feat(knative&crossplane): add support to knative and crossplane (#5634)

* stage * add constants and change tests * crossplane aws queries * add crossplane azure queries * crossplane gcp queires * update * build(deps): bump github.com/BurntSushi/toml from 1.1.0 to 1.2.0 (#5627) Bumps [github.com/BurntSushi/toml](https://github.com/BurntSushi/toml) from 1.1.0 to 1.2.0. - [Release notes](https://github.com/BurntSushi/toml/releases) - [Commits](BurntSushi/toml@v1.1.0...v1.2.0) --- updated-dependencies: - dependency-name: github.com/BurntSushi/toml dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump github.com/aws/aws-sdk-go from 1.44.58 to 1.44.59 (#5628) Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.58 to 1.44.59. - [Release notes](https://github.com/aws/aws-sdk-go/releases) - [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md) - [Commits](aws/aws-sdk-go@v1.44.58...v1.44.59) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * docs(kicsbot): update images digest (#5629) * fix(detector): fixed memory leak (#5626) Co-authored-by: João Reigota <joao.reigota@checkmarx.com> Co-authored-by: Rafaela Soares <rafaelamsoaressilva@gmail.com> * add check for apiVersion * fix type bug * delete crossplane demo file * update github actions * delete knative folder and change regex expressions * update regex * update parser supported types * push changes * update metrics and main_test.go * change queries to use rego walk function * RDS Instance * update changes * add changes * change package-lock * package lock changes * package lock * add getPath to crossplane lib * correct typos and metadata info * correction Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: kicsbot <76819998+kicsbot@users.noreply.github.com> Co-authored-by: Rafaela Soares <rafaela.soares@checkmarx.com> Co-authored-by: João Reigota <joao.reigota@checkmarx.com> Co-authored-by: Rafaela Soares <rafaelamsoaressilva@gmail.com>
Checkmarx · Jul 28, 2022 · fbfa9e5 · fbfa9e5
1 parent 04c442b
commit fbfa9e5
Show file tree

Hide file tree

Showing 141 changed files with 3,048 additions and 97 deletions.
diff --git a/.github/scripts/metrics/get_metrics.py b/.github/scripts/metrics/get_metrics.py
@@ -11,7 +11,9 @@
     'azureresourcemanager': os.path.join(queries_basepath, 'azureResourceManager', '*'),
     'cloudformation': os.path.join(queries_basepath, 'cloudFormation', '**', '*'),
     'openapi': os.path.join(queries_basepath, 'openAPI', '**', '*'),
+    'crossplane': os.path.join(queries_basepath, 'crossplane', '*'),
     'k8s': os.path.join(queries_basepath, 'k8s', '*'),
+    #'knative': os.path.join(queries_basepath, 'knative', '*'),
     'common': os.path.join(queries_basepath, 'common', '*'),
     'dockerfile': os.path.join(queries_basepath, 'dockerfile', '*'),
     'terraform': os.path.join(queries_basepath, 'terraform', '**', '*'),
@@ -22,8 +24,10 @@
 samples_ext = {
     'azureresourcemanager': ['json'],
     'cloudformation': ['yaml', 'json'],
+    'crossplane': ['yaml'],
     'openapi': ['yaml', 'json'],
     'ansible': ['yaml'],
+    'knative': ['yaml'],
     'k8s': ['yaml'],
     'common': ['yaml', 'json', 'dockerfile', 'tf'],
     'dockerfile': ['dockerfile'],

diff --git a/.github/scripts/queries-validator/metadata-schema.json b/.github/scripts/queries-validator/metadata-schema.json
@@ -86,11 +86,13 @@
                 "AzureResourceManager",
                 "Buildah",
                 "CloudFormation",
+                "Crossplane",
                 "Common",
                 "Dockerfile",
                 "DockerCompose",
                 "GRPC",
                 "GoogleDeploymentManager",
+                "Knative",
                 "Kubernetes",
                 "OpenAPI",
                 "Terraform"

