
     1  package elasticsearch
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/elasticsearch"
     5  	"github.com/khulnasoft-lab/defsec/pkg/terraform"
     6  	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
     7  )
     8  
// Adapt builds the Elasticsearch section of the AWS model from the supplied
// Terraform modules. Only aws_elasticsearch_domain resources contribute; the
// returned value holds one Domain per such resource (nil when there are none).
func Adapt(modules terraform.Modules) elasticsearch.Elasticsearch {
	var result elasticsearch.Elasticsearch
	result.Domains = adaptDomains(modules)
	return result
}
    14  
// adaptDomains walks every module and converts each aws_elasticsearch_domain
// resource block into a Domain, preserving module and declaration order.
// The result is a nil slice when no domain is declared anywhere.
func adaptDomains(modules terraform.Modules) []elasticsearch.Domain {
	var out []elasticsearch.Domain
	for _, mod := range modules {
		resources := mod.GetResourcesByType("aws_elasticsearch_domain")
		for _, res := range resources {
			d := adaptDomain(res)
			out = append(out, d)
		}
	}
	return out
}
    24  
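// adaptDomain maps a single aws_elasticsearch_domain resource block onto the
// elasticsearch.Domain model.
//
// Every field starts from a default that carries the resource's metadata, so a
// finding raised on a setting the configuration never mentions still points at
// the domain resource. The nested blocks (log_publishing_options,
// node_to_node_encryption, cluster_config, encrypt_at_rest,
// domain_endpoint_options) then override those defaults where present. The
// default-source block handed to the *OrDefault helpers is always the block the
// attribute belongs to, so a defaulted value is attributed to the nearest
// enclosing block rather than the whole resource (previously the
// cloudwatch_log_group_arn and kms_key_id lookups passed the outer resource).
//
// NOTE(review): DedicatedMasterEnabled and ServiceSoftwareOptions.UpdateAvailable
// use defsecTypes.Bool while the other booleans use defsecTypes.BoolDefault —
// presumably deliberate, but the distinction was not changed here; confirm.
func adaptDomain(resource *terraform.Block) elasticsearch.Domain {
	meta := resource.GetMetadata()
	domain := elasticsearch.Domain{
		Metadata:               meta,
		DomainName:             defsecTypes.StringDefault("", meta),
		AccessPolicies:         resource.GetAttribute("access_policies").AsStringValueOrDefault("", resource),
		VpcId:                  resource.GetAttribute("vpc_options.0.vpc_id").AsStringValueOrDefault("", resource),
		DedicatedMasterEnabled: defsecTypes.Bool(false, meta),
		LogPublishing: elasticsearch.LogPublishing{
			Metadata:              meta,
			AuditEnabled:          defsecTypes.BoolDefault(false, meta),
			CloudWatchLogGroupArn: defsecTypes.String("", meta),
		},
		TransitEncryption: elasticsearch.TransitEncryption{
			Metadata: meta,
			Enabled:  defsecTypes.BoolDefault(false, meta),
		},
		AtRestEncryption: elasticsearch.AtRestEncryption{
			Metadata: meta,
			Enabled:  defsecTypes.BoolDefault(false, meta),
			KmsKeyId: defsecTypes.String("", meta),
		},
		Endpoint: elasticsearch.Endpoint{
			Metadata: meta,
			// With no domain_endpoint_options block at all the domain is
			// modelled as not enforcing HTTPS and having no TLS policy.
			EnforceHTTPS: defsecTypes.BoolDefault(false, meta),
			TLSPolicy:    defsecTypes.StringDefault("", meta),
		},
		ServiceSoftwareOptions: elasticsearch.ServiceSoftwareOptions{
			Metadata:        meta,
			CurrentVersion:  defsecTypes.String("", meta),
			NewVersion:      defsecTypes.String("", meta),
			UpdateAvailable: defsecTypes.Bool(false, meta),
			UpdateStatus:    defsecTypes.String("", meta),
		},
	}

	domain.DomainName = resource.GetAttribute("domain_name").AsStringValueOrDefault("", resource)

	// Only the AUDIT_LOGS block decides AuditEnabled, but Metadata and
	// CloudWatchLogGroupArn are taken from every log_publishing_options block
	// in turn, so when several blocks are declared the last one wins for those
	// two fields even if it is not the audit block. That ordering is kept as
	// the original behaviour; readers of CloudWatchLogGroupArn should be aware
	// it is not necessarily the audit log group.
	for _, logOptionsBlock := range resource.GetBlocks("log_publishing_options") {
		domain.LogPublishing.Metadata = logOptionsBlock.GetMetadata()
		domain.LogPublishing.CloudWatchLogGroupArn = logOptionsBlock.GetAttribute("cloudwatch_log_group_arn").AsStringValueOrDefault("", logOptionsBlock)
		// An omitted "enabled" counts as true here — presumably mirroring the
		// provider's attribute default for this block; confirm against the
		// provider version in use.
		enabledVal := logOptionsBlock.GetAttribute("enabled").AsBoolValueOrDefault(true, logOptionsBlock)
		if logOptionsBlock.GetAttribute("log_type").Equals("AUDIT_LOGS") {
			domain.LogPublishing.AuditEnabled = enabledVal
		}
	}

	// node_to_node_encryption: an omitted "enabled" inside the block is
	// treated as disabled.
	if transitEncryptBlock := resource.GetBlock("node_to_node_encryption"); transitEncryptBlock.IsNotNil() {
		domain.TransitEncryption.Metadata = transitEncryptBlock.GetMetadata()
		domain.TransitEncryption.Enabled = transitEncryptBlock.GetAttribute("enabled").AsBoolValueOrDefault(false, transitEncryptBlock)
	}

	if clusterConfigBlock := resource.GetBlock("cluster_config"); clusterConfigBlock.IsNotNil() {
		domain.DedicatedMasterEnabled = clusterConfigBlock.GetAttribute("dedicated_master_enabled").AsBoolValueOrDefault(false, clusterConfigBlock)
	}

	// encrypt_at_rest: "enabled" defaults to false inside the block; kms_key_id
	// is only meaningful when encryption is on and is attributed to this block
	// when absent.
	if atRestEncryptBlock := resource.GetBlock("encrypt_at_rest"); atRestEncryptBlock.IsNotNil() {
		domain.AtRestEncryption.Metadata = atRestEncryptBlock.GetMetadata()
		domain.AtRestEncryption.Enabled = atRestEncryptBlock.GetAttribute("enabled").AsBoolValueOrDefault(false, atRestEncryptBlock)
		domain.AtRestEncryption.KmsKeyId = atRestEncryptBlock.GetAttribute("kms_key_id").AsStringValueOrDefault("", atRestEncryptBlock)
	}

	// domain_endpoint_options: note the asymmetry with the struct default
	// above — once the block exists, an omitted enforce_https counts as true,
	// whereas a missing block counts as false. Presumably this mirrors the
	// provider's in-block attribute default; confirm against the provider
	// version in use.
	if endpointBlock := resource.GetBlock("domain_endpoint_options"); endpointBlock.IsNotNil() {
		domain.Endpoint.Metadata = endpointBlock.GetMetadata()
		domain.Endpoint.EnforceHTTPS = endpointBlock.GetAttribute("enforce_https").AsBoolValueOrDefault(true, endpointBlock)
		tlsPolicyAttr := endpointBlock.GetAttribute("tls_security_policy")
		domain.Endpoint.TLSPolicy = tlsPolicyAttr.AsStringValueOrDefault("", endpointBlock)
	}

	return domain
}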