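package ec2

import (
	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/ec2"
	"github.com/khulnasoft-lab/defsec/pkg/terraform"
	"github.com/khulnasoft-lab/defsec/pkg/types"
)

// Adapt builds the EC2 model from the given Terraform modules by running
// the per-resource adapters for instances, VPCs, security groups, subnets,
// network ACLs, launch configurations, launch templates and volumes.
//
// The security group and network ACL adapters are seeded with the child
// resource ID maps for aws_security_group_rule and aws_network_acl_rule
// respectively, which those adapters use to resolve standalone rule
// resources.
func Adapt(modules terraform.Modules) ec2.EC2 {
	naclAdapter := naclAdapter{naclRuleIDs: modules.GetChildResourceIDMapByType("aws_network_acl_rule")}
	sgAdapter := sgAdapter{sgRuleIDs: modules.GetChildResourceIDMapByType("aws_security_group_rule")}

	return ec2.EC2{
		Instances:            getInstances(modules),
		VPCs:                 adaptVPCs(modules),
		SecurityGroups:       sgAdapter.adaptSecurityGroups(modules),
		Subnets:              adaptSubnets(modules),
		NetworkACLs:          naclAdapter.adaptNetworkACLs(modules),
		LaunchConfigurations: adaptLaunchConfigurations(modules),
		LaunchTemplates:      adaptLaunchTemplates(modules),
		Volumes:              adaptVolumes(modules),
	}
}

// getInstances adapts every aws_instance resource into an ec2.Instance.
//
// For each instance it records the metadata options, the user_data string,
// the root block device and every ebs_block_device block. A device's
// Encrypted value defaults to false unless its block sets encrypted. If any
// aws_ebs_encryption_by_default resource in the modules has enabled not
// equal to false, the root and all EBS devices of every instance are then
// reported as encrypted, carrying that resource's metadata. SecurityGroups
// is left nil here; it is not populated by this adapter.
func getInstances(modules terraform.Modules) []ec2.Instance {
	var instances []ec2.Instance

	// The encryption-by-default resources do not depend on the instance,
	// so look them up once instead of re-querying the modules per instance.
	encryptionDefaults := modules.GetResourcesByType("aws_ebs_encryption_by_default")

	for _, b := range modules.GetResourcesByType("aws_instance") {
		instance := ec2.Instance{
			Metadata:        b.GetMetadata(),
			MetadataOptions: getMetadataOptions(b),
			UserData:        b.GetAttribute("user_data").AsStringValueOrDefault("", b),
			SecurityGroups:  nil,
			// Placeholder root device: unencrypted, attributed to the
			// instance block, until an explicit root_block_device is seen.
			RootBlockDevice: &ec2.BlockDevice{
				Metadata:  b.GetMetadata(),
				Encrypted: types.BoolDefault(false, b.GetMetadata()),
			},
			EBSBlockDevices: nil,
		}

		if rootBlockDevice := b.GetBlock("root_block_device"); rootBlockDevice.IsNotNil() {
			instance.RootBlockDevice.Metadata = rootBlockDevice.GetMetadata()
			// The default's metadata is taken from the instance block (b),
			// not the nested block — kept as in the original adapter.
			instance.RootBlockDevice.Encrypted = rootBlockDevice.GetAttribute("encrypted").AsBoolValueOrDefault(false, b)
		}

		for _, ebsBlock := range b.GetBlocks("ebs_block_device") {
			instance.EBSBlockDevices = append(instance.EBSBlockDevices, &ec2.BlockDevice{
				Metadata:  ebsBlock.GetMetadata(),
				Encrypted: ebsBlock.GetAttribute("encrypted").AsBoolValueOrDefault(false, b),
			})
		}

		// Encryption by default overrides the per-device values above.
		// NOTE(review): NotEqual(false) is presumably also true when
		// `enabled` is absent (matching the AWS default of enabled) — confirm
		// against Attribute.NotEqual. The resources are matched without
		// regard to provider alias or region, so a default-encryption
		// resource for one region is applied to instances in every region;
		// confirm this is the intended model.
		for _, resource := range encryptionDefaults {
			if resource.GetAttribute("enabled").NotEqual(false) {
				instance.RootBlockDevice.Encrypted = types.BoolDefault(true, resource.GetMetadata())
				// Elements are pointers, so assigning through the range
				// variable updates the device stored in the slice.
				for _, ebs := range instance.EBSBlockDevices {
					ebs.Encrypted = types.BoolDefault(true, resource.GetMetadata())
				}
			}
		}

		instances = append(instances, instance)
	}

	return instances
}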