diff --git a/assets/libraries/common.rego b/assets/libraries/common.rego
diff --git a/assets/libraries/crossplane.rego b/assets/libraries/crossplane.rego
@@ -0,0 +1,13 @@
+package generic.crossplane
+
+import data.generic.common as common_lib
+
+getPath(path) = result {
+	count(path) > 0
+	path_string := common_lib.concat_path(path)
+	out := array.concat([path_string], ["."])
+	result := concat("", out)
+} else = result {
+	count(path) == 0
+	result := ""
+}
diff --git a/assets/queries/ansible/aws/cloudfront_logging_disabled/metadata.json b/assets/queries/ansible/aws/cloudfront_logging_disabled/metadata.json
@@ -1,9 +1,9 @@
 {
   "id": "d31cb911-bf5b-4eb6-9fc3-16780c77c7bd",
-  "queryName": "Cloudfront Logging Disabled",
+  "queryName": "CloudFront Logging Disabled",
   "severity": "MEDIUM",
   "category": "Observability",
-  "descriptionText": "AWS Cloudfront distributions must have logging enabled, which means the attribute 'logging' must be defined with 'enabled' set to true",
+  "descriptionText": "AWS CloudFront distributions must have logging enabled, which means the attribute 'logging' must be defined with 'enabled' set to true",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html",
   "platform": "Ansible",
   "descriptionID": "1bfc2dfd",

diff --git a/assets/queries/ansible/aws/cloudfront_logging_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudfront_logging_disabled/test/positive_expected_result.json
@@ -1,11 +1,11 @@
 [
   {
-    "queryName": "Cloudfront Logging Disabled",
+    "queryName": "CloudFront Logging Disabled",
     "severity": "MEDIUM",
     "line": 2
   },
   {
-    "queryName": "Cloudfront Logging Disabled",
+    "queryName": "CloudFront Logging Disabled",
     "severity": "MEDIUM",
     "line": 62
   }

diff --git a/assets/queries/ansible/aws/cloudfront_without_waf/metadata.json b/assets/queries/ansible/aws/cloudfront_without_waf/metadata.json
@@ -1,6 +1,6 @@
 {
   "id": "22c80725-e390-4055-8d14-a872230f6607",
-  "queryName": "Cloudfront Without WAF",
+  "queryName": "CloudFront Without WAF",
   "severity": "LOW",
   "category": "Networking and Firewall",
   "descriptionText": "All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service",

diff --git a/assets/queries/ansible/aws/cloudfront_without_waf/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudfront_without_waf/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 	{
-		"queryName": "Cloudfront Without WAF",
+		"queryName": "CloudFront Without WAF",
 		"severity": "LOW",
 		"line": 2
 	}

diff --git a/assets/queries/ansible/aws/db_instance_storage_not_encrypted/metadata.json b/assets/queries/ansible/aws/db_instance_storage_not_encrypted/metadata.json
@@ -3,7 +3,7 @@
   "queryName": "DB Instance Storage Not Encrypted",
   "severity": "HIGH",
   "category": "Encryption",
-  "descriptionText": "The parameter storage_encrypted in aws_db_instance must be set to 'true' (the default is 'false').",
+  "descriptionText": "AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html",
   "platform": "Ansible",
   "descriptionID": "575cc1f4",

diff --git a/assets/queries/ansible/aws/elb_using_weak_ciphers/query.rego b/assets/queries/ansible/aws/elb_using_weak_ciphers/query.rego
diff --git a/assets/queries/ansible/aws/sqs_with_sse_disabled/metadata.json b/assets/queries/ansible/aws/sqs_with_sse_disabled/metadata.json
@@ -3,7 +3,7 @@
   "queryName": "SQS with SSE disabled",
   "severity": "MEDIUM",
   "category": "Encryption",
-  "descriptionText": "Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)",
+  "descriptionText": "Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/sqs_queue_module.html#ansible-collections-community-aws-sqs-queue-module",
   "platform": "Ansible",
   "descriptionID": "7825cf30",

