github.com/aquasecurity/trivy-iac@v0.8.1-0.20240127024015-3d8e412cf0ab/internal/adapters/cloudformation/aws/rds/instance.go (about)

     1  package rds
     2  
     3  import (
     4  	"github.com/aquasecurity/defsec/pkg/providers/aws/rds"
     5  	"github.com/aquasecurity/defsec/pkg/types"
     6  	"github.com/aquasecurity/trivy-iac/pkg/scanners/cloudformation/parser"
     7  )
     8  
// getClustersAndInstances adapts every AWS::RDS::DBInstance in the template and
// files each one either under the rds.Cluster it names via DBClusterIdentifier
// or, when that property is not a string, into the returned standalone list.
// Clusters come from getClusters(ctx) (keyed however that helper keys them) and
// are returned as a slice in map-iteration, i.e. unspecified, order.
//
// NOTE(review): an instance whose DBClusterIdentifier is a string that matches
// no entry in clusterMap (for example a cluster defined outside this template)
// is attached nowhere and silently disappears from both results, so no
// instance-level checks run against it. Treating it as standalone instead would
// apply cluster-level expectations (storage encryption) to it. Confirm which
// behaviour is intended before changing it.
func getClustersAndInstances(ctx parser.FileContext) ([]rds.Cluster, []rds.Instance) {
	clusterMap := getClusters(ctx)

	var standalone []rds.Instance

	for _, res := range ctx.GetResourcesByType("AWS::RDS::DBInstance") {
		inst := instanceFromResource(ctx, res)

		clusterID := res.GetProperty("DBClusterIdentifier")
		if !clusterID.IsString() {
			standalone = append(standalone, inst)
			continue
		}

		key := clusterID.AsString()
		cluster, known := clusterMap[key]
		if !known {
			continue // see NOTE(review) above: dropped, not standalone
		}
		cluster.Instances = append(cluster.Instances, rds.ClusterInstance{
			Instance:          inst,
			ClusterIdentifier: clusterID.AsStringValue(),
		})
		// rds.Cluster is held by value in the map; write the updated copy back.
		clusterMap[key] = cluster
	}

	clusters := make([]rds.Cluster, 0, len(clusterMap))
	for _, c := range clusterMap {
		clusters = append(clusters, c)
	}

	return clusters, standalone
}

// instanceFromResource builds the rds.Instance model for one
// AWS::RDS::DBInstance resource.
//
// Defaults applied when a property is absent: BackupRetentionPeriod -> 1 and
// DeletionProtection / StorageEncrypted -> false, matching CloudFormation's
// own defaults. PublicAccess is set to true when PubliclyAccessible is absent:
// the template cannot tell us what the VPC/subnet-group defaults would make
// the service choose, so the model fails closed. The sibling PubliclyAccessible
// field keeps the false zero default, so the two fields describing the same
// property disagree for an absent property — presumably checks consume
// PublicAccess; verify before relying on PubliclyAccessible.
//
// LatestRestorableTime is runtime state that no template can carry and is
// marked unresolvable.
func instanceFromResource(ctx parser.FileContext, res *parser.Resource) rds.Instance {
	meta := res.Metadata()

	return rds.Instance{
		Metadata:                  meta,
		BackupRetentionPeriodDays: res.GetIntProperty("BackupRetentionPeriod", 1),
		ReplicationSourceARN:      res.GetStringProperty("SourceDBInstanceIdentifier"),
		PerformanceInsights: rds.PerformanceInsights{
			Metadata: meta,
			Enabled:  res.GetBoolProperty("EnablePerformanceInsights"),
			KMSKeyID: res.GetStringProperty("PerformanceInsightsKMSKeyId"),
		},
		Encryption: rds.Encryption{
			Metadata:       meta,
			EncryptStorage: res.GetBoolProperty("StorageEncrypted"),
			KMSKeyID:       res.GetStringProperty("KmsKeyId"),
		},
		PublicAccess:                     res.GetBoolProperty("PubliclyAccessible", true), // fail closed when unset
		Engine:                           res.GetStringProperty("Engine"),
		IAMAuthEnabled:                   res.GetBoolProperty("EnableIAMDatabaseAuthentication"),
		DeletionProtection:               res.GetBoolProperty("DeletionProtection", false),
		DBInstanceArn:                    res.GetStringProperty("DBInstanceArn"),
		StorageEncrypted:                 res.GetBoolProperty("StorageEncrypted", false),
		DBInstanceIdentifier:             res.GetStringProperty("DBInstanceIdentifier"),
		DBParameterGroups:                getDBParameterGroups(ctx, res),
		TagList:                          getTagList(res),
		EnabledCloudwatchLogsExports:     getEnabledCloudwatchLogsExports(res),
		EngineVersion:                    res.GetStringProperty("EngineVersion"),
		AutoMinorVersionUpgrade:          res.GetBoolProperty("AutoMinorVersionUpgrade"),
		MultiAZ:                          res.GetBoolProperty("MultiAZ"),
		PubliclyAccessible:               res.GetBoolProperty("PubliclyAccessible"),
		LatestRestorableTime:             types.TimeUnresolvable(meta),
		ReadReplicaDBInstanceIdentifiers: getReadReplicaDBInstanceIdentifiers(res),
	}
}
    70  
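// getDBParameterGroups returns the AWS::RDS::DBParameterGroup resources in the
// template whose DBParameterGroupName equals the instance's
// DBParameterGroupName. Each entry carries the group's metadata and name; its
// KMSKeyID is marked unresolvable because a parameter group has no key in
// CloudFormation.
//
// An instance that sets no DBParameterGroupName gets no groups. Without that
// guard the missing name (the empty default) compares equal to every parameter
// group that also omits the optional DBParameterGroupName property, attaching
// unrelated groups to the instance.
//
// NOTE(review): matching is by the name property only. A `!Ref` to the group's
// logical ID may resolve to something other than that property and would then
// not match — confirm against the parser's Ref handling if that pattern needs
// support.
func getDBParameterGroups(ctx parser.FileContext, r *parser.Resource) (dbParameterGroup []rds.DBParameterGroupsList) {
	wanted := r.GetStringProperty("DBParameterGroupName")
	if wanted.IsEmpty() {
		return nil
	}

	for _, group := range ctx.GetResourcesByType("AWS::RDS::DBParameterGroup") {
		name := group.GetStringProperty("DBParameterGroupName")
		if !wanted.EqualTo(name.Value()) {
			continue
		}
		dbParameterGroup = append(dbParameterGroup, rds.DBParameterGroupsList{
			Metadata:             group.Metadata(),
			DBParameterGroupName: name,
			KMSKeyID:             types.StringUnresolvable(group.Metadata()),
		})
	}

	return dbParameterGroup
}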
    90  
// getEnabledCloudwatchLogsExports returns the entries of the instance's
// EnableCloudwatchLogsExports list as string values. When the property is
// missing or is not a list the result is nil.
func getEnabledCloudwatchLogsExports(r *parser.Resource) (enabledcloudwatchlogexportslist []types.StringValue) {
	exports := r.GetProperty("EnableCloudwatchLogsExports")
	if exports.IsNil() || exports.IsNotList() {
		return nil
	}

	var out []types.StringValue
	for _, entry := range exports.AsList() {
		out = append(out, entry.AsStringValue())
	}
	return out
}
   103  
// getTagList returns one rds.TagList entry per element of the instance's Tags
// list, carrying only that element's metadata (the tag key and value are not
// captured). A missing or non-list Tags property yields nil.
func getTagList(r *parser.Resource) (taglist []rds.TagList) {
	tags := r.GetProperty("Tags")
	if tags.IsNil() || tags.IsNotList() {
		return nil
	}

	var out []rds.TagList
	for _, tag := range tags.AsList() {
		out = append(out, rds.TagList{Metadata: tag.Metadata()})
	}
	return out
}
   118  
// getReadReplicaDBInstanceIdentifiers returns the elements of the instance's
// SourceDBInstanceIdentifier property as string values, or nil when the
// property is missing or not a list.
//
// NOTE(review): SourceDBInstanceIdentifier is a single string in
// CloudFormation (this file reads it as one for ReplicationSourceARN), so the
// list guard rejects it and this helper appears to return nil for every
// template; CloudFormation exposes no property listing an instance's read
// replicas. Confirm whether this field can be populated at all from a template.
func getReadReplicaDBInstanceIdentifiers(r *parser.Resource) (readreplicadbidentifier []types.StringValue) {
	source := r.GetProperty("SourceDBInstanceIdentifier")
	if source.IsNil() || source.IsNotList() {
		return nil
	}

	var out []types.StringValue
	for _, entry := range source.AsList() {
		out = append(out, entry.AsStringValue())
	}
	return out
}