fix: Allow ignores of implied IAM resources (#849)

aquasecurity · Aug 15, 2022 · 4d89a77 · 4d89a77
1 parent c5b4fd0
commit 4d89a77
Show file tree

Hide file tree

Showing 5 changed files with 99 additions and 5 deletions.
diff --git a/internal/adapters/terraform/aws/iam/groups.go b/internal/adapters/terraform/aws/iam/groups.go
@@ -25,7 +25,15 @@ func adaptGroups(modules terraform.Modules) []iam.Group {
 		if err != nil {
 			continue
 		}
-		group := groupMap[groupBlock.ID()]
+		group, ok := groupMap[groupBlock.ID()]
+		if !ok {
+			group = iam.Group{
+				Metadata: groupBlock.GetMetadata(),
+				Name:     groupBlock.GetAttribute("name").AsStringValueOrDefault("", groupBlock),
+				Users:    nil,
+				Policies: nil,
+			}
+		}
 		group.Policies = append(group.Policies, policy)
 		groupMap[groupBlock.ID()] = group
 	}
@@ -54,7 +62,15 @@ func adaptGroups(modules terraform.Modules) []iam.Group {
 		if err != nil {
 			continue
 		}
-		group := groupMap[groupBlock.ID()]
+		group, ok := groupMap[groupBlock.ID()]
+		if !ok {
+			group = iam.Group{
+				Metadata: groupBlock.GetMetadata(),
+				Name:     groupBlock.GetAttribute("name").AsStringValueOrDefault("", groupBlock),
+				Users:    nil,
+				Policies: nil,
+			}
+		}
 		group.Policies = append(group.Policies, policy)
 		groupMap[groupBlock.ID()] = group
 	}

diff --git a/internal/adapters/terraform/aws/iam/roles.go b/internal/adapters/terraform/aws/iam/roles.go
@@ -27,7 +27,14 @@ func adaptRoles(modules terraform.Modules) []iam.Role {
 		if err != nil {
 			continue
 		}
-		role := roleMap[roleBlock.ID()]
+		role, ok := roleMap[roleBlock.ID()]
+		if !ok {
+			role = iam.Role{
+				Metadata: roleBlock.GetMetadata(),
+				Name:     roleBlock.GetAttribute("name").AsStringValueOrDefault("", roleBlock),
+				Policies: nil,
+			}
+		}
 		role.Policies = append(role.Policies, policy)
 		roleMap[roleBlock.ID()] = role
 	}

diff --git a/internal/adapters/terraform/aws/iam/users.go b/internal/adapters/terraform/aws/iam/users.go
@@ -25,7 +25,18 @@ func adaptUsers(modules terraform.Modules) []iam.User {
 		if err != nil {
 			continue
 		}
-		user := userMap[userBlock.ID()]
+		user, ok := userMap[userBlock.ID()]
+		if !ok {
+			user = iam.User{
+				Metadata:   userBlock.GetMetadata(),
+				Name:       userBlock.GetAttribute("name").AsStringValueOrDefault("", userBlock),
+				Groups:     nil,
+				Policies:   nil,
+				AccessKeys: nil,
+				MFADevices: nil,
+				LastAccess: defsecTypes.TimeUnresolvable(userBlock.GetMetadata()),
+			}
+		}
 		user.Policies = append(user.Policies, policy)
 		userMap[userBlock.ID()] = user
 	}

diff --git a/internal/adapters/terraform/google/iam/org_iam.go b/internal/adapters/terraform/google/iam/org_iam.go
@@ -24,7 +24,16 @@ func (a *adapter) adaptOrganizationMembers() {
 		if refBlock, err := a.modules.GetReferencedBlock(organizationAttr, iamBlock); err == nil {
 			if refBlock.TypeLabel() == "google_organization" {
 				a.addOrg(refBlock.ID())
-				org := a.orgs[refBlock.ID()]
+				org, ok := a.orgs[refBlock.ID()]
+				if !ok {
+					org = iam.Organization{
+						Metadata: refBlock.GetMetadata(),
+						Folders:  nil,
+						Projects: nil,
+						Members:  []iam.Member{member},
+						Bindings: nil,
+					}
+				}
 				org.Members = append(org.Members, member)
 				a.orgs[refBlock.ID()] = org
 				continue

diff --git a/test/ignore_test.go b/test/ignore_test.go
@@ -340,3 +340,54 @@ resource "bad" "my-rule" {
 `, "testworkspace")
 	assert.Len(t, results.GetFailed(), 0)
 }
+
+func Test_IgnoreForImpliedIAMResource(t *testing.T) {
+	reg := rules.Register(exampleRule, nil)
+	defer rules.Deregister(reg)
+
+	results := scanHCL(t, `
+terraform {
+required_version = "~> 1.1.6"
+
+required_providers {
+aws = {
+source  = "hashicorp/aws"
+version = "~> 3.48"
+}
+}
+}
+
+# Retrieve an IAM group defined outside of this Terraform config.
+
+# tfsec:ignore:aws-iam-enforce-mfa
+data "aws_iam_group" "externally_defined_group" {
+group_name = "group-name" # tfsec:ignore:aws-iam-enforce-mfa
+}
+
+# Create an IAM policy and attach it to the group.
+
+# tfsec:ignore:aws-iam-enforce-mfa
+resource "aws_iam_policy" "test_policy" {
+name   = "test-policy" # tfsec:ignore:aws-iam-enforce-mfa
+policy = data.aws_iam_policy_document.test_policy.json # tfsec:ignore:aws-iam-enforce-mfa
+}
+
+# tfsec:ignore:aws-iam-enforce-mfa
+resource "aws_iam_group_policy_attachment" "test_policy_attachment" {
+group      = data.aws_iam_group.externally_defined_group.group_name # tfsec:ignore:aws-iam-enforce-mfa
+policy_arn = aws_iam_policy.test_policy.arn # tfsec:ignore:aws-iam-enforce-mfa
+}
+
+# tfsec:ignore:aws-iam-enforce-mfa
+data "aws_iam_policy_document" "test_policy" {
+statement {
+sid = "PublishToCloudWatch" # tfsec:ignore:aws-iam-enforce-mfa
+actions = [
+"cloudwatch:PutMetricData", # tfsec:ignore:aws-iam-enforce-mfa
+]
+resources = ["*"] # tfsec:ignore:aws-iam-enforce-mfa
+}
+}
+`)
+	assert.Len(t, results.GetFailed(), 0)
+}