package ignores
import (
"fmt"
"github.com/mightymarty/tfsec/internal/pkg/legacy"
"io/fs"
"io/ioutil"
"os"
"path/filepath"
"regexp"
"strings"
)
// migrationStatistic records one ignore-code rewrite performed by migrateFile:
// which file was touched and which legacy code was replaced by which new one.
type migrationStatistic struct {
	// Filename is the path passed to migrateFile (as given by the caller).
	Filename string
	// FromCode is the legacy short-form code that was found (e.g. a
	// three-letter, three-digit code matched by the ignore regex).
	FromCode string
	// ToCode is the replacement looked up in the rename table.
	ToCode string
}
type MigrationStatistics []*migrationStatistic
// renamedMap maps long-form check identifiers that were renamed to their
// current names. Several old identifiers may collapse onto the same new one
// (for example the general-secrets-* checks). Entries are grouped by provider.
var renamedMap = map[string]string{
	// AWS
	"aws-elastic-search-encrypt-replication-group": "aws-elasticache-enable-at-rest-encryption",
	"aws-elastic-service-enable-domain-encryption": "aws-elastic-search-enable-domain-encryption",
	"aws-elbv2-alb-not-public":                     "aws-elb-alb-not-public",
	"aws-elbv2-http-not-used":                      "aws-elb-http-not-used",
	"aws-rds-backup-retention-specified":           "aws-rds-specify-backup-retention",
	"aws-redshift-non-default-vpc-deployment":      "aws-redshift-use-vpc",
	"aws-workspace-enable-disk-encryption":         "aws-workspaces-enable-disk-encryption",

	// Azure
	"azure-appservice-enable-https-only":                             "azure-appservice-enforce-https",
	"azure-database-postgres-configuration-log-connection-throttling": "azure-database-postgres-configuration-connection-throttling",
	"azure-mssql-all-threat-alerts-enabled":                          "azure-database-all-threat-alerts-enabled",
	"azure-mssql-threat-alert-email-set":                             "azure-database-threat-alert-email-set",
	"azure-mssql-threat-alert-email-to-owner":                        "azure-database-threat-alert-email-to-owner",

	// DigitalOcean
	"digitalocean-droplet-use-ssh-keys":        "digitalocean-compute-use-ssh-keys",
	"digitalocean-loadbalancing-enforce-https": "digitalocean-compute-enforce-https",

	// Provider-agnostic secrets checks, all merged into one rule.
	"general-secrets-sensitive-in-attribute":       "general-secrets-no-plaintext-exposure",
	"general-secrets-sensitive-in-attribute-value": "general-secrets-no-plaintext-exposure",
	"general-secrets-sensitive-in-local":           "general-secrets-no-plaintext-exposure",
	"general-secrets-sensitive-in-variable":        "general-secrets-no-plaintext-exposure",

	// Google Cloud
	"google-compute-enable-shielded-vm":        "google-compute-enable-shielded-vm-im",
	"google-compute-no-plaintext-disk-keys":    "google-compute-disk-encryption-no-plaintext-key",
	"google-compute-no-plaintext-vm-disk-keys": "google-compute-disk-encryption-no-plaintext-key",
	"google-gke-no-legacy-auth":                "google-gke-no-legacy-authentication",
	"google-project-no-default-network":        "google-iam-no-default-network",

	// OpenStack
	"openstack-fw-no-public-access": "openstack-compute-no-public-access",
}
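// RunMigration rewrites legacy short-form tfsec ignore codes (for example
// "tfsec:ignore:AWS001") in the Terraform files under dir to their current
// identifiers. dir may be a directory, which is walked recursively, or a
// single file. It returns one entry per migrated occurrence; any stat, walk,
// read or write error aborts the run and is returned as-is.
func RunMigration(dir string) (MigrationStatistics, error) {
	// Merge the two rename tables into a private map. The previous
	// `legacyMappings := renamedMap` only aliased the package-level map, so
	// every call wrote legacy.IDs into shared state (a data race under
	// concurrent callers and a silent mutation of the package table).
	legacyMappings := make(map[string]string, len(renamedMap)+len(legacy.IDs))
	for from, to := range renamedMap {
		legacyMappings[from] = to
	}
	// legacy.IDs wins on duplicate keys, matching the original precedence.
	for from, to := range legacy.IDs {
		legacyMappings[from] = to
	}

	target, err := os.Stat(dir)
	if err != nil {
		return nil, err
	}

	// A single, explicitly named file is migrated directly. os.Stat has
	// already followed any symlink, so the caller's choice is honoured.
	if !target.IsDir() {
		return migrateFile(dir, legacyMappings)
	}

	var stats MigrationStatistics
	visit := func(path string, fsInfo fs.FileInfo, err error) error {
		if err != nil {
			return err
		}
		// filepath.Walk reports entries via Lstat, so a symlink arrives with
		// ModeSymlink set. Only regular files are rewritten: writing through
		// a link could modify a file outside dir.
		if !fsInfo.Mode().IsRegular() {
			return nil
		}
		fileStats, err := migrateFile(path, legacyMappings)
		if err != nil {
			return err
		}
		stats = append(stats, fileStats...)
		return nil
	}
	if err := filepath.Walk(dir, visit); err != nil {
		return nil, err
	}
	return stats, nil
}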
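// legacyIgnoreRegex matches a legacy short-form ignore directive such as
// "tfsec:ignore:AWS001". It is compiled once at package scope rather than on
// every call. The trailing \b keeps a six-character code from matching the
// prefix of a longer token (e.g. "AWS0011").
var legacyIgnoreRegex = regexp.MustCompile(`tfsec:ignore:([A-Z]{3}\d{3})\b`)

// migrateFile rewrites legacy ignore codes in a single Terraform file.
//
// Files without a .tf extension are skipped and yield (nil, nil). Every
// occurrence of "tfsec:ignore:<code>" whose code has an entry in legacyMapping
// is replaced in place with the new code and recorded as one statistic;
// unknown codes are left untouched. Only the ignore directive is rewritten —
// the bare code is not substituted elsewhere in the file, unlike the earlier
// strings.ReplaceAll, which would also have altered unrelated text that
// happened to contain the same six characters. The file is written back only
// when at least one directive changed, keeping its existing permission bits.
func migrateFile(file string, legacyMapping map[string]string) (MigrationStatistics, error) {
	fmt.Printf("Asked to migrate %s\n", file)
	if filepath.Ext(file) != ".tf" {
		return nil, nil
	}
	fmt.Printf("Running migrations for file: %s\n", file)

	// Stat first so the original mode can be preserved on write; the previous
	// fs.ModeAppend argument was not a permission value at all (it is ignored
	// for an existing file, but would be wrong if the file were created).
	info, err := os.Stat(file)
	if err != nil {
		return nil, err
	}
	content, err := ioutil.ReadFile(file)
	if err != nil {
		return nil, err
	}

	const prefix = "tfsec:ignore:"
	var stats MigrationStatistics
	migrated := legacyIgnoreRegex.ReplaceAllStringFunc(string(content), func(token string) string {
		legacyCode := strings.TrimPrefix(token, prefix)
		newCode, ok := legacyMapping[legacyCode]
		if !ok {
			return token
		}
		fmt.Printf("Found %s, migrating to %s\n", legacyCode, newCode)
		stats = append(stats, &migrationStatistic{
			Filename: file,
			FromCode: legacyCode,
			ToCode:   newCode,
		})
		return prefix + newCode
	})

	if len(stats) == 0 {
		// Nothing changed: leave the file (content, mode, mtime) untouched.
		return nil, nil
	}
	if err := ioutil.WriteFile(file, []byte(migrated), info.Mode().Perm()); err != nil {
		return nil, err
	}
	return stats, nil
}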