Merge pull request #313 from accurics/kubernetes-support

initial kubernetes support

go.mod

@@ -3,12 +3,13 @@ module github.com/accurics/terrascan
 go 1.14
 
 require (
+	github.com/ghodss/yaml v1.0.0
 	github.com/gorilla/mux v1.7.4
 	github.com/hashicorp/go-retryablehttp v0.6.6
 	github.com/hashicorp/go-version v1.2.0
 	github.com/hashicorp/hcl/v2 v2.3.0
 	github.com/hashicorp/terraform v0.12.28
-	github.com/mitchellh/go-homedir v1.1.0
+	github.com/iancoleman/strcase v0.1.1
 	github.com/open-policy-agent/opa v0.22.0
 	github.com/pelletier/go-toml v1.8.0
 	github.com/pkg/errors v0.9.1
@@ -17,10 +18,9 @@ require (
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/zclconf/go-cty v1.2.1
 	go.uber.org/zap v1.10.0
-	golang.org/x/net v0.0.0-20200625001655-4c5254603344 // indirect
+	golang.org/x/net v0.0.0-20200822124328-c89045814202 // indirect
 	golang.org/x/sys v0.0.0-20200814200057-3d37ad5750ed // indirect
 	gopkg.in/src-d/go-git.v4 v4.13.1
 	gopkg.in/yaml.v2 v2.3.0
-	k8s.io/apimachinery v0.18.8 // indirect
-	k8s.io/client-go v11.0.0+incompatible
+	gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776
 )

pkg/cli/run.go

@@ -17,6 +17,7 @@
 package cli
 
 import (
+	"flag"
 	"os"
 
 	"github.com/accurics/terrascan/pkg/runtime"
@@ -39,12 +40,14 @@ func Run(iacType, iacVersion, cloudType, iacFilePath, iacDirPath, configFile,
 	if err != nil {
 		return
 	}
+
 	if configOnly {
 		writer.Write(format, results.ResourceConfig, os.Stdout)
 	} else {
 		writer.Write(format, results.Violations, os.Stdout)
 	}
-	if results.Violations.ViolationStore.Count.TotalCount != 0 {
+
+	if results.Violations.ViolationStore.Count.TotalCount != 0 && flag.Lookup("test.v") == nil {
 		os.Exit(3)
 	}
 }

pkg/cli/run_test.go

@@ -0,0 +1,66 @@
+/*
+    Copyright (C) 2020 Accurics, Inc.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+*/
+
+package cli
+
+import (
+	"testing"
+)
+
+func TestRun(t *testing.T) {
+	table := []struct {
+		name        string
+		iacType     string
+		iacVersion  string
+		cloudType   string
+		iacFilePath string
+		iacDirPath  string
+		configFile  string
+		configOnly  bool
+		stdOut      string
+		want        string
+		wantErr     error
+	}{
+		{
+			name:       "normal terraform run",
+			cloudType:  "terraform",
+			iacDirPath: "testdata/run-test",
+		},
+		{
+			name:       "normal k8s run",
+			cloudType:  "k8s",
+			iacDirPath: "testdata/run-test",
+		},
+		{
+			name:        "config-only flag terraform",
+			cloudType:   "terraform",
+			iacFilePath: "testdata/run-test/config-only.tf",
+			configOnly:  true,
+		},
+		{
+			name:        "config-only flag k8s",
+			cloudType:   "k8s",
+			iacFilePath: "testdata/run-test/config-only.yaml",
+			configOnly:  true,
+		},
+	}
+
+	for _, tt := range table {
+		t.Run(tt.name, func(t *testing.T) {
+			Run(tt.iacType, tt.iacVersion, tt.cloudType, tt.iacFilePath, tt.iacDirPath, tt.configFile, "", "", tt.configOnly)
+		})
+	}
+}

pkg/cli/scan.go

@@ -57,9 +57,9 @@ func scan(cmd *cobra.Command, args []string) {
 }
 
 func init() {
-	scanCmd.Flags().StringVarP(&PolicyType, "policy-type", "t", "", "<required> policy type (aws, azure, gcp)")
-	scanCmd.Flags().StringVarP(&IacType, "iac-type", "i", "terraform", "iac type (terraform)")
-	scanCmd.Flags().StringVarP(&IacVersion, "iac-version", "", "v12", "iac version (v12)")
+	scanCmd.Flags().StringVarP(&PolicyType, "policy-type", "t", "", "<required> policy type (aws, azure, gcp, k8s)")
+	scanCmd.Flags().StringVarP(&IacType, "iac-type", "i", "", "iac type (terraform, k8s)")
+	scanCmd.Flags().StringVarP(&IacVersion, "iac-version", "", "", "iac version terraform:(v12) k8s:(v1)")
 	scanCmd.Flags().StringVarP(&IacFilePath, "iac-file", "f", "", "path to a single IaC file")
 	scanCmd.Flags().StringVarP(&IacDirPath, "iac-dir", "d", ".", "path to a directory containing one or more IaC files")
 	scanCmd.Flags().StringVarP(&PolicyPath, "policy-path", "p", "", "policy path directory")

pkg/cli/testdata/run-test/config-only.tf

@@ -0,0 +1,6 @@
+resource "aws_subnet" "default" {
+  vpc_id                  = aws_vpc.default.id
+  cidr_block              = "10.0.1.0/24"
+  map_public_ip_on_launch = true
+}
+

pkg/cli/testdata/run-test/config-only.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: accurics

