policy metadata changes to include policy_type and resource_type (#…

…792)

* aws policy changes
* azure policy changes
* gcp policy changes
* github policy changes
* k8s policy changes

pkg/policies/opa/rego/aws/aws_ami/AWS.EC2.Encryption&KeyManagement.Medium.0688.json

@@ -1,6 +1,8 @@
 {
     "name": "amiNotEncrypted",
     "file": "amiNotEncrypted.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_ami",
     "template_args": null,
     "severity": "MEDIUM",
     "description": "Enable AWS AMI Encryption",

pkg/policies/opa/rego/aws/aws_ami_launch_permission/AWS.AMI.NS.Medium.1040.json

@@ -1,6 +1,8 @@
 {
     "name": "amiSharedToMultipleAccounts",
     "file": "amiSharedToMultipleAccounts.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_ami_launch_permission",
     "template_args": {
         "prefix": ""
     },

pkg/policies/opa/rego/aws/aws_api_gateway_method/AC_AWS_056.json

@@ -1,6 +1,8 @@
 {
     "name": "apiGatewayAuthorizationDisabled",
     "file": "apiGatewayAuthorizationDisabled.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_api_gateway_method",
     "template_args": {
         "prefix": ""
     },

pkg/policies/opa/rego/aws/aws_api_gateway_method_settings/AWS.API Gateway.Logging.Medium.0569.json

@@ -1,6 +1,8 @@
 {
     "name": "apiGatewaySettingMetrics",
     "file": "apiGatewaySettingMetrics.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_api_gateway_method_settings",
     "template_args": null,
     "severity": "MEDIUM",
     "description": "Enable Detailed CloudWatch Metrics for APIs",

pkg/policies/opa/rego/aws/aws_api_gateway_rest_api/AWS.APIGateway.Medium.0568.json

@@ -1,10 +1,12 @@
 {
-  "name": "apiGatewayContentEncoding",
-  "file": "apiGatewayContentEncoding.rego",
-  "template_args": null,
-  "severity": "MEDIUM",
-  "description": "Enable Content Encoding",
-  "reference_id": "AWS.APIGateway.Medium.0568",
-  "category": "Infrastructure Security",
-  "version": 1
-}
+    "name": "apiGatewayContentEncoding",
+    "file": "apiGatewayContentEncoding.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_api_gateway_rest_api",
+    "template_args": null,
+    "severity": "MEDIUM",
+    "description": "Enable Content Encoding",
+    "reference_id": "AWS.APIGateway.Medium.0568",
+    "category": "Infrastructure Security",
+    "version": 1
+}

pkg/policies/opa/rego/aws/aws_api_gateway_rest_api/AWS.APIGateway.Network Security.Medium.0570.json

@@ -1,6 +1,8 @@
 {
     "name": "apiGatewayEndpointConfig",
     "file": "apiGatewayEndpointConfig.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_api_gateway_rest_api",
     "template_args": null,
     "severity": "MEDIUM",
     "description": "API Gateway Private Endpoints",

pkg/policies/opa/rego/aws/aws_api_gateway_rest_api_policy/AC_AWS_064.json

@@ -1,6 +1,8 @@
 {
     "name": "apiGatewayRestApiPolicyNotSecure",
     "file": "apiGatewayRestApiPolicyNotSecure.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_api_gateway_rest_api_policy",
     "template_args": {
         "prefix": ""
     },
@@ -9,5 +11,4 @@
     "reference_id": "AC_AWS_064",
     "category": "Identity and Access Management",
     "version": 1
-}
-
+}

pkg/policies/opa/rego/aws/aws_api_gateway_stage/AWS.API Gateway.Logging.Medium.0567.json

@@ -1,6 +1,8 @@
 {
     "name": "apiGatewayName",
     "file": "apiGatewayName.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_api_gateway_stage",
     "template_args": null,
     "severity": "MEDIUM",
     "description": "Enable AWS CloudWatch Logs for APIs",

pkg/policies/opa/rego/aws/aws_api_gateway_stage/AWS.API Gateway.Logging.Medium.0571.json

