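    def scan_resource_conf(self, conf):
        """
            Looks for ingress rules that expose ``self.port`` to the whole internet:
            https://www.terraform.io/docs/providers/aws/r/security_group.html
        :param conf: aws_security_group configuration
        :return: <CheckResult> FAILED when an ingress rule whose port range covers
                 self.port lists 0.0.0.0/0 (or ::/0 in ipv6_cidr_blocks) and names
                 no source security group; PASSED otherwise
        """
        world_open = ("0.0.0.0/0", "::/0", "0000:0000:0000:0000:0000:0000:0000:0000/0")
        for ingress_rule in conf.get('ingress', []):
            for rule in force_list(ingress_rule):
                if not isinstance(rule, dict):
                    continue
                from_port = force_int(force_list(rule.get('from_port', [None]))[0])
                to_port = force_int(force_list(rule.get('to_port', [None]))[0])
                # force_int yields None for unresolved or non-numeric values; the
                # original compared that None with an int, which raises TypeError.
                if from_port is None or to_port is None:
                    continue
                if not from_port <= self.port <= to_port:
                    continue
                # Attribute values arrive wrapped in a list; `or [[]]` also covers
                # an empty wrapper, which plain [0] indexing would trip over.
                cidr_blocks = force_list((rule.get('cidr_blocks') or [[]])[0])
                ipv6_cidr_blocks = force_list((rule.get('ipv6_cidr_blocks') or [[]])[0])
                # A rule that also names source security groups is not reported,
                # preserving the original's behaviour.
                if rule.get('security_groups', []):
                    continue
                # ::/0 (and its expanded form) is as world-open as 0.0.0.0/0 and
                # was not examined before.
                if any(block in world_open for block in [*cidr_blocks, *ipv6_cidr_blocks]):
                    return CheckResult.FAILED

        return CheckResult.PASSED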
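    def contains_violation(self, conf):
        """Return True when a rule whose ``port_range`` ("from/to", e.g. "22/22")
        covers ``self.port`` is reachable from 0.0.0.0/0 or carries no ``cidr_ip``.

        :param conf: security group rule configuration; attribute values are
            wrapped in a list
        :return: bool. NOTE(review): a ``port_range`` that is absent, not a string
            (e.g. an unresolved variable) or not of the "from/to" form is reported
            as no violation; the original raised on those inputs instead.
        """
        port_range = force_list(conf.get('port_range', [{-1}]))[0]
        if not isinstance(port_range, str):
            return False
        bounds = port_range.split('/')
        if len(bounds) < 2:
            return False
        from_port = force_int(bounds[0])
        to_port = force_int(bounds[1])
        # None (non-numeric bound) cannot be compared with an int.
        if from_port is None or to_port is None:
            return False
        if not from_port <= self.port <= to_port:
            return False
        cidr_blocks = force_list(conf.get('cidr_ip', [[]]))
        # A rule with no cidr_ip at all counts as unrestricted, as in the original.
        if "0.0.0.0/0" in cidr_blocks:
            return True
        return not cidr_blocks or not cidr_blocks[0]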
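 def scan_resource_conf(self, conf):
     """Check the ``retention_policy`` block of the resource.

     :param conf: resource configuration (attribute values wrapped in lists)
     :return: PASSED when retention is enabled with ``days`` >= 365, or when
              retention is disabled (the original passed that case whatever
              ``days`` held); FAILED when the block is absent, has no ``enabled``
              flag, or is enabled with fewer than 365 days / a non-numeric value
     """
     policy = (conf.get('retention_policy') or [None])[0]
     if not isinstance(policy, dict) or 'enabled' not in policy:
         # The original raised KeyError here instead of reporting a result.
         return CheckResult.FAILED
     if not policy['enabled'][0]:
         # NOTE(review): disabled retention passes unconditionally, as before; the
         # `days == 0` test in the original's disabled branch never changed the
         # outcome (and passed the wrapping list to force_int rather than days[0]).
         return CheckResult.PASSED
     days = policy.get('days')
     retention = force_int(days[0]) if days else None
     # force_int returns None for non-numeric values; None >= 365 raises TypeError.
     if retention is not None and retention >= 365:
         return CheckResult.PASSED
     return CheckResult.FAILED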
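 def scan_resource_conf(self, conf):
     """ARM: pass only when ``properties.retentionPolicy`` is enabled and ``days``
     is either 0 (accepted by the original check, presumably meaning unlimited)
     or at least 365.

     :param conf: ARM resource definition
     :return: <CheckResult>
     """
     properties = conf.get("properties")
     policy = properties.get("retentionPolicy") if isinstance(properties, dict) else None
     if not isinstance(policy, dict):
         return CheckResult.FAILED
     if str(policy.get("enabled")).lower() != "true":
         return CheckResult.FAILED
     if "days" not in policy:
         return CheckResult.FAILED
     # Parse once. force_int returns None for a non-numeric value; the original
     # compared that None with an int and raised TypeError.
     days = force_int(policy["days"])
     if days is not None and (days == 0 or days >= 365):
         return CheckResult.PASSED
     return CheckResult.FAILED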
    def contains_violation(self, conf):
        """Return True when an ingress rule covering ``self.port`` lists 0.0.0.0/0.

        Port values come wrapped in a list; ``{-1}`` is the sentinel used for an
        absent attribute, which force_int turns into None so the rule is skipped.
        NOTE(review): only IPv4 0.0.0.0/0 is examined; ``ipv6_cidr_blocks`` with
        ::/0 is not considered by this version.

        :param conf: rule configuration
        :return: bool
        """
        low = force_int(force_list(conf.get('from_port', [{-1}]))[0])
        high = force_int(force_list(conf.get('to_port', [{-1}]))[0])
        if low is None or high is None:
            return False
        if not (low <= self.port <= high):
            return False
        open_blocks = force_list(conf.get('cidr_blocks', [[]])[0])
        return "0.0.0.0/0" in open_blocks
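 def scan_resource_conf(self, conf):
     """
         validates iam password policy
         https://www.terraform.io/docs/providers/aws/r/iam_account_password_policy.html
     :param conf: aws_iam_account_password_policy configuration
     :return: <CheckResult> PASSED only when password_reuse_prevention is a
              literal >= 24; UNKNOWN when the value is not a literal int (most
              likely an unresolved variable); FAILED otherwise
     """
     key = 'password_reuse_prevention'
     if key not in conf:
         return CheckResult.FAILED
     reuse = force_int(conf[key][0])
     if reuse is None:
         return CheckResult.UNKNOWN
     # The former test `not (x and x < 24)` passed 0 and non-numeric values,
     # i.e. a policy that prevents no password reuse at all.
     if reuse >= 24:
         return CheckResult.PASSED
     return CheckResult.FAILED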
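    def contains_violation(self, conf, protocol_key, from_port_key, to_port_key, cidr_key):
        """Return True when a non-ICMP rule covering ``self.port`` is sourced from a
        world-open CIDR (0.0.0.0/0, or ::/0 in either notation).

        :param conf: rule configuration; attribute values are wrapped in a list
        :param protocol_key: name of the protocol attribute
        :param from_port_key: name of the lower port bound attribute
        :param to_port_key: name of the upper port bound attribute
        :param cidr_key: name of the source CIDR attribute
        :return: bool
        """
        world_open = ('0.0.0.0/0', '::/0', '0000:0000:0000:0000:0000:0000:0000:0000/0')
        protocol = force_list(conf.get(protocol_key, [{-1}]))[0]
        if protocol == "icmp":
            return False
        from_port = force_int(force_list(conf.get(from_port_key, [{-1}]))[0])
        to_port = force_int(force_list(conf.get(to_port_key, [{-1}]))[0])
        if from_port is None or to_port is None:
            return False
        if not from_port <= self.port <= to_port:
            return False
        cidr = conf.get(cidr_key, [])
        if not cidr:
            return False
        # The attribute may be a single CIDR string or a list of CIDRs depending
        # on the provider. The original only compared the scalar form, so a list
        # containing 0.0.0.0/0 was silently missed.
        return any(block in world_open for block in force_list(cidr[0]))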
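 def scan_resource_conf(self, conf):
     """Check the ``retention_policy`` block, recording the keys inspected in
     ``self.evaluated_keys``.

     :param conf: resource configuration (attribute values wrapped in lists)
     :return: PASSED when retention is enabled with ``days`` >= 365, or when it is
              disabled (passed unconditionally, as in the original); FAILED when
              the block is missing or enabled with fewer than 365 days
     """
     policy = (conf.get('retention_policy') or [None])[0]
     if not isinstance(policy, dict):
         self.evaluated_keys = ['retention_policy']
         return CheckResult.FAILED
     self.evaluated_keys = ['retention_policy/[0]/enabled']
     if 'enabled' not in policy:
         return CheckResult.FAILED
     if not policy['enabled'][0]:
         if 'days' in policy:
             self.evaluated_keys.append('retention_policy/[0]/days')
         # NOTE(review): disabled retention passes regardless of ``days``; the
         # original's `days == 0` test here never changed the outcome.
         return CheckResult.PASSED
     self.evaluated_keys.append('retention_policy/[0]/days')
     days = policy.get('days')
     # Read the wrapped value consistently (days[0]) - the disabled branch of the
     # original passed the whole list to force_int - and guard None before the
     # comparison, which otherwise raises TypeError.
     retention = force_int(days[0]) if days else None
     if retention is not None and retention >= 365:
         return CheckResult.PASSED
     return CheckResult.FAILED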
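    def contains_violation(self, conf):
        """Return True when a rule covering ``self.port`` is sourced from 0.0.0.0/0
        or from ::/0 (either notation) in ``ipv6_cidr_blocks``.

        :param conf: rule configuration; attribute values are wrapped in a list
        :return: bool
        """
        from_port = force_int(force_list(conf.get('from_port', [{-1}]))[0])
        to_port = force_int(force_list(conf.get('to_port', [{-1}]))[0])
        if from_port is None or to_port is None:
            return False
        if not from_port <= self.port <= to_port:
            return False
        cidr_blocks = force_list((conf.get('cidr_blocks') or [[]])[0])
        if "0.0.0.0/0" in cidr_blocks:
            return True
        ipv6_cidr_blocks = conf.get('ipv6_cidr_blocks') or []
        if not ipv6_cidr_blocks:
            return False
        # Normalise with force_list as the IPv4 branch does: the original iterated
        # ipv6_cidr_blocks[0] directly, so a bare "::/0" string was walked
        # character by character and never matched.
        world_open_v6 = ('::/0', '0000:0000:0000:0000:0000:0000:0000:0000/0')
        return any(block in world_open_v6 for block in force_list(ipv6_cidr_blocks[0]))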
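 def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:
     """Pass when ``rotation_period`` (a duration string such as "7776000s") lies
     between ONE_DAY and NINETY_DAYS inclusive.

     :param conf: resource configuration, attribute values wrapped in lists
     :return: PASSED for an in-range literal; FAILED when the attribute is
              absent, empty, not a string, or outside the range
     """
     self.evaluated_keys = ["rotation_period"]
     rotation = conf.get("rotation_period")
     if not rotation or not rotation[0]:
         return CheckResult.FAILED
     value = rotation[0]
     if not isinstance(value, str):
         # e.g. an unresolved expression; slicing it raised in the original.
         return CheckResult.FAILED
     # Strip only a trailing "s" unit. The original always dropped the last
     # character, so a value without the unit silently lost its last digit.
     seconds = force_int(value[:-1] if value.endswith("s") else value)
     if seconds is not None and ONE_DAY <= seconds <= NINETY_DAYS:
         return CheckResult.PASSED
     return CheckResult.FAILED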
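 def scan_resource_conf(self, conf):
     """Pass when the resource is enabled and its retention policy is enabled
     with ``days`` >= 90.

     :param conf: resource configuration (attribute values wrapped in lists)
     :return: <CheckResult>; FAILED when any inspected attribute is absent (the
              original raised KeyError for a missing block or ``days``)
     """
     enabled = conf.get('enabled')
     if not enabled or not enabled[0]:
         return CheckResult.FAILED
     policy = (conf.get('retention_policy') or [None])[0]
     if not isinstance(policy, dict):
         return CheckResult.FAILED
     policy_enabled = policy.get('enabled')
     if not policy_enabled or not policy_enabled[0]:
         return CheckResult.FAILED
     days = policy.get('days')
     retention_in_days = force_int(days[0]) if days else None
     # `retention_in_days and` rejects both None and 0: 0 was not treated as
     # unlimited retention by the original and still is not here.
     if retention_in_days and retention_in_days >= 90:
         return CheckResult.PASSED
     return CheckResult.FAILED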
 def scan_resource_conf(self, conf):
     """Pass when ``backup_retention_period`` is a literal between 1 and 35 days.

     When the attribute is absent the provider default (1) applies, which is
     inside the range, so the check passes.

     :param conf: resource configuration (attribute values wrapped in lists)
     :return: <CheckResult>
     """
     attribute = "backup_retention_period"
     if attribute not in conf:
         return CheckResult.PASSED
     days = force_int(conf[attribute][0])
     # None (non-numeric) and 0 both fall outside the accepted range.
     in_range = days is not None and 0 < days <= 35
     return CheckResult.PASSED if in_range else CheckResult.FAILED
 def scan_resource_conf(self, conf):
     """Pass when ``retention_in_days`` is a literal of at least 90.

     An absent attribute, a non-numeric value and 0 all fail.

     :param conf: resource configuration (attribute values wrapped in lists)
     :return: <CheckResult>
     """
     if 'retention_in_days' not in conf:
         return CheckResult.FAILED
     days = force_int(conf['retention_in_days'][0])
     if not days:
         return CheckResult.FAILED
     return CheckResult.FAILED if days < 90 else CheckResult.PASSED
 def scan_resource_conf(self, conf):
     """Pass only when ``backup_retention_period`` is an explicit literal in 1..35.

     An absent attribute fails: the provider default is not accepted here.

     :param conf: resource configuration (attribute values wrapped in lists)
     :return: <CheckResult>
     """
     attribute = "backup_retention_period"
     if attribute not in conf:
         return CheckResult.FAILED
     days = force_int(conf[attribute][0])
     if days and 0 < days <= 35:
         return CheckResult.PASSED
     return CheckResult.FAILED
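 def scan_resource_conf(self, conf):
     """Pass when ``extended_auditing_policy`` sets ``retention_in_days`` >= 90.

     :param conf: resource configuration (attribute values wrapped in lists)
     :return: UNKNOWN when the block is not a rendered dict; FAILED when the block
              or ``retention_in_days`` is absent (the original raised KeyError on
              a missing attribute), non-numeric, 0 or below 90; PASSED otherwise
     """
     if 'extended_auditing_policy' not in conf:
         return CheckResult.FAILED
     policy = conf['extended_auditing_policy'][0]
     if not isinstance(policy, dict):
         return CheckResult.UNKNOWN
     # NOTE(review): the provider default for an omitted retention_in_days is not
     # known from here; an omitted value is treated as not meeting the 90-day bar.
     days = policy.get('retention_in_days')
     retention = force_int(days[0]) if days else None
     if retention and retention >= 90:
         return CheckResult.PASSED
     return CheckResult.FAILED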
 def scan_resource_conf(self, conf):
     """Pass when ``backup_retention_period`` is a literal in 1..35 days, or is
     absent (the provider default of 1 applies). A variable-dependent value
     cannot be judged and is reported as UNKNOWN.

     :param conf: resource configuration (attribute values wrapped in lists)
     :return: <CheckResult>
     """
     attribute = "backup_retention_period"
     if attribute not in conf:
         # Default value is 1, which is inside the accepted range.
         return CheckResult.PASSED
     raw_period = conf[attribute][0]
     if self._is_variable_dependant(raw_period):
         return CheckResult.UNKNOWN
     days = force_int(raw_period)
     within_range = bool(days) and 0 < days <= 35
     return CheckResult.PASSED if within_range else CheckResult.FAILED
 def scan_resource_conf(self, conf):
     """
         validates iam password policy: max_password_age must be set to at most 90
         https://www.terraform.io/docs/providers/aws/r/iam_account_password_policy.html
     :param conf: aws_iam_account_password_policy configuration
     :return: <CheckResult>; an absent attribute, a non-numeric value and 0 fail
     """
     attribute = 'max_password_age'
     if attribute not in conf:
         return CheckResult.FAILED
     age = force_int(conf[attribute][0])
     # bool(age) rejects None and 0 before the comparison.
     within_limit = bool(age) and age <= 90
     return CheckResult.PASSED if within_limit else CheckResult.FAILED
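 def _is_port_in_range(self, ports_list):
     """Return True when ``self.port`` equals one of the listed ports or falls
     inside a "low-high" range string.

     :param ports_list: attribute value wrapped in a list; ``ports_list[0]`` holds
         the entries, each an int, a numeric string, or a "low-high" string
     :return: True/False, or ``CheckResult.UNKNOWN`` when a range string cannot
         be parsed. NOTE(review): UNKNOWN is truthy, so a caller that tests the
         result with ``if`` treats an unparsable range as a match (fail-closed).
     """
     for entry in ports_list[0]:
         port = force_int(entry)
         if port and self.port == port:
             return True
         # Only str entries can carry a range; the original applied `'-' in entry`
         # to any non-numeric value and would raise TypeError on e.g. None.
         if port is None and isinstance(entry, str) and '-' in entry:
             try:
                 low, high = entry.split('-')
                 if int(low) <= self.port <= int(high):
                     return True
             except ValueError:
                 # wrong number of parts, or a non-numeric bound
                 return CheckResult.UNKNOWN
     return False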
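 def scan_resource_conf(self, conf):
     """Pass when the resource is enabled and its retention policy is enabled
     with ``days`` of 0 (accepted by the original, presumably meaning unlimited)
     or at least 90; record the keys inspected in ``self.evaluated_keys``.

     :param conf: resource configuration (attribute values wrapped in lists)
     :return: <CheckResult>; a missing ``retention_policy`` block or ``days``
              attribute now fails instead of raising KeyError
     """
     self.evaluated_keys = ['enabled']
     enabled = conf.get('enabled')
     if not enabled or not enabled[0]:
         return CheckResult.FAILED
     policy = (conf.get('retention_policy') or [None])[0]
     if not isinstance(policy, dict):
         self.evaluated_keys = ['retention_policy']
         return CheckResult.FAILED
     self.evaluated_keys = ['retention_policy/[0]/enabled']
     policy_enabled = policy.get('enabled')
     if not policy_enabled or not policy_enabled[0]:
         return CheckResult.FAILED
     self.evaluated_keys.append('retention_policy/[0]/days')
     days = policy.get('days')
     retention_in_days = force_int(days[0]) if days else None
     if retention_in_days is not None and (retention_in_days == 0 or retention_in_days >= 90):
         return CheckResult.PASSED
     return CheckResult.FAILED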
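 def scan_resource_conf(self, conf):
     """
         validates iam password policy
         https://www.terraform.io/docs/providers/aws/r/iam_account_password_policy.html
     :param conf: aws_iam_account_password_policy configuration
     :return: <CheckResult> PASSED only when password_reuse_prevention is a
              literal >= 24; UNKNOWN for a variable-dependent value; FAILED
              otherwise
     """
     key = 'password_reuse_prevention'
     if key not in conf:
         return CheckResult.FAILED
     reuse = conf[key][0]
     if self._is_variable_dependant(reuse):
         return CheckResult.UNKNOWN
     reuse = force_int(reuse)
     # The former test `not (reuse and reuse < 24)` passed 0 and non-numeric
     # values, i.e. policies that prevent no password reuse at all.
     if reuse is not None and reuse >= 24:
         return CheckResult.PASSED
     return CheckResult.FAILED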
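 def scan_resource_conf(self, conf):
     """
         validates iam password policy
         https://www.terraform.io/docs/providers/aws/r/iam_account_password_policy.html
     :param conf: aws_iam_account_password_policy configuration
     :return: <CheckResult> PASSED only when minimum_password_length is a literal
              >= 14; UNKNOWN for a variable-dependent value; FAILED otherwise
     """
     key = 'minimum_password_length'
     if key not in conf:
         return CheckResult.FAILED
     length = conf[key][0]
     if self._is_variable_dependant(length):
         return CheckResult.UNKNOWN
     length = force_int(length)
     # The former test `not (length and length < 14)` passed 0 and non-numeric
     # values, i.e. no minimum length at all.
     if length is not None and length >= 14:
         return CheckResult.PASSED
     return CheckResult.FAILED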
    def scan_resource_conf(self, conf):
        """ARM storage account: pass only when ``properties.networkAcls.defaultAction``
        is "Deny". Resources declared with an apiVersion before 2017 fail outright,
        because networkAcls could not be set on them.

        NOTE(review): the comparison is case-sensitive; whether ARM accepts
        "deny" as well is not established here.

        :param conf: ARM resource definition
        :return: UNKNOWN when apiVersion cannot be parsed, else PASSED/FAILED
        """
        if "apiVersion" in conf:
            # Fail if apiVersion < 2017 as you could not set networkAcls
            year = force_int(conf["apiVersion"][0:4])
            if year is None:
                return CheckResult.UNKNOWN
            if year < 2017:
                return CheckResult.FAILED

        properties = conf["properties"] if "properties" in conf else {}
        acls = properties["networkAcls"] if "networkAcls" in properties else {}
        default_action = acls["defaultAction"] if "defaultAction" in acls else None
        return CheckResult.PASSED if default_action == "Deny" else CheckResult.FAILED
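    def scan_resource_conf(self, conf):
        """ARM storage account: pass when ``networkAcls.defaultAction`` is "Allow",
        or when the "AzureServices" bypass is granted. Resources with an apiVersion
        before 2017 fail outright, because networkAcls could not be set on them.

        :param conf: ARM resource definition
        :return: UNKNOWN when apiVersion cannot be parsed, else PASSED/FAILED
        """
        if "apiVersion" in conf:
            # Fail if apiVersion < 2017 as you could not set networkAcls
            year = force_int(conf["apiVersion"][0:4])
            if year is None:
                return CheckResult.UNKNOWN  # Should be handled by variable rendering
            if year < 2017:
                return CheckResult.FAILED

        properties = conf.get("properties")
        acls = properties.get("networkAcls") if isinstance(properties, dict) else None
        if not isinstance(acls, dict) or "defaultAction" not in acls:
            return CheckResult.FAILED
        if acls["defaultAction"] == "Allow":
            return CheckResult.PASSED
        # `bypass` is a comma-separated list in ARM ("Logging, Metrics, AzureServices"),
        # so the former exact comparison with "AzureServices" missed every combined
        # value; a plain "AzureServices" still matches.
        bypass = acls.get("bypass")
        if bypass is None:
            return CheckResult.FAILED
        items = bypass if isinstance(bypass, list) else str(bypass).split(",")
        if any(str(item).strip() == "AzureServices" for item in items):
            return CheckResult.PASSED
        return CheckResult.FAILED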
    def scan_resource_conf(self, conf):
        """ARM storage account: require HTTPS-only traffic.

        An explicit ``properties.supportsHttpsTrafficOnly`` decides the result;
        otherwise the apiVersion default is used (true from 2019 onward).

        :param conf: ARM resource definition
        :return: UNKNOWN when apiVersion cannot be parsed, else PASSED/FAILED
        """
        if "properties" in conf and "supportsHttpsTrafficOnly" in conf["properties"]:
            https_only = str(conf["properties"]["supportsHttpsTrafficOnly"]).lower()
            return CheckResult.PASSED if https_only == "true" else CheckResult.FAILED

        # Use default if supportsHttpsTrafficOnly is not set
        if "apiVersion" not in conf:
            return CheckResult.FAILED
        # Default for apiVersion 2019 and newer is supportsHttpsTrafficOnly = True
        year = force_int(conf["apiVersion"][0:4])
        if year is None:
            return CheckResult.UNKNOWN
        return CheckResult.FAILED if year < 2019 else CheckResult.PASSED
import logging
import os
import re
from typing import Tuple
from typing import Union, List, Any, Dict, Optional, Callable

from checkov.common.util.type_forcers import force_int
from checkov.common.graph.graph_builder.graph_components.attribute_names import CustomAttributes
from checkov.terraform.graph_builder.graph_components.block_types import BlockType
from checkov.terraform.graph_builder.variable_rendering.vertex_reference import TerraformVertexReference

# Matches the "[other_dir/x.tf#0]" suffix appended to a file path to record a
# module dependency (see remove_module_dependency_in_path). `.+` is greedy, so a
# path carrying several such suffixes is matched as one span.
MODULE_DEPENDENCY_PATTERN_IN_PATH = re.compile(r"\[.+\#.+\]")
# Rendering length limit, overridable from the environment. force_int presumably
# yields None for a non-numeric override - TODO confirm how callers handle that.
CHECKOV_RENDER_MAX_LEN = force_int(os.getenv("CHECKOV_RENDER_MAX_LEN",
                                             "10000"))


def is_local_path(root_dir: str, source: str) -> bool:
    """Return True when a module ``source`` refers to a local path.

    Local sources are the relative forms Terraform documents
    (https://www.terraform.io/docs/modules/sources.html#local-paths) plus any
    name that is a direct child of ``root_dir``; everything else (registry,
    git, http, ...) is treated as remote. Raises like os.listdir when
    ``root_dir`` does not exist.
    """
    relative_prefixes = ("./", "/./", "../")
    if source.startswith(relative_prefixes):
        return True
    return source in os.listdir(root_dir)


def remove_module_dependency_in_path(path: str) -> Tuple[str, str, str]:
    """
    :param path: path that looks like "dir/main.tf[other_dir/x.tf#0]
    :return: separated path from module dependency: dir/main.tf, other_dir/x.tf
    """
    module_dependency = re.findall(MODULE_DEPENDENCY_PATTERN_IN_PATH, path)
    if re.findall(MODULE_DEPENDENCY_PATTERN_IN_PATH, path):
        path = re.sub(MODULE_DEPENDENCY_PATTERN_IN_PATH, "", path)
    module_and_num = extract_module_dependency_path(module_dependency)
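 def scan_resource_conf(self, conf):
     """Pass when ``rotation_period`` (a duration string such as "7776000s") lies
     between ONE_DAY and NINETY_DAYS inclusive.

     :param conf: resource configuration (attribute values wrapped in lists)
     :return: PASSED for an in-range literal; FAILED when the attribute is
              absent, not a string, or outside the range
     """
     if 'rotation_period' not in conf:
         return CheckResult.FAILED
     value = conf['rotation_period'][0]
     if not isinstance(value, str):
         # The original sliced the value unconditionally and raised on non-strings.
         return CheckResult.FAILED
     # Strip only a trailing "s" unit; always dropping the last character (as the
     # original did) silently shortens a value that has no unit suffix.
     seconds = force_int(value[:-1] if value.endswith("s") else value)
     if seconds is not None and ONE_DAY <= seconds <= NINETY_DAYS:
         return CheckResult.PASSED
     return CheckResult.FAILED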