pkg/cli/testdata/run-test/main.tf

@@ -0,0 +1,76 @@
+# Specify the provider and access details
+provider "aws" {
+   region = "var.aws_region"
+}
+
+provider "kubernetes" {
+}
+
+# Create a VPC to launch our instances into
+resource "aws_vpc" "acme_root" {
+  cidr_block = "10.0.0.0/16"
+  tags = {
+    Name = "acme_root"
+  }
+}
+
+# Create an internet gateway to give our subnet access to the outside world
+resource "aws_internet_gateway" "acme_root" {
+  vpc_id = "aws_vpc.acme_root.id"
+  tags = {
+    Name = "acme_root"
+  }
+}
+
+# Grant the VPC internet access on its main route table
+resource "aws_route" "acme_root" {
+  route_table_id         = "aws_vpc.acme_root.main_route_table_id"
+  destination_cidr_block = "0.0.0.0/0"
+  gateway_id             = "aws_internet_gateway.acme_root.id"
+}
+
+# Create a subnet to launch our instances into
+resource "aws_subnet" "acme_web" {
+  vpc_id                  = "aws_vpc.acme_root.id"
+  cidr_block              = "10.0.1.0/24"
+  map_public_ip_on_launch = true
+  tags = {
+    Name = "acme_web"
+  }
+}
+
+resource "aws_key_pair" "auth" {
+  key_name   = "var.key_name"
+  public_key = "file(var.public_key_path)"
+}
+
+# resource "aws_s3_bucket" "acme_main" {
+#   bucket = "main-bucket"
+#   acl    = "private"
+# }
+
+resource "aws_ecr_repository" "scanOnPushDisabled" {
+  name                 = "test"
+
+  image_scanning_configuration {
+    scan_on_push = false
+  }
+}
+
+resource "aws_ecr_repository_policy" "ecrRepoIsPublic" {
+  repository = "some-Repo-Name"
+
+  policy = <<EOF
+{
+    "Version": "2008-10-17",
+    "Statement": [
+        {
+            "Sid": "new policy",
+            "Effect": "Allow",
+            "Principal": "*",
+            "Action": ["*"]
+        }
+    ]
+}
+EOF
+}

pkg/cli/testdata/run-test/test_pod.yaml

@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: myapp-pod
+  labels:
+    app: myapp
+    test: someupdate
+    test2: someupdate3
+spec:
+  containers:
+  - name: myapp-container
+    image: busybox
+    command: ['sh', '-c', 'echo Hello Kubernetes! && sleep 3600']
+    securityContext:
+      allowPrivilegeEscalation: true
+---
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+  name: myapp-deployment2
+  labels:
+    app: myapp
+    test: someupdate
+    test2: someupdate3
+spec:
+  template:
+    spec:
+      containers:
+      - name: myapp-container2
+        image: busybox
+        command: ['sh', '-c', 'echo Hello Kubernetes! && sleep 3600']
+        securityContext:
+          allowPrivilegeEscalation: true

pkg/cli/testdata/run-test/variable.tf

@@ -0,0 +1,35 @@
+variable "public_key_path" {
+  description = <<DESCRIPTION
+Path to the SSH public key to be used for authentication.
+Ensure this keypair is added to your local SSH agent so provisioners can
+connect.
+
+Example: ~/.ssh/terraform.pub
+DESCRIPTION
+default = "terraform-poc01.pub"
+}
+
+variable "key_name" {
+  description = "Desired name of AWS key pair"
+  default = "terraform-poc01"
+}
+
+variable "aws_region" {
+  description = "AWS region to launch servers."
+  default     = "ap-south-1"
+}
+
+# Ubuntu Precise 12.04 LTS (x64)
+variable "aws_amis" {
+  default = {
+    eu-west-1 = "ami-674cbc1e"
+    us-east-1 = "ami-1d4e7a66"
+    us-west-1 = "ami-969ab1f6"
+    us-west-2 = "ami-8803e0f0"
+    ap-south-1 = "ami-0123b531fc646552f"
+  }
+}
+
+variable "sample" {
+  default = "demo"
+}

pkg/cli/testdata/run-test/web.tf

@@ -0,0 +1,81 @@
+###
+# Our default security group to access
+# the instances over SSH and HTTP
+resource "aws_security_group" "acme_web" {
+  name        = "acme_web"
+  description = "Used in the terraform"
+  vpc_id      = "aws_vpc.acme_root.id"
+
+  tags = {
+    Name = "acme_web"
+  }
+
+  # SSH access from anywhere
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+
+  # HTTP access from the VPC
+  ingress {
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  # outbound internet access
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+}
+
+resource "aws_instance" "acem_web" {
+  # The connection block tells our provisioner how to
+  # communicate with the resource (instance)
+  # connection {
+  #   # The default username for our AMI
+  #   user = "ubuntu"
+  #   host = "acme"
+  #   # The connection will use the local SSH agent for authentication.
+  # }
+
+  tags = {
+    Name = "acem_web"
+  }
+
+  instance_type = "t2.micro"
+
+  # Lookup the correct AMI based on the region
+  # we specified
+  ami = "lookup(var.aws_amis, var.aws_region)"
+
+  # The name of our SSH keypair we created above.
+  key_name = "aws_key_pair.auth.id"
+
+  # Our Security group to allow HTTP and SSH access
+  vpc_security_group_ids = ["aws_security_group.acme_web.id"]
+
+  # We're going to launch into the same subnet as our ELB. In a production
+  # environment it's more common to have a separate private subnet for
+  # backend instances.
+  subnet_id = "aws_subnet.acme_web.id"
+
+  # We run a remote provisioner on the instance after creating it.
+  # In this case, we just install nginx and start it. By default,
+  # this should be on port 80
+  # provisioner "remote-exec" {
+  #   inline = [
+  #     "sudo apt-get -y update",
+  #     "sudo apt-get -y install nginx",
+  #     "sudo service nginx start",
+  #   ]
+  # }
+}