
     1  package storage
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/pkg/providers/google/storage"
     5  	"github.com/khulnasoft-lab/defsec/pkg/terraform"
     6  	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
     7  )
     8  
// Adapt builds the storage view of the given Terraform modules: one
// storage.Bucket per google_storage_bucket resource, each with the IAM
// members and bindings that reference it attached.
func Adapt(modules terraform.Modules) storage.Storage {
	a := &adapter{modules: modules}
	buckets := a.adaptBuckets()
	return storage.Storage{Buckets: buckets}
}
    14  
// adapter holds the per-run state needed to attach google_storage_bucket_iam_*
// resources to the google_storage_bucket resources they reference.
type adapter struct {
	// modules is the set of scanned Terraform modules; every resource is read
	// from here.
	modules    terraform.Modules
	// bindings and members are populated by adaptBindings / adaptMembers
	// (defined elsewhere in this package) before any bucket is adapted. Each
	// entry records its originating block ID and the bucket it targets, either
	// by bucket block ID or by literal bucket name.
	bindings   []parentedBinding
	members    []parentedMember
	// bindingMap and memberMap track which IAM blocks have been resolved to a
	// bucket (Resolve is called on every match); whatever remains is reported
	// by Orphans and gathered into a placeholder bucket with unmanaged
	// metadata so checks still see it.
	bindingMap terraform.ResourceIDResolutions
	memberMap  terraform.ResourceIDResolutions
}
    22  
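// adaptBuckets adapts every google_storage_bucket resource in a.modules into a
// storage.Bucket with the IAM members and bindings that reference it attached.
//
// IAM member/binding blocks that could not be matched to any bucket in the
// scanned modules (for example because the bucket is defined outside the scan)
// are not dropped: they are collected into a single placeholder bucket with
// unmanaged metadata, so that checks inspecting bucket IAM can still evaluate
// them.
//
// Side effects on the adapter: bindingMap and memberMap are (re)built here, and
// a.members / a.bindings are populated by adaptMembers / adaptBindings, which
// are defined elsewhere in this package and must run before any bucket is
// adapted.
func (a *adapter) adaptBuckets() []storage.Bucket {

	// Track which IAM blocks get attached to a bucket. adaptBucketResource
	// calls Resolve for every match; Orphans below returns what is left.
	a.bindingMap = a.modules.GetChildResourceIDMapByType("google_storage_bucket_iam_binding", "google_storage_bucket_iam_policy")
	a.memberMap = a.modules.GetChildResourceIDMapByType("google_storage_bucket_iam_member")

	a.adaptMembers()
	a.adaptBindings()

	var buckets []storage.Bucket
	for _, module := range a.modules {
		for _, resource := range module.GetResourcesByType("google_storage_bucket") {
			buckets = append(buckets, a.adaptBucketResource(resource))
		}
	}

	// Index the parented IAM entries by originating block ID so each orphan is
	// a single map lookup instead of a rescan of every entry. Only the first
	// entry per ID is kept, matching a first-match-then-break scan.
	bindingIndex := make(map[string]int, len(a.bindings))
	for i, binding := range a.bindings {
		if _, seen := bindingIndex[binding.blockID]; !seen {
			bindingIndex[binding.blockID] = i
		}
	}
	memberIndex := make(map[string]int, len(a.members))
	for i, member := range a.members {
		if _, seen := memberIndex[member.blockID]; !seen {
			memberIndex[member.blockID] = i
		}
	}

	// Placeholder for IAM blocks whose bucket is outside the scan. It is shaped
	// like a bucket produced by adaptBucketResource — including Encryption — so
	// a check can read any field without special-casing it. Leaving Encryption
	// at its zero value would (presumably, if StringValue is an interface type)
	// leave DefaultKMSKeyName nil; the explicit empty default with unmanaged
	// metadata avoids that.
	orphanage := storage.Bucket{
		Metadata:                       defsecTypes.NewUnmanagedMetadata(),
		Name:                           defsecTypes.StringDefault("", defsecTypes.NewUnmanagedMetadata()),
		Location:                       defsecTypes.StringDefault("", defsecTypes.NewUnmanagedMetadata()),
		EnableUniformBucketLevelAccess: defsecTypes.BoolDefault(false, defsecTypes.NewUnmanagedMetadata()),
		Members:                        nil,
		Bindings:                       nil,
		Encryption: storage.BucketEncryption{
			Metadata:          defsecTypes.NewUnmanagedMetadata(),
			DefaultKMSKeyName: defsecTypes.StringDefault("", defsecTypes.NewUnmanagedMetadata()),
		},
	}
	for _, orphanedBindingID := range a.bindingMap.Orphans() {
		if i, ok := bindingIndex[orphanedBindingID]; ok {
			orphanage.Bindings = append(orphanage.Bindings, a.bindings[i].bindings...)
		}
	}
	for _, orphanedMemberID := range a.memberMap.Orphans() {
		if i, ok := memberIndex[orphanedMemberID]; ok {
			orphanage.Members = append(orphanage.Members, a.members[i].member)
		}
	}
	// Only emit the placeholder when it actually carries something.
	if len(orphanage.Bindings) > 0 || len(orphanage.Members) > 0 {
		buckets = append(buckets, orphanage)
	}

	return buckets
}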
    68  
// adaptBucketResource converts one google_storage_bucket resource block into a
// storage.Bucket. It reads name, location, uniform_bucket_level_access and the
// optional encryption block, then attaches every adapted IAM member and
// binding that points at this bucket — either by the bucket's block ID or, when
// the bucket has a literal name, by that name. Each attached IAM block is
// marked resolved in a.memberMap / a.bindingMap so it is not later reported as
// an orphan.
func (a *adapter) adaptBucketResource(resourceBlock *terraform.Block) storage.Bucket {

	meta := resourceBlock.GetMetadata()
	blockID := resourceBlock.ID()

	nameAttr := resourceBlock.GetAttribute("name")
	locationAttr := resourceBlock.GetAttribute("location")
	// See https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket#uniform_bucket_level_access
	ublaAttr := resourceBlock.GetAttribute("uniform_bucket_level_access")

	// Default: no customer-managed key, attributed to the bucket itself. An
	// explicit encryption block replaces both the metadata and the key name.
	encryption := storage.BucketEncryption{
		Metadata:          meta,
		DefaultKMSKeyName: defsecTypes.StringDefault("", meta),
	}
	if encBlock := resourceBlock.GetBlock("encryption"); encBlock.IsNotNil() {
		encryption = storage.BucketEncryption{
			Metadata:          encBlock.GetMetadata(),
			DefaultKMSKeyName: encBlock.GetAttribute("default_kms_key_name").AsStringValueOrDefault("", encBlock),
		}
	}

	bucket := storage.Bucket{
		Metadata:                       meta,
		Name:                           nameAttr.AsStringValueOrDefault("", resourceBlock),
		Location:                       locationAttr.AsStringValueOrDefault("", resourceBlock),
		EnableUniformBucketLevelAccess: ublaAttr.AsBoolValueOrDefault(false, resourceBlock),
		Members:                        nil,
		Bindings:                       nil,
		Encryption:                     encryption,
	}

	// A literal bucket name lets IAM blocks that reference the bucket by name
	// (rather than via the resource ID) be attached as well.
	var literalName string
	if nameAttr.IsString() {
		literalName = nameAttr.Value().AsString()
	}
	refersToThisBucket := func(bucketBlockID, bucketID string) bool {
		if bucketBlockID == blockID {
			return true
		}
		return literalName != "" && literalName == bucketID
	}

	for _, m := range a.members {
		if refersToThisBucket(m.bucketBlockID, m.bucketID) {
			bucket.Members = append(bucket.Members, m.member)
			a.memberMap.Resolve(m.blockID)
		}
	}
	for _, b := range a.bindings {
		if refersToThisBucket(b.bucketBlockID, b.bucketID) {
			bucket.Bindings = append(bucket.Bindings, b.bindings...)
			a.bindingMap.Resolve(b.blockID)
		}
	}

	return bucket
}