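// Package provider adapts Terraform `provider "aws"` blocks into the defsec
// aws.TerraformProvider model. Everything read here is copied through as-is
// (including any literal access_key / secret_key / token values), so it is the
// raw material for provider-level checks rather than a sanitised view.
package provider

import (
	"github.com/aquasecurity/defsec/pkg/providers/aws"
	"github.com/aquasecurity/defsec/pkg/terraform"
	"github.com/aquasecurity/defsec/pkg/types"
)

// Values substituted when the corresponding provider argument is absent, so
// an omitted argument and an explicitly written default adapt identically.
const (
	// defaultMaxRetires is the fallback for max_retries. The misspelled
	// identifier is kept as-is because other files in this package may use it.
	defaultMaxRetires       = 25
	defaultSharedConfigFile = "~/.aws/config"
	//#nosec G101 -- False positive: this is the path of the credentials file, not a credential
	defaultSharedCredentialsFile = "~/.aws/credentials"
)

// Adapt returns one aws.TerraformProvider per `provider "aws"` block found in
// modules, in the order the blocks are returned. Aliased providers are not
// filtered out; they are told apart by their Alias field.
func Adapt(modules terraform.Modules) []aws.TerraformProvider {
	return adaptProviders(modules)
}

// adaptProviders walks every provider block and keeps only those labelled
// "aws". Blocks for other providers are ignored; a nil slice is returned when
// there is none.
func adaptProviders(modules terraform.Modules) []aws.TerraformProvider {
	var providers []aws.TerraformProvider
	for _, block := range modules.GetBlocks().OfType("provider") {
		if block.Label() != "aws" {
			continue
		}
		providers = append(providers, adaptProvider(block))
	}
	return providers
}

// adaptProvider maps the arguments of a single `provider "aws"` block onto
// aws.TerraformProvider. Missing strings become "" and missing booleans
// become false, each carrying the provider block's metadata; max_retries and
// the shared config/credentials file lists fall back to the constants above.
func adaptProvider(b *terraform.Block) aws.TerraformProvider {
	return aws.TerraformProvider{
		Metadata: b.GetMetadata(),
		Alias:    getStringAttrValue("alias", b),
		Version:  getStringAttrValue("version", b),

		// Static credentials. These are copied verbatim: any literal secret
		// written into the .tf file ends up in the adapted struct, so callers
		// that serialise or log the result must redact these themselves.
		AccessKey: getStringAttrValue("access_key", b),
		SecretKey: getStringAttrValue("secret_key", b),
		Token:     getStringAttrValue("token", b),
		Profile:   getStringAttrValue("profile", b),
		SharedConfigFiles: b.GetAttribute("shared_config_files").
			AsStringValuesOrDefault(b, defaultSharedConfigFile),
		SharedCredentialsFiles: b.GetAttribute("shared_credentials_files").
			AsStringValuesOrDefault(b, defaultSharedCredentialsFile),

		// Role / identity settings live in nested blocks.
		AssumeRole:                adaptAssumeRole(b),
		AssumeRoleWithWebIdentity: adaptAssumeRoleWithWebIdentity(b),

		// Account pinning.
		AllowedAccountsIDs:     b.GetAttribute("allowed_account_ids").AsStringValueSliceOrEmpty(),
		ForbiddenAccountIDs:    b.GetAttribute("forbidden_account_ids").AsStringValueSliceOrEmpty(),
		SkipRequestingAccountID: b.GetAttribute("skip_requesting_account_id").AsBoolValueOrDefault(false, b),

		// Transport / TLS. `insecure` defaults to false (certificate
		// verification on) when the argument is omitted.
		Insecure:               b.GetAttribute("insecure").AsBoolValueOrDefault(false, b),
		CustomCABundle:         getStringAttrValue("custom_ca_bundle", b),
		HttpProxy:              getStringAttrValue("http_proxy", b),
		UseFIPSEndpoint:        b.GetAttribute("use_fips_endpoint").AsBoolValueOrDefault(false, b),
		UseDualstackEndpoint:   b.GetAttribute("use_dualstack_endpoint").AsBoolValueOrDefault(false, b),
		Endpoints:              adaptEndpoints(b),
		S3UsePathStyle:         b.GetAttribute("s3_use_path_style").AsBoolValueOrDefault(false, b),
		S3USEast1RegionalEndpoint: getStringAttrValue("s3_us_east_1_regional_endpoint", b),

		// Instance metadata service access.
		EC2MetadataServiceEndpoint:     getStringAttrValue("ec2_metadata_service_endpoint", b),
		EC2MetadataServiceEndpointMode: getStringAttrValue("ec2_metadata_service_endpoint_mode", b),
		SkipMetadataAPICheck:           b.GetAttribute("skip_metadata_api_check").AsBoolValueOrDefault(false, b),

		// Validation toggles; all off by default.
		SkipCredentialsValidation: b.GetAttribute("skip_credentials_validation").AsBoolValueOrDefault(false, b),
		SkipRegionValidation:      b.GetAttribute("skip_region_validation").AsBoolValueOrDefault(false, b),

		// Region and retry behaviour.
		Region:     getStringAttrValue("region", b),
		STSRegion:  getStringAttrValue("sts_region", b),
		MaxRetries: b.GetAttribute("max_retries").AsIntValueOrDefault(defaultMaxRetires, b),
		RetryMode:  getStringAttrValue("retry_mode", b),

		// Tagging.
		DefaultTags: adaptDefaultTags(b),
		IgnoreTags:  adaptIgnoreTags(b),
	}
}

// adaptAssumeRole models the optional nested `assume_role { ... }` block of
// provider p.
//
// When the block is absent, every string field is an empty default that
// carries the provider block's metadata. When it is present, the arguments
// are read from the nested block itself: in the AWS provider schema
// role_arn, external_id, duration, policy, etc. are arguments of assume_role,
// not of the provider block, so looking them up on p (as this adapter used to)
// would always yield "" and make the assume-role configuration invisible to
// any check that inspects it.
func adaptAssumeRole(p *terraform.Block) aws.AssumeRole {
	block := p.GetBlock("assume_role")
	if block.IsNil() {
		md := p.GetMetadata()
		return aws.AssumeRole{
			Metadata:       md,
			Duration:       types.StringDefault("", md),
			ExternalID:     types.StringDefault("", md),
			Policy:         types.StringDefault("", md),
			RoleARN:        types.StringDefault("", md),
			SessionName:    types.StringDefault("", md),
			SourceIdentity: types.StringDefault("", md),
		}
	}

	return aws.AssumeRole{
		Metadata:          block.GetMetadata(),
		Duration:          getStringAttrValue("duration", block),
		ExternalID:        getStringAttrValue("external_id", block),
		Policy:            getStringAttrValue("policy", block),
		PolicyARNs:        block.GetAttribute("policy_arns").AsStringValueSliceOrEmpty(),
		RoleARN:           getStringAttrValue("role_arn", block),
		SessionName:       getStringAttrValue("session_name", block),
		SourceIdentity:    getStringAttrValue("source_identity", block),
		Tags:              block.GetAttribute("tags").AsMapValue(),
		TransitiveTagKeys: block.GetAttribute("transitive_tag_keys").AsStringValueSliceOrEmpty(),
	}
}

// adaptAssumeRoleWithWebIdentity models the optional nested
// `assume_role_with_web_identity { ... }` block of provider p.
//
// As with adaptAssumeRole, the arguments are read from the nested block rather
// than from the provider block. Note that a literal web_identity_token is
// copied through unchanged; it is a bearer credential and should be treated
// like access_key/secret_key by anything that reports on the result.
func adaptAssumeRoleWithWebIdentity(p *terraform.Block) aws.AssumeRoleWithWebIdentity {
	block := p.GetBlock("assume_role_with_web_identity")
	if block.IsNil() {
		md := p.GetMetadata()
		return aws.AssumeRoleWithWebIdentity{
			Metadata:             md,
			Duration:             types.StringDefault("", md),
			Policy:               types.StringDefault("", md),
			RoleARN:              types.StringDefault("", md),
			SessionName:          types.StringDefault("", md),
			WebIdentityToken:     types.StringDefault("", md),
			WebIdentityTokenFile: types.StringDefault("", md),
		}
	}

	return aws.AssumeRoleWithWebIdentity{
		Metadata:             block.GetMetadata(),
		Duration:             getStringAttrValue("duration", block),
		Policy:               getStringAttrValue("policy", block),
		PolicyARNs:           block.GetAttribute("policy_arns").AsStringValueSliceOrEmpty(),
		RoleARN:              getStringAttrValue("role_arn", block),
		SessionName:          getStringAttrValue("session_name", block),
		WebIdentityToken:     getStringAttrValue("web_identity_token", block),
		WebIdentityTokenFile: getStringAttrValue("web_identity_token_file", block),
	}
}

// adaptEndpoints flattens the optional `endpoints { svc = "url" ... }` block
// into a service-name -> endpoint map. An absent block yields an empty map
// carrying the provider block's metadata; an attribute that is not a plain
// string is recorded as "".
func adaptEndpoints(p *terraform.Block) types.MapValue {
	block := p.GetBlock("endpoints")
	if block.IsNil() {
		return types.MapDefault(make(map[string]string), p.GetMetadata())
	}

	attrs := block.Attributes()
	values := make(map[string]string, len(attrs))
	for name, attr := range attrs {
		values[name] = attr.AsStringValueOrDefault("", block).Value()
	}
	return types.Map(values, block.GetMetadata())
}

// adaptDefaultTags reads `default_tags { tags = {...} }`. A zero-value
// aws.DefaultTags is returned when the nested tags attribute is missing.
func adaptDefaultTags(p *terraform.Block) aws.DefaultTags {
	// The second return value (the block that owns the attribute, presumably)
	// is not needed: the attribute's own metadata is recorded instead.
	attr, _ := p.GetNestedAttribute("default_tags.tags")
	if attr.IsNil() {
		return aws.DefaultTags{}
	}
	return aws.DefaultTags{
		Metadata: attr.GetMetadata(),
		Tags:     attr.AsMapValue(),
	}
}

// adaptIgnoreTags reads `ignore_tags { keys = [...] key_prefixes = [...] }`.
// A zero-value aws.IgnoreTags is returned when the block is absent; within a
// present block a missing list adapts to an empty slice.
func adaptIgnoreTags(p *terraform.Block) aws.IgnoreTags {
	block := p.GetBlock("ignore_tags")
	if block.IsNil() {
		return aws.IgnoreTags{}
	}
	return aws.IgnoreTags{
		Metadata:    block.GetMetadata(),
		Keys:        block.GetAttribute("keys").AsStringValueSliceOrEmpty(),
		KeyPrefixes: block.GetAttribute("key_prefixes").AsStringValueSliceOrEmpty(),
	}
}

// getStringAttrValue returns attribute name of parent as a string value, or an
// empty default attributed to parent when the attribute is absent or not a
// string.
func getStringAttrValue(name string, parent *terraform.Block) types.StringValue {
	return parent.GetAttribute(name).AsStringValueOrDefault("", parent)
}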