
     1  package msk
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/msk"
     5  	"github.com/khulnasoft-lab/defsec/pkg/scanners/cloudformation/parser"
     6  	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
     7  )
     8  
// getClusters adapts every AWS::MSK::Cluster resource in ctx into an msk.Cluster.
//
// Each cluster is first populated with defaults anchored at the resource's own
// metadata — client/broker encryption "TLS", at-rest encryption disabled with an
// empty KMS key ARN, and every broker log sink (S3, CloudWatch, Firehose)
// disabled — and is then overridden by whatever EncryptionInfo and LoggingInfo
// properties the template declares. Overrides carry the metadata of the property
// they were read from, so findings point at the lines that set the value.
//
// NOTE(review): when EncryptionInfo.EncryptionAtRest is absent the cluster is
// reported with at-rest encryption disabled, while the mere presence of that
// block (even without DataVolumeKMSKeyId) reports it enabled — confirm this
// matches the service's implicit default so templates relying on it are not
// misclassified.
func getClusters(ctx parser.FileContext) (clusters []msk.Cluster) {
	for _, res := range ctx.GetResourcesByType("AWS::MSK::Cluster") {
		meta := res.Metadata()

		// Defaults, all attributed to the cluster resource itself.
		inTransit := msk.EncryptionInTransit{
			Metadata:     meta,
			ClientBroker: defsecTypes.StringDefault("TLS", meta),
		}
		atRest := msk.EncryptionAtRest{
			Metadata:  meta,
			KMSKeyARN: defsecTypes.StringDefault("", meta),
			Enabled:   defsecTypes.BoolDefault(false, meta),
		}
		logging := msk.Logging{
			Metadata: meta,
			Broker: msk.BrokerLogging{
				Metadata:   meta,
				S3:         msk.S3Logging{Metadata: meta, Enabled: defsecTypes.BoolDefault(false, meta)},
				Cloudwatch: msk.CloudwatchLogging{Metadata: meta, Enabled: defsecTypes.BoolDefault(false, meta)},
				Firehose:   msk.FirehoseLogging{Metadata: meta, Enabled: defsecTypes.BoolDefault(false, meta)},
			},
		}

		// EncryptionInfo.EncryptionInTransit: ClientBroker falls back to "TLS"
		// when the block exists but omits the key.
		if transitProp := res.GetProperty("EncryptionInfo.EncryptionInTransit"); transitProp.IsNotNil() {
			inTransit = msk.EncryptionInTransit{
				Metadata:     transitProp.Metadata(),
				ClientBroker: transitProp.GetStringProperty("ClientBroker", "TLS"),
			}
		}

		// EncryptionInfo.EncryptionAtRest: presence of the block alone marks
		// at-rest encryption as enabled; the KMS key ARN may still be empty.
		if atRestProp := res.GetProperty("EncryptionInfo.EncryptionAtRest"); atRestProp.IsNotNil() {
			atRestMeta := atRestProp.Metadata()
			atRest = msk.EncryptionAtRest{
				Metadata:  atRestMeta,
				KMSKeyARN: atRestProp.GetStringProperty("DataVolumeKMSKeyId", ""),
				Enabled:   defsecTypes.BoolDefault(true, atRestMeta),
			}
		}

		// LoggingInfo.BrokerLogs.{S3,CloudWatchLogs,Firehose}: each sink that is
		// declared contributes its own metadata and Enabled flag (default false).
		if loggingProp := res.GetProperty("LoggingInfo"); loggingProp.IsNotNil() {
			logging.Metadata = loggingProp.Metadata()
			brokerProp := loggingProp.GetProperty("BrokerLogs")
			if brokerProp.IsNotNil() {
				broker := &logging.Broker
				broker.Metadata = brokerProp.Metadata()
				if s3 := brokerProp.GetProperty("S3"); s3.IsNotNil() {
					broker.S3.Metadata = s3.Metadata()
					broker.S3.Enabled = s3.GetBoolProperty("Enabled", false)
				}
				if cw := brokerProp.GetProperty("CloudWatchLogs"); cw.IsNotNil() {
					broker.Cloudwatch.Metadata = cw.Metadata()
					broker.Cloudwatch.Enabled = cw.GetBoolProperty("Enabled", false)
				}
				if fh := brokerProp.GetProperty("Firehose"); fh.IsNotNil() {
					broker.Firehose.Metadata = fh.Metadata()
					broker.Firehose.Enabled = fh.GetBoolProperty("Enabled", false)
				}
			}
		}

		clusters = append(clusters, msk.Cluster{
			Metadata:            meta,
			EncryptionInTransit: inTransit,
			EncryptionAtRest:    atRest,
			Logging:             logging,
		})
	}
	return clusters
}