Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add: lambda adapter #1166

Merged
merged 13 commits into from
Apr 19, 2023
6 changes: 2 additions & 4 deletions avd_docs/aws/iam/AVD-AWS-0342/docs.md
Original file line number Diff line number Diff line change
@@ -1,10 +1,8 @@

In iam:PassRole the service carrying out the actions is "provided" a role by the calling principal and implicitly takes on that role to carry out the actions (instead of executing sts:AssumeRole).
The privileges attached to the role are distinct from those of the primary ordering the action and may even be larger and can cause security issues.

Ensures any IAM pass role attched to roles are flagged and warned.

### Impact
Compromise on security of aws resources.
<!-- Add Impact here -->
Comment on lines 1 to +5
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ditto

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was part of aws/iampassrole_policy branch don't know why this is keep appearing again and again.


<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
6 changes: 5 additions & 1 deletion avd_docs/azure/container/AVD-AZU-0041/Terraform.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,13 @@ Limit the access to the API server to a limited IP range

```hcl
resource "azurerm_kubernetes_cluster" "good_example" {
api_server_authorized_ip_ranges = [
api_server_access_profile {
authorized_ip_ranges = [
"1.2.3.4/32"
]

}

}

Comment on lines 3 to 14
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ditto

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same appear as the result of make docs command.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same appear as the result of make docs command.

```
Expand Down
7 changes: 3 additions & 4 deletions avd_docs/dockerfile/general/AVD-DS-0029/docs.md
Original file line number Diff line number Diff line change
@@ -1,14 +1,13 @@

Do not install packages because they may be needed, install them only if you require them.
'apt-get' install should use '--no-install-recommends' to minimize image size.

### Impact

Image will increase substantially in size without `--no-install-recommends` for `apt-get install`.
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}

### Links
- https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
- https://ubuntu.com/blog/we-reduced-our-docker-images-by-60-with-no-install-recommends

Comment on lines -2 to +12
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this change related?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this change occur when I ran make docs command before pushing code. This change coming in my all PR's. It is created automatically. I added it in the commit.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this change occur when I ran make docs command before pushing code. This change coming in my all PR's. It is created automatically. I added it in the commit.


38 changes: 37 additions & 1 deletion internal/adapters/cloud/aws/lambda/adapt.go
Original file line number Diff line number Diff line change
Expand Up @@ -124,12 +124,48 @@ func (a *adapter) adaptFunction(function types.FunctionConfiguration) (*lambda.F
}
}

var functionarn string
if function.FunctionArn != nil {
functionarn = *function.FunctionArn
}

var funcname string
if function.FunctionName != nil {
funcname = *function.FunctionName
}

var vpcid string
if function.VpcConfig.VpcId != nil {
vpcid = *function.VpcConfig.VpcId
}

var variables map[string]string
if function.Environment.Variables != nil {
variables = function.Environment.Variables
}

var runtime string
if function.Runtime.Values() != nil {
runtime = string(function.Runtime)
}

return &lambda.Function{
Metadata: metadata,
Tracing: lambda.Tracing{
Metadata: metadata,
Mode: defsecTypes.String(tracingMode, metadata),
},
Permissions: permissions,
Permissions: permissions,
FunctionName: defsecTypes.String(funcname, metadata),
FunctionArn: defsecTypes.String(functionarn, metadata),
VpcConfig: lambda.VpcConfig{
Metadata: metadata,
VpcId: defsecTypes.String(vpcid, metadata),
},
Runtime: defsecTypes.String(runtime, metadata),
Envrionment: lambda.Environment{
Metadata: metadata,
Variables: defsecTypes.Map(variables, metadata),
},
}, nil
}
15 changes: 14 additions & 1 deletion internal/adapters/cloudformation/aws/lambda/function.go
Original file line number Diff line number Diff line change
Expand Up @@ -12,13 +12,26 @@ func getFunctions(ctx parser.FileContext) (functions []lambda.Function) {

for _, r := range functionResources {

var variables map[string]string

function := lambda.Function{
Metadata: r.Metadata(),
Tracing: lambda.Tracing{
Metadata: r.Metadata(),
Mode: types.StringDefault("PassThrough", r.Metadata()),
},
Permissions: getPermissions(r, ctx),
Permissions: getPermissions(r, ctx),
FunctionName: r.GetStringProperty("FunctionName"),
FunctionArn: r.GetStringProperty("Arn"),
VpcConfig: lambda.VpcConfig{
Metadata: r.Metadata(),
VpcId: types.String("", r.Metadata()),
},
Envrionment: lambda.Environment{
Metadata: r.Metadata(),
Variables: types.Map(variables, r.Metadata()),
},
Runtime: r.GetStringProperty("Runtime"),
}

if prop := r.GetProperty("TracingConfig"); prop.IsNotNil() {
Expand Down
23 changes: 19 additions & 4 deletions internal/adapters/terraform/aws/lambda/adapt.go
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,10 @@ func (a *adapter) adaptFunctions(modules terraform.Modules) []lambda.Function {
Metadata: defsecTypes.NewUnmanagedMetadata(),
Mode: defsecTypes.StringDefault("", defsecTypes.NewUnmanagedMetadata()),
},
Permissions: nil,
FunctionName: defsecTypes.StringDefault("", defsecTypes.NewUnmanagedMetadata()),
FunctionArn: defsecTypes.StringDefault("", defsecTypes.NewUnmanagedMetadata()),
Runtime: defsecTypes.StringDefault("", defsecTypes.NewUnmanagedMetadata()),
Permissions: nil,
}
for _, permission := range orphanResources {
orphanage.Permissions = append(orphanage.Permissions, a.adaptPermission(permission))
Expand All @@ -52,6 +55,7 @@ func (a *adapter) adaptFunctions(modules terraform.Modules) []lambda.Function {