@@ -1,6 +1,8 @@
 {
     "name": "apiGatewayTracing",
     "file": "apiGatewayTracing.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_api_gateway_stage",
     "template_args": null,
     "severity": "MEDIUM",
     "description": "Enable Active Tracing",

pkg/policies/opa/rego/aws/aws_api_gateway_stage/AWS.API Gateway.Logging.Medium.0572.json

@@ -1,6 +1,8 @@
 {
     "name": "apiGatewayLogging",
     "file": "apiGatewayLogging.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_api_gateway_stage",
     "template_args": {
         "prefix": ""
     },

pkg/policies/opa/rego/aws/aws_api_gateway_stage/AWS.API Gateway.Network Security.Medium.0565.json

@@ -1,6 +1,8 @@
 {
     "name": "apiGatewaySslCertificate",
     "file": "apiGatewaySslCertificate.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_api_gateway_stage",
     "template_args": null,
     "severity": "MEDIUM",
     "description": "Enable SSL Client Certificate",

pkg/policies/opa/rego/aws/aws_apigatewayv2_api/AWS.ApiGatewayV2Api.AccessControl.Medium.0630.json

@@ -1,10 +1,12 @@
 {
     "name": "apiGatewayMiconfiguredCors",
     "file": "apiGatewayMiconfiguredCors.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_apigatewayv2_api",
     "template_args": null,
     "severity": "Medium",
     "description": "Insecure Cross-Origin Resource Sharing Configuration allowing all domains",
     "reference_id": "AWS.ApiGatewayV2Api.AccessControl.0630",
     "category": "Security Best Practices",
     "version": 2
-}
+}

pkg/policies/opa/rego/aws/aws_apigatewayv2_stage/AWS.ApiGatewayV2Stage.Logging.Low.0630.json

@@ -1,10 +1,12 @@
 {
     "name": "apiGatewayNoAccessLogs",
     "file": "apiGatewayNoAccessLogs.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_apigatewayv2_stage",
     "template_args": null,
     "severity": "Low",
     "description": "AWS API Gateway V2 Stage is missing access logs",
     "reference_id": "AWS.ApiGatewayV2Stage.Logging.0630",
     "category": "Logging and Monitoring",
     "version": 2
-}
+}

pkg/policies/opa/rego/aws/aws_athena_database/AC_AWS_016.json

@@ -1,6 +1,8 @@
 {
     "name": "athenaDatabaseEncrypted",
     "file": "athenaDatabaseEncrypted.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_athena_database",
     "template_args": {
         "prefix": ""
     },

pkg/policies/opa/rego/aws/aws_cloudformation_stack/AWS.CloudFormation.Medium.0599.json

@@ -1,6 +1,8 @@
 {
     "name": "awsCloudFormationInUse",
     "file": "cloudFormationNullCheck.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_cloudformation_stack",
     "template_args": {
         "name": "awsCloudFormationInUse",
         "property": "template_url"

pkg/policies/opa/rego/aws/aws_cloudformation_stack/AWS.CloudFormation.Medium.0603.json

@@ -1,6 +1,8 @@
 {
     "name": "cloudFormationStackNotifs",
     "file": "cloudFormationNullCheck.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_cloudformation_stack",
     "template_args": {
         "name": "cloudFormationStackNotifs",
         "property": "notification_arns"

pkg/policies/opa/rego/aws/aws_cloudformation_stack/AWS.CloudFormation.Medium.0604.json

@@ -1,6 +1,8 @@
 {
     "name": "cloudFormationStackPolicy",
     "file": "cloudFormationNullCheck.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_cloudformation_stack",
     "template_args": {
         "name": "cloudFormationStackPolicy",
         "property": "policy_url"

pkg/policies/opa/rego/aws/aws_cloudformation_stack/AWS.CloudFormation.Medium.0605.json

