From eb205a0003212bfb8540252753a42524736a0a6b Mon Sep 17 00:00:00 2001
From: int-tt
Date: Fri, 11 Aug 2023 18:08:13 +0900
Subject: [PATCH 1/3] feat(cloud): add availability zone for rds cluster

---
 internal/adapters/cloud/aws/rds/rds.go | 6 ++++++
 internal/adapters/cloudformation/aws/rds/cluster.go | 1 +
 internal/adapters/terraform/aws/rds/adapt.go | 2 ++
 internal/adapters/terraform/aws/rds/adapt_test.go | 6 ++++++
 pkg/providers/aws/rds/rds.go | 1 +
 pkg/rego/schemas/cloud.json | 7 +++++++
 6 files changed, 23 insertions(+)

diff --git a/internal/adapters/cloud/aws/rds/rds.go b/internal/adapters/cloud/aws/rds/rds.go
index 1339caa8e..24266c4ff 100644
--- a/internal/adapters/cloud/aws/rds/rds.go
+++ b/internal/adapters/cloud/aws/rds/rds.go
@@ -248,6 +248,11 @@ func (a *adapter) adaptCluster(dbCluster types.DBCluster) (*rds.Cluster, error)
 engine = *dbCluster.Engine
 }
 
+ var availabilityZones []defsecTypes.StringValue
+ for _, az := range dbCluster.AvailabilityZones {
+ availabilityZones = append(availabilityZones, defsecTypes.String(az, dbClusterMetadata))
+ }
+
 cluster := &rds.Cluster{
 Metadata: dbClusterMetadata,
 BackupRetentionPeriodDays: defsecTypes.IntFromInt32(aws.ToInt32(dbCluster.BackupRetentionPeriod), dbClusterMetadata),
@@ -261,6 +266,7 @@ func (a *adapter) adaptCluster(dbCluster types.DBCluster) (*rds.Cluster, error)
 PublicAccess: defsecTypes.Bool(aws.ToBool(dbCluster.PubliclyAccessible), dbClusterMetadata),
 Engine: defsecTypes.String(engine, dbClusterMetadata),
 LatestRestorableTime: defsecTypes.TimeUnresolvable(dbClusterMetadata),
+ AvailabilityZones: availabilityZones,
 }
 
 return cluster, nil
diff --git a/internal/adapters/cloudformation/aws/rds/cluster.go b/internal/adapters/cloudformation/aws/rds/cluster.go
index 86f6158d8..779fe5c40 100644
--- a/internal/adapters/cloudformation/aws/rds/cluster.go
+++ b/internal/adapters/cloudformation/aws/rds/cluster.go
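Review bot: In the first rds.go hunk `availabilityZones` stays nil when `dbCluster.AvailabilityZones` is empty, while the terraform adapter in this series fills the same field through `AsStringValueSliceOrEmpty`, so the two sources disagree on how "no zones" is represented (nil vs. empty); if the state is serialized to JSON for the Rego input, nil would also surface as `null` against a cloud.json entry declared as `"type": "array"`. Initializing with `availabilityZones := make([]defsecTypes.StringValue, 0, len(dbCluster.AvailabilityZones))` makes the cloud adapter return an empty list in that case and sizes the slice once. adaptCluster begins before this hunk and its struct literal continues between the two hunks and past the second.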
@@ -27,6 +27,7 @@ func getClusters(ctx parser.FileContext) (clusters map[string]rds.Cluster) {
 PublicAccess: defsecTypes.BoolDefault(false, clusterResource.Metadata()),
 Engine: defsecTypes.StringDefault(rds.EngineAurora, clusterResource.Metadata()),
 LatestRestorableTime: defsecTypes.TimeUnresolvable(clusterResource.Metadata()),
+ AvailabilityZones: nil,
 }
 
 if engineProp := clusterResource.GetProperty("Engine"); engineProp.IsString() {
diff --git a/internal/adapters/terraform/aws/rds/adapt.go b/internal/adapters/terraform/aws/rds/adapt.go
index 357a30f4f..62779a018 100644
--- a/internal/adapters/terraform/aws/rds/adapt.go
+++ b/internal/adapters/terraform/aws/rds/adapt.go
@@ -72,6 +72,7 @@ func getClusters(modules terraform.Modules) (clusters []rds.Cluster) {
 PublicAccess: defsecTypes.BoolDefault(false, defsecTypes.NewUnmanagedMetadata()),
 Engine: defsecTypes.StringUnresolvable(defsecTypes.NewUnmanagedMetadata()),
 LatestRestorableTime: defsecTypes.TimeUnresolvable(defsecTypes.NewUnmanagedMetadata()),
+ AvailabilityZones: nil,
 }
 for _, orphan := range orphanResources {
 orphanage.Instances = append(orphanage.Instances, adaptClusterInstance(orphan, modules))
@@ -223,6 +224,7 @@ func adaptCluster(resource *terraform.Block, modules terraform.Modules) (rds.Clu
 PublicAccess: defsecTypes.Bool(public, resource.GetMetadata()),
 Engine: resource.GetAttribute("engine").AsStringValueOrDefault(rds.EngineAurora, resource),
 LatestRestorableTime: defsecTypes.TimeUnresolvable(resource.GetMetadata()),
+ AvailabilityZones: resource.GetAttribute("availability_zones").AsStringValueSliceOrEmpty(resource),
 }, ids
 }
 
diff --git a/internal/adapters/terraform/aws/rds/adapt_test.go b/internal/adapters/terraform/aws/rds/adapt_test.go
index c890b9814..7187744f6 100644
--- a/internal/adapters/terraform/aws/rds/adapt_test.go
+++ b/internal/adapters/terraform/aws/rds/adapt_test.go
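Review bot: The CloudFormation getClusters hunk only assigns `AvailabilityZones: nil` and never reads the cluster resource's `AvailabilityZones` property, so every CloudFormation-sourced cluster reports no zones while the cloud and terraform adapters populate the field, and a Rego rule keyed on it will behave differently per input type. The second patch in this series deletes the nil line but still leaves the property unadapted. Reading it the way this hunk already reads `Engine` — `clusterResource.GetProperty("AvailabilityZones")`, then wrapping each list entry with `defsecTypes.String(..., clusterResource.Metadata())` — would close the gap; the list accessor on the property type is not visible here, so its exact name needs confirming. getClusters begins before the hunk and continues past it.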
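Review bot: In the adapt.go hunk at @@ -223 the empty result of `AsStringValueSliceOrEmpty` is indistinguishable from a cluster declared with zero zones, yet for `aws_rds_cluster` an omitted `availability_zones` means the provider picks the zones at apply time, and nothing tells a rule author that an empty list here means "not declared" rather than "none". A comment on the added line such as `// empty when availability_zones is not declared; AWS then chooses the zones, so an empty list is not evidence of a single-AZ cluster` would prevent that false positive. The orphanage literal in the @@ -72 hunk leaves the same field nil, so managed and unmanaged clusters in this one file already differ in representation. adaptCluster's signature appears in the hunk header but its body starts before the hunk.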
@@ -25,6 +25,7 @@ func Test_Adapt(t *testing.T) {
 
 resource "aws_rds_cluster" "example" {
 engine = "aurora-mysql"
+ availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"]
 backup_retention_period = 7
 kms_key_id = "kms_key_1"
 storage_encrypted = true
@@ -115,6 +116,11 @@ func Test_Adapt(t *testing.T) {
 },
 PublicAccess: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
 Engine: defsecTypes.String(rds.EngineAuroraMysql, defsecTypes.NewTestMetadata()),
+ AvailabilityZones: defsecTypes.StringValueList{
+ defsecTypes.String("us-west-2a", defsecTypes.NewTestMetadata()),
+ defsecTypes.String("us-west-2b", defsecTypes.NewTestMetadata()),
+ defsecTypes.String("us-west-2c", defsecTypes.NewTestMetadata()),
+ },
 },
 },
 Classic: rds.Classic{
diff --git a/pkg/providers/aws/rds/rds.go b/pkg/providers/aws/rds/rds.go
index 4b2db06e5..d5f8c8b6f 100755
--- a/pkg/providers/aws/rds/rds.go
+++ b/pkg/providers/aws/rds/rds.go
@@ -46,6 +46,7 @@ type Cluster struct {
 PublicAccess defsecTypes.BoolValue
 Engine defsecTypes.StringValue
 LatestRestorableTime defsecTypes.TimeValue
+ AvailabilityZones []defsecTypes.StringValue
 }
 
 type Snapshots struct {
diff --git a/pkg/rego/schemas/cloud.json b/pkg/rego/schemas/cloud.json
index 57cfbad04..0d2cb5dea 100644
--- a/pkg/rego/schemas/cloud.json
+++ b/pkg/rego/schemas/cloud.json
@@ -2379,6 +2379,13 @@
 "github.aaakk.us.kg.aquasecurity.defsec.pkg.providers.aws.rds.Cluster": {
 "type": "object",
 "properties": {
+ "availabilityzones": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.defsec.pkg.types.StringValue"
+ }
+ },
 "backupretentionperioddays": {
 "type": "object",
 "$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.defsec.pkg.types.IntValue"
From 7324e2cac3bb6a279a8fbeb7919cc1de42f7c556 Mon Sep 17 00:00:00 2001
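Review bot: The adapt_test hunks pin only the declared-zones case; the `AsStringValueSliceOrEmpty` contract used by the terraform adapter (what is returned when `availability_zones` is absent) is not exercised, so a regression to a nil field would pass unnoticed. A table entry whose HCL omits `availability_zones` and whose expectation sets `AvailabilityZones` to the empty form the adapter actually returns — which I cannot see from here and would have to be checked against the helper — would cover it. Test_Adapt starts before the first hunk and continues past the second.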
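Review bot: The new `AvailabilityZones` field in the `Cluster` struct is typed `[]defsecTypes.StringValue` while the test hunk in this same series builds the expected value as `defsecTypes.StringValueList{...}`; assigning the named slice to the unnamed field type compiles, but declaring the field as `AvailabilityZones defsecTypes.StringValueList` would keep the model and its tests on one type. The field also lacks a doc comment; `// AvailabilityZones lists the zones the cluster is placed in; empty or nil means the source adapter reported none.` would tell rule authors what they are reading. Cluster's definition starts before the hunk. If cloud.json is produced by a schema generator rather than edited by hand, the schema hunk in this commit should be regenerated after any such type change.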
From: Katsuya Miyachi
Date: Thu, 17 Aug 2023 14:58:35 +0900
Subject: [PATCH 2/3] fix(cloud): delete field

Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com>
---
 internal/adapters/cloudformation/aws/rds/cluster.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/internal/adapters/cloudformation/aws/rds/cluster.go b/internal/adapters/cloudformation/aws/rds/cluster.go
index 779fe5c40..86f6158d8 100644
--- a/internal/adapters/cloudformation/aws/rds/cluster.go
+++ b/internal/adapters/cloudformation/aws/rds/cluster.go
@@ -27,7 +27,6 @@ func getClusters(ctx parser.FileContext) (clusters map[string]rds.Cluster) {
 PublicAccess: defsecTypes.BoolDefault(false, clusterResource.Metadata()),
 Engine: defsecTypes.StringDefault(rds.EngineAurora, clusterResource.Metadata()),
 LatestRestorableTime: defsecTypes.TimeUnresolvable(clusterResource.Metadata()),
- AvailabilityZones: nil,
 }
 
 if engineProp := clusterResource.GetProperty("Engine"); engineProp.IsString() {
From a51ab0b90c9fc77475ca4a23132daa1cee9831dd Mon Sep 17 00:00:00 2001
From: Katsuya Miyachi
Date: Thu, 17 Aug 2023 14:58:42 +0900
Subject: [PATCH 3/3] fix(cloud): delete field

Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com>
---
 internal/adapters/terraform/aws/rds/adapt.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/internal/adapters/terraform/aws/rds/adapt.go b/internal/adapters/terraform/aws/rds/adapt.go
index 62779a018..29cce438d 100644
--- a/internal/adapters/terraform/aws/rds/adapt.go
+++ b/internal/adapters/terraform/aws/rds/adapt.go
@@ -72,7 +72,6 @@ func getClusters(modules terraform.Modules) (clusters []rds.Cluster) {
 PublicAccess: defsecTypes.BoolDefault(false, defsecTypes.NewUnmanagedMetadata()),
 Engine: defsecTypes.StringUnresolvable(defsecTypes.NewUnmanagedMetadata()),
 LatestRestorableTime: defsecTypes.TimeUnresolvable(defsecTypes.NewUnmanagedMetadata()),
- AvailabilityZones: nil,
 }
 for _, orphan := range orphanResources {
 orphanage.Instances = append(orphanage.Instances, adaptClusterInstance(orphan, modules))