Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(terraform): catch unknowns with WAF configs #6612

Merged
merged 1 commit into from
Jul 29, 2024
Merged

fix(terraform): catch unknowns with WAF configs #6612

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion checkov/terraform/checks/resource/aws/WAFACLCVE202144228.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
statement = rule.get("statement")
if statement:
self.evaluated_keys = [f"rule/[{idx_rule}]/statement/[0]/managed_rule_group_statement"]
if not isinstance(statement, list):
if not isinstance(statement, list) or not isinstance(statement[0], dict):
return CheckResult.UNKNOWN
managed_group = statement[0].get("managed_rule_group_statement")
if managed_group:
Expand Down
2 changes: 2 additions & 0 deletions checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,8 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
statements = rule.get('statement')
if statements and isinstance(statements, list):
for statement in statements:
if not isinstance(statement, dict):
continue
if statement.get('managed_rule_group_statement'):
passing = True

Expand Down
136 changes: 136 additions & 0 deletions tests/terraform/checks/resource/aws/example_WAFACLCVE202144228/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -265,3 +265,139 @@ resource "aws_wafv2_web_acl" "rule_group_count" {
sampled_requests_enabled = false
}
}


#unknown
resource "aws_wafv2_web_acl" "pass_dynamic" {
name = "default-${var.scope}-web-acl"
scope = var.scope


default_action {
block {}
}


rule {
name = "rule-${var.scope}-AWSManagedRulesCommonRuleSet"
priority = 1

override_action {
none {}
}

statement {
managed_rule_group_statement {
name = "AWSManagedRulesCommonRuleSet"
vendor_name = "AWS"
}
}

visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "rule-${var.scope}-AWSManagedRulesCommonRuleSet"
sampled_requests_enabled = true
}
}

rule {
name = "AWS-AWSManagedRulesKnownBadInputsRuleSet"
priority = 2

override_action {
none {}
}

statement {
managed_rule_group_statement {
name = "AWSManagedRulesKnownBadInputsRuleSet"
vendor_name = "AWS"
}
}

visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "rule-${var.scope}-AWSManagedRulesKnownBadInputsRuleSet"
sampled_requests_enabled = true
}
}

dynamic "rule" {
for_each = var.dynamic_ip_set == "" ? [] : [1]

content {
name = "rule-${var.scope}-ip-allowlist"
priority = 8

action {
allow {}
}

statement {
or_statement {
statement {
ip_set_reference_statement {
arn = aws_wafv2_ip_set.allow.arn
}
}
statement {
ip_set_reference_statement {
arn = data.aws_wafv2_ip_set.github-actions[0].arn
}
}
}
}

visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "rule-${var.scope}-ip-allowlist"
sampled_requests_enabled = true
}
}
}


dynamic "rule" {
for_each = nonsensitive(var.review_token) == "" ? [] : [1]

content {
name = "rule-${var.scope}-review-token-check"
priority = 30

action {
allow {}
}

statement {
byte_match_statement {
positional_constraint = "EXACTLY"
search_string = var.review_token

field_to_match {
single_header {
name = "review-token"
}
}

text_transformation {
priority = 1
type = "NONE"
}
}
}

visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "rule-${var.scope}-review-token-check"
sampled_requests_enabled = true
}
}
}


visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "${var.scope}-web-acl"
sampled_requests_enabled = true
}
}
140 changes: 140 additions & 0 deletions tests/terraform/checks/resource/aws/example_WAFRuleHasAnyActions/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -326,4 +326,144 @@ resource "aws_waf_rule_group" "pass" {
priority = 50
rule_id = aws_waf_rule.example.id
}
}

variable "scope" {
type = string # REGIONAL or CLOUDFRONT
default = "CLOUDFRONT"
}


resource "aws_wafv2_web_acl" "pass_dynamic" {
name = "default-${var.scope}-web-acl"
scope = var.scope


default_action {
block {}
}


rule {
name = "rule-${var.scope}-AWSManagedRulesCommonRuleSet"
priority = 1

override_action {
none {}
}

statement {
managed_rule_group_statement {
name = "AWSManagedRulesCommonRuleSet"
vendor_name = "AWS"
}
}

visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "rule-${var.scope}-AWSManagedRulesCommonRuleSet"
sampled_requests_enabled = true
}
}

rule {
name = "AWS-AWSManagedRulesKnownBadInputsRuleSet"
priority = 2

override_action {
none {}
}

statement {
managed_rule_group_statement {
name = "AWSManagedRulesKnownBadInputsRuleSet"
vendor_name = "AWS"
}
}

visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "rule-${var.scope}-AWSManagedRulesKnownBadInputsRuleSet"
sampled_requests_enabled = true
}
}

dynamic "rule" {
for_each = var.dynamic_ip_set == "" ? [] : [1]

content {
name = "rule-${var.scope}-ip-allowlist"
priority = 8

action {
allow {}
}

statement {
or_statement {
statement {
ip_set_reference_statement {
arn = aws_wafv2_ip_set.allow.arn
}
}
statement {
ip_set_reference_statement {
arn = data.aws_wafv2_ip_set.github-actions[0].arn
}
}
}
}

visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "rule-${var.scope}-ip-allowlist"
sampled_requests_enabled = true
}
}
}


dynamic "rule" {
for_each = nonsensitive(var.review_token) == "" ? [] : [1]

content {
name = "rule-${var.scope}-review-token-check"
priority = 30

action {
allow {}
}

statement {
byte_match_statement {
positional_constraint = "EXACTLY"
search_string = var.review_token

field_to_match {
single_header {
name = "review-token"
}
}

text_transformation {
priority = 1
type = "NONE"
}
}
}

visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "rule-${var.scope}-review-token-check"
sampled_requests_enabled = true
}
}
}


visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "${var.scope}-web-acl"
sampled_requests_enabled = true
}
}
3 changes: 2 additions & 1 deletion tests/terraform/checks/resource/aws/test_WAFRuleHasAnyActions.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,8 @@ def test(self):
'aws_wafv2_rule_group.pass',
'aws_wafregional_rule_group.pass',
'aws_waf_rule_group.pass',
'aws_wafv2_web_acl.pass_managed'
'aws_wafv2_web_acl.pass_managed',
'aws_wafv2_web_acl.pass_dynamic'
}

failing_resources = {
Expand Down
Loading