
feat(google): improve AVD-GCP-0012 rule (#53)
* feat(google): improve AVD-GCP-0012 rule

* bump defsec and trivy-policies
nikpivkin authored Nov 22, 2023
1 parent 2ca3ac0 commit 0cb0329
Showing 9 changed files with 358 additions and 188 deletions.
37 changes: 16 additions & 21 deletions avd_docs/google/dns/AVD-GCP-0012/Terraform.md
Expand Up @@ -2,27 +2,22 @@
Use RSA SHA512

```hcl
resource "google_dns_managed_zone" "foo" {
name = "foobar"
dns_name = "foo.bar."
dnssec_config {
state = "on"
non_existence = "nsec3"
}
}
data "google_dns_keys" "foo_dns_keys" {
managed_zone = google_dns_managed_zone.foo.id
zone_signing_keys {
algorithm = "rsasha512"
}
}
output "foo_dns_ds_record" {
description = "DS record of the foo subdomain."
value = data.google_dns_keys.foo_dns_keys.key_signing_keys[0].ds_record
}
resource "google_dns_managed_zone" "example-zone" {
name = "example-zone"
dns_name = "example-${random_id.rnd.hex}.com."
dnssec_config {
state = "on"
default_key_specs {
algorithm = "rsasha512"
key_type = "keySigning"
}
default_key_specs {
algorithm = "rsasha512"
key_type = "zoneSigning"
}
}
}
```

4 changes: 2 additions & 2 deletions go.mod
Expand Up @@ -6,8 +6,8 @@ require (
github.com/BurntSushi/toml v1.3.2
github.com/Masterminds/semver v1.5.0
github.com/apparentlymart/go-cidr v1.1.0
github.com/aquasecurity/defsec v0.93.2-0.20231115015625-adcb9e5799e5
github.com/aquasecurity/trivy-policies v0.6.1-0.20231117215321-f2affd629c34
github.com/aquasecurity/defsec v0.93.2-0.20231117234854-a13ada52a90f
github.com/aquasecurity/trivy-policies v0.6.1-0.20231120231532-f6f2330bf842
github.com/aws/smithy-go v1.14.2
github.com/bmatcuk/doublestar/v4 v4.6.0
github.com/google/uuid v1.3.1
8 changes: 4 additions & 4 deletions go.sum
Expand Up @@ -238,10 +238,10 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6
github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY=
github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4=
github.com/aquasecurity/defsec v0.93.2-0.20231115015625-adcb9e5799e5 h1:CkfFZpctJrH+oHWlvuAE2qV4DNDqaVtPlEkVksbwuwo=
github.com/aquasecurity/defsec v0.93.2-0.20231115015625-adcb9e5799e5/go.mod h1:J30VViSgmoW2Ic/6aqVJO2qvuADsmZ3MYuNxPcU6Vt0=
github.com/aquasecurity/trivy-policies v0.6.1-0.20231117215321-f2affd629c34 h1:CWZNJiRB/IvS9ARjcY+7ZXWJ/jhVH5r4zoO06L+5DaE=
github.com/aquasecurity/trivy-policies v0.6.1-0.20231117215321-f2affd629c34/go.mod h1:o4r41Ig5yRnyvUcHXEgQeQFatPbWICVTMidByyPawxc=
github.com/aquasecurity/defsec v0.93.2-0.20231117234854-a13ada52a90f h1:cO9S78J2eBx9tEIZYwFoousuYWV4DtgQlGsZUusMyNY=
github.com/aquasecurity/defsec v0.93.2-0.20231117234854-a13ada52a90f/go.mod h1:J30VViSgmoW2Ic/6aqVJO2qvuADsmZ3MYuNxPcU6Vt0=
github.com/aquasecurity/trivy-policies v0.6.1-0.20231120231532-f6f2330bf842 h1:RnxM3eTcwPlA/WBwnmaEpeEk3WOCDcnz7yTIFxVL7us=
github.com/aquasecurity/trivy-policies v0.6.1-0.20231120231532-f6f2330bf842/go.mod h1:BmEeSFgmBjo3avCli71736sy0veGcSUzGATupp1MCgA=
github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
2 changes: 1 addition & 1 deletion internal/adapters/terraform/aws/rds/adapt.go
Expand Up @@ -224,7 +224,7 @@ func adaptCluster(resource *terraform.Block, modules terraform.Modules) (rds.Clu
PublicAccess: defsecTypes.Bool(public, resource.GetMetadata()),
Engine: resource.GetAttribute("engine").AsStringValueOrDefault(rds.EngineAurora, resource),
LatestRestorableTime: defsecTypes.TimeUnresolvable(resource.GetMetadata()),
AvailabilityZones: resource.GetAttribute("availability_zones").AsStringValueSliceOrEmpty(resource),
AvailabilityZones: resource.GetAttribute("availability_zones").AsStringValueSliceOrEmpty(),
DeletionProtection: resource.GetAttribute("deletion_protection").AsBoolValueOrDefault(false, resource),
}, ids
}
4 changes: 2 additions & 2 deletions internal/adapters/terraform/google/compute/networks.go
Expand Up @@ -68,8 +68,8 @@ func adaptNetworks(modules terraform.Modules) (networks []compute.Network) {
Name: firewallBlock.GetAttribute("name").AsStringValueOrDefault("", firewallBlock),
IngressRules: nil,
EgressRules: nil,
SourceTags: firewallBlock.GetAttribute("source_tags").AsStringValueSliceOrEmpty(firewallBlock),
TargetTags: firewallBlock.GetAttribute("target_tags").AsStringValueSliceOrEmpty(firewallBlock),
SourceTags: firewallBlock.GetAttribute("source_tags").AsStringValueSliceOrEmpty(),
TargetTags: firewallBlock.GetAttribute("target_tags").AsStringValueSliceOrEmpty(),
}

for _, allowBlock := range firewallBlock.GetBlocks("allow") {
101 changes: 27 additions & 74 deletions internal/adapters/terraform/google/dns/adapt.go
Expand Up @@ -16,96 +16,49 @@ func adaptManagedZones(modules terraform.Modules) []dns.ManagedZone {
var managedZones []dns.ManagedZone
for _, module := range modules {
for _, resource := range module.GetResourcesByType("google_dns_managed_zone") {
managedZone := adaptManagedZone(resource)
for _, data := range module.GetDatasByType("google_dns_keys") {
managedZone.DNSSec.DefaultKeySpecs = adaptKeySpecs(data)
}
managedZones = append(managedZones, managedZone)
managedZones = append(managedZones, adaptManagedZone(resource))
}
}
return managedZones
}

func adaptManagedZone(resource *terraform.Block) dns.ManagedZone {

zone := dns.ManagedZone{
Metadata: resource.GetMetadata(),
Visibility: defsecTypes.StringDefault("public", resource.GetMetadata()),
DNSSec: dns.DNSSec{
Metadata: resource.GetMetadata(),
Enabled: defsecTypes.BoolDefault(false, resource.GetMetadata()),
DefaultKeySpecs: dns.KeySpecs{
Metadata: resource.GetMetadata(),
KeySigningKey: dns.Key{
Metadata: resource.GetMetadata(),
Algorithm: defsecTypes.StringDefault("", resource.GetMetadata()),
},
ZoneSigningKey: dns.Key{
Metadata: resource.GetMetadata(),
Algorithm: defsecTypes.StringDefault("", resource.GetMetadata()),
},
},
},
}

if resource.HasChild("visibility") {
zone.Visibility = resource.GetAttribute("visibility").AsStringValueOrDefault("public", resource)
Visibility: resource.GetAttribute("visibility").AsStringValueOrDefault("public", resource),
DNSSec: adaptDNSSec(resource),
}
return zone
}

if resource.HasChild("dnssec_config") {
DNSSecBlock := resource.GetBlock("dnssec_config")
zone.DNSSec.Metadata = DNSSecBlock.GetMetadata()

stateAttr := DNSSecBlock.GetAttribute("state")
if stateAttr.Equals("on") {
zone.DNSSec.Enabled = defsecTypes.Bool(true, stateAttr.GetMetadata())
} else if stateAttr.Equals("off") || stateAttr.Equals("transfer") {
zone.DNSSec.Enabled = defsecTypes.Bool(false, stateAttr.GetMetadata())
func adaptDNSSec(b *terraform.Block) dns.DNSSec {
DNSSecBlock := b.GetBlock("dnssec_config")
if DNSSecBlock.IsNil() {
return dns.DNSSec{
Metadata: b.GetMetadata(),
Enabled: defsecTypes.BoolDefault(false, b.GetMetadata()),
}
}

if DNSSecBlock.HasChild("default_key_specs") {
DefaultKeySpecsBlock := DNSSecBlock.GetBlock("default_key_specs")
zone.DNSSec.DefaultKeySpecs.Metadata = DefaultKeySpecsBlock.GetMetadata()

algorithmAttr := DefaultKeySpecsBlock.GetAttribute("algorithm")
algorithmVal := algorithmAttr.AsStringValueOrDefault("", DefaultKeySpecsBlock)
stateAttr := DNSSecBlock.GetAttribute("state")

keyTypeAttr := DefaultKeySpecsBlock.GetAttribute("key_type")
if keyTypeAttr.Equals("keySigning") {
zone.DNSSec.DefaultKeySpecs.KeySigningKey.Algorithm = algorithmVal
zone.DNSSec.DefaultKeySpecs.KeySigningKey.Metadata = keyTypeAttr.GetMetadata()
} else if keyTypeAttr.Equals("zoneSigning") {
zone.DNSSec.DefaultKeySpecs.ZoneSigningKey.Algorithm = algorithmVal
zone.DNSSec.DefaultKeySpecs.ZoneSigningKey.Metadata = keyTypeAttr.GetMetadata()
}
}
DNSSec := dns.DNSSec{
Metadata: DNSSecBlock.GetMetadata(),
Enabled: defsecTypes.Bool(stateAttr.Equals("on"), stateAttr.GetMetadata()),
DefaultKeySpecs: adaptKeySpecs(DNSSecBlock),
}
return zone
}

func adaptKeySpecs(resource *terraform.Block) dns.KeySpecs {
keySpecs := dns.KeySpecs{
Metadata: resource.GetMetadata(),
KeySigningKey: dns.Key{
Metadata: resource.GetMetadata(),
Algorithm: defsecTypes.String("", resource.GetMetadata()),
},
ZoneSigningKey: dns.Key{
Metadata: resource.GetMetadata(),
Algorithm: defsecTypes.String("", resource.GetMetadata()),
},
}
KeySigningKeysBlock := resource.GetBlock("key_signing_keys")
if KeySigningKeysBlock.IsNotNil() {
algorithmAttr := KeySigningKeysBlock.GetAttribute("algorithm")
keySpecs.KeySigningKey.Algorithm = algorithmAttr.AsStringValueOrDefault("", KeySigningKeysBlock)
}
return DNSSec
}

ZoneSigningKeysBlock := resource.GetBlock("zone_signing_keys")
if ZoneSigningKeysBlock.IsNotNil() {
algorithmAttr := ZoneSigningKeysBlock.GetAttribute("algorithm")
keySpecs.ZoneSigningKey.Algorithm = algorithmAttr.AsStringValueOrDefault("", ZoneSigningKeysBlock)
func adaptKeySpecs(b *terraform.Block) []dns.KeySpecs {
var keySpecs []dns.KeySpecs
for _, keySpecsBlock := range b.GetBlocks("default_key_specs") {
keySpecs = append(keySpecs, dns.KeySpecs{
Metadata: keySpecsBlock.GetMetadata(),
Algorithm: keySpecsBlock.GetAttribute("algorithm").AsStringValueOrDefault("", keySpecsBlock),
KeyType: keySpecsBlock.GetAttribute("key_type").AsStringValueOrDefault("", keySpecsBlock),
})
}

return keySpecs
}
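Review bot: In adaptDNSSec, `Enabled` is now `defsecTypes.Bool(stateAttr.Equals("on"), stateAttr.GetMetadata())`, so any `state` that is not the literal "on" — an absent attribute, or a value the adapter cannot resolve such as a variable reference — is recorded as an explicit false rather than the default the old code kept for unrecognised values. If the downstream check distinguishes an explicit false from a default (I cannot confirm that from here), consider keeping the old three-way handling: `enabled := defsecTypes.BoolDefault(false, DNSSecBlock.GetMetadata())`, then `if stateAttr.Equals("on") { enabled = defsecTypes.Bool(true, stateAttr.GetMetadata()) } else if stateAttr.Equals("off") || stateAttr.Equals("transfer") { enabled = defsecTypes.Bool(false, stateAttr.GetMetadata()) }`, and use `enabled` in the struct literal. As a style point, the locals `DNSSecBlock` and `DNSSec` should be lower camel case (`dnssecBlock`, `dnssec`); the second in particular reads as if it were the `dns.DNSSec` type. The signature of adaptManagedZones sits in the hunk's header context just above the first shown line.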
93 changes: 29 additions & 64 deletions internal/adapters/terraform/google/dns/adapt_test.go
Expand Up @@ -23,21 +23,25 @@ func Test_Adapt(t *testing.T) {
{
name: "basic",
terraform: `
resource "google_dns_managed_zone" "example" {
name = "example-zone"
dns_name = "example-${random_id.rnd.hex}.com."
description = "Example DNS zone"
labels = {
foo = "bar"
}
dnssec_config {
state = "on"
default_key_specs {
algorithm = "rsasha1"
key_type = "keySigning"
}
}
}
resource "google_dns_managed_zone" "example" {
name = "example-zone"
dns_name = "example-${random_id.rnd.hex}.com."
description = "Example DNS zone"
labels = {
foo = "bar"
}
dnssec_config {
state = "on"
default_key_specs {
algorithm = "rsasha1"
key_type = "keySigning"
}
default_key_specs {
algorithm = "rsasha1"
key_type = "zoneSigning"
}
}
}
`,
expected: dns.DNS{
ManagedZones: []dns.ManagedZone{
Expand All @@ -46,15 +50,16 @@ func Test_Adapt(t *testing.T) {
Visibility: defsecTypes.String("public", defsecTypes.NewTestMetadata()),
DNSSec: dns.DNSSec{
Enabled: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
DefaultKeySpecs: dns.KeySpecs{
Metadata: defsecTypes.NewTestMetadata(),
ZoneSigningKey: dns.Key{
DefaultKeySpecs: []dns.KeySpecs{
{
Metadata: defsecTypes.NewTestMetadata(),
Algorithm: defsecTypes.String("", defsecTypes.NewTestMetadata()),
Algorithm: defsecTypes.String("rsasha1", defsecTypes.NewTestMetadata()),
KeyType: defsecTypes.String("keySigning", defsecTypes.NewTestMetadata()),
},
KeySigningKey: dns.Key{
{
Metadata: defsecTypes.NewTestMetadata(),
Algorithm: defsecTypes.String("rsasha1", defsecTypes.NewTestMetadata()),
KeyType: defsecTypes.String("zoneSigning", defsecTypes.NewTestMetadata()),
},
},
},
Expand All @@ -73,46 +78,6 @@ func Test_Adapt(t *testing.T) {
}
}

func Test_adaptKeySpecs(t *testing.T) {
tests := []struct {
name string
terraform string
expected dns.KeySpecs
}{
{
name: "basic",
terraform: `
data "google_dns_keys" "foo_dns_keys" {
managed_zone = google_dns_managed_zone.example.id
zone_signing_keys {
algorithm = "rsasha512"
}
}
`,
expected: dns.KeySpecs{
Metadata: defsecTypes.NewTestMetadata(),
ZoneSigningKey: dns.Key{
Metadata: defsecTypes.NewTestMetadata(),
Algorithm: defsecTypes.String("rsasha512", defsecTypes.NewTestMetadata()),
},
KeySigningKey: dns.Key{
Metadata: defsecTypes.NewTestMetadata(),
Algorithm: defsecTypes.String("", defsecTypes.NewTestMetadata()),
},
},
},
}

for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
modules := tftestutil.CreateModulesFromSource(t, test.terraform, ".tf")
adapted := adaptKeySpecs(modules.GetBlocks()[0])
testutil.AssertDefsecEqual(t, test.expected, adapted)
})
}
}

func TestLines(t *testing.T) {
src := `
resource "google_dns_managed_zone" "example" {
Expand Down Expand Up @@ -140,9 +105,9 @@ func TestLines(t *testing.T) {
assert.Equal(t, 7, zone.DNSSec.Enabled.GetMetadata().Range().GetStartLine())
assert.Equal(t, 7, zone.DNSSec.Enabled.GetMetadata().Range().GetEndLine())

assert.Equal(t, 8, zone.DNSSec.DefaultKeySpecs.Metadata.Range().GetStartLine())
assert.Equal(t, 11, zone.DNSSec.DefaultKeySpecs.Metadata.Range().GetEndLine())
assert.Equal(t, 8, zone.DNSSec.DefaultKeySpecs[0].Metadata.Range().GetStartLine())
assert.Equal(t, 11, zone.DNSSec.DefaultKeySpecs[0].Metadata.Range().GetEndLine())

assert.Equal(t, 9, zone.DNSSec.DefaultKeySpecs.KeySigningKey.Algorithm.GetMetadata().Range().GetStartLine())
assert.Equal(t, 9, zone.DNSSec.DefaultKeySpecs.KeySigningKey.Algorithm.GetMetadata().Range().GetEndLine())
assert.Equal(t, 9, zone.DNSSec.DefaultKeySpecs[0].Algorithm.GetMetadata().Range().GetStartLine())
assert.Equal(t, 9, zone.DNSSec.DefaultKeySpecs[0].Algorithm.GetMetadata().Range().GetEndLine())
}
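Review bot: Test_adaptKeySpecs is deleted rather than adapted to the new `default_key_specs` shape, so within this view adaptKeySpecs has no direct test for a zone with no `default_key_specs` block (it returns a nil slice) or with a single block, and adaptDNSSec's nil-`dnssec_config` branch is only covered if a case hidden behind the collapsed part of Test_Adapt exercises it. Re-adding a small table test that feeds adaptKeySpecs the `dnssec_config` block would pin those two cases; the helpers it needs (`tftestutil.CreateModulesFromSource`, `modules.GetBlocks()[0]`, `testutil.AssertDefsecEqual`) are the ones the removed test already used. Whether `AssertDefsecEqual` treats a nil expected slice and a nil result as equal I cannot tell from here, so the first case may need `[]dns.KeySpecs{}` instead. Test_Adapt's opening lines are above this hunk and TestLines continues outside it.
```go
func Test_adaptKeySpecs(t *testing.T) {
	tests := []struct {
		name      string
		terraform string
		expected  []dns.KeySpecs
	}{
		{
			name: "no default_key_specs",
			terraform: `
resource "google_dns_managed_zone" "example" {
  dnssec_config {
    state = "on"
  }
}
`,
			expected: nil,
		},
		{
			name: "zone signing key only",
			terraform: `
resource "google_dns_managed_zone" "example" {
  dnssec_config {
    state = "on"
    default_key_specs {
      algorithm = "rsasha512"
      key_type  = "zoneSigning"
    }
  }
}
`,
			expected: []dns.KeySpecs{
				{
					Metadata:  defsecTypes.NewTestMetadata(),
					Algorithm: defsecTypes.String("rsasha512", defsecTypes.NewTestMetadata()),
					KeyType:   defsecTypes.String("zoneSigning", defsecTypes.NewTestMetadata()),
				},
			},
		},
	}

	for _, test := range tests {
		t.Run(test.name, func(t *testing.T) {
			modules := tftestutil.CreateModulesFromSource(t, test.terraform, ".tf")
			adapted := adaptKeySpecs(modules.GetBlocks()[0].GetBlock("dnssec_config"))
			testutil.AssertDefsecEqual(t, test.expected, adapted)
		})
	}
}
```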
