-
Notifications
You must be signed in to change notification settings - Fork 307
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'master' into kics-782-aws-pulumi
- Loading branch information
Showing
49 changed files
with
1,196 additions
and
53 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
12 changes: 0 additions & 12 deletions
12
...ts/queries/ansible/aws/db_instance_publicly_accessible/test/positive_expected_result.json
This file was deleted.
Oops, something went wrong.
2 changes: 1 addition & 1 deletion
2
...nstance_publicly_accessible/metadata.json → ...nstance_publicly_accessible/metadata.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
File renamed without changes.
File renamed without changes.
File renamed without changes.
12 changes: 12 additions & 0 deletions
12
...ueries/ansible/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
[ | ||
{ | ||
"queryName": "RDS DB Instance Publicly Accessible", | ||
"severity": "HIGH", | ||
"line": 12 | ||
}, | ||
{ | ||
"queryName": "RDS DB Instance Publicly Accessible", | ||
"severity": "HIGH", | ||
"line": 22 | ||
} | ||
] |
11 changes: 11 additions & 0 deletions
11
assets/queries/cloudFormation/aws/docdb_logging_disabled/metadata.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
{ | ||
"id": "1bf3b3d4-f373-4d7c-afbb-7d85948a67a5", | ||
"queryName": "DocDB Logging Is Disabled", | ||
"severity": "LOW", | ||
"category": "Observability", | ||
"descriptionText": "DocDB logging should be enabled", | ||
"descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-docdb-dbcluster.html#cfn-docdb-dbcluster-enablecloudwatchlogsexports", | ||
"platform": "CloudFormation", | ||
"descriptionID": "4818ceaf", | ||
"cloudProvider": "aws" | ||
} |
52 changes: 52 additions & 0 deletions
52
assets/queries/cloudFormation/aws/docdb_logging_disabled/query.rego
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,52 @@ | ||
package Cx | ||
|
||
import data.generic.cloudformation as cf_lib | ||
import data.generic.common as common_lib | ||
|
||
validTypes := {"profiler", "audit"} | ||
|
||
validTypeConcat := concat(", ", validTypes) | ||
|
||
CxPolicy[result] { | ||
document := input.document[i] | ||
resource := document.Resources[key] | ||
resource.Type == "AWS::DocDB::DBCluster" | ||
properties := resource.Properties | ||
|
||
not common_lib.valid_key(properties, "EnableCloudwatchLogsExports") | ||
|
||
result := { | ||
"documentId": input.document[i].id, | ||
"resourceType": "AWS::DocDB::DBCluster", | ||
"resourceName": key, | ||
"searchKey": sprintf("Resources.%s.Properties", [key]), | ||
"searchLine": common_lib.build_search_line(["Resources", key, "Properties"], []), | ||
"issueType": "MissingAttribute", | ||
"keyExpectedValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports should be defined", | ||
"keyActualValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports is undefined", | ||
} | ||
} | ||
|
||
CxPolicy[result] { | ||
document := input.document[i] | ||
resource := document.Resources[key] | ||
resource.Type == "AWS::DocDB::DBCluster" | ||
properties := resource.Properties | ||
logs := properties.EnableCloudwatchLogsExports | ||
|
||
logsSet := {log | log := logs[_]} | ||
missingTypes := validTypes - logsSet | ||
|
||
count(missingTypes) > 0 | ||
|
||
result := { | ||
"documentId": input.document[i].id, | ||
"resourceType": "AWS::DocDB::DBCluster", | ||
