From 757c52197a927f119d7359d067793deeac3e1190 Mon Sep 17 00:00:00 2001
From: Nick Gerow
Date: Sat, 29 Oct 2022 19:32:33 -0400
Subject: [PATCH 1/2] Added a new check for API Gateway Method Settings data trace
---
 .../aws/APIGatewayMethodSettingsDataTrace.py | 21 ++++++++++
 .../main.tf | 25 ++++++++++++
 .../test_APIGatewayMethodSettingsDataTrace.py | 40 +++++++++++++++++++
 3 files changed, 86 insertions(+)
 create mode 100644 checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsDataTrace.py
 create mode 100644 tests/terraform/checks/resource/aws/example_APIGatewayMethodSettingsDataTrace/main.tf
 create mode 100644 tests/terraform/checks/resource/aws/test_APIGatewayMethodSettingsDataTrace.py
diff --git a/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsDataTrace.py b/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsDataTrace.py
new file mode 100644
index 00000000000..5ac151a1618
--- /dev/null
+++ b/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsDataTrace.py
@@ -0,0 +1,21 @@
+from checkov.terraform.checks.resource.base_resource_negative_value_check import BaseResourceNegativeValueCheck
+from checkov.common.models.enums import CheckCategories
+
+
+class APIGatewayMethodSettingsDataTrace(BaseResourceNegativeValueCheck):
+
+ def __init__(self):
+ name = "Ensure Data Trace is not enabled in API Gateway Method Settings"
+ id = "CKV_AWS_276"
+ supported_resources = ['aws_api_gateway_method_settings']
+ categories = [CheckCategories.LOGGING]
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+ def get_inspected_key(self):
+ return "settings/[0]/data_trace_enabled"
+
+ def get_forbidden_values(self):
+ return [True]
+
+
+check = APIGatewayMethodSettingsDataTrace()
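Review bot: The new check class has no docstring, so nothing in the hunk says what `data_trace_enabled = true` exposes or why the check is filed under `CheckCategories.LOGGING`; add one directly under the `class` line, e.g. `"""Fails aws_api_gateway_method_settings whose settings block enables data trace, which makes API Gateway log full request and response payloads (headers included) to CloudWatch Logs, where credentials and personal data can leak."""`. The three methods also lack return annotations (`-> None`, `-> str`, `-> list[Any]`, the last needing `from typing import Any`); the same applies to the patch-2 hunk that rewrites `__init__`. A resource with no `settings` block at all (the fixture's `pass_implicit`) presumably passes through the base class's default result for a missing key — a one-line comment on `get_inspected_key` stating that would spare the next reader a trip into `BaseResourceNegativeValueCheck` to confirm it.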
diff --git a/tests/terraform/checks/resource/aws/example_APIGatewayMethodSettingsDataTrace/main.tf b/tests/terraform/checks/resource/aws/example_APIGatewayMethodSettingsDataTrace/main.tf
new file mode 100644
index 00000000000..23e0519e648
--- /dev/null
+++ b/tests/terraform/checks/resource/aws/example_APIGatewayMethodSettingsDataTrace/main.tf
@@ -0,0 +1,25 @@
+resource "aws_api_gateway_method_settings" "fail" {
+ rest_api_id = aws_api_gateway_rest_api.test.id
+ stage_name = aws_api_gateway_stage.test.stage_name
+ method_path = "path1/GET"
+
+ settings {
+ data_trace_enabled = true
+ }
+}
+
+resource "aws_api_gateway_method_settings" "pass_explicit" {
+ rest_api_id = aws_api_gateway_rest_api.test.id
+ stage_name = aws_api_gateway_stage.test.stage_name
+ method_path = "path1/GET"
+
+ settings {
+ data_trace_enabled = false
+ }
+}
+
+resource "aws_api_gateway_method_settings" "pass_implicit" {
+ rest_api_id = aws_api_gateway_rest_api.test.id
+ stage_name = aws_api_gateway_stage.test.stage_name
+ method_path = "path1/GET"
+}
\ No newline at end of file
diff --git a/tests/terraform/checks/resource/aws/test_APIGatewayMethodSettingsDataTrace.py b/tests/terraform/checks/resource/aws/test_APIGatewayMethodSettingsDataTrace.py
new file mode 100644
index 00000000000..b26279d7818
--- /dev/null
+++ b/tests/terraform/checks/resource/aws/test_APIGatewayMethodSettingsDataTrace.py
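Review bot: The fixture has no `settings` block that sets other attributes while leaving `data_trace_enabled` out, which is the usual real-world shape and likely a different path through the `settings/[0]/data_trace_enabled` lookup than `pass_implicit` (no `settings` block at all); a fourth resource covers it, with `summary["passed"]` in the test raised to 3 and the new name added to `passing_resources`. The file also ends without a trailing newline (`\ No newline at end of file`).
```hcl
# … unchanged: fail, pass_explicit and pass_implicit resources …

resource "aws_api_gateway_method_settings" "pass_other_settings" {
  rest_api_id = aws_api_gateway_rest_api.test.id
  stage_name  = aws_api_gateway_stage.test.stage_name
  method_path = "path1/GET"

  settings {
    metrics_enabled = true
  }
}
```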
@@ -0,0 +1,40 @@
+import os
+import unittest
+
+from checkov.runner_filter import RunnerFilter
+from checkov.terraform.runner import Runner
+from checkov.terraform.checks.resource.aws.APIGatewayMethodSettingsDataTrace import check
+
+
+class TestAPIGatewayMethodSettingsDataTrace(unittest.TestCase):
+
+ def test(self):
+ runner = Runner()
+ current_dir = os.path.dirname(os.path.realpath(__file__))
+
+ test_files_dir = os.path.join(current_dir, "example_APIGatewayMethodSettingsDataTrace")
+ report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
+ summary = report.get_summary()
+
+ passing_resources = {
+ "aws_api_gateway_method_settings.pass_explicit",
+ "aws_api_gateway_method_settings.pass_implicit",
+ }
+ failing_resources = {
+ "aws_api_gateway_method_settings.fail",
+ }
+
+ passed_check_resources = set([c.resource for c in report.passed_checks])
+ failed_check_resources = set([c.resource for c in report.failed_checks])
+
+ self.assertEqual(summary["passed"], 2)
+ self.assertEqual(summary["failed"], 1)
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == '__main__':
+ unittest.main()
From 808755baf84080a448ef15bbecdf494a8425dbb1 Mon Sep 17 00:00:00 2001
From: Nick Gerow
Date: Tue, 1 Nov 2022 10:35:41 -0400
Subject: [PATCH 2/2] Apply suggestions from code review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Anton GrĂ¼bel
---
 .../checks/resource/aws/APIGatewayMethodSettingsDataTrace.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsDataTrace.py b/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsDataTrace.py
index 5ac151a1618..fa28dcc211f 100644
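Review bot: `passed_check_resources = set([c.resource for c in report.passed_checks])` and the line after it build a list only to turn it into a set; write them as set comprehensions, `passed_check_resources = {c.resource for c in report.passed_checks}` and `failed_check_resources = {c.resource for c in report.failed_checks}`. The hard-coded `summary["passed"], 2` and `summary["failed"], 1` restate the two resource sets, so a one-line comment such as `# counts must match the resources declared in example_APIGatewayMethodSettingsDataTrace/main.tf` saves whoever extends the fixture from a confusing failure.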
--- a/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsDataTrace.py
+++ b/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsDataTrace.py
@@ -3,12 +3,11 @@
 class APIGatewayMethodSettingsDataTrace(BaseResourceNegativeValueCheck):
-
 def __init__(self):
 name = "Ensure Data Trace is not enabled in API Gateway Method Settings"
 id = "CKV_AWS_276"
- supported_resources = ['aws_api_gateway_method_settings']
- categories = [CheckCategories.LOGGING]
+ supported_resources = ('aws_api_gateway_method_settings',)
+ categories = (CheckCategories.LOGGING,)
 super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 def get_inspected_key(self):