Merge branch 'master' into google-user-iam-grants

README.md

@@ -157,6 +157,12 @@ there are also checks which are provider agnostic.
 | AWS023  | aws      | ECR repository has image scans disabled
 | AWS024  | aws      | Kinesis stream is unencrypted
 | AWS025  | aws      | API Gateway domain name uses outdated SSL/TLS protocols.
+| AWS031  | aws      | Elasticsearch domain isn't encrypted at rest.
+| AWS032  | aws      | Elasticsearch domain uses plaintext traffic for node to node communication.
+| AWS033  | aws      | Elasticsearch doesn't enforce HTTPS traffic.
+| AWS034  | aws      | Elasticsearch domain endpoint is using outdated TLS policy.
+| AWS035  | aws      | Unencrypted Elasticache Replication Group.
+| AWS036  | aws      | Elasticache Replication Group uses unencrypted traffic.
 | AZU001  | azurerm  | An inbound network security rule allows traffic from `/0`.
 | AZU002  | azurerm  | An outbound network security rule allows traffic to `/0`.
 | AZU003  | azurerm  | Unencrypted managed disk.

cmd/tfsec/main.go

@@ -148,6 +148,8 @@ func getFormatter() (formatters.Formatter, error) {
 		return formatters.FormatCheckStyle, nil
 	case "junit":
 		return formatters.FormatJUnit, nil
+	case "text":
+		return formatters.FormatText, nil
 	default:
 		return nil, fmt.Errorf("invalid format specified: '%s'", format)
 	}

internal/app/tfsec/aws_cloudfront_outdated_protocol_test.go

@@ -32,12 +32,12 @@ resource "aws_cloudfront_distribution" "s3_distribution" {
 			mustIncludeResultCode: checks.AWSCloudFrontOutdatedProtocol,
 		},
 		{
-			name: "check TLSv1.2_2018 not used",
+			name: "check TLSv1.2_2019 not used",
 			source: `
 resource "aws_cloudfront_distribution" "s3_distribution" {
   viewer_certificate {
     cloudfront_default_certificate = true
-	minimum_protocol_version = "TLSv1.1_2016"
+	minimum_protocol_version = "TLSv1.2_2018"
   }
 }`,
 			mustIncludeResultCode: checks.AWSCloudFrontOutdatedProtocol,

internal/app/tfsec/aws_outdated_tls_policy_elasticsearch_domain_endpoint_test.go

@@ -0,0 +1,74 @@
+package tfsec
+
+import (
+	"testing"
+
+	"github.com/liamg/tfsec/internal/app/tfsec/scanner"
+
+	"github.com/liamg/tfsec/internal/app/tfsec/checks"
+)
+
+func Test_AWSOutdatedTLSPolicyElasticsearchDomainEndpoint(t *testing.T) {
+
+	var tests = []struct {
+		name                  string
+		source                string
+		mustIncludeResultCode scanner.RuleID
+		mustExcludeResultCode scanner.RuleID
+	}{
+		{
+			name: "check no domain_endpoint_options aws_elasticsearch_domain",
+			source: `
+resource "aws_elasticsearch_domain" "my_elasticsearch_domain" {
+	
+}`,
+			mustExcludeResultCode: checks.AWSOutdatedTLSPolicyElasticsearchDomainEndpoint,
+		},
+		{
+			name: "check tls_security_policy for aws_elasticsearch_domain isn't the default",
+			source: `
+resource "aws_elasticsearch_domain" "my_elasticsearch_domain" {
+  domain_name = "domain-foo"
+
+  domain_endpoint_options {
+    enforce_https = true
+  }
+}`,
+			mustIncludeResultCode: checks.AWSOutdatedTLSPolicyElasticsearchDomainEndpoint,
+		},
+		{
+			name: "check tls_security_policy isn't set to TLsv1.0 for aws_elasticsearch_domain",
+			source: `
+resource "aws_elasticsearch_domain" "my_elasticsearch_domain" {
+  domain_name = "domain-foo"
+
+  domain_endpoint_options {
+    enforce_https = true
+    tls_security_policy = "Policy-Min-TLS-1-0-2019-07"
+  }
+}`,
+			mustIncludeResultCode: checks.AWSOutdatedTLSPolicyElasticsearchDomainEndpoint,
+		},
+		{
+			name: "check tls_security_policy is set to TLSv1.2 for aws_elasticsearch_domain",
+			source: `
+resource "aws_elasticsearch_domain" "my_elasticsearch_domain" {
+  domain_name = "domain-foo"
+
+  domain_endpoint_options {
+    enforce_https = true
+    tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
+  }
+}`,
+			mustExcludeResultCode: checks.AWSOutdatedTLSPolicyElasticsearchDomainEndpoint,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			results := scanSource(test.source)
+			assertCheckCode(t, test.mustIncludeResultCode, test.mustExcludeResultCode, results)
+		})
+	}
+
+}

