feat(engine): Added data source policy to terraform (Checkmarx#4409)

Signed-off-by: Felipe Avelar <[email protected]>

assets/libraries/terraform.rego

@@ -449,6 +449,8 @@ check_principals(statement) {
 
 check_actions(statement, typeAction) {
 	any([statement.actions[_] == typeAction, statement.actions[_] == "*"])
+} else {
+	any([statement.Actions[_] == typeAction, statement.Actions[_] == "*"])
 }
 
 # it verifies if 'Principal' or 'Actions' has wildcard
@@ -493,7 +495,7 @@ get_accessibility(resource, name, resourcePolicyName, resourceTarget) = accessib
 	accessibility = "restrict"
 } else = accessibility {
 	not common_lib.valid_key(resource, "policy")
-	
+
 	resourcePolicy := input.document[_].resource[resourcePolicyName][_]
 	split(resourcePolicy[resourceTarget], ".")[1] == name
 
@@ -502,7 +504,7 @@ get_accessibility(resource, name, resourcePolicyName, resourceTarget) = accessib
 	accessibility = "public"
 } else = accessibility {
 	not common_lib.valid_key(resource, "policy")
-	
+
 	resourcePolicy := input.document[_].resource[resourcePolicyName][_]
 	split(resourcePolicy[resourceTarget], ".")[1] == name
 

assets/queries/terraform/aws/cloudwatch_logs_destination_with_vulnerable_policy/query.rego

@@ -1,19 +1,18 @@
 package Cx
 
-import data.generic.terraform as terraLib
+import data.generic.common as common_lib
+import data.generic.terraform as terra_lib
 
 CxPolicy[result] {
 	resource := input.document[i].resource.aws_cloudwatch_log_destination_policy[name]
 
-	policyName := split(resource.access_policy, ".")[2]
-
-	policy := input.document[j].data.aws_iam_policy_document[policyName]
-
-	terraLib.has_wildcard(policy.statement, "logs:*")
+	policy := common_lib.json_unmarshal(resource.access_policy)
+	statement := policy.Statement
+	terra_lib.has_wildcard(statement[_], "logs:*")
 
 	result := {
 		"documentId": input.document[i].id,
-		"searchKey": sprintf("ws_cloudwatch_log_destination_policy[%s].access_policy", [name]),
+		"searchKey": sprintf("aws_cloudwatch_log_destination_policy[%s].access_policy", [name]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": sprintf("ws_cloudwatch_log_destination_policy[%s].access_policy does not have wildcard in 'principals' and 'actions'", [name]),
 		"keyActualValue": sprintf("ws_cloudwatch_log_destination_policy[%s].access_policy has wildcard in 'principals' or 'actions'", [name]),

assets/queries/terraform/aws/glue_with_vulnerable_policy/query.rego

@@ -1,15 +1,14 @@
 package Cx
 
-import data.generic.terraform as terraLib
+import data.generic.common as common_lib
+import data.generic.terraform as terra_lib
 
 CxPolicy[result] {
 	resource := input.document[i].resource.aws_glue_resource_policy[name]
 
-	policyName := split(resource.policy, ".")[2]
-
-	policy := input.document[j].data.aws_iam_policy_document[policyName]
-
-	terraLib.has_wildcard(policy.statement, "glue:*")
+	policy := common_lib.json_unmarshal(resource.policy)
+	statement := policy.Statement
+	terra_lib.has_wildcard(statement[_], "glue:*")
 
 	result := {
 		"documentId": input.document[i].id,

pkg/parser/terraform/converter/default.go

@@ -16,17 +16,17 @@ import (
 	ctyjson "github.com/zclconf/go-cty/cty/json"
 )
 
-// InputVariableMap represents a set of terraform input variables
-type InputVariableMap map[string]cty.Value
+// VariableMap represents a set of terraform input variables
+type VariableMap map[string]cty.Value
 
-var inputVarMap = make(InputVariableMap)
+var inputVarMap = make(VariableMap)
 
 // This file is attributed to https://github.com/tmccombs/hcl2json.
 // convertBlock() is manipulated for combining the both blocks and labels for one given resource.
 
 // DefaultConverted an hcl File to a toJson serializable object
 // This assumes that the body is a hclsyntax.Body
-var DefaultConverted = func(file *hcl.File, inputVariables InputVariableMap) (model.Document, error) {
+var DefaultConverted = func(file *hcl.File, inputVariables VariableMap) (model.Document, error) {
 	inputVarMap = inputVariables
 	c := converter{bytes: file.Bytes}
 	body, err := c.convertBody(file.Body.(*hclsyntax.Body), 0)

pkg/parser/terraform/converter/default_test.go

@@ -54,7 +54,7 @@ block "label_one" "label_two" {
 
 	file, _ := hclsyntax.ParseConfig([]byte(input), "testFileName", hcl.Pos{Byte: 0, Line: 1, Column: 1})
 
-	body, err := DefaultConverted(file, InputVariableMap{})
+	body, err := DefaultConverted(file, VariableMap{})
 	require.NoError(t, err)
 	compareJSONLine(t, body, expected)
 }
@@ -154,7 +154,7 @@ block "label_one" "label_two" {
 
 	file, _ := hclsyntax.ParseConfig([]byte(input), "testFileName", hcl.Pos{Byte: 0, Line: 1, Column: 1})
 
-	body, err := DefaultConverted(file, InputVariableMap{})
+	body, err := DefaultConverted(file, VariableMap{})
 	require.NoError(t, err)
 	compareJSONLine(t, body, expected)
 }
@@ -199,7 +199,7 @@ block "label_one" {
 
 	file, _ := hclsyntax.ParseConfig([]byte(input), "testFileName", hcl.Pos{Byte: 0, Line: 1, Column: 1})
 
-	body, err := DefaultConverted(file, InputVariableMap{})
+	body, err := DefaultConverted(file, VariableMap{})
 	require.NoError(t, err)
 	compareJSONLine(t, body, expected)
 }
@@ -254,7 +254,7 @@ block "label_one" {
 
 	file, _ := hclsyntax.ParseConfig([]byte(input), "testFileName", hcl.Pos{Byte: 0, Line: 1, Column: 1})
 
-	body, err := DefaultConverted(file, InputVariableMap{})
+	body, err := DefaultConverted(file, VariableMap{})
 	require.NoError(t, err)
 	compareJSONLine(t, body, expected)
 }
@@ -277,7 +277,7 @@ block "label_one" {
 
 	file, _ := hclsyntax.ParseConfig([]byte(input), "testFileName", hcl.Pos{Byte: 0, Line: 1, Column: 1})
 
-	body, err := DefaultConverted(file, InputVariableMap{
+	body, err := DefaultConverted(file, VariableMap{
 		"var": cty.ObjectVal(map[string]cty.Value{
 			"test": cty.StringVal("my-test"),
 		}),
@@ -664,7 +664,7 @@ variable "region" {
 
 	file, _ := hclsyntax.ParseConfig([]byte(input), "testFileName", hcl.Pos{Byte: 0, Line: 1, Column: 1})
 
-	body, err := DefaultConverted(file, InputVariableMap{})
+	body, err := DefaultConverted(file, VariableMap{})
 	require.NoError(t, err)
 	compareJSONLine(t, body, expected)
 }