package msk
import (
"github.com/aquasecurity/defsec/pkg/providers/aws/msk"
"github.com/aquasecurity/defsec/pkg/terraform"
defsecTypes "github.com/aquasecurity/defsec/pkg/types"
)
// Adapt converts every aws_msk_cluster resource found in the given Terraform
// modules into the defsec MSK provider model.
func Adapt(modules terraform.Modules) msk.MSK {
	clusters := adaptClusters(modules)
	return msk.MSK{Clusters: clusters}
}
// adaptClusters walks all modules and adapts each aws_msk_cluster resource it
// finds, in module order. The result is nil when no such resource exists.
func adaptClusters(modules terraform.Modules) []msk.Cluster {
	var out []msk.Cluster
	for _, mod := range modules {
		resources := mod.GetResourcesByType("aws_msk_cluster")
		for _, res := range resources {
			out = append(out, adaptCluster(res))
		}
	}
	return out
}
// adaptCluster builds an msk.Cluster from a single aws_msk_cluster resource
// block. Every field starts from a default anchored to the resource's own
// metadata (see defaultCluster) and is then overridden by whatever the
// encryption_info and logging_info blocks explicitly set. Defaults that are
// never overridden therefore carry the resource metadata, which lets checks
// report the resource itself when a setting was left implicit.
func adaptCluster(resource *terraform.Block) msk.Cluster {
	cluster := defaultCluster(resource)
	adaptEncryption(resource, &cluster)
	adaptLogging(resource, &cluster)
	return cluster
}

// defaultCluster returns the cluster model as it looks before any nested block
// is inspected: client/broker traffic is modelled as TLS_PLAINTEXT, encryption
// at rest as disabled with no KMS key, and every broker log sink as disabled.
//
// NOTE(review): when encryption_in_transit is present but client_broker is
// omitted, the fallback used by adaptEncryption is "TLS", whereas the fallback
// here for a missing block is "TLS_PLAINTEXT" — confirm that asymmetry is
// intentional, since it decides whether an unconfigured cluster is reported
// as allowing plaintext.
func defaultCluster(resource *terraform.Block) msk.Cluster {
	meta := resource.GetMetadata()
	transit := msk.EncryptionInTransit{
		Metadata:     meta,
		ClientBroker: defsecTypes.StringDefault("TLS_PLAINTEXT", meta),
	}
	atRest := msk.EncryptionAtRest{
		Metadata:  meta,
		KMSKeyARN: defsecTypes.StringDefault("", meta),
		Enabled:   defsecTypes.BoolDefault(false, meta),
	}
	broker := msk.BrokerLogging{
		Metadata:   meta,
		S3:         msk.S3Logging{Metadata: meta, Enabled: defsecTypes.BoolDefault(false, meta)},
		Cloudwatch: msk.CloudwatchLogging{Metadata: meta, Enabled: defsecTypes.BoolDefault(false, meta)},
		Firehose:   msk.FirehoseLogging{Metadata: meta, Enabled: defsecTypes.BoolDefault(false, meta)},
	}
	return msk.Cluster{
		Metadata:            meta,
		EncryptionInTransit: transit,
		EncryptionAtRest:    atRest,
		Logging:             msk.Logging{Metadata: meta, Broker: broker},
	}
}

// adaptEncryption applies the encryption_info block, if present, to cluster.
// Encryption at rest is only marked enabled when an explicit
// encryption_at_rest_kms_key_arn attribute is set; a resource that relies on
// the provider's own at-rest default is left at the disabled default.
func adaptEncryption(resource *terraform.Block, cluster *msk.Cluster) {
	encryptBlock := resource.GetBlock("encryption_info")
	if encryptBlock.IsNil() {
		return
	}

	if transit := encryptBlock.GetBlock("encryption_in_transit"); transit.IsNotNil() {
		cluster.EncryptionInTransit.Metadata = transit.GetMetadata()
		// An explicit client_broker value wins; an unparsable one falls back to TLS.
		if attr := transit.GetAttribute("client_broker"); attr.IsNotNil() {
			cluster.EncryptionInTransit.ClientBroker = attr.AsStringValueOrDefault("TLS", transit)
		}
	}

	if kmsAttr := encryptBlock.GetAttribute("encryption_at_rest_kms_key_arn"); kmsAttr.IsNotNil() {
		cluster.EncryptionAtRest.Metadata = kmsAttr.GetMetadata()
		cluster.EncryptionAtRest.KMSKeyARN = kmsAttr.AsStringValueOrDefault("", encryptBlock)
		cluster.EncryptionAtRest.Enabled = defsecTypes.Bool(true, kmsAttr.GetMetadata())
	}
}

// adaptLogging applies the logging_info.broker_logs block, if present, to
// cluster. Each sink (s3, cloudwatch_logs, firehose) is read independently and
// its "enabled" attribute defaults to false when absent.
func adaptLogging(resource *terraform.Block, cluster *msk.Cluster) {
	logBlock := resource.GetBlock("logging_info")
	if logBlock.IsNil() {
		return
	}
	cluster.Logging.Metadata = logBlock.GetMetadata()

	brokerLogs := logBlock.GetBlock("broker_logs")
	if brokerLogs.IsNil() {
		return
	}
	cluster.Logging.Broker.Metadata = brokerLogs.GetMetadata()

	// HasChild is checked before GetBlock for s3 only; the other two sinks rely
	// on GetBlock's nil result alone. Kept as-is to preserve existing behaviour.
	if brokerLogs.HasChild("s3") {
		if s3 := brokerLogs.GetBlock("s3"); s3.IsNotNil() {
			enabled := s3.GetAttribute("enabled")
			cluster.Logging.Broker.S3.Metadata = s3.GetMetadata()
			cluster.Logging.Broker.S3.Enabled = enabled.AsBoolValueOrDefault(false, s3)
		}
	}

	if cw := brokerLogs.GetBlock("cloudwatch_logs"); cw.IsNotNil() {
		enabled := cw.GetAttribute("enabled")
		cluster.Logging.Broker.Cloudwatch.Metadata = cw.GetMetadata()
		cluster.Logging.Broker.Cloudwatch.Enabled = enabled.AsBoolValueOrDefault(false, cw)
	}

	if fh := brokerLogs.GetBlock("firehose"); fh.IsNotNil() {
		enabled := fh.GetAttribute("enabled")
		cluster.Logging.Broker.Firehose.Metadata = fh.GetMetadata()
		cluster.Logging.Broker.Firehose.Enabled = enabled.AsBoolValueOrDefault(false, fh)
	}
}