feat(misconf): support for VPC resources for inbound/outbound rules (#…

…6779)
aquasecurity · May 27, 2024 · 349caf9 · 349caf9
1 parent 21114c9
commit 349caf9
Show file tree

Hide file tree

Showing 2 changed files with 72 additions and 0 deletions.
diff --git a/pkg/iac/adapters/terraform/aws/ec2/vpc.go b/pkg/iac/adapters/terraform/aws/ec2/vpc.go
@@ -134,6 +134,16 @@ func (a *sgAdapter) adaptSecurityGroup(resource *terraform.Block, module terrafo
 		}
 	}
 
+	for _, r := range module.GetReferencingResources(resource, "aws_vpc_security_group_ingress_rule", "security_group_id") {
+		a.sgRuleIDs.Resolve(r.ID())
+		ingressRules = append(ingressRules, adaptSingleSGRule(r))
+	}
+
+	for _, r := range module.GetReferencingResources(resource, "aws_vpc_security_group_egress_rule", "security_group_id") {
+		a.sgRuleIDs.Resolve(r.ID())
+		egressRules = append(egressRules, adaptSingleSGRule(r))
+	}
+
 	return ec2.SecurityGroup{
 		Metadata:     resource.GetMetadata(),
 		Description:  descriptionVal,
@@ -178,6 +188,24 @@ func adaptSGRule(resource *terraform.Block, modules terraform.Modules) ec2.Secur
 	}
 }
 
+func adaptSingleSGRule(resource *terraform.Block) ec2.SecurityGroupRule {
+	description := resource.GetAttribute("description").AsStringValueOrDefault("", resource)
+
+	var cidrs []iacTypes.StringValue
+	if ipv4 := resource.GetAttribute("cidr_ipv4"); ipv4.IsNotNil() {
+		cidrs = append(cidrs, ipv4.AsStringValueOrDefault("", resource))
+	}
+	if ipv6 := resource.GetAttribute("cidr_ipv6"); ipv6.IsNotNil() {
+		cidrs = append(cidrs, ipv6.AsStringValueOrDefault("", resource))
+	}
+
+	return ec2.SecurityGroupRule{
+		Metadata:    resource.GetMetadata(),
+		Description: description,
+		CIDRs:       cidrs,
+	}
+}
+
 func (a *naclAdapter) adaptNetworkACL(resource *terraform.Block, module *terraform.Module) ec2.NetworkACL {
 	var networkRules []ec2.NetworkACLRule
 	rulesBlocks := module.GetReferencingResources(resource, "aws_network_acl_rule", "network_acl_id")

diff --git a/pkg/iac/adapters/terraform/aws/ec2/vpc_test.go b/pkg/iac/adapters/terraform/aws/ec2/vpc_test.go
@@ -221,6 +221,50 @@ resource "aws_flow_log" "this" {
 				},
 			},
 		},
+		{
+			name: "ingress and egress rules",
+			terraform: `
+resource "aws_security_group" "example" {
+  name        = "example"
+  description = "example"
+}
+
+resource "aws_vpc_security_group_egress_rule" "test" {
+  security_group_id = aws_security_group.example.id
+  cidr_ipv4         = "0.0.0.0/0"
+  ip_protocol       = "-1" # semantically equivalent to all ports
+}
+
+resource "aws_vpc_security_group_ingress_rule" "test" {
+  security_group_id = aws_security_group.example.id
+  cidr_ipv4         = "0.0.0.0/0"
+  from_port         = "22"
+  to_port           = "22"
+  ip_protocol       = "tcp"
+}
+`,
+			expected: ec2.EC2{
+				SecurityGroups: []ec2.SecurityGroup{
+					{
+						Description: iacTypes.StringTest("example"),
+						IngressRules: []ec2.SecurityGroupRule{
+							{
+								CIDRs: []iacTypes.StringValue{
+									iacTypes.StringTest("0.0.0.0/0"),
+								},
+							},
+						},
+						EgressRules: []ec2.SecurityGroupRule{
+							{
+								CIDRs: []iacTypes.StringValue{
+									iacTypes.StringTest("0.0.0.0/0"),
+								},
+							},
+						},
+					},
+				},
+			},
+		},
 	}
 
 	for _, test := range tests {