"resourceName": key, | ||
"searchKey": sprintf("Resources.%s.Properties.EnableCloudwatchLogsExports", [key]), | ||
"searchLine": common_lib.build_search_line(["Resources", key, "Properties", "EnableCloudwatchLogsExports"], []), | ||
"issueType": "IncorrectValue", | ||
"keyExpectedValue": sprintf("AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports should have all following values: %s", [validTypeConcat]), | ||
"keyActualValue": sprintf("AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports haven't got the following values: %s", [concat(", ", missingTypes)]), | ||
} | ||
} |
34 changes: 34 additions & 0 deletions
34
assets/queries/cloudFormation/aws/docdb_logging_disabled/test/negative1.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
AWSTemplateFormatVersion: '2010-09-09' | ||
Resources: | ||
MyDocDBCluster: | ||
Type: AWS::DocDB::DBCluster | ||
Properties: | ||
AvailabilityZones: | ||
- us-east-1a | ||
- us-east-1b | ||
BackupRetentionPeriod: 30 | ||
CopyTagsToSnapshot: true | ||
DBClusterIdentifier: my-docdb-cluster | ||
DBClusterParameterGroupName: default.docdb3.6 | ||
DBSubnetGroupName: my-docdb-subnet-group | ||
DeletionProtection: false | ||
EnableCloudwatchLogsExports: | ||
- error | ||
- general | ||
- profiler | ||
- audit | ||
EngineVersion: "3.6.0" | ||
KmsKeyId: "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab" | ||
MasterUsername: mydocdbuser | ||
MasterUserPassword: mysecretpassword123 | ||
Port: 27017 | ||
PreferredBackupWindow: "07:00-09:00" | ||
PreferredMaintenanceWindow: "sun:05:00-sun:06:00" | ||
StorageEncrypted: true | ||
Tags: | ||
- Key: Name | ||
Value: MyDocDBCluster | ||
UseLatestRestorableTime: true | ||
VpcSecurityGroupIds: | ||
- sg-0123456789abcdef0 | ||
- sg-abcdef01234567890 |
33 changes: 33 additions & 0 deletions
33
assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive1.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
{ | ||
"AWSTemplateFormatVersion": "2010-09-09", | ||
"Resources": { | ||
"MyDocDBCluster": { | ||
"Type": "AWS::DocDB::DBCluster", | ||
"Properties": { | ||
"AvailabilityZones": ["us-east-1a", "us-east-1b"], | ||
"BackupRetentionPeriod": 30, | ||
"CopyTagsToSnapshot": true, | ||
"DBClusterIdentifier": "my-docdb-cluster", | ||
"DBClusterParameterGroupName": "default.docdb3.6", | ||
"DBSubnetGroupName": "my-docdb-subnet-group", | ||
"DeletionProtection": false, | ||
"EngineVersion": "3.6.0", | ||
"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab", | ||
"MasterUsername": "mydocdbuser", | ||
"MasterUserPassword": "mysecretpassword123", | ||
"Port": 27017, | ||
"PreferredBackupWindow": "07:00-09:00", | ||
"PreferredMaintenanceWindow": "sun:05:00-sun:06:00", | ||
"StorageEncrypted": true, | ||
"Tags": [ | ||
{ | ||
"Key": "Name", | ||
"Value": "MyDocDBCluster" | ||
} | ||
], | ||
"UseLatestRestorableTime": true, | ||
"VpcSecurityGroupIds": ["sg-0123456789abcdef0", "sg-abcdef01234567890"] | ||
} | ||
} | ||
} | ||
} |
30 changes: 30 additions & 0 deletions
30
assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive2.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
AWSTemplateFormatVersion: '2010-09-09' | ||
Resources: | ||
MyDocDBCluster: | ||
Type: AWS::DocDB::DBCluster | ||
Properties: | ||
AvailabilityZones: | ||
- us-east-1a | ||
- us-east-1b | ||
BackupRetentionPeriod: 30 | ||
CopyTagsToSnapshot: true | ||
