
     1  package ecr
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/adapters/terraform/aws/iam"
     5  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/ecr"
     6  	iamp "github.com/khulnasoft-lab/defsec/pkg/providers/aws/iam"
     7  	"github.com/khulnasoft-lab/defsec/pkg/terraform"
     8  	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
     9  	"github.com/liamg/iamgo"
    10  )
    11  
// Adapt builds the ECR provider model from the parsed Terraform modules.
// Only the Repositories field is populated here; everything else about a
// repository (scanning, tag mutability, policies, encryption) is filled in
// per resource by adaptRepositories.
func Adapt(modules terraform.Modules) ecr.ECR {
	var result ecr.ECR
	result.Repositories = adaptRepositories(modules)
	return result
}
    17  
// adaptRepositories visits every module and converts each aws_ecr_repository
// resource it declares into an ecr.Repository. Resources are processed in
// module order, then in the order GetResourcesByType returns them. The result
// is a nil slice when no repository is declared anywhere.
func adaptRepositories(modules terraform.Modules) []ecr.Repository {
	var out []ecr.Repository
	for i := range modules {
		mod := modules[i]
		resources := mod.GetResourcesByType("aws_ecr_repository")
		for _, res := range resources {
			out = append(out, adaptRepository(res, mod, modules))
		}
	}
	return out
}
    27  
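// adaptRepository converts one aws_ecr_repository resource into the provider
// model consumed by the ECR checks.
//
// resource is the aws_ecr_repository block. module is the module that declares
// it and is used to resolve aws_ecr_repository_policy resources and aws_kms_key
// references declared alongside it. modules is the full module set, which the
// IAM helper needs when converting an aws_iam_policy_document data source.
//
// Every field starts from a default bound to the resource's own metadata, so a
// finding always has a source location even when the attribute or nested block
// is absent. The defaults are the un-hardened values (scan on push off, tags
// mutable, AES256 with no customer key), so an omitted setting is reported the
// same way as one explicitly set to that value.
func adaptRepository(resource *terraform.Block, module *terraform.Module, modules terraform.Modules) ecr.Repository {
	return ecr.Repository{
		Metadata:           resource.GetMetadata(),
		ImageScanning:      adaptRepoImageScanning(resource),
		ImageTagsImmutable: adaptRepoTagMutability(resource),
		Policies:           adaptRepoPolicies(resource, module, modules),
		Encryption:         adaptRepoEncryption(resource, module),
	}
}

// adaptRepoImageScanning reads the optional image_scanning_configuration block.
// When the block is present its metadata replaces the resource's, so a finding
// points at the block; when it is absent scan_on_push is reported as false.
func adaptRepoImageScanning(resource *terraform.Block) ecr.ImageScanning {
	scanning := ecr.ImageScanning{
		Metadata:   resource.GetMetadata(),
		ScanOnPush: defsecTypes.BoolDefault(false, resource.GetMetadata()),
	}
	if block := resource.GetBlock("image_scanning_configuration"); block.IsNotNil() {
		scanning.Metadata = block.GetMetadata()
		scanning.ScanOnPush = block.GetAttribute("scan_on_push").AsBoolValueOrDefault(false, block)
	}
	return scanning
}

// adaptRepoTagMutability maps image_tag_mutability to a boolean. Only the two
// literals IMMUTABLE and MUTABLE are recognised, compared as written; any other
// value, an unresolvable expression, or an unset attribute keeps the default
// of false attached to the resource's metadata.
func adaptRepoTagMutability(resource *terraform.Block) defsecTypes.BoolValue {
	attr := resource.GetAttribute("image_tag_mutability")
	switch {
	case attr.Equals("IMMUTABLE"):
		return defsecTypes.Bool(true, attr.GetMetadata())
	case attr.Equals("MUTABLE"):
		return defsecTypes.Bool(false, attr.GetMetadata())
	default:
		return defsecTypes.BoolDefault(false, resource.GetMetadata())
	}
}

// adaptRepoPolicies collects the IAM policy of every aws_ecr_repository_policy
// in module whose repository attribute references resource. The policy
// attribute is accepted in two forms: a reference to an aws_iam_policy_document
// data source (looked up by block ID and converted), or an inline JSON string
// (parsed with iamgo). Returns nil when no policy could be adapted.
//
// NOTE(review): a policy that fails to resolve or parse is skipped silently,
// which means the checks that read repo.Policies (for example anything looking
// for public principals) never see it — this path fails open rather than
// raising a finding. Keep that in mind when adding strict checks.
func adaptRepoPolicies(resource *terraform.Block, module *terraform.Module, modules terraform.Modules) []iamp.Policy {
	var policies []iamp.Policy

	for _, policyRes := range module.GetReferencingResources(resource, "aws_ecr_repository_policy", "repository") {
		policyAttr := policyRes.GetAttribute("policy")
		if !policyAttr.IsString() {
			continue
		}
		raw := policyAttr.Value().AsString()

		dataBlock, lookupErr := module.GetBlockByID(raw)
		if lookupErr != nil {
			// Not a block ID: treat the value as an inline JSON policy document.
			parsed, parseErr := iamgo.ParseString(raw)
			if parseErr != nil {
				continue
			}
			policies = append(policies, iamp.Policy{
				Metadata: policyRes.GetMetadata(),
				Name:     defsecTypes.StringDefault("", policyRes.GetMetadata()),
				Document: iamp.Document{
					Parsed:   *parsed,
					Metadata: policyAttr.GetMetadata(),
				},
				Builtin: defsecTypes.Bool(false, policyRes.GetMetadata()),
			})
			continue
		}

		// A resolved block is only usable if it is an aws_iam_policy_document
		// data source; any other block type is ignored.
		if dataBlock.Type() != "data" || dataBlock.TypeLabel() != "aws_iam_policy_document" {
			continue
		}
		doc, convErr := iam.ConvertTerraformDocument(modules, dataBlock)
		if convErr != nil {
			continue
		}
		policies = append(policies, iamp.Policy{
			Metadata: policyRes.GetMetadata(),
			Name:     defsecTypes.StringDefault("", policyRes.GetMetadata()),
			Document: iamp.Document{
				Parsed:   doc.Document,
				Metadata: doc.Source.GetMetadata(),
				// The document lives in a data block, not in the policy resource;
				// IsOffset tells consumers the metadata points elsewhere.
				IsOffset: true,
			},
			Builtin: defsecTypes.Bool(false, policyRes.GetMetadata()),
		})
	}

	return policies
}

// adaptRepoEncryption reads the optional encryption_configuration block.
// Without it the repository is reported as Type "AES256" with an empty
// KMSKeyID, both bound to the resource's metadata.
//
// When kms_key references an aws_kms_key declared in module, KMSKeyID is set
// to that key block's full name (with the key block's metadata) rather than
// the raw attribute value, so checks can correlate the repository with the key
// resource. If the reference cannot be resolved, the raw attribute value is
// kept instead.
func adaptRepoEncryption(resource *terraform.Block, module *terraform.Module) ecr.Encryption {
	enc := ecr.Encryption{
		Metadata: resource.GetMetadata(),
		Type:     defsecTypes.StringDefault("AES256", resource.GetMetadata()),
		KMSKeyID: defsecTypes.StringDefault("", resource.GetMetadata()),
	}

	block := resource.GetBlock("encryption_configuration")
	if block.IsNil() {
		return enc
	}

	enc.Metadata = block.GetMetadata()
	enc.Type = block.GetAttribute("encryption_type").AsStringValueOrDefault("AES256", block)

	kmsKeyAttr := block.GetAttribute("kms_key")
	enc.KMSKeyID = kmsKeyAttr.AsStringValueOrDefault("", block)
	if kmsKeyAttr.IsResourceBlockReference("aws_kms_key") {
		if keyBlock, err := module.GetReferencedBlock(kmsKeyAttr, block); err == nil {
			enc.KMSKeyID = defsecTypes.String(keyBlock.FullName(), keyBlock.GetMetadata())
		}
	}

	return enc
}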