role",
+		"searchLine": common_lib.build_search_line(["module", name, "iam_instance_profile"], []),
+	}
+}
+
+check_private_instance(instanceProfileName, i) {
+	instance := input.document[i].resource.aws_instance[name]
 
 	contains(instance.subnet_id, "private_subnets")
 
 	split(instance.iam_instance_profile, ".")[1] == instanceProfileName
+} else {
+	instance := input.document[i].module[name]
+	subnetId := common_lib.get_module_equivalent_key("aws", instance.source, "aws_instance", "subnet_id")
+
+	contains(instance[subnetId], "private_subnets")
+	iamInstanceProfile := common_lib.get_module_equivalent_key("aws", instance.source, "aws_instance", "iam_instance_profile")
+
+	split(instance[iamInstanceProfile], ".")[1] == instanceProfileName
 }

assets/queries/terraform/aws/public_and_private_ec2_share_role/test/negative2.tf

@@ -0,0 +1,74 @@
+module "vpc" {
+  source = "terraform-aws-modules/vpc/aws"
+
+  name            = "Ec2RoleShareRule1"
+  azs             = ["us-east-1a", "us-east-1b", "us-east-1c"]
+  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+
+  enable_nat_gateway = true
+  enable_vpn_gateway = true
+
+  cidr                          = "10.0.0.0/16"
+  manage_default_security_group = true
+  default_security_group_ingress = [
+    {
+      from_port   = 22
+      to_port     = 22
+      protocol    = "tcp"
+      description = "ssh"
+      cidr_blocks = "0.0.0.0/0"
+  }]
+  default_security_group_egress = []
+  version                       = "3.7.0"
+}
+
+module "ec2_public_instance" {
+  source  = "terraform-aws-modules/ec2-instance/aws"
+  version = "~> 3.0"
+
+  name = "single-instance"
+
+  ami                    = "ami-ebd02392"
+  instance_type          = "t2.micro"
+  key_name               = "user1"
+  monitoring             = true
+  vpc_security_group_ids = ["sg-12345678"]
+  subnet_id              = module.vpc.public_subnets[0]
+  iam_instance_profile   = aws_iam_instance_profile.test_profile5.name
+
+  tags = {
+    Terraform   = "true"
+    Environment = "dev"
+  }
+}
+
+module "ec2_private_instance" {
+  source  = "terraform-aws-modules/ec2-instance/aws"
+  version = "~> 3.0"
+
+  name = "single-instance"
+
+  ami                    = "ami-ebd02392"
+  instance_type          = "t2.micro"
+  key_name               = "user1"
+  monitoring             = true
+  vpc_security_group_ids = ["sg-12345678"]
+  subnet_id              = module.vpc.private_subnets[0]
+  iam_instance_profile   = aws_iam_instance_profile.test_profile4.name
+
+  tags = {
+    Terraform   = "true"
+    Environment = "dev"
+  }
+}
+
+resource "aws_iam_instance_profile" "test_profile4" {
+  name = "test_profile"
+  role = "aws_iam_role.test_role4.name"
+}
+
+resource "aws_iam_instance_profile" "test_profile5" {
+  name = "test_profile"
+  role = "aws_iam_role.test_role5.name"
+}

assets/queries/terraform/aws/public_and_private_ec2_share_role/test/positive2.tf

@@ -0,0 +1,69 @@
+module "vpc" {
+  source = "terraform-aws-modules/vpc/aws"
+
+  name            = "Ec2RoleShareRule1"
+  azs             = ["us-east-1a", "us-east-1b", "us-east-1c"]
+  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+
+  enable_nat_gateway = true
+  enable_vpn_gateway = true
+
+  cidr                          = "10.0.0.0/16"
+  manage_default_security_group = true
+  default_security_group_ingress = [
+    {
+      from_port   = 22
+      to_port     = 22
+      protocol    = "tcp"
+      description = "ssh"
+      cidr_blocks = "0.0.0.0/0"
+  }]
+  default_security_group_egress = []
+  version                       = "3.7.0"
+}
+
+module "ec2_public_instance" {
+  source  = "terraform-aws-modules/ec2-instance/aws"
+  version = "~> 3.0"
+
+  name = "single-instance"
+
+  ami                    = "ami-ebd02392"
+  instance_type          = "t2.micro"
+  key_name               = "user1"
+  monitoring             = true
+  vpc_security_group_ids = ["sg-12345678"]
+  subnet_id              = module.vpc.public_subnets[0]
+  iam_instance_profile   = aws_iam_instance_profile.test_profile1.name
+
+  tags = {
+    Terraform   = "true"
+    Environment = "dev"
+  }
+}
+
+module "ec2_private_instance" {
+  source  = "terraform-aws-modules/ec2-instance/aws"
+  version = "~> 3.0"
+
+  name = "single-instance"
+
+  ami                    = "ami-ebd02392"
+  instance_type          = "t2.micro"
+  key_name               = "user1"
+  monitoring             = true
+  vpc_security_group_ids = ["sg-12345678"]
+  subnet_id              = module.vpc.private_subnets[0]
+  iam_instance_profile   = aws_iam_instance_profile.test_profile1.name
+
+  tags = {
+    Terraform   = "true"
+    Environment = "dev"
+  }
+}
+
+resource "aws_iam_instance_profile" "test_profile1" {
+  name = "test_profile"
+  role = "aws_iam_role.test_role1.name"
+}

assets/queries/terraform/aws/public_and_private_ec2_share_role/test/positive_expected_result.json

@@ -2,6 +2,13 @@
   {
     "queryName": "Public and Private EC2 Share Role",
     "severity": "MEDIUM",
-    "line": 103
+    "line": 103,
+    "filename": "positive1.tf"
+  },
+  {
+    "queryName": "Public and Private EC2 Share Role",
+    "severity": "MEDIUM",
+    "line": 38,
+    "filename": "positive2.tf"
   }
 ]