Add module name in violation summary for terraform scans (#774)

* add module name to resource config * add method to get child configs * fix failing tests
tenable · May 17, 2021 · cb2be19 · cb2be19
1 parent a3f26c1
commit cb2be19
Show file tree

Hide file tree

Showing 40 changed files with 435 additions and 240 deletions.
diff --git a/pkg/iac-providers/output/types.go b/pkg/iac-providers/output/types.go
@@ -24,13 +24,14 @@ import (
 
 // ResourceConfig describes a resource present in IaC
 type ResourceConfig struct {
-	ID       string      `json:"id"`
-	Name     string      `json:"name"`
-	Source   string      `json:"source"`
-	PlanRoot string      `json:"plan_root,omitempty" yaml:"plan_root,omitempty" `
-	Line     int         `json:"line"`
-	Type     string      `json:"type"`
-	Config   interface{} `json:"config"`
+	ID         string      `json:"id"`
+	Name       string      `json:"name"`
+	ModuleName string      `json:"module_name,omitempty" yaml:"module_name,omitempty"`
+	Source     string      `json:"source"`
+	PlanRoot   string      `json:"plan_root,omitempty" yaml:"plan_root,omitempty" `
+	Line       int         `json:"line"`
+	Type       string      `json:"type"`
+	Config     interface{} `json:"config"`
 	// SkipRules will hold the rules to be skipped for the resource.
 	// Each iac provider should append the rules to be skipped for a resource,
 	// while extracting resource from the iac files

diff --git a/pkg/iac-providers/terraform/commons/load-dir.go b/pkg/iac-providers/terraform/commons/load-dir.go
@@ -46,6 +46,7 @@ var (
 type ModuleConfig struct {
 	Config           *hclConfigs.Config
 	ParentModuleCall *hclConfigs.ModuleCall
+	Name             string
 }
 
 // TerraformDirectoryLoader implements terraform directory loading
@@ -136,7 +137,7 @@ func (t TerraformDirectoryLoader) loadDirRecursive(dirList []string) (output.All
 		*/
 
 		// queue of for BFS, add root module config to it
-		root := &ModuleConfig{Config: unified.Root}
+		root := &ModuleConfig{Config: unified.Root, Name: "root"}
 		configsQ := []*ModuleConfig{root}
 
 		// using BFS traverse through all modules in the unified config tree
@@ -160,6 +161,9 @@ func (t TerraformDirectoryLoader) loadDirRecursive(dirList []string) (output.All
 					continue
 				}
 
+				// set module name
+				resourceConfig.ModuleName = current.Name
+
 				// resolve references
 				resourceConfig.Config = r.ResolveRefs(resourceConfig.Config.(jsonObj))
 
@@ -193,13 +197,7 @@ func (t TerraformDirectoryLoader) loadDirRecursive(dirList []string) (output.All
 			}
 
 			// add all current's children to the queue
-			for childName, childModule := range current.Config.Children {
-				childModuleConfig := &ModuleConfig{
-					Config:           childModule,
-					ParentModuleCall: current.Config.Module.ModuleCalls[childName],
-				}
-				configsQ = append(configsQ, childModuleConfig)
-			}
+			configsQ = append(configsQ, current.getChildConfigs()...)
 		}
 	}
 
@@ -253,7 +251,7 @@ func (t TerraformDirectoryLoader) loadDirNonRecursive() (output.AllResourceConfi
 	*/
 
 	// queue of for BFS, add root module config to it
-	root := &ModuleConfig{Config: unified.Root}
+	root := &ModuleConfig{Config: unified.Root, Name: "root"}
 	configsQ := []*ModuleConfig{root}
 
 	// using BFS traverse through all modules in the unified config tree
@@ -276,6 +274,9 @@ func (t TerraformDirectoryLoader) loadDirNonRecursive() (output.AllResourceConfi
 				return allResourcesConfig, multierror.Append(t.errIacLoadDirs, results.DirScanErr{IacType: "terraform", Directory: t.absRootDir, ErrMessage: "failed to create ResourceConfig"})
 			}
 
+			// set module name
+			resourceConfig.ModuleName = current.Name
+
 			// resolve references
 			resourceConfig.Config = r.ResolveRefs(resourceConfig.Config.(jsonObj))
 
@@ -301,13 +302,7 @@ func (t TerraformDirectoryLoader) loadDirNonRecursive() (output.AllResourceConfi
 		}
 