@@ -1,6 +1,8 @@
 {
     "name": "cloudFormationTerminationProtection",
     "file": "cloudFormationTerminationProtection.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_cloudformation_stack",
     "template_args": null,
     "severity": "MEDIUM",
     "description": "Enable AWS CloudFormation Stack Termination Protection",

pkg/policies/opa/rego/aws/aws_cloudfront_distribution/AC-AW-IS-CD-M-0026.json

@@ -1,6 +1,8 @@
 {
     "name": "cloudfrontNoGeoRestriction",
     "file": "cloudfrontNoGeoRestriction.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_cloudfront_distribution",
     "template_args": {
         "prefix": ""
     },

pkg/policies/opa/rego/aws/aws_cloudfront_distribution/AC-AW-IS-CD-M-1186.json

@@ -1,6 +1,8 @@
 {
     "name": "noWafEnabled",
     "file": "noWafEnabled.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_cloudfront_distribution",
     "template_args": null,
     "severity": "Medium",
     "description": "Ensure that cloud-front has web application firewall enabled",

pkg/policies/opa/rego/aws/aws_cloudfront_distribution/AWS.CloudFront.EncryptionandKeyManagement.High.0407.json

@@ -1,6 +1,8 @@
 {
     "name": "cloudfrontNoHTTPSTraffic",
     "file": "cloudfrontNoHTTPSTraffic.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_cloudfront_distribution",
     "template_args": {
         "prefix": ""
     },

pkg/policies/opa/rego/aws/aws_cloudfront_distribution/AWS.CloudFront.EncryptionandKeyManagement.High.0408.json

@@ -1,6 +1,8 @@
 {
     "name": "cloudfrontNoSecureCiphers",
     "file": "cloudfrontNoSecureCiphers.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_cloudfront_distribution",
     "template_args": {
         "prefix": ""
     },

pkg/policies/opa/rego/aws/aws_cloudfront_distribution/AWS.CloudFront.Logging.Medium.0567.json

@@ -1,6 +1,8 @@
 {
     "name": "cloudfrontNoLogging",
     "file": "cloudfrontNoLogging.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_cloudfront_distribution",
     "template_args": {
         "prefix": ""
     },

pkg/policies/opa/rego/aws/aws_cloudtrail/AC_AWS_067.json

@@ -1,6 +1,8 @@
 {
     "name": "cloudTrailLogValidationDisabled",
     "file": "cloudTrailLogValidationDisabled.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_cloudtrail",
     "template_args": {
         "prefix": ""
     },

pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.High.0399.json

@@ -1,6 +1,8 @@
 {
     "name": "cloudTrailLogNotEncrypted",
     "file": "cloudTrailLogNotEncrypted.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_cloudtrail",
     "template_args": {
         "prefix": ""
     },

pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Low.0559.json

@@ -1,6 +1,8 @@
 {
     "name": "reme_enableSNSTopic",
     "file": "enableSNSTopic.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_cloudtrail",
     "template_args": {
         "prefix": "reme_"
     },

pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Medium.0460.json

@@ -1,6 +1,8 @@
 {
     "name": "cloudTrailMultiRegionNotCreated",
     "file": "cloudTrailMultiRegionNotCreated.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_cloudtrail",
     "template_args": {
         "prefix": ""
     },

pkg/policies/opa/rego/aws/aws_cloudwatch/AWS.CloudWatch.EncryptionandKeyManagement.High.0632.json

@@ -1,10 +1,12 @@
 {
     "name": "logGroupNotEncryptedWithKms",
     "file": "logGroupNotEncryptedWithKms.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_cloudwatch",
     "template_args": null,
     "severity": "HIGH",
     "description": "AWS CloudWatch log group is not encrypted with a KMS CMK",
     "reference_id": "AWS.CloudWatch.EncryptionandKeyManagement.High.0632",
     "category": "Data Protection",
     "version": 2
-}
+}

