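package kubernetes

import (
	"regexp"
	"strings"

	"github.com/aquasecurity/defsec/pkg/providers/kubernetes"
	"github.com/aquasecurity/defsec/pkg/terraform"
)

// versionRegex matches the API-version suffix that the Terraform Kubernetes
// provider appends to versioned resource types (see getBlocksIgnoreVersion):
// "v1", "v2", "v1beta1", ... A suffix such as "v1alpha1" does not match.
var versionRegex = regexp.MustCompile(`^v\d+(beta\d+)?$`)

// Adapt builds the Kubernetes provider model for the given Terraform modules.
// Only network policies are currently adapted.
func Adapt(modules terraform.Modules) kubernetes.Kubernetes {
	return kubernetes.Kubernetes{
		NetworkPolicies: adaptNetworkPolicies(modules),
	}
}

// adaptNetworkPolicies returns one NetworkPolicy per kubernetes_network_policy
// resource across all modules, including versioned variants such as
// kubernetes_network_policy_v1. The result is nil when no such resource exists.
func adaptNetworkPolicies(modules terraform.Modules) []kubernetes.NetworkPolicy {
	var networkPolicies []kubernetes.NetworkPolicy
	for _, module := range modules {
		for _, resource := range getBlocksIgnoreVersion(module, "resource", "kubernetes_network_policy") {
			networkPolicies = append(networkPolicies, adaptNetworkPolicy(resource))
		}
	}
	return networkPolicies
}

// adaptNetworkPolicy maps one kubernetes_network_policy resource block onto
// the provider model. The egress and ingress rule sets start empty (nil ports
// and CIDRs) carrying the resource's own metadata, and are filled in from the
// first "egress" and "ingress" block under "spec" when those are present.
//
// NOTE(review): spec.egress and spec.ingress are read with GetBlock, so only
// the first rule block of each kind is represented. The Kubernetes
// NetworkPolicy schema allows several rule blocks, and a later, more
// permissive rule is not visible to checks run on this model — confirm
// whether rules beyond the first should be merged here.
func adaptNetworkPolicy(resourceBlock *terraform.Block) kubernetes.NetworkPolicy {
	resourceMeta := resourceBlock.GetMetadata()
	policy := kubernetes.NetworkPolicy{
		Metadata: resourceMeta,
		Spec: kubernetes.NetworkPolicySpec{
			Metadata: resourceMeta,
			Egress: kubernetes.Egress{
				Metadata:         resourceMeta,
				Ports:            nil,
				DestinationCIDRs: nil,
			},
			Ingress: kubernetes.Ingress{
				Metadata:    resourceMeta,
				Ports:       nil,
				SourceCIDRs: nil,
			},
		},
	}

	specBlock := resourceBlock.GetBlock("spec")
	if specBlock.IsNil() {
		// No spec at all: keep the empty defaults attributed to the resource.
		return policy
	}

	if egressBlock := specBlock.GetBlock("egress"); egressBlock.IsNotNil() {
		policy.Spec.Egress.Metadata = egressBlock.GetMetadata()
		policy.Spec.Egress.Ports = adaptPorts(egressBlock)
		// Each "to" peer contributes its ip_block.cidr as a destination. A peer
		// without an ip_block (e.g. a pod or namespace selector) still yields the
		// "" default attributed to the peer block — presumably GetBlock/GetAttribute
		// are nil-safe in defsec; confirm.
		for _, to := range egressBlock.GetBlocks("to") {
			cidrAttr := to.GetBlock("ip_block").GetAttribute("cidr")
			policy.Spec.Egress.DestinationCIDRs = append(policy.Spec.Egress.DestinationCIDRs, cidrAttr.AsStringValueOrDefault("", to))
		}
	}

	if ingressBlock := specBlock.GetBlock("ingress"); ingressBlock.IsNotNil() {
		policy.Spec.Ingress.Metadata = ingressBlock.GetMetadata()
		policy.Spec.Ingress.Ports = adaptPorts(ingressBlock)
		// Mirror of the egress "to" handling: each "from" peer contributes its
		// ip_block.cidr as a source, with the same "" default for peers that have
		// no ip_block.
		for _, from := range ingressBlock.GetBlocks("from") {
			cidrAttr := from.GetBlock("ip_block").GetAttribute("cidr")
			policy.Spec.Ingress.SourceCIDRs = append(policy.Spec.Ingress.SourceCIDRs, cidrAttr.AsStringValueOrDefault("", from))
		}
	}

	return policy
}

// adaptPorts maps the "ports" sub-blocks of an egress or ingress rule block.
// Missing "number"/"protocol" attributes become the "" default attributed to
// the port block. Returns nil when the rule declares no ports.
func adaptPorts(ruleBlock *terraform.Block) []kubernetes.Port {
	var ports []kubernetes.Port
	for _, port := range ruleBlock.GetBlocks("ports") {
		ports = append(ports, kubernetes.Port{
			Metadata: port.GetMetadata(),
			Number:   port.GetAttribute("number").AsStringValueOrDefault("", port),
			Protocol: port.GetAttribute("protocol").AsStringValueOrDefault("", port),
		})
	}
	return ports
}

// getBlocksIgnoreVersion returns the module's blocks of the given block type
// (e.g. "resource") whose type label is resourceType either exactly or with a
// provider version suffix, so that kubernetes_network_policy and
// kubernetes_network_policy_v1 are both picked up. Matching only the
// unversioned name would leave versioned resources unscanned.
//
// https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/guides/versioned-resources
func getBlocksIgnoreVersion(module *terraform.Module, blockType string, resourceType string) terraform.Blocks {
	var res terraform.Blocks
	for _, block := range module.GetBlocks().OfType(blockType) {
		if isMatchingTypeLabel(block.TypeLabel(), resourceType) {
			res = append(res, block)
		}
	}
	return res
}

// isMatchingTypeLabel reports whether typeLabel is resourceType itself or
// resourceType followed by "_" and a version suffix accepted by versionRegex
// ("_v1", "_v1beta1", ...). Any other suffix, including an empty one after
// the underscore, does not match.
func isMatchingTypeLabel(typeLabel string, resourceType string) bool {
	if typeLabel == resourceType {
		return true
	}

	versionPart, found := strings.CutPrefix(typeLabel, resourceType+"_")
	if !found {
		return false
	}

	return versionRegex.MatchString(versionPart)
}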