 		// add all current's children to the queue
-		for childName, childModule := range current.Config.Children {
-			childModuleConfig := &ModuleConfig{
-				Config:           childModule,
-				ParentModuleCall: current.Config.Module.ModuleCalls[childName],
-			}
-			configsQ = append(configsQ, childModuleConfig)
-		}
+		configsQ = append(configsQ, current.getChildConfigs()...)
 	}
 
 	// successful
@@ -389,3 +384,17 @@ func (t TerraformDirectoryLoader) processTerraformRegistrySource(req *hclConfigs
 
 	return pathToModule, nil
 }
+
+// getChildConfigs will get all child configs in a ModuleConfig
+func (m *ModuleConfig) getChildConfigs() []*ModuleConfig {
+	allConfigs := make([]*ModuleConfig, 0)
+	for childName, childModule := range m.Config.Children {
+		childModuleConfig := &ModuleConfig{
+			Config:           childModule,
+			ParentModuleCall: m.Config.Module.ModuleCalls[childName],
+			Name:             childName,
+		}
+		allConfigs = append(allConfigs, childModuleConfig)
+	}
+	return allConfigs
+}
diff --git a/pkg/iac-providers/terraform/commons/load-file.go b/pkg/iac-providers/terraform/commons/load-file.go
@@ -58,6 +58,10 @@ func LoadIacFile(absFilePath string) (allResourcesConfig output.AllResourceConfi
 			return allResourcesConfig, fmt.Errorf("failed to create ResourceConfig")
 		}
 
+		// set module name
+		// module name for the file scan will always be root
+		resourceConfig.ModuleName = "root"
+
 		// extract file name from path
 		resourceConfig.Source = getFileName(resourceConfig.Source)
 

diff --git a/pkg/iac-providers/terraform/v12/testdata/tfjson/config1.json b/pkg/iac-providers/terraform/v12/testdata/tfjson/config1.json
@@ -3,6 +3,7 @@
     {
       "id": "aws_instance.instance_playground",
       "name": "instance_playground",
+      "module_name": "root",
       "source": "config1.tf",
       "line": 77,
       "type": "aws_instance",
@@ -46,6 +47,7 @@
     {
       "id": "aws_internet_gateway.igw_playground",
       "name": "igw_playground",
+      "module_name": "root",
       "source": "config1.tf",
       "line": 14,
       "type": "aws_internet_gateway",
@@ -62,6 +64,7 @@
     {
       "id": "aws_key_pair.ec2key_playground",
       "name": "ec2key_playground",
+      "module_name": "root",
       "source": "config1.tf",
       "line": 72,
       "type": "aws_key_pair",
@@ -76,6 +79,7 @@
     {
       "id": "aws_route_table.rtb_public_playground",
       "name": "rtb_public_playground",
+      "module_name": "root",
       "source": "config1.tf",
       "line": 30,
       "type": "aws_route_table",
@@ -98,6 +102,7 @@
     {
       "id": "aws_route_table_association.rta_subnet_public_playground",
       "name": "rta_subnet_public_playground",
+      "module_name": "root",
       "source": "config1.tf",
       "line": 41,
       "type": "aws_route_table_association",
@@ -112,6 +117,7 @@
     {
       "id": "aws_security_group.sg_playground",
       "name": "sg_playground",
+      "module_name": "root",
       "source": "config1.tf",
       "line": 46,
       "type": "aws_security_group",
@@ -157,6 +163,7 @@
     {
       "id": "aws_subnet.subnet_public_playground",
       "name": "subnet_public_playground",
+      "module_name": "root",
       "source": "config1.tf",
       "line": 21,
       "type": "aws_subnet",
@@ -175,6 +182,7 @@
     {
       "id": "aws_vpc.vpc_playground",
       "name": "vpc_playground",
+      "module_name": "root",
       "source": "config1.tf",
       "line": 5,
       "type": "aws_vpc",
@@ -189,4 +197,4 @@
       "skip_rules": null
     }
   ]
-}
+}
diff --git a/pkg/iac-providers/terraform/v12/testdata/tfjson/deep-modules-recursive.json b/pkg/iac-providers/terraform/v12/testdata/tfjson/deep-modules-recursive.json
@@ -3,6 +3,7 @@
     {
       "id": "aws_s3_bucket.bucket",
       "name": "bucket",
+      "module_name": "m1",
       "source": "modules/m1/main.tf",
       "plan_root": "./",
       "line": 20,
@@ -16,6 +17,7 @@
     {
       "id": "aws_s3_bucket.bucket",
       "name": "bucket",
+      "module_name": "m4",
       "source": "modules/m4/main.tf",
       "plan_root": "./",
       "line": 11,
@@ -29,6 +31,7 @@
     {
       "id": "aws_s3_bucket.bucket4a",
       "name": "bucket4a",
+      "module_name": "m4a",
       "source": "modules/m4/modules/m4a/main.tf",
       "plan_root": "./",
       "line": 20,
@@ -42,6 +45,7 @@
     {
       "id": "aws_s3_bucket.bucket",
       "name": "bucket",
+      "module_name": "root",
       "source": "modules/m4/main.tf",
       "plan_root": "modules/m4",
       "line": 11,

