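package eks

import (
	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/eks"
	"github.com/khulnasoft-lab/defsec/pkg/terraform"
	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
)

// Adapt converts every aws_eks_cluster resource found in modules into the
// provider-neutral eks.EKS model that the EKS rules evaluate.
func Adapt(modules terraform.Modules) eks.EKS {
	return eks.EKS{
		Clusters: adaptClusters(modules),
	}
}

// adaptClusters walks all modules and adapts each aws_eks_cluster block.
// It returns a nil slice when no cluster resources are present.
func adaptClusters(modules terraform.Modules) []eks.Cluster {
	var clusters []eks.Cluster
	for _, module := range modules {
		for _, resource := range module.GetResourcesByType("aws_eks_cluster") {
			clusters = append(clusters, adaptCluster(resource))
		}
	}
	return clusters
}

// adaptCluster maps a single aws_eks_cluster block onto eks.Cluster.
//
// The initial values mirror what AWS applies when an attribute is omitted,
// so rules see the effective configuration rather than a zero value:
//   - no control-plane log types are enabled;
//   - secrets envelope encryption is off and no KMS key is set;
//   - the API endpoint is publicly reachable.
//
// PublicAccessCIDRs is left nil when the resource has no vpc_config block;
// see adaptVPCConfig for how it is populated otherwise.
func adaptCluster(resource *terraform.Block) eks.Cluster {
	// GetMetadata returns a value; read it once instead of on every field.
	meta := resource.GetMetadata()

	cluster := eks.Cluster{
		Metadata: meta,
		Logging: eks.Logging{
			Metadata:          meta,
			API:               defsecTypes.BoolDefault(false, meta),
			Audit:             defsecTypes.BoolDefault(false, meta),
			Authenticator:     defsecTypes.BoolDefault(false, meta),
			ControllerManager: defsecTypes.BoolDefault(false, meta),
			Scheduler:         defsecTypes.BoolDefault(false, meta),
		},
		Encryption: eks.Encryption{
			Metadata: meta,
			Secrets:  defsecTypes.BoolDefault(false, meta),
			KMSKeyID: defsecTypes.StringDefault("", meta),
		},
		PublicAccessEnabled: defsecTypes.BoolDefault(true, meta),
		PublicAccessCIDRs:   nil,
	}

	adaptLogging(resource, &cluster.Logging)
	adaptEncryption(resource, &cluster.Encryption)
	adaptVPCConfig(resource, &cluster)

	return cluster
}

// adaptLogging enables the control-plane log types listed in
// enabled_cluster_log_types. Entries outside the known set are ignored.
func adaptLogging(resource *terraform.Block, logging *eks.Logging) {
	logTypesAttr := resource.GetAttribute("enabled_cluster_log_types")
	if logTypesAttr.IsNil() {
		return
	}

	// Point the logging metadata at the attribute so findings highlight
	// the list itself rather than the whole resource.
	attrMeta := logTypesAttr.GetMetadata()
	logging.Metadata = attrMeta

	for _, logType := range logTypesAttr.AsStringValues() {
		switch logType.Value() {
		case "api":
			logging.API = defsecTypes.Bool(true, attrMeta)
		case "audit":
			logging.Audit = defsecTypes.Bool(true, attrMeta)
		case "authenticator":
			logging.Authenticator = defsecTypes.Bool(true, attrMeta)
		case "controllerManager":
			logging.ControllerManager = defsecTypes.Bool(true, attrMeta)
		case "scheduler":
			logging.Scheduler = defsecTypes.Bool(true, attrMeta)
		}
	}
}

// adaptEncryption reads the optional encryption_config block: secrets
// encryption is on only when "secrets" appears in resources, and the KMS
// key comes from provider.key_arn when that nested block is present.
func adaptEncryption(resource *terraform.Block, enc *eks.Encryption) {
	encryptBlock := resource.GetBlock("encryption_config")
	if encryptBlock.IsNil() {
		return
	}
	enc.Metadata = encryptBlock.GetMetadata()

	resourcesAttr := encryptBlock.GetAttribute("resources")
	if resourcesAttr.Contains("secrets") {
		enc.Secrets = defsecTypes.Bool(true, resourcesAttr.GetMetadata())
	}

	if providerBlock := encryptBlock.GetBlock("provider"); providerBlock.IsNotNil() {
		keyArnAttr := providerBlock.GetAttribute("key_arn")
		enc.KMSKeyID = keyArnAttr.AsStringValueOrDefault("", providerBlock)
	}
}

// adaptVPCConfig reads the optional vpc_config block for the public
// endpoint toggle and its allowed CIDRs. When no public_access_cidrs are
// given, the effective AWS default of 0.0.0.0/0 is recorded so that rules
// evaluate the world-open endpoint rather than an empty allow-list.
func adaptVPCConfig(resource *terraform.Block, cluster *eks.Cluster) {
	vpcBlock := resource.GetBlock("vpc_config")
	if vpcBlock.IsNil() {
		return
	}

	publicAccessAttr := vpcBlock.GetAttribute("endpoint_public_access")
	cluster.PublicAccessEnabled = publicAccessAttr.AsBoolValueOrDefault(true, vpcBlock)

	cidrList := vpcBlock.GetAttribute("public_access_cidrs").AsStringValues()
	if len(cidrList) == 0 {
		cluster.PublicAccessCIDRs = append(cluster.PublicAccessCIDRs,
			defsecTypes.StringDefault("0.0.0.0/0", vpcBlock.GetMetadata()))
		return
	}
	cluster.PublicAccessCIDRs = append(cluster.PublicAccessCIDRs, cidrList...)
}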