feat(terraform): ignore versions for k8s resources

aquasecurity · Jan 11, 2024 · 9622bca · 9622bca
1 parent b60d283
commit 9622bca
Show file tree

Hide file tree

Showing 2 changed files with 90 additions and 1 deletion.
diff --git a/internal/adapters/terraform/kubernetes/adapt.go b/internal/adapters/terraform/kubernetes/adapt.go
@@ -1,10 +1,15 @@
 package kubernetes
 
 import (
+	"regexp"
+	"strings"
+
 	"github.com/aquasecurity/defsec/pkg/providers/kubernetes"
 	"github.com/aquasecurity/defsec/pkg/terraform"
 )
 
+var versionRegex = regexp.MustCompile(`^v\d+(beta\d+)?$`)
+
 func Adapt(modules terraform.Modules) kubernetes.Kubernetes {
 	return kubernetes.Kubernetes{
 		NetworkPolicies: adaptNetworkPolicies(modules),
@@ -14,7 +19,7 @@ func Adapt(modules terraform.Modules) kubernetes.Kubernetes {
 func adaptNetworkPolicies(modules terraform.Modules) []kubernetes.NetworkPolicy {
 	var networkPolicies []kubernetes.NetworkPolicy
 	for _, module := range modules {
-		for _, resource := range module.GetResourcesByType("kubernetes_network_policy") {
+		for _, resource := range getBlocksIgnoreVersion(module, "resource", "kubernetes_network_policy") {
 			networkPolicies = append(networkPolicies, adaptNetworkPolicy(resource))
 		}
 	}
@@ -92,3 +97,27 @@ func adaptNetworkPolicy(resourceBlock *terraform.Block) kubernetes.NetworkPolicy
 
 	return policy
 }
+
+// https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/guides/versioned-resources
+func getBlocksIgnoreVersion(module *terraform.Module, blockType string, resourceType string) terraform.Blocks {
+	var res terraform.Blocks
+	for _, block := range module.GetBlocks().OfType(blockType) {
+		if isMatchingTypeLabel(block.TypeLabel(), resourceType) {
+			res = append(res, block)
+		}
+	}
+	return res
+}
+
+func isMatchingTypeLabel(typeLabel string, resourceType string) bool {
+	if typeLabel == resourceType {
+		return true
+	}
+
+	versionPart, found := strings.CutPrefix(typeLabel, resourceType+"_")
+	if !found {
+		return false
+	}
+
+	return versionRegex.MatchString(versionPart)
+}
diff --git a/internal/adapters/terraform/kubernetes/adapt_test.go b/internal/adapters/terraform/kubernetes/adapt_test.go
@@ -0,0 +1,60 @@
+package kubernetes
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestIsMatchingTypeLabel(t *testing.T) {
+	tests := []struct {
+		name         string
+		typeLabel    string
+		resourceType string
+		expected     bool
+	}{
+		{
+			name:         "without version",
+			typeLabel:    "kubernetes_network_policy",
+			resourceType: "kubernetes_network_policy",
+			expected:     true,
+		},
+		{
+			name:         "v1",
+			typeLabel:    "kubernetes_network_policy_v1",
+			resourceType: "kubernetes_network_policy",
+			expected:     true,
+		},
+		{
+			name:         "beta version",
+			typeLabel:    "kubernetes_horizontal_pod_autoscaler_v2beta2",
+			resourceType: "kubernetes_horizontal_pod_autoscaler",
+			expected:     true,
+		},
+		{
+			name:         "another type of resource",
+			typeLabel:    "kubernetes_network_policy",
+			resourceType: "kubernetes_horizontal_pod_autoscaler",
+			expected:     false,
+		},
+		{
+			name:         "similar resource type",
+			typeLabel:    "kubernetes_network_policy_test_v1",
+			resourceType: "kubernetes_network_policy",
+			expected:     false,
+		},
+		{
+			name:         "empty resource type",
+			typeLabel:    "kubernetes_network_policy_test_v1",
+			resourceType: "",
+			expected:     false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := isMatchingTypeLabel(tt.typeLabel, tt.resourceType)
+			assert.Equal(t, tt.expected, got)
+		})
+	}
+}