Skip to content

Commit

Permalink
fix(terraform): сhecking SSE encryption algorithm validity
Browse files Browse the repository at this point in the history
  • Loading branch information
nikpivkin committed Mar 19, 2024
1 parent 8ec3938 commit 5f395cf
Show file tree
Hide file tree
Showing 2 changed files with 35 additions and 3 deletions.
28 changes: 27 additions & 1 deletion pkg/iac/adapters/terraform/aws/s3/adapt_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ resource "aws_s3_bucket_public_access_block" "example_access_block"{
hasPublicAccess: true,
},
{
desc: "public access block is found when using the bucket name as the lookup",
desc: "public access block is found when using the bucket id as the lookup",
source: `
resource "aws_s3_bucket" "example" {
bucket = "bucketname"
Expand Down Expand Up @@ -254,6 +254,32 @@ func Test_Adapt(t *testing.T) {
},
},
},
{
name: "non-valid SSE algorithm",
terraform: `
resource "aws_s3_bucket" "this" {
bucket = "test"
}
resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
bucket = aws_s3_bucket.this.id
rule {
apply_server_side_encryption_by_default {
sse_algorithm = ""
}
}
}`,
expected: s3.S3{
Buckets: []s3.Bucket{
{
Name: iacTypes.String("test", iacTypes.NewTestMetadata()),
Encryption: s3.Encryption{
Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
},
},
},
},
},
}

for _, test := range tests {
Expand Down
10 changes: 8 additions & 2 deletions pkg/iac/adapters/terraform/aws/s3/bucket.go
Original file line number Diff line number Diff line change
@@ -1,6 +1,10 @@
package s3

import (
"slices"

s3types "github.com/aws/aws-sdk-go-v2/service/s3/types"

"github.com/aquasecurity/trivy/pkg/iac/providers/aws/s3"
"github.com/aquasecurity/trivy/pkg/iac/terraform"
iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
Expand Down Expand Up @@ -194,11 +198,13 @@ func isEncrypted(sseConfgihuration *terraform.Block) iacTypes.BoolValue {
sseConfgihuration,
"rule.apply_server_side_encryption_by_default.sse_algorithm",
func(attr *terraform.Attribute, parent *terraform.Block) iacTypes.BoolValue {
if attr.IsNil() {
if attr.IsNil() || !attr.IsString() {
return iacTypes.BoolDefault(false, parent.GetMetadata())
}
algoVal := attr.Value().AsString()
isValidAlgo := slices.Contains(s3types.ServerSideEncryption("").Values(), s3types.ServerSideEncryption(algoVal))
return iacTypes.Bool(
true,
isValidAlgo,
attr.GetMetadata(),
)
},
Expand Down

0 comments on commit 5f395cf

Please sign in to comment.