terraform equivilant query rename + extra case for cloudformation

Author: cx-andre-pereira

assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/query.rego

@@ -28,7 +28,7 @@ CxPolicy[result] {
 	elem := resource[key]
 	elem.Type == "AWS::ECS::TaskDefinition"
     efs := elem.Properties.Volumes[index].EFSVolumeConfiguration
-    not efs.TransitEncryption 
+	not common_lib.valid_key(efs, "TransitEncryption")
 
     result := {
 		"documentId": input.document[i].id,
@@ -40,4 +40,23 @@ CxPolicy[result] {
 		"keyActualValue": sprintf("'Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration.TransitEncryption' is not set", [key, index]),
 		"searchLine": common_lib.build_search_line(["Resources",key,"Properties","Volumes", index,"EFSVolumeConfiguration"], []),
 	}
+}
+
+CxPolicy[result] {
+	resource := input.document[i].Resources
+	elem := resource[key]
+	elem.Type == "AWS::ECS::TaskDefinition"
+    efs := elem.Properties.Volumes[index]
+	not common_lib.valid_key(efs, "EFSVolumeConfiguration")
+
+    result := {
+		"documentId": input.document[i].id,
+		"resourceType": elem.Type,
+		"resourceName": cf_lib.get_resource_name(elem, key),
+		"searchKey": sprintf("Resources.%s.Properties.Volumes", [key]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("'Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration' should be defined", [key, index]),
+		"keyActualValue": sprintf("'Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration' is not defined", [key, index]),
+		"searchLine": common_lib.build_search_line(["Resources",key,"Properties","Volumes", index], []),
+	}
 }

assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive3.json

@@ -0,0 +1,64 @@
+{
+    "AWSTemplateFormatVersion": "2010-09-09",
+    "Description": "A sample template",
+    "Resources": {
+      "ECSService": {
+        "Properties": {
+          "LoadBalancers": [
+            {
+              "TargetGroupArn": {
+                "Ref": "TargetGroup"
+              },
+              "ContainerPort": 80,
+              "ContainerName": "sample-app"
+            }
+          ],
+          "Cluster": {
+            "Ref": "ECSCluster"
+          },
+          "LaunchType": "FARGATE",
+          "Role": {
+            "Ref": "ECSServiceRole"
+          },
+          "TaskDefinition": {
+            "Ref": "ECSTaskDefinition"
+          },
+          "DesiredCount": 1
+        },
+        "Type": "AWS::ECS::Service",
+        "DependsOn": [
+          "Listener"
+        ]
+      },
+      "taskdefinition": {
+        "Type": "AWS::ECS::TaskDefinition",
+        "Properties": {
+            "ContainerDefinitions": [
+                {
+                    "Name": "container-using-efs",
+                    "Image": "amazonlinux:2",
+                    "EntryPoint": [
+                        "sh",
+                        "-c"
+                    ],
+                    "Command": [
+                        "ls -la /mount/efs"
+                    ],
+                    "MountPoints": [
+                        {
+                            "SourceVolume": "myEfsVolume",
+                            "ContainerPath": "/mount/efs",
+                            "ReadOnly": true
+                        }
+                    ]
+                }
+            ],
+            "Volumes": [
+                {
+                    "Name": "myEfsVolume"
+                }
+            ]
+        }
+      }
+    }
+  }

assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive4.yaml

@@ -47,4 +47,5 @@ Resources:
           Host:
             SourcePath: "/var/lib/docker/vfs/dir/"
           EFSVolumeConfiguration:
+            TransitEncryption: DISABLED
           Name: "my-vol"

assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive3.yaml renamed to assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive5.yaml

@@ -47,5 +47,4 @@ Resources:
           Host:
             SourcePath: "/var/lib/docker/vfs/dir/"
           EFSVolumeConfiguration:
-            TransitEncryption: DISABLED
           Name: "my-vol"

assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive6.yaml

@@ -0,0 +1,49 @@
+Resources:
+  taskdefinition:
+    Type: AWS::ECS::TaskDefinition
+    Properties:
+      ContainerDefinitions:
+        -
+          Name:
+            Ref: "AppName"
+          MountPoints:
+            -
+              SourceVolume: "my-vol"
+              ContainerPath: "/var/www/my-vol"
+          Image: "amazon/amazon-ecs-sample"
+          Cpu: 256
+          PortMappings:
+            -
+              ContainerPort:
+                Ref: "AppContainerPort"
+              HostPort:
+                Ref: "AppHostPort"
+          EntryPoint:
+            - "/usr/sbin/apache2"
+            - "-D"
+            - "FOREGROUND"
+          Memory: 512
+          Essential: true
+          Environment:
+            -
+              Name: PASSWORD
+        -
+          Name: "busybox"
+          Image: "busybox"
+          Cpu: 256
+          EntryPoint:
+            - "sh"
+            - "-c"
+          Memory: 512
+          Command:
+            - "/bin/sh -c \"while true; do /bin/date > /var/www/my-vol/date; sleep 1; done\""
+          Essential: false
+          VolumesFrom:
+            -
+              SourceContainer:
+                Ref: "AppName"
+      Volumes:
+        -
+          Host:
+            SourcePath: "/var/lib/docker/vfs/dir/"
+          Name: "my-vol"

assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json

@@ -11,16 +11,28 @@
     "line": 59,
     "fileName": "positive2.json"
   },
+  {
+    "queryName": "EFS Volume With Disabled Transit Encryption",
+    "severity": "MEDIUM",
+    "line": 53,
+    "fileName": "positive3.json"
+  },
   {
     "queryName": "EFS Volume With Disabled Transit Encryption",
     "severity": "MEDIUM",
     "line": 50,
-    "fileName": "positive3.yaml"
+    "fileName": "positive4.yaml"
   },
   {
     "queryName": "EFS Volume With Disabled Transit Encryption",
     "severity": "MEDIUM",
     "line": 49,
-    "fileName": "positive4.yaml"
+    "fileName": "positive5.yaml"
+  },
+  {
+    "queryName": "EFS Volume With Disabled Transit Encryption",
+    "severity": "MEDIUM",
+    "line": 45,
+    "fileName": "positive6.yaml"
   }
 ]

assets/queries/terraform/aws/ecs_task_definition_volume_not_encrypted/test/positive_expected_result.json

@@ -1,12 +1,13 @@
 {
   "id": "4d46ff3b-7160-41d1-a310-71d6d370b08f",
-  "queryName": "ECS Task Definition Volume Not Encrypted",
-  "severity": "HIGH",
+  "queryName": "EFS Volume With Disabled Transit Encryption",
+  "severity": "MEDIUM",
   "category": "Encryption",
   "descriptionText": "AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted",
   "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#transit_encryption",
   "platform": "Terraform",
   "descriptionID": "b01e131b",
   "cloudProvider": "aws",
-  "cwe": "311"
+  "cwe": "312",
+  "oldSeverity": "HIGH"
 }