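package sql

import (
	"strconv"

	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"

	"github.com/khulnasoft-lab/defsec/pkg/terraform"

	"github.com/khulnasoft-lab/defsec/pkg/providers/google/sql"
)

// Adapt builds the Google Cloud SQL model from every
// google_sql_database_instance resource found in the given Terraform modules.
func Adapt(modules terraform.Modules) sql.SQL {
	return sql.SQL{
		Instances: adaptInstances(modules),
	}
}

// adaptInstances collects one DatabaseInstance per google_sql_database_instance
// resource across all modules. The result is nil when no such resource exists.
func adaptInstances(modules terraform.Modules) []sql.DatabaseInstance {
	var instances []sql.DatabaseInstance
	for _, module := range modules {
		for _, resource := range module.GetResourcesByType("google_sql_database_instance") {
			instances = append(instances, adaptInstance(resource))
		}
	}
	return instances
}

// adaptInstance converts a single google_sql_database_instance resource.
//
// Every field starts from a default that carries the resource's metadata, so a
// check that fires on a missing setting still points at the instance block.
// The settings, backup and IP-configuration metadata are narrowed to their own
// nested blocks when those blocks are present.
func adaptInstance(resource *terraform.Block) sql.DatabaseInstance {
	meta := resource.GetMetadata()

	instance := sql.DatabaseInstance{
		Metadata:        meta,
		DatabaseVersion: resource.GetAttribute("database_version").AsStringValueOrDefault("", resource),
		IsReplica:       defsecTypes.BoolDefault(false, meta),
		Settings: sql.Settings{
			Metadata: meta,
			Flags:    defaultFlags(meta),
			Backups: sql.Backups{
				Metadata: meta,
				Enabled:  defsecTypes.BoolDefault(false, meta),
			},
			IPConfiguration: sql.IPConfiguration{
				Metadata: meta,
				// With no ip_configuration block the instance is modelled as
				// "TLS not required, IPv4 enabled" — presumably mirroring the
				// provider defaults; confirm against the provider schema.
				RequireTLS:         defsecTypes.BoolDefault(false, meta),
				EnableIPv4:         defsecTypes.BoolDefault(true, meta),
				AuthorizedNetworks: nil,
			},
		},
	}

	// A replica is identified solely by the presence of master_instance_name;
	// the attribute's value is not inspected.
	if attr := resource.GetAttribute("master_instance_name"); attr.IsNotNil() {
		instance.IsReplica = defsecTypes.Bool(true, attr.GetMetadata())
	}

	if settingsBlock := resource.GetBlock("settings"); settingsBlock.IsNotNil() {
		instance.Settings.Metadata = settingsBlock.GetMetadata()
		if blocks := settingsBlock.GetBlocks("database_flags"); len(blocks) > 0 {
			adaptFlags(blocks, &instance.Settings.Flags)
		}
		if backupBlock := settingsBlock.GetBlock("backup_configuration"); backupBlock.IsNotNil() {
			instance.Settings.Backups.Metadata = backupBlock.GetMetadata()
			enabledAttr := backupBlock.GetAttribute("enabled")
			instance.Settings.Backups.Enabled = enabledAttr.AsBoolValueOrDefault(false, backupBlock)
		}
		if settingsBlock.HasChild("ip_configuration") {
			instance.Settings.IPConfiguration = adaptIPConfig(settingsBlock.GetBlock("ip_configuration"))
		}
	}
	return instance
}

// defaultFlags returns the Flags an instance has before any database_flags
// block is read. Numeric flags default to -1 (meaning "not set"); the two
// SQL Server flags default to true — presumably so an instance that never
// sets them is still reported by the corresponding check; confirm against
// the checks that consume these fields.
func defaultFlags(meta defsecTypes.Metadata) sql.Flags {
	return sql.Flags{
		Metadata:                        meta,
		LogTempFileSize:                 defsecTypes.IntDefault(-1, meta),
		LocalInFile:                     defsecTypes.BoolDefault(false, meta),
		ContainedDatabaseAuthentication: defsecTypes.BoolDefault(true, meta),
		CrossDBOwnershipChaining:        defsecTypes.BoolDefault(true, meta),
		LogCheckpoints:                  defsecTypes.BoolDefault(false, meta),
		LogConnections:                  defsecTypes.BoolDefault(false, meta),
		LogDisconnections:               defsecTypes.BoolDefault(false, meta),
		LogLockWaits:                    defsecTypes.BoolDefault(false, meta),
		LogMinMessages:                  defsecTypes.StringDefault("", meta),
		LogMinDurationStatement:         defsecTypes.IntDefault(-1, meta),
	}
}

// flagValueAsInt parses a database_flags "value" attribute as an integer.
// It reports false when the attribute is not a string literal or does not
// parse as an integer, so callers keep the default instead of either
// panicking on a non-string value or recording a misleading number.
func flagValueAsInt(attr *terraform.Attribute) (int, bool) {
	if !attr.IsString() {
		return 0, false
	}
	n, err := strconv.Atoi(attr.Value().AsString())
	if err != nil {
		return 0, false
	}
	return n, true
}

// adaptFlags applies each database_flags block to flags. Blocks whose name is
// not a string literal or whose value is missing are skipped; unknown flag
// names are ignored. Boolean flags are considered enabled only when the value
// equals "on" (the comparison appears to be exact — confirm Equals semantics).
// The metadata attached to integer flags is that of the name attribute, to
// the value attribute for the boolean ones, as in the original adapter.
//
// nolint
func adaptFlags(resources terraform.Blocks, flags *sql.Flags) {
	for _, resource := range resources {
		nameAttr := resource.GetAttribute("name")
		valueAttr := resource.GetAttribute("value")

		if !nameAttr.IsString() || valueAttr.IsNil() {
			continue
		}

		switch nameAttr.Value().AsString() {
		case "log_temp_files":
			if n, ok := flagValueAsInt(valueAttr); ok {
				flags.LogTempFileSize = defsecTypes.Int(n, nameAttr.GetMetadata())
			}
		case "log_min_messages":
			flags.LogMinMessages = valueAttr.AsStringValueOrDefault("", resource)
		case "log_min_duration_statement":
			if n, ok := flagValueAsInt(valueAttr); ok {
				flags.LogMinDurationStatement = defsecTypes.Int(n, nameAttr.GetMetadata())
			}
		case "local_infile":
			flags.LocalInFile = defsecTypes.Bool(valueAttr.Equals("on"), valueAttr.GetMetadata())
		case "log_checkpoints":
			flags.LogCheckpoints = defsecTypes.Bool(valueAttr.Equals("on"), valueAttr.GetMetadata())
		case "log_connections":
			flags.LogConnections = defsecTypes.Bool(valueAttr.Equals("on"), valueAttr.GetMetadata())
		case "log_disconnections":
			flags.LogDisconnections = defsecTypes.Bool(valueAttr.Equals("on"), valueAttr.GetMetadata())
		case "log_lock_waits":
			flags.LogLockWaits = defsecTypes.Bool(valueAttr.Equals("on"), valueAttr.GetMetadata())
		// These two flag names are spelled with spaces in Cloud SQL and are
		// matched verbatim.
		case "contained database authentication":
			flags.ContainedDatabaseAuthentication = defsecTypes.Bool(valueAttr.Equals("on"), valueAttr.GetMetadata())
		case "cross db ownership chaining":
			flags.CrossDBOwnershipChaining = defsecTypes.Bool(valueAttr.Equals("on"), valueAttr.GetMetadata())
		}
	}
}

// adaptIPConfig converts an ip_configuration block. require_ssl maps to
// RequireTLS (default false) and ipv4_enabled to EnableIPv4 (default true);
// each authorized_networks block contributes its name and value (CIDR),
// defaulting to "" when an attribute is missing.
func adaptIPConfig(resource *terraform.Block) sql.IPConfiguration {
	var authorizedNetworks []struct {
		Name defsecTypes.StringValue
		CIDR defsecTypes.StringValue
	}

	requireTLS := resource.GetAttribute("require_ssl").AsBoolValueOrDefault(false, resource)
	enableIPv4 := resource.GetAttribute("ipv4_enabled").AsBoolValueOrDefault(true, resource)

	for _, authBlock := range resource.GetBlocks("authorized_networks") {
		authorizedNetworks = append(authorizedNetworks, struct {
			Name defsecTypes.StringValue
			CIDR defsecTypes.StringValue
		}{
			Name: authBlock.GetAttribute("name").AsStringValueOrDefault("", authBlock),
			CIDR: authBlock.GetAttribute("value").AsStringValueOrDefault("", authBlock),
		})
	}

	return sql.IPConfiguration{
		Metadata:           resource.GetMetadata(),
		RequireTLS:         requireTLS,
		EnableIPv4:         enableIPv4,
		AuthorizedNetworks: authorizedNetworks,
	}
}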