Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add AWS CFT as an IaC Provider #815

Merged
merged 10 commits into from
Jun 2, 2021
Merged

Add AWS CFT as an IaC Provider #815

merged 10 commits into from
Jun 2, 2021

Conversation

bagulm123
Copy link
Contributor

The PR adds AWS CFT as an IaC Provider for terrascan. Here is a quick run:

index

➜ terrascan scan -h
...
 -i, --iac-type string           iac type (cft, helm, k8s, kustomize, terraform, tfplan)
     --iac-version string        iac version (cft: v1, helm: v3, k8s: v1, kustomize: v3, terraform: v12, v13, v14, tfplan: v1)
...

This allows terrascan users to validate their CF templates against the existing policies for AWS. For example:

➜ terrascan scan -i cft

Violation Details -
	Description    :	Ensure Neptune Cluster is Encrypted
	File           :	/home/mahendrabagul/DevEnv/Accurics/mapper-test-files/cft/neptune-cluster/deploy.json
	Line           :	1
	Severity       :	MEDIUM
	-----------------------------------------------------------------------
Scan Summary -
	File/Folder         :	/home/mahendrabagul/DevEnv/Accurics/mapper-test-files/cft/neptune-cluster
	IaC Type            :	cft
	Scanned At          :	2021-05-26 06:42:45.454097592 +0000 UTC
	Policies Validated  :	607
	Violated Policies   :	1
	Low                 :	0
	Medium              :	1
	High                :	0

@bagulm123
Copy link
Contributor Author

@amirbenv Kindly have a look at this PR.

@sigmabaryon sigmabaryon force-pushed the iac-provider-cft branch 2 times, most recently from 0c29f46 to 166c63b Compare May 27, 2021 14:49
patilpankaj212
patilpankaj212 reviewed May 28, 2021
View reviewed changes
Copy link
Contributor

@patilpankaj212 patilpankaj212 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @mahendrabagul, @sigmabaryon,
Please add headers missing in go files for config mappers.

@codecov
Copy link

codecov bot commented May 28, 2021
edited
Loading

Codecov Report

Merging #815 (2874061) into master (971845a) will increase coverage by 3.27%.
The diff coverage is 91.15%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master     #815      +/-   ##
==========================================
+ Coverage   74.95%   78.22%   +3.27%     
==========================================
  Files         113      162      +49     
  Lines        3466     4354     +888     
==========================================
+ Hits         2598     3406     +808     
- Misses        676      734      +58     
- Partials      192      214      +22
Impacted Files Coverage Δ
.../mapper/iac-providers/cft/config/iam-access-key.go 0.00% <0.00%> (ø)
pkg/mapper/iac-providers/cft/config/cloudtrail.go 50.00% <50.00%> (ø)
pkg/iac-providers/cft/v1/load-file.go 56.14% <56.14%> (ø)
...ers/cft/config/kinesis-firehose-delivery-stream.go 71.42% <71.42%> (ø)
.../mapper/iac-providers/cft/config/kinesis-stream.go 75.00% <75.00%> (ø)
pkg/mapper/iac-providers/cft/config/mq-broker.go 75.00% <75.00%> (ø)
pkg/mapper/mapper.go 75.00% <75.00%> (ø)
.../mapper/iac-providers/cft/config/ecr-repository.go 78.94% <78.94%> (ø)
...r/iac-providers/cft/config/cloudformation-stack.go 81.81% <81.81%> (ø)
...pper/iac-providers/cft/config/api-gateway-stage.go 84.37% <84.37%> (ø)
... and 91 more

patilpankaj212
patilpankaj212 suggested changes May 29, 2021
View reviewed changes
pkg/iac-providers/cft/v1/load-file.go
case YAMLExtension:
fallthrough
case YAMLExtension2:
iacDocuments, err = utils.LoadYAML(absFilePath)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

utils.LoadYAML is not very useful here, because the number of iac documents is always going to be 1.
Also, using this function is adding extra code as it removes the intrinsic tags.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with @patilpankaj212. It is not necessary to use utils.LoadYAML(). In this particular case. The file data is being parsed multiple number of times which redundant and unnecessary.

