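package iam

import (
	"math"

	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"

	"github.com/khulnasoft-lab/defsec/pkg/terraform"

	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/iam"
)

// adaptPasswordPolicy builds the IAM password-policy model from the first
// aws_iam_account_password_policy resource found in modules.
//
// When no such resource exists the returned policy carries unmanaged
// metadata and deliberately conservative values: every character-class
// requirement off, minimum length and reuse-prevention count 0, and a max
// age of math.MaxInt (i.e. "never expires"). Downstream checks therefore
// treat an absent policy as the weakest possible one instead of silently
// assuming any account-side default.
//
// The same conservative values are used for attributes that are absent or,
// for the numeric fields, do not resolve to a literal number; in that case
// the value carries the resource block's metadata so findings point at the
// block rather than at a specific attribute.
//
// NOTE(review): provider-side defaults for unset attributes (if any) are not
// modelled here — confirm that is intended for checks that compare against a
// minimum length or reuse count, as a value supplied through an unresolved
// expression will also fall back to 0.
func adaptPasswordPolicy(modules terraform.Modules) iam.PasswordPolicy {

	// Baseline for an account with no managed password policy at all.
	policy := iam.PasswordPolicy{
		Metadata:             defsecTypes.NewUnmanagedMetadata(),
		ReusePreventionCount: defsecTypes.IntDefault(0, defsecTypes.NewUnmanagedMetadata()),
		RequireLowercase:     defsecTypes.BoolDefault(false, defsecTypes.NewUnmanagedMetadata()),
		RequireUppercase:     defsecTypes.BoolDefault(false, defsecTypes.NewUnmanagedMetadata()),
		RequireNumbers:       defsecTypes.BoolDefault(false, defsecTypes.NewUnmanagedMetadata()),
		RequireSymbols:       defsecTypes.BoolDefault(false, defsecTypes.NewUnmanagedMetadata()),
		MaxAgeDays:           defsecTypes.IntDefault(math.MaxInt, defsecTypes.NewUnmanagedMetadata()),
		MinimumLength:        defsecTypes.IntDefault(0, defsecTypes.NewUnmanagedMetadata()),
	}

	passwordPolicies := modules.GetResourcesByType("aws_iam_account_password_policy")
	if len(passwordPolicies) == 0 {
		return policy
	}

	// AWS permits exactly one account password policy, so only the first
	// resource is modelled; any duplicates would fail at apply time anyway.
	policyBlock := passwordPolicies[0]
	policy.Metadata = policyBlock.GetMetadata()

	policy.RequireLowercase = passwordPolicyBool(policyBlock, "require_lowercase_characters")
	policy.RequireUppercase = passwordPolicyBool(policyBlock, "require_uppercase_characters")
	policy.RequireNumbers = passwordPolicyBool(policyBlock, "require_numbers")
	policy.RequireSymbols = passwordPolicyBool(policyBlock, "require_symbols")

	policy.ReusePreventionCount = passwordPolicyInt(policyBlock, "password_reuse_prevention", 0)
	policy.MaxAgeDays = passwordPolicyInt(policyBlock, "max_password_age", math.MaxInt)
	policy.MinimumLength = passwordPolicyInt(policyBlock, "minimum_password_length", 0)

	return policy
}

// passwordPolicyBool reads the boolean attribute name from block.
//
// A present attribute is recorded as explicit — true only when it evaluates
// to true — with the attribute's own metadata. An absent attribute yields a
// default of false attributed to the block, which is the conservative
// reading for every require_* setting.
func passwordPolicyBool(block *terraform.Block, name string) defsecTypes.BoolValue {
	if attr := block.GetAttribute(name); attr.IsNotNil() {
		return defsecTypes.BoolExplicit(attr.IsTrue(), attr.GetMetadata())
	}
	return defsecTypes.BoolDefault(false, block.GetMetadata())
}

// passwordPolicyInt reads the numeric attribute name from block.
//
// Only an attribute that resolves to a number is recorded as explicit; it is
// truncated to int and carries the attribute's metadata. Anything else —
// absent, or not a literal number — yields fallback attributed to the block,
// so callers choose the fallback that is least permissive for that field.
func passwordPolicyInt(block *terraform.Block, name string, fallback int) defsecTypes.IntValue {
	if attr := block.GetAttribute(name); attr.IsNumber() {
		return defsecTypes.IntExplicit(int(attr.AsNumber()), attr.GetMetadata())
	}
	return defsecTypes.IntDefault(fallback, block.GetMetadata())
}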