diff --git a/assets/queries/terraform/aws/rds_deletion_protection_disabled/metadata.json b/assets/queries/terraform/aws/rds_deletion_protection_disabled/metadata.json
new file mode 100644
index 00000000000..a5fca54095f
--- /dev/null
+++ b/assets/queries/terraform/aws/rds_deletion_protection_disabled/metadata.json
@@ -0,0 +1,13 @@
+{
+ "id": "26d982ac-b86d-4915-9372-e723b1c0b886",
+ "queryName": "RDS Deletion Protection Disabled",
+ "severity": "MEDIUM",
+ "category": "Insecure Configurations",
+ "descriptionText": "Amazon RDS instances and Aurora clusters should have deletion protection enabled to prevent accidental or malicious deletion of the database",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#deletion_protection",
+ "platform": "Terraform",
+ "descriptionID": "41f3fc5b",
+ "cloudProvider": "aws",
+ "cwe": "693",
+ "riskScore": "3"
+}
diff --git a/assets/queries/terraform/aws/rds_deletion_protection_disabled/query.rego b/assets/queries/terraform/aws/rds_deletion_protection_disabled/query.rego
new file mode 100644
index 00000000000..5dc18b49a7d
--- /dev/null
+++ b/assets/queries/terraform/aws/rds_deletion_protection_disabled/query.rego
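Review bot: `descriptionUrl` links only the `aws_db_instance` documentation although `queryName` and `descriptionText` also cover Aurora clusters (`aws_rds_cluster`), which the accompanying query iterates over. The metadata format has a single URL field, so this is acceptable, but `descriptionText` could name the argument so a finding is actionable without following the link, e.g. `"... should have deletion protection enabled (deletion_protection = true) to prevent accidental or malicious deletion of the database"`.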
@@ -0,0 +1,49 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+rdsResources := {"aws_db_instance", "aws_rds_cluster"}
+
+CxPolicy[result] {
+ resourceType := rdsResources[_]
+ resource := input.document[i].resource[resourceType][name]
+
+ not common_lib.valid_key(resource, "deletion_protection")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resourceType,
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("%s[%s]", [resourceType, name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": sprintf("'%s[%s].deletion_protection' should be defined and set to true", [resourceType, name]),
+ "keyActualValue": sprintf("'%s[%s].deletion_protection' is undefined or null", [resourceType, name]),
+ "searchLine": common_lib.build_search_line(["resource", resourceType, name], []),
+ "remediation": "deletion_protection = true",
+ "remediationType": "addition",
+ }
+}
+
+CxPolicy[result] {
+ resourceType := rdsResources[_]
+ resource := input.document[i].resource[resourceType][name]
+
+ resource.deletion_protection == false
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resourceType,
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("%s[%s].deletion_protection", [resourceType, name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("'%s[%s].deletion_protection' should be set to true", [resourceType, name]),
+ "keyActualValue": sprintf("'%s[%s].deletion_protection' is set to false", [resourceType, name]),
+ "searchLine": common_lib.build_search_line(["resource", resourceType, name, "deletion_protection"], []),
+ "remediation": json.marshal({
+ "before": "false",
+ "after": "true",
+ }),
+ "remediationType": "replacement",
+ }
+}
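Review bot: The query carries no comment explaining why an absent `deletion_protection` key is reported as a finding by the first rule, and a reader who does not know the provider default may take the MissingAttribute rule for a false positive. Since the Terraform AWS provider defaults `deletion_protection` to `false` on both `aws_db_instance` and `aws_rds_cluster`, omitting the key is equivalent to disabling the protection, and a one-line comment above the first `CxPolicy[result]` rule, `# deletion_protection defaults to false on both resource types, so an absent key is reported like an explicit false`, would make that explicit. A value that is neither a boolean nor resolved by the variable substitution step (for example an unresolved `var.*` reference left as a string) matches neither `not common_lib.valid_key(...)` nor `== false` and is therefore silently passed; that is presumably intended, but it is worth stating in the same comment. The two rules repeat the same iteration and result skeleton, which matches how other queries in this directory are written, so that is a stylistic observation only.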
diff --git a/assets/queries/terraform/aws/rds_deletion_protection_disabled/test/negative.tf b/assets/queries/terraform/aws/rds_deletion_protection_disabled/test/negative.tf
new file mode 100644
index 00000000000..e19af524e50
--- /dev/null
+++ b/assets/queries/terraform/aws/rds_deletion_protection_disabled/test/negative.tf
@@ -0,0 +1,14 @@
+resource "aws_db_instance" "negative1" {
+ allocated_storage = 10
+ engine = "mysql"
+ instance_class = "db.t3.micro"
+ deletion_protection = true
+}
+
+resource "aws_rds_cluster" "negative2" {
+ cluster_identifier = "aurora-cluster-negative2"
+ engine = "aurora-mysql"
+ master_username = "foo"
+ master_password = "barbarbar"
+ deletion_protection = true
+}
diff --git a/assets/queries/terraform/aws/rds_deletion_protection_disabled/test/positive.tf b/assets/queries/terraform/aws/rds_deletion_protection_disabled/test/positive.tf
new file mode 100644
index 00000000000..8eab040cd31
--- /dev/null
+++ b/assets/queries/terraform/aws/rds_deletion_protection_disabled/test/positive.tf
@@ -0,0 +1,27 @@
+resource "aws_db_instance" "positive1" {
+ allocated_storage = 10
+ engine = "mysql"
+ instance_class = "db.t3.micro"
+ deletion_protection = false
+}
+
+resource "aws_db_instance" "positive2" {
+ allocated_storage = 10
+ engine = "mysql"
+ instance_class = "db.t3.micro"
+}
+
+resource "aws_rds_cluster" "positive3" {
+ cluster_identifier = "aurora-cluster-positive3"
+ engine = "aurora-mysql"
+ master_username = "foo"
+ master_password = "barbarbar"
+ deletion_protection = false
+}
+
+resource "aws_rds_cluster" "positive4" {
+ cluster_identifier = "aurora-cluster-positive4"
+ engine = "aurora-mysql"
+ master_username = "foo"
+ master_password = "barbarbar"
+}
diff --git a/assets/queries/terraform/aws/rds_deletion_protection_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_deletion_protection_disabled/test/positive_expected_result.json
new file mode 100644
index 00000000000..38a3a3d1200
--- /dev/null
+++ b/assets/queries/terraform/aws/rds_deletion_protection_disabled/test/positive_expected_result.json
@@ -0,0 +1,26 @@
+[
+ {
+ "queryName": "RDS Deletion Protection Disabled",
+ "severity": "MEDIUM",
+ "line": 5,
+ "fileName": "positive.tf"
+ },
+ {
+ "queryName": "RDS Deletion Protection Disabled",
+ "severity": "MEDIUM",
+ "line": 8,
+ "fileName": "positive.tf"
+ },
+ {
+ "queryName": "RDS Deletion Protection Disabled",
+ "severity": "MEDIUM",
+ "line": 19,
+ "fileName": "positive.tf"
+ },
+ {
+ "queryName": "RDS Deletion Protection Disabled",
+ "severity": "MEDIUM",
+ "line": 22,
+ "fileName": "positive.tf"
+ }
+]