feat(terraform): fill in the arn attribute for bucket (#62)

* feat(terraform): fill in the arn attribute for bucket * chore(deps): bump defsec
aquasecurity · Jan 17, 2024 · 78e7ebf · 78e7ebf
1 parent d5611c4
commit 78e7ebf
Show file tree

Hide file tree

Showing 3 changed files with 90 additions and 3 deletions.
diff --git a/go.mod b/go.mod
@@ -6,7 +6,7 @@ require (
 	github.com/BurntSushi/toml v1.3.2
 	github.com/Masterminds/semver v1.5.0
 	github.com/apparentlymart/go-cidr v1.1.0
-	github.com/aquasecurity/defsec v0.93.2-0.20231209043331-6c7b9811ed2a
+	github.com/aquasecurity/defsec v0.93.2-0.20231211235541-4ab1fa82def6
 	github.com/aquasecurity/trivy-policies v0.7.1-0.20231208174659-54235f77763f
 	github.com/aws/smithy-go v1.19.0
 	github.com/bmatcuk/doublestar/v4 v4.6.0

diff --git a/go.sum b/go.sum
@@ -236,8 +236,8 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY=
 github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4=
-github.com/aquasecurity/defsec v0.93.2-0.20231209043331-6c7b9811ed2a h1:88tMKS0nhQwhcouVkqDNgOZ40qvPodpWE/uOqgHBOnw=
-github.com/aquasecurity/defsec v0.93.2-0.20231209043331-6c7b9811ed2a/go.mod h1:NBF6hvbQSc4s/WCHdKV5sNNxLl258M2OiIFoUfgEn/k=
+github.com/aquasecurity/defsec v0.93.2-0.20231211235541-4ab1fa82def6 h1:VIPdWgGVJ1A/Kgb7wCCLBWN0JPZ88ht+uen7DIr7IRU=
+github.com/aquasecurity/defsec v0.93.2-0.20231211235541-4ab1fa82def6/go.mod h1:NBF6hvbQSc4s/WCHdKV5sNNxLl258M2OiIFoUfgEn/k=
 github.com/aquasecurity/trivy-policies v0.7.1-0.20231208174659-54235f77763f h1:X6CuzkCZ0pMMQBJnHd7kKOn37Gz7jEy69hXuqFWS8wk=
 github.com/aquasecurity/trivy-policies v0.7.1-0.20231208174659-54235f77763f/go.mod h1:qiERvJlaS1O6aSZ9Z5VqTDFuwAODiP8yoefviP3+Etw=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=

diff --git a/pkg/scanners/terraform/parser/parser_test.go b/pkg/scanners/terraform/parser/parser_test.go
@@ -1025,6 +1025,93 @@ resource "aws_internet_gateway" "example" {
 	assert.Equal(t, expectedVpcIds, vpcIds)
 }
 
+func TestArnAttributeOfBucketIsCorrect(t *testing.T) {
+
+	t.Run("the bucket doesn't have a name", func(t *testing.T) {
+		fs := testutil.CreateFS(t, map[string]string{
+			"main.tf": `resource "aws_s3_bucket" "this" {}`,
+		})
+		parser := New(fs, "", OptionStopOnHCLError(true))
+		require.NoError(t, parser.ParseFS(context.TODO(), "."))
+
+		modules, _, err := parser.EvaluateAll(context.TODO())
+		require.NoError(t, err)
+		require.Len(t, modules, 1)
+
+		blocks := modules.GetResourcesByType("aws_s3_bucket")
+		assert.Len(t, blocks, 1)
+
+		bucket := blocks[0]
+
+		values := bucket.Values()
+		arnVal := values.GetAttr("arn")
+		assert.True(t, arnVal.Type().Equals(cty.String))
+
+		id := values.GetAttr("id").AsString()
+
+		arn := arnVal.AsString()
+		assert.Equal(t, "arn:aws:s3:::"+id, arn)
+	})
+
+	t.Run("the bucket has a name", func(t *testing.T) {
+		fs := testutil.CreateFS(t, map[string]string{
+			"main.tf": `resource "aws_s3_bucket" "this" {
+  bucket = "test"
+}
+
+resource "aws_iam_role" "this" {
+  name = "test_role"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Sid    = ""
+        Principal = {
+          Service = "s3.amazonaws.com"
+        }
+      },
+    ]
+  })
+}
+
+resource "aws_iam_role_policy" "this" {
+  name   = "test_policy"
+  role   = aws_iam_role.this.id
+  policy = data.aws_iam_policy_document.this.json
+}
+
+data "aws_iam_policy_document" "this" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:GetObject"
+    ]
+    resources = ["${aws_s3_bucket.this.arn}/*"]
+  }
+}`,
+		})
+		parser := New(fs, "", OptionStopOnHCLError(true))
+		require.NoError(t, parser.ParseFS(context.TODO(), "."))
+
+		modules, _, err := parser.EvaluateAll(context.TODO())
+		require.NoError(t, err)
+		require.Len(t, modules, 1)
+
+		blocks := modules[0].GetDatasByType("aws_iam_policy_document")
+		assert.Len(t, blocks, 1)
+
+		policyDoc := blocks[0]
+
+		statement := policyDoc.GetBlock("statement")
+		resources := statement.GetAttribute("resources").AsStringValueSliceOrEmpty()
+
+		assert.Len(t, resources, 1)
+		assert.True(t, resources[0].EqualTo("arn:aws:s3:::test/*"))
+	})
+}
+
 func TestForEachWithObjectsOfDifferentTypes(t *testing.T) {
 	fs := testutil.CreateFS(t, map[string]string{
 		"main.tf": `module "backups" {