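package rds

import (
	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/rds"
	"github.com/khulnasoft-lab/defsec/pkg/scanners/cloudformation/parser"
	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
)

// getClusters adapts every AWS::RDS::DBCluster resource in the parsed template
// into an rds.Cluster, keyed by the resource's logical ID.
//
// A property is only copied into the model when the parser resolved it to a
// concrete value of the expected type (IsString / IsInt / IsBool). Anything
// left unresolved — typically a !Ref to a template parameter or to an
// AWS::KMS::Key resource — keeps the conservative default set below: storage
// not encrypted, empty KMS key IDs, Performance Insights off, not publicly
// accessible, one day of backups. Rules evaluated against this model therefore
// err on the side of flagging such clusters rather than silently passing them;
// keep that in mind when triaging findings for templates that wire these
// settings through parameters.
//
// Property names follow the AWS::RDS::DBCluster schema. Where an earlier
// version of this adapter used the AWS::RDS::DBInstance spelling of a property
// (SourceDBInstanceIdentifier, EnablePerformanceInsights,
// PerformanceInsightsKMSKeyId), that spelling is still consulted as a fallback
// so templates previously matched keep the same result; the cluster-schema
// name always wins when both are present.
func getClusters(ctx parser.FileContext) (clusters map[string]rds.Cluster) {
	clusters = make(map[string]rds.Cluster)
	for _, clusterResource := range ctx.GetResourcesByType("AWS::RDS::DBCluster") {
		meta := clusterResource.Metadata()
		cluster := rds.Cluster{
			Metadata: meta,
			// One day is the AWS default when BackupRetentionPeriod is omitted.
			BackupRetentionPeriodDays: defsecTypes.IntDefault(1, meta),
			ReplicationSourceARN:      defsecTypes.StringDefault("", meta),
			PerformanceInsights: rds.PerformanceInsights{
				Metadata: meta,
				Enabled:  defsecTypes.BoolDefault(false, meta),
				KMSKeyID: defsecTypes.StringDefault("", meta),
			},
			// NOTE(review): member instances are not linked here. If an
			// instance adapter in this package fills Instances from
			// AWS::RDS::DBInstance.DBClusterIdentifier, confirm it runs after
			// this function; otherwise instance-level findings are never
			// attributed to their cluster.
			Instances: nil,
			Encryption: rds.Encryption{
				Metadata:       meta,
				EncryptStorage: defsecTypes.BoolDefault(false, meta),
				KMSKeyID:       defsecTypes.StringDefault("", meta),
			},
			PublicAccess:         defsecTypes.BoolDefault(false, meta),
			Engine:               defsecTypes.StringDefault(rds.EngineAurora, meta),
			LatestRestorableTime: defsecTypes.TimeUnresolvable(meta),
		}

		if engineProp := clusterResource.GetProperty("Engine"); engineProp.IsString() {
			cluster.Engine = engineProp.AsStringValue()
		}

		if backupProp := clusterResource.GetProperty("BackupRetentionPeriod"); backupProp.IsInt() {
			cluster.BackupRetentionPeriodDays = backupProp.AsIntValue()
		}

		// The read-replica source of a DB cluster is ReplicationSourceIdentifier
		// (an ARN); SourceDBInstanceIdentifier is the DBInstance property and is
		// only kept as a legacy fallback.
		if replicaProp := clusterResource.GetProperty("ReplicationSourceIdentifier"); replicaProp.IsString() {
			cluster.ReplicationSourceARN = replicaProp.AsStringValue()
		} else if legacyReplicaProp := clusterResource.GetProperty("SourceDBInstanceIdentifier"); legacyReplicaProp.IsString() {
			cluster.ReplicationSourceARN = legacyReplicaProp.AsStringValue()
		}

		// DB clusters spell these PerformanceInsightsEnabled and
		// PerformanceInsightsKmsKeyId; the DBInstance spellings are legacy
		// fallbacks. CloudFormation property names are case-sensitive, so the
		// KmsKeyId/KMSKeyId difference matters.
		if piProp := clusterResource.GetProperty("PerformanceInsightsEnabled"); piProp.IsBool() {
			cluster.PerformanceInsights.Enabled = piProp.AsBoolValue()
		} else if legacyPIProp := clusterResource.GetProperty("EnablePerformanceInsights"); legacyPIProp.IsBool() {
			cluster.PerformanceInsights.Enabled = legacyPIProp.AsBoolValue()
		}

		if insightsKeyProp := clusterResource.GetProperty("PerformanceInsightsKmsKeyId"); insightsKeyProp.IsString() {
			cluster.PerformanceInsights.KMSKeyID = insightsKeyProp.AsStringValue()
		} else if legacyInsightsKeyProp := clusterResource.GetProperty("PerformanceInsightsKMSKeyId"); legacyInsightsKeyProp.IsString() {
			cluster.PerformanceInsights.KMSKeyID = legacyInsightsKeyProp.AsStringValue()
		}

		if encryptedProp := clusterResource.GetProperty("StorageEncrypted"); encryptedProp.IsBool() {
			cluster.Encryption.EncryptStorage = encryptedProp.AsBoolValue()
		}

		// A KmsKeyId given as !Ref/!GetAtt to a key resource only lands here if
		// the parser resolved it to a string; otherwise KMSKeyID stays "" and
		// rules may report the cluster as using the AWS-managed default key.
		if keyProp := clusterResource.GetProperty("KmsKeyId"); keyProp.IsString() {
			cluster.Encryption.KMSKeyID = keyProp.AsStringValue()
		}

		// PubliclyAccessible is honoured by Multi-AZ DB clusters; Aurora
		// clusters do not expose it and keep the default of false. Without this
		// lookup a publicly reachable Multi-AZ cluster was modelled as private.
		if publicProp := clusterResource.GetProperty("PubliclyAccessible"); publicProp.IsBool() {
			cluster.PublicAccess = publicProp.AsBoolValue()
		}

		clusters[clusterResource.ID()] = cluster
	}
	return clusters
}

// getClassic collects the EC2-Classic era RDS resources in the template. Only
// DB security groups are modelled; the adapter records their presence, which
// is what a "classic DB security group still in use" rule needs.
func getClassic(ctx parser.FileContext) rds.Classic {
	return rds.Classic{
		DBSecurityGroups: getClassicSecurityGroups(ctx),
	}
}

// getClassicSecurityGroups returns one rds.DBSecurityGroup per
// AWS::RDS::DBSecurityGroup resource in the template. Only the resource's
// metadata (for locating the finding) is captured; the group's ingress rules
// are not adapted here. Returns nil when the template declares none.
func getClassicSecurityGroups(ctx parser.FileContext) (groups []rds.DBSecurityGroup) {
	resources := ctx.GetResourcesByType("AWS::RDS::DBSecurityGroup")
	for _, dbsgResource := range resources {
		groups = append(groups, rds.DBSecurityGroup{
			Metadata: dbsgResource.Metadata(),
		})
	}
	return groups
}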