pkg/policies/opa/rego/aws/aws_cloudwatch/AWS.CloudWatch.Logging.Medium.0631.json

@@ -1,6 +1,8 @@
 {
     "name": "awsCloudWatchRetentionPreiod",
     "file": "awsCloudWatchRetentionPreiod.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_cloudwatch",
     "template_args": null,
     "severity": "MEDIUM",
     "description": "App-Tier CloudWatch Log Group Retention Period",

pkg/policies/opa/rego/aws/aws_cloudwatch_log_group/AC_AWS_068.json

@@ -1,6 +1,8 @@
 {
     "name": "cloudWatchLogGroupNoRetentionPolicy",
     "file": "cloudWatchLogGroupNoRetentionPolicy.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_cloudwatch_log_group",
     "template_args": {
         "prefix": ""
     },

pkg/policies/opa/rego/aws/aws_config/AWS.Config.Encryption&KeyManagement.Medium.0660.json

@@ -1,6 +1,8 @@
 {
     "name": "awsConfigEncryptedVol",
     "file": "awsConfigEncryptedVol.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_config",
     "template_args": null,
     "severity": "MEDIUM",
     "description": "Ensure AWS Config Rule is enabled for Encrypted Volumes",

pkg/policies/opa/rego/aws/aws_config_configuration_aggregator/AWS.Config.Logging.HIGH.0590.json

@@ -1,6 +1,8 @@
 {
     "name": "configEnabledForAllRegions",
     "file": "configEnabledForAllRegions.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_config_configuration_aggregator",
     "template_args": {
         "prefix": ""
     },

pkg/policies/opa/rego/aws/aws_dax_cluster/AC_AWS_021.json

@@ -1,6 +1,8 @@
 {
     "name": "daxSse",
     "file": "daxSse.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_dax_cluster",
     "template_args": {
         "prefix": ""
     },

pkg/policies/opa/rego/aws/aws_db_instance/AC_AWS_076.json

@@ -1,6 +1,8 @@
 {
     "name": "dbInstanceLoggingDisabled",
     "file": "dbInstanceLoggingDisabled.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_db_instance",
     "template_args": {
         "prefix": ""
     },

pkg/policies/opa/rego/aws/aws_db_instance/AWS.RDS.DS.High.1041.json

@@ -1,6 +1,8 @@
 {
     "name": "rdsAutoMinorVersionUpgradeEnabled",
     "file": "rdsAutoMinorVersionUpgradeEnabled.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_db_instance",
     "template_args": {
         "prefix": ""
     },

pkg/policies/opa/rego/aws/aws_db_instance/AWS.RDS.DS.High.1042.json

@@ -1,6 +1,8 @@
 {
     "name": "rdsCAExpired",
     "file": "rdsCAExpired.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_db_instance",
     "template_args": {
         "prefix": ""
     },

pkg/policies/opa/rego/aws/aws_db_instance/AWS.RDS.DataSecurity.High.0414.json

@@ -1,6 +1,8 @@
 {
     "name": "rdsHasStorageEncrypted",
     "file": "rdsHasStorageEncrypted.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_db_instance",
     "template_args": null,
     "severity": "HIGH",
     "description": "Ensure that your RDS database instances encrypt the underlying storage. Encrypted RDS instances use the industry standard AES-256 encryption algorithm to encrypt data on the server that hosts RDS DB instances. After data is encrypted, RDS handles authentication of access and descryption of data transparently with minimal impact on performance.",

pkg/policies/opa/rego/aws/aws_db_instance/AWS.RDS.DataSecurity.High.0577.json

@@ -1,6 +1,8 @@
 {
     "name": "rdsIamAuthEnabled",
     "file": "rdsIamAuthEnabled.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_db_instance",
     "template_args": {
         "prefix": ""
     },

pkg/policies/opa/rego/aws/aws_db_instance/AWS.RDS.NS.High.0101.json

@@ -1,6 +1,8 @@
 {
     "name": "rdsPubliclyAccessible",
     "file": "rdsPubliclyAccessible.rego",
+    "policy_type": "aws",
+    "resource_type": "aws_db_instance",
     "template_args": {
         "prefix": ""
     },