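package sqs

import (
	"github.com/khulnasoft-lab/defsec/internal/adapters/terraform/aws/iam"
	iamp "github.com/khulnasoft-lab/defsec/pkg/providers/aws/iam"
	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/sqs"
	"github.com/khulnasoft-lab/defsec/pkg/terraform"
	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
	"github.com/liamg/iamgo"

	"github.com/google/uuid"
)

// Adapt builds the SQS model from the parsed Terraform modules.
//
// Every aws_sqs_queue resource becomes a Queue (with its inline policy, if
// any). Each aws_sqs_queue_policy resource is attached to the queue that its
// queue_url attribute references; when that reference cannot be resolved to
// an adapted queue, the policy is kept on a placeholder unmanaged queue so the
// policy document is still evaluated by the rules.
func Adapt(modules terraform.Modules) sqs.SQS {
	return sqs.SQS{
		Queues: (&adapter{
			modules: modules,
			queues:  make(map[string]sqs.Queue),
		}).adaptQueues(),
	}
}

// adapter accumulates queues keyed by the Terraform block ID of the
// aws_sqs_queue resource, or by a fresh UUID for policy-only placeholders.
type adapter struct {
	modules terraform.Modules
	queues  map[string]sqs.Queue
	// order holds the map keys in first-insertion order. Ranging over the
	// map alone would return the queues in a different order on every run,
	// which makes scan output non-reproducible; adaptQueues emits in this
	// order instead.
	order []string
}

// putQueue stores q under key, remembering the key on first insertion so the
// final slice has a stable order. Re-storing an existing key keeps its
// original position.
func (a *adapter) putQueue(key string, q sqs.Queue) {
	if _, seen := a.queues[key]; !seen {
		a.order = append(a.order, key)
	}
	a.queues[key] = q
}

// adaptQueues adapts all queue resources, then attaches every
// aws_sqs_queue_policy to its queue, and returns the queues in a
// deterministic (insertion) order.
func (a *adapter) adaptQueues() []sqs.Queue {
	for _, resource := range a.modules.GetResourcesByType("aws_sqs_queue") {
		a.adaptQueue(resource)
	}

	for _, policyBlock := range a.modules.GetResourcesByType("aws_sqs_queue_policy") {
		policy := iamp.Policy{
			Metadata: policyBlock.GetMetadata(),
			Name:     defsecTypes.StringDefault("", policyBlock.GetMetadata()),
			Document: iamp.Document{
				Metadata: policyBlock.GetMetadata(),
			},
			Builtin: defsecTypes.Bool(false, policyBlock.GetMetadata()),
		}

		if attr := policyBlock.GetAttribute("policy"); attr.IsString() {
			dataBlock, err := a.modules.GetBlockById(attr.Value().AsString())
			if err != nil {
				// The string is not a block ID, so treat it as an inline JSON
				// policy document.
				parsed, err := iamgo.ParseString(attr.Value().AsString())
				if err != nil {
					// NOTE(review): an unparseable document discards the whole
					// policy block, so the referenced queue is evaluated as if it
					// had no resource policy. That is a false-negative risk for
					// policy rules rather than a false positive; left as-is here.
					continue
				}
				policy.Document.Parsed = *parsed
				policy.Document.Metadata = attr.GetMetadata()
			} else if dataBlock.Type() == "data" && dataBlock.TypeLabel() == "aws_iam_policy_document" {
				if doc, err := iam.ConvertTerraformDocument(a.modules, dataBlock); err == nil {
					policy.Document.Parsed = doc.Document
					policy.Document.Metadata = doc.Source.GetMetadata()
					policy.Document.IsOffset = true
				}
			}
		} else if refBlock, err := a.modules.GetReferencedBlock(attr, policyBlock); err == nil {
			// policy = data.aws_iam_policy_document.x.json style reference.
			if refBlock.Type() == "data" && refBlock.TypeLabel() == "aws_iam_policy_document" {
				if doc, err := iam.ConvertTerraformDocument(a.modules, refBlock); err == nil {
					policy.Document.Parsed = doc.Document
					policy.Document.Metadata = doc.Source.GetMetadata()
				}
			}
		}

		// Attach to the queue the queue_url attribute refers to, when it
		// resolves to a queue adapted above.
		if urlAttr := policyBlock.GetAttribute("queue_url"); urlAttr.IsNotNil() {
			if refBlock, err := a.modules.GetReferencedBlock(urlAttr, policyBlock); err == nil {
				if queue, ok := a.queues[refBlock.ID()]; ok {
					queue.Policies = append(queue.Policies, policy)
					a.queues[refBlock.ID()] = queue
					continue
				}
			}
		}

		// No resolvable queue: keep the policy on an unmanaged placeholder so
		// rules that inspect policy documents still see it.
		a.putQueue(uuid.NewString(), sqs.Queue{
			Metadata: defsecTypes.NewUnmanagedMetadata(),
			QueueURL: defsecTypes.StringDefault("", defsecTypes.NewUnmanagedMetadata()),
			Encryption: sqs.Encryption{
				Metadata:          defsecTypes.NewUnmanagedMetadata(),
				ManagedEncryption: defsecTypes.BoolDefault(false, defsecTypes.NewUnmanagedMetadata()),
				KMSKeyID:          defsecTypes.StringDefault("", defsecTypes.NewUnmanagedMetadata()),
			},
			Policies: []iamp.Policy{policy},
		})
	}

	// Emit in insertion order; a nil slice is preserved when nothing was adapted.
	var queues []sqs.Queue
	for _, key := range a.order {
		queues = append(queues, a.queues[key])
	}
	return queues
}

// adaptQueue records one aws_sqs_queue resource: its KMS key, whether
// SQS-managed SSE is enabled, and the inline policy attribute (an inline JSON
// document, a block ID of a data.aws_iam_policy_document, or a reference to
// one). A policy that cannot be parsed or resolved is simply not attached.
func (a *adapter) adaptQueue(resource *terraform.Block) {
	kmsKeyIDAttr := resource.GetAttribute("kms_master_key_id")
	kmsKeyIDVal := kmsKeyIDAttr.AsStringValueOrDefault("", resource)
	managedEncryption := resource.GetAttribute("sqs_managed_sse_enabled")

	var policies []iamp.Policy
	if attr := resource.GetAttribute("policy"); attr.IsString() {
		dataBlock, err := a.modules.GetBlockById(attr.Value().AsString())
		if err != nil {
			// Not a block ID: parse the string as an inline JSON policy. A
			// parse failure leaves the queue without a policy (see Policies).
			if parsed, err := iamgo.ParseString(attr.Value().AsString()); err == nil {
				policies = append(policies, iamp.Policy{
					Metadata: attr.GetMetadata(),
					Name:     defsecTypes.StringDefault("", attr.GetMetadata()),
					Document: iamp.Document{
						Metadata: attr.GetMetadata(),
						Parsed:   *parsed,
					},
					Builtin: defsecTypes.Bool(false, attr.GetMetadata()),
				})
			}
		} else if dataBlock.Type() == "data" && dataBlock.TypeLabel() == "aws_iam_policy_document" {
			if doc, err := iam.ConvertTerraformDocument(a.modules, dataBlock); err == nil {
				policies = append(policies, iamp.Policy{
					Metadata: attr.GetMetadata(),
					Name:     defsecTypes.StringDefault("", attr.GetMetadata()),
					Document: iamp.Document{
						Metadata: doc.Source.GetMetadata(),
						Parsed:   doc.Document,
						IsOffset: true,
						HasRefs:  false,
					},
					Builtin: defsecTypes.Bool(false, attr.GetMetadata()),
				})
			}
		}
	} else if refBlock, err := a.modules.GetReferencedBlock(attr, resource); err == nil {
		if refBlock.Type() == "data" && refBlock.TypeLabel() == "aws_iam_policy_document" {
			if doc, err := iam.ConvertTerraformDocument(a.modules, refBlock); err == nil {
				policies = append(policies, iamp.Policy{
					Metadata: doc.Source.GetMetadata(),
					Name:     defsecTypes.StringDefault("", doc.Source.GetMetadata()),
					Document: iamp.Document{
						Metadata: doc.Source.GetMetadata(),
						Parsed:   doc.Document,
					},
					Builtin: defsecTypes.Bool(false, refBlock.GetMetadata()),
				})
			}
		}
	}

	a.putQueue(resource.ID(), sqs.Queue{
		Metadata: resource.GetMetadata(),
		QueueURL: defsecTypes.StringDefault("", resource.GetMetadata()),
		Encryption: sqs.Encryption{
			Metadata:          resource.GetMetadata(),
			ManagedEncryption: managedEncryption.AsBoolValueOrDefault(false, resource),
			KMSKeyID:          kmsKeyIDVal,
		},
		Policies: policies,
	})
}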