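// Source: github.com/aquasecurity/trivy-iac@v0.8.1-0.20240127024015-3d8e412cf0ab/internal/adapters/terraform/aws/ec2/adapt.go

package ec2

import (
	"github.com/aquasecurity/defsec/pkg/providers/aws/ec2"
	"github.com/aquasecurity/defsec/pkg/terraform"
	"github.com/aquasecurity/defsec/pkg/types"
)

// Adapt converts the EC2-related resources in the parsed Terraform modules
// into the provider-neutral ec2.EC2 model that the checks run against.
//
// The security-group and network-ACL adapters are seeded with the child
// resource ID maps for aws_security_group_rule / aws_network_acl_rule so that
// stand-alone rule resources can be matched to their parent (see the sg and
// nacl adapter files for how the maps are consumed).
func Adapt(modules terraform.Modules) ec2.EC2 {
	naclAdapter := naclAdapter{naclRuleIDs: modules.GetChildResourceIDMapByType("aws_network_acl_rule")}
	sgAdapter := sgAdapter{sgRuleIDs: modules.GetChildResourceIDMapByType("aws_security_group_rule")}

	return ec2.EC2{
		Instances:            getInstances(modules),
		VPCs:                 adaptVPCs(modules),
		SecurityGroups:       sgAdapter.adaptSecurityGroups(modules),
		Subnets:              adaptSubnets(modules),
		NetworkACLs:          naclAdapter.adaptNetworkACLs(modules),
		LaunchConfigurations: adaptLaunchConfigurations(modules),
		LaunchTemplates:      adaptLaunchTemplates(modules),
		Volumes:              adaptVolumes(modules),
	}
}

// getInstances adapts every aws_instance resource into an ec2.Instance.
//
// For each instance block:
//   - Metadata, metadata_options and user_data are taken from the instance
//     block, unless a launch template referenced by the block can be resolved,
//     in which case the template's adapted Instance replaces the whole value
//     (see the NOTE below).
//   - RootBlockDevice is always non-nil on return: an explicit
//     root_block_device block wins; otherwise an unencrypted default attributed
//     to the instance block is used, unless the launch template already set one.
//   - Every ebs_block_device block is appended to EBSBlockDevices.
//   - If any aws_ebs_encryption_by_default resource is enabled (the `enabled`
//     attribute is absent or not false), the root and EBS devices are marked
//     encrypted with that resource's metadata, overriding their own
//     `encrypted` attribute.
func getInstances(modules terraform.Modules) []ec2.Instance {
	var instances []ec2.Instance

	// Account-level EBS encryption by default applies to every instance, so
	// resolve it once rather than re-scanning the modules per instance. When
	// several enabled resources exist the last one wins, which is the same
	// outcome as the per-instance loop this replaces.
	var ebsDefault *terraform.Block
	for _, resource := range modules.GetResourcesByType("aws_ebs_encryption_by_default") {
		if resource.GetAttribute("enabled").NotEqual(false) {
			ebsDefault = resource
		}
	}

	for _, b := range modules.GetResourcesByType("aws_instance") {
		instance := ec2.Instance{
			Metadata:        b.GetMetadata(),
			MetadataOptions: getMetadataOptions(b),
			UserData:        b.GetAttribute("user_data").AsStringValueOrDefault("", b),
		}

		// NOTE(review): the template's Instance replaces the value built above
		// wholesale, so the instance block's own metadata_options and user_data
		// are discarded and findings are attributed to the template's metadata.
		// AWS lets instance-level settings override the template (e.g. an
		// instance enforcing IMDSv2 on a template that does not, or vice versa);
		// a scan of such a configuration would report the template's state, not
		// the effective one. Confirm against the IMDS/user_data checks before
		// changing this precedence.
		if launchTemplate := findRelatedLaunchTemplate(modules, b); launchTemplate != nil {
			instance = launchTemplate.Instance
		}

		// Guarantee a root device so later assignments never dereference nil;
		// the default is "not encrypted", attributed to the instance block.
		if instance.RootBlockDevice == nil {
			instance.RootBlockDevice = &ec2.BlockDevice{
				Metadata:  b.GetMetadata(),
				Encrypted: types.BoolDefault(false, b.GetMetadata()),
			}
		}

		// An explicit root_block_device block overrides whatever was set above.
		// The default for a missing `encrypted` attribute is attributed to the
		// instance block (b), not to the nested block.
		if rootBlockDevice := b.GetBlock("root_block_device"); rootBlockDevice.IsNotNil() {
			instance.RootBlockDevice = &ec2.BlockDevice{
				Metadata:  rootBlockDevice.GetMetadata(),
				Encrypted: rootBlockDevice.GetAttribute("encrypted").AsBoolValueOrDefault(false, b),
			}
		}

		for _, ebsBlock := range b.GetBlocks("ebs_block_device") {
			instance.EBSBlockDevices = append(instance.EBSBlockDevices, &ec2.BlockDevice{
				Metadata:  ebsBlock.GetMetadata(),
				Encrypted: ebsBlock.GetAttribute("encrypted").AsBoolValueOrDefault(false, b),
			})
		}

		// Encryption by default cannot be opted out of per volume, so it
		// supersedes the per-device `encrypted` values collected above. A fresh
		// BoolValue is built per device, as the original code did.
		if ebsDefault != nil {
			instance.RootBlockDevice.Encrypted = types.BoolDefault(true, ebsDefault.GetMetadata())
			for _, ebs := range instance.EBSBlockDevices {
				ebs.Encrypted = types.BoolDefault(true, ebsDefault.GetMetadata())
			}
		}

		instances = append(instances, instance)
	}

	return instances
}

// findRelatedLaunchTemplate resolves the launch template referenced by an
// aws_instance's launch_template block.
//
// The reference is the block's `name` attribute when it is resolvable,
// otherwise its `id`. It is compared against each aws_launch_template's
// resource ID and its `name` attribute; the first match is adapted and
// returned. The result is nil when the instance has no launch_template block,
// the reference is not a string, or no template matches.
func findRelatedLaunchTemplate(modules terraform.Modules, instanceBlock *terraform.Block) *ec2.LaunchTemplate {
	launchTemplateBlock := instanceBlock.GetBlock("launch_template")
	if launchTemplateBlock.IsNil() {
		return nil
	}

	// Prefer a resolvable name; fall back to the id reference otherwise.
	templateRef := launchTemplateBlock.GetAttribute("name")
	if !templateRef.IsResolvable() {
		templateRef = launchTemplateBlock.GetAttribute("id")
	}

	if !templateRef.IsString() {
		return nil
	}

	for _, r := range modules.GetResourcesByType("aws_launch_template") {
		templateName := r.GetAttribute("name").AsStringValueOrDefault("", r).Value()
		if templateRef.Equals(r.ID()) || templateRef.Equals(templateName) {
			launchTemplate := adaptLaunchTemplate(r)
			return &launchTemplate
		}
	}

	return nil
}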