github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/internal/adapters/terraform/aws/iam/passwords.go (about)

     1  package iam
     2  
     3  import (
     4  	"math"
     5  
     6  	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
     7  
     8  	"github.com/khulnasoft-lab/defsec/pkg/terraform"
     9  
    10  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/iam"
    11  )
    12  
// adaptPasswordPolicy builds the iam.PasswordPolicy model from the Terraform
// resources of type aws_iam_account_password_policy found in modules.
//
// Every field starts at the weakest value this adapter can express: no
// character-class requirement, a reuse-prevention count of 0, a minimum length
// of 0 and a maximum age of math.MaxInt. A setting that is absent from the
// configuration is therefore modelled as "not enforced", never as compliant.
//
// When no policy resource exists, the returned policy carries unmanaged
// metadata. When at least one exists, only the first is read and any further
// resources of that type are ignored.
func adaptPasswordPolicy(modules terraform.Modules) iam.PasswordPolicy {
	unmanaged := defsecTypes.NewUnmanagedMetadata

	policy := iam.PasswordPolicy{
		Metadata:             unmanaged(),
		ReusePreventionCount: defsecTypes.IntDefault(0, unmanaged()),
		RequireLowercase:     defsecTypes.BoolDefault(false, unmanaged()),
		RequireUppercase:     defsecTypes.BoolDefault(false, unmanaged()),
		RequireNumbers:       defsecTypes.BoolDefault(false, unmanaged()),
		RequireSymbols:       defsecTypes.BoolDefault(false, unmanaged()),
		MaxAgeDays:           defsecTypes.IntDefault(math.MaxInt, unmanaged()),
		MinimumLength:        defsecTypes.IntDefault(0, unmanaged()),
	}

	resources := modules.GetResourcesByType("aws_iam_account_password_policy")
	if len(resources) == 0 {
		return policy
	}

	// AWS permits one account password policy, so only the first block is used.
	block := resources[0]
	policy.Metadata = block.GetMetadata()

	// boolField returns the explicit value of a boolean attribute, or a false
	// default attributed to the policy block when the attribute is not set.
	boolField := func(name string) defsecTypes.BoolValue {
		attr := block.GetAttribute(name)
		if attr.IsNotNil() {
			return defsecTypes.BoolExplicit(attr.IsTrue(), attr.GetMetadata())
		}
		return defsecTypes.BoolDefault(false, block.GetMetadata())
	}

	// intField returns the explicit value of a numeric attribute. An attribute
	// for which IsNumber is false is handled like a missing one and yields
	// fallback, so the weak default is reported instead of an unparsed value.
	// NOTE(review): AsNumber presumably yields a float that int() truncates;
	// confirm against terraform.Attribute.
	intField := func(name string, fallback int) defsecTypes.IntValue {
		attr := block.GetAttribute(name)
		if attr.IsNumber() {
			return defsecTypes.IntExplicit(int(attr.AsNumber()), attr.GetMetadata())
		}
		return defsecTypes.IntDefault(fallback, block.GetMetadata())
	}

	policy.RequireLowercase = boolField("require_lowercase_characters")
	policy.RequireUppercase = boolField("require_uppercase_characters")
	policy.RequireNumbers = boolField("require_numbers")
	policy.RequireSymbols = boolField("require_symbols")
	policy.ReusePreventionCount = intField("password_reuse_prevention", 0)
	policy.MaxAgeDays = intField("max_password_age", math.MaxInt)
	policy.MinimumLength = intField("minimum_password_length", 0)

	return policy
}