From 1467171f61bd2864f351bec28099faf8e2bb8217 Mon Sep 17 00:00:00 2001 From: Keith Monihen Date: Fri, 10 Apr 2020 09:39:59 -0400 Subject: [PATCH 01/13] add wildcard principal --- .../elasticsearch_domain_policy/wildcard_principal/rule.yml | 2 +- go.mod | 2 +- go.sum | 4 ++++ 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/cli/assets/terraform/aws/elasticsearch/elasticsearch_domain_policy/wildcard_principal/rule.yml b/cli/assets/terraform/aws/elasticsearch/elasticsearch_domain_policy/wildcard_principal/rule.yml index 0149ee2..476a4c1 100644 --- a/cli/assets/terraform/aws/elasticsearch/elasticsearch_domain_policy/wildcard_principal/rule.yml +++ b/cli/assets/terraform/aws/elasticsearch/elasticsearch_domain_policy/wildcard_principal/rule.yml @@ -13,7 +13,7 @@ rules: severity: FAILURE assertions: - none: - key: access_policies.Statement[] + key: access_policies.Statement expressions: - key: Effect op: eq diff --git a/go.mod b/go.mod index 0c9e01c..d593bea 100644 --- a/go.mod +++ b/go.mod @@ -23,5 +23,5 @@ require ( golang.org/x/crypto v0.0.0-20200214034016-1d94cc7ab1c6 // indirect golang.org/x/lint v0.0.0-20200302205851-738671d3881b // indirect golang.org/x/sys v0.0.0-20200217220822-9197077df867 // indirect - golang.org/x/tools v0.0.0-20200408132156-9ee5ef7a2c0d // indirect + golang.org/x/tools v0.0.0-20200410040751-3bd20875a2eb // indirect ) diff --git a/go.sum b/go.sum index ccc0781..6485a46 100644 --- a/go.sum +++ b/go.sum 
@@ -622,6 +622,10 @@ golang.org/x/tools v0.0.0-20200406213809-066fd1390ee0 h1:PaUgOASiqoF4KlotK7/3XKY golang.org/x/tools v0.0.0-20200406213809-066fd1390ee0/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200408132156-9ee5ef7a2c0d h1:2DXIdtvIYvvWOcAOsX81FwOUBoQoMZhosWn7KjXEl94= golang.org/x/tools v0.0.0-20200408132156-9ee5ef7a2c0d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200409170454-77362c5149f0 h1:Vj4uPv+FWfJqeeBexROGL+6fhy0yL5JgwKU5B54Cu7Y= +golang.org/x/tools v0.0.0-20200409170454-77362c5149f0/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200410040751-3bd20875a2eb h1:RyH5RJIzat0mPE3Bxyfk0H7h8QTOUPO9gelM+5LI/RQ= +golang.org/x/tools v0.0.0-20200410040751-3bd20875a2eb/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= From 18f18805fe9698b819d3b9c296ba16cfddbbd16e Mon Sep 17 00:00:00 2001 From: Keith Monihen Date: Thu, 16 Apr 2020 18:07:55 -0400 Subject: [PATCH 02/13] some debugging --- .../tests/terraform12/wildcard_principal.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cli/assets/terraform/aws/elasticsearch/elasticsearch_domain_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf b/cli/assets/terraform/aws/elasticsearch/elasticsearch_domain_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf index 6131894..07494be 100644 --- a/cli/assets/terraform/aws/elasticsearch/elasticsearch_domain_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf 
+++ b/cli/assets/terraform/aws/elasticsearch/elasticsearch_domain_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf @@ -15,7 +15,7 @@ resource "aws_elasticsearch_domain" "example" { resource "aws_elasticsearch_domain_policy" "policy_allow_principal_no_wildcard" { domain_name = "${aws_elasticsearch_domain.example.domain_name}" - access_policies = < Date: Mon, 20 Apr 2020 10:28:43 -0400 Subject: [PATCH 03/13] added policy rule --- .../tests/terraform12/wildcard_principal.tf | 13 +++++++------ .../wildcard_principal/tests/test.yml | 14 ++++++++++++++ 2 files changed, 21 insertions(+), 6 deletions(-) create mode 100644 cli/assets/terraform/aws/elasticsearch/elasticsearch_domain_policy/wildcard_principal/tests/test.yml diff --git a/cli/assets/terraform/aws/elasticsearch/elasticsearch_domain_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf b/cli/assets/terraform/aws/elasticsearch/elasticsearch_domain_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf index 07494be..d266272 100644 --- a/cli/assets/terraform/aws/elasticsearch/elasticsearch_domain_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf +++ b/cli/assets/terraform/aws/elasticsearch/elasticsearch_domain_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf @@ -1,6 +1,7 @@ # Test that an elasticsearch domain policy is not using a wildcard principal # https://www.terraform.io/docs/providers/aws/r/elasticsearch_domain_policy.html + provider "aws" { region = "us-east-1" } @@ -27,7 +28,7 @@ resource "aws_elasticsearch_domain_policy" "policy_allow_principal_no_wildcard" ] }, "Effect": "Allow", - "Resource": "${aws_elasticsearch_domain.example.arn}/*" + "Resource": "arn:aws:es:us-east-1:123456789012:domain/test/*" } ] } 
@@ -50,7 +51,7 @@ resource "aws_elasticsearch_domain_policy" "policy_allow_principal_no_wildcard" ] }, "Effect": "Deny", - "Resource": "${aws_elasticsearch_domain.example.arn}/*" + "Resource": "arn:aws:es:us-east-1:123456789012:domain/test/*" } ] } @@ -72,8 +73,8 @@ resource "aws_elasticsearch_domain_policy" "policy_deny_principal_contains_wildc "arn:aws:iam::1234567890:user/foo*" ] }, - "Effect": "Allow", - "Resource": "${aws_elasticsearch_domain.example.arn}/*" + "Effect": "Deny", + "Resource": "arn:aws:es:us-east-1:123456789012:domain/test/*" } ] } @@ -96,7 +97,7 @@ resource "aws_elasticsearch_domain_policy" "policy_allow_principal_contains_wild ] }, "Effect": "Allow", - "Resource": "${aws_elasticsearch_domain.example.arn}/*" + "Resource": "arn:aws:es:us-east-1:123456789012:domain/test/*" } ] } @@ -115,7 +116,7 @@ resource "aws_elasticsearch_domain_policy" "policy_allow_principal_is_wildcard" "Action": "es:ListDomainNames", "Principal": "*", "Effect": "Allow", - "Resource": "${aws_elasticsearch_domain.example.arn}/*" + "Resource": "arn:aws:es:us-east-1:123456789012:domain/test/*" } ] } diff --git a/cli/assets/terraform/aws/elasticsearch/elasticsearch_domain_policy/wildcard_principal/tests/test.yml b/cli/assets/terraform/aws/elasticsearch/elasticsearch_domain_policy/wildcard_principal/tests/test.yml new file mode 100644 index 0000000..d91f8cf --- /dev/null +++ b/cli/assets/terraform/aws/elasticsearch/elasticsearch_domain_policy/wildcard_principal/tests/test.yml @@ -0,0 +1,14 @@ +--- +version: 1 +description: Terraform 11 and 12 tests +type: Terraform +files: + - "*.tf" + - "*.tfvars" +tests: + - + ruleId: ELASTICSEARCH_POLICY_WILDCARD_PRINCIPAL + warnings: 0 + failures: 2 + tags: + - "terraform12" \ No newline at end of file From 3e3da2701dca06160ad1302ad4fd525a46ab5bce Mon Sep 17 00:00:00 2001 
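Review bot: The new test.yml describes itself as `Terraform 11 and 12 tests` but the only tag is `terraform12` and the only fixture directory added in this commit is `tests/terraform12`; either narrow it to `description: Terraform 12 tests` or add the terraform11 fixture set so the description and the tag list agree. The `failures: 2` expectation does match the two Allow resources in the fixture that carry a wildcard principal (`policy_allow_principal_contains_wildcard` and `policy_allow_principal_is_wildcard`), but a short comment next to that line naming those two resources would keep the expectation self-explaining when more fixtures are added. The file is also written without a trailing newline.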
From: Keith Monihen Date: Mon, 20 Apr 2020 11:08:04 -0400 Subject: [PATCH 04/13] adding kms and elasticsearch policy rules --- .../wildcard_principal/rule.yml | 4 +- ...earch_domain_policy_wildcard_principal.tf} | 17 +-- ...elasticsearch_domain_wildcard_principal.tf | 117 ++++++++++++++++++ .../wildcard_principal/tests/test.yml | 2 +- .../aws/kms/kms_key/wildcard_policy/rule.yml | 26 ++++ .../tests/terraform12/wildcard_policy.tf | 112 +++++++++++++++++ .../kms_key/wildcard_policy/tests/test.yml | 14 +++ 7 files changed, 279 insertions(+), 13 deletions(-) rename cli/assets/terraform/aws/elasticsearch/{elasticsearch_domain_policy => shared}/wildcard_principal/rule.yml (86%) rename cli/assets/terraform/aws/elasticsearch/{elasticsearch_domain_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf => shared/wildcard_principal/tests/terraform12/elasticsearch_domain_policy_wildcard_principal.tf} (85%) create mode 100644 cli/assets/terraform/aws/elasticsearch/shared/wildcard_principal/tests/terraform12/elasticsearch_domain_wildcard_principal.tf rename cli/assets/terraform/aws/elasticsearch/{elasticsearch_domain_policy => shared}/wildcard_principal/tests/test.yml (93%) create mode 100644 cli/assets/terraform/aws/kms/kms_key/wildcard_policy/rule.yml create mode 100644 cli/assets/terraform/aws/kms/kms_key/wildcard_policy/tests/terraform12/wildcard_policy.tf create mode 100644 cli/assets/terraform/aws/kms/kms_key/wildcard_policy/tests/test.yml diff --git a/cli/assets/terraform/aws/elasticsearch/elasticsearch_domain_policy/wildcard_principal/rule.yml b/cli/assets/terraform/aws/elasticsearch/shared/wildcard_principal/rule.yml similarity index 86% rename from cli/assets/terraform/aws/elasticsearch/elasticsearch_domain_policy/wildcard_principal/rule.yml rename to cli/assets/terraform/aws/elasticsearch/shared/wildcard_principal/rule.yml index 476a4c1..44e582d 100644 --- a/cli/assets/terraform/aws/elasticsearch/elasticsearch_domain_policy/wildcard_principal/rule.yml 
+++ b/cli/assets/terraform/aws/elasticsearch/shared/wildcard_principal/rule.yml @@ -9,7 +9,9 @@ rules: - id: ELASTICSEARCH_POLICY_WILDCARD_PRINCIPAL message: Elasticsearch allow policy should not use a wildcard princpal - resource: aws_elasticsearch_domain_policy + resources: + - aws_elasticsearch_domain_policy + - aws_elasticsearch_domain severity: FAILURE assertions: - none: diff --git a/cli/assets/terraform/aws/elasticsearch/elasticsearch_domain_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf b/cli/assets/terraform/aws/elasticsearch/shared/wildcard_principal/tests/terraform12/elasticsearch_domain_policy_wildcard_principal.tf similarity index 85% rename from cli/assets/terraform/aws/elasticsearch/elasticsearch_domain_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf rename to cli/assets/terraform/aws/elasticsearch/shared/wildcard_principal/tests/terraform12/elasticsearch_domain_policy_wildcard_principal.tf index d266272..28ec585 100644 --- a/cli/assets/terraform/aws/elasticsearch/elasticsearch_domain_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf +++ b/cli/assets/terraform/aws/elasticsearch/shared/wildcard_principal/tests/terraform12/elasticsearch_domain_policy_wildcard_principal.tf @@ -1,11 +1,6 @@ # Test that an elasticsearch domain policy is not using a wildcard principal # https://www.terraform.io/docs/providers/aws/r/elasticsearch_domain_policy.html - -provider "aws" { - region = "us-east-1" -} - # Helper resource "aws_elasticsearch_domain" "example" { domain_name = "tf-test" 
@@ -14,7 +9,7 @@ resource "aws_elasticsearch_domain" "example" { # PASS: Allow principal does not contain a wildcard resource "aws_elasticsearch_domain_policy" "policy_allow_principal_no_wildcard" { - domain_name = "${aws_elasticsearch_domain.example.domain_name}" + domain_name = aws_elasticsearch_domain.example.domain_name access_policies = < Date: Mon, 20 Apr 2020 12:37:24 -0400 Subject: [PATCH 05/13] Adding mediastore wildcard principal rule --- .../wildcard_principal/rule.yml | 26 ++++ .../tests/terraform12/wildcard_principal.tf | 121 ++++++++++++++++++ .../wildcard_principal/tests/test.yml | 14 ++ 3 files changed, 161 insertions(+) create mode 100644 cli/assets/terraform/aws/mediastore/media_store_container_policy/wildcard_principal/rule.yml create mode 100644 cli/assets/terraform/aws/mediastore/media_store_container_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf create mode 100644 cli/assets/terraform/aws/mediastore/media_store_container_policy/wildcard_principal/tests/test.yml diff --git a/cli/assets/terraform/aws/mediastore/media_store_container_policy/wildcard_principal/rule.yml b/cli/assets/terraform/aws/mediastore/media_store_container_policy/wildcard_principal/rule.yml new file mode 100644 index 0000000..97478e3 --- /dev/null +++ b/cli/assets/terraform/aws/mediastore/media_store_container_policy/wildcard_principal/rule.yml @@ -0,0 +1,26 @@ +--- +version: 1 +description: Terraform rules +type: Terraform +files: + - "*.tf" + - "*.tfvars" +rules: + + - id: MEDIASTORE_CONTAINER_WILDCARD_PRINCIPAL + message: MediaStore container allow policy should not use a wildcard princpal + resource: aws_media_store_container_policy + severity: FAILURE + assertions: + - none: + key: policy.Statement + expressions: + - key: Effect + op: eq + value: Allow + - key: Principal + op: contains + value: "*" + tags: + - mediastore + - policy \ No newline at end of file 
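Review bot: The user-facing `message` on the new MediaStore rule misspells principal and should read `message: MediaStore container allow policy should not use a wildcard principal`; the same `princpal` typo is repeated in the SES, SNS, SQS, CloudWatch and ECR rule files added later in this series and in the existing Elasticsearch rule shown as context in patch 04, and since these strings are what operators see and grep for in lint output they are best fixed in one pass. The assertion reports every Allow statement whose Principal contains `*`, including statements that are narrowed by a `Condition` block (for example a service principal restricted with `aws:SourceArn`); that is a sensible conservative default, but it deserves a comment in the rule file such as `# Wildcard principals are reported even when a Condition narrows them; suppress per resource if intended` so the expected false positives are understood. The rule file also lacks a trailing newline.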
diff --git a/cli/assets/terraform/aws/mediastore/media_store_container_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf b/cli/assets/terraform/aws/mediastore/media_store_container_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf new file mode 100644 index 0000000..2e207d2 --- /dev/null +++ b/cli/assets/terraform/aws/mediastore/media_store_container_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf @@ -0,0 +1,121 @@ +# +# https://www.terraform.io/docs/providers/aws/r/media_store_container_policy.html#policy + +provider "aws" { + region = "us-east-1" +} + +# PASS: Allow policy with no wildcard principal +resource "aws_media_store_container_policy" "msc_allow_no_wildcard" { + container_name = "example" + + policy = < Date: Mon, 20 Apr 2020 12:40:18 -0400 Subject: [PATCH 06/13] adding comment for test --- .../wildcard_principal/tests/terraform12/wildcard_principal.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cli/assets/terraform/aws/mediastore/media_store_container_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf b/cli/assets/terraform/aws/mediastore/media_store_container_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf index 2e207d2..c1dc2a0 100644 --- a/cli/assets/terraform/aws/mediastore/media_store_container_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf +++ b/cli/assets/terraform/aws/mediastore/media_store_container_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf @@ -1,4 +1,4 @@ -# +# Test that a MediaStore container policy does not use a wildcard in the principal when allow actions # https://www.terraform.io/docs/providers/aws/r/media_store_container_policy.html#policy provider "aws" { From 63d5a2ae95189abefba31e287408be21d663c4d9 Mon Sep 17 00:00:00 2001 
From: Keith Monihen Date: Mon, 20 Apr 2020 12:53:51 -0400 Subject: [PATCH 07/13] Adding SES identity policy wildcard principal rule --- .../wildcard_principal/rule.yml | 26 ++++ .../tests/terraform12/wildcard_principal.tf | 121 ++++++++++++++++++ .../wildcard_principal/tests/test.yml | 14 ++ 3 files changed, 161 insertions(+) create mode 100644 cli/assets/terraform/aws/ses/ses_identity_policy/wildcard_principal/rule.yml create mode 100644 cli/assets/terraform/aws/ses/ses_identity_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf create mode 100644 cli/assets/terraform/aws/ses/ses_identity_policy/wildcard_principal/tests/test.yml diff --git a/cli/assets/terraform/aws/ses/ses_identity_policy/wildcard_principal/rule.yml b/cli/assets/terraform/aws/ses/ses_identity_policy/wildcard_principal/rule.yml new file mode 100644 index 0000000..6a17839 --- /dev/null +++ b/cli/assets/terraform/aws/ses/ses_identity_policy/wildcard_principal/rule.yml @@ -0,0 +1,26 @@ +--- +version: 1 +description: Terraform rules +type: Terraform +files: + - "*.tf" + - "*.tfvars" +rules: + + - id: SES_IDENTITY_WILDCARD_PRINCIPAL + message: SES identity allow policy should not use a wildcard princpal + resource: aws_ses_identity_policy + severity: FAILURE + assertions: + - none: + key: policy.Statement + expressions: + - key: Effect + op: eq + value: Allow + - key: Principal + op: contains + value: "*" + tags: + - elasticsearch + - policy \ No newline at end of file diff --git a/cli/assets/terraform/aws/ses/ses_identity_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf b/cli/assets/terraform/aws/ses/ses_identity_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf new file mode 100644 index 0000000..f371b0c --- /dev/null +++ b/cli/assets/terraform/aws/ses/ses_identity_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf 
@@ -0,0 +1,121 @@ +# Test that SES identity policy is not using a wildcard principal for allow statements +# https://www.terraform.io/docs/providers/aws/r/ses_identity_policy.html#policy + +provider "aws" { + region = "us-east-1" +} + +# PASS: SES identity allow without using a wildcard principal +resource "aws_ses_identity_policy" "ses_allow_without_wildcard" { + identity = "arn:aws:ses:us-west-2:123456789012:identity/example.com" + name = "example" + policy = < Date: Mon, 20 Apr 2020 13:12:09 -0400 Subject: [PATCH 08/13] Adding SNS policy wildcard principal rule --- .../sns/shared/wildcard_principal/rule.yml | 28 +++++ .../sns_topic_policy_wildcard_principal.tf | 116 ++++++++++++++++++ .../sns_topic_wildcard_principal.tf | 112 +++++++++++++++++ .../shared/wildcard_principal/tests/test.yml | 14 +++ 4 files changed, 270 insertions(+) create mode 100644 cli/assets/terraform/aws/sns/shared/wildcard_principal/rule.yml create mode 100644 cli/assets/terraform/aws/sns/shared/wildcard_principal/tests/terraform12/sns_topic_policy_wildcard_principal.tf create mode 100644 cli/assets/terraform/aws/sns/shared/wildcard_principal/tests/terraform12/sns_topic_wildcard_principal.tf create mode 100644 cli/assets/terraform/aws/sns/shared/wildcard_principal/tests/test.yml diff --git a/cli/assets/terraform/aws/sns/shared/wildcard_principal/rule.yml b/cli/assets/terraform/aws/sns/shared/wildcard_principal/rule.yml new file mode 100644 index 0000000..df7f2da --- /dev/null +++ b/cli/assets/terraform/aws/sns/shared/wildcard_principal/rule.yml 
@@ -0,0 +1,28 @@ +--- +version: 1 +description: Terraform rules +type: Terraform +files: + - "*.tf" + - "*.tfvars" +rules: + + - id: SNS_POLICY_WILDCARD_PRINCIPAL + message: SNS topic allow policy should not use a wildcard princpal + resources: + - aws_sns_topic + - aws_sns_topic_policy + severity: FAILURE + assertions: + - none: + key: policy.Statement + expressions: + - key: Effect + op: eq + value: Allow + - key: Principal + op: contains + value: "*" + tags: + - sns + - policy \ No newline at end of file diff --git a/cli/assets/terraform/aws/sns/shared/wildcard_principal/tests/terraform12/sns_topic_policy_wildcard_principal.tf b/cli/assets/terraform/aws/sns/shared/wildcard_principal/tests/terraform12/sns_topic_policy_wildcard_principal.tf new file mode 100644 index 0000000..5720ded --- /dev/null +++ b/cli/assets/terraform/aws/sns/shared/wildcard_principal/tests/terraform12/sns_topic_policy_wildcard_principal.tf 
@@ -0,0 +1,116 @@ +# Test that SNS topic policy does not use a wildcard principal for allow statements +# https://www.terraform.io/docs/providers/aws/r/sns_topic_policy.html#policy + +provider "aws" { + region = "us-east-1" +} + +# PASS: SNS topic allow policy does not use a wildcard principal +resource "aws_sns_topic_policy" "sns_policy_allow_no_wildcard" { + arn = "arn:aws:sns:us-east-1:123456789012:test-topic" + policy = < Date: Mon, 20 Apr 2020 13:27:27 -0400 Subject: [PATCH 09/13] Adding SQS queue wildcard principal rule --- .../sqs/shared/wildcard_principal/rule.yml | 28 +++++ .../sqs_queue_policy_wildcard_principal.tf | 116 ++++++++++++++++++ .../sqs_queue_wildcard_principal.tf | 112 +++++++++++++++++ .../shared/wildcard_principal/tests/test.yml | 14 +++ 4 files changed, 270 insertions(+) create mode 100644 cli/assets/terraform/aws/sqs/shared/wildcard_principal/rule.yml create mode 100644 cli/assets/terraform/aws/sqs/shared/wildcard_principal/tests/terraform12/sqs_queue_policy_wildcard_principal.tf create mode 100644 cli/assets/terraform/aws/sqs/shared/wildcard_principal/tests/terraform12/sqs_queue_wildcard_principal.tf create mode 100644 cli/assets/terraform/aws/sqs/shared/wildcard_principal/tests/test.yml diff --git a/cli/assets/terraform/aws/sqs/shared/wildcard_principal/rule.yml b/cli/assets/terraform/aws/sqs/shared/wildcard_principal/rule.yml new file mode 100644 index 0000000..b3dd193 --- /dev/null +++ b/cli/assets/terraform/aws/sqs/shared/wildcard_principal/rule.yml 
@@ -0,0 +1,28 @@ +--- +version: 1 +description: Terraform rules +type: Terraform +files: + - "*.tf" + - "*.tfvars" +rules: + + - id: SQS_POLICY_WILDCARD_PRINCIPAL + message: SQS queue allow policy should not use a wildcard princpal + resources: + - aws_sqs_queue + - aws_sqs_queue_policy + severity: FAILURE + assertions: + - none: + key: policy.Statement + expressions: + - key: Effect + op: eq + value: Allow + - key: Principal + op: contains + value: "*" + tags: + - sqs + - policy \ No newline at end of file diff --git a/cli/assets/terraform/aws/sqs/shared/wildcard_principal/tests/terraform12/sqs_queue_policy_wildcard_principal.tf b/cli/assets/terraform/aws/sqs/shared/wildcard_principal/tests/terraform12/sqs_queue_policy_wildcard_principal.tf new file mode 100644 index 0000000..d98cf6d --- /dev/null +++ b/cli/assets/terraform/aws/sqs/shared/wildcard_principal/tests/terraform12/sqs_queue_policy_wildcard_principal.tf @@ -0,0 +1,116 @@ +# Test that SQS queue policy does not use a wildcard principal for allow statements +# https://www.terraform.io/docs/providers/aws/r/sqs_queue_policy.html#policy + +provider "aws" { + region = "us-east-1" +} + +# PASS: SQS queue allow policy does not use a wildcard principal +resource "aws_sqs_queue_policy" "sqs_policy_allow_no_wildcard" { + queue_url = "https://queue.amazonaws.com/0123456789012/myqueue" + policy = < Date: Mon, 20 Apr 2020 14:05:49 -0400 Subject: [PATCH 10/13] Fixed bug where access_policy JSON was not handled --- linter/terraform.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linter/terraform.go b/linter/terraform.go index 461df2f..34af371 100644 --- a/linter/terraform.go +++ b/linter/terraform.go 
@@ -323,7 +323,7 @@ func replaceVariablesInList(list []interface{}, variables []Variable) []interfac func parseJSONDocuments(resource interface{}) (interface{}, error) { properties := resource.(map[string]interface{}) - for _, attribute := range []string{"assume_role_policy", "policy", "container_definitions", "access_policies", "container_properties"} { + for _, attribute := range []string{"assume_role_policy", "policy", "container_definitions", "access_policies", "access_policy", "container_properties"} { if policyAttribute, hasPolicyString := properties[attribute]; hasPolicyString { if policyString, isString := policyAttribute.(string); isString { var policy interface{} From c43ebb6caff9c5ac1eb2846d658082a499d0bf37 Mon Sep 17 00:00:00 2001 From: Keith Monihen Date: Mon, 20 Apr 2020 14:06:40 -0400 Subject: [PATCH 11/13] Adding cloudwatch destination policy wildcard rule --- .../wildcard_principal/rule.yml | 26 ++++ .../tests/terraform12/wildcard_principal.tf | 116 ++++++++++++++++++ .../wildcard_principal/tests/test.yml | 14 +++ 3 files changed, 156 insertions(+) create mode 100644 cli/assets/terraform/aws/cloudwatch/cloudwatch_log_destination_policy/wildcard_principal/rule.yml create mode 100644 cli/assets/terraform/aws/cloudwatch/cloudwatch_log_destination_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf create mode 100644 cli/assets/terraform/aws/cloudwatch/cloudwatch_log_destination_policy/wildcard_principal/tests/test.yml diff --git a/cli/assets/terraform/aws/cloudwatch/cloudwatch_log_destination_policy/wildcard_principal/rule.yml b/cli/assets/terraform/aws/cloudwatch/cloudwatch_log_destination_policy/wildcard_principal/rule.yml new file mode 100644 index 0000000..d584f0d --- /dev/null +++ b/cli/assets/terraform/aws/cloudwatch/cloudwatch_log_destination_policy/wildcard_principal/rule.yml 
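Review bot: The list that decides which string attributes are decoded as JSON is an inline literal in the `range` clause, and this commit grows it to seven entries while every rule in this series (`policy.Statement`, `access_policies.Statement`, `access_policy.Statement`) silently depends on its attribute being present there; the CloudWatch rule in the next patch only matches because of this one-word addition. Hoist it to a documented package-level slice, `// jsonDocumentAttributes lists resource attributes whose string value is an embedded JSON document that must be decoded before rule keys such as policy.Statement can resolve.` followed by `var jsonDocumentAttributes = []string{"assume_role_policy", "policy", "container_definitions", "access_policies", "access_policy", "container_properties"}`, and range over that, so a missing entry is found at the declaration rather than by a rule that never fires. A unit test pairing each entry with a minimal resource map containing a JSON string would catch the class of regression this commit fixes. parseJSONDocuments' body continues past the end of the hunk.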
@@ -0,0 +1,26 @@ +--- +version: 1 +description: Terraform rules +type: Terraform +files: + - "*.tf" + - "*.tfvars" +rules: + + - id: CLOUDWATCH_WILDCARD_PRINCIPAL + message: Cloudwatch destination policy allow policy should not use a wildcard princpal + resource: aws_cloudwatch_log_destination_policy + severity: FAILURE + assertions: + - none: + key: access_policy.Statement + expressions: + - key: Effect + op: eq + value: Allow + - key: Principal + op: contains + value: "*" + tags: + - cloudwatch + - policy \ No newline at end of file diff --git a/cli/assets/terraform/aws/cloudwatch/cloudwatch_log_destination_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf b/cli/assets/terraform/aws/cloudwatch/cloudwatch_log_destination_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf new file mode 100644 index 0000000..9b52949 --- /dev/null +++ b/cli/assets/terraform/aws/cloudwatch/cloudwatch_log_destination_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf @@ -0,0 +1,116 @@ +# Test that CloudWatch log destination policy is not using a wildcard principal +# https://www.terraform.io/docs/providers/aws/r/cloudwatch_log_destination_policy.html#access_policy + +provider "aws" { + region = "us-east-1" +} + +# PASS: Allow statement does not use a wildcard principal +resource "aws_cloudwatch_log_destination_policy" "cw_destination_no_wildcard" { + destination_name = "cloudwatch_destination" + access_policy = < Date: Mon, 20 Apr 2020 14:07:07 -0400 Subject: [PATCH 12/13] fixed rule tag --- .../aws/ses/ses_identity_policy/wildcard_principal/rule.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cli/assets/terraform/aws/ses/ses_identity_policy/wildcard_principal/rule.yml b/cli/assets/terraform/aws/ses/ses_identity_policy/wildcard_principal/rule.yml index 6a17839..330b8ca 100644 --- a/cli/assets/terraform/aws/ses/ses_identity_policy/wildcard_principal/rule.yml 
+++ b/cli/assets/terraform/aws/ses/ses_identity_policy/wildcard_principal/rule.yml @@ -22,5 +22,5 @@ rules: op: contains value: "*" tags: - - elasticsearch + - ses - policy \ No newline at end of file From e280e576c19b781160fff58efc0ed08bbbe0c974 Mon Sep 17 00:00:00 2001 From: Keith Monihen Date: Mon, 20 Apr 2020 15:29:00 -0400 Subject: [PATCH 13/13] Adding ECR and IOT allow policy wildcard principal rules --- .../wildcard_principal/rule.yml | 26 ++++ .../tests/terraform12/wildcard_principal.tf | 91 ++++++++++++++ .../wildcard_principal/tests/test.yml | 14 +++ .../iot_policy/wildcard_principal/rule.yml | 26 ++++ .../tests/terraform12/wildcard_principal.tf | 111 ++++++++++++++++++ .../wildcard_principal/tests/test.yml | 14 +++ 6 files changed, 282 insertions(+) create mode 100644 cli/assets/terraform/aws/ecr/ecr_repository_policy/wildcard_principal/rule.yml create mode 100644 cli/assets/terraform/aws/ecr/ecr_repository_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf create mode 100644 cli/assets/terraform/aws/ecr/ecr_repository_policy/wildcard_principal/tests/test.yml create mode 100644 cli/assets/terraform/aws/iot/iot_policy/wildcard_principal/rule.yml create mode 100644 cli/assets/terraform/aws/iot/iot_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf create mode 100644 cli/assets/terraform/aws/iot/iot_policy/wildcard_principal/tests/test.yml diff --git a/cli/assets/terraform/aws/ecr/ecr_repository_policy/wildcard_principal/rule.yml b/cli/assets/terraform/aws/ecr/ecr_repository_policy/wildcard_principal/rule.yml new file mode 100644 index 0000000..bff3f46 --- /dev/null +++ b/cli/assets/terraform/aws/ecr/ecr_repository_policy/wildcard_principal/rule.yml 
@@ -0,0 +1,26 @@ +--- +version: 1 +description: Terraform rules +type: Terraform +files: + - "*.tf" + - "*.tfvars" +rules: + + - id: ECR_WILDCARD_PRINCIPAL + message: ECR allow policy should not use a wildcard princpal + resource: aws_ecr_repository_policy + severity: FAILURE + assertions: + - none: + key: policy.Statement + expressions: + - key: Effect + op: eq + value: Allow + - key: Principal + op: contains + value: "*" + tags: + - ecr + - policy \ No newline at end of file diff --git a/cli/assets/terraform/aws/ecr/ecr_repository_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf b/cli/assets/terraform/aws/ecr/ecr_repository_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf new file mode 100644 index 0000000..854a5e8 --- /dev/null +++ b/cli/assets/terraform/aws/ecr/ecr_repository_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf @@ -0,0 +1,91 @@ +# Test that ECR allow policy is not using a wildcard principal +# https://www.terraform.io/docs/providers/aws/r/ecr_repository_policy.html#policy + +provider "aws" { + region = "us-east-1" +} + +# PASS: Allow policy not using wildcard principal +resource "aws_ecr_repository_policy" "ecr_allow_no_wildcard" { + repository = "ecr-repo" + + policy = <