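package keyvault

import (
	"time"

	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"

	"github.com/khulnasoft-lab/defsec/pkg/terraform"

	"github.com/khulnasoft-lab/defsec/pkg/providers/azure/keyvault"
)

// Adapt builds the Azure Key Vault model from the parsed Terraform modules.
//
// Every azurerm_key_vault_secret and azurerm_key_vault_key resource is indexed
// up front so that, once the vaults have claimed the resources that reference
// them, any secret or key whose key_vault_id could not be resolved is still
// surfaced (grouped into a synthetic "orphan" vault) rather than silently
// dropped from the scan. Dropping them would hide per-secret/per-key findings
// such as a missing expiration date.
func Adapt(modules terraform.Modules) keyvault.KeyVault {
	adapter := adapter{
		vaultSecretIDs: modules.GetChildResourceIDMapByType("azurerm_key_vault_secret"),
		vaultKeyIDs:    modules.GetChildResourceIDMapByType("azurerm_key_vault_key"),
	}

	return keyvault.KeyVault{
		Vaults: adapter.adaptVaults(modules),
	}
}

// adapter records which secret and key resources have been attached to a
// vault, so that the remainder can be reported as orphans.
type adapter struct {
	vaultSecretIDs terraform.ResourceIDResolutions
	vaultKeyIDs    terraform.ResourceIDResolutions
}

// adaptVaults adapts every azurerm_key_vault resource in the modules and then
// appends up to two synthetic vaults: one holding orphaned secrets and one
// holding orphaned keys (see newOrphanVault).
func (a *adapter) adaptVaults(modules terraform.Modules) []keyvault.Vault {
	var vaults []keyvault.Vault
	for _, module := range modules {
		for _, resource := range module.GetResourcesByType("azurerm_key_vault") {
			vaults = append(vaults, a.adaptVault(resource, module))
		}
	}

	// Secrets whose key_vault_id did not resolve to a vault seen above.
	if orphanSecrets := modules.GetResourceByIDs(a.vaultSecretIDs.Orphans()...); len(orphanSecrets) > 0 {
		orphanage := newOrphanVault()
		for _, secretResource := range orphanSecrets {
			orphanage.Secrets = append(orphanage.Secrets, adaptSecret(secretResource))
		}
		vaults = append(vaults, orphanage)
	}

	// Keys whose key_vault_id did not resolve to a vault seen above.
	if orphanKeys := modules.GetResourceByIDs(a.vaultKeyIDs.Orphans()...); len(orphanKeys) > 0 {
		orphanage := newOrphanVault()
		for _, keyResource := range orphanKeys {
			orphanage.Keys = append(orphanage.Keys, adaptKey(keyResource))
		}
		vaults = append(vaults, orphanage)
	}

	return vaults
}

// newOrphanVault returns an empty vault with unmanaged metadata, used as a
// container for secrets or keys that cannot be attributed to any
// azurerm_key_vault in the scanned modules. All vault-level settings are
// defaults carrying unmanaged metadata — presumably so the vault-level rules
// (purge protection, soft-delete retention, network ACLs) do not report on a
// vault that is not actually defined here; confirm against the rules if that
// assumption matters.
func newOrphanVault() keyvault.Vault {
	return keyvault.Vault{
		Metadata:                defsecTypes.NewUnmanagedMetadata(),
		Secrets:                 nil,
		Keys:                    nil,
		EnablePurgeProtection:   defsecTypes.BoolDefault(false, defsecTypes.NewUnmanagedMetadata()),
		SoftDeleteRetentionDays: defsecTypes.IntDefault(0, defsecTypes.NewUnmanagedMetadata()),
		NetworkACLs: keyvault.NetworkACLs{
			Metadata:      defsecTypes.NewUnmanagedMetadata(),
			DefaultAction: defsecTypes.StringDefault("", defsecTypes.NewUnmanagedMetadata()),
		},
	}
}

// adaptVault adapts a single azurerm_key_vault resource together with the
// secrets and keys in the same module whose key_vault_id references it.
//
// When an attribute is absent the adapter substitutes: purge protection
// false, soft-delete retention 0 days, and an empty network ACL
// default_action, each attributed to the vault resource. These are the
// conservative (finding-producing) values for scanning rather than the
// provider's own server-side defaults — NOTE(review): confirm that the
// vault-level rules intend an absent attribute to be reported this way.
func (a *adapter) adaptVault(resource *terraform.Block, module *terraform.Module) keyvault.Vault {
	var keys []keyvault.Key
	var secrets []keyvault.Secret

	// Each referencing secret/key is marked resolved so adaptVaults does not
	// later report it as an orphan. Only resources in the same module are
	// considered; cross-module references end up in the orphan vault.
	secretBlocks := module.GetReferencingResources(resource, "azurerm_key_vault_secret", "key_vault_id")
	for _, secretBlock := range secretBlocks {
		a.vaultSecretIDs.Resolve(secretBlock.ID())
		secrets = append(secrets, adaptSecret(secretBlock))
	}

	keyBlocks := module.GetReferencingResources(resource, "azurerm_key_vault_key", "key_vault_id")
	for _, keyBlock := range keyBlocks {
		a.vaultKeyIDs.Resolve(keyBlock.ID())
		keys = append(keys, adaptKey(keyBlock))
	}

	purgeProtectionAttr := resource.GetAttribute("purge_protection_enabled")
	purgeProtectionVal := purgeProtectionAttr.AsBoolValueOrDefault(false, resource)

	softDeleteRetentionDaysAttr := resource.GetAttribute("soft_delete_retention_days")
	softDeleteRetentionDaysVal := softDeleteRetentionDaysAttr.AsIntValueOrDefault(0, resource)

	// Without a network_acls block the default action is left empty and
	// attributed to the vault itself; with one, both the ACL metadata and the
	// default_action are attributed to that block.
	aclMetadata := defsecTypes.NewUnmanagedMetadata()
	defaultActionVal := defsecTypes.StringDefault("", resource.GetMetadata())
	if aclBlock := resource.GetBlock("network_acls"); aclBlock.IsNotNil() {
		aclMetadata = aclBlock.GetMetadata()
		defaultActionAttr := aclBlock.GetAttribute("default_action")
		defaultActionVal = defaultActionAttr.AsStringValueOrDefault("", aclBlock)
	}

	return keyvault.Vault{
		Metadata:                resource.GetMetadata(),
		Secrets:                 secrets,
		Keys:                    keys,
		EnablePurgeProtection:   purgeProtectionVal,
		SoftDeleteRetentionDays: softDeleteRetentionDaysVal,
		NetworkACLs: keyvault.NetworkACLs{
			Metadata:      aclMetadata,
			DefaultAction: defaultActionVal,
		},
	}
}

// adaptSecret adapts an azurerm_key_vault_secret resource. content_type
// defaults to the empty string when absent; expiration_date is handled by
// resolveExpiryDate.
func adaptSecret(resource *terraform.Block) keyvault.Secret {
	contentTypeAttr := resource.GetAttribute("content_type")
	contentTypeVal := contentTypeAttr.AsStringValueOrDefault("", resource)

	return keyvault.Secret{
		Metadata:    resource.GetMetadata(),
		ContentType: contentTypeVal,
		ExpiryDate:  resolveExpiryDate(resource),
	}
}

// adaptKey adapts an azurerm_key_vault_key resource; only its expiration_date
// is modelled (see resolveExpiryDate).
func adaptKey(resource *terraform.Block) keyvault.Key {
	return keyvault.Key{
		Metadata:   resource.GetMetadata(),
		ExpiryDate: resolveExpiryDate(resource),
	}
}

// resolveExpiryDate reads the resource's expiration_date attribute and maps it
// to a time value:
//
//   - attribute absent: the zero time, attributed to the resource — i.e. the
//     secret/key never expires, which is presumably what the expiry rules flag;
//   - string literal that parses as RFC 3339: that instant, attributed to the
//     attribute;
//   - string literal that does not parse: also the zero time. Such a value is
//     expected to be rejected by the provider at plan time, and treating it as
//     "no expiry" is the conservative outcome rather than silently accepting it;
//   - anything else (a reference or expression not known statically): an
//     unresolvable value, so rules can decline to give a verdict either way.
func resolveExpiryDate(resource *terraform.Block) defsecTypes.TimeValue {
	expiryDateAttr := resource.GetAttribute("expiration_date")
	expiryDateVal := defsecTypes.TimeDefault(time.Time{}, resource.GetMetadata())

	if expiryDateAttr.IsString() {
		expiryDateString := expiryDateAttr.Value().AsString()
		if expiryDate, err := time.Parse(time.RFC3339, expiryDateString); err == nil {
			expiryDateVal = defsecTypes.Time(expiryDate, expiryDateAttr.GetMetadata())
		}
	} else if expiryDateAttr.IsNotNil() {
		expiryDateVal = defsecTypes.TimeUnresolvable(expiryDateAttr.GetMetadata())
	}

	return expiryDateVal
}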