diff --git a/pkg/iac-providers/terraform/v12/testdata/tfjson/deep-modules.json b/pkg/iac-providers/terraform/v12/testdata/tfjson/deep-modules.json
@@ -1,40 +1,46 @@
 {
-    "aws_s3_bucket": [
-      {
-        "id": "aws_s3_bucket.bucket",
-        "name": "bucket",
-        "source": "modules/m1/main.tf",
-        "plan_root": "./",
-        "line": 20,
-        "type": "aws_s3_bucket",
-        "config": {
-          "bucket": "${module.m3.fullbucketname}",
-          "policy": "${module.m2.fullbucketpolicy}"
-        }
+  "aws_s3_bucket": [
+    {
+      "id": "aws_s3_bucket.bucket",
+      "name": "bucket",
+      "module_name": "m1",
+      "source": "modules/m1/main.tf",
+      "plan_root": "./",
+      "line": 20,
+      "type": "aws_s3_bucket",
+      "config": {
+        "bucket": "${module.m3.fullbucketname}",
+        "policy": "${module.m2.fullbucketpolicy}"
       },
-      {
-        "id": "aws_s3_bucket.bucket",
-        "name": "bucket",
-        "source": "modules/m4/main.tf",
-        "plan_root": "./",
-        "line": 11,
-        "type": "aws_s3_bucket",
-        "config": {
-          "bucket": "tf-test-project-2",
-          "policy": "${module.m4a.fullbucketpolicy}"
-        }
+      "skip_rules": null
+    },
+    {
+      "id": "aws_s3_bucket.bucket",
+      "name": "bucket",
+      "module_name": "m4",
+      "source": "modules/m4/main.tf",
+      "plan_root": "./",
+      "line": 11,
+      "type": "aws_s3_bucket",
+      "config": {
+        "bucket": "tf-test-project-2",
+        "policy": "${module.m4a.fullbucketpolicy}"
       },
-      {
-        "id": "aws_s3_bucket.bucket4a",
-        "name": "bucket4a",
-        "source": "modules/m4/modules/m4a/main.tf",
-        "plan_root": "./",
-        "line": 20,
-        "type": "aws_s3_bucket",
-        "config": {
-          "bucket": "${module.m4c.fullbucketname}",
-          "policy": "${module.m4b.fullbucketpolicy}"
-        }
-      }
-    ]
-  }
+      "skip_rules": null
+    },
+    {
+      "id": "aws_s3_bucket.bucket4a",
+      "name": "bucket4a",
+      "module_name": "m4a",
+      "source": "modules/m4/modules/m4a/main.tf",
+      "plan_root": "./",
+      "line": 20,
+      "type": "aws_s3_bucket",
+      "config": {
+        "bucket": "${module.m4c.fullbucketname}",
+        "policy": "${module.m4b.fullbucketpolicy}"
+      },
+      "skip_rules": null
+    }
+  ]
+}
diff --git a/pkg/iac-providers/terraform/v12/testdata/tfjson/dummyconfig.json b/pkg/iac-providers/terraform/v12/testdata/tfjson/dummyconfig.json
@@ -3,6 +3,7 @@
     {
       "id": "terraform_remote_state.remote",
       "name": "remote",
+      "module_name": "root",
       "source": "dummyconfig.tf",
       "line": 41,
       "type": "terraform_remote_state",
@@ -22,6 +23,7 @@
     {
       "id": "type1.resource1",
       "name": "resource1",
+      "module_name": "root",
       "source": "dummyconfig.tf",
       "line": 1,
       "type": "type1",
@@ -48,6 +50,7 @@
     {
       "id": "type2.resource2",
       "name": "resource2",
+      "module_name": "root",
       "source": "dummyconfig.tf",
       "line": 13,
       "type": "type2",
@@ -70,6 +73,7 @@
     {
       "id": "type3.resource3",
       "name": "resource3",
+      "module_name": "root",
       "source": "dummyconfig.tf",
       "line": 26,
       "type": "type3",