
     1  package ecr
     2  
// terraformNoPublicAccessGoodExamples holds Terraform snippets the
// no-public-access rule is expected to accept. The repository policy's
// "Principal" is a specific account root ARN built from
// data.aws_caller_identity, not a wildcard. Note that the granted Action
// list is still broad (it includes ecr:SetRepositoryPolicy and
// ecr:DeleteRepository); presumably the breadth of actions is outside
// what this rule checks — confirm against the rule implementation.
var terraformNoPublicAccessGoodExamples = []string{
	`
 resource "aws_ecr_repository" "foo" {
   name = "bar"
 }
 
 resource "aws_ecr_repository_policy" "foopolicy" {
   repository = aws_ecr_repository.foo.name
 
   policy = <<EOF
 {
     "Version": "2008-10-17",
     "Statement": [
         {
             "Sid": "new policy",
             "Effect": "Allow",
             "Principal": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
             "Action": [
                 "ecr:GetDownloadUrlForLayer",
                 "ecr:BatchGetImage",
                 "ecr:BatchCheckLayerAvailability",
                 "ecr:PutImage",
                 "ecr:InitiateLayerUpload",
                 "ecr:UploadLayerPart",
                 "ecr:CompleteLayerUpload",
                 "ecr:DescribeRepositories",
                 "ecr:GetRepositoryPolicy",
                 "ecr:ListImages",
                 "ecr:DeleteRepository",
                 "ecr:BatchDeleteImage",
                 "ecr:SetRepositoryPolicy",
                 "ecr:DeleteRepositoryPolicy"
             ]
         }
     ]
 }
 EOF
 }
 `,
}
    43  
// terraformNoPublicAccessBadExamples holds Terraform snippets the
// no-public-access rule is expected to flag. The only difference from the
// good example is the repository policy's "Principal": here it is the
// wildcard "*", which is what makes the (otherwise identical, broadly
// permissive) statement public.
var terraformNoPublicAccessBadExamples = []string{
	`
 resource "aws_ecr_repository" "foo" {
   name = "bar"
 }
 
 resource "aws_ecr_repository_policy" "foopolicy" {
   repository = aws_ecr_repository.foo.name
 
   policy = <<EOF
 {
     "Version": "2008-10-17",
     "Statement": [
         {
             "Sid": "new policy",
             "Effect": "Allow",
             "Principal": "*",
             "Action": [
                 "ecr:GetDownloadUrlForLayer",
                 "ecr:BatchGetImage",
                 "ecr:BatchCheckLayerAvailability",
                 "ecr:PutImage",
                 "ecr:InitiateLayerUpload",
                 "ecr:UploadLayerPart",
                 "ecr:CompleteLayerUpload",
                 "ecr:DescribeRepositories",
                 "ecr:GetRepositoryPolicy",
                 "ecr:ListImages",
                 "ecr:DeleteRepository",
                 "ecr:BatchDeleteImage",
                 "ecr:SetRepositoryPolicy",
                 "ecr:DeleteRepositoryPolicy"
             ]
         }
     ]
 }
 EOF
 }
 `,
}
    84  
// terraformNoPublicAccessLinks lists the reference documentation shown
// alongside the Terraform examples for this rule: the AWS provider docs
// for the ecr_repository_policy "policy" argument.
var terraformNoPublicAccessLinks = []string{
	"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy#policy",
}
    88  
// terraformNoPublicAccessRemediationMarkdown is the Terraform-specific
// remediation text for this rule. None is provided here, so the variable
// is left at the string zero value (empty).
var terraformNoPublicAccessRemediationMarkdown string