From 0cb0329f9a17ffe15636324ba6b510df8d0c8c1a Mon Sep 17 00:00:00 2001 From: Nikita Pivkin Date: Thu, 23 Nov 2023 01:27:38 +0300 Subject: [PATCH] feat(google): improve AVD-GCP-0012 rule (#53) * feat(google): improve AVD-GCP-0012 rule * bump defsec and trivy-policies --- avd_docs/google/dns/AVD-GCP-0012/Terraform.md | 37 +-- go.mod | 4 +- go.sum | 8 +- internal/adapters/terraform/aws/rds/adapt.go | 2 +- .../terraform/google/compute/networks.go | 4 +- .../adapters/terraform/google/dns/adapt.go | 101 ++----- .../terraform/google/dns/adapt_test.go | 93 ++---- pkg/rego/schemas/cloud.json | 285 +++++++++++++++++- pkg/scanners/terraform/parser/parser_test.go | 12 +- 9 files changed, 358 insertions(+), 188 deletions(-) diff --git a/avd_docs/google/dns/AVD-GCP-0012/Terraform.md b/avd_docs/google/dns/AVD-GCP-0012/Terraform.md index 171af985..a4b30f8d 100644 --- a/avd_docs/google/dns/AVD-GCP-0012/Terraform.md +++ b/avd_docs/google/dns/AVD-GCP-0012/Terraform.md @@ -2,27 +2,22 @@ Use RSA SHA512 ```hcl - resource "google_dns_managed_zone" "foo" { - name = "foobar" - dns_name = "foo.bar." - - dnssec_config { - state = "on" - non_existence = "nsec3" - } - } - - data "google_dns_keys" "foo_dns_keys" { - managed_zone = google_dns_managed_zone.foo.id - zone_signing_keys { - algorithm = "rsasha512" - } - } - - output "foo_dns_ds_record" { - description = "DS record of the foo subdomain." - value = data.google_dns_keys.foo_dns_keys.key_signing_keys[0].ds_record - } +resource "google_dns_managed_zone" "example-zone" { + name = "example-zone" + dns_name = "example-${random_id.rnd.hex}.com." + + dnssec_config { + state = "on" + default_key_specs { + algorithm = "rsasha512" + key_type = "keySigning" + } + default_key_specs { + algorithm = "rsasha512" + key_type = "zoneSigning" + } + } +} ``` diff --git a/go.mod b/go.mod index 6380c29f..a489cea4 100644 --- a/go.mod +++ b/go.mod 
@@ -6,8 +6,8 @@ require (
 	github.com/BurntSushi/toml v1.3.2
 	github.com/Masterminds/semver v1.5.0
 	github.com/apparentlymart/go-cidr v1.1.0
-	github.com/aquasecurity/defsec v0.93.2-0.20231115015625-adcb9e5799e5
-	github.com/aquasecurity/trivy-policies v0.6.1-0.20231117215321-f2affd629c34
+	github.com/aquasecurity/defsec v0.93.2-0.20231117234854-a13ada52a90f
+	github.com/aquasecurity/trivy-policies v0.6.1-0.20231120231532-f6f2330bf842
 	github.com/aws/smithy-go v1.14.2
 	github.com/bmatcuk/doublestar/v4 v4.6.0
 	github.com/google/uuid v1.3.1
diff --git a/go.sum b/go.sum
index 6768c1c0..065dd77b 100644
--- a/go.sum
+++ b/go.sum
@@ -238,10 +238,10 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY=
 github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4=
-github.com/aquasecurity/defsec v0.93.2-0.20231115015625-adcb9e5799e5 h1:CkfFZpctJrH+oHWlvuAE2qV4DNDqaVtPlEkVksbwuwo=
-github.com/aquasecurity/defsec v0.93.2-0.20231115015625-adcb9e5799e5/go.mod h1:J30VViSgmoW2Ic/6aqVJO2qvuADsmZ3MYuNxPcU6Vt0=
-github.com/aquasecurity/trivy-policies v0.6.1-0.20231117215321-f2affd629c34 h1:CWZNJiRB/IvS9ARjcY+7ZXWJ/jhVH5r4zoO06L+5DaE=
-github.com/aquasecurity/trivy-policies v0.6.1-0.20231117215321-f2affd629c34/go.mod h1:o4r41Ig5yRnyvUcHXEgQeQFatPbWICVTMidByyPawxc=
+github.com/aquasecurity/defsec v0.93.2-0.20231117234854-a13ada52a90f h1:cO9S78J2eBx9tEIZYwFoousuYWV4DtgQlGsZUusMyNY=
+github.com/aquasecurity/defsec v0.93.2-0.20231117234854-a13ada52a90f/go.mod h1:J30VViSgmoW2Ic/6aqVJO2qvuADsmZ3MYuNxPcU6Vt0=
+github.com/aquasecurity/trivy-policies v0.6.1-0.20231120231532-f6f2330bf842 h1:RnxM3eTcwPlA/WBwnmaEpeEk3WOCDcnz7yTIFxVL7us=
+github.com/aquasecurity/trivy-policies v0.6.1-0.20231120231532-f6f2330bf842/go.mod h1:BmEeSFgmBjo3avCli71736sy0veGcSUzGATupp1MCgA=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
diff --git a/internal/adapters/terraform/aws/rds/adapt.go b/internal/adapters/terraform/aws/rds/adapt.go
index 36133423..a03b3d12 100644
--- a/internal/adapters/terraform/aws/rds/adapt.go
+++ b/internal/adapters/terraform/aws/rds/adapt.go
@@ -224,7 +224,7 @@ func adaptCluster(resource *terraform.Block, modules terraform.Modules) (rds.Clu PublicAccess: defsecTypes.Bool(public, resource.GetMetadata()), Engine: resource.GetAttribute("engine").AsStringValueOrDefault(rds.EngineAurora, resource), LatestRestorableTime: defsecTypes.TimeUnresolvable(resource.GetMetadata()), - AvailabilityZones: resource.GetAttribute("availability_zones").AsStringValueSliceOrEmpty(resource), + AvailabilityZones: resource.GetAttribute("availability_zones").AsStringValueSliceOrEmpty(), DeletionProtection: resource.GetAttribute("deletion_protection").AsBoolValueOrDefault(false, resource), }, ids } diff --git a/internal/adapters/terraform/google/compute/networks.go b/internal/adapters/terraform/google/compute/networks.go index 14322575..ef59c360 100644 --- a/internal/adapters/terraform/google/compute/networks.go +++ b/internal/adapters/terraform/google/compute/networks.go @@ -68,8 +68,8 @@ func adaptNetworks(modules terraform.Modules) (networks []compute.Network) { Name: firewallBlock.GetAttribute("name").AsStringValueOrDefault("", firewallBlock), IngressRules: nil, EgressRules: nil, - SourceTags: firewallBlock.GetAttribute("source_tags").AsStringValueSliceOrEmpty(firewallBlock), - TargetTags: firewallBlock.GetAttribute("target_tags").AsStringValueSliceOrEmpty(firewallBlock), + SourceTags: firewallBlock.GetAttribute("source_tags").AsStringValueSliceOrEmpty(), + TargetTags: firewallBlock.GetAttribute("target_tags").AsStringValueSliceOrEmpty(), } for _, allowBlock := range firewallBlock.GetBlocks("allow") { diff --git a/internal/adapters/terraform/google/dns/adapt.go b/internal/adapters/terraform/google/dns/adapt.go index 21ee4172..a139d764 100644 --- a/internal/adapters/terraform/google/dns/adapt.go +++ b/internal/adapters/terraform/google/dns/adapt.go 
@@ -16,96 +16,49 @@ func adaptManagedZones(modules terraform.Modules) []dns.ManagedZone { var managedZones []dns.ManagedZone for _, module := range modules { for _, resource := range module.GetResourcesByType("google_dns_managed_zone") { - managedZone := adaptManagedZone(resource) - for _, data := range module.GetDatasByType("google_dns_keys") { - managedZone.DNSSec.DefaultKeySpecs = adaptKeySpecs(data) - } - managedZones = append(managedZones, managedZone) + managedZones = append(managedZones, adaptManagedZone(resource)) } } return managedZones } func adaptManagedZone(resource *terraform.Block) dns.ManagedZone { - zone := dns.ManagedZone{ Metadata: resource.GetMetadata(), - Visibility: defsecTypes.StringDefault("public", resource.GetMetadata()), - DNSSec: dns.DNSSec{ - Metadata: resource.GetMetadata(), - Enabled: defsecTypes.BoolDefault(false, resource.GetMetadata()), - DefaultKeySpecs: dns.KeySpecs{ - Metadata: resource.GetMetadata(), - KeySigningKey: dns.Key{ - Metadata: resource.GetMetadata(), - Algorithm: defsecTypes.StringDefault("", resource.GetMetadata()), - }, - ZoneSigningKey: dns.Key{ - Metadata: resource.GetMetadata(), - Algorithm: defsecTypes.StringDefault("", resource.GetMetadata()), - }, - }, - }, - } - - if resource.HasChild("visibility") { - zone.Visibility = resource.GetAttribute("visibility").AsStringValueOrDefault("public", resource) + Visibility: resource.GetAttribute("visibility").AsStringValueOrDefault("public", resource), + DNSSec: adaptDNSSec(resource), } + return zone +} - if resource.HasChild("dnssec_config") { - DNSSecBlock := resource.GetBlock("dnssec_config") - zone.DNSSec.Metadata = DNSSecBlock.GetMetadata() - - stateAttr := DNSSecBlock.GetAttribute("state") - if stateAttr.Equals("on") { - zone.DNSSec.Enabled = defsecTypes.Bool(true, stateAttr.GetMetadata()) - } else if stateAttr.Equals("off") || stateAttr.Equals("transfer") { - zone.DNSSec.Enabled = defsecTypes.Bool(false, stateAttr.GetMetadata()) +func adaptDNSSec(b 
*terraform.Block) dns.DNSSec { + DNSSecBlock := b.GetBlock("dnssec_config") + if DNSSecBlock.IsNil() { + return dns.DNSSec{ + Metadata: b.GetMetadata(), + Enabled: defsecTypes.BoolDefault(false, b.GetMetadata()), } + } - if DNSSecBlock.HasChild("default_key_specs") { - DefaultKeySpecsBlock := DNSSecBlock.GetBlock("default_key_specs") - zone.DNSSec.DefaultKeySpecs.Metadata = DefaultKeySpecsBlock.GetMetadata() - - algorithmAttr := DefaultKeySpecsBlock.GetAttribute("algorithm") - algorithmVal := algorithmAttr.AsStringValueOrDefault("", DefaultKeySpecsBlock) + stateAttr := DNSSecBlock.GetAttribute("state") - keyTypeAttr := DefaultKeySpecsBlock.GetAttribute("key_type") - if keyTypeAttr.Equals("keySigning") { - zone.DNSSec.DefaultKeySpecs.KeySigningKey.Algorithm = algorithmVal - zone.DNSSec.DefaultKeySpecs.KeySigningKey.Metadata = keyTypeAttr.GetMetadata() - } else if keyTypeAttr.Equals("zoneSigning") { - zone.DNSSec.DefaultKeySpecs.ZoneSigningKey.Algorithm = algorithmVal - zone.DNSSec.DefaultKeySpecs.ZoneSigningKey.Metadata = keyTypeAttr.GetMetadata() - } - } + DNSSec := dns.DNSSec{ + Metadata: DNSSecBlock.GetMetadata(), + Enabled: defsecTypes.Bool(stateAttr.Equals("on"), stateAttr.GetMetadata()), + DefaultKeySpecs: adaptKeySpecs(DNSSecBlock), } - return zone -} -func adaptKeySpecs(resource *terraform.Block) dns.KeySpecs { - keySpecs := dns.KeySpecs{ - Metadata: resource.GetMetadata(), - KeySigningKey: dns.Key{ - Metadata: resource.GetMetadata(), - Algorithm: defsecTypes.String("", resource.GetMetadata()), - }, - ZoneSigningKey: dns.Key{ - Metadata: resource.GetMetadata(), - Algorithm: defsecTypes.String("", resource.GetMetadata()), - }, - } - KeySigningKeysBlock := resource.GetBlock("key_signing_keys") - if KeySigningKeysBlock.IsNotNil() { - algorithmAttr := KeySigningKeysBlock.GetAttribute("algorithm") - keySpecs.KeySigningKey.Algorithm = algorithmAttr.AsStringValueOrDefault("", KeySigningKeysBlock) - } + return DNSSec +} - ZoneSigningKeysBlock := 
resource.GetBlock("zone_signing_keys") - if ZoneSigningKeysBlock.IsNotNil() { - algorithmAttr := ZoneSigningKeysBlock.GetAttribute("algorithm") - keySpecs.ZoneSigningKey.Algorithm = algorithmAttr.AsStringValueOrDefault("", ZoneSigningKeysBlock) +func adaptKeySpecs(b *terraform.Block) []dns.KeySpecs { + var keySpecs []dns.KeySpecs + for _, keySpecsBlock := range b.GetBlocks("default_key_specs") { + keySpecs = append(keySpecs, dns.KeySpecs{ + Metadata: keySpecsBlock.GetMetadata(), + Algorithm: keySpecsBlock.GetAttribute("algorithm").AsStringValueOrDefault("", keySpecsBlock), + KeyType: keySpecsBlock.GetAttribute("key_type").AsStringValueOrDefault("", keySpecsBlock), + }) } - return keySpecs } diff --git a/internal/adapters/terraform/google/dns/adapt_test.go b/internal/adapters/terraform/google/dns/adapt_test.go index e4f6edd1..6c35bab1 100644 --- a/internal/adapters/terraform/google/dns/adapt_test.go +++ b/internal/adapters/terraform/google/dns/adapt_test.go @@ -23,21 +23,25 @@ func Test_Adapt(t *testing.T) { { name: "basic", terraform: ` - resource "google_dns_managed_zone" "example" { - name = "example-zone" - dns_name = "example-${random_id.rnd.hex}.com." - description = "Example DNS zone" - labels = { - foo = "bar" - } - dnssec_config { - state = "on" - default_key_specs { - algorithm = "rsasha1" - key_type = "keySigning" - } - } - } +resource "google_dns_managed_zone" "example" { + name = "example-zone" + dns_name = "example-${random_id.rnd.hex}.com." + description = "Example DNS zone" + labels = { + foo = "bar" + } + dnssec_config { + state = "on" + default_key_specs { + algorithm = "rsasha1" + key_type = "keySigning" + } + default_key_specs { + algorithm = "rsasha1" + key_type = "zoneSigning" + } + } +} `, expected: dns.DNS{ ManagedZones: []dns.ManagedZone{ 
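Review bot: `Enabled: defsecTypes.Bool(stateAttr.Equals("on"), stateAttr.GetMetadata())` in the new adaptDNSSec dereferences `stateAttr` unconditionally, whereas the replaced code only reached the attribute through the nil-tolerant `Equals` chain. A `dnssec_config` block without a `state` attribute (required by the provider schema, but a scanner routinely parses HCL that would never plan) gives a nil attribute here, and unless `Attribute.GetMetadata` is nil-safe in this defsec revision, which I cannot see from here, the adapter panics on that zone instead of reporting it. A side effect worth a comment is that every value other than "on", including "transfer" which the old code also treated as disabled, now becomes an explicit `Bool(false)` rather than a `BoolDefault`, so downstream rules may read a missing or transitional state as a deliberate "off". I would guard the attribute and keep the block-level default for the missing case:

```go
	stateAttr := DNSSecBlock.GetAttribute("state")
	// No state attribute: keep the "not enabled" default instead of dereferencing a nil attribute.
	enabled := defsecTypes.BoolDefault(false, DNSSecBlock.GetMetadata())
	if stateAttr.IsNotNil() {
		enabled = defsecTypes.Bool(stateAttr.Equals("on"), stateAttr.GetMetadata())
	}

	DNSSec := dns.DNSSec{
		Metadata:        DNSSecBlock.GetMetadata(),
		Enabled:         enabled,
		DefaultKeySpecs: adaptKeySpecs(DNSSecBlock),
	}
	// … unchanged: return DNSSec …
```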
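Review bot: The only table entry in Test_Adapt still exercises `state = "on"` with both key specs present, so the new branches in adaptDNSSec and adaptKeySpecs (a zone with no `dnssec_config`, `state = "off"` or `"transfer"`, and a `dnssec_config` with no `default_key_specs` blocks) have no coverage, and the deleted Test_adaptKeySpecs is not replaced by anything that pins the slice shape. I would add a second entry with a bare `google_dns_managed_zone` expecting `Enabled` false and `DefaultKeySpecs: nil`, and a third with `state = "off"` plus a single `default_key_specs` block, so both the default-false path and a one-element slice are asserted. The `tests` table and the loop that runs it continue outside the hunk.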
@@ -46,15 +50,16 @@ func Test_Adapt(t *testing.T) { Visibility: defsecTypes.String("public", defsecTypes.NewTestMetadata()), DNSSec: dns.DNSSec{ Enabled: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()), - DefaultKeySpecs: dns.KeySpecs{ - Metadata: defsecTypes.NewTestMetadata(), - ZoneSigningKey: dns.Key{ + DefaultKeySpecs: []dns.KeySpecs{ + { Metadata: defsecTypes.NewTestMetadata(), - Algorithm: defsecTypes.String("", defsecTypes.NewTestMetadata()), + Algorithm: defsecTypes.String("rsasha1", defsecTypes.NewTestMetadata()), + KeyType: defsecTypes.String("keySigning", defsecTypes.NewTestMetadata()), }, - KeySigningKey: dns.Key{ + { Metadata: defsecTypes.NewTestMetadata(), Algorithm: defsecTypes.String("rsasha1", defsecTypes.NewTestMetadata()), + KeyType: defsecTypes.String("zoneSigning", defsecTypes.NewTestMetadata()), }, }, }, @@ -73,46 +78,6 @@ func Test_Adapt(t *testing.T) { } } -func Test_adaptKeySpecs(t *testing.T) { - tests := []struct { - name string - terraform string - expected dns.KeySpecs - }{ - { - name: "basic", - terraform: ` - - data "google_dns_keys" "foo_dns_keys" { - managed_zone = google_dns_managed_zone.example.id - zone_signing_keys { - algorithm = "rsasha512" - } - } -`, - expected: dns.KeySpecs{ - Metadata: defsecTypes.NewTestMetadata(), - ZoneSigningKey: dns.Key{ - Metadata: defsecTypes.NewTestMetadata(), - Algorithm: defsecTypes.String("rsasha512", defsecTypes.NewTestMetadata()), - }, - KeySigningKey: dns.Key{ - Metadata: defsecTypes.NewTestMetadata(), - Algorithm: defsecTypes.String("", defsecTypes.NewTestMetadata()), - }, - }, - }, - } - - for _, test := range tests { - t.Run(test.name, func(t *testing.T) { - modules := tftestutil.CreateModulesFromSource(t, test.terraform, ".tf") - adapted := adaptKeySpecs(modules.GetBlocks()[0]) - testutil.AssertDefsecEqual(t, test.expected, adapted) - }) - } -} - func TestLines(t *testing.T) { src := ` resource "google_dns_managed_zone" "example" { 
@@ -140,9 +105,9 @@ func TestLines(t *testing.T) { assert.Equal(t, 7, zone.DNSSec.Enabled.GetMetadata().Range().GetStartLine()) assert.Equal(t, 7, zone.DNSSec.Enabled.GetMetadata().Range().GetEndLine()) - assert.Equal(t, 8, zone.DNSSec.DefaultKeySpecs.Metadata.Range().GetStartLine()) - assert.Equal(t, 11, zone.DNSSec.DefaultKeySpecs.Metadata.Range().GetEndLine()) + assert.Equal(t, 8, zone.DNSSec.DefaultKeySpecs[0].Metadata.Range().GetStartLine()) + assert.Equal(t, 11, zone.DNSSec.DefaultKeySpecs[0].Metadata.Range().GetEndLine()) - assert.Equal(t, 9, zone.DNSSec.DefaultKeySpecs.KeySigningKey.Algorithm.GetMetadata().Range().GetStartLine()) - assert.Equal(t, 9, zone.DNSSec.DefaultKeySpecs.KeySigningKey.Algorithm.GetMetadata().Range().GetEndLine()) + assert.Equal(t, 9, zone.DNSSec.DefaultKeySpecs[0].Algorithm.GetMetadata().Range().GetStartLine()) + assert.Equal(t, 9, zone.DNSSec.DefaultKeySpecs[0].Algorithm.GetMetadata().Range().GetEndLine()) } diff --git a/pkg/rego/schemas/cloud.json b/pkg/rego/schemas/cloud.json index b5865180..0518601a 100644 --- a/pkg/rego/schemas/cloud.json +++ b/pkg/rego/schemas/cloud.json @@ -150,6 +150,13 @@ "type": "object", "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.neptune.Neptune" }, + "providers": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.TerraformProvider" + } + }, "rds": { "type": "object", "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.rds.RDS" 
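Review bot: `zone.DNSSec.DefaultKeySpecs[0]` is indexed four times in TestLines without a length check, so a regression in adaptKeySpecs that yields no specs makes the test panic with an index-out-of-range instead of failing on an assertion. A `require.Len(t, zone.DNSSec.DefaultKeySpecs, 1)` before the first index turns that into a readable failure; `require` is already used in parser_test.go, though adapt_test.go may need the import added. The fixture HCL and the earlier assertions of TestLines sit outside the hunk.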
@@ -184,6 +191,262 @@ } } }, + "github.com.aquasecurity.defsec.pkg.providers.aws.AssumeRole": { + "type": "object", + "properties": { + "duration": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + }, + "externalid": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + }, + "policy": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + }, + "policyarns": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + } + }, + "rolearn": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + }, + "sessionname": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + }, + "sourceidentity": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + }, + "tags": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.MapValue" + }, + "transitivetagkeys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + } + } + } + }, + "github.com.aquasecurity.defsec.pkg.providers.aws.AssumeRoleWithWebIdentity": { + "type": "object", + "properties": { + "duration": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + }, + "policy": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + }, + "policyarns": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + } + }, + "rolearn": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + }, + "sessionname": { + "type": "object", + "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + }, + "webidentitytoken": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + }, + "webidentitytokenfile": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + } + } + }, + "github.com.aquasecurity.defsec.pkg.providers.aws.DefaultTags": { + "type": "object", + "properties": { + "tags": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.MapValue" + } + } + }, + "github.com.aquasecurity.defsec.pkg.providers.aws.IgnoreTags": { + "type": "object", + "properties": { + "keyprefixes": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + } + }, + "keys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + } + } + } + }, + "github.com.aquasecurity.defsec.pkg.providers.aws.TerraformProvider": { + "type": "object", + "properties": { + "accesskey": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + }, + "alias": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + }, + "allowedaccountsids": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + } + }, + "assumerole": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.AssumeRole" + }, + "assumerolewithwebidentity": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.AssumeRoleWithWebIdentity" + }, + "customcabundle": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + }, + "defaulttags": { + "type": "object", + "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.DefaultTags" + }, + "ec2metadataserviceendpoint": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + }, + "ec2metadataserviceendpointmode": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + }, + "endpoints": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.MapValue" + }, + "forbiddenaccountids": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + } + }, + "httpproxy": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + }, + "ignoretags": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.IgnoreTags" + }, + "insecure": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" + }, + "maxretries": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.IntValue" + }, + "profile": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + }, + "region": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + }, + "retrymode": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + }, + "s3useast1regionalendpoint": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + }, + "s3usepathstyle": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" + }, + "secretkey": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + }, + "sharedconfigfiles": { + "type": "array", + "items": { + "type": "object", + "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + } + }, + "sharedcredentialsfiles": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + } + }, + "skipcredentialsvalidation": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" + }, + "skipmetadataapicheck": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" + }, + "skipregionvalidation": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" + }, + "skiprequestingaccountid": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" + }, + "stsregion": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + }, + "token": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + }, + "usedualstackendpoint": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" + }, + "usefipsendpoint": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" + }, + "version": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + } + } + }, "github.com.aquasecurity.defsec.pkg.providers.aws.accessanalyzer.AccessAnalyzer": { "type": "object", "properties": { @@ -5086,8 +5349,11 @@ "type": "object", "properties": { "defaultkeyspecs": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.dns.KeySpecs" + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.dns.KeySpecs" + } }, "enabled": { "type": "object", 
@@ -5095,25 +5361,16 @@ } } }, - "github.com.aquasecurity.defsec.pkg.providers.google.dns.Key": { + "github.com.aquasecurity.defsec.pkg.providers.google.dns.KeySpecs": { "type": "object", "properties": { "algorithm": { "type": "object", "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.dns.KeySpecs": { - "type": "object", - "properties": { - "keysigningkey": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.dns.Key" }, - "zonesigningkey": { + "keytype": { "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.dns.Key" + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" } } }, diff --git a/pkg/scanners/terraform/parser/parser_test.go b/pkg/scanners/terraform/parser/parser_test.go index 57ce4e6b..c0e82a6a 100644 --- a/pkg/scanners/terraform/parser/parser_test.go +++ b/pkg/scanners/terraform/parser/parser_test.go @@ -318,7 +318,7 @@ resource "something" "blah" { assert.Equal(t, true, attr.IsResolvable()) - values := attr.AsStringValueSliceOrEmpty(block) + values := attr.AsStringValueSliceOrEmpty() require.Len(t, values, 3) assert.Equal(t, "first", values[0].Value()) @@ -361,7 +361,7 @@ resource "something" "blah" { assert.Equal(t, true, attr.IsResolvable()) - values := attr.AsStringValueSliceOrEmpty(block) + values := attr.AsStringValueSliceOrEmpty() require.Len(t, values, 3) assert.Equal(t, "first", values[0].Value()) @@ -409,7 +409,7 @@ resource "something" "blah" { assert.Equal(t, true, attr.IsResolvable()) - values := attr.AsStringValueSliceOrEmpty(block) + values := attr.AsStringValueSliceOrEmpty() require.Len(t, values, 2) assert.Equal(t, "1", values[0].Value()) 
@@ -450,7 +450,7 @@ resource "something" "blah" { assert.Equal(t, true, attr.IsResolvable()) - values := attr.AsStringValueSliceOrEmpty(block) + values := attr.AsStringValueSliceOrEmpty() require.Len(t, values, 3) assert.Equal(t, "a", values[0].Value()) @@ -498,7 +498,7 @@ resource "something" "blah" { assert.Equal(t, true, attr.IsResolvable()) - values := attr.AsStringValueSliceOrEmpty(block) + values := attr.AsStringValueSliceOrEmpty() require.Len(t, values, 3) assert.Equal(t, "a", values[0].Value()) @@ -543,7 +543,7 @@ resource "something" "blah" { assert.Equal(t, true, attr.IsResolvable()) - values := attr.AsStringValueSliceOrEmpty(block) + values := attr.AsStringValueSliceOrEmpty() require.Len(t, values, 3) assert.Equal(t, "a", values[0].Value())