We can implement our own loader and optimize.

pkg/iac-providers/cft/v1/load-file.go
// intrinsic tags for cloudformation templates
// (!Ref, !Fn::<> etc are removed and resolved to a string
// which disables parameter resolution by goformation)
if fileExt != JSONExtension {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should be able to avoid this step by using a different yaml loader.

pkg/iac-providers/cft/v1/load-file.go Outdated Show resolved Hide resolved
pkg/iac-providers/cft/v1/load-file_test.go
typeOnly bool
want output.AllResourceConfigs
wantErr error
}{}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please add unit tests.

pkg/mapper/mapper_test.go Outdated Show resolved Hide resolved
pkg/iac-providers/cft/v1/load-file.go Show resolved Hide resolved
patilpankaj212
patilpankaj212 reviewed May 31, 2021
View reviewed changes
pkg/mapper/iac-providers/cft/mapper.go
// Map transforms the provider specific template to terrascan native format.
func (m cftMapper) Map(doc *utils.IacDocument, params ...map[string]interface{}) (output.AllResourceConfigs, error) {
allRC := make(map[string][]output.ResourceConfig)
t, err := extractTemplate(doc)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

any unmarshalling errors by the goformation library are also logged to console. eg:
ERROR: json: cannot unmarshal string into Go struct field SecurityGroup_Ingress.Properties.SecurityGroupIngress.FromPort of type int
we should see how these logs can be suppressed.

@patilpankaj212
Copy link
Contributor

CFT supports modules https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/modules.html
Is it possible to support modules?

patilpankaj212
patilpankaj212 reviewed Jun 1, 2021
View reviewed changes
pkg/mapper/iac-providers/cft/config/iam-role.go

// aws_iam_role_policy as a SubResource
// multiple Policies can be defined for a resource in cft
if r.Policies != nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is it required to create a separate resource for policies when the policy could be part of iam role properties?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is required because Policy is just a property in CloudFormation but a resource in terraform. There are many other resources where this is the case.

Copy link
Contributor

@patilpankaj212 patilpankaj212 Jun 1, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @sigmabaryon. In that case should it also be part of the respective cft resource properties? What is your opinion on this @kanchwala-yusuf ?

bagulm123 and others added 3 commits June 2, 2021 15:50
patilpankaj212
patilpankaj212 suggested changes Jun 2, 2021
View reviewed changes
pkg/iac-providers/cft/v1/load-dir.go Outdated Show resolved Hide resolved
pkg/iac-providers/cft/v1/load-dir.go Outdated Show resolved Hide resolved
pkg/iac-providers/cft/v1/load-dir_test.go
for i := 1; i < len(dirList); i++ {
dir := dirList[i]
t.Run(dir, func(t *testing.T) {
_, gotErr := cftv1.LoadIacDir(dir, false)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should be verifying the output of LoadDir to an expected output.

pkg/iac-providers/cft/v1/load-dir_test.go
dir := dirList[i]
t.Run(dir, func(t *testing.T) {
_, gotErr := cftv1.LoadIacDir(dir, false)
_, ok := gotErr.(*multierror.Error)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this assertion doesn't seem to be correct, we are just expecting the type of error to be multi-error. we should be asserting on expected errors (if any)

pkg/iac-providers/cft/v1/load-dir_test.go
}
}

func TestCFTMapper(t *testing.T) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the right place for mapper tests is in mapper package.

@bagulm123 bagulm123 force-pushed the iac-provider-cft branch 2 times, most recently from 5efeac3 to 84f2681 Compare June 2, 2021 13:14
@sonarcloud
Copy link

sonarcloud bot commented Jun 2, 2021

Kudos, SonarCloud Quality Gate passed!

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 4 Code Smells

No Coverage information No Coverage information
0.0% 0.0% Duplication

@patilpankaj212 patilpankaj212 merged commit 95aba12 into tenable:master Jun 2, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sigmabaryon sigmabaryon sigmabaryon left review comments

@kanchwala-yusuf kanchwala-yusuf kanchwala-yusuf approved these changes

@patilpankaj212 patilpankaj212 patilpankaj212 approved these changes

Assignees

@patilpankaj212 patilpankaj212

@kanchwala-yusuf kanchwala-yusuf

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@bagulm123 @patilpankaj212 @sigmabaryon @kanchwala-yusuf