diff --git a/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/metadata.json b/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/metadata.json
@@ -3,7 +3,7 @@
   "queryName": "Redis Cache Allows Non SSL Connections",
   "severity": "MEDIUM",
   "category": "Insecure Configurations",
-  "descriptionText": "Check if any Redis Cache resource allows non-SSL connections.",
+  "descriptionText": "Redis Cache resource should not allow non-SSL connections.",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_rediscache_module.html",
   "platform": "Ansible",
   "descriptionID": "31e56819",

diff --git a/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json b/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/metadata.json
@@ -3,7 +3,7 @@
   "queryName": "Cloud Storage Bucket Logging Not Enabled",
   "severity": "HIGH",
   "category": "Observability",
-  "descriptionText": "Cloud storage bucket with logging not enabled",
+  "descriptionText": "Cloud storage bucket should have logging enabled",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_storage_bucket_module.html#parameter-logging",
   "platform": "Ansible",
   "descriptionID": "ba5af65f",

diff --git a/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/metadata.json b/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/metadata.json
@@ -3,7 +3,7 @@
   "queryName": "Google Container Node Pool Auto Repair Disabled",
   "severity": "MEDIUM",
   "category": "Insecure Configurations",
-  "descriptionText": "Verifies if Google Container Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.",
+  "descriptionText": "Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_node_pool_module.html",
   "platform": "Ansible",
   "descriptionID": "14cf26ed",

diff --git a/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/metadata.json b/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/metadata.json
@@ -3,7 +3,7 @@
   "queryName": "CloudFront Logging Disabled",
   "severity": "MEDIUM",
   "category": "Observability",
-  "descriptionText": "AWS Cloudfront distributions must have logging enabled, which means the attribute 'DistributionConfig.Logging' must be defined",
+  "descriptionText": "AWS CloudFront distributions must have logging enabled, which means the attribute 'DistributionConfig.Logging' must be defined",
   "descriptionUrl": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/logging-and-monitoring.html",
   "platform": "CloudFormation",
   "descriptionID": "3254d6d0",

diff --git a/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/query.rego b/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/query.rego
@@ -1,13 +1,14 @@
 package Cx
 
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 
 CxPolicy[result] {
 	resource := input.document[i].Resources[name]
 	resource.Type == "AWS::CloudFront::Distribution"
 
 	distributionConfig := resource.Properties.DistributionConfig
+	not cf_lib.isCloudFormationFalse(distributionConfig.Enabled)
 	not common_lib.valid_key(distributionConfig, "Logging")
 
 	result := {
@@ -26,6 +27,7 @@ CxPolicy[result] {
 	resource.Type == "AWS::CloudFront::Distribution"
 
 	distributionConfig := resource.Properties.DistributionConfig
+	not cf_lib.isCloudFormationFalse(distributionConfig.Enabled)
 
 	bucketCorrect := resource.Properties.DistributionConfig.Logging.Bucket
 	endswith(bucketCorrect, ".s3.amazonaws.com") == false

diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/query.rego b/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/query.rego
@@ -7,6 +7,7 @@ CxPolicy[result] {
 	resource := input.document[i].Resources[name]
 	resource.Type == "AWS::CloudFront::Distribution"
 	properties := resource.Properties
+	not cf_lib.isCloudFormationFalse(properties.DistributionConfig.Enabled)
 	not common_lib.valid_key(properties.DistributionConfig, "ViewerCertificate")
 
 	result := {
@@ -26,6 +27,7 @@ CxPolicy[result] {
 	resource.Type == "AWS::CloudFront::Distribution"
 	properties := resource.Properties
 	protocolVer := properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion
+	not cf_lib.isCloudFormationFalse(properties.DistributionConfig.Enabled)
 	not common_lib.is_recommended_tls(protocolVer)
 
