
     1  package container
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/pkg/providers/azure/container"
     5  	"github.com/khulnasoft-lab/defsec/pkg/terraform"
     6  	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
     7  )
     8  
// Adapt builds the provider-neutral container.Container view of the given
// Terraform modules. Only AKS resources (azurerm_kubernetes_cluster) are
// adapted at present; they populate KubernetesClusters.
func Adapt(modules terraform.Modules) container.Container {
	var result container.Container
	result.KubernetesClusters = adaptClusters(modules)
	return result
}
    14  
// adaptClusters walks every module and adapts each azurerm_kubernetes_cluster
// resource it declares. The result is nil when no cluster is defined.
func adaptClusters(modules terraform.Modules) []container.KubernetesCluster {
	var out []container.KubernetesCluster
	for i := range modules {
		found := modules[i].GetResourcesByType("azurerm_kubernetes_cluster")
		for _, res := range found {
			out = append(out, adaptCluster(res))
		}
	}
	return out
}
    25  
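// adaptCluster converts one azurerm_kubernetes_cluster resource into the
// provider-neutral container.KubernetesCluster model.
//
// Every security-relevant field starts from a conservative default (empty
// network policy, private cluster off, no authorized API server IP ranges,
// RBAC and OMS agent disabled), anchored to the resource's metadata so that a
// cluster which omits a setting is still reported with the finding pointing at
// the resource block. Each section is then overridden from the resource when
// the corresponding block or attribute is present.
func adaptCluster(resource *terraform.Block) container.KubernetesCluster {
	cluster := container.KubernetesCluster{
		Metadata: resource.GetMetadata(),
		NetworkProfile: container.NetworkProfile{
			Metadata:      resource.GetMetadata(),
			NetworkPolicy: defsecTypes.StringDefault("", resource.GetMetadata()),
		},
		EnablePrivateCluster:        defsecTypes.BoolDefault(false, resource.GetMetadata()),
		APIServerAuthorizedIPRanges: nil,
		RoleBasedAccessControl: container.RoleBasedAccessControl{
			Metadata: resource.GetMetadata(),
			Enabled:  defsecTypes.BoolDefault(false, resource.GetMetadata()),
		},
		AddonProfile: container.AddonProfile{
			Metadata: resource.GetMetadata(),
			OMSAgent: container.OMSAgent{
				Metadata: resource.GetMetadata(),
				Enabled:  defsecTypes.BoolDefault(false, resource.GetMetadata()),
			},
		},
	}

	adaptNetworkProfile(resource, &cluster)

	// private_cluster_enabled is a plain attribute on the resource; absent means
	// the API server keeps a public endpoint, hence the false default.
	privateClusterEnabledAttr := resource.GetAttribute("private_cluster_enabled")
	cluster.EnablePrivateCluster = privateClusterEnabledAttr.AsBoolValueOrDefault(false, resource)

	adaptAPIServerAccess(resource, &cluster)
	adaptOMSAgent(resource, &cluster)
	adaptRoleBasedAccessControl(resource, &cluster)

	return cluster
}

// adaptNetworkProfile reads network_profile.network_policy into the cluster.
// When the block is absent the "" default set by adaptCluster stands, which
// lets downstream checks distinguish "no policy configured" from a named one.
func adaptNetworkProfile(resource *terraform.Block, cluster *container.KubernetesCluster) {
	networkProfileBlock := resource.GetBlock("network_profile")
	if !networkProfileBlock.IsNotNil() {
		return
	}
	networkPolicyAttr := networkProfileBlock.GetAttribute("network_policy")
	cluster.NetworkProfile.Metadata = networkProfileBlock.GetMetadata()
	cluster.NetworkProfile.NetworkPolicy = networkPolicyAttr.AsStringValueOrDefault("", networkProfileBlock)
}

// adaptAPIServerAccess reads api_server_access_profile.authorized_ip_ranges.
// Without the block APIServerAuthorizedIPRanges stays nil, i.e. no allow-list
// is configured for the API server.
func adaptAPIServerAccess(resource *terraform.Block, cluster *container.KubernetesCluster) {
	apiServerBlock := resource.GetBlock("api_server_access_profile")
	if !apiServerBlock.IsNotNil() {
		return
	}
	authorizedIPRangesAttr := apiServerBlock.GetAttribute("authorized_ip_ranges")
	cluster.APIServerAuthorizedIPRanges = authorizedIPRangesAttr.AsStringValues()
}

// adaptOMSAgent resolves the Azure Monitor (OMS) agent setting. Older provider
// versions nest it as addon_profile { oms_agent { enabled = ... } }; from
// azurerm 2.97.0 the presence of a top-level oms_agent block means the agent
// is enabled. The newer form is evaluated last so it wins when both appear.
func adaptOMSAgent(resource *terraform.Block, cluster *container.KubernetesCluster) {
	addonProfileBlock := resource.GetBlock("addon_profile")
	if addonProfileBlock.IsNotNil() {
		cluster.AddonProfile.Metadata = addonProfileBlock.GetMetadata()
		omsAgentBlock := addonProfileBlock.GetBlock("oms_agent")
		if omsAgentBlock.IsNotNil() {
			cluster.AddonProfile.OMSAgent.Metadata = omsAgentBlock.GetMetadata()
			enabledAttr := omsAgentBlock.GetAttribute("enabled")
			cluster.AddonProfile.OMSAgent.Enabled = enabledAttr.AsBoolValueOrDefault(false, omsAgentBlock)
		}
	}

	// >= azurerm 2.97.0: the block has no enabled flag; its presence is the switch.
	if omsAgentBlock := resource.GetBlock("oms_agent"); omsAgentBlock.IsNotNil() {
		cluster.AddonProfile.OMSAgent.Metadata = omsAgentBlock.GetMetadata()
		cluster.AddonProfile.OMSAgent.Enabled = defsecTypes.Bool(true, omsAgentBlock.GetMetadata())
	}
}

// adaptRoleBasedAccessControl resolves Kubernetes RBAC across three provider
// generations, in this order:
//
//  1. azurerm < 2.99.0: role_based_access_control { enabled = ... } block.
//  2. azurerm >= 2.99.0: role_based_access_control_enabled attribute
//     (overrides 1 when both are present).
//  3. azure_active_directory_role_based_access_control.azure_rbac_enabled,
//     consulted only if steps 1-2 did not already find RBAC enabled, so an
//     enabled cluster is never downgraded by an absent or false AAD setting.
//
// If none of the three is present the BoolDefault(false) from adaptCluster
// stands and the cluster is reported as RBAC-disabled.
// NOTE(review): the provider documents role_based_access_control_enabled as
// defaulting to true when omitted, so this is a deliberately conservative
// reading; confirm it matches the intended behaviour of the RBAC check.
func adaptRoleBasedAccessControl(resource *terraform.Block, cluster *container.KubernetesCluster) {
	// azurerm < 2.99.0
	if resource.HasChild("role_based_access_control") {
		roleBasedAccessControlBlock := resource.GetBlock("role_based_access_control")
		rbEnabledAttr := roleBasedAccessControlBlock.GetAttribute("enabled")
		cluster.RoleBasedAccessControl.Metadata = roleBasedAccessControlBlock.GetMetadata()
		cluster.RoleBasedAccessControl.Enabled = rbEnabledAttr.AsBoolValueOrDefault(false, roleBasedAccessControlBlock)
	}

	// azurerm >= 2.99.0
	if resource.HasChild("role_based_access_control_enabled") {
		roleBasedAccessControlEnabledAttr := resource.GetAttribute("role_based_access_control_enabled")
		cluster.RoleBasedAccessControl.Metadata = roleBasedAccessControlEnabledAttr.GetMetadata()
		cluster.RoleBasedAccessControl.Enabled = roleBasedAccessControlEnabledAttr.AsBoolValueOrDefault(false, resource)
	}

	// Azure AD integration: only fills in RBAC when the steps above left it disabled.
	if resource.HasChild("azure_active_directory_role_based_access_control") {
		azureRoleBasedAccessControl := resource.GetBlock("azure_active_directory_role_based_access_control")
		if azureRoleBasedAccessControl.IsNotNil() {
			enabledAttr := azureRoleBasedAccessControl.GetAttribute("azure_rbac_enabled")
			if !cluster.RoleBasedAccessControl.Enabled.IsTrue() {
				cluster.RoleBasedAccessControl.Metadata = azureRoleBasedAccessControl.GetMetadata()
				cluster.RoleBasedAccessControl.Enabled = enabledAttr.AsBoolValueOrDefault(false, azureRoleBasedAccessControl)
			}
		}
	}
}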