github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/internal/adapters/cloudformation/aws/rds/instance.go

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/internal/adapters/cloudformation/aws/rds/instance.go (about)

     1  package rds
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/rds"
     5  	"github.com/khulnasoft-lab/defsec/pkg/scanners/cloudformation/parser"
     6  	"github.com/khulnasoft-lab/defsec/pkg/types"
     7  )
     8  
     9  func getClustersAndInstances(ctx parser.FileContext) (clusters []rds.Cluster, orphans []rds.Instance) {
    10  
    11  	clusterMap := getClusters(ctx)
    12  
    13  	for _, r := range ctx.GetResourcesByType("AWS::RDS::DBInstance") {
    14  
    15  		instance := rds.Instance{
    16  			Metadata:                  r.Metadata(),
    17  			BackupRetentionPeriodDays: r.GetIntProperty("BackupRetentionPeriod", 1),
    18  			ReplicationSourceARN:      r.GetStringProperty("SourceDBInstanceIdentifier"),
    19  			PerformanceInsights: rds.PerformanceInsights{
    20  				Metadata: r.Metadata(),
    21  				Enabled:  r.GetBoolProperty("EnablePerformanceInsights"),
    22  				KMSKeyID: r.GetStringProperty("PerformanceInsightsKMSKeyId"),
    23  			},
    24  			Encryption: rds.Encryption{
    25  				Metadata:       r.Metadata(),
    26  				EncryptStorage: r.GetBoolProperty("StorageEncrypted"),
    27  				KMSKeyID:       r.GetStringProperty("KmsKeyId"),
    28  			},
    29  			PublicAccess:                     r.GetBoolProperty("PubliclyAccessible", true),
    30  			Engine:                           r.GetStringProperty("Engine"),
    31  			IAMAuthEnabled:                   r.GetBoolProperty("EnableIAMDatabaseAuthentication"),
    32  			DeletionProtection:               r.GetBoolProperty("DeletionProtection", false),
    33  			DBInstanceArn:                    r.GetStringProperty("DBInstanceArn"),
    34  			StorageEncrypted:                 r.GetBoolProperty("StorageEncrypted", false),
    35  			DBInstanceIdentifier:             r.GetStringProperty("DBInstanceIdentifier"),
    36  			DBParameterGroups:                getDBParameterGroups(ctx, r),
    37  			TagList:                          getTagList(r),
    38  			EnabledCloudwatchLogsExports:     getEnabledCloudwatchLogsExports(r),
    39  			EngineVersion:                    r.GetStringProperty("EngineVersion"),
    40  			AutoMinorVersionUpgrade:          r.GetBoolProperty("AutoMinorVersionUpgrade"),
    41  			MultiAZ:                          r.GetBoolProperty("MultiAZ"),
    42  			PubliclyAccessible:               r.GetBoolProperty("PubliclyAccessible"),
    43  			LatestRestorableTime:             types.TimeUnresolvable(r.Metadata()),
    44  			ReadReplicaDBInstanceIdentifiers: getReadReplicaDBInstanceIdentifiers(r),
    45  		}
    46  
    47  		if clusterID := r.GetProperty("DBClusterIdentifier"); clusterID.IsString() {
    48  			var found bool
    49  			for key, cluster := range clusterMap {
    50  				if key == clusterID.AsString() {
    51  					cluster.Instances = append(cluster.Instances, rds.ClusterInstance{
    52  						Instance:          instance,
    53  						ClusterIdentifier: clusterID.AsStringValue(),
    54  					})
    55  					clusterMap[key] = cluster
    56  					found = true
    57  					break
    58  				}
    59  			}
    60  			if found {
    61  				continue
    62  			}
    63  		}
    64  
    65  		orphans = append(orphans, instance)
    66  	}
    67  
    68  	for _, cluster := range clusterMap {
    69  		clusters = append(clusters, cluster)
    70  	}
    71  
    72  	return clusters, orphans
    73  }
    74  
    75  func getDBParameterGroups(ctx parser.FileContext, r *parser.Resource) (dbParameterGroup []rds.DBParameterGroupsList) {
    76  
    77  	for _, r := range ctx.GetResourcesByType("DBParameterGroups") {
    78  		dbpmgl := rds.DBParameterGroupsList{
    79  			Metadata:             r.Metadata(),
    80  			DBParameterGroupName: r.GetStringProperty("DBParameterGroupName"),
    81  			KMSKeyID:             types.StringUnresolvable(r.Metadata()),
    82  		}
    83  		dbParameterGroup = append(dbParameterGroup, dbpmgl)
    84  	}
    85  
    86  	return dbParameterGroup
    87  }
    88  
    89  func getEnabledCloudwatchLogsExports(r *parser.Resource) (enabledcloudwatchlogexportslist []types.StringValue) {
    90  	enabledCloudwatchLogExportList := r.GetProperty("EnableCloudwatchLogsExports")
    91  
    92  	if enabledCloudwatchLogExportList.IsNil() || enabledCloudwatchLogExportList.IsNotList() {
    93  		return enabledcloudwatchlogexportslist
    94  	}
    95  
    96  	for _, ecle := range enabledCloudwatchLogExportList.AsList() {
    97  		enabledcloudwatchlogexportslist = append(enabledcloudwatchlogexportslist, ecle.AsStringValue())
    98  	}
    99  	return enabledcloudwatchlogexportslist
   100  }
   101  
   102  func getTagList(r *parser.Resource) (taglist []rds.TagList) {
   103  	tagLists := r.GetProperty("tags")
   104  
   105  	if tagLists.IsNil() || tagLists.IsNotList() {
   106  		return taglist
   107  	}
   108  
   109  	for _, tl := range tagLists.AsList() {
   110  		taglist = append(taglist, rds.TagList{
   111  			Metadata: tl.Metadata(),
   112  		})
   113  	}
   114  	return taglist
   115  }
   116  
   117  func getReadReplicaDBInstanceIdentifiers(r *parser.Resource) (readreplicadbidentifier []types.StringValue) {
   118  	readReplicaDBIdentifier := r.GetProperty("EnableCloudwatchLogsExports")
   119  
   120  	if readReplicaDBIdentifier.IsNil() || readReplicaDBIdentifier.IsNotList() {
   121  		return readreplicadbidentifier
   122  	}
   123  
   124  	for _, rr := range readReplicaDBIdentifier.AsList() {
   125  		readreplicadbidentifier = append(readreplicadbidentifier, rr.AsStringValue())
   126  	}
   127  	return readreplicadbidentifier
   128  }