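// github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/internal/adapters/terraform/aws/ec2/autoscaling.go

package ec2

import (
	"encoding/base64"

	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"

	"github.com/khulnasoft-lab/defsec/pkg/terraform"

	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/ec2"
)

// adaptLaunchTemplates builds an ec2.LaunchTemplate for every
// aws_launch_template resource in modules. Only the metadata options and the
// user data are populated; security groups and block devices are left nil.
//
// The aws_launch_template provider schema defines user_data as a
// base64-encoded string, so a literal value is decoded before being stored.
// Downstream checks that inspect UserData therefore see the plain text, as
// they already do for user_data_base64 on launch configurations. A value that
// is not a literal string, or that does not decode, is kept exactly as written.
func adaptLaunchTemplates(modules terraform.Modules) (templates []ec2.LaunchTemplate) {
	for _, b := range modules.GetResourcesByType("aws_launch_template") {
		userDataAttr := b.GetAttribute("user_data")
		userData := userDataAttr.AsStringValueOrDefault("", b)
		if userDataAttr.IsString() {
			if decoded, err := base64.StdEncoding.DecodeString(userDataAttr.Value().AsString()); err == nil {
				userData = defsecTypes.String(string(decoded), userDataAttr.GetMetadata())
			}
		}

		templates = append(templates, ec2.LaunchTemplate{
			Metadata: b.GetMetadata(),
			Instance: ec2.Instance{
				Metadata:        b.GetMetadata(),
				MetadataOptions: getMetadataOptions(b),
				UserData:        userData,
				SecurityGroups:  nil,
				RootBlockDevice: nil,
				EBSBlockDevices: nil,
			},
		})
	}

	return templates
}

// adaptLaunchConfigurations builds an ec2.LaunchConfiguration for every
// aws_launch_configuration resource in modules.
//
// When the same module declares an aws_ebs_encryption_by_default resource
// whose enabled attribute is not false, the root block device and every EBS
// block device of each launch configuration in that module are marked as
// encrypted, regardless of what the device blocks themselves declare.
func adaptLaunchConfigurations(modules terraform.Modules) []ec2.LaunchConfiguration {
	var launchConfigurations []ec2.LaunchConfiguration

	for _, module := range modules {
		// Look the account-level default up once per module instead of once
		// per launch configuration; the result does not depend on the resource.
		encryptionDefaults := module.GetResourcesByType("aws_ebs_encryption_by_default")

		for _, resource := range module.GetResourcesByType("aws_launch_configuration") {
			launchConfig := adaptLaunchConfiguration(resource)

			for _, encryptionDefault := range encryptionDefaults {
				if !encryptionDefault.GetAttribute("enabled").NotEqual(false) {
					continue
				}
				launchConfig.RootBlockDevice.Encrypted = defsecTypes.BoolDefault(true, encryptionDefault.GetMetadata())
				// EBSBlockDevices holds pointers, so assigning through the
				// range variable updates the device in place.
				for _, ebs := range launchConfig.EBSBlockDevices {
					ebs.Encrypted = defsecTypes.BoolDefault(true, encryptionDefault.GetMetadata())
				}
			}

			launchConfigurations = append(launchConfigurations, launchConfig)
		}
	}

	return launchConfigurations
}

// adaptLaunchConfiguration converts a single aws_launch_configuration block
// into an ec2.LaunchConfiguration.
//
// The root block device and each ebs_block_device default to unencrypted
// unless their encrypted attribute says otherwise. User data is taken from
// user_data when that attribute is present; otherwise a literal
// user_data_base64 is decoded. A user_data_base64 value that fails to decode
// is ignored and UserData keeps its empty default, so callers cannot tell
// "absent" from "undecodable".
func adaptLaunchConfiguration(resource *terraform.Block) ec2.LaunchConfiguration {
	launchConfig := ec2.LaunchConfiguration{
		Metadata:          resource.GetMetadata(),
		Name:              defsecTypes.StringDefault("", resource.GetMetadata()),
		AssociatePublicIP: resource.GetAttribute("associate_public_ip_address").AsBoolValueOrDefault(false, resource),
		RootBlockDevice: &ec2.BlockDevice{
			Metadata:  resource.GetMetadata(),
			Encrypted: defsecTypes.BoolDefault(false, resource.GetMetadata()),
		},
		EBSBlockDevices: nil,
		MetadataOptions: getMetadataOptions(resource),
		UserData:        defsecTypes.StringDefault("", resource.GetMetadata()),
	}

	if resource.TypeLabel() == "aws_launch_configuration" {
		launchConfig.Name = resource.GetAttribute("name").AsStringValueOrDefault("", resource)
	}

	if rootBlockDevice := resource.GetBlock("root_block_device"); rootBlockDevice.IsNotNil() {
		launchConfig.RootBlockDevice.Metadata = rootBlockDevice.GetMetadata()
		launchConfig.RootBlockDevice.Encrypted = rootBlockDevice.GetAttribute("encrypted").AsBoolValueOrDefault(false, rootBlockDevice)
	}

	for _, ebsBlock := range resource.GetBlocks("ebs_block_device") {
		launchConfig.EBSBlockDevices = append(launchConfig.EBSBlockDevices, &ec2.BlockDevice{
			Metadata:  ebsBlock.GetMetadata(),
			Encrypted: ebsBlock.GetAttribute("encrypted").AsBoolValueOrDefault(false, ebsBlock),
		})
	}

	if userDataAttr := resource.GetAttribute("user_data"); userDataAttr.IsNotNil() {
		launchConfig.UserData = userDataAttr.AsStringValueOrDefault("", resource)
	} else if userDataBase64Attr := resource.GetAttribute("user_data_base64"); userDataBase64Attr.IsString() {
		// Decoding exposes the plain-text user data to downstream checks; a
		// malformed value leaves the default in place rather than failing
		// the whole adaptation.
		if decoded, err := base64.StdEncoding.DecodeString(userDataBase64Attr.Value().AsString()); err == nil {
			launchConfig.UserData = defsecTypes.String(string(decoded), userDataBase64Attr.GetMetadata())
		}
	}

	return launchConfig
}

// getMetadataOptions reads the metadata_options block of b into an
// ec2.MetadataOptions. When the block is absent, HttpTokens and HttpEndpoint
// are empty defaults attached to b's own metadata; when it is present, both
// values and the metadata come from the nested block instead.
func getMetadataOptions(b *terraform.Block) ec2.MetadataOptions {
	options := ec2.MetadataOptions{
		Metadata:     b.GetMetadata(),
		HttpTokens:   defsecTypes.StringDefault("", b.GetMetadata()),
		HttpEndpoint: defsecTypes.StringDefault("", b.GetMetadata()),
	}

	if metadataOptions := b.GetBlock("metadata_options"); metadataOptions.IsNotNil() {
		options.Metadata = metadataOptions.GetMetadata()
		options.HttpTokens = metadataOptions.GetAttribute("http_tokens").AsStringValueOrDefault("", metadataOptions)
		options.HttpEndpoint = metadataOptions.GetAttribute("http_endpoint").AsStringValueOrDefault("", metadataOptions)
	}

	return options
}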