 	result := {

diff --git a/...ueries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive1.yaml b/...ueries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive1.yaml
@@ -4,6 +4,7 @@ Resources:
     Type: AWS::CloudFront::Distribution
     Properties:
       DistributionConfig:
+        Enabled: true
         CacheBehaviors:
           - LambdaFunctionAssociations:
               - EventType: string-value
@@ -30,6 +31,7 @@ Resources:
     Type: AWS::CloudFront::Distribution
     Properties:
       DistributionConfig:
+        Enabled: true
         CacheBehaviors:
           - LambdaFunctionAssociations:
               - EventType: string-value

diff --git a/...ueries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive2.json b/...ueries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive2.json
@@ -5,6 +5,7 @@
       "Type": "AWS::CloudFront::Distribution",
       "Properties": {
         "DistributionConfig": {
+          "Enabled": true,
           "ViewerCertificate": {
             "IamCertificateId": "String",
             "MinimumProtocolVersion": "TLSv1.1_2016",
@@ -52,6 +53,7 @@
       "Type": "AWS::CloudFront::Distribution",
       "Properties": {
         "DistributionConfig": {
+          "Enabled": true,
           "Origins": [
             {
               "CustomOriginConfig": {

diff --git a/...mation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json b/...mation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json
@@ -2,22 +2,22 @@
   {
     "queryName": "CloudFront Without Minimum Protocol TLS 1.2",
     "severity": "HIGH",
-    "line": 24
+    "line": 25
   },
   {
     "queryName": "CloudFront Without Minimum Protocol TLS 1.2",
     "severity": "HIGH",
-    "line": 32
+    "line": 33
   },
   {
-    "line": 54,
+    "line": 55,
     "fileName": "positive2.json",
     "queryName": "CloudFront Without Minimum Protocol TLS 1.2",
     "severity": "HIGH"
   },
   {
     "severity": "HIGH",
-    "line": 10,
+    "line": 11,
     "fileName": "positive2.json",
     "queryName": "CloudFront Without Minimum Protocol TLS 1.2"
   }

diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_waf/query.rego b/assets/queries/cloudFormation/aws/cloudfront_without_waf/query.rego
@@ -8,6 +8,7 @@ CxPolicy[result] {
 	resource.Type == "AWS::CloudFront::Distribution"
 	distributionConfig := resource.Properties.DistributionConfig
 
+	not cf_lib.isCloudFormationFalse(distributionConfig.Enabled)
 	not common_lib.valid_key(distributionConfig, "WebACLId")
 
 	result := {

diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/negative1.yaml b/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/negative1.yaml
@@ -4,6 +4,7 @@ Resources:
     Type: AWS::CloudFront::Distribution
     Properties:
       DistributionConfig:
+        Enabled: true
         CacheBehaviors:
           - LambdaFunctionAssociations:
               - EventType: string-value
@@ -20,4 +21,4 @@ Resources:
         WebACLId: string-value
       Tags:
         - Key: string-value
-          Value: string-value
+          Value: string-value
diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/negative2.json b/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/negative2.json
@@ -5,6 +5,7 @@
       "Type": "AWS::CloudFront::Distribution",
       "Properties": {
         "DistributionConfig": {
+          "Enabled": true,
           "CacheBehaviors": [
             {
               "LambdaFunctionAssociations": [

diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive1.yaml b/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive1.yaml
@@ -4,6 +4,7 @@ Resources:
     Type: AWS::CloudFront::Distribution
     Properties:
       DistributionConfig:
+        Enabled: true
         CacheBehaviors:
           - LambdaFunctionAssociations:
               - EventType: string-value
@@ -19,4 +20,4 @@ Resources:
               OriginReadTimeout: integer-value
       Tags:
         - Key: string-value
-          Value: string-value
+          Value: string-value
diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive2.json b/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive2.json
@@ -11,6 +11,7 @@
           }
         ],
         "DistributionConfig": {
+          "Enabled": true,
           "CacheBehaviors": [
             {
               "LambdaFunctionAssociations": [

