
     1  package compute
     2  
     3  import (
     4  	"encoding/base64"
     5  
     6  	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
     7  
     8  	"github.com/khulnasoft-lab/defsec/pkg/terraform"
     9  
    10  	"github.com/khulnasoft-lab/defsec/pkg/providers/azure/compute"
    11  )
    12  
// Adapt converts the Azure compute resources declared across modules into the
// compute.Compute model consumed by the checks. It is a thin public entry point
// over adaptCompute.
func Adapt(modules terraform.Modules) compute.Compute {
	adapted := adaptCompute(modules)
	return adapted
}
    16  
// adaptCompute walks every module and collects managed disks and Linux/Windows
// virtual machines into a compute.Compute value.
//
// Both the dedicated azurerm_linux_virtual_machine / azurerm_windows_virtual_machine
// resources and the legacy azurerm_virtual_machine resource are handled. A legacy
// VM is classified by which os_profile_*_config child block it declares (Linux
// wins if both are present); one that declares neither is not adapted at all.
// Slices are left nil when no matching resource exists.
func adaptCompute(modules terraform.Modules) compute.Compute {
	var result compute.Compute

	for _, module := range modules {
		for _, linuxVM := range module.GetResourcesByType("azurerm_linux_virtual_machine") {
			result.LinuxVirtualMachines = append(result.LinuxVirtualMachines, adaptLinuxVM(linuxVM))
		}
		for _, windowsVM := range module.GetResourcesByType("azurerm_windows_virtual_machine") {
			result.WindowsVirtualMachines = append(result.WindowsVirtualMachines, adaptWindowsVM(windowsVM))
		}
		for _, legacyVM := range module.GetResourcesByType("azurerm_virtual_machine") {
			switch {
			case legacyVM.HasChild("os_profile_linux_config"):
				result.LinuxVirtualMachines = append(result.LinuxVirtualMachines, adaptLinuxVM(legacyVM))
			case legacyVM.HasChild("os_profile_windows_config"):
				result.WindowsVirtualMachines = append(result.WindowsVirtualMachines, adaptWindowsVM(legacyVM))
			}
		}
		for _, disk := range module.GetResourcesByType("azurerm_managed_disk") {
			result.ManagedDisks = append(result.ManagedDisks, adaptManagedDisk(disk))
		}
	}

	return result
}
    49  
// adaptManagedDisk builds the ManagedDisk model for one azurerm_managed_disk
// resource.
//
// Encryption is reported as enabled unless an encryption_settings block says
// otherwise: when that block is present its metadata replaces the resource
// metadata on the Encryption value, and its "enabled" attribute (defaulting to
// true when absent) becomes the Enabled flag.
func adaptManagedDisk(resource *terraform.Block) compute.ManagedDisk {
	encryption := compute.Encryption{
		Metadata: resource.GetMetadata(),
		// encryption is enabled by default - https://github.com/hashicorp/terraform-provider-azurerm/blob/baf55926fe813011003ee4fb0e8e6134fcfcca87/internal/services/compute/managed_disk_resource.go#L288
		Enabled: defsecTypes.BoolDefault(true, resource.GetMetadata()),
	}

	if settings := resource.GetBlock("encryption_settings"); settings.IsNotNil() {
		// Point findings at the block the user actually wrote, not the whole resource.
		encryption.Metadata = settings.GetMetadata()
		encryption.Enabled = settings.GetAttribute("enabled").AsBoolValueOrDefault(true, settings)
	}

	return compute.ManagedDisk{
		Metadata:   resource.GetMetadata(),
		Encryption: encryption,
	}
}
    70  
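// adaptLinuxVM builds the LinuxVirtualMachine model for either an
// azurerm_linux_virtual_machine resource or a legacy azurerm_virtual_machine
// resource that carries an os_profile_linux_config block.
//
// For the legacy resource, custom_data lives under os_profile and
// disable_password_authentication under os_profile_linux_config; for the
// dedicated resource both are top-level attributes. custom_data is
// base64-decoded when possible so that downstream checks inspect the
// plaintext; a value that is not valid padded base64 is kept verbatim.
//
// When the attribute is absent, DisablePasswordAuthentication defaults to
// true, which matches the azurerm_linux_virtual_machine provider default;
// NOTE(review): on the legacy resource the attribute is presumably required by
// the provider, so the default is not expected to be reached there — confirm.
func adaptLinuxVM(resource *terraform.Block) compute.LinuxVirtualMachine {
	isLegacyVM := resource.TypeLabel() == "azurerm_virtual_machine"

	// Block that holds custom_data.
	profileBlock := resource
	if isLegacyVM {
		if b := resource.GetBlock("os_profile"); b.IsNotNil() {
			profileBlock = b
		}
	}

	customDataVal := defsecTypes.StringDefault("", profileBlock.GetMetadata())
	if customDataAttr := profileBlock.GetAttribute("custom_data"); customDataAttr.IsResolvable() && customDataAttr.IsString() {
		raw := customDataAttr.Value().AsString()
		// custom_data is normally base64-encoded; fall back to the raw text on a
		// decode error so the checks still see what the author wrote. Unpadded
		// base64 is deliberately not attempted: it would mis-decode plain text.
		decoded, err := base64.StdEncoding.DecodeString(raw)
		if err != nil {
			decoded = []byte(raw)
		}
		customDataVal = defsecTypes.String(string(decoded), customDataAttr.GetMetadata())
	}

	// Block that holds disable_password_authentication. Guarded with IsNotNil
	// like the os_profile lookup above so a legacy VM without the child block
	// falls back to the profile block (and the default) instead of handing a
	// nil block to AsBoolValueOrDefault.
	linuxConfigBlock := profileBlock
	if isLegacyVM {
		if b := resource.GetBlock("os_profile_linux_config"); b.IsNotNil() {
			linuxConfigBlock = b
		}
	}
	disablePasswordAuthVal := linuxConfigBlock.GetAttribute("disable_password_authentication").AsBoolValueOrDefault(true, linuxConfigBlock)

	metadata := resource.GetMetadata()
	return compute.LinuxVirtualMachine{
		Metadata: metadata,
		VirtualMachine: compute.VirtualMachine{
			Metadata:   metadata,
			CustomData: customDataVal,
		},
		OSProfileLinuxConfig: compute.OSProfileLinuxConfig{
			Metadata:                      metadata,
			DisablePasswordAuthentication: disablePasswordAuthVal,
		},
	}
}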
   107  
// adaptWindowsVM builds the WindowsVirtualMachine model for either an
// azurerm_windows_virtual_machine resource or a legacy azurerm_virtual_machine
// resource that carries an os_profile_windows_config block.
//
// On the legacy resource custom_data is read from the os_profile block (when
// present); on the dedicated resource it is a top-level attribute. The value is
// base64-decoded when it parses as padded base64 and otherwise kept verbatim,
// so checks operate on the plaintext the author supplied.
func adaptWindowsVM(resource *terraform.Block) compute.WindowsVirtualMachine {
	profileBlock := resource
	if resource.TypeLabel() == "azurerm_virtual_machine" {
		if osProfile := resource.GetBlock("os_profile"); osProfile.IsNotNil() {
			profileBlock = osProfile
		}
	}

	customDataAttr := profileBlock.GetAttribute("custom_data")
	customData := defsecTypes.StringDefault("", profileBlock.GetMetadata())
	if customDataAttr.IsResolvable() && customDataAttr.IsString() {
		var plaintext string
		// Prefer the decoded form; on a decode error keep the raw text so the
		// checks still see something meaningful.
		if decoded, err := base64.StdEncoding.DecodeString(customDataAttr.Value().AsString()); err == nil {
			plaintext = string(decoded)
		} else {
			plaintext = customDataAttr.Value().AsString()
		}
		customData = defsecTypes.String(plaintext, customDataAttr.GetMetadata())
	}

	metadata := resource.GetMetadata()
	return compute.WindowsVirtualMachine{
		Metadata: metadata,
		VirtualMachine: compute.VirtualMachine{
			Metadata:   metadata,
			CustomData: customData,
		},
	}
}