DBClusterIdentifier: my-docdb-cluster | ||
DBClusterParameterGroupName: default.docdb3.6 | ||
DBSubnetGroupName: my-docdb-subnet-group | ||
DeletionProtection: false | ||
EnableCloudwatchLogsExports: [] | ||
EngineVersion: "3.6.0" | ||
KmsKeyId: "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab" | ||
MasterUsername: mydocdbuser | ||
MasterUserPassword: mysecretpassword123 | ||
Port: 27017 | ||
PreferredBackupWindow: "07:00-09:00" | ||
PreferredMaintenanceWindow: "sun:05:00-sun:06:00" | ||
StorageEncrypted: true | ||
Tags: | ||
- Key: Name | ||
Value: MyDocDBCluster | ||
UseLatestRestorableTime: true | ||
VpcSecurityGroupIds: | ||
- sg-0123456789abcdef0 | ||
- sg-abcdef01234567890 |
33 changes: 33 additions & 0 deletions
33
assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive3.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
AWSTemplateFormatVersion: '2010-09-09' | ||
Resources: | ||
MyDocDBCluster: | ||
Type: AWS::DocDB::DBCluster | ||
Properties: | ||
AvailabilityZones: | ||
- us-east-1a | ||
- us-east-1b | ||
BackupRetentionPeriod: 30 | ||
CopyTagsToSnapshot: true | ||
DBClusterIdentifier: my-docdb-cluster | ||
DBClusterParameterGroupName: default.docdb3.6 | ||
DBSubnetGroupName: my-docdb-subnet-group | ||
DeletionProtection: false | ||
EnableCloudwatchLogsExports: | ||
- error | ||
- general | ||
- profiler | ||
EngineVersion: "3.6.0" | ||
KmsKeyId: "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab" | ||
MasterUsername: mydocdbuser | ||
MasterUserPassword: mysecretpassword123 | ||
Port: 27017 | ||
PreferredBackupWindow: "07:00-09:00" | ||
PreferredMaintenanceWindow: "sun:05:00-sun:06:00" | ||
StorageEncrypted: true | ||
Tags: | ||
- Key: Name | ||
Value: MyDocDBCluster | ||
UseLatestRestorableTime: true | ||
VpcSecurityGroupIds: | ||
- sg-0123456789abcdef0 | ||
- sg-abcdef01234567890 |
34 changes: 34 additions & 0 deletions
34
assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive4.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
{ | ||
"AWSTemplateFormatVersion": "2010-09-09", | ||
"Resources": { | ||
"MyDocDBCluster": { | ||
"Type": "AWS::DocDB::DBCluster", | ||
"Properties": { | ||
"AvailabilityZones": ["us-east-1a", "us-east-1b"], | ||
"BackupRetentionPeriod": 30, | ||
"CopyTagsToSnapshot": true, | ||
"DBClusterIdentifier": "my-docdb-cluster", | ||
"DBClusterParameterGroupName": "default.docdb3.6", | ||
"DBSubnetGroupName": "my-docdb-subnet-group", | ||
"DeletionProtection": false, | ||
"EnableCloudwatchLogsExports": ["error", "general", "audit"], | ||
"EngineVersion": "3.6.0", | ||
"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab", | ||
"MasterUsername": "mydocdbuser", | ||
"MasterUserPassword": "mysecretpassword123", | ||
"Port": 27017, | ||
"PreferredBackupWindow": "07:00-09:00", | ||
"PreferredMaintenanceWindow": "sun:05:00-sun:06:00", | ||
"StorageEncrypted": true, | ||
"Tags": [ | ||
{ | ||
"Key": "Name", | ||
"Value": "MyDocDBCluster" | ||
} | ||
], | ||
"UseLatestRestorableTime": true, | ||
"VpcSecurityGroupIds": ["sg-0123456789abcdef0", "sg-abcdef01234567890"] | ||
} | ||
} | ||
} | ||
} |
26 changes: 26 additions & 0 deletions
26
assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive_expected_result.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
[ | ||
{ | ||
"queryName": "DocDB Logging Is Disabled", | ||
"severity": "LOW", | ||
"line": 6, | ||