diff --git a/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/metadata.json b/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/metadata.json
@@ -3,7 +3,7 @@
   "queryName": "SQS with SSE disabled",
   "severity": "MEDIUM",
   "category": "Encryption",
-  "descriptionText": "Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)",
+  "descriptionText": "Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)",
   "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html#aws-sqs-queue-kmsmasterkeyid",
   "platform": "CloudFormation",
   "descriptionID": "7c3c1b44",

diff --git a/assets/queries/crossplane/aws/cloudfront_logging_disabled/metadata.json b/assets/queries/crossplane/aws/cloudfront_logging_disabled/metadata.json
@@ -0,0 +1,11 @@
+{
+  "id": "7b590235-1ff4-421b-b9ff-5227134be9bb",
+  "queryName": "CloudFront Logging Disabled",
+  "severity": "MEDIUM",
+  "category": "Observability",
+  "descriptionText": "AWS CloudFront distributions must have logging enabled, which means the attribute 'logging' must be defined with 'enabled' set to true",
+  "descriptionUrl": "https://doc.crds.dev/github.com/crossplane/provider-aws/cloudfront.aws.crossplane.io/Distribution/v1alpha1@v0.29.0#spec-forProvider-distributionConfig-logging",
+  "platform": "Crossplane",
+  "descriptionID": "48cd0b5a",
+  "cloudProvider": "aws"
+}
diff --git a/assets/queries/crossplane/aws/cloudfront_logging_disabled/query.rego b/assets/queries/crossplane/aws/cloudfront_logging_disabled/query.rego
@@ -0,0 +1,70 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.crossplane as cp_lib
+
+CxPolicy[result] {
+	docs := input.document[i]
+	[path, resource] := walk(docs)
+	startswith(resource.apiVersion, "cloudfront.aws.crossplane.io")
+	resource.kind == "Distribution"
+	destribution_config := resource.spec.forProvider.distributionConfig
+	destribution_config.enabled == true
+
+	destribution_config.logging.enabled == false
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.kind,
+		"resourceName": resource.metadata.name,
+		"searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider.distributionConfig.logging.enabled", [cp_lib.getPath(path), resource.metadata.name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "CloudFront logging enabled attribute should be set to true",
+		"keyActualValue": "CloudFront logging enabled attribute is set to false",
+		"searchLine": common_lib.build_search_line(path, ["spec", "forProvider", "distributionConfig", "logging", "enabled"]),
+	}
+}
+
+CxPolicy[result] {
+	docs := input.document[i]
+	[path, resource] := walk(docs)
+	startswith(resource.apiVersion, "cloudfront.aws.crossplane.io")
+	resource.kind == "Distribution"
+	destribution_config := resource.spec.forProvider.distributionConfig
+	destribution_config.enabled == true
+
+	not common_lib.valid_key(destribution_config.logging, "enabled")
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.kind,
+		"resourceName": resource.metadata.name,
+		"searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider.distributionConfig.logging", [cp_lib.getPath(path), resource.metadata.name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": "CloudFront logging enabled attribute should be defined and set to true",
+		"keyActualValue": "CloudFront enable is not defined",
+		"searchLine": common_lib.build_search_line(path, ["spec", "forProvider", "distributionConfig", "logging"]),
+	}
+}
+
+CxPolicy[result] {
+	docs := input.document[i]
+	[path, resource] := walk(docs)
+	startswith(resource.apiVersion, "cloudfront.aws.crossplane.io")
+	resource.kind == "Distribution"
+	destribution_config := resource.spec.forProvider.distributionConfig
+	destribution_config.enabled == true
+
+	not common_lib.valid_key(destribution_config, "logging")
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.kind,
+		"resourceName": resource.metadata.name,
+		"searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider.distributionConfig", [cp_lib.getPath(path),resource.metadata.name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": "CloudFront logging enabled attribute should be defined and set to true",
+		"keyActualValue": "CloudFront logging is not defined",
+		"searchLine": common_lib.build_search_line(path, ["spec", "forProvider", "distributionConfig"]),
+	}
+}