internal/app/tfsec/aws_plaintext_node_to_node_elasticsearch_traffic_test.go

@@ -0,0 +1,60 @@
+package tfsec
+
+import (
+	"testing"
+
+	"github.com/liamg/tfsec/internal/app/tfsec/scanner"
+
+	"github.com/liamg/tfsec/internal/app/tfsec/checks"
+)
+
+func Test_AWSPlaintextNodeToNodeElasticsearchTraffic(t *testing.T) {
+
+	var tests = []struct {
+		name                  string
+		source                string
+		mustIncludeResultCode scanner.RuleID
+		mustExcludeResultCode scanner.RuleID
+	}{
+		{
+			name: "check no node_to_node_encryption block aws_elasticsearch_domain",
+			source: `
+resource "aws_elasticsearch_domain" "my_elasticsearch_domain" {
+	
+}`,
+			mustIncludeResultCode: checks.AWSPlaintextNodeToNodeElasticsearchTraffic,
+		},
+		{
+			name: "check false enabled attr aws_elasticsearch_domain",
+			source: `
+resource "aws_elasticsearch_domain" "my_elasticsearch_domain" {
+  domain_name = "domain-foo"
+
+  node_to_node_encryption {
+    enabled = false
+  }
+}`,
+			mustIncludeResultCode: checks.AWSPlaintextNodeToNodeElasticsearchTraffic,
+		},
+		{
+			name: "check true enabled attr aws_elasticsearch_domain",
+			source: `
+resource "aws_elasticsearch_domain" "my_elasticsearch_domain" {
+  domain_name = "domain-foo"
+
+  node_to_node_encryption {
+    enabled = true
+  }
+}`,
+			mustExcludeResultCode: checks.AWSPlaintextNodeToNodeElasticsearchTraffic,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			results := scanSource(test.source)
+			assertCheckCode(t, test.mustIncludeResultCode, test.mustExcludeResultCode, results)
+		})
+	}
+
+}

internal/app/tfsec/aws_unencrypted_at_rest_elasticache_replication_group_test.go

@@ -0,0 +1,47 @@
+package tfsec
+
+import (
+	"testing"
+
+	"github.com/liamg/tfsec/internal/app/tfsec/scanner"
+
+	"github.com/liamg/tfsec/internal/app/tfsec/checks"
+)
+
+func Test_AWSUnencryptedAtRestElasticacheReplicationGroup(t *testing.T) {
+	var tests = []struct {
+		name                  string
+		source                string
+		mustIncludeResultCode scanner.RuleID
+		mustExcludeResultCode scanner.RuleID
+	}{
+		{
+			name: "check aws_elasticache_replication_group missing at_rest_encryption_enabled",
+			source: `
+resource "aws_elasticache_replication_group" "my-resource" {
+        replication_group_id = "foo"
+        replication_group_description = "my foo cluster"
+}`,
+			mustIncludeResultCode: checks.AWSUnencryptedAtRestElasticacheReplicationGroup,
+		},
+		{
+			name: "check aws_elasticache_replication_group with at_rest_encryption_enabled",
+			source: `
+resource "aws_elasticache_replication_group" "my-resource" {
+        replication_group_id = "foo"
+        replication_group_description = "my foo cluster"
+
+        at_rest_encryption_enabled = true
+}`,
+			mustExcludeResultCode: checks.AWSUnencryptedAtRestElasticacheReplicationGroup,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			results := scanSource(test.source)
+			assertCheckCode(t, test.mustIncludeResultCode, test.mustExcludeResultCode, results)
+		})
+	}
+
+}

