Merge pull request #6683 from Checkmarx/fix_6680

fix(query): ca certificate identifier is outdated tf aws

assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/metadata.json

@@ -3,8 +3,8 @@
   "queryName": "CA Certificate Identifier Is Outdated",
   "severity": "HIGH",
   "category": "Encryption",
-  "descriptionText": "The CA certificate Identifier must be 'rds-ca-2019'.",
-  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance",
+  "descriptionText": "The certificate authority (CA) is the certificate that identifies the root CA at the top of the certificate chain. The CA certificate identifier must be one provided by Amazon RDS.",
+  "descriptionUrl": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html",
   "platform": "Terraform",
   "descriptionID": "09935963",
   "cloudProvider": "aws"

assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/query.rego

@@ -5,15 +5,16 @@ import data.generic.terraform as tf_lib
 
 CxPolicy[result] {
 	resource := input.document[i].resource.aws_db_instance[name]
-	resource.ca_cert_identifier != "rds-ca-2019"
+	allowed := ["rds-ca-2019", "rds-ca-rsa2048-g1", "rds-ca-rsa4096-g1", "rds-ca-ecc384-g1"]
+    not common_lib.inArray(allowed, resource.ca_cert_identifier)
 
 	result := {
 		"documentId": input.document[i].id,
 		"resourceType": "aws_db_instance",
 		"resourceName": tf_lib.get_resource_name(resource, name),
 		"searchKey": sprintf("aws_db_instance[%s].ca_cert_identifier", [name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": "'aws_db_instance.ca_cert_identifier' should be 'rds-ca-2019'",
+		"keyExpectedValue": "'aws_db_instance.ca_cert_identifier' should be one provided by Amazon RDS.",
 		"keyActualValue": sprintf("'aws_db_instance.ca_cert_identifier' is '%s'", [resource.ca_cert_identifier]),
 		"searchLine": common_lib.build_search_line(["resource", "aws_db_instance", name, "ca_cert_identifier"], []),
 	}
@@ -22,15 +23,16 @@ CxPolicy[result] {
 CxPolicy[result] {
 	module := input.document[i].module[name]
 	keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_db_instance", "ca_cert_identifier")
-	module[keyToCheck] != "rds-ca-2019"
+	allowed := ["rds-ca-2019", "rds-ca-rsa2048-g1", "rds-ca-rsa4096-g1", "rds-ca-ecc384-g1"]
+    not common_lib.inArray(allowed, module[keyToCheck])
 
 	result := {
 		"documentId": input.document[i].id,
 		"resourceType": "n/a",
 		"resourceName": "n/a",
 		"searchKey": sprintf("module[%s].ca_cert_identifier", [name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": "'ca_cert_identifier' should be 'rds-ca-2019'",
+		"keyExpectedValue": "'ca_cert_identifier' should be one provided by Amazon RDS.",
 		"keyActualValue": sprintf("'ca_cert_identifier' is '%s'", [module.ca_cert_identifier]),
 		"searchLine": common_lib.build_search_line(["module", name, "ca_cert_identifier"], []),
 	}

assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/test/negative3.tf

@@ -0,0 +1,13 @@
+resource "aws_db_instance" "negative1" {
+  allocated_storage    = 20
+  storage_type         = "gp2"
+  engine               = "mysql"
+  engine_version       = "5.7"
+  instance_class       = "db.t2.micro"
+  name                 = "mydb"
+  username             = "foo"
+  password             = "foobarbaz"
+  iam_database_authentication_enabled = true
+  storage_encrypted = true
+  ca_cert_identifier = "rds-ca-rsa2048-g1"
+}

assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/test/negative4.tf

@@ -0,0 +1,75 @@
+module "db" {
+  source  = "terraform-aws-modules/rds/aws"
+  version = "~> 3.0"
+
+  identifier = "demodb"
+
+  engine            = "mysql"
+  engine_version    = "5.7.19"
+  instance_class    = "db.t2.large"
+  allocated_storage = 5
+  ca_cert_identifier = "rds-ca-rsa4096-g1"
+
+  name     = "demodb"
+  username = "user"
+  password = "YourPwdShouldBeLongAndSecure!"
+  port     = "3306"
+
+  iam_database_authentication_enabled = true
+
+  vpc_security_group_ids = ["sg-12345678"]
+
+  maintenance_window = "Mon:00:00-Mon:03:00"
+  backup_window      = "03:00-06:00"
+
+  # Enhanced Monitoring - see example for details on how to create the role
+  # by yourself, in case you don't want to create it automatically
+  monitoring_interval = "30"
+  monitoring_role_name = "MyRDSMonitoringRole"
+  create_monitoring_role = true
+
+  tags = {
+    Owner       = "user"
+    Environment = "dev"
+  }
+
+  # DB subnet group
+  subnet_ids = ["subnet-12345678", "subnet-87654321"]
+
+  # DB parameter group
+  family = "mysql5.7"
+
+  # DB option group
+  major_engine_version = "5.7"
+
+  # Database Deletion Protection
+  deletion_protection = true
+
+  parameters = [
+    {
+      name = "character_set_client"
+      value = "utf8mb4"
+    },
+    {
+      name = "character_set_server"
+      value = "utf8mb4"
+    }
+  ]
+
+  options = [
+    {
+      option_name = "MARIADB_AUDIT_PLUGIN"
+
+      option_settings = [
+        {
+          name  = "SERVER_AUDIT_EVENTS"
+          value = "CONNECT"
+        },
+        {
+          name  = "SERVER_AUDIT_FILE_ROTATIONS"
+          value = "37"
+        },
+      ]
+    },
+  ]
+}

assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/test/negative5.tf

@@ -0,0 +1,13 @@
+resource "aws_db_instance" "negative1" {
+  allocated_storage    = 20
+  storage_type         = "gp2"
+  engine               = "mysql"
+  engine_version       = "5.7"
+  instance_class       = "db.t2.micro"
+  name                 = "mydb"
+  username             = "foo"
+  password             = "foobarbaz"
+  iam_database_authentication_enabled = true
+  storage_encrypted = true
+  ca_cert_identifier = "rds-ca-ecc384-g1"
+}