From 86f0182c9c9afa7bf9586151024c9095d8464386 Mon Sep 17 00:00:00 2001 From: Nikita Pivkin Date: Tue, 14 Nov 2023 16:39:07 +0700 Subject: [PATCH 1/2] feat(aws): support for CloudFrontDefaultCertificate and SSLSupportMethod --- avd_docs/aws/cloudfront/AVD-AWS-0013/docs.md | 4 ++- .../aws/rds/AVD-AWS-0078/CloudFormation.md | 2 +- avd_docs/aws/rds/AVD-AWS-0078/Terraform.md | 2 +- avd_docs/aws/rds/AVD-AWS-0078/docs.md | 8 +++-- .../aws/rds/AVD-AWS-0180/CloudFormation.md | 2 +- avd_docs/aws/rds/AVD-AWS-0180/Terraform.md | 2 +- avd_docs/aws/rds/AVD-AWS-0180/docs.md | 2 +- go.mod | 15 ++++++---- go.sum | 30 ++++++++++--------- .../terraform/aws/cloudfront/adapt.go | 9 ++++-- .../terraform/aws/cloudfront/adapt_test.go | 9 ++++-- pkg/rego/schemas/cloud.json | 21 +++++-------- 12 files changed, 59 insertions(+), 47 deletions(-) diff --git a/avd_docs/aws/cloudfront/AVD-AWS-0013/docs.md b/avd_docs/aws/cloudfront/AVD-AWS-0013/docs.md index 53b20d4f..fc83dffe 100644 --- a/avd_docs/aws/cloudfront/AVD-AWS-0013/docs.md +++ b/avd_docs/aws/cloudfront/AVD-AWS-0013/docs.md @@ -1,7 +1,7 @@ You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+. -Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name). +Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name) and *ssl_support_method* is *sni-only*. If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s. The only option when using the cloudfront.net domain name is to ignore this rule. 
@@ -14,4 +14,6 @@ Outdated SSL policies increase exposure to known vulnerabilities ### Links - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html +- https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesGeneral + diff --git a/avd_docs/aws/rds/AVD-AWS-0078/CloudFormation.md b/avd_docs/aws/rds/AVD-AWS-0078/CloudFormation.md index 6e546967..409debda 100644 --- a/avd_docs/aws/rds/AVD-AWS-0078/CloudFormation.md +++ b/avd_docs/aws/rds/AVD-AWS-0078/CloudFormation.md @@ -1,5 +1,5 @@ -Enable encryption for RDS clusters and instances +Use Customer Managed Keys to encrypt Performance Insights data ```yaml--- AWSTemplateFormatVersion: 2010-09-09 diff --git a/avd_docs/aws/rds/AVD-AWS-0078/Terraform.md b/avd_docs/aws/rds/AVD-AWS-0078/Terraform.md index 8d20b41e..03bb694c 100644 --- a/avd_docs/aws/rds/AVD-AWS-0078/Terraform.md +++ b/avd_docs/aws/rds/AVD-AWS-0078/Terraform.md @@ -1,5 +1,5 @@ -Enable encryption for RDS clusters and instances +Use Customer Managed Keys to encrypt Performance Insights data ```hcl resource "aws_rds_cluster_instance" "good_example" { diff --git a/avd_docs/aws/rds/AVD-AWS-0078/docs.md b/avd_docs/aws/rds/AVD-AWS-0078/docs.md index 66539ec1..66aaa3dd 100644 --- a/avd_docs/aws/rds/AVD-AWS-0078/docs.md +++ b/avd_docs/aws/rds/AVD-AWS-0078/docs.md 
@@ -1,15 +1,17 @@ -When enabling Performance Insights on an RDS cluster or RDS DB Instance, and encryption key should be provided. +Amazon RDS uses the AWS managed key for your new DB instance. For complete control over KMS keys, including establishing and maintaining their key policies, IAM policies, and grants, enabling and disabling them, and rotating their cryptographic material, use a customer managed keys. The encryption key specified in `performance_insights_kms_key_id` references a KMS ARN ### Impact -Data can be read from the RDS Performance Insights if it is compromised +Using AWS managed keys does not allow for fine grained control {{ remediationActions }} ### Links -- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.htm +- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PerfInsights.access-control.html#USER_PerfInsights.access-control.cmk-policy + +- https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt diff --git a/avd_docs/aws/rds/AVD-AWS-0180/CloudFormation.md b/avd_docs/aws/rds/AVD-AWS-0180/CloudFormation.md index bbc88e28..e183f4cb 100644 --- a/avd_docs/aws/rds/AVD-AWS-0180/CloudFormation.md +++ b/avd_docs/aws/rds/AVD-AWS-0180/CloudFormation.md @@ -1,5 +1,5 @@ -Remove the public endpoint from the RDS instance' +Remove the public endpoint from the RDS instance. ```yaml--- AWSTemplateFormatVersion: 2010-09-09 diff --git a/avd_docs/aws/rds/AVD-AWS-0180/Terraform.md b/avd_docs/aws/rds/AVD-AWS-0180/Terraform.md index 98d23859..929769bd 100644 --- a/avd_docs/aws/rds/AVD-AWS-0180/Terraform.md +++ b/avd_docs/aws/rds/AVD-AWS-0180/Terraform.md @@ -1,5 +1,5 @@ -Remove the public endpoint from the RDS instance' +Remove the public endpoint from the RDS instance. ```hcl resource "aws_db_instance" "good_example" { diff --git a/avd_docs/aws/rds/AVD-AWS-0180/docs.md b/avd_docs/aws/rds/AVD-AWS-0180/docs.md index 5361d794..24487a1f 100644 --- a/avd_docs/aws/rds/AVD-AWS-0180/docs.md 
+++ b/avd_docs/aws/rds/AVD-AWS-0180/docs.md @@ -1,5 +1,5 @@ -Ensures RDS instances are not launched into the public cloud. +Ensures RDS instances and RDS Cluster instances are not launched into the public cloud. ### Impact diff --git a/go.mod b/go.mod index 281b95c4..26a63c4e 100644 --- a/go.mod +++ b/go.mod @@ -49,7 +49,7 @@ require ( github.com/Masterminds/sprig/v3 v3.2.3 // indirect github.com/Masterminds/squirrel v1.5.4 // indirect github.com/Microsoft/go-winio v0.6.1 // indirect - github.com/Microsoft/hcsshim v0.11.0 // indirect + github.com/Microsoft/hcsshim v0.11.1 // indirect github.com/OneOfOne/xxhash v1.2.8 // indirect github.com/ProtonMail/go-crypto v0.0.0-20230717121422-5aa5874ade95 // indirect github.com/acomagu/bufpipe v1.0.4 // indirect @@ -65,14 +65,15 @@ require ( github.com/cespare/xxhash/v2 v2.2.0 // indirect github.com/chai2010/gettext-go v1.0.2 // indirect github.com/cloudflare/circl v1.3.3 // indirect - github.com/containerd/containerd v1.7.6 // indirect + github.com/containerd/containerd v1.7.7 // indirect + github.com/containerd/log v0.1.0 // indirect github.com/containerd/typeurl v1.0.2 // indirect github.com/cyphar/filepath-securejoin v0.2.4 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/dlclark/regexp2 v1.4.0 // indirect github.com/docker/cli v24.0.5+incompatible // indirect github.com/docker/distribution v2.8.2+incompatible // indirect - github.com/docker/docker v24.0.6+incompatible // indirect + github.com/docker/docker v24.0.7+incompatible // indirect github.com/docker/docker-credential-helpers v0.7.0 // indirect github.com/docker/go-connections v0.4.0 // indirect github.com/docker/go-metrics v0.0.1 // indirect 
@@ -145,7 +146,7 @@ require ( github.com/morikuni/aec v1.0.0 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect - github.com/opencontainers/image-spec v1.1.0-rc4 // indirect + github.com/opencontainers/image-spec v1.1.0-rc5 // indirect github.com/owenrumney/squealer v1.2.1 // indirect github.com/peterbourgon/diskv v2.0.1+incompatible // indirect github.com/pjbgf/sha1cd v0.3.0 // indirect @@ -180,7 +181,7 @@ require ( go.opentelemetry.io/otel/trace v1.16.0 // indirect go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect golang.org/x/mod v0.10.0 // indirect - golang.org/x/net v0.15.0 // indirect + golang.org/x/net v0.17.0 // indirect golang.org/x/oauth2 v0.10.0 // indirect golang.org/x/sync v0.3.0 // indirect golang.org/x/sys v0.13.0 // indirect @@ -218,3 +219,7 @@ require ( ) replace oras.land/oras-go => oras.land/oras-go v1.2.4-0.20230801060855-932dd06d38af + +replace github.com/aquasecurity/defsec => github.com/nikpivkin/defsec v0.0.0-20231114084431-b974397eaa64 + +replace github.com/aquasecurity/trivy-policies => github.com/nikpivkin/trivy-policies v0.0.0-20231114085710-41b0ffa48745 diff --git a/go.sum b/go.sum index 15dabeb1..00cbf8e5 100644 --- a/go.sum +++ b/go.sum 
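Review bot: The two `replace` directives added at the end of go.mod redirect `github.com/aquasecurity/defsec` and `github.com/aquasecurity/trivy-policies` to a personal fork (`github.com/nikpivkin/...`); even pinned to a pseudo-version, that makes the main module build fork code under the upstream import path, and a merge with the directives still present would ship it as if it were upstream. PATCH 2/2 in this series removes both directives again once the upstream commits exist, so the replace should be read as a temporary draft aid and the series merged only with that second patch applied. The same bump also pulls the removal of the `google.gke.PodSecurityPolicy` schema definition from cloud.json, which is unrelated to the feature in the title and worth calling out in the description for anyone whose Rego checks reference it.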
@@ -212,8 +212,8 @@ github.com/Masterminds/squirrel v1.5.4/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA4 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY= github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow= github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM= -github.com/Microsoft/hcsshim v0.11.0 h1:7EFNIY4igHEXUdj1zXgAyU3fLc7QfOKHbkldRVTBdiM= -github.com/Microsoft/hcsshim v0.11.0/go.mod h1:OEthFdQv/AD2RAdzR6Mm1N1KPCztGKDurW1Z8b8VGMM= +github.com/Microsoft/hcsshim v0.11.1 h1:hJ3s7GbWlGK4YVV92sO88BQSyF4ZLVy7/awqOlPxFbA= +github.com/Microsoft/hcsshim v0.11.1/go.mod h1:nFJmaO4Zr5Y7eADdFOpYswDDlNVbvcIJJNJLECr5JQg= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8= github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q= 
@@ -238,10 +238,6 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo= github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY= github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4= -github.com/aquasecurity/defsec v0.93.2-0.20231024055158-015ab97ce898 h1:gu7XQvv2CswgzOdOFHg/AmtR4vBonG35XvGxHHvcIr4= -github.com/aquasecurity/defsec v0.93.2-0.20231024055158-015ab97ce898/go.mod h1:J30VViSgmoW2Ic/6aqVJO2qvuADsmZ3MYuNxPcU6Vt0= -github.com/aquasecurity/trivy-policies v0.3.1-0.20231021040354-0572a07131c2 h1:Xkm2i9Dy98p/DMR0smfog487zaTJ11hLVL+PvIgVWyM= -github.com/aquasecurity/trivy-policies v0.3.1-0.20231021040354-0572a07131c2/go.mod h1:Wqj81EIp4lDQGVzbPalKLNucR7c96YLQbfdA60KpEkQ= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= 
@@ -292,9 +288,11 @@ github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWH github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM= -github.com/containerd/containerd v1.7.6 h1:oNAVsnhPoy4BTPQivLgTzI9Oleml9l/+eYIDYXRCYo8= -github.com/containerd/containerd v1.7.6/go.mod h1:SY6lrkkuJT40BVNO37tlYTSnKJnP5AXBc0fhx0q+TJ4= +github.com/containerd/containerd v1.7.7 h1:QOC2K4A42RQpcrZyptP6z9EJZnlHfHJUfZrAAHe15q4= +github.com/containerd/containerd v1.7.7/go.mod h1:3c4XZv6VeT9qgf9GMTxNTMFxGJrGpI2vz1yk4ye+YY8= github.com/containerd/continuity v0.4.2 h1:v3y/4Yz5jwnvqPKJJ+7Wf93fyWoCB3F5EclWG023MDM= +github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= +github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= github.com/containerd/typeurl v1.0.2 h1:Chlt8zIieDbzQFzXzAeBEF92KhExuE4p9p92/QmY7aY= github.com/containerd/typeurl v1.0.2/go.mod h1:9trJWW2sRlGub4wZJRTW83VtbOLS6hwcDZXTn6oPz9s= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= 
@@ -316,8 +314,8 @@ github.com/docker/cli v24.0.5+incompatible h1:WeBimjvS0eKdH4Ygx+ihVq1Q++xg36M/rM github.com/docker/cli v24.0.5+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8= github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v24.0.6+incompatible h1:hceabKCtUgDqPu+qm0NgsaXf28Ljf4/pWFL7xjWWDgE= -github.com/docker/docker v24.0.6+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v24.0.7+incompatible h1:Wo6l37AuwP3JaMnZa226lzVXGA3F9Ig1seQen0cKYlM= +github.com/docker/docker v24.0.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0= github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ= 
@@ -669,6 +667,10 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= +github.com/nikpivkin/defsec v0.0.0-20231114084431-b974397eaa64 h1:UzXsfnEuDKXOABg73/b4dYTSxbC/KmRMqNS7HEh/aVY= +github.com/nikpivkin/defsec v0.0.0-20231114084431-b974397eaa64/go.mod h1:J30VViSgmoW2Ic/6aqVJO2qvuADsmZ3MYuNxPcU6Vt0= +github.com/nikpivkin/trivy-policies v0.0.0-20231114085710-41b0ffa48745 h1:i598B4lU7jVU4J9ytDuVpaThThrJYfpK6OeQRLtNEgY= +github.com/nikpivkin/trivy-policies v0.0.0-20231114085710-41b0ffa48745/go.mod h1:gDIFncR+wsAclPA+nwe3840uHqqc4hLlxbTPGHnE0mc= github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec= github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY= github.com/onsi/ginkgo/v2 v2.9.4 h1:xR7vG4IXt5RWx6FfIjyAtsoMAtnc3C/rFXBBd2AjZwE= 
@@ -677,8 +679,8 @@ github.com/open-policy-agent/opa v0.57.0 h1:DftxYfOEHOheXvO2Q6HCIM2ZVdKrvnF4cZlU github.com/open-policy-agent/opa v0.57.0/go.mod h1:3FY6GNSbUqOhjCdvTXCBJ2rNuh66p/XrIc2owr/hSwo= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= -github.com/opencontainers/image-spec v1.1.0-rc4 h1:oOxKUJWnFC4YGHCCMNql1x4YaDfYBTS5Y4x/Cgeo1E0= -github.com/opencontainers/image-spec v1.1.0-rc4/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8= +github.com/opencontainers/image-spec v1.1.0-rc5 h1:Ygwkfw9bpDvs+c9E34SdgGOj41dX/cbdlwvlWt0pnFI= +github.com/opencontainers/image-spec v1.1.0-rc5/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8= github.com/owenrumney/squealer v1.2.1 h1:4ryMMT59aaz8VMsqsD+FDkarADJz0F1dcq2fd0DRR+c= github.com/owenrumney/squealer v1.2.1/go.mod h1:7D0a/+Bouwy504YhaWsBYW73kyklSEq1MNf6zsNoTRg= github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= 
@@ -920,8 +922,8 @@ golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= -golang.org/x/net v0.15.0 h1:ugBLEUaxABaB5AJqW9enI0ACdci2RUd4eP51NTBvuJ8= -golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk= +golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= +golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= diff --git a/internal/adapters/terraform/aws/cloudfront/adapt.go b/internal/adapters/terraform/aws/cloudfront/adapt.go index cbddcd42..dba2662f 100644 --- a/internal/adapters/terraform/aws/cloudfront/adapt.go +++ b/internal/adapters/terraform/aws/cloudfront/adapt.go 
@@ -67,9 +67,12 @@ func adaptDistribution(resource *terraform.Block) cloudfront.Distribution {
 }
 if viewerCertBlock := resource.GetBlock("viewer_certificate"); viewerCertBlock.IsNotNil() {
- distribution.ViewerCertificate.Metadata = viewerCertBlock.GetMetadata()
- minProtocolAttr := viewerCertBlock.GetAttribute("minimum_protocol_version")
- distribution.ViewerCertificate.MinimumProtocolVersion = minProtocolAttr.AsStringValueOrDefault("TLSv1", viewerCertBlock)
+ distribution.ViewerCertificate = cloudfront.ViewerCertificate{
+ Metadata: viewerCertBlock.GetMetadata(),
+ MinimumProtocolVersion: viewerCertBlock.GetAttribute("minimum_protocol_version").AsStringValueOrDefault("TLSv1", viewerCertBlock),
+ SSLSupportMethod: viewerCertBlock.GetAttribute("ssl_support_method").AsStringValueOrDefault("", viewerCertBlock),
+ CloudfrontDefaultCertificate: viewerCertBlock.GetAttribute("cloudfront_default_certificate").AsBoolValueOrDefault(false, viewerCertBlock),
+ }
 }
 return distribution
diff --git a/internal/adapters/terraform/aws/cloudfront/adapt_test.go b/internal/adapters/terraform/aws/cloudfront/adapt_test.go
index 59ed4a10..0a4a8695 100644
--- a/internal/adapters/terraform/aws/cloudfront/adapt_test.go
+++ b/internal/adapters/terraform/aws/cloudfront/adapt_test.go
@@ -41,6 +41,7 @@ func Test_adaptDistribution(t *testing.T) {
 viewer_certificate {
 cloudfront_default_certificate = true
 minimum_protocol_version = "TLSv1.2_2021"
+ ssl_support_method = "sni-only"
 }
 }
 `,
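Review bot: The three fallback values in the new `cloudfront.ViewerCertificate{...}` literal are what a policy will see whenever the Terraform attribute is omitted, and nothing at the call site says so; a comment above the literal such as `// Fallbacks when the attribute is omitted: minimum_protocol_version -> "TLSv1", ssl_support_method -> "" (not set), cloudfront_default_certificate -> false.` would make the contract visible to whoever writes the TLS-version check against these fields. Note also that the branch is skipped entirely when the `viewer_certificate` block is absent, so `ViewerCertificate` then keeps whatever `distribution` was initialised with above the hunk — if that is the zero value, `MinimumProtocolVersion` is `""` rather than `"TLSv1"` and the metadata is unset; worth confirming the initialisation, which is outside the hunk. `adaptDistribution` starts before and ends after this hunk.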
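Review bot: The fixture now combines `cloudfront_default_certificate = true`, `minimum_protocol_version = "TLSv1.2_2021"` and `ssl_support_method = "sni-only"`, which is the very combination the AVD-AWS-0013 docs change in this same patch describes as not accepted by the CloudFront API (the default certificate only allows `TLSv1`, and as far as I know `ssl_support_method` is only meaningful with a custom certificate). As an adapter round-trip test it still passes, but a reader will take the fixture as a valid distribution; consider switching this case to `cloudfront_default_certificate = false` with a custom certificate, or adding a second case that keeps the default-certificate/`TLSv1` shape so the policy-relevant combination is also covered. The expected struct for this fixture is in the following hunk (`@@ -62,8 +63,10 @@`) and would need the matching update; `Test_adaptDistribution` continues outside both hunks.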
@@ -62,8 +63,10 @@ func Test_adaptDistribution(t *testing.T) { }, }, ViewerCertificate: cloudfront.ViewerCertificate{ - Metadata: defsecTypes.NewTestMetadata(), - MinimumProtocolVersion: defsecTypes.String("TLSv1.2_2021", defsecTypes.NewTestMetadata()), + Metadata: defsecTypes.NewTestMetadata(), + MinimumProtocolVersion: defsecTypes.String("TLSv1.2_2021", defsecTypes.NewTestMetadata()), + CloudfrontDefaultCertificate: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()), + SSLSupportMethod: defsecTypes.String("sni-only", defsecTypes.NewTestMetadata()), }, }, }, @@ -117,7 +120,7 @@ func TestLines(t *testing.T) { ordered_cache_behavior { viewer_protocol_policy = "redirect-to-https" - } + } viewer_certificate { cloudfront_default_certificate = true diff --git a/pkg/rego/schemas/cloud.json b/pkg/rego/schemas/cloud.json index 3f3af2ed..5999adac 100644 --- a/pkg/rego/schemas/cloud.json +++ b/pkg/rego/schemas/cloud.json @@ -563,9 +563,17 @@ "github.com.aquasecurity.defsec.pkg.providers.aws.cloudfront.ViewerCertificate": { "type": "object", "properties": { + "cloudfrontdefaultcertificate": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" + }, "minimumprotocolversion": { "type": "object", "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + }, + "sslsupportmethod": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" } } }, @@ -5177,10 +5185,6 @@ "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.gke.NodePool" } }, - "podsecuritypolicy": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.gke.PodSecurityPolicy" - }, "privatecluster": { "type": "object", "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.gke.PrivateCluster" 
@@ -5305,15 +5309,6 @@ } } }, - "github.com.aquasecurity.defsec.pkg.providers.google.gke.PodSecurityPolicy": { - "type": "object", - "properties": { - "enabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, "github.com.aquasecurity.defsec.pkg.providers.google.gke.PrivateCluster": { "type": "object", "properties": { From 405634f2f04f2969c302adf4e7c45d325b3dcc71 Mon Sep 17 00:00:00 2001 From: Nikita Pivkin Date: Mon, 20 Nov 2023 18:12:42 +0700 Subject: [PATCH 2/2] chore: bump defsec and trivy-policies --- go.mod | 8 ++------ go.sum | 8 ++++---- pkg/rego/schemas/cloud.json | 4 ++++ 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/go.mod b/go.mod index 26a63c4e..6380c29f 100644 --- a/go.mod +++ b/go.mod @@ -6,8 +6,8 @@ require ( github.com/BurntSushi/toml v1.3.2 github.com/Masterminds/semver v1.5.0 github.com/apparentlymart/go-cidr v1.1.0 - github.com/aquasecurity/defsec v0.93.2-0.20231024055158-015ab97ce898 - github.com/aquasecurity/trivy-policies v0.3.1-0.20231021040354-0572a07131c2 + github.com/aquasecurity/defsec v0.93.2-0.20231115015625-adcb9e5799e5 + github.com/aquasecurity/trivy-policies v0.6.1-0.20231117215321-f2affd629c34 github.com/aws/smithy-go v1.14.2 github.com/bmatcuk/doublestar/v4 v4.6.0 github.com/google/uuid v1.3.1 @@ -219,7 +219,3 @@ require ( ) replace oras.land/oras-go => oras.land/oras-go v1.2.4-0.20230801060855-932dd06d38af - -replace github.com/aquasecurity/defsec => github.com/nikpivkin/defsec v0.0.0-20231114084431-b974397eaa64 - -replace github.com/aquasecurity/trivy-policies => github.com/nikpivkin/trivy-policies v0.0.0-20231114085710-41b0ffa48745 diff --git a/go.sum b/go.sum index 00cbf8e5..6768c1c0 100644 --- a/go.sum +++ b/go.sum 
@@ -238,6 +238,10 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo= github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY= github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4= +github.com/aquasecurity/defsec v0.93.2-0.20231115015625-adcb9e5799e5 h1:CkfFZpctJrH+oHWlvuAE2qV4DNDqaVtPlEkVksbwuwo= +github.com/aquasecurity/defsec v0.93.2-0.20231115015625-adcb9e5799e5/go.mod h1:J30VViSgmoW2Ic/6aqVJO2qvuADsmZ3MYuNxPcU6Vt0= +github.com/aquasecurity/trivy-policies v0.6.1-0.20231117215321-f2affd629c34 h1:CWZNJiRB/IvS9ARjcY+7ZXWJ/jhVH5r4zoO06L+5DaE= +github.com/aquasecurity/trivy-policies v0.6.1-0.20231117215321-f2affd629c34/go.mod h1:o4r41Ig5yRnyvUcHXEgQeQFatPbWICVTMidByyPawxc= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= 
@@ -667,10 +671,6 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= -github.com/nikpivkin/defsec v0.0.0-20231114084431-b974397eaa64 h1:UzXsfnEuDKXOABg73/b4dYTSxbC/KmRMqNS7HEh/aVY= -github.com/nikpivkin/defsec v0.0.0-20231114084431-b974397eaa64/go.mod h1:J30VViSgmoW2Ic/6aqVJO2qvuADsmZ3MYuNxPcU6Vt0= -github.com/nikpivkin/trivy-policies v0.0.0-20231114085710-41b0ffa48745 h1:i598B4lU7jVU4J9ytDuVpaThThrJYfpK6OeQRLtNEgY= -github.com/nikpivkin/trivy-policies v0.0.0-20231114085710-41b0ffa48745/go.mod h1:gDIFncR+wsAclPA+nwe3840uHqqc4hLlxbTPGHnE0mc= github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec= github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY= github.com/onsi/ginkgo/v2 v2.9.4 h1:xR7vG4IXt5RWx6FfIjyAtsoMAtnc3C/rFXBBd2AjZwE= diff --git a/pkg/rego/schemas/cloud.json b/pkg/rego/schemas/cloud.json index 5999adac..b5865180 100644 --- a/pkg/rego/schemas/cloud.json +++ b/pkg/rego/schemas/cloud.json @@ -5063,6 +5063,10 @@ "name": { "type": "object", "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" + }, + "purpose": { + "type": "object", + "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" } } },