From bc87c6bf9d20c0f29e9687dbbccc801265d1c716 Mon Sep 17 00:00:00 2001 
From: Miguel Silva <100352574+cxMiguelSilva@users.noreply.github.com> Date: Thu, 14 Jul 2022 15:52:43 +0100 Subject: [PATCH] feat(kics_ar): add remediation for terraform alicloud security queries (#5600) * (kics auto remediation): first approach * adding tests * replacement approach change * alicloud * QUERIES THAT VERIFY A FIELD SET TO FALSE * UNRECOMMENDED VALUE * added E2E tests * fixing unit test + improving * fix errors * fix * correcting f.Close * improving * improving * fixing E2E * test * adding more tests * fixing codacy issue * improving tests * testing permissions on Dockerfile.ubi8 * Merge branch 'kics_auto_remediation/terraform_alic * remove changes * delete newline at file end Co-authored-by: rafaela-soares --- .../query.rego | 26 ++++++++++++- .../query.rego | 17 ++++++--- .../test/positive_expected_result.json | 4 +- .../alicloud/alb_listening_on_http/query.rego | 5 +++ .../query.rego | 9 ++++- .../disk_encryption_disabled/query.rego | 11 ++++-- .../high_kms_key_rotation_period/query.rego | 12 ++++++ .../query.rego | 7 ++++ .../query.rego | 7 ++++ .../nas_file_system_not_encrypted/query.rego | 7 ++++ .../nas_file_system_without_kms/query.rego | 7 ++++ .../oss_bucket_lifecycle_disabled/query.rego | 5 +++ .../oss_bucket_logging_disabled/query.rego | 5 +++ .../query.rego | 5 +++ .../query.rego | 7 ++++ .../oss_bucket_versioning_disabled/query.rego | 7 ++++ .../query.rego | 6 ++- .../query.rego | 11 +++++- .../query.rego | 5 +++ .../query.rego | 9 ++++- .../query.rego | 7 +++- .../query.rego | 7 +++- .../query.rego | 7 ++++ .../rds_instance_events_not_logged/query.rego | 7 ++++ .../query.rego | 33 +++++++++++++++- .../test/positive3.tf | 6 +++ .../test/positive_expected_result.json | 10 ++++- .../query.rego | 34 ++++++++++++++++- .../test/positive3.tf | 6 +++ .../test/positive_expected_result.json | 10 ++++- .../query.rego | 38 +++++++++++++++++-- .../test/positive3.tf | 6 +++ .../test/positive_expected_result.json | 8 +++- .../query.rego | 14 +++++++ 
.../query.rego | 7 ++++ .../query.rego | 14 +++++++ .../ros_stack_retention_disabled/query.rego | 7 ++++ 37 files changed, 360 insertions(+), 33 deletions(-) create mode 100644 assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/test/positive3.tf create mode 100644 assets/queries/terraform/alicloud/rds_instance_log_disconenctions_disabled/test/positive3.tf create mode 100644 assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/test/positive3.tf diff --git a/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/query.rego b/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/query.rego index 5578dc82c93..4e2b161aece 100644 --- a/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/query.rego +++ b/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/query.rego @@ -6,8 +6,26 @@ import data.generic.terraform as tf_lib CxPolicy[result] { some i resource := input.document[i].resource.alicloud_actiontrail_trail[name] + not common_lib.valid_key(resource, "oss_bucket_name") - possibilities := {"event_rw", "oss_bucket_name", "trail_region"} + + result := { + "documentId": input.document[i].id, + "resourceType": "alicloud_actiontrail_trail", + "resourceName": tf_lib.get_specific_resource_name(resource, "alicloud_actiontrail_trail", name), + "searchKey": sprintf("alicloud_actiontrail_trail[%s]", [name]), + "issueType": "MissingAttribute", + "keyExpectedValue": "oss_bucket_name is set.", + "keyActualValue": "oss_bucket_name is not set.", + "searchLine": common_lib.build_search_line(["resource", "alicloud_actiontrail_trail", name], []), + } +} + +CxPolicy[result] { + some i + resource := input.document[i].resource.alicloud_actiontrail_trail[name] + + possibilities := {"event_rw", "trail_region"} not common_lib.valid_key(resource, possibilities[p]) 
@@ -20,6 +38,8 @@ CxPolicy[result] { "keyExpectedValue": sprintf("'%s' is set.",[possibilities[p]]), "keyActualValue": sprintf("'%s' is not set.",[possibilities[p]]), "searchLine": common_lib.build_search_line(["resource", "alicloud_actiontrail_trail", name], []), + "remediation": sprintf("%s= \"ALL\"", [p]), + "remediationType": "addition", } } @@ -30,7 +50,7 @@ CxPolicy[result] { p := {"event_rw", "trail_region"} resource[p[f]] != "All" - + remediation := {"before":resource[p[f]] , "after": "All" } result := { "documentId": input.document[i].id, "resourceType": "alicloud_actiontrail_trail", @@ -40,5 +60,7 @@ CxPolicy[result] { "keyExpectedValue": sprintf("'%s' is set to All", [p[f]]), "keyActualValue": sprintf("'%s' is not set to All", [p[f]]), "searchLine": common_lib.build_search_line(["resource", "alicloud_actiontrail_trail", name, p[f]], []), + "remediation": json.marshal(remediation), + "remediationType": "replacement", } } diff --git a/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/query.rego b/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/query.rego index 6aec0f56313..f94123a6551 100644 --- a/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/query.rego +++ b/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/query.rego 
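Review bot: The addition remediation in the `@@ -20,6 +38,8 @@` hunk writes `"ALL"`, but the rule in the `@@ -30,7 +50,7 @@` hunk of the same file only accepts the exact string `"All"` (`resource[p[f]] != "All"`), so a file fixed by the first remediation would still be flagged by the second rule. The format string also lacks a space before `=`, producing `event_rw= "ALL"`. Suggest `"remediation": sprintf("%s = \"All\"", [p]),`. The enclosing rule starts in the previous hunk, outside this one.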
@@ -14,12 +14,17 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, - "resourceType": "alicloud_actiontrail_trail", - "resourceName": tf_lib.get_specific_resource_name(actiontrail, "alicloud_actiontrail_trail", name), - "searchKey": sprintf("alicloud_actiontrail_trail[%s].oss_bucket_name", [name]), + "resourceType": "alicloud_oss_bucket", + "resourceName": tf_lib.get_specific_resource_name(actiontrail, "alicloud_oss_bucket", name), + "searchKey": sprintf("alicloud_oss_bucket[%s].acl", [name]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("'alicloud_actiontrail_trail[%s].oss_bucket_name' is private", [name]), - "keyActualValue": sprintf("'alicloud_actiontrail_trail[%s].oss_bucket_name' is %s", [name, possibilities[p]]), - "searchLine": common_lib.build_search_line(["resource", "alicloud_actiontrail_trail", name, "oss_bucket_name"], []), + "keyExpectedValue": sprintf("'alicloud_oss_bucket[%s].oss_bucket_name' is private", [name]), + "keyActualValue": sprintf("'alicloud_oss_bucket[%s].oss_bucket_name' is %s", [name, possibilities[p]]), + "searchLine": common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "acl"], []), + "remediation": json.marshal({ + "before": p, + "after": "private" + }), + "remediationType": "replacement", } } diff --git a/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/test/positive_expected_result.json index cbd24b1d29f..2928f9afc52 100644 --- a/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/test/positive_expected_result.json 
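Review bot: `searchKey` and `searchLine` now point at `alicloud_oss_bucket[%s].acl`, but `keyExpectedValue` and `keyActualValue` still describe `.oss_bucket_name`, so the reported message names an attribute the finding no longer inspects. Suggest `"keyExpectedValue": sprintf("'alicloud_oss_bucket[%s].acl' is private", [name]),` and `"keyActualValue": sprintf("'alicloud_oss_bucket[%s].acl' is %s", [name, possibilities[p]]),`. The `"before": p` in the remediation only equals the offending ACL string if `possibilities` (defined above this hunk) is a set; if it is an array, `p` would be an index and the replacement would never match, so this is worth confirming — the same pattern appears in oss_bucket_public_access_enabled. The enclosing rule starts outside the hunk.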
@@ -2,13 +2,13 @@ { "queryName": "ActionTrail Trail OSS Bucket is Publicly Accessible", "severity": "HIGH", - "line": 9, + "line": 3, "fileName": "positive2.tf" }, { "queryName": "ActionTrail Trail OSS Bucket is Publicly Accessible", "severity": "HIGH", - "line": 9, + "line": 3, "fileName": "positive1.tf" } ] diff --git a/assets/queries/terraform/alicloud/alb_listening_on_http/query.rego b/assets/queries/terraform/alicloud/alb_listening_on_http/query.rego index 2f25d71edd3..e68cad6f295 100644 --- a/assets/queries/terraform/alicloud/alb_listening_on_http/query.rego +++ b/assets/queries/terraform/alicloud/alb_listening_on_http/query.rego @@ -16,5 +16,10 @@ CxPolicy[result] { "keyExpectedValue": "'alicloud_alb_listener[%s].listener_protocol' should not be 'HTTP'", "keyActualValue": "'alicloud_alb_listener[%s].listener_protocol' is 'HTTP'", "searchLine": common_lib.build_search_line(["resource", "alicloud_alb_listener", name, "listener_protocol"], []), + "remediation": json.marshal({ + "before": "HTTP", + "after": "HTTPS" + }), + "remediationType": "replacement" } } diff --git a/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/query.rego b/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/query.rego index bbb0be32e30..47f9e8e8b01 100644 --- a/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/query.rego +++ b/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/query.rego @@ -9,7 +9,7 @@ CxPolicy[result] { auto_repair := resource.management.auto_repair auto_repair == false - + result := { "documentId": input.document[i].id, "resourceType": "alicloud_cs_kubernetes_node_pool", 
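Review bot: The replacement in alb_listening_on_http rewrites `listener_protocol` from `HTTP` to `HTTPS` without any certificate configuration, so applying it on its own is likely to yield a listener that cannot be planned or applied; if the engine cannot express a multi-attribute remediation, the result should at least carry a comment such as `# partial remediation: an HTTPS listener additionally needs certificate configuration`. The adjacent `keyExpectedValue`/`keyActualValue` context lines also contain a literal `%s` with no `sprintf`, so the emitted message shows the placeholder verbatim; not introduced here, but worth fixing in the same file. The enclosing rule starts outside the hunk.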
@@ -19,6 +19,11 @@ CxPolicy[result] { "keyExpectedValue": sprintf("For the resource alicloud_cs_kubernetes_node_pool[%s] to have 'auto_repair' set to true.", [name]), "keyActualValue": sprintf("The resource alicloud_cs_kubernetes_node_pool[%s] has 'auto_repair' set to false.", [name]), "searchLine":common_lib.build_search_line(["resource", "alicloud_cs_kubernetes_node_pool", name, "management", "auto_repair"], []), + "remediation": json.marshal({ + "before": "false", + "after": "true" + }), + "remediationType": "replacement", } } @@ -53,5 +58,7 @@ CxPolicy[result] { "keyExpectedValue": sprintf("For the resource alicloud_cs_kubernetes_node_pool[%s] to have a 'management' block containing 'auto_repair' set to true.", [name]), "keyActualValue": sprintf("The resource alicloud_cs_kubernetes_node_pool[%s] has a 'management' block but it doesn't contain 'auto_repair' ", [name]), "searchLine":common_lib.build_search_line(["resource", "alicloud_cs_kubernetes_node_pool", name, "management"], []), + "remediation": "auto_repair = true", + "remediationType": "addition", } } diff --git a/assets/queries/terraform/alicloud/disk_encryption_disabled/query.rego b/assets/queries/terraform/alicloud/disk_encryption_disabled/query.rego index dc7cbf1594a..e3d81215f83 100644 --- a/assets/queries/terraform/alicloud/disk_encryption_disabled/query.rego +++ b/assets/queries/terraform/alicloud/disk_encryption_disabled/query.rego @@ -6,8 +6,7 @@ import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.alicloud_disk[name] - resource.encrypted == false - + resource.encrypted == false result := { "documentId": input.document[i].id, 
@@ -18,6 +17,11 @@ CxPolicy[result] { "keyExpectedValue": sprintf("[%s] has encryption set to true", [name]), "keyActualValue": sprintf("[%s] has encryption set to false", [name]), "searchLine":common_lib.build_search_line(["resource", "alicloud_disk", name, "encrypted"], []), + "remediation": json.marshal({ + "before": "false", + "after": "true" + }), + "remediationType": "replacement", } } @@ -26,7 +30,6 @@ CxPolicy[result] { resource := input.document[i].resource.alicloud_disk[name] not common_lib.valid_key(resource, "encrypted") not common_lib.valid_key(resource, "snapshot_id") - result := { "documentId": input.document[i].id, @@ -37,6 +40,8 @@ CxPolicy[result] { "keyExpectedValue": sprintf("[%s] has encryption enabled",[name]), "keyActualValue": sprintf("[%s] does not have encryption enabled",[name]), "searchLine":common_lib.build_search_line(["resource", "alicloud_disk", name], []), + "remediation": "encrypted = true", + "remediationType": "addition", } } diff --git a/assets/queries/terraform/alicloud/high_kms_key_rotation_period/query.rego b/assets/queries/terraform/alicloud/high_kms_key_rotation_period/query.rego index adb65e2df98..57b339d84c9 100644 --- a/assets/queries/terraform/alicloud/high_kms_key_rotation_period/query.rego +++ b/assets/queries/terraform/alicloud/high_kms_key_rotation_period/query.rego @@ -18,6 +18,11 @@ CxPolicy[result] { "keyExpectedValue": "'rotation_interval' value should not be higher than a year", "keyActualValue": "'rotation_interval' value is higher than a year", "searchLine": common_lib.build_search_line(["resource", "alicloud_kms_key", name, "rotation_interval"], []), + "remediation": json.marshal({ + "before": resource.rotation_interval, + "after": "365d" + }), + "remediationType": "replacement", } } 
@@ -35,6 +40,8 @@ CxPolicy[result] { "keyExpectedValue": "'automatic_rotation' should be defined and set to Enabled", "keyActualValue": "'automatic_rotation' is not defined", "searchLine": common_lib.build_search_line(["resource", "alicloud_kms_key", name], []), + "remediation": "automatic_rotation = \"Enabled\"", + "remediationType": "addition", } } @@ -52,6 +59,11 @@ CxPolicy[result] { "keyExpectedValue": "'automatic_rotation' should be set to Enabled", "keyActualValue": "'automatic_rotation' is set to Disabled", "searchLine": common_lib.build_search_line(["resource", "alicloud_kms_key", name, "automatic_rotation"], []), + "remediation": json.marshal({ + "before": "Disabled", + "after": "Enabled" + }), + "remediationType": "replacement", } } diff --git a/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/query.rego b/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/query.rego index 164e077d514..4ab990f431c 100644 --- a/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/query.rego +++ b/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/query.rego @@ -16,6 +16,11 @@ CxPolicy[result] { "keyExpectedValue": sprintf("alicloud_launch_template[%s].encrypted to be true", [name]), "keyActualValue": sprintf("alicloud_launch_template[%s].encrypted is false", [name]), "searchLine": common_lib.build_search_line(["resource", "alicloud_launch_template", name, "encrypted"], []), + "remediation": json.marshal({ + "before": "false", + "after": "true" + }), + "remediationType": "replacement", } } @@ -32,5 +37,7 @@ CxPolicy[result] { "keyExpectedValue": sprintf("alicloud_launch_template[%s] 'encrypted' should be defined and set to true", [name]), "keyActualValue": sprintf("alicloud_launch_template[%s] 'encrypted' argument is not defined", [name]), "searchLine": common_lib.build_search_line(["resource", "alicloud_launch_template", name], []), + "remediation": "encrypted = true", + "remediationType": "addition", } } 
diff --git a/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/query.rego b/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/query.rego index 78637f40533..bbdc2893c01 100644 --- a/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/query.rego +++ b/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/query.rego @@ -17,6 +17,8 @@ CxPolicy[result] { "keyExpectedValue": "For attribute 'retention_period' to be set and over 90 days.", "keyActualValue": "The attribute 'retention_period' is undefined. The default duration when undefined is 30 days, which is too short.", "searchLine": common_lib.build_search_line(["resource", "alicloud_log_store", name], []), + "remediation": "retention_period = 100", + "remediationType": "addition", } } @@ -35,5 +37,10 @@ CxPolicy[result] { "keyExpectedValue": "For the attribite 'retention_period' to be set to 90+ days", "keyActualValue": "The attribute 'retention_period' is not set to 90+ days", "searchLine": common_lib.build_search_line(["resource", "alicloud_log_store", name, "retention_period"], []), + "remediation": json.marshal({ + "before": sprintf("%d", [rperiod]), + "after": "100" + }), + "remediationType": "replacement", } } diff --git a/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/query.rego b/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/query.rego index 77bfc7e4488..8dcc8f8339a 100644 --- a/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/query.rego +++ b/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/query.rego 
@@ -16,6 +16,11 @@ CxPolicy[result] { "keyExpectedValue": sprintf("alicloud_nas_file_system[%s].encrypt_type' should not be 0", [name]), "keyActualValue": sprintf("alicloud_nas_file_system[%s].encrypt_type' is 0", [name]), "searchLine":common_lib.build_search_line(["resource", "alicloud_nas_file_system", name, "encrypt_type"], []), + "remediation": json.marshal({ + "before": "0", + "after": "2" + }), + "remediationType": "replacement", } } @@ -32,5 +37,7 @@ CxPolicy[result] { "keyExpectedValue": sprintf("alicloud_nas_file_system[%s].encrypt_type' should be defined and the value different from 0 ", [name]), "keyActualValue": sprintf("alicloud_nas_file_system[%s].encrypt_type' is undefined", [name]), "searchLine":common_lib.build_search_line(["resource", "alicloud_nas_file_system", name], []), + "remediation": "encrypt_type = \"2\"", + "remediationType": "addition", } } diff --git a/assets/queries/terraform/alicloud/nas_file_system_without_kms/query.rego b/assets/queries/terraform/alicloud/nas_file_system_without_kms/query.rego index 1cc32cd2bbf..c89aed01f50 100644 --- a/assets/queries/terraform/alicloud/nas_file_system_without_kms/query.rego +++ b/assets/queries/terraform/alicloud/nas_file_system_without_kms/query.rego @@ -16,6 +16,8 @@ CxPolicy[result] { "keyExpectedValue": sprintf("alicloud_nas_file_system[%s].encrypt_type' should be defined and set to 2'", [name]), "keyActualValue": sprintf("alicloud_nas_file_system[%s].encrypt_type' is not defined", [name]), "searchLine": common_lib.build_search_line(["resource", "alicloud_nas_file_system", name], []), + "remediation": "encrypt_type = \"2\"", + "remediationType": "addition", } } 
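Review bot: In nas_file_system_not_encrypted the replacement rewrites `0` to `2` as an unquoted number, while the addition in the `@@ -32,5 +37,7 @@` hunk and the addition in nas_file_system_without_kms write `encrypt_type = \"2\"` as a quoted string, so the two remediations produce different HCL for the same attribute. The query compares the attribute with the number 0, which suggests it is numeric; if the provider schema confirms that, the additions should read `"remediation": "encrypt_type = 2",` in both files. The enclosing rules start outside the hunks.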
@@ -32,5 +34,10 @@ CxPolicy[result] { "keyExpectedValue": sprintf("alicloud_nas_file_system[%s].encrypt_type' should be set to 2'", [name]), "keyActualValue": sprintf("alicloud_nas_file_system[%s].encrypt_type' is not set to 2 ", [name]), "searchLine": common_lib.build_search_line(["resource", "alicloud_nas_file_system", name, "encrypt_type"], []), + "remediation": json.marshal({ + "before": resource.encrypt_type, + "after": "2" + }), + "remediationType": "replacement", } } diff --git a/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/query.rego b/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/query.rego index 4b6e22faaf0..2170aa1a4a9 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/query.rego +++ b/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/query.rego @@ -18,6 +18,11 @@ CxPolicy[result] { "keyExpectedValue": "'lifecycle_rule' is set and enabled", "keyActualValue": "'lifecycle_rule' is set but disabled", "searchLine":common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "lifecycle_rule", "enabled"], []), + "remediation": json.marshal({ + "before": "false", + "after": "true" + }), + "remediationType": "replacement", } } diff --git a/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/query.rego b/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/query.rego index d2419789a7a..b980753e03f 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/query.rego +++ b/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/query.rego 
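Review bot: `"before": resource.encrypt_type` passes the raw attribute value into `json.marshal`, so a numeric value serialises as `"before":1` rather than the string `"1"`, while every other replacement in this change that involves a number stringifies it with `sprintf("%d", ...)` (the ram_account_password_policy_* and log_retention_is_not_greater_than_90_days hunks). If the engine matches `before` textually, a JSON number may not behave like a string; suggest `"before": sprintf("%d", [resource.encrypt_type]),` for consistency. The high_kms_key_rotation_period hunk also passes `resource.rotation_interval` raw, though that attribute is a string and marshals as one. The enclosing rule starts outside the hunk.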
@@ -34,5 +34,10 @@ CxPolicy[result] { "keyExpectedValue": sprintf("%s 'logging_isenable' argument should be set to true",[name]), "keyActualValue": sprintf("%s 'logging_isenable' argument is set to false",[name]), "searchLine":common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "logging_isenable"], []), + "remediation": json.marshal({ + "before": "false", + "after": "true" + }), + "remediationType": "replacement", } } diff --git a/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/query.rego b/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/query.rego index a960d9afb9c..5a0958c23aa 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/query.rego +++ b/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/query.rego @@ -19,5 +19,10 @@ CxPolicy[result] { "keyExpectedValue": "'acl' is set to private or not set", "keyActualValue": sprintf("'acl' is %s", [possibilities[p]]), "searchLine":common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "acl"], []), + "remediation": json.marshal({ + "before": p, + "after": "private" + }), + "remediationType": "replacement", } } diff --git a/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/query.rego b/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/query.rego index 40ca6d46d95..40e8262ea3c 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/query.rego +++ b/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/query.rego 
@@ -18,6 +18,11 @@ CxPolicy[result] { "keyExpectedValue": "'transfer_acceleration.enabled' is defined and set to true", "keyActualValue": "'transfer_acceleration.enabled' is false", "searchLine": common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "transfer_acceleration", "enabled"], []), + "remediation": json.marshal({ + "before": "false", + "after": "true" + }), + "remediationType": "replacement", } } @@ -36,5 +41,7 @@ CxPolicy[result] { "keyExpectedValue": "'transfer_acceleration.enabled' is defined and set to true", "keyActualValue": "'transfer_acceleration' is missing", "searchLine": common_lib.build_search_line(["resource", "alicloud_oss_bucket", name], []), + "remediation": "transfer_acceleration{\n\t\tenabled = true\n\t}", + "remediationType": "addition", } } diff --git a/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/query.rego b/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/query.rego index 7c26c492f1b..c212f5d1bb8 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/query.rego +++ b/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/query.rego @@ -18,6 +18,11 @@ CxPolicy[result] { "keyExpectedValue": "'versioning.status' is enabled", "keyActualValue": "'versioning.status' is suspended", "searchLine": common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "versioning", "status"], []), + "remediation": json.marshal({ + "before": "Suspended", + "after": "Enabled" + }), + "remediationType": "replacement", } } @@ -36,5 +41,7 @@ CxPolicy[result] { "keyExpectedValue": "'versioning.status' is defined and set to enabled", "keyActualValue": "'versioning' is missing", "searchLine": common_lib.build_search_line(["resource", "alicloud_oss_bucket", name], []), + "remediation": "versioning {\n\t\tstatus = \"Enabled\"\n\t}", + "remediationType": "addition", } } 
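Review bot: The addition remediation in the `@@ -36,5 +41,7 @@` hunk of oss_bucket_transfer_acceleration_disabled emits `transfer_acceleration{` with no space before the brace, whereas the versioning remediation in the next file emits `versioning {`; generated HCL should follow one convention. Suggest `"remediation": "transfer_acceleration {\n\t\tenabled = true\n\t}",`. The enclosing rule starts outside the hunk.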
diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/query.rego b/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/query.rego index cf83c51d2b0..a0375d585a7 100644 --- a/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/query.rego +++ b/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/query.rego @@ -17,6 +17,10 @@ CxPolicy[result] { "keyExpectedValue": "'max_login_attempts' is set to 5 or less", "keyActualValue": "'max_login_attempts' is above than 5", "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_account_password_policy", name, "max_login_attempts"], []), - + "remediation": json.marshal({ + "before": sprintf("%d", [resource.max_login_attempts]), + "after": "5" + }), + "remediationType": "replacement", } } diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/query.rego b/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/query.rego index 25db9fc697f..662a3b36721 100644 --- a/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/query.rego +++ b/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/query.rego @@ -36,6 +36,11 @@ CxPolicy[result] { "keyExpectedValue": "'max_password_age' should be higher than 0 and lower than 91", "keyActualValue": "'max_password_age' is higher than 90", "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_account_password_policy", name, "max_password_age"], []), + "remediation": json.marshal({ + "before": sprintf("%d", [resource.max_password_age]), + "after": "12" + }), + "remediationType": "replacement", } } 
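Review bot: Both replacement remediations for `max_password_age` (the `@@ -36,6 +36,11 @@` hunk here and the `@@ -54,6 +59,10 @@` hunk on the next line) rewrite the value to `"12"`, which is explained nowhere and forces a very short rotation period, while the query's own bound is any value from 1 to 90 days. The chosen value should be a deliberate policy decision recorded next to the rule, e.g. `# remediation value: <chosen days>, within the 1-90 range the query accepts` above `result := {`, whether it stays 12 or moves to the query's upper bound. The enclosing rules start outside the hunks.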
@@ -54,6 +59,10 @@ CxPolicy[result] { "keyExpectedValue": "'max_password_age' should be higher than 0 and lower than 91", "keyActualValue": "'max_password_age' is equal to 0", "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_account_password_policy", name, "max_password_age"], []), - + "remediation": json.marshal({ + "before": sprintf("%d", [resource.max_password_age]), + "after": "12" + }), + "remediationType": "replacement", } } diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/query.rego b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/query.rego index 85e32916612..1c663788690 100644 --- a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/query.rego +++ b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/query.rego @@ -17,5 +17,10 @@ CxPolicy[result] { "keyExpectedValue": "'require_numbers' is defined and set to true", "keyActualValue": "'require_numbers' is false", "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_account_password_policy", name, "require_numbers"], []), + "remediation": json.marshal({ + "before": "false", + "after": "true" + }), + "remediationType": "replacement", } } diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/query.rego b/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/query.rego index dbdaa8d7f72..8700c85f888 100644 --- a/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/query.rego +++ b/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/query.rego 
@@ -17,7 +17,8 @@ CxPolicy[result] { "keyExpectedValue": "'password_reuse_prevention' is defined and equal or lower than 24", "keyActualValue": "'password_reuse_prevention' is not defined", "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_account_password_policy", name], []), - + "remediation": "password_reuse_prevention = 24", + "remediationType": "addition", } } @@ -35,6 +36,10 @@ CxPolicy[result] { "keyExpectedValue": "'password_reuse_prevention' should be equal or less 24", "keyActualValue": "'password_reuse_prevention' is higher than 24", "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_account_password_policy", name, "password_reuse_prevention"], []), - + "remediation": json.marshal({ + "before": sprintf("%d", [resource.password_reuse_prevention]), + "after": "24" + }), + "remediationType": "replacement", } } diff --git a/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/query.rego b/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/query.rego index 72d2733336c..9f6e401d351 100644 --- a/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/query.rego +++ b/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/query.rego 
@@ -16,6 +16,11 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "'require_lowercase_characters' is defined and set to true", "keyActualValue": "'require_lowercase_characters' is false", - "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_account_password_policy", name, "require_lowercase_characters"], []), + "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_account_password_policy", name, "require_lowercase_characters"], []), + "remediation": json.marshal({ + "before": "false", + "after": "true" + }), + "remediationType": "replacement" } } diff --git a/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/query.rego b/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/query.rego index c90f9db9ebd..e022f365a2c 100644 --- a/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/query.rego +++ b/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/query.rego @@ -16,6 +16,11 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "'require_uppercase_characters' is defined and set to true", "keyActualValue": "'require_uppercase_characters' is false", - "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_account_password_policy", name, "require_uppercase_characters"], []), + "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_account_password_policy", name, "require_uppercase_characters"], []), + "remediation": json.marshal({ + "before": "false", + "after": "true" + }), + "remediationType": "replacement", } } diff --git a/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/query.rego b/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/query.rego index b13e861b264..e0976c4c4db 100644 
--- a/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/query.rego +++ b/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/query.rego @@ -44,6 +44,8 @@ CxPolicy[result] { "keyExpectedValue": "'enforce_mfa_for_login' should be defined and set to true", "keyActualValue": "'enforce_mfa_for_login' is not defined", "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_security_preference", name], []), + "remediation": "enforce_mfa_for_login = true", + "remediationType": "addition", } } @@ -61,5 +63,10 @@ CxPolicy[result] { "keyExpectedValue": "'enforce_mfa_for_login' should be set to true", "keyActualValue": "'enforce_mfa_for_login' is set to 'false'", "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_security_preference", name, "enforce_mfa_for_login" ], []), + "remediation": json.marshal({ + "before": "false", + "after": "true" + }), + "remediationType": "replacement", } } diff --git a/assets/queries/terraform/alicloud/rds_instance_events_not_logged/query.rego b/assets/queries/terraform/alicloud/rds_instance_events_not_logged/query.rego index 73af7aa204d..527b327272f 100644 --- a/assets/queries/terraform/alicloud/rds_instance_events_not_logged/query.rego +++ b/assets/queries/terraform/alicloud/rds_instance_events_not_logged/query.rego @@ -22,6 +22,8 @@ CxPolicy[result] { "keyExpectedValue": sprintf("'%s' parameter value should be 'true'", [log]), "keyActualValue": sprintf("'%s' parameter is not defined", [log]), "searchLine": common_lib.build_search_line(["resource", "alicloud_log_audit", name, "variable_map"], []), + "remediation": sprintf("%s = true",[log]), + "remediationType": "addition", } } 
@@ -40,6 +42,11 @@ CxPolicy[result] { "keyExpectedValue": sprintf("'%s' parameter value should be 'true'", [log]), "keyActualValue": sprintf("'%s' parameter value is 'false'", [log]), "searchLine": common_lib.build_search_line(["resource", "alicloud_log_audit", name, "variable_map", log], []), + "remediation": json.marshal({ + "before": "false", + "after": "true" + }), + "remediationType": "replacement", } } diff --git a/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/query.rego b/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/query.rego index 4f9aee356a2..221a9fe1522 100644 --- a/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/query.rego +++ b/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/query.rego 
@@ -18,23 +18,34 @@ CxPolicy[result] {
 "keyExpectedValue": "'log_connections' parameter value should be 'ON'",
 "keyActualValue": "'log_connections' parameter value is 'OFF'",
 "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name, "parameters", parameter, "value"], []),
+ "remediation": json.marshal({
+ "before": "OFF",
+ "after": "ON"
+ }),
+ "remediationType": "replacement",
 }
 }
 CxPolicy[result] {
 some i
 resource := input.document[i].resource.alicloud_db_instance[name]
+ common_lib.valid_key(resource, "parameters")
 not has_log_conn(resource)
 result := {
 "documentId": input.document[i].id,
 "resourceType": "alicloud_db_instance",
 "resourceName": tf_lib.get_resource_name(resource, name),
- "searchKey": sprintf("alicloud_db_instance[%s]]", [name]),
+ "searchKey": sprintf("alicloud_db_instance[%s].parameters", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'log_connections' parameter is defined value should be 'ON'",
 "keyActualValue": "'log_connections' parameter is not defined",
- "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name], []),
+ "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name], ["parameters"]),
+ "remediation": json.marshal({
+ "before": "[",
+ "after": "[{\n\t\tname = \"log_connections\"\n\t\tvalue = \"ON\"\n\t},"
+ }),
+ "remediationType": "replacement",
 }
 }
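Review bot: The replacement remediation added to the present-but-incomplete `parameters` rule keys on the single character `"before": "["` at the `parameters` searchLine, which only holds when the attribute is written in list syntax with the opening bracket on that line; a `parameters { ... }` block form, or a list opened on a later line, has no `[` there, and whether the remediation engine verifies that `before` occurs on the target line before rewriting is not visible in this hunk. Consider stating the assumption above the rule, e.g. `# remediation assumes the list form parameters = [ ... ]; block syntax gets the finding but no rewrite`, so the limitation is intentional rather than silent. The same pattern is repeated in the log_disconnections and log_duration hunks below. Separately, the message `'log_connections' parameter is defined value should be 'ON'` is missing the "and" that the log_disconnections wording has (`is defined and value should be 'ON'`), and the new rule at the end of this file repeats that wording.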
@@ -43,3 +54,21 @@ has_log_conn(resource){
 parameter.name == "log_connections"
 }
+CxPolicy[result] {
+ some i
+ resource := input.document[i].resource.alicloud_db_instance[name]
+ not common_lib.valid_key(resource, "parameters")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "alicloud_db_instance",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("alicloud_db_instance[%s]", [name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": "'log_connections' parameter is defined value should be 'ON' in parameters array",
+ "keyActualValue": "'log_connections' parameter is not defined in parameters array",
+ "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name], []),
+ "remediation": "parameters = [{\n\t\tname = \"log_connections\"\n\t\tvalue = \"ON\"\n\t}]",
+ "remediationType": "addition",
+ }
+}
diff --git a/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/test/positive3.tf b/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/test/positive3.tf
new file mode 100644
index 00000000000..99fd38c3118
--- /dev/null
+++ b/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/test/positive3.tf
@@ -0,0 +1,6 @@
+resource "alicloud_db_instance" "default" {
+ engine = "MySQL"
+ engine_version = "5.6"
+ db_instance_class = "rds.mysql.t1.small"
+ db_instance_storage = "10"
+}
diff --git a/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/test/positive_expected_result.json
index 396c8d3265b..5646d5b8736 100644
--- a/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/test/positive_expected_result.json
@@ -2,7 +2,7 @@
 {
 "queryName": "RDS Instance Log Connections Disabled",
 "severity": "LOW",
- "line": 1,
+ "line": 6,
 "fileName": "positive1.tf"
 },
 {
@@ -10,5 +10,11 @@
 "severity": "LOW",
 "line": 14,
 "fileName": "positive2.tf"
- }
+ },
+ {
+ "queryName": "RDS Instance Log Connections Disabled",
+ "severity": "LOW",
+ "line": 1,
+ "fileName": "positive3.tf"
+ }
 ]
diff --git a/assets/queries/terraform/alicloud/rds_instance_log_disconenctions_disabled/query.rego b/assets/queries/terraform/alicloud/rds_instance_log_disconenctions_disabled/query.rego
index 95743bbb4f1..ef78ec76c82 100644
--- a/assets/queries/terraform/alicloud/rds_instance_log_disconenctions_disabled/query.rego
+++ b/assets/queries/terraform/alicloud/rds_instance_log_disconenctions_disabled/query.rego
@@ -18,23 +18,34 @@ CxPolicy[result] {
 "keyExpectedValue": "'log_disconnections' parameter value should be 'ON'",
 "keyActualValue": "'log_disconnections' parameter value is 'OFF'",
 "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name, "parameters", parameter, "value"], []),
+ "remediation": json.marshal({
+ "before": "OFF",
+ "after": "ON"
+ }),
+ "remediationType": "replacement",
 }
 }
 CxPolicy[result] {
 some i
 resource := input.document[i].resource.alicloud_db_instance[name]
+ common_lib.valid_key(resource, "parameters")
 not has_log_disconn(resource)
 result := {
 "documentId": input.document[i].id,
 "resourceType": "alicloud_db_instance",
 "resourceName": tf_lib.get_resource_name(resource, name),
- "searchKey": sprintf("alicloud_db_instance[%s]]", [name]),
+ "searchKey": sprintf("alicloud_db_instance[%s].parameters", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'log_disconnections' parameter is defined and value should be 'ON'",
 "keyActualValue": "'log_disconnections' parameter is not defined",
- "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name], []),
+ "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name], ["parameters"]),
+ "remediation": json.marshal({
+ "before": "[",
+ "after": "[{\n\t\tname = \"log_disconnections\"\n\t\tvalue = \"ON\"\n\t},"
+ }),
+ "remediationType": "replacement",
 }
 }
@@ -42,3 +53,22 @@ has_log_disconn(resource){
 parameter := resource.parameters[j]
 parameter.name == "log_disconnections"
 }
+
+CxPolicy[result] {
+ some i
+ resource := input.document[i].resource.alicloud_db_instance[name]
+ not common_lib.valid_key(resource, "parameters")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "alicloud_db_instance",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("alicloud_db_instance[%s]]", [name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": "'log_disconnections' parameter is defined and value should be 'ON' in parametes array",
+ "keyActualValue": "'log_disconnections' parameter is not defined in parametes array",
+ "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name], []),
+ "remediation": "parameters = [{\n\t\tname = \"log_disconnections\"\n\t\tvalue = \"ON\"\n\t}]",
+ "remediationType": "addition",
+ }
+}
diff --git a/assets/queries/terraform/alicloud/rds_instance_log_disconenctions_disabled/test/positive3.tf b/assets/queries/terraform/alicloud/rds_instance_log_disconenctions_disabled/test/positive3.tf
new file mode 100644
index 00000000000..99fd38c3118
--- /dev/null
+++ b/assets/queries/terraform/alicloud/rds_instance_log_disconenctions_disabled/test/positive3.tf
@@ -0,0 +1,6 @@
+resource "alicloud_db_instance" "default" {
+ engine = "MySQL"
+ engine_version = "5.6"
+ db_instance_class = "rds.mysql.t1.small"
+ db_instance_storage = "10"
+}
diff --git a/assets/queries/terraform/alicloud/rds_instance_log_disconenctions_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_log_disconenctions_disabled/test/positive_expected_result.json
index 71250c921be..61953fd824d 100644
--- a/assets/queries/terraform/alicloud/rds_instance_log_disconenctions_disabled/test/positive_expected_result.json
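Review bot: The new missing-`parameters` rule keeps the stray closing bracket in `"searchKey": sprintf("alicloud_db_instance[%s]]", [name])`, the same typo this commit corrects in the rule earlier in this file (now `[%s].parameters`) and which the log_connections counterpart gets right as `[%s]`; the log_duration copy at the end of the next query.rego hunk carries the same `]]`. Both messages in this rule also misspell the attribute: `in parametes array` should read `in parameters array`, as the log_connections and log_duration versions spell it. Since `searchKey` is what result consumers and the expected-result fixtures match against, the inconsistency between this rule and its siblings is worth fixing before the remediation entries ship.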
+++ b/assets/queries/terraform/alicloud/rds_instance_log_disconenctions_disabled/test/positive_expected_result.json
@@ -8,7 +8,13 @@
 {
 "queryName": "RDS Instance Log Disconnections Disabled",
 "severity": "LOW",
- "line": 1,
+ "line": 6,
 "fileName": "positive2.tf"
- }
+ },
+ {
+ "queryName": "RDS Instance Log Disconnections Disabled",
+ "severity": "LOW",
+ "line": 1,
+ "fileName": "positive3.tf"
+ }
 ]
diff --git a/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/query.rego b/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/query.rego
index 5df1ab5080f..553e3c0dbac 100644
--- a/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/query.rego
+++ b/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/query.rego
@@ -18,27 +18,57 @@ CxPolicy[result] {
 "keyExpectedValue": "'log_duration' parameter value should be 'ON'",
 "keyActualValue": "'log_duration' parameter value is 'OFF'",
 "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name, "parameters", parameter, "value"], []),
+ "remediation": json.marshal({
+ "before": "OFF",
+ "after": "ON"
+ }),
+ "remediationType": "replacement",
 }
 }
 CxPolicy[result] {
 some i
 resource := input.document[i].resource.alicloud_db_instance[name]
- not has_log_disconn(resource)
+ common_lib.valid_key(resource, "parameters")
+ not has_log_duration(resource)
 result := {
 "documentId": input.document[i].id,
 "resourceType": "alicloud_db_instance",
 "resourceName": tf_lib.get_resource_name(resource, name),
- "searchKey": sprintf("alicloud_db_instance[%s]]", [name]),
+ "searchKey": sprintf("alicloud_db_instance[%s].parameters", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'log_duration' parameter is defined and value should be 'ON'",
 "keyActualValue": "'log_duration' parameter is not defined",
- "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name], []),
+ "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name], ["parameters"]),
+ "remediation": json.marshal({
+ "before": "[",
+ "after": "[{\n\t\tname = \"log_duration\"\n\t\tvalue = \"ON\"\n\t},"
+ }),
+ "remediationType": "replacement",
 }
 }
-has_log_disconn(resource){
+has_log_duration(resource){
 parameter := resource.parameters[j]
 parameter.name == "log_duration"
 }
+
+CxPolicy[result] {
+ some i
+ resource := input.document[i].resource.alicloud_db_instance[name]
+ not common_lib.valid_key(resource, "parameters")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "alicloud_db_instance",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("alicloud_db_instance[%s]]", [name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": "'log_duration' parameter is defined and value should be 'ON' in parameters array",
+ "keyActualValue": "'log_duration' parameter is not defined in parameters array",
+ "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name], []),
+ "remediation": "parameters = [{\n\t\tname = \"log_duration\"\n\t\tvalue = \"ON\"\n\t}]",
+ "remediationType": "addition",
+ }
+}
diff --git a/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/test/positive3.tf b/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/test/positive3.tf
new file mode 100644
index 00000000000..99fd38c3118
--- /dev/null
+++ b/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/test/positive3.tf
@@ -0,0 +1,6 @@
+resource "alicloud_db_instance" "default" {
+ engine = "MySQL"
+ engine_version = "5.6"
+ db_instance_class = "rds.mysql.t1.small"
+ db_instance_storage = "10"
+}
diff --git a/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/test/positive_expected_result.json
index 80846a644ad..3773fc7ad7e 100644
--- a/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/test/positive_expected_result.json
@@ -8,7 +8,13 @@
 {
 "queryName": "RDS Instance Log Duration Disabled",
 "severity": "LOW",
- "line": 1,
+ "line": 6,
 "fileName": "positive2.tf"
+ },
+ {
+ "queryName": "RDS Instance Log Duration Disabled",
+ "severity": "LOW",
+ "line": 1,
+ "fileName": "positive3.tf"
 }
 ]
diff --git a/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/query.rego b/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/query.rego
index 862f8b1bb8c..a29b514837f 100644
--- a/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/query.rego
+++ b/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/query.rego
@@ -16,6 +16,8 @@ CxPolicy[result] {
 "keyExpectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more",
 "keyActualValue": "'sql_collector_status' is not defined",
 "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name], []),
+ "remediation": "sql_collector_status = \"Enabled\"",
+ "remediationType": "addition",
 }
 }
@@ -32,6 +34,11 @@ CxPolicy[result] {
 "keyExpectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more",
 "keyActualValue": "'sql_collector_status' is set to 'Disabled'",
 "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name,"sql_collector_status" ], []),
+ "remediation": json.marshal({
+ "before": "Disabled",
+ "after": "Enabled"
+ }),
+ "remediationType": "replacement",
 }
 }
@@ -49,6 +56,8 @@ CxPolicy[result] {
 "keyExpectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more",
 "keyActualValue": "'sql_collector_config_value' is not defined",
 "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name], []),
+ "remediation": "sql_collector_config_value = 180",
+ "remediationType": "addition",
 }
 }
@@ -65,5 +74,10 @@ CxPolicy[result] {
 "keyExpectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more",
 "keyActualValue": "'sql_collector_config_value' is set to 30",
 "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name,"sql_collector_config_value" ], []),
+ "remediation": json.marshal({
+ "before": "30",
+ "after": "180"
+ }),
+ "remediationType": "replacement",
 }
 }
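Review bot: The replacement remediation in the last hunk of this file hard-codes `"before": "30"` alongside the message `is set to 30`, so it can only rewrite a value that is exactly 30 even though keyExpectedValue asks for 180 or more; the rule's condition sits above the hunk, so if it matches any value below 180 rather than `== 30`, a finding for, say, 90 would carry a remediation that cannot apply and a message that misreports the value. If the condition is broader, derive both from the actual value, e.g. `"before": sprintf("%v", [resource.sql_collector_config_value])` (assuming this rule binds `resource` the way the sibling queries do). If the condition really is `== 30`, a one-line comment above the rule such as `# only the value 30 is flagged, so the before/after pair is fixed` would make the hard-coded pair intentional.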
diff --git a/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/query.rego b/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/query.rego
index 3d01dee3102..c6f94eb1c0c 100644
--- a/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/query.rego
+++ b/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/query.rego
@@ -18,6 +18,11 @@ CxPolicy[result] {
 "keyExpectedValue": "'ssl_action' value should be 'Open'",
 "keyActualValue": "'ssl_action' value is 'Close'",
 "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name, "ssl_action"], []),
+ "remediation": json.marshal({
+ "before": "Close",
+ "after": "Open"
+ }),
+ "remediationType": "replacement",
 }
 }
@@ -35,5 +40,7 @@ CxPolicy[result] {
 "keyExpectedValue": "'ssl_action' value should be 'Open'",
 "keyActualValue": "'ssl_action' is not defined",
 "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name], []),
+ "remediation": "ssl_action = \"Open\"",
+ "remediationType": "addition",
 }
 }
diff --git a/assets/queries/terraform/alicloud/rds_instance_tde_status_disable/query.rego b/assets/queries/terraform/alicloud/rds_instance_tde_status_disable/query.rego
index 13a91157ecc..f41d9f6ab82 100644
--- a/assets/queries/terraform/alicloud/rds_instance_tde_status_disable/query.rego
+++ b/assets/queries/terraform/alicloud/rds_instance_tde_status_disable/query.rego
@@ -22,6 +22,11 @@ CxPolicy[result] {
 "keyExpectedValue": "'tde_status' value should be 'Enabled'",
 "keyActualValue": "'tde_status' value is set to 'Disabled'",
 "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name, "tde_status"], []),
+ "remediation": json.marshal({
+ "before": "Disabled",
+ "after": "Enabled"
+ }),
+ "remediationType": "replacement",
 }
 }
@@ -41,6 +46,8 @@ CxPolicy[result] {
 "keyExpectedValue": "'tde_status' value should be 'Enabled'",
 "keyActualValue": "'tde_status' is not declared",
 "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name], []),
+ "remediation": "tde_status = \"Enabled\"",
+ "remediationType": "addition",
 }
 }
@@ -60,6 +67,11 @@ CxPolicy[result] {
 "keyExpectedValue": "'tde_status' value should be 'Enabled'",
 "keyActualValue": "'tde_status' value is set to 'Disabled'",
 "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name, "tde_status"], []),
+ "remediation": json.marshal({
+ "before": "Disabled",
+ "after": "Enabled"
+ }),
+ "remediationType": "replacement",
 }
 }
@@ -79,6 +91,8 @@ CxPolicy[result] {
 "keyExpectedValue": "'tde_status' value should be 'Enabled'",
 "keyActualValue": "'tde_status' is not declared",
 "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name], []),
+ "remediation": "tde_status = \"Enabled\"",
+ "remediationType": "addition",
 }
 }
diff --git a/assets/queries/terraform/alicloud/ros_stack_retention_disabled/query.rego b/assets/queries/terraform/alicloud/ros_stack_retention_disabled/query.rego
index cc76b1b072c..7e8a1913ffd 100644
--- a/assets/queries/terraform/alicloud/ros_stack_retention_disabled/query.rego
+++ b/assets/queries/terraform/alicloud/ros_stack_retention_disabled/query.rego
@@ -17,6 +17,8 @@ CxPolicy[result] {
 "keyExpectedValue": sprintf("alicloud_ros_stack_instance[%s].retain_stacks should be defined and not null", [name]),
 "keyActualValue": sprintf("alicloud_ros_stack_instance[%s].retain_stacks is undefined", [name]),
 "searchLine": common_lib.build_search_line(["resource", "alicloud_ros_stack_instance", name], []),
+ "remediation": "retain_stacks = true",
+ "remediationType": "addition",
 }
 }
@@ -34,5 +36,10 @@ CxPolicy[result] {
 "keyExpectedValue": sprintf("alicloud_ros_stack_instance[%s].retain_stacks should be true ", [name]),
 "keyActualValue": sprintf("alicloud_ros_stack_instance[%s].retain_stacks is false", [name]),
 "searchLine": common_lib.build_search_line(["resource", "alicloud_ros_stack_instance", name, "retain_stacks"], []),
+ "remediation": json.marshal({
+ "before": "false",
+ "after": "true"
+ }),
+ "remediationType": "replacement",
 }
 }