"filename": "positive1.json" | ||
}, | ||
{ | ||
"queryName": "DocDB Logging Is Disabled", | ||
"severity": "LOW", | ||
"line": 15, | ||
"filename": "positive2.yaml" | ||
}, | ||
{ | ||
"queryName": "DocDB Logging Is Disabled", | ||
"severity": "LOW", | ||
"line": 15, | ||
"filename": "positive3.yaml" | ||
}, | ||
{ | ||
"queryName": "DocDB Logging Is Disabled", | ||
"severity": "LOW", | ||
"line": 14, | ||
"filename": "positive4.json" | ||
} | ||
] |
11 changes: 11 additions & 0 deletions
11
assets/queries/crossplane/aws/docdb_logging_disabled/metadata.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
{ | ||
"id": "e6cd49ba-77ed-417f-9bca-4f5303554308", | ||
"queryName": "DocDB Logging Is Disabled", | ||
"severity": "LOW", | ||
"category": "Observability", | ||
"descriptionText": "DocDB logging should be enabled", | ||
"descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-aws/docdb.aws.crossplane.io/DBCluster/v1alpha1@v0.21.1#status-atProvider-enabledCloudwatchLogsExports", | ||
"platform": "Crossplane", | ||
"descriptionID": "60b6794e", | ||
"cloudProvider": "aws" | ||
} |
55 changes: 55 additions & 0 deletions
55
assets/queries/crossplane/aws/docdb_logging_disabled/query.rego
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,55 @@ | ||
package Cx | ||
|
||
import data.generic.common as common_lib | ||
import data.generic.crossplane as cp_lib | ||
|
||
validTypes := {"profiler", "audit"} | ||
|
||
validTypeConcat := concat(", ", validTypes) | ||
|
||
CxPolicy[result] { | ||
docs := input.document[i] | ||
[path, resource] := walk(docs) | ||
resource.kind == "DBCluster" | ||
spec = resource.spec | ||
|
||
not common_lib.valid_key(spec.forProvider, "enableCloudwatchLogsExports") | ||
|
||
result := { | ||
"documentId": input.document[i].id, | ||
"resourceType": "DBCluster", | ||
"resourceName": resource.metadata.name, | ||
"searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider", [cp_lib.getPath(path), resource.metadata.name]), | ||
"searchLine": common_lib.build_search_line(path, ["spec", "forProvider"]), | ||
"issueType": "MissingAttribute", | ||
"keyExpectedValue": "DBCluster.enableCloudwatchLogsExports should be defined", | ||
"keyActualValue": "DBCluster.enableCloudwatchLogsExports is undefined", | ||
} | ||
} | ||
|
||
|
||
CxPolicy[result] { | ||
docs := input.document[i] | ||
[path, resource] := walk(docs) | ||
resource.kind == "DBCluster" | ||
|
||
spec := resource.spec | ||
provider := spec.forProvider | ||
logs := provider.enableCloudwatchLogsExports | ||
|
||
logsSet := {log | log := logs[_]} | ||
missingTypes := validTypes - logsSet | ||
|
||
count(missingTypes) > 0 | ||
|
||
result := { | ||
"documentId": input.document[i].id, | ||
"resourceType": "DBCluster", | ||
"resourceName": resource.metadata.name, | ||
"searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider.enableCloudwatchLogsExports", [cp_lib.getPath(path), resource.metadata.name]), | ||
"searchLine": common_lib.build_search_line(path, ["spec", "forProvider","enableCloudwatchLogsExports"]), | ||
"issueType": "IncorrectValue", | ||
"keyExpectedValue": sprintf("DBCluster.enableCloudwatchLogsExports should have all following values: %s", [validTypeConcat]), | ||
"keyActualValue": sprintf("DBCluster.enableCloudwatchLogsExports has the following missing values: %s", [concat(", ", missingTypes)]), | ||
} | ||
} |
Oops, something went wrong.