internal/app/tfsec/aws_unencrypted_elasticearch_domain_test.go

@@ -0,0 +1,58 @@
+package tfsec
+
+import (
+	"testing"
+
+	"github.com/liamg/tfsec/internal/app/tfsec/scanner"
+
+	"github.com/liamg/tfsec/internal/app/tfsec/checks"
+)
+
+func TestAWSUnencryptedElasticsearchDomain(t *testing.T) {
+
+	var tests = []struct {
+		name                  string
+		source                string
+		mustIncludeResultCode scanner.RuleID
+		mustExcludeResultCode scanner.RuleID
+	}{
+		{
+			name: "check no encrypt_at_rest block aws_elasticsearch_domain",
+			source: `
+resource "aws_elasticsearch_domain" "my_elasticsearch_domain" {
+	
+}`,
+			mustIncludeResultCode: checks.AWSUnencryptedElasticsearchDomain,
+		},
+		{
+			name: "check false enabled attr aws_elasticsearch_domain",
+			source: `
+resource "aws_elasticsearch_domain" "my_elasticsearch_domain" {
+  domain_name = "domain-foo"
+
+  encrypt_at_rest { }
+}`,
+			mustIncludeResultCode: checks.AWSUnencryptedElasticsearchDomain,
+		},
+		{
+			name: "check true enabled attr aws_elasticsearch_domain",
+			source: `
+resource "aws_elasticsearch_domain" "my_elasticsearch_domain" {
+  domain_name = "domain-foo"
+
+  encrypt_at_rest {
+    enabled = true
+  }
+}`,
+			mustExcludeResultCode: checks.AWSUnencryptedElasticsearchDomain,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			results := scanSource(test.source)
+			assertCheckCode(t, test.mustIncludeResultCode, test.mustExcludeResultCode, results)
+		})
+	}
+
+}

internal/app/tfsec/aws_unencrypted_in_transit_elasticache_replication_group_test.go

@@ -0,0 +1,47 @@
+package tfsec
+
+import (
+	"testing"
+
+	"github.com/liamg/tfsec/internal/app/tfsec/scanner"
+
+	"github.com/liamg/tfsec/internal/app/tfsec/checks"
+)
+
+func Test_AWSUnencryptedInTransitElasticacheReplicationGroup(t *testing.T) {
+	var tests = []struct {
+		name                  string
+		source                string
+		mustIncludeResultCode scanner.RuleID
+		mustExcludeResultCode scanner.RuleID
+	}{
+		{
+			name: "check aws_elasticache_replication_group missing transit_encryption_enabled",
+			source: `
+resource "aws_elasticache_replication_group" "my-resource" {
+        replication_group_id = "foo"
+        replication_group_description = "my foo cluster"
+}`,
+			mustIncludeResultCode: checks.AWSUnencryptedInTransitElasticacheReplicationGroup,
+		},
+		{
+			name: "check aws_elasticache_replication_group with transit_encryption_enabled",
+			source: `
+resource "aws_elasticache_replication_group" "my-resource" {
+        replication_group_id = "foo"
+        replication_group_description = "my foo cluster"
+
+        transit_encryption_enabled = true
+}`,
+			mustExcludeResultCode: checks.AWSUnencryptedInTransitElasticacheReplicationGroup,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			results := scanSource(test.source)
+			assertCheckCode(t, test.mustIncludeResultCode, test.mustExcludeResultCode, results)
+		})
+	}
+
+}

internal/app/tfsec/aws_unenforced_https_elasticsearch_domain_endpoint_test.go

@@ -0,0 +1,60 @@
+package tfsec
+
+import (
+	"testing"
+
+	"github.com/liamg/tfsec/internal/app/tfsec/scanner"
+
+	"github.com/liamg/tfsec/internal/app/tfsec/checks"
+)
+
+func Test_AWSUnenforcedHTTPSElasticsearchDomainEndpoint(t *testing.T) {
+
+	var tests = []struct {
+		name                  string
+		source                string
+		mustIncludeResultCode scanner.RuleID
+		mustExcludeResultCode scanner.RuleID
+	}{
+		{
+			name: "check no  domain_endpoint_options aws_elasticsearch_domain",
+			source: `
+resource "aws_elasticsearch_domain" "my_elasticsearch_domain" {
+	
+}`,
+			mustIncludeResultCode: checks.AWSUnenforcedHTTPSElasticsearchDomainEndpoint,
+		},
+		{
+			name: "check false enforce_https attr aws_elasticsearch_domain",
+			source: `
+resource "aws_elasticsearch_domain" "my_elasticsearch_domain" {
+  domain_name = "domain-foo"
+
+  domain_endpoint_options {
+    enforce_https = false
+  }
+}`,
+			mustIncludeResultCode: checks.AWSUnenforcedHTTPSElasticsearchDomainEndpoint,
+		},
+		{
+			name: "check true enforce_https aws_elasticsearch_domain",
+			source: `
+resource "aws_elasticsearch_domain" "my_elasticsearch_domain" {
+  domain_name = "domain-foo"
+
+  domain_endpoint_options {
+    enforce_https = true
+  }
+}`,
+			mustExcludeResultCode: checks.AWSUnenforcedHTTPSElasticsearchDomainEndpoint,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			results := scanSource(test.source)
+			assertCheckCode(t, test.mustIncludeResultCode, test.mustExcludeResultCode, results)
+		})
+	}
+
+}