From 86714bf6bf40ea3e3c0cbc6d1c9d0a11bb5834bf Mon Sep 17 00:00:00 2001
From: Nikita Pivkin
Date: Wed, 3 Apr 2024 01:41:30 +0300
Subject: [PATCH] feat(cloudformation): add support for logging and endpoint access for EKS (#6440)

---
 .../cloudformation/aws/eks/cluster.go | 98 +++++++++++++------
 .../cloudformation/aws/eks/eks_test.go | 38 ++++++-
 2 files changed, 103 insertions(+), 33 deletions(-)

diff --git a/pkg/iac/adapters/cloudformation/aws/eks/cluster.go b/pkg/iac/adapters/cloudformation/aws/eks/cluster.go
index d4c80e72dbd..c960924e33d 100644
--- a/pkg/iac/adapters/cloudformation/aws/eks/cluster.go
+++ b/pkg/iac/adapters/cloudformation/aws/eks/cluster.go
@@ -12,22 +12,11 @@ func getClusters(ctx parser.FileContext) (clusters []eks.Cluster) { for _, r := range clusterResources { cluster := eks.Cluster{ - Metadata: r.Metadata(), - // Logging not supported for cloudformation https://github.com/aws/containers-roadmap/issues/242 - // TODO: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-cluster.html#cfn-eks-cluster-logging - Logging: eks.Logging{ - Metadata: r.Metadata(), - API: iacTypes.BoolUnresolvable(r.Metadata()), - Audit: iacTypes.BoolUnresolvable(r.Metadata()), - Authenticator: iacTypes.BoolUnresolvable(r.Metadata()), - ControllerManager: iacTypes.BoolUnresolvable(r.Metadata()), - Scheduler: iacTypes.BoolUnresolvable(r.Metadata()), - }, - Encryption: getEncryptionConfig(r), - // endpoint protection not supported - https://github.com/aws/containers-roadmap/issues/242 - // TODO: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-cluster.html#cfn-eks-cluster-resourcesvpcconfig - PublicAccessEnabled: iacTypes.BoolUnresolvable(r.Metadata()), - PublicAccessCIDRs: nil, + Metadata: r.Metadata(), + Logging: getLogging(r), + Encryption: getEncryptionConfig(r), + PublicAccessEnabled: r.GetBoolProperty("ResourcesVpcConfig.EndpointPublicAccess"), + PublicAccessCIDRs: getPublicCIDRs(r), } clusters = append(clusters, cluster) 
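Review bot: `PublicAccessEnabled: r.GetBoolProperty("ResourcesVpcConfig.EndpointPublicAccess")` will evaluate to false for a template that omits ResourcesVpcConfig unless the helper's implicit default happens to be true, yet AWS::EKS::Cluster defaults EndpointPublicAccess to true, so an unconfigured cluster — the one actually exposing its API server to the internet — would be reported as private, a false negative for the public-endpoint check. If GetBoolProperty takes a default as its sibling getters appear to, make it explicit: `PublicAccessEnabled: r.GetBoolProperty("ResourcesVpcConfig.EndpointPublicAccess", true),`; otherwise check `IsNil()` on the property and fall back to `iacTypes.BoolDefault(true, r.Metadata())`. The same reasoning applies to `PublicAccessCIDRs: getPublicCIDRs(r)`, which yields nil when PublicAccessCidrs is absent although the service default is 0.0.0.0/0; at minimum a `// unset means 0.0.0.0/0 on the service side` comment should record that the nil result is not "no public CIDRs". getClusters starts before this hunk and its body continues past it.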
@@ -35,26 +24,71 @@ func getClusters(ctx parser.FileContext) (clusters []eks.Cluster) { return clusters } +func getPublicCIDRs(r *parser.Resource) []iacTypes.StringValue { + publicAccessCidrs := r.GetProperty("ResourcesVpcConfig.PublicAccessCidrs") + if publicAccessCidrs.IsNotList() { + return nil + } + + var cidrs []iacTypes.StringValue + for _, el := range publicAccessCidrs.AsList() { + cidrs = append(cidrs, el.AsStringValue()) + } + + return cidrs +} + func getEncryptionConfig(r *parser.Resource) eks.Encryption { - encryption := eks.Encryption{ + encryptionConfigs := r.GetProperty("EncryptionConfig") + if encryptionConfigs.IsNotList() { + return eks.Encryption{ + Metadata: r.Metadata(), + } + } + + for _, encryptionConfig := range encryptionConfigs.AsList() { + resources := encryptionConfig.GetProperty("Resources") + hasSecrets := resources.IsList() && resources.Contains("secrets") + return eks.Encryption{ + Metadata: encryptionConfig.Metadata(), + KMSKeyID: encryptionConfig.GetStringProperty("Provider.KeyArn"), + Secrets: iacTypes.Bool(hasSecrets, resources.Metadata()), + } + } + + return eks.Encryption{ Metadata: r.Metadata(), - Secrets: iacTypes.BoolDefault(false, r.Metadata()), - KMSKeyID: iacTypes.StringDefault("", r.Metadata()), - } - - // TODO: EncryptionConfig is a list - // https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-cluster.html#cfn-eks-cluster-encryptionconfig - if encProp := r.GetProperty("EncryptionConfig"); encProp.IsNotNil() { - encryption.Metadata = encProp.Metadata() - encryption.KMSKeyID = encProp.GetStringProperty("Provider.KeyArn") - resourcesProp := encProp.GetProperty("Resources") - if resourcesProp.IsList() { - if resourcesProp.Contains("secrets") { - encryption.Secrets = iacTypes.Bool(true, resourcesProp.Metadata()) - } + } +} + +func getLogging(r *parser.Resource) eks.Logging { + enabledTypes := r.GetProperty("Logging.ClusterLogging.EnabledTypes") + if enabledTypes.IsNotList() { + return eks.Logging{ + 
Metadata: r.Metadata(), } } - return encryption + logging := eks.Logging{ + Metadata: enabledTypes.Metadata(), + } + + for _, typeConf := range enabledTypes.AsList() { + switch typ := typeConf.GetProperty("Type"); typ.AsString() { + case "api": + logging.API = iacTypes.Bool(true, typ.Metadata()) + case "audit": + logging.Audit = iacTypes.Bool(true, typ.Metadata()) + case "authenticator": + logging.Authenticator = iacTypes.Bool(true, typ.Metadata()) + case "controllerManager": + logging.ControllerManager = iacTypes.Bool(true, typ.Metadata()) + case "scheduler": + logging.Scheduler = iacTypes.Bool(true, typ.Metadata()) + } + + } + + return logging } diff --git a/pkg/iac/adapters/cloudformation/aws/eks/eks_test.go b/pkg/iac/adapters/cloudformation/aws/eks/eks_test.go index 84095c3b659..36981f6bf54 100644 --- a/pkg/iac/adapters/cloudformation/aws/eks/eks_test.go +++ b/pkg/iac/adapters/cloudformation/aws/eks/eks_test.go @@ -5,6 +5,7 @@ import ( "github.com/aquasecurity/trivy/pkg/iac/adapters/cloudformation/testutil" "github.com/aquasecurity/trivy/pkg/iac/providers/aws/eks" + "github.com/aquasecurity/trivy/pkg/iac/types" ) func TestAdapt(t *testing.T) { 
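Review bot: In getEncryptionConfig the `for _, encryptionConfig := range encryptionConfigs.AsList()` loop returns unconditionally on its first iteration, so only the first EncryptionConfig entry is ever inspected (staticcheck SA4004 will flag this), and a template whose `secrets` resource is listed in a later entry is reported as Secrets=false; the trailing `return eks.Encryption{Metadata: r.Metadata()}` is reached only for an empty list. Either document that the first entry is authoritative with a `// EKS accepts a single EncryptionConfig entry today; only the first is adapted` comment, or fold all entries as sketched below, which keeps the first entry's key and metadata as the current code does but sets Secrets if any entry covers it. Separately, when `Logging.ClusterLogging.EnabledTypes` is absent, getLogging returns zero-value BoolValue fields where the removed code returned BoolUnresolvable; worth confirming the downstream checks treat an unresolvable and an absent value the same way before relying on it. getEncryptionConfig starts in this hunk but the hunk's first lines belong to getClusters, which started earlier.
```go
	encryption := eks.Encryption{
		Metadata: encryptionConfigs.Metadata(),
		Secrets:  iacTypes.BoolDefault(false, encryptionConfigs.Metadata()),
	}
	for i, encryptionConfig := range encryptionConfigs.AsList() {
		// keep the first entry's provider key and metadata, as before
		if i == 0 {
			encryption.Metadata = encryptionConfig.Metadata()
			encryption.KMSKeyID = encryptionConfig.GetStringProperty("Provider.KeyArn")
		}
		resources := encryptionConfig.GetProperty("Resources")
		if resources.IsList() && resources.Contains("secrets") {
			encryption.Secrets = iacTypes.Bool(true, resources.Metadata())
		}
	}
	return encryption
	// … unchanged: getLogging …
```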
@@ -19,9 +20,44 @@ func TestAdapt(t *testing.T) { Resources: EKSCluster: Type: AWS::EKS::Cluster + Properties: + Logging: + ClusterLogging: + EnabledTypes: + - Type: api + - Type: audit + - Type: authenticator + - Type: controllerManager + - Type: scheduler + EncryptionConfig: + - Provider: + KeyArn: alias/mykey + Resources: [secrets] + ResourcesVpcConfig: + EndpointPublicAccess: True + PublicAccessCidrs: + - 0.0.0.0/0 `, expected: eks.EKS{ - Clusters: []eks.Cluster{{}}, + Clusters: []eks.Cluster{ + { + Logging: eks.Logging{ + API: types.BoolTest(true), + Audit: types.BoolTest(true), + Authenticator: types.BoolTest(true), + ControllerManager: types.BoolTest(true), + Scheduler: types.BoolTest(true), + }, + Encryption: eks.Encryption{ + KMSKeyID: types.StringTest("alias/mykey"), + Secrets: types.BoolTest(true), + }, + PublicAccessEnabled: types.BoolTest(true), + PublicAccessCIDRs: []types.StringValue{ + types.StringTest("0.0.0.0/0"), + }, + }, + }, }, }, {
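Review bot: The rewritten case pins `PublicAccessEnabled: types.BoolTest(true)` only when EndpointPublicAccess is written out, and the bare-resource expectation `Clusters: []eks.Cluster{{}}` it replaces was the only case exercising a cluster with no Properties, so the adapter's behaviour for the omitted-property path — the one the AWS service defaults to public — is now unpinned unless the case that begins after this hunk covers it. Consider keeping a second entry whose template is just `EKSCluster: Type: AWS::EKS::Cluster` with the expected `PublicAccessEnabled` value stated explicitly, so a change to the default is caught here rather than in a rule's output. The test table continues past the end of the hunk.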