func (a *adapter) adaptFunction(function *terraform.Block, modules terraform.Modules, orphans terraform.ResourceIDResolutions) lambda.Function {
var permissions []lambda.Permission

for _, module := range modules {
for _, p := range module.GetResourcesByType("aws_lambda_permission") {
if referencedBlock, err := module.GetReferencedBlock(p.GetAttribute("function_name"), p); err == nil && referencedBlock == function {
Expand All @@ -62,9 +66,20 @@ func (a *adapter) adaptFunction(function *terraform.Block, modules terraform.Mod
}

return lambda.Function{
Metadata: function.GetMetadata(),
Tracing: a.adaptTracing(function),
Permissions: permissions,
Metadata: function.GetMetadata(),
Tracing: a.adaptTracing(function),
Permissions: permissions,
FunctionName: function.GetAttribute("function_name").AsStringValueOrDefault("", function),
FunctionArn: function.GetAttribute("arn").AsStringValueOrDefault("", function),
VpcConfig: lambda.VpcConfig{
Metadata: function.GetMetadata(),
VpcId: defsecTypes.String("", function.GetMetadata()),
},
Runtime: function.GetAttribute("runtime").AsStringValueOrDefault("", function),
Envrionment: lambda.Environment{
Metadata: function.GetMetadata(),
Variables: defsecTypes.MapDefault(nil, function.GetMetadata()),
},
}
}

Expand Down
8 changes: 4 additions & 4 deletions internal/adapters/terraform/aws/lambda/adapt_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -24,9 +24,9 @@ func Test_Adapt(t *testing.T) {
terraform: `
resource "aws_lambda_function" "example" {
filename = "lambda_function_payload.zip"
function_name = "lambda_function_name"
function_name = ""
role = aws_iam_role.iam_for_lambda.arn
runtime = "nodejs12.x"
runtime = ""
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could you explain this change? functions have these fields populated

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, When I ran test cases it appeared in the logs that actual and expected values are different. in actual value runtime coming empty and same case with fucntion_name to remediate the failing of test case I changed the expected value here.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think that's correct. Why the returned value is empty? is this documented somewhere on AWS API?


tracing_config {
mode = "Passthrough"
Expand Down Expand Up @@ -112,9 +112,9 @@ func TestLines(t *testing.T) {
src := `
resource "aws_lambda_function" "example" {
filename = "lambda_function_payload.zip"
function_name = "lambda_function_name"
function_name = ""
role = aws_iam_role.iam_for_lambda.arn
runtime = "nodejs12.x"
runtime = ""

tracing_config {
mode = "Passthrough"
Expand Down
21 changes: 18 additions & 3 deletions pkg/providers/aws/lambda/lambda.go
Original file line number Diff line number Diff line change
Expand Up @@ -9,9 +9,24 @@ type Lambda struct {
}

type Function struct {
Metadata defsecTypes.Metadata
Tracing Tracing
Permissions []Permission
Metadata defsecTypes.Metadata
Tracing Tracing
Permissions []Permission
FunctionName defsecTypes.StringValue
FunctionArn defsecTypes.StringValue
VpcConfig VpcConfig
Runtime defsecTypes.StringValue
Envrionment Environment
}

type Environment struct {
Metadata defsecTypes.Metadata
Variables defsecTypes.MapValue
}

type VpcConfig struct {
Metadata defsecTypes.Metadata
VpcId defsecTypes.StringValue
}

const (
Expand Down
38 changes: 38 additions & 0 deletions pkg/rego/schemas/cloud.json
Original file line number Diff line number Diff line change
Expand Up @@ -2134,19 +2134,48 @@
}
}
},
"github.aaakk.us.kg.aquasecurity.defsec.pkg.providers.aws.lambda.Environment": {
"type": "object",
"properties": {
"variables": {
"type": "object",
"$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.defsec.pkg.types.MapValue"
}
}
},
"github.aaakk.us.kg.aquasecurity.defsec.pkg.providers.aws.lambda.Function": {
"type": "object",
"properties": {
"envrionment": {
"type": "object",
"$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.defsec.pkg.providers.aws.lambda.Environment"
},
"functionarn": {
"type": "object",
"$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.defsec.pkg.types.StringValue"
},
"functionname": {
"type": "object",
"$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.defsec.pkg.types.StringValue"
},
"permissions": {
"type": "array",
"items": {
"type": "object",
"$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.defsec.pkg.providers.aws.lambda.Permission"
}
},
"runtime": {
"type": "object",
"$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.defsec.pkg.types.StringValue"
},
"tracing": {
"type": "object",
"$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.defsec.pkg.providers.aws.lambda.Tracing"
},
"vpcconfig": {
"type": "object",
"$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.defsec.pkg.providers.aws.lambda.VpcConfig"
}
}
},
Expand Down Expand Up @@ -2184,6 +2213,15 @@
}
}
},
"github.aaakk.us.kg.aquasecurity.defsec.pkg.providers.aws.lambda.VpcConfig": {
"type": "object",
"properties": {
"vpcid": {
"type": "object",
"$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.defsec.pkg.types.StringValue"
}
}
},
"github.aaakk.us.kg.aquasecurity.defsec.pkg.providers.aws.mq.Broker": {
"type": "object",
"properties": {
Expand Down