github.com/aquasecurity/trivy-iac@v0.8.1-0.20240127024015-3d8e412cf0ab/internal/adapters/terraform/aws/ec2/autoscaling.go (about)

     1  package ec2
     2  
     3  import (
     4  	"encoding/base64"
     5  
     6  	defsecTypes "github.com/aquasecurity/defsec/pkg/types"
     7  
     8  	"github.com/aquasecurity/defsec/pkg/terraform"
     9  
    10  	"github.com/aquasecurity/defsec/pkg/providers/aws/ec2"
    11  )
    12  
// adaptLaunchTemplates collects every aws_launch_template resource across all
// modules and adapts each one into the defsec ec2.LaunchTemplate model.
// The result is nil when no launch templates are declared.
func adaptLaunchTemplates(modules terraform.Modules) (templates []ec2.LaunchTemplate) {
	for _, block := range modules.GetResourcesByType("aws_launch_template") {
		templates = append(templates, adaptLaunchTemplate(block))
	}
	return templates
}
    23  
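// adaptLaunchTemplate adapts a single aws_launch_template block into the defsec
// model. Only the fields the model carries are extracted: the instance metadata
// options and the user data.
//
// The AWS provider documents aws_launch_template.user_data as the
// base64-encoded user data (unlike aws_launch_configuration.user_data, which is
// plain text and is handled as such by adaptLaunchConfiguration). So that
// downstream checks that inspect user-data content see the same decoded text
// for templates as they do for launch configurations, the value is base64
// decoded when it resolves to a non-empty string that is valid standard
// base64. Anything else (unresolvable expressions, values that fail to decode)
// is kept verbatim, so nothing that was previously visible is dropped.
func adaptLaunchTemplate(b *terraform.Block) ec2.LaunchTemplate {
	userDataAttr := b.GetAttribute("user_data")
	userData := userDataAttr.AsStringValueOrDefault("", b)

	// IsString is nil-safe on a missing attribute (same pattern as the
	// user_data_base64 handling for launch configurations in this file).
	if userDataAttr.IsString() {
		raw := userDataAttr.Value().AsString()
		if raw != "" {
			if decoded, err := base64.StdEncoding.DecodeString(raw); err == nil {
				userData = defsecTypes.String(string(decoded), userDataAttr.GetMetadata())
			}
		}
	}

	return ec2.LaunchTemplate{
		Metadata: b.GetMetadata(),
		Instance: ec2.Instance{
			Metadata:        b.GetMetadata(),
			MetadataOptions: getMetadataOptions(b),
			UserData:        userData,
		},
	}
}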
    34  
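// adaptLaunchConfigurations adapts every aws_launch_configuration resource into
// the defsec model, module by module.
//
// If the same module also declares an aws_ebs_encryption_by_default resource
// whose enabled attribute is not false, the root and EBS block devices of each
// launch configuration in that module are marked encrypted, overriding whatever
// the block devices themselves declare. This mirrors AWS behaviour: with
// encryption by default turned on, new volumes are encrypted regardless of the
// per-volume setting. The metadata of the encryption-by-default resource is
// attached to the value so findings point at the setting that justified it.
//
// NOTE(review): EBS encryption by default is an account/region-wide setting,
// but this lookup only considers resources declared in the same module as the
// launch configuration; a setting declared in a parent or sibling module is not
// applied. Confirm whether cross-module matching is intended. Also confirm how
// NotEqual treats an absent enabled attribute — the provider defaults it to
// true, and the check below relies on NotEqual(false) to reflect that.
func adaptLaunchConfigurations(modules terraform.Modules) []ec2.LaunchConfiguration {
	var launchConfigurations []ec2.LaunchConfiguration

	for _, module := range modules {
		// Loop-invariant per module: resolve the default-encryption resources
		// once instead of once per launch configuration.
		encryptionDefaults := module.GetResourcesByType("aws_ebs_encryption_by_default")

		for _, lcBlock := range module.GetResourcesByType("aws_launch_configuration") {
			launchConfig := adaptLaunchConfiguration(lcBlock)

			for _, encDefault := range encryptionDefaults {
				if !encDefault.GetAttribute("enabled").NotEqual(false) {
					continue
				}
				encrypted := defsecTypes.BoolDefault(true, encDefault.GetMetadata())
				launchConfig.RootBlockDevice.Encrypted = encrypted
				// EBSBlockDevices holds pointers, so assigning through the
				// element updates the device in place.
				for _, ebs := range launchConfig.EBSBlockDevices {
					ebs.Encrypted = encrypted
				}
			}

			launchConfigurations = append(launchConfigurations, launchConfig)
		}
	}

	return launchConfigurations
}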
    55  
// adaptLaunchConfiguration adapts one aws_launch_configuration block into the
// defsec model.
//
// Defaults are established first — empty name, no public IP, an unencrypted
// root block device, no EBS block devices, empty user data — and each is then
// overridden by the corresponding attribute or nested block when present:
//   - name                          -> Name
//   - associate_public_ip_address   -> AssociatePublicIP
//   - root_block_device.encrypted   -> RootBlockDevice.Encrypted
//   - ebs_block_device[].encrypted  -> EBSBlockDevices[].Encrypted
//   - metadata_options              -> MetadataOptions (see getMetadataOptions)
//   - user_data / user_data_base64  -> UserData. user_data wins when both are
//     set. user_data_base64 is decoded as standard base64; a value that does
//     not decode is silently left at the empty default (best effort, no error
//     is surfaced), so a malformed encoding hides the user data from checks.
//
// Metadata on each value points at the attribute or nested block it came from
// so findings reference the right lines.
func adaptLaunchConfiguration(resource *terraform.Block) ec2.LaunchConfiguration {
	meta := resource.GetMetadata()

	rootDevice := &ec2.BlockDevice{
		Metadata:  meta,
		Encrypted: defsecTypes.BoolDefault(false, meta),
	}
	if rootBlock := resource.GetBlock("root_block_device"); rootBlock.IsNotNil() {
		rootDevice.Metadata = rootBlock.GetMetadata()
		rootDevice.Encrypted = rootBlock.GetAttribute("encrypted").AsBoolValueOrDefault(false, rootBlock)
	}

	var ebsDevices []*ec2.BlockDevice
	for _, ebsBlock := range resource.GetBlocks("ebs_block_device") {
		ebsDevices = append(ebsDevices, &ec2.BlockDevice{
			Metadata:  ebsBlock.GetMetadata(),
			Encrypted: ebsBlock.GetAttribute("encrypted").AsBoolValueOrDefault(false, ebsBlock),
		})
	}

	userData := defsecTypes.StringDefault("", meta)
	if plain := resource.GetAttribute("user_data"); plain.IsNotNil() {
		userData = plain.AsStringValueOrDefault("", resource)
	} else if encoded := resource.GetAttribute("user_data_base64"); encoded.IsString() {
		// Best effort: a value that is not valid base64 keeps the empty default.
		if raw, err := base64.StdEncoding.DecodeString(encoded.Value().AsString()); err == nil {
			userData = defsecTypes.String(string(raw), encoded.GetMetadata())
		}
	}

	name := defsecTypes.StringDefault("", meta)
	//#nosec G101 -- False positive
	if resource.TypeLabel() == "aws_launch_configuration" {
		name = resource.GetAttribute("name").AsStringValueOrDefault("", resource)
	}

	return ec2.LaunchConfiguration{
		Metadata:          meta,
		Name:              name,
		AssociatePublicIP: resource.GetAttribute("associate_public_ip_address").AsBoolValueOrDefault(false, resource),
		RootBlockDevice:   rootDevice,
		EBSBlockDevices:   ebsDevices,
		MetadataOptions:   getMetadataOptions(resource),
		UserData:          userData,
	}
}
   103  
// getMetadataOptions reads the optional metadata_options nested block of an EC2
// launch template or launch configuration into ec2.MetadataOptions.
//
// Without the block, HttpTokens and HttpEndpoint are empty defaults anchored to
// the parent block's metadata. With it, http_tokens and http_endpoint are read
// (empty default when an attribute is absent) and the metadata points at the
// nested block so findings reference its lines. This function only extracts
// the raw strings; whether a given value (presumably http_tokens = "required"
// for IMDSv2 enforcement) satisfies a rule is decided by the consuming checks.
func getMetadataOptions(b *terraform.Block) ec2.MetadataOptions {
	optionsBlock := b.GetBlock("metadata_options")
	if !optionsBlock.IsNotNil() {
		parentMeta := b.GetMetadata()
		return ec2.MetadataOptions{
			Metadata:     parentMeta,
			HttpTokens:   defsecTypes.StringDefault("", parentMeta),
			HttpEndpoint: defsecTypes.StringDefault("", parentMeta),
		}
	}

	return ec2.MetadataOptions{
		Metadata:     optionsBlock.GetMetadata(),
		HttpTokens:   optionsBlock.GetAttribute("http_tokens").AsStringValueOrDefault("", optionsBlock),
		HttpEndpoint: optionsBlock.GetAttribute("http_endpoint").AsStringValueOrDefault("", optionsBlock),
	}
}