From b76a57a208a2e69810e81338b110836bff661e05 Mon Sep 17 00:00:00 2001 
From: ArturRibeiro-CX Date: Sun, 1 Dec 2024 01:09:24 +0000 Subject: [PATCH] fix some..in lint issues with input.document iteration --- .../query.rego | 11 +++-- .../query.rego | 13 +++--- .../query.rego | 11 +++-- .../query.rego | 8 ++-- .../azure_front_door_waf_disabled/query.rego | 6 ++- .../query.rego | 11 +++-- .../cosmos_db_account_without_tags/query.rego | 6 ++- .../query.rego | 6 ++- .../azure/dashboard_is_enabled/query.rego | 6 ++- .../azure/email_alerts_disabled/query.rego | 6 ++- .../query.rego | 11 +++-- .../query.rego | 6 ++- .../query.rego | 11 +++-- .../query.rego | 11 +++-- .../query.rego | 11 +++-- .../function_app_http2_disabled/query.rego | 16 ++++--- .../query.rego | 6 ++- .../query.rego | 6 ++- .../geo_redundancy_is_disabled/query.rego | 11 +++-- .../azure/key_expiration_not_set/query.rego | 6 ++- .../query.rego | 6 ++- .../azure/log_retention_is_not_set/query.rego | 6 ++- .../query.rego | 11 +++-- .../query.rego | 11 +++-- .../query.rego | 13 +++--- .../query.rego | 13 +++--- .../mysql_ssl_connection_disabled/query.rego | 6 ++- .../query.rego | 6 ++- .../query.rego | 8 ++-- .../network_watcher_flow_disabled/query.rego | 6 ++- .../query.rego | 6 ++- .../query.rego | 6 ++- .../query.rego | 6 ++- .../query.rego | 6 ++- .../query.rego | 11 +++-- .../query.rego | 11 +++-- .../query.rego | 6 ++- .../azure/public_storage_account/query.rego | 30 +++++++----- .../query.rego | 6 ++- .../redis_entirely_accessible/query.rego | 6 ++- .../redis_not_updated_regularly/query.rego | 6 ++- .../redis_publicly_accessible/query.rego | 6 ++- .../query.rego | 6 ++- .../query.rego | 6 ++- .../secret_expiration_not_set/query.rego | 6 ++- .../query.rego | 6 ++- .../azure/security_contact_email/query.rego | 6 ++- .../query.rego | 11 +++-- .../query.rego | 8 ++-- .../query.rego | 8 ++-- .../query.rego | 8 ++-- .../query.rego | 16 ++++--- .../query.rego | 16 ++++--- .../query.rego | 11 +++-- .../query.rego | 11 +++-- .../query.rego | 6 ++- 
.../sql_database_audit_disabled/query.rego | 11 +++-- .../query.rego | 13 +++--- .../sql_server_auditing_disabled/query.rego | 6 ++- .../sql_server_ingress_from_any_ip/query.rego | 6 ++- .../query.rego | 11 +++-- .../query.rego | 11 +++-- .../azure/ssl_enforce_is_disabled/query.rego | 11 +++-- .../query.rego | 11 +++-- .../query.rego | 6 ++- .../query.rego | 6 ++- .../query.rego | 6 ++- .../query.rego | 6 ++- .../query.rego | 28 ++++++----- .../unrestricted_sql_server_access/query.rego | 6 ++- .../azure/vault_auditing_disabled/query.rego | 6 ++- .../query.rego | 11 +++-- .../vm_not_attached_to_network/query.rego | 6 ++- .../query.rego | 11 +++-- .../query.rego | 11 +++-- .../autoscale_badly_setup/query.rego | 11 +++-- .../cluster_aws_attributes/query.rego | 21 +++++---- .../cluster_azure_attributes/query.rego | 16 ++++--- .../cluster_gcp_attributes/query.rego | 6 ++- .../databricks_permissions/query.rego | 27 ++++++----- .../query.rego | 6 ++- .../indefinitely_obo_token/query.rego | 6 ++- .../databricks/indefinitely_token/query.rego | 6 ++- .../databricks/unrestricted_acl/query.rego | 6 ++- .../use_lts_spark_version/query.rego | 11 +++-- .../use_spark_submit_task/query.rego | 11 +++-- .../gcp/bigquery_dataset_is_public/query.rego | 6 ++- .../gcp/cloud_dns_without_dnssec/query.rego | 6 ++- .../query.rego | 20 ++++---- .../query.rego | 11 +++-- .../query.rego | 6 ++- .../query.rego | 11 +++-- .../gcp/cluster_labels_disabled/query.rego | 6 ++- .../gcp/cos_node_image_not_used/query.rego | 6 ++- .../gcp/disk_encryption_disabled/query.rego | 16 ++++--- .../gcp/dnssec_using_rsasha1/query.rego | 7 ++- .../query.rego | 6 ++- .../query.rego | 11 +++-- .../query.rego | 8 ++-- .../query.rego | 8 ++-- .../query.rego | 11 +++-- .../query.rego | 6 ++- .../query.rego | 11 +++-- .../query.rego | 11 +++-- .../query.rego | 11 +++-- .../query.rego | 21 +++++---- .../query.rego | 11 +++-- .../query.rego | 21 +++++---- .../query.rego | 11 +++-- .../query.rego | 11 +++-- .../query.rego | 
16 ++++--- .../gcp/ip_aliasing_disabled/query.rego | 16 ++++--- .../gcp/ip_forwarding_enabled/query.rego | 6 ++- .../query.rego | 6 ++- .../query.rego | 11 +++-- .../gcp/network_policy_disabled/query.rego | 21 +++++---- .../gcp/node_auto_upgrade_disabled/query.rego | 23 ++++++---- .../query.rego | 8 ++-- .../gcp/os_login_disabled/query.rego | 15 +++--- .../query.rego | 6 ++- .../gcp/outdated_gke_version/query.rego | 6 ++- .../pod_security_policy_disabled/query.rego | 11 +++-- .../gcp/private_cluster_disabled/query.rego | 16 ++++--- .../query.rego | 16 ++++--- .../rdp_access_is_not_restricted/query.rego | 6 ++- .../query.rego | 16 ++++--- .../shielded_gke_nodes_disabled/query.rego | 6 ++- .../gcp/shielded_vm_disabled/query.rego | 18 ++++---- .../query.rego | 24 ++++++---- .../query.rego | 21 +++++---- .../query.rego | 22 +++++---- .../ssh_access_is_not_restricted/query.rego | 6 ++- .../stackdriver_logging_disabled/query.rego | 11 +++-- .../query.rego | 11 +++-- .../gcp/user_with_iam_role/query.rego | 11 +++-- .../using_default_service_account/query.rego | 26 +++++++---- .../query.rego | 16 ++++--- .../gcp/vm_with_full_cloud_access/query.rego | 6 ++- .../terraform/gcp_bom/dataflow/query.rego | 6 ++- .../queries/terraform/gcp_bom/fi/query.rego | 6 ++- .../queries/terraform/gcp_bom/pd/query.rego | 6 ++- .../kubernetes/cpu_limits_not_set/query.rego | 37 +++++++++------ .../cpu_requests_not_set/query.rego | 33 +++++++------ .../query.rego | 36 +++++++++------ .../memory_limits_not_defined/query.rego | 35 ++++++++------ .../memory_requests_not_defined/query.rego | 35 ++++++++------ .../query.rego | 43 ++++++++++------- .../query.rego | 33 +++++++------ .../query.rego | 33 +++++++------ .../query.rego | 46 +++++++++++-------- .../query.rego | 31 ++++++++----- .../kubernetes/tiller_is_deployed/query.rego | 31 ++++++++----- .../query.rego | 43 ++++++++++------- .../query.rego | 41 ++++++++++------- .../tke_cluster_has_public_access/query.rego | 41 ++++++++++------- 155 files 
changed, 1234 insertions(+), 738 deletions(-)
diff --git a/assets/queries/terraform/azure/azure_active_directory_authentication/query.rego b/assets/queries/terraform/azure/azure_active_directory_authentication/query.rego
index 06f223159da..d9079331d15 100644
--- a/assets/queries/terraform/azure/azure_active_directory_authentication/query.rego
+++ b/assets/queries/terraform/azure/azure_active_directory_authentication/query.rego
@@ -2,14 +2,16 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- active := input.document[i].resource.azurerm_service_fabric_cluster[name].azure_active_directory
+ some document in input.document
+ active := document.resource.azurerm_service_fabric_cluster[name].azure_active_directory
 not common_lib.valid_key(active, "tenant_id")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_service_fabric_cluster",
 "resourceName": tf_lib.get_resource_name(active, name),
 "searchKey": sprintf("azurerm_service_fabric_cluster[%s].azure_active_directory", [name]),
@@ -21,12 +23,13 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- azure := input.document[i].resource.azurerm_service_fabric_cluster[name]
+ some document in input.document
+ azure := document.resource.azurerm_service_fabric_cluster[name]
 not common_lib.valid_key(azure, "azure_active_directory")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_service_fabric_cluster",
 "resourceName": tf_lib.get_resource_name(azure, name),
 "searchKey": sprintf("azurerm_service_fabric_cluster[%s]", [name]),
diff --git a/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/query.rego b/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/query.rego
index 289756da90f..bf9609ef87f 100644
--- a/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/query.rego
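Review bot: In the first rule the binding `active := document.resource.azurerm_service_fabric_cluster[name].azure_active_directory` is also what gets passed to `tf_lib.get_resource_name(active, name)` in the result, so the helper sees the nested `azure_active_directory` block rather than the cluster resource; if `get_resource_name` reads the resource's own `name` attribute, as the second rule's `get_resource_name(azure, name)` suggests, the reported `resourceName` will fall back to the Terraform label instead. Binding the resource first keeps both rules consistent: `cluster := document.resource.azurerm_service_fabric_cluster[name]`, `active := cluster.azure_active_directory`, and `"resourceName": tf_lib.get_resource_name(cluster, name)`. The `some document in input.document` rewrite itself is behavior-neutral as far as the hunk shows; the rule body continues outside the hunk.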
+++ b/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/query.rego
@@ -2,15 +2,16 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- doc := input.document[i]
- resource := doc.resource.azurerm_app_service[name]
+ some document in input.document
+ resource := document.resource.azurerm_app_service[name]
 not common_lib.valid_key(resource, "client_cert_enabled")
 result := {
- "documentId": doc.id,
+ "documentId": document.id,
 "resourceType": "azurerm_app_service",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_app_service[%s]", [name]),
@@ -24,13 +25,13 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- doc := input.document[i]
- resource := doc.resource.azurerm_app_service[name]
+ some document in input.document
+ resource := document.resource.azurerm_app_service[name]
 resource.client_cert_enabled == false
 result := {
- "documentId": doc.id,
+ "documentId": document.id,
 "resourceType": "azurerm_app_service",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_app_service[%s].client_cert_enabled", [name]),
diff --git a/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/query.rego b/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/query.rego
index 0a14fd8b498..83fd6e6471c 100644
--- a/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/query.rego
+++ b/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/query.rego
@@ -2,14 +2,16 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- search := input.document[i].resource.azurerm_search_service[name]
+ some document in input.document
+ search := document.resource.azurerm_search_service[name]
 not common_lib.valid_key(search, "public_network_access_enabled")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_search_service",
 "resourceName": tf_lib.get_resource_name(search, name),
 "searchKey": sprintf("azurerm_search_service[%s]", [name]),
@@ -23,12 +25,13 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- search := input.document[i].resource.azurerm_search_service[name]
+ some document in input.document
+ search := document.resource.azurerm_search_service[name]
 search.public_network_access_enabled == true
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_search_service",
 "resourceName": tf_lib.get_resource_name(search, name),
 "searchKey": sprintf("azurerm_search_service[%s].public_network_access_enabled", [name]),
diff --git a/assets/queries/terraform/azure/azure_container_registry_with_no_locks/query.rego b/assets/queries/terraform/azure/azure_container_registry_with_no_locks/query.rego
index d2541052db0..8612f0eefac 100644
--- a/assets/queries/terraform/azure/azure_container_registry_with_no_locks/query.rego
+++ b/assets/queries/terraform/azure/azure_container_registry_with_no_locks/query.rego
@@ -1,16 +1,18 @@
 package Cx
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resourceRegistry := input.document[i].resource.azurerm_container_registry[name]
- resourceLock := input.document[i].resource.azurerm_management_lock[k]
+ some document in input.document
+ resourceRegistry := document.resource.azurerm_container_registry[name]
+ resourceLock := document.resource.azurerm_management_lock[k]
 scopeSplitted := split(resourceLock.scope, ".")
 not re_match(scopeSplitted[1], name)
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_container_registry",
 "resourceName": tf_lib.get_resource_name(resourceRegistry, name),
 "searchKey": sprintf("azurerm_container_registry[%s]", [name]),
diff --git a/assets/queries/terraform/azure/azure_front_door_waf_disabled/query.rego b/assets/queries/terraform/azure/azure_front_door_waf_disabled/query.rego
index 4d70764666f..655c2bf3ca7 100644
--- a/assets/queries/terraform/azure/azure_front_door_waf_disabled/query.rego
+++ b/assets/queries/terraform/azure/azure_front_door_waf_disabled/query.rego
@@ -2,14 +2,16 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- door := input.document[i].resource.azurerm_frontdoor[name].frontend_endpoint
+ some document in input.document
+ door := document.resource.azurerm_frontdoor[name].frontend_endpoint
 not common_lib.valid_key(door, "web_application_firewall_policy_link_id")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_frontdoor",
 "resourceName": tf_lib.get_resource_name(door, name),
 "searchKey": sprintf("azurerm_frontdoor[%s].frontend_endpoint", [name]),
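Review bot: The rule body binds `resourceLock := document.resource.azurerm_management_lock[k]` alongside the registry and then requires `not re_match(scopeSplitted[1], name)`, so a finding is produced once per (registry, lock) pair whose scope does not name this registry: a registry that is locked is still reported as soon as any other lock exists in the document, and a document with no `azurerm_management_lock` at all produces no finding because `resourceLock` never binds. The check also treats the scope segment as a regular-expression pattern, so a lock whose scope names `acr` would match a registry labelled `acr2`. Moving the lock lookup into a helper that is negated as a whole fixes both, and string equality is the safer comparison; the result construction is unchanged, and the rule's closing brace lies outside the hunk. The presumption that index 1 of the split scope is the registry label holds for scopes of the form `azurerm_container_registry.<label>.id`, which is what the existing code already relies on.
```rego
registry_has_lock(document, name) {
	lock := document.resource.azurerm_management_lock[_]
	split(lock.scope, ".")[1] == name
}

CxPolicy[result] {
	some document in input.document
	resourceRegistry := document.resource.azurerm_container_registry[name]
	not registry_has_lock(document, name)
	# … unchanged: result construction …
```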
diff --git a/assets/queries/terraform/azure/azure_instance_using_basic_authentication/query.rego b/assets/queries/terraform/azure/azure_instance_using_basic_authentication/query.rego
index 8d8f6184588..b5dfb9033af 100644
--- a/assets/queries/terraform/azure/azure_instance_using_basic_authentication/query.rego
+++ b/assets/queries/terraform/azure/azure_instance_using_basic_authentication/query.rego
@@ -2,14 +2,16 @@ package Cx
 import data.generic.terraform as tf_lib
 import future.keywords.if
+import future.keywords.in
 CxPolicy[result] {
- vm := input.document[i].resource.azurerm_virtual_machine[name]
+ some document in input.document
+ vm := document.resource.azurerm_virtual_machine[name]
 object.get(vm, "os_profile_linux_config", false)
 vm.os_profile_linux_config.disable_password_authentication == false
 resource_type := "azurerm_virtual_machine"
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": resource_type,
 "resourceName": tf_lib.get_resource_name(vm, name),
 "searchKey": sprintf("%s[%s].admin_ssh_key", [resource_type, name]),
@@ -20,11 +22,12 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- vm := input.document[i].resource.azurerm_linux_virtual_machine[name]
+ some document in input.document
+ vm := document.resource.azurerm_linux_virtual_machine[name]
 vm.disable_password_authentication == false
 resource_type := "azurerm_linux_virtual_machine"
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": resource_type,
 "resourceName": tf_lib.get_resource_name(vm, name),
 "searchKey": sprintf("%s[%s].admin_ssh_key", [resource_type, name]),
diff --git a/assets/queries/terraform/azure/cosmos_db_account_without_tags/query.rego b/assets/queries/terraform/azure/cosmos_db_account_without_tags/query.rego
index e2f29ea3c1b..82747de5fde 100644
--- a/assets/queries/terraform/azure/cosmos_db_account_without_tags/query.rego
+++ b/assets/queries/terraform/azure/cosmos_db_account_without_tags/query.rego
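Review bot: The first rule evaluates `vm.os_profile_linux_config.disable_password_authentication == false` but reports `"searchKey": sprintf("%s[%s].admin_ssh_key", [resource_type, name])`, so the finding points at an attribute the rule never inspects and that need not exist in the flagged block; the second rule in this file has the same mismatch for `azurerm_linux_virtual_machine`. Pointing the key at the evaluated attribute, `"searchKey": sprintf("%s[%s].os_profile_linux_config.disable_password_authentication", [resource_type, name])`, lets the finding land on the line that actually enables password login. The `object.get(vm, "os_profile_linux_config", false)` guard on the line above is redundant once the dotted access below it is evaluated, since that access is undefined when the block is absent, though it is harmless.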
@@ -1,13 +1,15 @@
 package Cx
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_cosmosdb_account[name]
+ some document in input.document
+ resource := document.resource.azurerm_cosmosdb_account[name]
 not resource.tags
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_cosmosdb_account",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_cosmosdb_account[%s]", [name]),
diff --git a/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/query.rego b/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/query.rego
index 69430f07f58..667cc2bff90 100644
--- a/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/query.rego
+++ b/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/query.rego
@@ -1,14 +1,16 @@
 package Cx
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_cosmosdb_account[name]
+ some document in input.document
+ resource := document.resource.azurerm_cosmosdb_account[name]
 not resource.ip_range_filter
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_cosmosdb_account",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_cosmosdb_account[%s].ip_range_filter", [name]),
diff --git a/assets/queries/terraform/azure/dashboard_is_enabled/query.rego b/assets/queries/terraform/azure/dashboard_is_enabled/query.rego
index 988740ef9f6..979822c02ec 100644
--- a/assets/queries/terraform/azure/dashboard_is_enabled/query.rego
+++ b/assets/queries/terraform/azure/dashboard_is_enabled/query.rego
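Review bot: `not resource.tags` only succeeds when `tags` is absent or `false`; an explicit `tags = {}` is a defined, truthy value in Rego, so an account with an empty tag map is not reported even though it carries no tags. If empty maps should count as untagged, `count(object.get(resource, "tags", {})) == 0` covers both cases in one condition. The `some document in input.document` rewrite itself is equivalent to the indexed form it replaces.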
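Review bot: `not resource.ip_range_filter` does not fire on `ip_range_filter = ""`, because an empty string is a defined value and `not` only succeeds on undefined or `false`; since an empty filter means no IP restriction on the account, that is the case this query most needs to catch. `object.get(resource, "ip_range_filter", "") == ""` reports both the missing and the empty form; if a provider version models the filter as a list rather than a string, `count(object.get(resource, "ip_range_filter", [])) == 0` would be the analogous check. The rule's `searchKey` already names `ip_range_filter`, so nothing else in the hunk needs to change.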
@@ -2,16 +2,18 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- cluster := input.document[i].resource.azurerm_kubernetes_cluster[name]
+ some document in input.document
+ cluster := document.resource.azurerm_kubernetes_cluster[name]
 profile := cluster.addon_profile
 kube := profile.kube_dashboard
 kube.enabled == true
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_kubernetes_cluster",
 "resourceName": tf_lib.get_resource_name(cluster, name),
 "searchKey": sprintf("azurerm_kubernetes_cluster[%s].addon_profile.kube_dashboard.enabled", [name]),
diff --git a/assets/queries/terraform/azure/email_alerts_disabled/query.rego b/assets/queries/terraform/azure/email_alerts_disabled/query.rego
index f632358cd7f..941d5724f87 100644
--- a/assets/queries/terraform/azure/email_alerts_disabled/query.rego
+++ b/assets/queries/terraform/azure/email_alerts_disabled/query.rego
@@ -2,14 +2,16 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_security_center_contact[name]
+ some document in input.document
+ resource := document.resource.azurerm_security_center_contact[name]
 resource.alert_notifications == false
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_security_center_contact",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_security_center_contact[%s].alert_notifications", [name]),
diff --git a/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/query.rego b/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/query.rego
index b1ea011df69..e4ab5e1a22b 100644
--- a/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/query.rego
+++ b/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/query.rego
@@ -2,14 +2,16 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource
+ some document in input.document
+ resource := document.resource
 encryption := resource.azurerm_managed_disk[name]
 not common_lib.valid_key(encryption, "encryption_settings")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_managed_disk",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_managed_disk[%s]", [name]),
@@ -23,12 +25,13 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource
+ some document in input.document
+ resource := document.resource
 encryption := resource.azurerm_managed_disk[name]
 encryption.encryption_settings.enabled == false
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_managed_disk",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_managed_disk[%s].encryption_settings.enabled", [name]),
diff --git a/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/query.rego b/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/query.rego
index 5ab3e86ce08..9fd26ee5fd3 100644
--- a/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/query.rego
+++ b/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/query.rego
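Review bot: Both rules bind `resource := document.resource` (the map of every resource type in the file) and then call `tf_lib.get_resource_name(resource, name)`, so the helper receives the whole resource map rather than the managed disk that `encryption := resource.azurerm_managed_disk[name]` already holds; the reported `resourceName` can then only ever be the fallback label, never the disk's own `name` attribute. `"resourceName": tf_lib.get_resource_name(encryption, name)` in both result blocks is the fix, leaving `resource` used only for the lookup. The earlier `input.document[i].resource` form had the same issue, so this is pre-existing, but it is worth taking while these lines are being touched.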
@@ -2,9 +2,11 @@ package Cx
 import data.generic.common as commonLib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- fire_rule := input.document[i].resource.azurerm_redis_firewall_rule[name]
+ some document in input.document
+ fire_rule := document.resource.azurerm_redis_firewall_rule[name]
 occupied_hosts := commonLib.calc_IP_value(fire_rule.start_ip)
 all_hosts := commonLib.calc_IP_value(fire_rule.end_ip)
 available := abs(all_hosts - occupied_hosts)
@@ -12,7 +14,7 @@ CxPolicy[result] {
 available > 255
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_redis_firewall_rule",
 "resourceName": tf_lib.get_resource_name(fire_rule, name),
 "searchKey": sprintf("azurerm_redis_firewall_rule[%s].start_ip", [name]),
diff --git a/assets/queries/terraform/azure/function_app_authentication_disabled/query.rego b/assets/queries/terraform/azure/function_app_authentication_disabled/query.rego
index 50faf901a67..5fcbcd01631 100644
--- a/assets/queries/terraform/azure/function_app_authentication_disabled/query.rego
+++ b/assets/queries/terraform/azure/function_app_authentication_disabled/query.rego
@@ -2,14 +2,16 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- function := input.document[i].resource.azurerm_function_app[name]
+ some document in input.document
+ function := document.resource.azurerm_function_app[name]
 not common_lib.valid_key(function, "auth_settings")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_function_app",
 "resourceName": tf_lib.get_resource_name(function, name),
 "searchKey": sprintf("azurerm_function_app[%s]", [name]),
@@ -23,12 +25,13 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- function := input.document[i].resource.azurerm_function_app[name]
+ some document in input.document
+ function := document.resource.azurerm_function_app[name]
 function.auth_settings.enabled != true
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_function_app",
 "resourceName": tf_lib.get_resource_name(function, name),
 "searchKey": sprintf("azurerm_function_app[%s].auth_settings.enabled", [name]),
diff --git a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/query.rego b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/query.rego
index f2f3859f7ce..6569c58b096 100644
--- a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/query.rego
+++ b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/query.rego
@@ -2,14 +2,16 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- function := input.document[i].resource.azurerm_function_app[name]
+ some document in input.document
+ function := document.resource.azurerm_function_app[name]
 not common_lib.valid_key(function, "client_cert_mode")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_function_app",
 "resourceName": tf_lib.get_resource_name(function, name),
 "searchKey": sprintf("azurerm_function_app[%s]", [name]),
@@ -23,12 +25,13 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- function := input.document[i].resource.azurerm_function_app[name]
+ some document in input.document
+ function := document.resource.azurerm_function_app[name]
 function.client_cert_mode != "Required"
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_function_app",
 "resourceName": tf_lib.get_resource_name(function, name),
 "searchKey": sprintf("azurerm_function_app[%s].client_cert_mode", [name]),
diff --git a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego
index 18ffa37e062..4ea2ae77ba8 100644
--- a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego
+++ b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego
@@ -2,14 +2,16 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- function := input.document[i].resource.azurerm_function_app[name]
+ some document in input.document
+ function := document.resource.azurerm_function_app[name]
 not common_lib.valid_key(function.site_config, "ftps_state")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_function_app",
 "resourceName": tf_lib.get_resource_name(function, name),
 "searchKey": sprintf("azurerm_function_app[%s].site_config'", [name]),
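Review bot: The first rule of `function_app_ftps_enforce_disabled` builds its locator as `sprintf("azurerm_function_app[%s].site_config'", [name])`; the trailing `'` inside the format string looks like a typo, and since `searchKey` is what KICS resolves back to a line in the scanned file, it would presumably keep this finding from being mapped onto the `site_config` block. `"searchKey": sprintf("azurerm_function_app[%s].site_config", [name]),` matches the sibling rules in this diff (the http2 and managed-identity queries use exactly that form). Not introduced by this commit, but the line sits in the hunk's context and is a one-character fix.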
@@ -23,12 +25,13 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- function := input.document[i].resource.azurerm_function_app[name]
+ some document in input.document
+ function := document.resource.azurerm_function_app[name]
 function.site_config.ftps_state == "AllAllowed"
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_function_app",
 "resourceName": tf_lib.get_resource_name(function, name),
 "searchKey": sprintf("azurerm_function_app[%s].site_config.ftps_state", [name]),
diff --git a/assets/queries/terraform/azure/function_app_http2_disabled/query.rego b/assets/queries/terraform/azure/function_app_http2_disabled/query.rego
index cd29c8c67ce..48111c27a00 100644
--- a/assets/queries/terraform/azure/function_app_http2_disabled/query.rego
+++ b/assets/queries/terraform/azure/function_app_http2_disabled/query.rego
@@ -2,14 +2,16 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- app := input.document[i].resource.azurerm_function_app[name]
+ some document in input.document
+ app := document.resource.azurerm_function_app[name]
 not common_lib.valid_key(app, "site_config")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_function_app",
 "resourceName": tf_lib.get_resource_name(app, name),
 "searchKey": sprintf("azurerm_function_app[%s]", [name]),
@@ -23,12 +25,13 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- app := input.document[i].resource.azurerm_function_app[name]
+ some document in input.document
+ app := document.resource.azurerm_function_app[name]
 not common_lib.valid_key(app.site_config, "http2_enabled")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_function_app",
 "resourceName": tf_lib.get_resource_name(app, name),
 "searchKey": sprintf("azurerm_function_app[%s].site_config", [name]),
@@ -42,12 +45,13 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- app := input.document[i].resource.azurerm_function_app[name]
+ some document in input.document
+ app := document.resource.azurerm_function_app[name]
 app.site_config.http2_enabled == false
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_function_app",
 "resourceName": tf_lib.get_resource_name(app, name),
 "searchKey": sprintf("azurerm_function_app[%s].site_config.http2_enabled", [name]),
diff --git a/assets/queries/terraform/azure/function_app_managed_identity_disabled/query.rego b/assets/queries/terraform/azure/function_app_managed_identity_disabled/query.rego
index 7151f4f905c..c49f5fd57a3 100644
--- a/assets/queries/terraform/azure/function_app_managed_identity_disabled/query.rego
+++ b/assets/queries/terraform/azure/function_app_managed_identity_disabled/query.rego
@@ -2,14 +2,16 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- function := input.document[i].resource.azurerm_function_app[name]
+ some document in input.document
+ function := document.resource.azurerm_function_app[name]
 not common_lib.valid_key(function, "identity")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_function_app",
 "resourceName": tf_lib.get_resource_name(function, name),
 "searchKey": sprintf("azurerm_function_app[%s]", [name]),
diff --git a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/query.rego b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/query.rego
index 5579f1df96d..d70e41e590c 100644
--- a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/query.rego
+++ b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/query.rego
@@ -2,14 +2,16 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- app := input.document[i].resource.azurerm_function_app[name]
+ some document in input.document
+ app := document.resource.azurerm_function_app[name]
 to_number(app.site_config.min_tls_version) != 1.2
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_function_app",
 "resourceName": tf_lib.get_resource_name(app, name),
 "searchKey": sprintf("azurerm_function_app[%s].site_config.min_tls_version", [name]),
diff --git a/assets/queries/terraform/azure/geo_redundancy_is_disabled/query.rego b/assets/queries/terraform/azure/geo_redundancy_is_disabled/query.rego
index 88538a6a157..b58c6c021c5 100644
--- a/assets/queries/terraform/azure/geo_redundancy_is_disabled/query.rego
+++ b/assets/queries/terraform/azure/geo_redundancy_is_disabled/query.rego
@@ -2,13 +2,15 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_postgresql_server[var0]
+ some document in input.document
+ resource := document.resource.azurerm_postgresql_server[var0]
 not common_lib.valid_key(resource, "geo_redundant_backup_enabled")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_postgresql_server",
 "resourceName": tf_lib.get_resource_name(resource, var0),
 "searchKey": sprintf("azurerm_postgresql_server[%s]", [var0]),
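Review bot: `to_number(app.site_config.min_tls_version) != 1.2` is undefined, and the rule therefore silent, whenever `site_config` or `min_tls_version` is not set, and it reports any value other than exactly `1.2`, including a hypothetical newer one. Whether the missing-attribute case is acceptable depends on the provider default, which the hunk does not show; if the intent is to require an explicit setting, a second rule mirroring the sibling queries in this diff (`not common_lib.valid_key(app.site_config, "min_tls_version")`) closes the gap, and `to_number(app.site_config.min_tls_version) < 1.2` expresses "older than 1.2" rather than "not 1.2". The `some document in input.document` rewrite is equivalent to the indexed access it replaces.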
@@ -22,11 +24,12 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_postgresql_server[var0]
+ some document in input.document
+ resource := document.resource.azurerm_postgresql_server[var0]
 resource.geo_redundant_backup_enabled == false
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_postgresql_server",
 "resourceName": tf_lib.get_resource_name(resource, var0),
 "searchKey": sprintf("azurerm_postgresql_server[%s].geo_redundant_backup_enabled", [var0]),
diff --git a/assets/queries/terraform/azure/key_expiration_not_set/query.rego b/assets/queries/terraform/azure/key_expiration_not_set/query.rego
index d03f3eb6013..f25c73d9934 100644
--- a/assets/queries/terraform/azure/key_expiration_not_set/query.rego
+++ b/assets/queries/terraform/azure/key_expiration_not_set/query.rego
@@ -1,14 +1,16 @@
 package Cx
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_key_vault_key[name]
+ some document in input.document
+ resource := document.resource.azurerm_key_vault_key[name]
 not resource.expiration_date
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_key_vault_key",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_key_vault_key[%s]", [name]),
diff --git a/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/query.rego b/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/query.rego
index efa7592be75..f16c42ad400 100644
--- a/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/query.rego
+++ b/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/query.rego
@@ -2,14 +2,16 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- key := input.document[i].resource.azurerm_key_vault_secret[name]
+ some document in input.document
+ key := document.resource.azurerm_key_vault_secret[name]
 not common_lib.valid_key(key, "content_type")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_key_vault_secret",
 "resourceName": tf_lib.get_resource_name(key, name),
 "searchKey": sprintf("azurerm_key_vault_secret[%s]", [name]),
diff --git a/assets/queries/terraform/azure/log_retention_is_not_set/query.rego b/assets/queries/terraform/azure/log_retention_is_not_set/query.rego
index 21bb13073bf..d2d8739d976 100644
--- a/assets/queries/terraform/azure/log_retention_is_not_set/query.rego
+++ b/assets/queries/terraform/azure/log_retention_is_not_set/query.rego
@@ -2,9 +2,11 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_postgresql_configuration[var0]
+ some document in input.document
+ resource := document.resource.azurerm_postgresql_configuration[var0]
 is_string(resource.name)
 name := lower(resource.name)
@@ -16,7 +18,7 @@ CxPolicy[result] {
 value != "ON"
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_postgresql_configuration",
 "resourceName": tf_lib.get_resource_name(resource, var0),
 "searchKey": sprintf("azurerm_postgresql_configuration[%s].value", [var0]),
diff --git a/assets/queries/terraform/azure/mariadb_public_network_access_enabled/query.rego b/assets/queries/terraform/azure/mariadb_public_network_access_enabled/query.rego
index d43283c7c6e..c87509ab68a 100644
--- a/assets/queries/terraform/azure/mariadb_public_network_access_enabled/query.rego
+++ b/assets/queries/terraform/azure/mariadb_public_network_access_enabled/query.rego
@@ -2,14 +2,16 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- mariadbServer := input.document[i].resource.azurerm_mariadb_server[name]
+ some document in input.document
+ mariadbServer := document.resource.azurerm_mariadb_server[name]
 not common_lib.valid_key(mariadbServer, "public_network_access_enabled")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_mariadb_server",
 "resourceName": tf_lib.get_resource_name(mariadbServer, name),
 "searchKey": sprintf("azurerm_mariadb_server[%s]", [name]),
@@ -23,12 +25,13 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- mariadbServer := input.document[i].resource.azurerm_mariadb_server[name]
+ some document in input.document
+ mariadbServer := document.resource.azurerm_mariadb_server[name]
 mariadbServer.public_network_access_enabled == true
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_mariadb_server",
 "resourceName": tf_lib.get_resource_name(mariadbServer, name),
 "searchKey": sprintf("azurerm_mariadb_server[%s].public_network_access_enabled", [name]),
diff --git a/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/query.rego b/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/query.rego
index 5bc5a1fb46c..f9668e92f7d 100644
--- a/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/query.rego
+++ b/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/query.rego
@@ -2,14 +2,16 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- mdb := input.document[i].resource.azurerm_mariadb_server[name]
+ some document in input.document
+ mdb := document.resource.azurerm_mariadb_server[name]
 not common_lib.valid_key(mdb, "geo_redundant_backup_enabled")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_mariadb_server",
 "resourceName": tf_lib.get_resource_name(mdb, name),
 "searchKey": sprintf("azurerm_mariadb_server[%s]", [name]),
@@ -23,12 +25,13 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- mdb := input.document[i].resource.azurerm_mariadb_server[name]
+ some document in input.document
+ mdb := document.resource.azurerm_mariadb_server[name]
 mdb.geo_redundant_backup_enabled == false
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_mariadb_server",
 "resourceName": tf_lib.get_resource_name(mdb, name),
 "searchKey": sprintf("azurerm_mariadb_server[%s].geo_redundant_backup_enabled", [name]),
diff --git a/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/query.rego b/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/query.rego
index 092f69fda00..3cffb32035b 100644
--- a/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/query.rego
+++ b/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/query.rego
@@ -2,15 +2,16 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- doc := input.document[i]
- resource := doc.resource.azurerm_mssql_server[name]
+ some document in input.document
+ resource := document.resource.azurerm_mssql_server[name]
 not common_lib.valid_key(resource, "public_network_access_enabled")
 result := {
- "documentId": doc.id,
+ "documentId": document.id,
 "resourceType": "azurerm_mssql_server",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_mssql_server[%s]", [name]),
@@ -24,13 +25,13 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- doc := input.document[i]
- resource := doc.resource.azurerm_mssql_server[name]
+ some document in input.document
+ resource := document.resource.azurerm_mssql_server[name]
 resource.public_network_access_enabled == true
 result := {
- "documentId": doc.id,
+ "documentId": document.id,
 "resourceType": "azurerm_mssql_server",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_mssql_server[%s].public_network_access_enabled", [name]),
diff --git a/assets/queries/terraform/azure/mysql_server_public_access_enabled/query.rego b/assets/queries/terraform/azure/mysql_server_public_access_enabled/query.rego
index 0c40fd8167c..6953f1130ed 100644
--- a/assets/queries/terraform/azure/mysql_server_public_access_enabled/query.rego
+++ b/assets/queries/terraform/azure/mysql_server_public_access_enabled/query.rego
@@ -2,15 +2,16 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- doc := input.document[i]
- resource := doc.resource.azurerm_mysql_server[name]
+ some document in input.document
+ resource := document.resource.azurerm_mysql_server[name]
 not common_lib.valid_key(resource, "public_network_access_enabled")
 result := {
- "documentId": doc.id,
+ "documentId": document.id,
 "resourceType": "azurerm_mssql_server",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_mysql_server[%s]", [name]),
@@ -24,13 +25,13 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- doc := input.document[i]
- resource := doc.resource.azurerm_mysql_server[name]
+ some document in input.document
+ resource := document.resource.azurerm_mysql_server[name]
 resource.public_network_access_enabled == true
 result := {
- "documentId": doc.id,
+ "documentId": document.id,
 "resourceType": "azurerm_mssql_server",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_mysql_server[%s].public_network_access_enabled", [name]),
diff --git a/assets/queries/terraform/azure/mysql_ssl_connection_disabled/query.rego b/assets/queries/terraform/azure/mysql_ssl_connection_disabled/query.rego
index 133d372cc65..7062cf474cd 100644
--- a/assets/queries/terraform/azure/mysql_ssl_connection_disabled/query.rego
+++ b/assets/queries/terraform/azure/mysql_ssl_connection_disabled/query.rego
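Review bot: `"resourceType": "azurerm_mssql_server"` in both rules of mysql_server_public_access_enabled labels a finding on an `azurerm_mysql_server` resource with the MSSQL type, so anything that groups or filters results by resourceType will misattribute it; the mysql_ssl_connection_disabled hunk that follows carries the same mismatch. The commit rewrites the `documentId` line directly above in each rule but leaves this, and the fix is one line per rule: `"resourceType": "azurerm_mysql_server",`. Since every result line of these rules is being touched in this lint pass anyway, it is a cheap place to fold it in.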
@@ -2,13 +2,15 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_mysql_server[name]
+ some document in input.document
+ resource := document.resource.azurerm_mysql_server[name]
 resource.ssl_enforcement_enabled == false
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_mssql_server",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_mysql_server[%s].ssl_enforcement_enabled", [name]),
diff --git a/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/query.rego b/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/query.rego
index c39ed16418f..2ba91d1d56e 100644
--- a/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/query.rego
+++ b/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/query.rego
@@ -2,14 +2,16 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- ip := input.document[i].resource.azurerm_network_interface[name]
+ some document in input.document
+ ip := document.resource.azurerm_network_interface[name]
 ip.enable_ip_forwarding == true
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_network_interface",
 "resourceName": tf_lib.get_resource_name(ip, name),
 "searchKey": sprintf("azurerm_network_interface[%s].enable_ip_forwarding", [name]),
diff --git a/assets/queries/terraform/azure/network_interfaces_with_public_ip/query.rego b/assets/queries/terraform/azure/network_interfaces_with_public_ip/query.rego
index fc40c29013f..848b06b53c9 100644
--- a/assets/queries/terraform/azure/network_interfaces_with_public_ip/query.rego
+++ b/assets/queries/terraform/azure/network_interfaces_with_public_ip/query.rego
@@ -2,16 +2,18 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- network := input.document[i].resource.azurerm_network_interface[name].ip_configuration
+ some document in input.document
+ network := document.resource.azurerm_network_interface[name].ip_configuration
 common_lib.valid_key(network, "public_ip_address_id")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_network_interface",
- "resourceName": tf_lib.get_resource_name(input.document[i].resource.azurerm_network_interface[name], name),
+ "resourceName": tf_lib.get_resource_name(document.resource.azurerm_network_interface[name], name),
 "searchKey": sprintf("azurerm_network_interface[%s].ip_configuration.public_ip_address_id", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'azurerm_network_interface[%s].ip_configuration.public_ip_address_id' should be undefined", [name]),
diff --git a/assets/queries/terraform/azure/network_watcher_flow_disabled/query.rego b/assets/queries/terraform/azure/network_watcher_flow_disabled/query.rego
index 8b060da2f77..275d63c9635 100644
--- a/assets/queries/terraform/azure/network_watcher_flow_disabled/query.rego
+++ b/assets/queries/terraform/azure/network_watcher_flow_disabled/query.rego
@@ -2,13 +2,15 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- network := input.document[i].resource.azurerm_network_watcher_flow_log[name]
+ some document in input.document
+ network := document.resource.azurerm_network_watcher_flow_log[name]
 network.enabled == false
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_network_watcher_flow_log",
 "resourceName": tf_lib.get_resource_name(network, name),
 "searchKey": sprintf("azurerm_network_watcher_flow_log[%s].enable", [name]),
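Review bot: The rewritten `resourceName` line in network_interfaces_with_public_ip walks `document.resource.azurerm_network_interface[name]` a second time after the rule has already walked the same path to bind `network`; binding the resource once keeps the two references from drifting apart: `nic := document.resource.azurerm_network_interface[name]`, `network := nic.ip_configuration`, and `"resourceName": tf_lib.get_resource_name(nic, name),`. The same double walk appears in both rules of the public_storage_account hunk further down. Separately, `ip_configuration` is a repeatable block on this resource type, so whether `valid_key(network, ...)` fires when the parser hands back a list of blocks is not visible here and worth confirming with a test input that declares two of them.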
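Review bot: In network_watcher_flow_disabled the rule tests `network.enabled == false`, but `searchKey` points at `azurerm_network_watcher_flow_log[%s].enable`, an attribute name the rule itself does not use, so the reported location will not resolve to the line that triggered the finding. The commit rewrites the `documentId` line two lines above; the search key should read `"searchKey": sprintf("azurerm_network_watcher_flow_log[%s].enabled", [name]),`.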
diff --git a/assets/queries/terraform/azure/postgresql_log_checkpoints_disabled/query.rego b/assets/queries/terraform/azure/postgresql_log_checkpoints_disabled/query.rego
index 64cc68a7253..0f96619099e 100644
--- a/assets/queries/terraform/azure/postgresql_log_checkpoints_disabled/query.rego
+++ b/assets/queries/terraform/azure/postgresql_log_checkpoints_disabled/query.rego
@@ -2,9 +2,11 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_postgresql_configuration[var0]
+ some document in input.document
+ resource := document.resource.azurerm_postgresql_configuration[var0]
 is_string(resource.name)
 name := lower(resource.name)
@@ -16,7 +18,7 @@ CxPolicy[result] {
 value != "ON"
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_postgresql_configuration",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_postgresql_configuration[%s].value", [var0]),
diff --git a/assets/queries/terraform/azure/postgresql_log_connections_not_set/query.rego b/assets/queries/terraform/azure/postgresql_log_connections_not_set/query.rego
index d8c6356ab8b..62f83acdfab 100644
--- a/assets/queries/terraform/azure/postgresql_log_connections_not_set/query.rego
+++ b/assets/queries/terraform/azure/postgresql_log_connections_not_set/query.rego
@@ -2,9 +2,11 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_postgresql_configuration[var0]
+ some document in input.document
+ resource := document.resource.azurerm_postgresql_configuration[var0]
 is_string(resource.name)
 name := lower(resource.name)
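Review bot: In the second hunk of postgresql_log_checkpoints_disabled, `resourceName` is built with `tf_lib.get_resource_name(resource, name)` where `name := lower(resource.name)` is the lower-cased value of the configuration's `name` attribute, not the Terraform label `var0` that `searchKey` uses on the very next line; log_retention_is_not_set, touched earlier in this same commit for the same resource type, passes `var0`. If `get_resource_name` expects the block label (its body is not visible here), the line should be `"resourceName": tf_lib.get_resource_name(resource, var0),`. The same pattern is in postgresql_log_connections_not_set, postgresql_log_disconnections_not_set, postgresql_log_duration_not_set (where the label is `x`) and postgresql_server_without_connection_throttling below. The enclosing rule body spans both hunks and continues outside them.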
@@ -16,7 +18,7 @@ CxPolicy[result] {
 value != "ON"
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_postgresql_configuration",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_postgresql_configuration[%s].value", [var0]),
diff --git a/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/query.rego b/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/query.rego
index a005215a00d..8fb4d0aff1c 100644
--- a/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/query.rego
+++ b/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/query.rego
@@ -2,9 +2,11 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_postgresql_configuration[var0]
+ some document in input.document
+ resource := document.resource.azurerm_postgresql_configuration[var0]
 is_string(resource.name)
 name := lower(resource.name)
@@ -16,7 +18,7 @@ CxPolicy[result] {
 value != "ON"
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_postgresql_configuration",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_postgresql_configuration[%s].value", [var0]),
diff --git a/assets/queries/terraform/azure/postgresql_log_duration_not_set/query.rego b/assets/queries/terraform/azure/postgresql_log_duration_not_set/query.rego
index e3bf93e47cc..d993e80df47 100644
--- a/assets/queries/terraform/azure/postgresql_log_duration_not_set/query.rego
+++ b/assets/queries/terraform/azure/postgresql_log_duration_not_set/query.rego
@@ -2,9 +2,11 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_postgresql_configuration[x]
+ some document in input.document
+ resource := document.resource.azurerm_postgresql_configuration[x]
 is_string(resource.name)
 name := lower(resource.name)
@@ -16,7 +18,7 @@ CxPolicy[result] {
 value != "ON"
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_postgresql_configuration",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_postgresql_configuration[%s].value", [x]),
diff --git a/assets/queries/terraform/azure/postgresql_server_infrastructure_encryption_disabled/query.rego b/assets/queries/terraform/azure/postgresql_server_infrastructure_encryption_disabled/query.rego
index 8bbf44202fe..fb50425e948 100644
--- a/assets/queries/terraform/azure/postgresql_server_infrastructure_encryption_disabled/query.rego
+++ b/assets/queries/terraform/azure/postgresql_server_infrastructure_encryption_disabled/query.rego
@@ -2,14 +2,16 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- pg := input.document[i].resource.azurerm_postgresql_server[name]
+ some document in input.document
+ pg := document.resource.azurerm_postgresql_server[name]
 not common_lib.valid_key(pg, "infrastructure_encryption_enabled")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_postgresql_server",
 "resourceName": tf_lib.get_resource_name(pg, name),
 "searchKey": sprintf("azurerm_postgresql_server[%s]", [name]),
@@ -23,12 +25,13 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- pg := input.document[i].resource.azurerm_postgresql_server[name]
+ some document in input.document
+ pg := document.resource.azurerm_postgresql_server[name]
 pg.infrastructure_encryption_enabled == false
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_postgresql_server",
 "resourceName": tf_lib.get_resource_name(pg, name),
 "searchKey": sprintf("azurerm_postgresql_server[%s].infrastructure_encryption_enabled", [name]),
diff --git a/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/query.rego b/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/query.rego
index bb4b7f700ef..a022fc7a84c 100644
--- a/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/query.rego
+++ b/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/query.rego
@@ -2,14 +2,16 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- pg := input.document[i].resource.azurerm_postgresql_server[name]
+ some document in input.document
+ pg := document.resource.azurerm_postgresql_server[name]
 not common_lib.valid_key(pg, "threat_detection_policy")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_postgresql_server",
 "resourceName": tf_lib.get_resource_name(pg, name),
 "searchKey": sprintf("azurerm_postgresql_server[%s]", [name]),
@@ -23,12 +25,13 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- pg := input.document[i].resource.azurerm_postgresql_server[name]
+ some document in input.document
+ pg := document.resource.azurerm_postgresql_server[name]
 pg.threat_detection_policy.enabled == false
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_postgresql_server",
 "resourceName": tf_lib.get_resource_name(pg, name),
 "searchKey": sprintf("azurerm_postgresql_server[%s].threat_detection_policy.enabled", [name]),
diff --git a/assets/queries/terraform/azure/postgresql_server_without_connection_throttling/query.rego b/assets/queries/terraform/azure/postgresql_server_without_connection_throttling/query.rego
index 970a1a8874c..303b852c55a 100644
--- a/assets/queries/terraform/azure/postgresql_server_without_connection_throttling/query.rego
+++ b/assets/queries/terraform/azure/postgresql_server_without_connection_throttling/query.rego
@@ -2,9 +2,11 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_postgresql_configuration[var0]
+ some document in input.document
+ resource := document.resource.azurerm_postgresql_configuration[var0]
 is_string(resource.name)
 name := lower(resource.name)
@@ -16,7 +18,7 @@ CxPolicy[result] {
 value != "ON"
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_postgresql_configuration",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_postgresql_configuration[%s].value", [var0]),
diff --git a/assets/queries/terraform/azure/public_storage_account/query.rego b/assets/queries/terraform/azure/public_storage_account/query.rego
index 8ca65457921..914d73163ff 100644
--- a/assets/queries/terraform/azure/public_storage_account/query.rego
+++ b/assets/queries/terraform/azure/public_storage_account/query.rego
@@ -2,16 +2,18 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- network_rules := input.document[i].resource.azurerm_storage_account[name].network_rules
+ some document in input.document
+ network_rules := document.resource.azurerm_storage_account[name].network_rules
 network_rules.ip_rules[l] == "0.0.0.0/0"
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_storage_account",
- "resourceName": tf_lib.get_resource_name(input.document[i].resource.azurerm_storage_account[name], name),
+ "resourceName": tf_lib.get_resource_name(document.resource.azurerm_storage_account[name], name),
 "searchKey": sprintf("azurerm_storage_account[%s].network_rules.ip_rules", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "'network_rules.ip_rules' should not contain 0.0.0.0/0",
@@ -21,13 +23,14 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- network_rules := input.document[i].resource.azurerm_storage_account[name].network_rules
+ some document in input.document
+ network_rules := document.resource.azurerm_storage_account[name].network_rules
 not common_lib.valid_key(network_rules, "ip_rules")
 network_rules.default_action == "Allow"
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_storage_account",
- "resourceName": tf_lib.get_resource_name(input.document[i].resource.azurerm_storage_account[name], name),
+ "resourceName": tf_lib.get_resource_name(document.resource.azurerm_storage_account[name], name),
 "searchKey": sprintf("azurerm_storage_account[%s].network_rules", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'network_rules.ip_rules' should be defined and not null",
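Review bot: `network_rules.ip_rules[l] == "0.0.0.0/0"` still iterates through an implicitly bound index `l`, which is the same lint class as the `input.document[i]` form this commit is removing, so the file will keep tripping the same rule; with `future.keywords.in` now imported the membership test reads directly as `"0.0.0.0/0" in network_rules.ip_rules`. The `rules.ip_rules[l]` conditions in the two hunks of this file that follow have the same shape and the same one-line fix. Separately, both rules here walk `document.resource.azurerm_storage_account[name]` twice, once to bind `network_rules` and again inside `resourceName`; binding `storage := document.resource.azurerm_storage_account[name]` once and using `storage.network_rules` and `get_resource_name(storage, name)` removes the duplicated path.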
@@ -37,11 +40,12 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- rules := input.document[i].resource.azurerm_storage_account_network_rules[name]
+ some document in input.document
+ rules := document.resource.azurerm_storage_account_network_rules[name]
 rules.ip_rules[l] == "0.0.0.0/0"
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_storage_account_network_rules",
 "resourceName": tf_lib.get_resource_name(rules, name),
 "searchKey": sprintf("azurerm_storage_account_network_rules[%s].ip_rules", [name]),
@@ -53,11 +57,12 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- rules := input.document[i].resource.azurerm_storage_account_network_rules[name]
+ some document in input.document
+ rules := document.resource.azurerm_storage_account_network_rules[name]
 not common_lib.valid_key(rules, "ip_rules")
 rules.default_action == "Allow"
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_storage_account_network_rules",
 "resourceName": tf_lib.get_resource_name(rules, name),
 "searchKey": sprintf("azurerm_storage_account_network_rules[%s]", [name]),
@@ -69,12 +74,13 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- storage := input.document[i].resource.azurerm_storage_account[name]
+ some document in input.document
+ storage := document.resource.azurerm_storage_account[name]
 storage.allow_blob_public_access != false
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_storage_account",
 "resourceName": tf_lib.get_resource_name(storage, name),
 "searchKey": sprintf("azurerm_storage_account[%s].allow_blob_public_access", [name]),
diff --git a/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/query.rego b/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/query.rego
index 8602f553b8b..984c6a29747 100644
--- a/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/query.rego
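Review bot: `storage.allow_blob_public_access != false` in the last hunk is undefined, and therefore the rule silently does not fire, when the attribute is absent from the resource; only an explicit non-`false` value is flagged. If an unset attribute is meant to count as a finding, the sibling queries in this commit (mariadb_public_network_access_enabled, for example) pair the value check with a second rule guarded by `not common_lib.valid_key(storage, "allow_blob_public_access")`; whether the provider default makes that necessary for this attribute is not visible here and is worth confirming before leaving the gap.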
+++ b/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/query.rego
@@ -2,13 +2,15 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- cache := input.document[i].resource.azurerm_redis_cache[name]
+ some document in input.document
+ cache := document.resource.azurerm_redis_cache[name]
 cache.enable_non_ssl_port == true
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_redis_cache",
 "resourceName": tf_lib.get_resource_name(cache, name),
 "searchKey": sprintf("azurerm_redis_cache[%s].enable_non_ssl_port", [name]),
diff --git a/assets/queries/terraform/azure/redis_entirely_accessible/query.rego b/assets/queries/terraform/azure/redis_entirely_accessible/query.rego
index d9a774e51c1..f27236cdad3 100644
--- a/assets/queries/terraform/azure/redis_entirely_accessible/query.rego
+++ b/assets/queries/terraform/azure/redis_entirely_accessible/query.rego
@@ -1,15 +1,17 @@
 package Cx
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- firewall_rule := input.document[i].resource.azurerm_redis_firewall_rule[name]
+ some document in input.document
+ firewall_rule := document.resource.azurerm_redis_firewall_rule[name]
 firewall_rule.start_ip == "0.0.0.0"
 firewall_rule.end_ip == "0.0.0.0"
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_redis_firewall_rule",
 "resourceName": tf_lib.get_resource_name(firewall_rule, name),
 "searchKey": sprintf("azurerm_redis_firewall_rule[%s].start_ip", [name]),
diff --git a/assets/queries/terraform/azure/redis_not_updated_regularly/query.rego b/assets/queries/terraform/azure/redis_not_updated_regularly/query.rego
index bee62688d8e..55c3fa8a48c 100644
--- a/assets/queries/terraform/azure/redis_not_updated_regularly/query.rego
+++ b/assets/queries/terraform/azure/redis_not_updated_regularly/query.rego
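Review bot: In redis_entirely_accessible the rule only matches the exact pair `start_ip == "0.0.0.0"` together with `end_ip == "0.0.0.0"`, so a firewall rule written as `0.0.0.0` through `255.255.255.255` is not reported by this query and is left to redis_publicly_accessible in the next hunk, which depends on `commonLib.isPrivateIP` instead. That division of labour is probably intentional given the two separate queries, but nothing in this file says so; a one-line comment above the two conditions stating which configuration this exact pair is meant to catch, and that wider ranges are handled by the sibling query, would keep the next reader from "fixing" it.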
@@ -2,14 +2,16 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- redis_cache := input.document[i].resource.azurerm_redis_cache[name]
+ some document in input.document
+ redis_cache := document.resource.azurerm_redis_cache[name]
 not common_lib.valid_key(redis_cache, "patch_schedule")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_redis_cache",
 "resourceName": tf_lib.get_resource_name(redis_cache, name),
 "searchKey": sprintf("azurerm_redis_cache[%s]", [name]),
diff --git a/assets/queries/terraform/azure/redis_publicly_accessible/query.rego b/assets/queries/terraform/azure/redis_publicly_accessible/query.rego
index f9573c3c07d..358a2978e35 100644
--- a/assets/queries/terraform/azure/redis_publicly_accessible/query.rego
+++ b/assets/queries/terraform/azure/redis_publicly_accessible/query.rego
@@ -2,15 +2,17 @@ package Cx
 import data.generic.common as commonLib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- firewall_rule := input.document[i].resource.azurerm_redis_firewall_rule[name]
+ some document in input.document
+ firewall_rule := document.resource.azurerm_redis_firewall_rule[name]
 not commonLib.isPrivateIP(firewall_rule.start_ip)
 not commonLib.isPrivateIP(firewall_rule.end_ip)
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_redis_firewall_rule",
 "resourceName": tf_lib.get_resource_name(firewall_rule, name),
 "searchKey": sprintf("azurerm_redis_firewall_rule[%s].start_ip", [name]),
diff --git a/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/query.rego b/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/query.rego
index 2a5a3a0b544..5bd12ffbb39 100644
--- a/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/query.rego
+++ b/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/query.rego
@@ -1,9 +1,11 @@
 package Cx
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- role_assign := input.document[i].resource.azurerm_role_assignment[name]
+ some document in input.document
+ role_assign := document.resource.azurerm_role_assignment[name]
 role_assign.role_definition_name == "Guest"
 ref := split(role_assign.role_definition_id, ".")
@@ -12,7 +14,7 @@ CxPolicy[result] {
 not restricted(role_definition)
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_role_assignment",
 "resourceName": tf_lib.get_resource_name(role_assign, name),
 "searchKey": sprintf("azurerm_role_assignment[%s].role_definition_id", [name]),
diff --git a/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/query.rego b/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/query.rego
index 7cbb2f13d54..bb7a2412e72 100644
--- a/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/query.rego
+++ b/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/query.rego
@@ -1,16 +1,18 @@
 package Cx
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_role_definition[name]
+ some document in input.document
+ resource := document.resource.azurerm_role_definition[name]
 actions := resource.permissions.actions
 allows_custom_roles_creation(actions)
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_role_definition",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_role_definition[%s].permissions.actions", [name]),
diff --git a/assets/queries/terraform/azure/secret_expiration_not_set/query.rego b/assets/queries/terraform/azure/secret_expiration_not_set/query.rego
index 89a90b28699..726fbba6f95 100644
--- a/assets/queries/terraform/azure/secret_expiration_not_set/query.rego
+++ b/assets/queries/terraform/azure/secret_expiration_not_set/query.rego
@@ -1,14 +1,16 @@
 package Cx
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_key_vault_secret[name]
+ some document in input.document
+ resource := document.resource.azurerm_key_vault_secret[name]
 not resource.expiration_date
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_key_vault_secret",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_key_vault_secret[%s]", [name]),
diff --git a/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/query.rego b/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/query.rego
index 0c5f67dad62..a031a5d85fb 100644
--- a/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/query.rego
+++ b/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/query.rego
@@ -2,15 +2,17 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_security_center_subscription_pricing[name]
+ some document in input.document
+ resource := document.resource.azurerm_security_center_subscription_pricing[name]
 tier := lower(resource.tier)
 tier == "free"
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_security_center_subscription_pricing",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_security_center_subscription_pricing[%s].tier", [name]),
diff --git a/assets/queries/terraform/azure/security_contact_email/query.rego b/assets/queries/terraform/azure/security_contact_email/query.rego
index 5c95632ef27..14b2973bf2c 100644
--- a/assets/queries/terraform/azure/security_contact_email/query.rego
+++ b/assets/queries/terraform/azure/security_contact_email/query.rego
@@ -2,14 +2,16 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- scc := input.document[i].resource.azurerm_security_center_contact[name]
+ some document in input.document
+ scc := document.resource.azurerm_security_center_contact[name]
 not common_lib.valid_key(scc, "email")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_security_center_contact",
 "resourceName": tf_lib.get_resource_name(scc, name),
 "searchKey": sprintf("azurerm_security_center_contact[%s]", [name]),
diff --git a/assets/queries/terraform/azure/security_group_is_not_configured/query.rego b/assets/queries/terraform/azure/security_group_is_not_configured/query.rego
index be4929297dc..13afd34ceff 100644
--- a/assets/queries/terraform/azure/security_group_is_not_configured/query.rego
+++ b/assets/queries/terraform/azure/security_group_is_not_configured/query.rego
@@ -2,13 +2,15 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.azure_virtual_network[name]
+ some document in input.document
+ resource := document.resource.azure_virtual_network[name]
 not common_lib.valid_key(resource.subnet, "security_group")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azure_virtual_network",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azure_virtual_network[%s].subnet", [name]),
@@ -19,11 +21,12 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.azure_virtual_network[name]
+ some document in input.document
+ resource := document.resource.azure_virtual_network[name]
 count(resource.subnet.security_group) == 0
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azure_virtual_network",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azure_virtual_network[%s].subnet.security_group", [name]),
diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/query.rego b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/query.rego
index 1eaf2476ce0..6db5f070b8e 100644
--- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/query.rego
+++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/query.rego
@@ -2,14 +2,16 @@ package Cx
 import data.generic.common as commonLib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_network_security_rule[name]
+ some document in input.document
+ resource := document.resource.azurerm_network_security_rule[name]
 portContent := commonLib.tcpPortsMap[port]
 portNumber = port
 portName = portContent
- protocol := tf_lib.getProtocolList(resource.protocol)[_]
+ some protocol in tf_lib.getProtocolList(resource.protocol)
 upper(resource.access) == "ALLOW"
 upper(resource.direction) == "INBOUND"
@@ -19,7 +21,7 @@ CxPolicy[result] {
 isTCPorUDP(protocol)
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_network_security_rule",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_network_security_rule[%s].destination_port_range", [name]),
diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/query.rego b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/query.rego
index b3ab9eab12b..6b43f8d28ab 100644
--- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/query.rego
+++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/query.rego
@@ -2,14 +2,16 @@ package Cx
 import data.generic.common as commonLib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_network_security_rule[name]
+ some document in input.document
+ resource := document.resource.azurerm_network_security_rule[name]
 portContent := commonLib.tcpPortsMap[port]
 portNumber = port
 portName = portContent
- protocol := tf_lib.getProtocolList(resource.protocol)[_]
+ some protocol in tf_lib.getProtocolList(resource.protocol)
 upper(resource.access) == "ALLOW"
 upper(resource.direction) == "INBOUND"
@@ -19,7 +21,7 @@ CxPolicy[result] {
 isTCPorUDP(protocol)
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_network_security_rule",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_network_security_rule[%s].destination_port_range", [name]),
diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/query.rego b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/query.rego
index 428561e4b91..eaaff2cec9e 100644
--- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/query.rego
+++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/query.rego
@@ -2,14 +2,16 @@ package Cx
 import data.generic.common as commonLib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_network_security_rule[name]
+ some document in input.document
+ resource := document.resource.azurerm_network_security_rule[name]
 portContent := commonLib.tcpPortsMap[port]
 portNumber = port
 portName = portContent
- protocol := tf_lib.getProtocolList(resource.protocol)[_]
+ some protocol in tf_lib.getProtocolList(resource.protocol)
 upper(resource.access) == "ALLOW"
 upper(resource.direction) == "INBOUND"
@@ -19,7 +21,7 @@ CxPolicy[result] {
 isTCPorUDP(protocol)
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_network_security_rule",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_network_security_rule[%s].destination_port_range", [name]),
diff --git a/assets/queries/terraform/azure/small_activity_log_retention_period/query.rego b/assets/queries/terraform/azure/small_activity_log_retention_period/query.rego
index fa428f589f5..31632691b6c 100644
--- a/assets/queries/terraform/azure/small_activity_log_retention_period/query.rego
+++ b/assets/queries/terraform/azure/small_activity_log_retention_period/query.rego
@@ -2,15 +2,17 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- monitor := input.document[i].resource.azurerm_monitor_log_profile[name]
+ some document in input.document
+ monitor := document.resource.azurerm_monitor_log_profile[name]
 monitor.retention_policy.enabled == true
 not common_lib.valid_key(monitor.retention_policy, "days")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_monitor_log_profile",
 "resourceName": tf_lib.get_resource_name(monitor, name),
 "searchKey": sprintf("azurerm_monitor_log_profile[%s].retention_policy", [name]),
@@ -24,12 +26,13 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- monitor := input.document[i].resource.azurerm_monitor_log_profile[name]
+ some document in input.document
+ monitor := document.resource.azurerm_monitor_log_profile[name]
 monitor.retention_policy.enabled == false
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_monitor_log_profile",
 "resourceName": tf_lib.get_resource_name(monitor, name),
 "searchKey": sprintf("azurerm_monitor_log_profile[%s].retention_policy.enabled", [name]),
@@ -46,14 +49,15 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- monitor := input.document[i].resource.azurerm_monitor_log_profile[name]
+ some document in input.document
+ monitor := document.resource.azurerm_monitor_log_profile[name]
 retentionPolicy := monitor.retention_policy
 retentionPolicy.enabled == true
 common_lib.between(retentionPolicy.days, 1, 364)
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_monitor_log_profile",
 "resourceName": tf_lib.get_resource_name(monitor, name),
 "searchKey": sprintf("azurerm_monitor_log_profile[%s].retention_policy.days", [name]),
diff --git a/assets/queries/terraform/azure/small_flow_logs_retention_period/query.rego b/assets/queries/terraform/azure/small_flow_logs_retention_period/query.rego
index 1bf7a72fa24..753e67e5db1 100644
--- a/assets/queries/terraform/azure/small_flow_logs_retention_period/query.rego
+++ b/assets/queries/terraform/azure/small_flow_logs_retention_period/query.rego
@@ -2,15 +2,17 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_network_watcher_flow_log[name]
+ some document in input.document
+ resource := document.resource.azurerm_network_watcher_flow_log[name]
 var := resource.retention_policy.days
 var < 90
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_network_watcher_flow_log",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_network_watcher_flow_log[%s].retention_policy.days", [name]),
@@ -27,12 +29,13 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_network_watcher_flow_log[name]
+ some document in input.document
+ resource := document.resource.azurerm_network_watcher_flow_log[name]
 not common_lib.valid_key(resource, "retention_policy")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_network_watcher_flow_log",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_network_watcher_flow_log[%s]", [name]),
@@ -46,14 +49,15 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_network_watcher_flow_log[name]
+ some document in input.document
+ resource := document.resource.azurerm_network_watcher_flow_log[name]
 resource.retention_policy
 enabled := resource.retention_policy.enabled
 enabled == false
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_network_watcher_flow_log",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_network_watcher_flow_log[%s].retention_policy.enabled", [name]),
diff --git a/assets/queries/terraform/azure/small_msql_server_audit_retention/query.rego b/assets/queries/terraform/azure/small_msql_server_audit_retention/query.rego
index 74e34f415b3..fe612620596 100644
--- a/assets/queries/terraform/azure/small_msql_server_audit_retention/query.rego
+++ b/assets/queries/terraform/azure/small_msql_server_audit_retention/query.rego
@@ -2,15 +2,17 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
 resource_type := ["azurerm_sql_database", "azurerm_sql_server"]
- resource := input.document[i].resource[resource_type[t]][name]
+ some document in input.document
+ resource := document.resource[resource_type[t]][name]
 not common_lib.valid_key(resource.extended_auditing_policy, "retention_in_days")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": resource_type[t],
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("%s[%s].extended_auditing_policy", [resource_type[t], name]),
@@ -25,13 +27,14 @@ CxPolicy[result] {
 CxPolicy[result] {
 resource_type := ["azurerm_sql_database", "azurerm_sql_server"]
- resource := input.document[i].resource[resource_type[t]][name]
+ some document in input.document
+ resource := document.resource[resource_type[t]][name]
 var := resource.extended_auditing_policy.retention_in_days
 var <= 90
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": resource_type[t],
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("%s[%s].extended_auditing_policy.retention_in_days", [resource_type[t], name]),
diff --git a/assets/queries/terraform/azure/small_mssql_audit_retention_period/query.rego b/assets/queries/terraform/azure/small_mssql_audit_retention_period/query.rego
index 91c9e85da9c..2177c5b6479 100644
--- a/assets/queries/terraform/azure/small_mssql_audit_retention_period/query.rego
+++ b/assets/queries/terraform/azure/small_mssql_audit_retention_period/query.rego
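Review bot: Both rules of small_msql_server_audit_retention still select the resource type through an unbound `t` in `document.resource[resource_type[t]][name]`, which is the same implicit-iteration pattern the commit is removing for `input.document[i]`, so a linter that flagged the old line will presumably keep flagging this one; the same applies to the two rules of small_mssql_audit_retention_period in the next file section. Since `future.keywords.in` is now imported, declaring the index next to the new `some document in input.document` line keeps the style consistent: `some t` (the later `resource_type[t]` uses in `resourceType` and `searchKey` stay as they are). Each rule's result literal continues outside the hunk.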
@@ -2,15 +2,17 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
 resource_type := ["azurerm_mssql_database", "azurerm_mssql_server"]
- resource := input.document[i].resource[resource_type[t]][name]
+ some document in input.document
+ resource := document.resource[resource_type[t]][name]
 not common_lib.valid_key(resource.extended_auditing_policy, "retention_in_days")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": resource_type[t],
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("%s[%s].extended_auditing_policy", [resource_type[t], name]),
@@ -25,13 +27,14 @@ CxPolicy[result] {
 CxPolicy[result] {
 resource_type := ["azurerm_mssql_database", "azurerm_mssql_server"]
- resource := input.document[i].resource[resource_type[t]][name]
+ some document in input.document
+ resource := document.resource[resource_type[t]][name]
 var := resource.extended_auditing_policy.retention_in_days
 var <= 90
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": resource_type[t],
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("%s[%s].extended_auditing_policy.retention_in_days", [resource_type[t], name]),
diff --git a/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/query.rego b/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/query.rego
index 5ccd78b362d..060d2798bd6 100644
--- a/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/query.rego
+++ b/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/query.rego
@@ -2,15 +2,17 @@ package Cx
 import data.generic.common as commonLib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- config := input.document[i].resource.azurerm_postgresql_configuration[name]
+ some document in input.document
+ config := document.resource.azurerm_postgresql_configuration[name]
 config.name == "log_retention_days"
 not commonLib.between(to_number(config.value), 4, 7)
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_postgresql_configuration",
 "resourceName": tf_lib.get_resource_name(config, name),
 "searchKey": sprintf("azurerm_postgresql_configuration[%s].value", [name]),
diff --git a/assets/queries/terraform/azure/sql_database_audit_disabled/query.rego b/assets/queries/terraform/azure/sql_database_audit_disabled/query.rego
index 1e68fb22281..8f9aa9090e6 100644
--- a/assets/queries/terraform/azure/sql_database_audit_disabled/query.rego
+++ b/assets/queries/terraform/azure/sql_database_audit_disabled/query.rego
@@ -2,14 +2,16 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_sql_database[name]
+ some document in input.document
+ resource := document.resource.azurerm_sql_database[name]
 not resource.threat_detection_policy
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_sql_database",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_sql_database[%s].threat_detection_policy", [name]),
@@ -23,12 +25,13 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_sql_database[name]
+ some document in input.document
+ resource := document.resource.azurerm_sql_database[name]
 resource.threat_detection_policy.state == "Disabled"
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_sql_database",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_sql_database[%s].threat_detection_policy.state", [name]),
diff --git a/assets/queries/terraform/azure/sql_server_alert_email_disabled/query.rego b/assets/queries/terraform/azure/sql_server_alert_email_disabled/query.rego
index 0ebfdc6f839..269b28467ee 100644
--- a/assets/queries/terraform/azure/sql_server_alert_email_disabled/query.rego
+++ b/assets/queries/terraform/azure/sql_server_alert_email_disabled/query.rego
@@ -2,15 +2,16 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- doc := input.document[i]
- resource := doc.resource.azurerm_mssql_server_security_alert_policy[name]
+ some document in input.document
+ resource := document.resource.azurerm_mssql_server_security_alert_policy[name]
 not common_lib.valid_key(resource, "email_account_admins")
 result := {
- "documentId": doc.id,
+ "documentId": document.id,
 "resourceType": "azurerm_mssql_server_security_alert_policy",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_mssql_server_security_alert_policy[%s]", [name]),
@@ -24,13 +25,13 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- doc := input.document[i]
- resource := doc.resource.azurerm_mssql_server_security_alert_policy[name]
+ some document in input.document
+ resource := document.resource.azurerm_mssql_server_security_alert_policy[name]
 resource.email_account_admins == false
 result := {
- "documentId": doc.id,
+ "documentId": document.id,
 "resourceType": "azurerm_mssql_server_security_alert_policy",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_mssql_server_security_alert_policy[%s].email_account_admins", [name]),
diff --git a/assets/queries/terraform/azure/sql_server_auditing_disabled/query.rego b/assets/queries/terraform/azure/sql_server_auditing_disabled/query.rego
index a10b70b4915..ad1fb673180 100644
--- a/assets/queries/terraform/azure/sql_server_auditing_disabled/query.rego
+++ b/assets/queries/terraform/azure/sql_server_auditing_disabled/query.rego
@@ -1,14 +1,16 @@
 package Cx
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_sql_server[name]
+ some document in input.document
+ resource := document.resource.azurerm_sql_server[name]
 not resource.extended_auditing_policy
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_sql_server",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_sql_server[%s]", [name]),
diff --git a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/query.rego b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/query.rego
index 9f5194557df..bd62091b1cb 100644
--- a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/query.rego
+++ b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/query.rego
@@ -1,14 +1,16 @@
 package Cx
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- firewall := input.document[i].resource.azurerm_sql_firewall_rule[name]
+ some document in input.document
+ firewall := document.resource.azurerm_sql_firewall_rule[name]
 firewall.start_ip_address = "0.0.0.0"
 checkEndIP(firewall.end_ip_address)
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_sql_firewall_rule",
 "resourceName": tf_lib.get_resource_name(firewall, name),
 "searchKey": sprintf("azurerm_sql_firewall_rule[%s]", [name]),
diff --git a/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/query.rego b/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/query.rego
index b79801396b8..79975bb6e62 100644
--- a/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/query.rego
+++ b/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/query.rego
@@ -1,13 +1,15 @@
 package Cx
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_sql_active_directory_administrator[name]
+ some document in input.document
+ resource := document.resource.azurerm_sql_active_directory_administrator[name]
 count(resource.login) == 0
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_sql_active_directory_administrator",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_sql_active_directory_administrator[%s].login", [name]),
@@ -18,11 +20,12 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_sql_active_directory_administrator[name]
+ some document in input.document
+ resource := document.resource.azurerm_sql_active_directory_administrator[name]
 check_predictable(resource.login)
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_sql_active_directory_administrator",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_sql_active_directory_administrator[%s].login", [name]),
diff --git a/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/query.rego b/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/query.rego
index 3ea0a6fd6ed..17432100b6d 100644
--- a/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/query.rego
+++ b/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/query.rego
@@ -1,13 +1,15 @@
 package Cx
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_sql_server[name]
+ some document in input.document
+ resource := document.resource.azurerm_sql_server[name]
 count(resource.administrator_login) == 0
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_sql_server",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_sql_server[%s].administrator_login", [name]),
@@ -18,11 +20,12 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_sql_server[name]
+ some document in input.document
+ resource := document.resource.azurerm_sql_server[name]
 check_predictable(resource.administrator_login)
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_sql_server",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_sql_server[%s].administrator_login", [name]),
diff --git a/assets/queries/terraform/azure/ssl_enforce_is_disabled/query.rego b/assets/queries/terraform/azure/ssl_enforce_is_disabled/query.rego
index 2f54304e951..59c9d1cb0fe 100644
--- a/assets/queries/terraform/azure/ssl_enforce_is_disabled/query.rego
+++ b/assets/queries/terraform/azure/ssl_enforce_is_disabled/query.rego
@@ -2,13 +2,15 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_postgresql_server[var0]
+ some document in input.document
+ resource := document.resource.azurerm_postgresql_server[var0]
 not common_lib.valid_key(resource, "ssl_enforcement_enabled")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_postgresql_server",
 "resourceName": tf_lib.get_resource_name(resource, var0),
 "searchKey": sprintf("azurerm_postgresql_server[%s].ssl_enforcement_enabled", [var0]),
@@ -22,11 +24,12 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_postgresql_server[var0]
+ some document in input.document
+ resource := document.resource.azurerm_postgresql_server[var0]
 resource.ssl_enforcement_enabled == false
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_postgresql_server",
 "resourceName": tf_lib.get_resource_name(resource, var0),
 "searchKey": sprintf("azurerm_postgresql_server[%s].ssl_enforcement_enabled", [var0]),
diff --git a/assets/queries/terraform/azure/storage_account_not_forcing_https/query.rego b/assets/queries/terraform/azure/storage_account_not_forcing_https/query.rego
index 12394c66b5a..3f763c54ff4 100644
--- a/assets/queries/terraform/azure/storage_account_not_forcing_https/query.rego
+++ b/assets/queries/terraform/azure/storage_account_not_forcing_https/query.rego
@@ -2,13 +2,15 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_storage_account[var0]
+ some document in input.document
+ resource := document.resource.azurerm_storage_account[var0]
 not common_lib.valid_key(resource, "enable_https_traffic_only")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_storage_account",
 "resourceName": tf_lib.get_resource_name(resource, var0),
 "searchKey": sprintf("azurerm_storage_account[%s]", [var0]),
@@ -22,11 +24,12 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_storage_account[var0]
+ some document in input.document
+ resource := document.resource.azurerm_storage_account[var0]
 resource.enable_https_traffic_only == false
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_storage_account",
 "resourceName": tf_lib.get_resource_name(resource, var0),
 "searchKey": sprintf("azurerm_storage_account[%s].enable_https_traffic_only", [var0]),
diff --git a/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/query.rego b/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/query.rego
index a2a18b3ae39..806f022ac1b 100644
--- a/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/query.rego
+++ b/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/query.rego
@@ -2,13 +2,15 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- storage := input.document[i].resource.azurerm_storage_account[name]
+ some document in input.document
+ storage := document.resource.azurerm_storage_account[name]
 storage.min_tls_version != "TLS1_2"
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_storage_account",
 "resourceName": tf_lib.get_resource_name(storage, name),
 "searchKey": sprintf("azurerm_storage_account[%s].min_tls_version", [name]),
diff --git a/assets/queries/terraform/azure/storage_container_is_publicly_accessible/query.rego b/assets/queries/terraform/azure/storage_container_is_publicly_accessible/query.rego
index 8dd51431f40..72a2c48c89c 100644
--- a/assets/queries/terraform/azure/storage_container_is_publicly_accessible/query.rego
+++ b/assets/queries/terraform/azure/storage_container_is_publicly_accessible/query.rego
@@ -2,14 +2,16 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_storage_container[name]
+ some document in input.document
+ resource := document.resource.azurerm_storage_container[name]
 resource.container_access_type != "private"
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_storage_container",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_storage_container[%s].container_access_type", [name]),
diff --git a/assets/queries/terraform/azure/storage_share_file_allows_all_acl_permissions/query.rego b/assets/queries/terraform/azure/storage_share_file_allows_all_acl_permissions/query.rego
index 0a2218ee4b9..c58853c3f11 100644
--- a/assets/queries/terraform/azure/storage_share_file_allows_all_acl_permissions/query.rego
+++ b/assets/queries/terraform/azure/storage_share_file_allows_all_acl_permissions/query.rego
@@ -1,9 +1,11 @@
 package Cx
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_storage_share_file[name]
+ some document in input.document
+ resource := document.resource.azurerm_storage_share_file[name]
 storageShareName := split(resource.storage_share_id, ".")[1]
@@ -13,7 +15,7 @@ CxPolicy[result] {
 count({x | permission := p[x]; contains(permissions, permission)}) == 4
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_storage_share",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_storage_share[%s].acl.access_policy.permissions", [storageShareName]),
diff --git a/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/query.rego b/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/query.rego
index fa07c74078f..ab03d02936d 100644
--- a/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/query.rego
+++ b/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/query.rego
@@ -1,9 +1,11 @@
 package Cx
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_storage_table[name]
+ some document in input.document
+ resource := document.resource.azurerm_storage_table[name]
 permissions := resource.acl.access_policy.permissions
@@ -12,7 +14,7 @@ CxPolicy[result] {
 count({x | permission := p[x]; contains(permissions, permission)}) == 4
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_storage_table",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_storage_table[%s].acl.permissions", [name]),
diff --git a/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/query.rego b/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/query.rego
index 0b22882a75b..b82b75ffb8c 100644
--- a/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/query.rego
+++ b/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/query.rego
@@ -2,13 +2,15 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_storage_account[name]
+ some document in input.document
+ resource := document.resource.azurerm_storage_account[name]
 not common_lib.valid_key(resource, "network_rules")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_storage_account",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_storage_account[%s]", [name]),
@@ -19,13 +21,14 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- network_rules := input.document[i].resource.azurerm_storage_account[name].network_rules
+ some document in input.document
+ network_rules := document.resource.azurerm_storage_account[name].network_rules
 not common_lib.valid_key(network_rules, "bypass")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_storage_account",
- "resourceName": tf_lib.get_resource_name(input.document[i].resource.azurerm_storage_account[name], name),
+ "resourceName": tf_lib.get_resource_name(network_rules, name),
 "searchKey": sprintf("azurerm_storage_account[%s].network_rules", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'network_rules.bypass' should be defined and not null",
@@ -34,12 +37,13 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.azurerm_storage_account[name]
+ some document in input.document
+ resource := document.resource.azurerm_storage_account[name]
 bypass := resource.network_rules.bypass
 not common_lib.inArray(bypass, "AzureServices")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "azurerm_storage_account",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_storage_account[%s].network_rules.bypass", [name]),
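Review bot: The `resourceName` line in the second rule of trusted_microsoft_services_not_enabled (hunk `@@ -19,13 +21,14 @@`) changes more than the iteration style: `tf_lib.get_resource_name` now receives the `network_rules` sub-block where it previously received the `azurerm_storage_account` resource, so the reported name can differ if the helper reads attributes of the object it is given (the helper lives in `data.generic.terraform` and is not visible here). Binding the resource first keeps the old output and still uses the `some … in` form: `resource := document.resource.azurerm_storage_account[name]`, `network_rules := resource.network_rules`, `"resourceName": tf_lib.get_resource_name(resource, name),`. That also matches the other rules in this file, which all pass the resource block itself. The rule body continues past the end of the hunk.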
@@ -50,11 +54,12 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.azurerm_storage_account_network_rules[name] + some document in input.document + resource := document.resource.azurerm_storage_account_network_rules[name] not common_lib.valid_key(resource, "bypass") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "azurerm_storage_account_network_rules", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("azurerm_storage_account_network_rules[%s]", [name]), @@ -65,12 +70,13 @@ CxPolicy[result] { } CxPolicy[result] { - network_rules := input.document[i].resource.azurerm_storage_account_network_rules[name] + some document in input.document + network_rules := document.resource.azurerm_storage_account_network_rules[name] bypass := network_rules.bypass not common_lib.inArray(bypass, "AzureServices") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "azurerm_storage_account_network_rules", "resourceName": tf_lib.get_resource_name(network_rules, name), "searchKey": sprintf("azurerm_storage_account_network_rules[%s].bypass", [name]), diff --git a/assets/queries/terraform/azure/unrestricted_sql_server_access/query.rego b/assets/queries/terraform/azure/unrestricted_sql_server_access/query.rego index 1c93c80c826..bf848f28f2b 100644 --- a/assets/queries/terraform/azure/unrestricted_sql_server_access/query.rego +++ b/assets/queries/terraform/azure/unrestricted_sql_server_access/query.rego 
@@ -2,15 +2,17 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.azurerm_sql_firewall_rule[name] + some document in input.document + resource := document.resource.azurerm_sql_firewall_rule[name] startIP_value := common_lib.calc_IP_value(resource.start_ip_address) endIP_value := common_lib.calc_IP_value(resource.end_ip_address) abs(endIP_value - startIP_value) >= 256 result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "azurerm_sql_firewall_rule", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("azurerm_sql_firewall_rule[%s].start_ip_address", [name]), diff --git a/assets/queries/terraform/azure/vault_auditing_disabled/query.rego b/assets/queries/terraform/azure/vault_auditing_disabled/query.rego index e6b7afe264e..d60b4780a97 100644 --- a/assets/queries/terraform/azure/vault_auditing_disabled/query.rego +++ b/assets/queries/terraform/azure/vault_auditing_disabled/query.rego @@ -1,9 +1,11 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.azurerm_key_vault[name] + some document in input.document + resource := document.resource.azurerm_key_vault[name] count({x | diagnosticResource := input.document[x].resource.azurerm_monitor_diagnostic_setting[_] @@ -11,7 +13,7 @@ CxPolicy[result] { }) == 0 result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "azurerm_key_vault", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("azurerm_key_vault[%s]", [name]), diff --git a/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/query.rego b/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/query.rego index a9a8cac7ca9..bf09b2ee0e1 100644 
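Review bot: In vault_auditing_disabled (hunk `@@ -1,9 +1,11 @@`) the set comprehension still scans `input.document[x]` with `x` used only as an index, which is exactly the pattern this commit replaces in the enclosing rule. If `x` is not referenced in the part of the comprehension that falls between the two hunks, `some other_doc in input.document` followed by `diagnosticResource := other_doc.resource.azurerm_monitor_diagnostic_setting[_]` would make the file consistent with the rest of the change. This scan is deliberately across all documents, so it must keep its own variable rather than reuse `document` from the rule. The rule body continues between and after the hunks.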
--- a/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/query.rego +++ b/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/query.rego @@ -2,14 +2,16 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.azurerm_virtual_network[name] + some document in input.document + resource := document.resource.azurerm_virtual_network[name] not common_lib.valid_key(resource, "ddos_protection_plan") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "azurerm_virtual_network", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("azurerm_virtual_network[%s]", [name]), @@ -21,12 +23,13 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.azurerm_virtual_network[name] + some document in input.document + resource := document.resource.azurerm_virtual_network[name] resource.ddos_protection_plan.enable == false result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "azurerm_virtual_network", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("azurerm_virtual_network[%s].ddos_protection_plan.enable", [name]), diff --git a/assets/queries/terraform/azure/vm_not_attached_to_network/query.rego b/assets/queries/terraform/azure/vm_not_attached_to_network/query.rego index 067ff6acd68..30a16fe0f7f 100644 --- a/assets/queries/terraform/azure/vm_not_attached_to_network/query.rego +++ b/assets/queries/terraform/azure/vm_not_attached_to_network/query.rego 
@@ -1,14 +1,16 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - vm := input.document[i].resource.azurerm_virtual_machine[name] + some document in input.document + vm := document.resource.azurerm_virtual_machine[name] count(vm.network_interface_ids) == 0 result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "azurerm_virtual_machine", "resourceName": tf_lib.get_resource_name(vm, name), "searchKey": sprintf("azurerm_virtual_machine[%s].network_interface_ids", [name]), diff --git a/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/query.rego b/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/query.rego index aeceb8e1f51..5cd77c20321 100644 --- a/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/query.rego +++ b/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/query.rego @@ -2,13 +2,15 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - gateway := input.document[i].resource.azurerm_application_gateway[name] + some document in input.document + gateway := document.resource.azurerm_application_gateway[name] not common_lib.valid_key(gateway, "waf_configuration") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "azurerm_application_gateway", "resourceName": tf_lib.get_resource_name(gateway, name), "searchKey": sprintf("azurerm_application_gateway[%s]", [name]), 
@@ -20,12 +22,13 @@ CxPolicy[result] { } CxPolicy[result] { - gateway := input.document[i].resource.azurerm_application_gateway[name] + some document in input.document + gateway := document.resource.azurerm_application_gateway[name] waf := gateway.waf_configuration waf.enabled != true result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "azurerm_application_gateway", "resourceName": tf_lib.get_resource_name(gateway, name), "searchKey": sprintf("azurerm_application_gateway[%s].waf_configuration.enabled", [name]), diff --git a/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/query.rego b/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/query.rego index 5b575032ede..138eb376bc0 100644 --- a/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/query.rego +++ b/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/query.rego @@ -2,14 +2,16 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.azurerm_app_service[name] + some document in input.document + resource := document.resource.azurerm_app_service[name] not common_lib.valid_key(resource, "https_only") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "azurerm_app_service", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("azurerm_app_service[%s]", [name]), 
@@ -23,12 +25,13 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.azurerm_app_service[name] + some document in input.document + resource := document.resource.azurerm_app_service[name] resource.https_only != true result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "azurerm_app_service", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("azurerm_app_service[%s].https_only", [name]), diff --git a/assets/queries/terraform/databricks/autoscale_badly_setup/query.rego b/assets/queries/terraform/databricks/autoscale_badly_setup/query.rego index e6e3c78c733..a4edc74193d 100644 --- a/assets/queries/terraform/databricks/autoscale_badly_setup/query.rego +++ b/assets/queries/terraform/databricks/autoscale_badly_setup/query.rego @@ -1,13 +1,15 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.databricks_cluster[name] + some document in input.document + resource := document.resource.databricks_cluster[name] not resource.autoscale.min_workers result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "databricks_cluster", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("databricks_cluster[%s].autoscale", [name]), @@ -18,11 +20,12 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.databricks_cluster[name] + some document in input.document + resource := document.resource.databricks_cluster[name] not resource.autoscale.max_workers result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "databricks_cluster", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("databricks_cluster[%s].autoscale", [name]), 
diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/query.rego b/assets/queries/terraform/databricks/cluster_aws_attributes/query.rego index a2e41bb6a5c..8ffcab6435d 100644 --- a/assets/queries/terraform/databricks/cluster_aws_attributes/query.rego +++ b/assets/queries/terraform/databricks/cluster_aws_attributes/query.rego @@ -1,13 +1,15 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.databricks_cluster[name] + some document in input.document + resource := document.resource.databricks_cluster[name] resource.aws_attributes.availability == "SPOT" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "databricks_cluster", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("databricks_cluster[%s].aws_attributes.availability", [name]), @@ -18,11 +20,12 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.databricks_cluster[name] + some document in input.document + resource := document.resource.databricks_cluster[name] resource.aws_attributes.first_on_demand == 0 result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "databricks_cluster", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("databricks_cluster[%s].aws_attributes.first_on_demand", [name]), @@ -33,11 +36,12 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.databricks_cluster[name].aws_attributes + some document in input.document + resource := document.resource.databricks_cluster[name].aws_attributes not resource.first_on_demand result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "databricks_cluster", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("databricks_cluster[%s].aws_attributes.first_on_demand", [name]), 
@@ -48,11 +52,12 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.databricks_cluster[name].aws_attributes + some document in input.document + resource := document.resource.databricks_cluster[name].aws_attributes not resource.zone_id == "auto" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "databricks_cluster", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("databricks_cluster[%s].aws_attributes.zone_id", [name]), diff --git a/assets/queries/terraform/databricks/cluster_azure_attributes/query.rego b/assets/queries/terraform/databricks/cluster_azure_attributes/query.rego index 29f8e7e43d4..df7ba14bb71 100644 --- a/assets/queries/terraform/databricks/cluster_azure_attributes/query.rego +++ b/assets/queries/terraform/databricks/cluster_azure_attributes/query.rego @@ -1,13 +1,15 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.databricks_cluster[name] + some document in input.document + resource := document.resource.databricks_cluster[name] resource.azure_attributes.availability == "SPOT_AZURE" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "databricks_cluster", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("databricks_cluster[%s].azure_attributes.availability", [name]), 
@@ -18,11 +20,12 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.databricks_cluster[name] + some document in input.document + resource := document.resource.databricks_cluster[name] resource.azure_attributes.first_on_demand == 0 result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "databricks_cluster", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("databricks_cluster[%s].azure_attributes.first_on_demand", [name]), @@ -33,11 +36,12 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.databricks_cluster[name].azure_attributes + some document in input.document + resource := document.resource.databricks_cluster[name].azure_attributes not resource.first_on_demand result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "databricks_cluster", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("databricks_cluster[%s].azure_attributes.first_on_demand", [name]), diff --git a/assets/queries/terraform/databricks/cluster_gcp_attributes/query.rego b/assets/queries/terraform/databricks/cluster_gcp_attributes/query.rego index 395841e9b72..c6e9e89841c 100644 --- a/assets/queries/terraform/databricks/cluster_gcp_attributes/query.rego +++ b/assets/queries/terraform/databricks/cluster_gcp_attributes/query.rego 
@@ -1,13 +1,15 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.databricks_cluster[name] + some document in input.document + resource := document.resource.databricks_cluster[name] resource.gcp_attributes.availability == "PREEMPTIBLE_GCP" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "databricks_cluster", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("databricks_cluster[%s].gcp_attributes.availability", [name]), diff --git a/assets/queries/terraform/databricks/databricks_permissions/query.rego b/assets/queries/terraform/databricks/databricks_permissions/query.rego index 1b013d1d30e..803072df2b7 100644 --- a/assets/queries/terraform/databricks/databricks_permissions/query.rego +++ b/assets/queries/terraform/databricks/databricks_permissions/query.rego @@ -2,14 +2,16 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - databricks_job := input.document[i].resource.databricks_job[name] + some document in input.document + databricks_job := document.resource.databricks_job[name] - is_associated_to_job(name, input.document[i]) + is_associated_to_job(name, document) result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "databricks_job", "resourceName": tf_lib.get_specific_resource_name(databricks_job, "databricks_job", name), "searchKey": sprintf("databricks_job[%s]", [name]), 
@@ -21,17 +23,18 @@ CxPolicy[result] {
 is_associated_to_job(databricks_job_name, doc) {
 [path, value] := walk(doc)
- databricks_permissions_used := value.databricks_permissions[_]
+ some databricks_permissions_used in value.databricks_permissions
 not contains(databricks_permissions_used.job_id, sprintf("databricks_job.%s", [databricks_job_name]))
 }
 CxPolicy[result] {
- databricks_cluster := input.document[i].resource.databricks_cluster[name]
+ some document in input.document
+ databricks_cluster := document.resource.databricks_cluster[name]
- is_associated_to_cluster(name, input.document[i])
+ is_associated_to_cluster(name, document)
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "databricks_cluster",
 "resourceName": tf_lib.get_specific_resource_name(databricks_cluster, "databricks_cluster", name),
 "searchKey": sprintf("databricks_cluster[%s]", [name]),
@@ -48,13 +51,14 @@ is_associated_to_cluster(databricks_cluster_name, doc) {
 }
 CxPolicy[result] {
- databricks_permissions := input.document[i].resource.databricks_permissions[name]
+ some document in input.document
+ databricks_permissions := document.resource.databricks_permissions[name]
 databricks_permissions.access_control.permission_level == "IS_OWNER"
 not databricks_permissions.access_control.service_principal_name
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "databricks_permissions",
 "resourceName": tf_lib.get_specific_resource_name(databricks_permissions, "databricks_permissions", name),
 "searchKey": sprintf("databricks_permissions.[%s]", [name]),
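Review bot: `[path, value] := walk(doc)` in `is_associated_to_job` binds `path` and never uses it; `[_, value] := walk(doc)` says so explicitly and is the kind of unused-variable finding a linter pass like this one tends to surface next. A second point on the same helper, pre-existing but now sitting on a rewritten line: with `some databricks_permissions_used in value.databricks_permissions` the helper succeeds only when at least one `databricks_permissions` block exists whose `job_id` does not reference the job, so a `databricks_job` with no permissions block anywhere in the document is never reported — if the query is meant to flag jobs lacking permissions, the absent case needs its own branch. `is_associated_to_cluster` presumably mirrors this; its body lies between the hunks and is not visible here.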
@@ -65,14 +69,15 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- databricks_permissions := input.document[i].resource.databricks_permissions[name]
+ some document in input.document
+ databricks_permissions := document.resource.databricks_permissions[name]
 some j
 databricks_permissions.access_control[j].permission_level == "IS_OWNER"
 not databricks_permissions.access_control[j].service_principal_name
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "databricks_permissions",
 "resourceName": tf_lib.get_specific_resource_name(databricks_permissions, "databricks_permissions", name),
 "searchKey": sprintf("databricks_permissions.[%s]", [name]),
diff --git a/assets/queries/terraform/databricks/group_without_user_or_instance_profile/query.rego b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/query.rego
index 539a00525d1..a9cac4dae91 100644
--- a/assets/queries/terraform/databricks/group_without_user_or_instance_profile/query.rego
+++ b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/query.rego
@@ -1,15 +1,17 @@
 package Cx
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- databricks_group := input.document[i].resource.databricks_group[name]
+ some document in input.document
+ databricks_group := document.resource.databricks_group[name]
 without_instance_profile(name)
 without_user(name)
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "aws_databricks_group",
 "resourceName": tf_lib.get_resource_name(databricks_group, name),
 "searchKey": sprintf("databricks_group[%s]", [name]),
diff --git a/assets/queries/terraform/databricks/indefinitely_obo_token/query.rego b/assets/queries/terraform/databricks/indefinitely_obo_token/query.rego
index 8859aab47ed..3121704787a 100644
--- a/assets/queries/terraform/databricks/indefinitely_obo_token/query.rego
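Review bot: The fourth rule of databricks_permissions (hunk `@@ -65,14 +69,15 @@`) keeps `some j` with `j` used only to index `access_control`, the same index-only iteration this commit removes for `input.document`; `some control in databricks_permissions.access_control` followed by `control.permission_level == "IS_OWNER"` and `not control.service_principal_name` would read the same way as the new document loop. The same applies to `some j` in unrestricted_acl (`isEntireNetwork(resource.ip_addresses[j])`), use_spark_submit_task (`resource.task[j].spark_submit_task`) and the `some j` / `some j, k` index pairs in cloud_storage_bucket_is_publicly_accessible, where `some member in iam_member.members` with `member in public_access_users` uses the `in` keyword the commit already imports. This is a consistency point only; the existing forms are correct. The rule body continues past the end of the hunk.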
+++ b/assets/queries/terraform/databricks/indefinitely_obo_token/query.rego @@ -1,13 +1,15 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.databricks_obo_token[name] + some document in input.document + resource := document.resource.databricks_obo_token[name] not resource.lifetime_seconds result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "databricks_obo_token", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("databricks_obo_token[%s]", [name]), diff --git a/assets/queries/terraform/databricks/indefinitely_token/query.rego b/assets/queries/terraform/databricks/indefinitely_token/query.rego index 4acf357414c..38369af6194 100644 --- a/assets/queries/terraform/databricks/indefinitely_token/query.rego +++ b/assets/queries/terraform/databricks/indefinitely_token/query.rego @@ -1,13 +1,15 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.databricks_token[name] + some document in input.document + resource := document.resource.databricks_token[name] not resource.lifetime_seconds result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "databricks_token", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("databricks_token[%s]", [name]), diff --git a/assets/queries/terraform/databricks/unrestricted_acl/query.rego b/assets/queries/terraform/databricks/unrestricted_acl/query.rego index a4c68fe2302..021800d018c 100644 --- a/assets/queries/terraform/databricks/unrestricted_acl/query.rego +++ b/assets/queries/terraform/databricks/unrestricted_acl/query.rego 
@@ -1,15 +1,17 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.databricks_ip_access_list[name] + some document in input.document + resource := document.resource.databricks_ip_access_list[name] some j isEntireNetwork(resource.ip_addresses[j]) result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "databricks_ip_access_list", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("databricks_ip_access_list[%s].ip_addresses", [name]), diff --git a/assets/queries/terraform/databricks/use_lts_spark_version/query.rego b/assets/queries/terraform/databricks/use_lts_spark_version/query.rego index 39b659f2b02..d9fecf16e2f 100644 --- a/assets/queries/terraform/databricks/use_lts_spark_version/query.rego +++ b/assets/queries/terraform/databricks/use_lts_spark_version/query.rego @@ -1,14 +1,16 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].data.databricks_spark_version[name] + some document in input.document + resource := document.data.databricks_spark_version[name] not resource.long_term_support result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "databricks_spark_version", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("databricks_spark_version[%s].long_term_support", [name]), 
@@ -19,13 +21,14 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.databricks_cluster[name] + some document in input.document + resource := document.resource.databricks_cluster[name] not isLtsVersion(resource.spark_version) not contains(resource.spark_version, "data.databricks_spark_version") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "databricks_spark_version", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("databricks_cluster[%s].spark_version", [name]), diff --git a/assets/queries/terraform/databricks/use_spark_submit_task/query.rego b/assets/queries/terraform/databricks/use_spark_submit_task/query.rego index 24d6ff225e3..4a289f3ea47 100644 --- a/assets/queries/terraform/databricks/use_spark_submit_task/query.rego +++ b/assets/queries/terraform/databricks/use_spark_submit_task/query.rego @@ -1,14 +1,16 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.databricks_job[name] + some document in input.document + resource := document.resource.databricks_job[name] resource.task.spark_submit_task result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "databricks_job", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("databricks_job[%s].task.spark_submit_task", [name]), @@ -19,13 +21,14 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.databricks_job[name] + some document in input.document + resource := document.resource.databricks_job[name] some j resource.task[j].spark_submit_task result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "databricks_job", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("databricks_job[%s].task.spark_submit_task", [name]), 
diff --git a/assets/queries/terraform/gcp/bigquery_dataset_is_public/query.rego b/assets/queries/terraform/gcp/bigquery_dataset_is_public/query.rego index 9cf8d8adec9..147d4715393 100644 --- a/assets/queries/terraform/gcp/bigquery_dataset_is_public/query.rego +++ b/assets/queries/terraform/gcp/bigquery_dataset_is_public/query.rego @@ -1,13 +1,15 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.google_bigquery_dataset[name] + some document in input.document + resource := document.resource.google_bigquery_dataset[name] publiclyAccessible(resource.access) result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_bigquery_dataset", "resourceName": tf_lib.get_specific_resource_name(resource, "google_bigquery_dataset", name), "searchKey": sprintf("google_bigquery_dataset[%s].access.special_group", [name]), diff --git a/assets/queries/terraform/gcp/cloud_dns_without_dnssec/query.rego b/assets/queries/terraform/gcp/cloud_dns_without_dnssec/query.rego index 77c4cb35602..05ea7120e0f 100644 --- a/assets/queries/terraform/gcp/cloud_dns_without_dnssec/query.rego +++ b/assets/queries/terraform/gcp/cloud_dns_without_dnssec/query.rego @@ -2,14 +2,16 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.google_dns_managed_zone[name] + some document in input.document + resource := document.resource.google_dns_managed_zone[name] withoutDNSSec(resource.dnssec_config) result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_dns_managed_zone", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("google_dns_managed_zone[%s].dnssec_config.state", [name]), 
diff --git a/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/query.rego b/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/query.rego index 9463157cea2..e8970f15d8f 100644 --- a/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/query.rego +++ b/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/query.rego @@ -1,13 +1,15 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.google_storage_bucket_iam_binding[name] + some document in input.document + resource := document.resource.google_storage_bucket_iam_binding[name] count(resource.members) == 0 result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_storage_bucket_iam_binding", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("google_storage_bucket_iam_binding[%s].members", [name]), @@ -18,12 +20,13 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.google_storage_bucket_iam_binding[name] - member := resource.members[_] + some document in input.document + resource := document.resource.google_storage_bucket_iam_binding[name] + some member in resource.members contains(member, "allUsers") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_storage_bucket_iam_binding", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("google_storage_bucket_iam_binding[%s].members", [name]), 
@@ -34,12 +37,13 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.google_storage_bucket_iam_binding[name] - member := resource.members[_] + some document in input.document + resource := document.resource.google_storage_bucket_iam_binding[name] + some member in resource.members contains(member, "allAuthenticatedUsers") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_storage_bucket_iam_binding", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("google_storage_bucket_iam_binding[%s].members", [name]), diff --git a/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/query.rego b/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/query.rego index 73e2e83b40e..88bae4aaecb 100644 --- a/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/query.rego +++ b/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/query.rego @@ -1,9 +1,11 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - iam_member := input.document[i].resource.google_storage_bucket_iam_member[name] + some document in input.document + iam_member := document.resource.google_storage_bucket_iam_member[name] public_access_users := ["allUsers", "allAuthenticatedUsers"] not iam_member.members @@ -11,7 +13,7 @@ CxPolicy[result] { public_access_users[j] == iam_member.member result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_storage_bucket_iam_member", "resourceName": tf_lib.get_resource_name(iam_member, name), "searchKey": sprintf("google_storage_bucket_iam_member[%s].member", [name]), 
@@ -22,14 +24,15 @@ CxPolicy[result] { } CxPolicy[result] { - iam_member := input.document[i].resource.google_storage_bucket_iam_member[name] + some document in input.document + iam_member := document.resource.google_storage_bucket_iam_member[name] public_access_users := ["allUsers", "allAuthenticatedUsers"] some j, k public_access_users[j] == iam_member.members[k] result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_storage_bucket_iam_member", "resourceName": tf_lib.get_resource_name(iam_member, name), "searchKey": sprintf("google_storage_bucket_iam_member[%s].members", [name]), diff --git a/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/query.rego b/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/query.rego index 6b763b72a43..d6e6913f8a5 100644 --- a/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/query.rego +++ b/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/query.rego @@ -2,13 +2,15 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.google_storage_bucket[name] + some document in input.document + resource := document.resource.google_storage_bucket[name] not common_lib.valid_key(resource, "logging") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_storage_bucket", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("google_storage_bucket[%s]", [name]), diff --git a/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/query.rego b/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/query.rego index 5ab4acd765d..c53ec9ab95a 100644 --- a/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/query.rego 
+++ b/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/query.rego @@ -2,14 +2,16 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.google_storage_bucket[name] + some document in input.document + resource := document.resource.google_storage_bucket[name] not common_lib.valid_key(resource, "versioning") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_storage_bucket", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("google_storage_bucket[%s]", [name]), @@ -23,12 +25,13 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.google_storage_bucket[name] + some document in input.document + resource := document.resource.google_storage_bucket[name] resource.versioning.enabled == false result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_storage_bucket", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("google_storage_bucket[%s].versioning.enabled", [name]), diff --git a/assets/queries/terraform/gcp/cluster_labels_disabled/query.rego b/assets/queries/terraform/gcp/cluster_labels_disabled/query.rego index 68233da89c9..72b2c8ea36f 100644 --- a/assets/queries/terraform/gcp/cluster_labels_disabled/query.rego +++ b/assets/queries/terraform/gcp/cluster_labels_disabled/query.rego 
@@ -1,13 +1,15 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.google_container_cluster[primary] + some document in input.document + resource := document.resource.google_container_cluster[primary] not resource.resource_labels result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_container_cluster", "resourceName": tf_lib.get_resource_name(resource, primary), "searchKey": sprintf("google_container_cluster[%s]", [primary]), diff --git a/assets/queries/terraform/gcp/cos_node_image_not_used/query.rego b/assets/queries/terraform/gcp/cos_node_image_not_used/query.rego index 5c39f0c525f..8fe97a98653 100644 --- a/assets/queries/terraform/gcp/cos_node_image_not_used/query.rego +++ b/assets/queries/terraform/gcp/cos_node_image_not_used/query.rego @@ -1,15 +1,17 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.google_container_node_pool[name] + some document in input.document + resource := document.resource.google_container_node_pool[name] resource.node_config.image_type not startswith(lower(resource.node_config.image_type), "cos") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_container_node_pool", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("google_container_node_pool[%s].node_config.image_type", [name]), diff --git a/assets/queries/terraform/gcp/disk_encryption_disabled/query.rego b/assets/queries/terraform/gcp/disk_encryption_disabled/query.rego index 79cb729d1e4..30ba7f57f6c 100644 --- a/assets/queries/terraform/gcp/disk_encryption_disabled/query.rego +++ b/assets/queries/terraform/gcp/disk_encryption_disabled/query.rego 
@@ -2,13 +2,15 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.google_compute_disk[name] + some document in input.document + resource := document.resource.google_compute_disk[name] not common_lib.valid_key(resource, "disk_encryption_key") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_compute_disk", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("google_compute_disk[%s]", [name]), @@ -19,13 +21,14 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.google_compute_disk[name] + some document in input.document + resource := document.resource.google_compute_disk[name] not common_lib.valid_key(resource.disk_encryption_key, "raw_key") not common_lib.valid_key(resource.disk_encryption_key, "kms_key_self_link") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_compute_disk", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("google_compute_disk[%s].disk_encryption_key", [name]), @@ -36,11 +39,12 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.google_compute_disk[name] + some document in input.document + resource := document.resource.google_compute_disk[name] key := tf_lib.check_key_empty(resource.disk_encryption_key) result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_compute_disk", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("google_compute_disk[%s].disk_encryption_key.%s", [name, key]), diff --git a/assets/queries/terraform/gcp/dnssec_using_rsasha1/query.rego b/assets/queries/terraform/gcp/dnssec_using_rsasha1/query.rego index cd3f940bf65..12b1931778d 100644 
--- a/assets/queries/terraform/gcp/dnssec_using_rsasha1/query.rego +++ b/assets/queries/terraform/gcp/dnssec_using_rsasha1/query.rego @@ -2,12 +2,15 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - dnssec_config := input.document[i].resource.google_dns_managed_zone[name].dnssec_config + some document in input.document + dnssec_config := document.resource.google_dns_managed_zone[name].dnssec_config dnssec_config.default_key_specs.algorithm == "rsasha1" + result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_dns_managed_zone", "resourceName": tf_lib.get_resource_name(dnssec_config, name), "searchKey": sprintf("google_dns_managed_zone[%s].dnssec_config.default_key_specs.algorithm", [name]), diff --git a/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/query.rego b/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/query.rego index 749ab47f9f9..72b3b820ea1 100644 --- a/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/query.rego +++ b/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/query.rego @@ -2,13 +2,15 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.google_container_cluster[primary] + some document in input.document + resource := document.resource.google_container_cluster[primary] resource.enable_legacy_abac == true result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_container_cluster", "resourceName": tf_lib.get_resource_name(resource, primary), "searchKey": sprintf("google_container_cluster[%s].enable_legacy_abac", [primary]), 
diff --git a/assets/queries/terraform/gcp/gke_using_default_service_account/query.rego b/assets/queries/terraform/gcp/gke_using_default_service_account/query.rego index 8631fbf3594..1bce1d4d769 100644 --- a/assets/queries/terraform/gcp/gke_using_default_service_account/query.rego +++ b/assets/queries/terraform/gcp/gke_using_default_service_account/query.rego @@ -2,14 +2,16 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.google_container_cluster[name] + some document in input.document + resource := document.resource.google_container_cluster[name] not common_lib.valid_key(resource.node_config, "service_account") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_container_cluster", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("google_container_cluster[%s].node_config", [name]), @@ -21,12 +23,13 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.google_container_cluster[name] + some document in input.document + resource := document.resource.google_container_cluster[name] contains(resource.node_config.service_account, "default") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_container_cluster", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("google_container_cluster[%s].node_config.service_account", [name]), diff --git a/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/query.rego b/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/query.rego index f653c0200a9..0942db1d10f 100644 --- a/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/query.rego +++ b/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/query.rego 
@@ -2,17 +2,19 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - computeNetwork := input.document[i].resource.google_compute_network[name] + some document in input.document + computeNetwork := document.resource.google_compute_network[name] - firewall := input.document[_].resource.google_compute_firewall[_] + some firewall in document.resource.google_compute_firewall tf_lib.matches(firewall.network, name) contains(firewall.name, "default") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_compute_network", "resourceName": tf_lib.get_resource_name(computeNetwork, name), "searchKey": sprintf("google_compute_network[%s]", [name]), diff --git a/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/query.rego b/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/query.rego index f90f1f61726..38e42dabe88 100644 --- a/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/query.rego +++ b/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/query.rego 
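Review bot: The new `some firewall in document.resource.google_compute_firewall` narrows the firewall lookup to the same document as the `google_compute_network`, whereas the removed line searched `input.document[_]` across every document; if each scanned .tf file is its own document, a default-named firewall rule declared in a different file from its network will no longer be reported, since `tf_lib.matches(firewall.network, name)` matches by name and does not need both resources in one file. The sibling query google_compute_network_using_firewall_rule_allows_all_ports keeps the cross-document search in this same commit, so the two queries now disagree. To satisfy the linter without losing coverage, iterate the second document explicitly: `some fw_doc in input.document` followed by `some firewall in fw_doc.resource.google_compute_firewall`.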
@@ -2,18 +2,20 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - computeNetwork := input.document[i].resource.google_compute_network[name] + some document in input.document + computeNetwork := document.resource.google_compute_network[name] - firewall := input.document[_].resource.google_compute_firewall[_] + some firewall in input.document[_].resource.google_compute_firewall tf_lib.matches(firewall.network, name) common_lib.is_ingress(firewall) all_ports(firewall.allow) result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_compute_network", "resourceName": tf_lib.get_resource_name(computeNetwork, name), "searchKey": sprintf("google_compute_network[%s]", [name]), diff --git a/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/query.rego b/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/query.rego index 1a17f105d46..7fefed11477 100644 --- a/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/query.rego +++ b/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/query.rego @@ -2,13 +2,15 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - sslPolicy := input.document[i].resource.google_compute_ssl_policy[name] + some document in input.document + sslPolicy := document.resource.google_compute_ssl_policy[name] sslPolicy.min_tls_version != "TLS_1_2" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_compute_ssl_policy", "resourceName": tf_lib.get_resource_name(sslPolicy, name), "searchKey": sprintf("google_compute_ssl_policy[%s].min_tls_version", [name]), 
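Review bot: `some firewall in input.document[_].resource.google_compute_firewall` still relies on the anonymous `input.document[_]` iteration that this commit replaces everywhere else, and it differs from the equivalent line in google_compute_network_using_default_firewall_rule, which now reads `document.resource.google_compute_firewall`. Keeping the cross-document search here looks correct, because the network and the firewall that references it can live in different files; spell it as `some fw_doc in input.document` and `some firewall in fw_doc.resource.google_compute_firewall` so the intent is explicit and the two sibling queries share one form. The `all_ports` helper referenced in this rule is defined outside the hunk.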
@@ -25,11 +27,12 @@ CxPolicy[result] { } CxPolicy[result] { - sslPolicy := input.document[i].resource.google_compute_ssl_policy[name] + some document in input.document + sslPolicy := document.resource.google_compute_ssl_policy[name] not common_lib.valid_key(sslPolicy, "min_tls_version") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_compute_ssl_policy", "resourceName": tf_lib.get_resource_name(sslPolicy, name), "searchKey": sprintf("google_compute_ssl_policy[%s].min_tls_version", [name]), diff --git a/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/query.rego b/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/query.rego index b35f18a3117..48b05720e10 100644 --- a/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/query.rego +++ b/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/query.rego @@ -2,13 +2,15 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.google_compute_subnetwork[name] + some document in input.document + resource := document.resource.google_compute_subnetwork[name] not common_lib.valid_key(resource, "log_config") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_compute_subnetwork", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("google_compute_subnetwork[%s]", [name]), diff --git a/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/query.rego b/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/query.rego index a44a2931451..82251ee8978 100644 --- a/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/query.rego 
+++ b/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/query.rego @@ -2,13 +2,15 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.google_compute_subnetwork[name] + some document in input.document + resource := document.resource.google_compute_subnetwork[name] not common_lib.valid_key(resource, "private_ip_google_access") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_compute_subnetwork", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("google_compute_subnetwork[%s]", [name]), @@ -22,11 +24,12 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.google_compute_subnetwork[name] + some document in input.document + resource := document.resource.google_compute_subnetwork[name] resource.private_ip_google_access == false result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_compute_subnetwork", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("google_compute_subnetwork[%s].private_ip_google_access", [name]), diff --git a/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/query.rego b/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/query.rego index 0a83703079a..421a2f17098 100644 --- a/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/query.rego +++ b/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/query.rego 
@@ -2,13 +2,15 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - nodePool := input.document[i].resource.google_container_node_pool[name] + some document in input.document + nodePool := document.resource.google_container_node_pool[name] nodePool.management.auto_repair == false result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_container_node_pool", "resourceName": tf_lib.get_resource_name(nodePool, name), "searchKey": sprintf("google_container_node_pool[%s].management.auto_repair", [name]), @@ -25,11 +27,12 @@ CxPolicy[result] { } CxPolicy[result] { - nodePool := input.document[i].resource.google_container_node_pool[name] + some document in input.document + nodePool := document.resource.google_container_node_pool[name] not common_lib.valid_key(nodePool, "management") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_container_node_pool", "resourceName": tf_lib.get_resource_name(nodePool, name), "searchKey": sprintf("google_container_node_pool[%s].management", [name]), diff --git a/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/query.rego b/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/query.rego index 88c557a6751..600d6fd6a30 100644 --- a/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/query.rego +++ b/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/query.rego 
@@ -2,13 +2,15 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - project := input.document[i].resource.google_project[name] + some document in input.document + project := document.resource.google_project[name] project.auto_create_network == true result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_project", "resourceName": tf_lib.get_resource_name(project, name), "searchKey": sprintf("google_project[%s].auto_create_network", [name]), @@ -25,11 +27,12 @@ CxPolicy[result] { } CxPolicy[result] { - project := input.document[i].resource.google_project[name] + some document in input.document + project := document.resource.google_project[name] not common_lib.valid_key(project, "auto_create_network") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_project", "resourceName": tf_lib.get_resource_name(project, name), "searchKey": sprintf("google_project[%s]", [name]), diff --git a/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/query.rego b/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/query.rego index de9d1334875..dc22ad18f57 100644 --- a/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/query.rego +++ b/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/query.rego 
@@ -1,14 +1,16 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - projectIam := input.document[i].resource.google_project_iam_binding[name] + some document in input.document + projectIam := document.resource.google_project_iam_binding[name] startswith(projectIam.member, "serviceAccount:") contains(projectIam.role, "roles/iam.serviceAccountTokenCreator") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_project_iam_binding", "resourceName": tf_lib.get_resource_name(projectIam, name), "searchKey": sprintf("google_project_iam_binding[%s].role", [name]), @@ -19,12 +21,13 @@ CxPolicy[result] { } CxPolicy[result] { - projectIam := input.document[i].resource.google_project_iam_binding[name] + some document in input.document + projectIam := document.resource.google_project_iam_binding[name] inArray(projectIam.members, "serviceAccount:") contains(projectIam.role, "roles/iam.serviceAccountTokenCreator") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_project_iam_binding", "resourceName": tf_lib.get_resource_name(projectIam, name), "searchKey": sprintf("google_project_iam_binding[%s].role", [name]), @@ -35,12 +38,13 @@ CxPolicy[result] { } CxPolicy[result] { - projectIam := input.document[i].resource.google_project_iam_binding[name] + some document in input.document + projectIam := document.resource.google_project_iam_binding[name] startswith(projectIam.member, "serviceAccount:") contains(projectIam.role, "roles/iam.serviceAccountUser") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_project_iam_binding", "resourceName": tf_lib.get_resource_name(projectIam, name), "searchKey": sprintf("google_project_iam_binding[%s].role", [name]), 
@@ -51,12 +55,13 @@ CxPolicy[result] { } CxPolicy[result] { - projectIam := input.document[i].resource.google_project_iam_binding[name] + some document in input.document + projectIam := document.resource.google_project_iam_binding[name] inArray(projectIam.members, "serviceAccount:") contains(projectIam.role, "roles/iam.serviceAccountUser") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_project_iam_binding", "resourceName": tf_lib.get_resource_name(projectIam, name), "searchKey": sprintf("google_project_iam_binding[%s].role", [name]), diff --git a/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/query.rego b/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/query.rego index b25adf200ab..32b88bff27d 100644 --- a/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/query.rego +++ b/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/query.rego @@ -1,14 +1,16 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - projectIam := input.document[i].resource.google_project_iam_member[name] + some document in input.document + projectIam := document.resource.google_project_iam_member[name] startswith(projectIam.member, "serviceAccount:") contains(projectIam.role, "roles/iam.serviceAccountAdmin") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_project_iam_member", "resourceName": tf_lib.get_resource_name(projectIam, name), "searchKey": sprintf("google_project_iam_member[%s].role", [name]), 
@@ -19,12 +21,13 @@ CxPolicy[result] { } CxPolicy[result] { - projectIam := input.document[i].resource.google_project_iam_member[name] + some document in input.document + projectIam := document.resource.google_project_iam_member[name] inArray(projectIam.members, "serviceAccount:") contains(projectIam.role, "roles/iam.serviceAccountAdmin") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_project_iam_member", "resourceName": tf_lib.get_resource_name(projectIam, name), "searchKey": sprintf("google_project_iam_member[%s].role", [name]), diff --git a/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/query.rego b/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/query.rego index f5b5a3fddf8..9817ff84d44 100644 --- a/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/query.rego +++ b/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/query.rego @@ -1,14 +1,16 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - projectIam := input.document[i].resource.google_project_iam_member[name] + some document in input.document + projectIam := document.resource.google_project_iam_member[name] startswith(projectIam.member, "serviceAccount:") contains(projectIam.role, "roles/iam.serviceAccountTokenCreator") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_project_iam_member", "resourceName": tf_lib.get_resource_name(projectIam, name), "searchKey": sprintf("google_project_iam_member[%s].role", [name]), 
@@ -19,12 +21,13 @@ CxPolicy[result] { } CxPolicy[result] { - projectIam := input.document[i].resource.google_project_iam_member[name] + some document in input.document + projectIam := document.resource.google_project_iam_member[name] containsArray(projectIam.members, "serviceAccount:") contains(projectIam.role, "roles/iam.serviceAccountTokenCreator") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_project_iam_member", "resourceName": tf_lib.get_resource_name(projectIam, name), "searchKey": sprintf("google_project_iam_member[%s].role", [name]), @@ -35,12 +38,13 @@ CxPolicy[result] { } CxPolicy[result] { - projectIam := input.document[i].resource.google_project_iam_member[name] + some document in input.document + projectIam := document.resource.google_project_iam_member[name] startswith(projectIam.member, "serviceAccount:") contains(projectIam.role, "roles/iam.serviceAccountUser") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_project_iam_member", "resourceName": tf_lib.get_resource_name(projectIam, name), "searchKey": sprintf("google_project_iam_member[%s].role", [name]), @@ -51,12 +55,13 @@ CxPolicy[result] { } CxPolicy[result] { - projectIam := input.document[i].resource.google_project_iam_member[name] + some document in input.document + projectIam := document.resource.google_project_iam_member[name] containsArray(projectIam.members, "serviceAccount:") contains(projectIam.role, "roles/iam.serviceAccountUser") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_project_iam_member", "resourceName": tf_lib.get_resource_name(projectIam, name), "searchKey": sprintf("google_project_iam_member[%s].role", [name]), 
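Review bot: The second and fourth rules call `containsArray(projectIam.members, "serviceAccount:")`, while the otherwise identical rules in google_project_iam_member_service_account_has_admin_role and in the iam_binding variant call `inArray`; both helpers are defined outside the visible hunks, so confirm `containsArray` actually exists in this file or rename it to `inArray` for consistency, since a missing helper makes the rule silently undefined rather than failing. Separately, the `google_project_iam_member` resource takes a single `member` argument rather than `members` in the Google provider as far as I recall; if so, the two `members` rules can never match and only the `startswith(projectIam.member, "serviceAccount:")` rules carry the detection, which would be worth a comment such as `# members-based rules kept for parity with google_project_iam_binding; google_project_iam_member only exposes member` or removal.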
diff --git a/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/query.rego b/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/query.rego index 9d6a6208a66..5e7cd414af5 100644 --- a/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/query.rego +++ b/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/query.rego @@ -2,13 +2,15 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - storageBucket := input.document[i].resource.google_storage_bucket[name] + some document in input.document + storageBucket := document.resource.google_storage_bucket[name] storageBucket.uniform_bucket_level_access == false result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_storage_bucket", "resourceName": tf_lib.get_resource_name(storageBucket, name), "searchKey": sprintf("google_storage_bucket[%s].uniform_bucket_level_access", [name]), @@ -25,11 +27,12 @@ CxPolicy[result] { } CxPolicy[result] { - storageBucket := input.document[i].resource.google_storage_bucket[name] + some document in input.document + storageBucket := document.resource.google_storage_bucket[name] not common_lib.valid_key(storageBucket, "uniform_bucket_level_access") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_storage_bucket", "resourceName": tf_lib.get_resource_name(storageBucket, name), "searchKey": sprintf("google_storage_bucket[%s]", [name]), diff --git a/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/query.rego b/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/query.rego index 1ed1323cc85..ef81e9432b3 100644 --- a/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/query.rego +++ b/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/query.rego 
@@ -2,14 +2,16 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - cryptoKey := input.document[i].resource.google_kms_crypto_key[name] + some document in input.document + cryptoKey := document.resource.google_kms_crypto_key[name] rotationPeriod := substring(cryptoKey.rotation_period, 0, count(cryptoKey.rotation_period) - 1) to_number(rotationPeriod) > 7776000 result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_kms_crypto_key", "resourceName": tf_lib.get_resource_name(cryptoKey, name), "searchKey": sprintf("google_kms_crypto_key[%s].rotation_period", [name]), @@ -26,12 +28,13 @@ CxPolicy[result] { } CxPolicy[result] { - cryptoKey := input.document[i].resource.google_kms_crypto_key[name] + some document in input.document + cryptoKey := document.resource.google_kms_crypto_key[name] not common_lib.valid_key(cryptoKey, "rotation_period") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_kms_crypto_key", "resourceName": tf_lib.get_resource_name(cryptoKey, name), "searchKey": sprintf("google_kms_crypto_key[%s]", [name]), diff --git a/assets/queries/terraform/gcp/iam_audit_not_properly_configured/query.rego b/assets/queries/terraform/gcp/iam_audit_not_properly_configured/query.rego index 09c542a27c9..19f3fc27699 100644 --- a/assets/queries/terraform/gcp/iam_audit_not_properly_configured/query.rego +++ b/assets/queries/terraform/gcp/iam_audit_not_properly_configured/query.rego 
@@ -1,14 +1,16 @@
 package Cx
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.google_project_iam_audit_config[name]
+ some document in input.document
+ resource := document.resource.google_project_iam_audit_config[name]
 resource.service != "allServices"
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_project_iam_audit_config",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("google_project_iam_audit_config[%s].service", [name]),
@@ -19,7 +21,8 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.google_project_iam_audit_config[name]
+ some document in input.document
+ resource := document.resource.google_project_iam_audit_config[name]
 count(resource.audit_log_config) < 3
@@ -29,7 +32,7 @@ CxPolicy[result] {
 audit_log_config.log_type != "ADMIN_READ"
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_project_iam_audit_config",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("google_project_iam_audit_config[%s].audit_log_config.log_type", [name]),
@@ -40,14 +43,15 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.google_project_iam_audit_config[name]
+ some document in input.document
+ resource := document.resource.google_project_iam_audit_config[name]
 audit_log_config = resource.audit_log_config[_]
 exempted_members = audit_log_config.exempted_members
 count(exempted_members) != 0
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_project_iam_audit_config",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("google_project_iam_audit_config[%s].audit_log_config.exempted_members", [name]),
diff --git a/assets/queries/terraform/gcp/ip_aliasing_disabled/query.rego b/assets/queries/terraform/gcp/ip_aliasing_disabled/query.rego
index 52270271890..7b52a8352d6 100644
--- a/assets/queries/terraform/gcp/ip_aliasing_disabled/query.rego
+++ b/assets/queries/terraform/gcp/ip_aliasing_disabled/query.rego
@@ -1,14 +1,16 @@
 package Cx
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.google_container_cluster[primary]
+ some document in input.document
+ resource := document.resource.google_container_cluster[primary]
 not resource.ip_allocation_policy
 not resource.networking_mode
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_container_cluster",
 "resourceName": tf_lib.get_resource_name(resource, primary),
 "searchKey": sprintf("google_container_cluster[%s]", [primary]),
@@ -19,12 +21,13 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.google_container_cluster[primary]
+ some document in input.document
+ resource := document.resource.google_container_cluster[primary]
 not resource.ip_allocation_policy
 resource.networking_mode
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_container_cluster",
 "resourceName": tf_lib.get_resource_name(resource, primary),
 "searchKey": sprintf("google_container_cluster[%s]", [primary]),
@@ -35,12 +38,13 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.google_container_cluster[primary]
+ some document in input.document
+ resource := document.resource.google_container_cluster[primary]
 resource.ip_allocation_policy
 resource.networking_mode == "ROUTES"
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_container_cluster",
 "resourceName": tf_lib.get_resource_name(resource, primary),
 "searchKey": sprintf("google_container_cluster[%s]", [primary]),
diff --git a/assets/queries/terraform/gcp/ip_forwarding_enabled/query.rego b/assets/queries/terraform/gcp/ip_forwarding_enabled/query.rego
index 6fab53a05d7..9c3f81f274a 100644
--- a/assets/queries/terraform/gcp/ip_forwarding_enabled/query.rego
+++ b/assets/queries/terraform/gcp/ip_forwarding_enabled/query.rego
@@ -2,13 +2,15 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- dt := input.document[i].resource.google_compute_instance[appserver]
+ some document in input.document
+ dt := document.resource.google_compute_instance[appserver]
 dt.can_ip_forward == true
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_compute_instance",
 "resourceName": tf_lib.get_resource_name(dt, appserver),
 "searchKey": sprintf("google_compute_instance[%s].can_ip_forward", [appserver]),
diff --git a/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/query.rego b/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/query.rego
index 923c972994e..b185323c89f 100644
--- a/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/query.rego
+++ b/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/query.rego
@@ -2,9 +2,11 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.google_project_iam_policy[name]
+ some document in input.document
+ resource := document.resource.google_project_iam_policy[name]
 policyName := split(resource.policy_data, ".")[2]
 policy := input.document[_].data.google_iam_policy[policyName]
@@ -12,7 +14,7 @@ CxPolicy[result] {
 count({x | binding = policy.binding[x]; binding.role == "roles/cloudkms.admin"; has_cryptokey_roles_in_use(policy, binding.members)}) != 0
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_project_iam_policy",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("google_project_iam_policy[%s].policy_data", [name]),
diff --git a/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/query.rego b/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/query.rego
index 8b07a4297ba..4132c919fb0 100644
--- a/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/query.rego
+++ b/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/query.rego
@@ -2,14 +2,16 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.google_container_cluster[primary]
+ some document in input.document
+ resource := document.resource.google_container_cluster[primary]
 resource.master_auth
 not resource.master_auth.client_certificate_config
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_container_cluster",
 "resourceName": tf_lib.get_resource_name(resource, primary),
 "searchKey": sprintf("google_container_cluster[%s].master_auth", [primary]),
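Review bot: The policy lookup two lines below the new `some document in input.document` still iterates with `policy := input.document[_].data.google_iam_policy[policyName]`, so this rule keeps the exact pattern the commit is removing and the same lint finding will presumably remain. If the cross-document search is deliberate (the google_iam_policy data block may live in a different file than the binding), make that explicit with its own iterator: `some policy_doc in input.document` followed by `policy := policy_doc.data.google_iam_policy[policyName]`. Note also that `split(resource.policy_data, ".")[2]` is undefined when policy_data has fewer than three dot-separated parts, in which case the whole rule is silently suppressed rather than reported; the rule body continues in the next hunk.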
@@ -20,12 +22,13 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.google_container_cluster[primary]
+ some document in input.document
+ resource := document.resource.google_container_cluster[primary]
 resource.master_auth
 resource.master_auth.client_certificate_config.issue_client_certificate == true
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_container_cluster",
 "resourceName": tf_lib.get_resource_name(resource, primary),
 "searchKey": sprintf("google_container_cluster[%s].master_auth.client_certificate_config.issue_client_certificate", [primary]),
diff --git a/assets/queries/terraform/gcp/network_policy_disabled/query.rego b/assets/queries/terraform/gcp/network_policy_disabled/query.rego
index 41b57f180d2..baa7887a0ad 100644
--- a/assets/queries/terraform/gcp/network_policy_disabled/query.rego
+++ b/assets/queries/terraform/gcp/network_policy_disabled/query.rego
@@ -2,14 +2,16 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.google_container_cluster[primary]
+ some document in input.document
+ resource := document.resource.google_container_cluster[primary]
 not bothDefined(resource)
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_container_cluster",
 "resourceName": tf_lib.get_resource_name(resource, primary),
 "searchKey": sprintf("google_container_cluster[%s]", [primary]),
@@ -21,13 +23,14 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.google_container_cluster[primary]
+ some document in input.document
+ resource := document.resource.google_container_cluster[primary]
 bothDefined(resource)
 not resource.addons_config.network_policy_config
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_container_cluster",
 "resourceName": tf_lib.get_resource_name(resource, primary),
 "searchKey": sprintf("google_container_cluster[%s].addons_config", [primary]),
@@ -39,11 +42,12 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.google_container_cluster[primary]
+ some document in input.document
+ resource := document.resource.google_container_cluster[primary]
 resource.network_policy.enabled == false
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_container_cluster",
 "resourceName": tf_lib.get_resource_name(resource, primary),
 "searchKey": sprintf("google_container_cluster[%s].network_policy.enabled", [primary]),
@@ -60,12 +64,13 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.google_container_cluster[primary]
+ some document in input.document
+ resource := document.resource.google_container_cluster[primary]
 resource.network_policy.enabled == true
 resource.addons_config.network_policy_config.disabled == true
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_container_cluster",
 "resourceName": tf_lib.get_resource_name(resource, primary),
 "searchKey": sprintf("google_container_cluster[%s].addons_config.network_policy_config.disabled", [primary]),
diff --git a/assets/queries/terraform/gcp/node_auto_upgrade_disabled/query.rego b/assets/queries/terraform/gcp/node_auto_upgrade_disabled/query.rego
index 26a635fa15b..e244c212635 100644
--- a/assets/queries/terraform/gcp/node_auto_upgrade_disabled/query.rego
+++ b/assets/queries/terraform/gcp/node_auto_upgrade_disabled/query.rego
@@ -2,12 +2,15 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.google_container_node_pool[name]
+ some document in input.document
+ resource := document.resource.google_container_node_pool[name]
 not common_lib.valid_key(resource, "management")
+
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_container_node_pool",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("google_container_node_pool[%s]", [name]),
@@ -21,12 +24,14 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- management := input.document[i].resource.google_container_node_pool[name].management
+ some document in input.document
+ management := document.resource.google_container_node_pool[name].management
 not common_lib.valid_key(management, "auto_upgrade")
+
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_container_node_pool",
- "resourceName": tf_lib.get_resource_name(input.document[i].resource.google_container_node_pool[name], name),
+ "resourceName": tf_lib.get_resource_name(document.resource.google_container_node_pool[name], name),
 "searchKey": sprintf("google_container_node_pool[%s].management", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "management.auto_upgrade should be defined and not null",
@@ -38,12 +43,14 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- management := input.document[i].resource.google_container_node_pool[name].management
+ some document in input.document
+ management := document.resource.google_container_node_pool[name].management
 management.auto_upgrade == false
+
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_container_node_pool",
- "resourceName": tf_lib.get_resource_name(input.document[i].resource.google_container_node_pool[name], name),
+ "resourceName": tf_lib.get_resource_name(document.resource.google_container_node_pool[name], name),
 "searchKey": sprintf("google_container_node_pool[%s].management.auto_upgrade", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "management.auto_upgrade should be true",
diff --git a/assets/queries/terraform/gcp/not_proper_email_account_in_use/query.rego b/assets/queries/terraform/gcp/not_proper_email_account_in_use/query.rego
index 716ff3fd09d..7265129a68a 100644
--- a/assets/queries/terraform/gcp/not_proper_email_account_in_use/query.rego
+++ b/assets/queries/terraform/gcp/not_proper_email_account_in_use/query.rego
@@ -1,15 +1,17 @@
 package Cx
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- members := input.document[i].resource.google_project_iam_binding[name].members
- mail := members[_]
+ some document in input.document
+ members := document.resource.google_project_iam_binding[name].members
+ some mail in members
 contains(mail, "gmail.com")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_project_iam_binding",
 "resourceName": tf_lib.get_resource_name(members, name),
 "searchKey": sprintf("google_project_iam_binding[%s].members.%s", [name, mail]),
diff --git a/assets/queries/terraform/gcp/os_login_disabled/query.rego b/assets/queries/terraform/gcp/os_login_disabled/query.rego
index e4d48f38c96..dffcfbaf407 100644
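Review bot: In the not_proper_email_account_in_use hunk, `contains(mail, "gmail.com")` is a substring test, so it also matches members whose domain merely embeds the string (for example `user:someone@notgmail.com`), and the finding's searchKey then names an address that is not a personal Gmail account. Anchoring on the address suffix, `endswith(mail, "@gmail.com")`, keeps the intent without that false positive. Separately, `tf_lib.get_resource_name(members, name)` hands the helper the members array rather than the binding resource; if the helper reads a `name` attribute from its first argument this cannot succeed on an array, so it is worth confirming against the helper and switching to the resource object if so.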
--- a/assets/queries/terraform/gcp/os_login_disabled/query.rego
+++ b/assets/queries/terraform/gcp/os_login_disabled/query.rego
@@ -2,15 +2,17 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.google_compute_project_metadata[name].metadata
+ some document in input.document
+ resource := document.resource.google_compute_project_metadata[name].metadata
 resource["enable-oslogin"] == false
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_compute_project_metadata",
- "resourceName": tf_lib.get_resource_name(input.document[i].resource.google_compute_project_metadata[name], name),
+ "resourceName": tf_lib.get_resource_name(document.resource.google_compute_project_metadata[name], name),
 "searchKey": sprintf("google_compute_project_metadata[%s].metadata.enable-oslogin", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("google_compute_project_metadata[%s].metadata['enable-oslogin'] should be true", [name]),
@@ -25,13 +27,14 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.google_compute_project_metadata[name].metadata
+ some document in input.document
+ resource := document.resource.google_compute_project_metadata[name].metadata
 not common_lib.valid_key(resource, "enable-oslogin")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_compute_project_metadata",
- "resourceName": tf_lib.get_resource_name(input.document[i].resource.google_compute_project_metadata[name], name),
+ "resourceName": tf_lib.get_resource_name(document.resource.google_compute_project_metadata[name], name),
 "searchKey": sprintf("google_compute_project_metadata[%s].metadata", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("google_compute_project_metadata[%s].metadata['enable-oslogin'] should be true", [name]),
diff --git a/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/query.rego b/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/query.rego
index a527b186b55..16374195afa 100644
--- a/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/query.rego
+++ b/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/query.rego
@@ -2,15 +2,17 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- compute := input.document[i].resource.google_compute_instance[name]
+ some document in input.document
+ compute := document.resource.google_compute_instance[name]
 metadata := compute.metadata
 oslogin := object.get(metadata, "enable-oslogin", "undefined")
 isFalse(oslogin)
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_compute_instance",
 "resourceName": tf_lib.get_resource_name(compute, name),
 "searchKey": sprintf("google_compute_instance[%s].metadata.enable-oslogin", [name]),
diff --git a/assets/queries/terraform/gcp/outdated_gke_version/query.rego b/assets/queries/terraform/gcp/outdated_gke_version/query.rego
index d87fd582a8c..d82bfeaa006 100644
--- a/assets/queries/terraform/gcp/outdated_gke_version/query.rego
+++ b/assets/queries/terraform/gcp/outdated_gke_version/query.rego
@@ -2,13 +2,15 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.google_container_cluster[primary]
+ some document in input.document
+ resource := document.resource.google_container_cluster[primary]
 using_unrecommended_version(resource)
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_container_cluster",
 "resourceName": tf_lib.get_resource_name(resource, primary),
 "searchKey": sprintf("google_container_cluster[%s]", [primary]),
diff --git a/assets/queries/terraform/gcp/pod_security_policy_disabled/query.rego b/assets/queries/terraform/gcp/pod_security_policy_disabled/query.rego
index 7107ebcbc7f..74f8bb3b80d 100644
--- a/assets/queries/terraform/gcp/pod_security_policy_disabled/query.rego
+++ b/assets/queries/terraform/gcp/pod_security_policy_disabled/query.rego
@@ -2,13 +2,15 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.google_container_cluster[primary]
+ some document in input.document
+ resource := document.resource.google_container_cluster[primary]
 not resource.pod_security_policy_config
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_container_cluster",
 "resourceName": tf_lib.get_resource_name(resource, primary),
 "searchKey": sprintf("google_container_cluster[%s]", [primary]),
@@ -22,12 +24,13 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.google_container_cluster[primary]
+ some document in input.document
+ resource := document.resource.google_container_cluster[primary]
 resource.pod_security_policy_config
 resource.pod_security_policy_config.enabled == false
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_container_cluster",
 "resourceName": tf_lib.get_resource_name(resource, primary),
 "searchKey": sprintf("google_container_cluster[%s].pod_security_policy_config.enabled", [primary]),
diff --git a/assets/queries/terraform/gcp/private_cluster_disabled/query.rego b/assets/queries/terraform/gcp/private_cluster_disabled/query.rego
index d041e69fa5e..6bceaa45ec9 100644
--- a/assets/queries/terraform/gcp/private_cluster_disabled/query.rego
+++ b/assets/queries/terraform/gcp/private_cluster_disabled/query.rego
@@ -2,13 +2,15 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.google_container_cluster[primary]
+ some document in input.document
+ resource := document.resource.google_container_cluster[primary]
 not common_lib.valid_key(resource, "private_cluster_config")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_container_cluster",
 "resourceName": tf_lib.get_resource_name(resource, primary),
 "searchKey": sprintf("google_container_cluster[%s]", [primary]),
@@ -19,13 +21,14 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.google_container_cluster[primary]
+ some document in input.document
+ resource := document.resource.google_container_cluster[primary]
 resource.private_cluster_config
 not bothDefined(resource.private_cluster_config)
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_container_cluster",
 "resourceName": tf_lib.get_resource_name(resource, primary),
 "searchKey": sprintf("google_container_cluster[%s].private_cluster_config", [primary]),
@@ -36,13 +39,14 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.google_container_cluster[primary]
+ some document in input.document
+ resource := document.resource.google_container_cluster[primary]
 bothDefined(resource.private_cluster_config)
 not bothTrue(resource.private_cluster_config)
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_container_cluster",
 "resourceName": tf_lib.get_resource_name(resource, primary),
 "searchKey": sprintf("google_container_cluster[%s].private_cluster_config", [primary]),
diff --git a/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/query.rego b/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/query.rego
index 0a345bc3e06..ebf98c465b6 100644
--- a/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/query.rego
+++ b/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/query.rego
@@ -2,15 +2,17 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- compute := input.document[i].resource.google_compute_instance[name]
+ some document in input.document
+ compute := document.resource.google_compute_instance[name]
 metadata := compute.metadata
 ssh_keys_enabled := metadata["block-project-ssh-keys"]
 not isTrue(ssh_keys_enabled)
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_compute_instance",
 "resourceName": tf_lib.get_resource_name(compute, name),
 "searchKey": sprintf("google_compute_instance[%s].metadata.block-project-ssh-keys", [name]),
@@ -21,11 +23,12 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- compute := input.document[i].resource.google_compute_instance[name]
+ some document in input.document
+ compute := document.resource.google_compute_instance[name]
 not common_lib.valid_key(compute, "metadata")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_compute_instance",
 "resourceName": tf_lib.get_resource_name(compute, name),
 "searchKey": sprintf("google_compute_instance[%s]", [name]),
@@ -36,11 +39,12 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- compute := input.document[i].resource.google_compute_instance[name]
+ some document in input.document
+ compute := document.resource.google_compute_instance[name]
 not common_lib.valid_key(compute.metadata, "block-project-ssh-keys")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_compute_instance",
 "resourceName": tf_lib.get_resource_name(compute, name),
 "searchKey": sprintf("google_compute_instance[%s].metadata", [name]),
diff --git a/assets/queries/terraform/gcp/rdp_access_is_not_restricted/query.rego b/assets/queries/terraform/gcp/rdp_access_is_not_restricted/query.rego
index 5e4e9024454..a6446538f50 100644
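Review bot: In the third project_wide_ssh_keys hunk (`@@ -36,11 +39,12 @@`), `not common_lib.valid_key(compute.metadata, "block-project-ssh-keys")` is vacuously true for an instance that has no `metadata` block at all, because in Rego `not` succeeds when its operand is undefined and `compute.metadata` is undefined there; such an instance is then reported by this rule and again by the second rule's `not common_lib.valid_key(compute, "metadata")`, with two different searchKeys. Guarding the third rule with `common_lib.valid_key(compute, "metadata")` on the line before the `not` keeps the two rules disjoint, unless the existing expected-results fixtures already count on the duplicate finding.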
--- a/assets/queries/terraform/gcp/rdp_access_is_not_restricted/query.rego
+++ b/assets/queries/terraform/gcp/rdp_access_is_not_restricted/query.rego
@@ -2,9 +2,11 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- firewall := input.document[i].resource.google_compute_firewall[name]
+ some document in input.document
+ firewall := document.resource.google_compute_firewall[name]
 common_lib.is_ingress(firewall)
 common_lib.is_unrestricted(firewall.source_ranges[_])
@@ -12,7 +14,7 @@ CxPolicy[result] {
 isRDPport(allowed[a])
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_compute_firewall",
 "resourceName": tf_lib.get_resource_name(firewall, name),
 "searchKey": sprintf("google_compute_firewall[%s].allow.ports", [name]),
diff --git a/assets/queries/terraform/gcp/service_account_with_improper_privileges/query.rego b/assets/queries/terraform/gcp/service_account_with_improper_privileges/query.rego
index df01758fa55..4accf530a25 100644
--- a/assets/queries/terraform/gcp/service_account_with_improper_privileges/query.rego
+++ b/assets/queries/terraform/gcp/service_account_with_improper_privileges/query.rego
@@ -2,15 +2,17 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].data.google_iam_policy[name]
+ some document in input.document
+ resource := document.data.google_iam_policy[name]
 tf_lib.check_member(resource.binding, "serviceAccount:")
 has_improperly_privileges(resource.binding.role)
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_iam_policy",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("google_iam_policy[%s].binding.role", [name]),
@@ -22,13 +24,14 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].data.google_iam_policy[name]
+ some document in input.document
+ resource := document.data.google_iam_policy[name]
 tf_lib.check_member(resource.binding[x], "serviceAccount:")
 has_improperly_privileges(resource.binding[x].role)
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_iam_policy",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("google_iam_policy[%s].binding[%s].role", [name, format_int(x, 10)]),
@@ -41,13 +44,14 @@ CxPolicy[result] {
 CxPolicy[result] {
 resources := {"google_project_iam_binding", "google_project_iam_member"}
- resource := input.document[i].resource[resources[idx]][name]
+ some document in input.document
+ resource := document.resource[resources[idx]][name]
 tf_lib.check_member(resource, "serviceAccount:")
 has_improperly_privileges(resource.role)
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": resources[idx],
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("%s[%s].role", [resources[idx], name]),
diff --git a/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/query.rego b/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/query.rego
index 753032c72d1..4f740c5ef55 100644
--- a/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/query.rego
+++ b/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/query.rego
@@ -1,13 +1,15 @@
 package Cx
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- google_container_cluster := input.document[i].resource.google_container_cluster[name]
+ some document in input.document
+ google_container_cluster := document.resource.google_container_cluster[name]
 google_container_cluster.enable_shielded_nodes == false
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_container_cluster",
 "resourceName": tf_lib.get_resource_name(google_container_cluster, name),
 "searchKey": sprintf("google_container_cluster[%s].enable_shielded_nodes", [name]),
diff --git a/assets/queries/terraform/gcp/shielded_vm_disabled/query.rego b/assets/queries/terraform/gcp/shielded_vm_disabled/query.rego
index 7ebf2f3e307..2e7a11ab44a 100644
--- a/assets/queries/terraform/gcp/shielded_vm_disabled/query.rego
+++ b/assets/queries/terraform/gcp/shielded_vm_disabled/query.rego
@@ -2,16 +2,16 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- document := input.document[i]
-
+ some document in input.document
 compute_instance := document.data.google_compute_instance[appserver]
 not common_lib.valid_key(compute_instance, "shielded_instance_config")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_compute_instance",
 "resourceName": tf_lib.get_resource_name(compute_instance, appserver),
 "searchKey": sprintf("google_compute_instance[%s]", [appserver]),
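Review bot: In the shielded_vm_disabled hunk, the kept line `compute_instance := document.data.google_compute_instance[appserver]` only walks Terraform `data` sources, so a `resource "google_compute_instance"` block, which is where `shielded_instance_config` is normally declared, is never inspected by this rule; the two hunks that follow read the same `document.data` path. If the query is meant to cover resources, that line should read `compute_instance := document.resource.google_compute_instance[appserver]` in all three rules, but check the positive and expected-result fixtures first, since the data-source form may be intentional.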
@@ -22,13 +22,14 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- document := input.document[i]
+ some document in input.document
 compute_instance := document.data.google_compute_instance[appserver]
 fields := ["enable_secure_boot", "enable_vtpm", "enable_integrity_monitoring"]
- fieldTypes := fields[_]
+ some fieldTypes in fields
 not common_lib.valid_key(compute_instance.shielded_instance_config, fieldTypes)
+
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_compute_instance",
 "resourceName": tf_lib.get_resource_name(compute_instance, appserver),
 "searchKey": sprintf("google_compute_instance[%s].shielded_instance_config", [appserver]),
@@ -39,12 +40,13 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- document := input.document[i]
+ some document in input.document
 compute_instance := document.data.google_compute_instance[appserver]
 fields := ["enable_secure_boot", "enable_vtpm", "enable_integrity_monitoring"]
 compute_instance.shielded_instance_config[fields[j]] == false
+
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_compute_instance",
 "resourceName": tf_lib.get_resource_name(compute_instance, appserver),
 "searchKey": sprintf("google_compute_instance[%s].shielded_instance_config.%s", [appserver, fields[j]]),
diff --git a/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/query.rego b/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/query.rego
index 18441f70119..9409bc9e2b7 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/query.rego
+++ b/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/query.rego
@@ -2,14 +2,16 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- settings := input.document[i].resource.google_sql_database_instance[name].settings
+ some document in input.document
+ settings := document.resource.google_sql_database_instance[name].settings
 not common_lib.valid_key(settings, "backup_configuration")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_sql_database_instance",
- "resourceName": tf_lib.get_resource_name(input.document[i].resource.google_sql_database_instance[name], name),
+ "resourceName": tf_lib.get_resource_name(document.resource.google_sql_database_instance[name], name),
 "searchKey": sprintf("google_sql_database_instance[%s].settings", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "settings.backup_configuration should be defined and not null",
@@ -19,12 +21,14 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- settings := input.document[i].resource.google_sql_database_instance[name].settings.backup_configuration
+ some document in input.document
+ settings := document.resource.google_sql_database_instance[name].settings.backup_configuration
 not common_lib.valid_key(settings, "enabled")
+
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_sql_database_instance",
- "resourceName": tf_lib.get_resource_name(input.document[i].resource.google_sql_database_instance[name], name),
+ "resourceName": tf_lib.get_resource_name(document.resource.google_sql_database_instance[name], name),
 "searchKey": sprintf("google_sql_database_instance[%s].settings.backup_configuration", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "settings.backup_configuration.enabled should be defined and not null",
@@ -36,12 +40,14 @@ CxPolicy[result] { } CxPolicy[result] { - settings := input.document[i].resource.google_sql_database_instance[name].settings + some document in input.document + settings := document.resource.google_sql_database_instance[name].settings settings.backup_configuration.enabled == false + result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "google_sql_database_instance", - "resourceName": tf_lib.get_resource_name(input.document[i].resource.google_sql_database_instance[name], name), + "resourceName": tf_lib.get_resource_name(document.resource.google_sql_database_instance[name], name), "searchKey": sprintf("google_sql_database_instance[%s].settings.backup_configuration.enabled", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "settings.backup_configuration.enabled should be true", diff --git a/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/query.rego b/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/query.rego index 6f4d8bb03cb..2a5ca2c39d7 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/query.rego +++ b/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/query.rego @@ -2,9 +2,11 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.google_sql_database_instance[name] + some document in input.document + resource := document.resource.google_sql_database_instance[name] ip_configuration := resource.settings.ip_configuration count(ip_configuration.authorized_networks) > 0 
@@ -14,7 +16,7 @@ CxPolicy[result] {
 contains(authorized_network[j].value, "0.0.0.0")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_sql_database_instance",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("google_sql_database_instance[%s].settings.ip_configuration.authorized_networks.value=%s", [name, authorized_network[j].value]),
@@ -25,7 +27,8 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.google_sql_database_instance[name]
+ some document in input.document
+ resource := document.resource.google_sql_database_instance[name]
 ip_configuration := resource.settings.ip_configuration
 not common_lib.valid_key(ip_configuration, "authorized_networks")
@@ -33,7 +36,7 @@ CxPolicy[result] {
 ip_configuration.ipv4_enabled
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_sql_database_instance",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("google_sql_database_instance[%s].settings.ip_configuration.ipv4_enabled", [name]),
@@ -44,7 +47,8 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.google_sql_database_instance[name]
+ some document in input.document
+ resource := document.resource.google_sql_database_instance[name]
 ip_configuration := resource.settings.ip_configuration
 not common_lib.valid_key(ip_configuration, "authorized_networks")
@@ -53,7 +57,7 @@ CxPolicy[result] {
 not common_lib.valid_key(ip_configuration, "private_network")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_sql_database_instance",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("google_sql_database_instance[%s].settings.ip_configuration", [name]),
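Review bot: The substring test `contains(authorized_network[j].value, "0.0.0.0")` in the first hunk matches any authorized network whose value merely contains that text, so a private range such as `10.0.0.0/8` (constructed example) is reported as public, while the IPv6 any-address form `::/0` is not matched at all. The ssh_access_is_not_restricted hunk in this same commit answers the same question with `common_lib.is_unrestricted(...)`; if that helper accepts a single CIDR string, `common_lib.is_unrestricted(authorized_network[j].value)` here would make the two queries consistent and avoid the substring false positives. The enclosing rule starts in the previous hunk, so only part of its body is visible here.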
@@ -64,13 +68,14 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.google_sql_database_instance[name]
+ some document in input.document
+ resource := document.resource.google_sql_database_instance[name]
 settings := resource.settings
 not common_lib.valid_key(settings, "ip_configuration")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_sql_database_instance",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("google_sql_database_instance[%s].settings", [name]),
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/query.rego b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/query.rego
index aa7e3592843..19daae284f5 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/query.rego
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/query.rego
@@ -2,16 +2,18 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- settings := input.document[i].resource.google_sql_database_instance[name].settings
+ some document in input.document
+ settings := document.resource.google_sql_database_instance[name].settings
 not common_lib.valid_key(settings, "ip_configuration")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_sql_database_instance",
- "resourceName": tf_lib.get_resource_name(input.document[i].resource.google_sql_database_instance[name].settings, name),
+ "resourceName": tf_lib.get_resource_name(document.resource.google_sql_database_instance[name].settings, name),
 "searchKey": sprintf("google_sql_database_instance[%s].settings", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'settings.ip_configuration' should be defined and not null",
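Review bot: The rewritten `"resourceName"` line in the sql_db_instance_with_ssl_disabled hunk still hands the nested `.settings` block to the helper, `tf_lib.get_resource_name(document.resource.google_sql_database_instance[name].settings, name)`, whereas every other query touched by this commit (sql_db_instance_backup_disabled, sql_db_instance_is_publicly_accessible) passes the resource object itself; unless get_resource_name is meant to receive a nested block, the name reported for this finding is probably derived from the wrong object. Now that the rule binds `document`, binding the resource once with `resource := document.resource.google_sql_database_instance[name]`, then `settings := resource.settings` and `tf_lib.get_resource_name(resource, name)`, would correct it and drop the repeated lookup. The two later hunks of the same file carry the identical line.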
@@ -23,15 +25,16 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- settings := input.document[i].resource.google_sql_database_instance[name].settings
+ some document in input.document
+ settings := document.resource.google_sql_database_instance[name].settings
 ip_configuration := settings.ip_configuration
 not common_lib.valid_key(ip_configuration, "require_ssl")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_sql_database_instance",
- "resourceName": tf_lib.get_resource_name(input.document[i].resource.google_sql_database_instance[name].settings, name),
+ "resourceName": tf_lib.get_resource_name(document.resource.google_sql_database_instance[name].settings, name),
 "searchKey": sprintf("google_sql_database_instance[%s].settings.ip_configuration", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'settings.ip_configuration.require_ssl' should be defined and not null",
@@ -43,14 +46,15 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- settings := input.document[i].resource.google_sql_database_instance[name].settings
+ some document in input.document
+ settings := document.resource.google_sql_database_instance[name].settings
 settings.ip_configuration.require_ssl == false
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_sql_database_instance",
- "resourceName": tf_lib.get_resource_name(input.document[i].resource.google_sql_database_instance[name].settings, name),
+ "resourceName": tf_lib.get_resource_name(document.resource.google_sql_database_instance[name].settings, name),
 "searchKey": sprintf("google_sql_database_instance[%s].settings.ip_configuration.require_ssl", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "'settings.ip_configuration.require_ssl' should be true",
diff --git a/assets/queries/terraform/gcp/ssh_access_is_not_restricted/query.rego b/assets/queries/terraform/gcp/ssh_access_is_not_restricted/query.rego
index 6c186d14cc9..9985d8b8f62 100644
--- a/assets/queries/terraform/gcp/ssh_access_is_not_restricted/query.rego
+++ b/assets/queries/terraform/gcp/ssh_access_is_not_restricted/query.rego
@@ -2,9 +2,11 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- firewall := input.document[i].resource.google_compute_firewall[name]
+ some document in input.document
+ firewall := document.resource.google_compute_firewall[name]
 common_lib.is_ingress(firewall)
 common_lib.is_unrestricted(firewall.source_ranges[_]) # Allow traffic from anywhere
 allowed := getAllowed(firewall)
@@ -12,7 +14,7 @@ CxPolicy[result] {
 ports := isSSHport(allowed[a])
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_compute_firewall",
 "resourceName": tf_lib.get_resource_name(firewall, name),
 "searchKey": sprintf("google_compute_firewall[%s].allow.ports=%s", [name, ports]),
diff --git a/assets/queries/terraform/gcp/stackdriver_logging_disabled/query.rego b/assets/queries/terraform/gcp/stackdriver_logging_disabled/query.rego
index 59af5795681..1f12d9c97d7 100644
--- a/assets/queries/terraform/gcp/stackdriver_logging_disabled/query.rego
+++ b/assets/queries/terraform/gcp/stackdriver_logging_disabled/query.rego
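Review bot: `common_lib.is_unrestricted(firewall.source_ranges[_])` keeps the `[_]` wildcard iteration that this commit replaces with `some … in` elsewhere (for example `some fieldTypes in fields` in the shielded-VM hunk and `some containerTypes in containers` in cpu_limits_not_set), so the rewritten rule now mixes both iteration styles. `some source_range in firewall.source_ranges` followed by `common_lib.is_unrestricted(source_range) # Allow traffic from anywhere` would make it uniform and keep the inline comment. The same leftover `[_]` form remains in user_with_iam_role with `options[_]`. getAllowed and isSSHport are defined outside the hunk, so the rest of the rule body is not visible here.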
@@ -1,13 +1,15 @@
 package Cx
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.google_container_cluster[primary]
+ some document in input.document
+ resource := document.resource.google_container_cluster[primary]
 resource.logging_service == "none"
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_container_cluster",
 "resourceName": tf_lib.get_resource_name(resource, primary),
 "searchKey": sprintf("google_container_cluster[%s].logging_service", [primary]),
@@ -19,11 +21,12 @@ CxPolicy[result] {
 # legacy stackdriver was decomissioned Mar 31, 2021 https://cloud.google.com/stackdriver/docs/deprecations/legacy
 CxPolicy[result] {
- resource := input.document[i].resource.google_container_cluster[primary]
+ some document in input.document
+ resource := document.resource.google_container_cluster[primary]
 resource.logging_service == "logging.googleapis.com"
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_container_cluster",
 "resourceName": tf_lib.get_resource_name(resource, primary),
 "searchKey": sprintf("google_container_cluster[%s].logging_service", [primary]),
diff --git a/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/query.rego b/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/query.rego
index 86bf65a9147..772fa40c082 100644
--- a/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/query.rego
+++ b/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/query.rego
@@ -1,13 +1,15 @@
 package Cx
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.google_container_cluster[primary]
+ some document in input.document
+ resource := document.resource.google_container_cluster[primary]
 resource.monitoring_service == "none"
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_container_cluster",
 "resourceName": tf_lib.get_resource_name(resource, primary),
 "searchKey": sprintf("google_container_cluster[%s].monitoring_service", [primary]),
@@ -19,11 +21,12 @@ CxPolicy[result] {
 # Legacy Stackdriver was decomissioned Mar 31, 2021
 CxPolicy[result] {
- resource := input.document[i].resource.google_container_cluster[primary]
+ some document in input.document
+ resource := document.resource.google_container_cluster[primary]
 resource.monitoring_service == "monitoring.googleapis.com"
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_container_cluster",
 "resourceName": tf_lib.get_resource_name(resource, primary),
 "searchKey": sprintf("google_container_cluster[%s].monitoring_service", [primary]),
diff --git a/assets/queries/terraform/gcp/user_with_iam_role/query.rego b/assets/queries/terraform/gcp/user_with_iam_role/query.rego
index 69db722cec2..d2f5c6b12d6 100644
--- a/assets/queries/terraform/gcp/user_with_iam_role/query.rego
+++ b/assets/queries/terraform/gcp/user_with_iam_role/query.rego
@@ -2,17 +2,19 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 options := {"user:", "allUsers", "allAuthenticatedUsers"}
 CxPolicy[result] {
- resource := input.document[i].data.google_iam_policy[name]
+ some document in input.document
+ resource := document.data.google_iam_policy[name]
 tf_lib.check_member(resource.binding, options[_])
 common_lib.valid_key(resource.binding, "role")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_iam_policy",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("google_iam_policy[%s].binding.role", [name]),
@@ -25,13 +27,14 @@ CxPolicy[result] {
 CxPolicy[result] {
 resources := {"google_project_iam_binding", "google_project_iam_member"}
- resource := input.document[i].resource[resources[idx]][name]
+ some document in input.document
+ resource := document.resource[resources[idx]][name]
 tf_lib.check_member(resource, options[_])
 common_lib.valid_key(resource, "role")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": resources[idx],
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("%s[%s].role", [resources[idx], name]),
diff --git a/assets/queries/terraform/gcp/using_default_service_account/query.rego b/assets/queries/terraform/gcp/using_default_service_account/query.rego
index 9b918ec66a6..20f4e946b44 100644
--- a/assets/queries/terraform/gcp/using_default_service_account/query.rego
+++ b/assets/queries/terraform/gcp/using_default_service_account/query.rego
@@ -2,13 +2,15 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.google_compute_instance[name]
+ some document in input.document
+ resource := document.resource.google_compute_instance[name]
 not common_lib.valid_key(resource, "service_account")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_compute_instance",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("google_compute_instance[%s]", [name]),
@@ -19,11 +21,12 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.google_compute_instance[name]
+ some document in input.document
+ resource := document.resource.google_compute_instance[name]
 not common_lib.valid_key(resource.service_account, "email")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_compute_instance",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("google_compute_instance[%s].service_account", [name]),
@@ -34,11 +37,12 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.google_compute_instance[name]
+ some document in input.document
+ resource := document.resource.google_compute_instance[name]
 count(resource.service_account.email) == 0
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_compute_instance",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("google_compute_instance[%s].service_account.email", [name]),
@@ -49,13 +53,14 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.google_compute_instance[name]
+ some document in input.document
+ resource := document.resource.google_compute_instance[name]
 count(resource.service_account.email) > 0
 not contains(resource.service_account.email, "@")
 not emailInVar(resource.service_account.email)
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_compute_instance",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("google_compute_instance[%s].service_account.email", [name]),
@@ -66,11 +71,12 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.google_compute_instance[name]
+ some document in input.document
+ resource := document.resource.google_compute_instance[name]
 contains(resource.service_account.email, "@developer.gserviceaccount.com")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_compute_instance",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("google_compute_instance[%s].service_account.email", [name]),
diff --git a/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/query.rego b/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/query.rego
index 79411702a94..2be772a6d85 100644
--- a/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/query.rego
+++ b/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/query.rego
@@ -1,15 +1,17 @@
 package Cx
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- compute := input.document[i].resource.google_compute_instance[name]
+ some document in input.document
+ compute := document.resource.google_compute_instance[name]
 metadata := compute.metadata
 serialPortEnabled(metadata)
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_compute_instance",
 "resourceName": tf_lib.get_resource_name(compute, name),
 "searchKey": sprintf("google_compute_instance[%s].metadata.serial-port-enable", [name]),
@@ -20,13 +22,14 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- project := input.document[i].resource.google_compute_project_metadata[name]
+ some document in input.document
+ project := document.resource.google_compute_project_metadata[name]
 metadata := project.metadata
 serialPortEnabled(metadata)
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_compute_project_metadata",
 "resourceName": tf_lib.get_resource_name(project, name),
 "searchKey": sprintf("google_compute_project_metadata[%s].metadata.serial-port-enable", [name]),
@@ -37,13 +40,14 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- metadata := input.document[i].resource.google_compute_project_metadata_item[name]
+ some document in input.document
+ metadata := document.resource.google_compute_project_metadata_item[name]
 metadata.key == "serial-port-enable"
 isTrue(metadata.value)
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_compute_project_metadata_item",
 "resourceName": tf_lib.get_resource_name(metadata, name),
 "searchKey": sprintf("google_compute_project_metadata_item[%s].value", [name]),
diff --git a/assets/queries/terraform/gcp/vm_with_full_cloud_access/query.rego b/assets/queries/terraform/gcp/vm_with_full_cloud_access/query.rego
index 0a8e394bf6f..e63388f0449 100644
--- a/assets/queries/terraform/gcp/vm_with_full_cloud_access/query.rego
+++ b/assets/queries/terraform/gcp/vm_with_full_cloud_access/query.rego
@@ -1,16 +1,18 @@
 package Cx
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.google_compute_instance[name]
+ some document in input.document
+ resource := document.resource.google_compute_instance[name]
 scopes := resource.service_account.scopes
 some j
 scopes[j] == "cloud-platform"
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "google_compute_instance",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("google_compute_instance[%s].service_account.scopes", [name]),
diff --git a/assets/queries/terraform/gcp_bom/dataflow/query.rego b/assets/queries/terraform/gcp_bom/dataflow/query.rego
index 8200193ed69..cd0dab5cdf5 100644
--- a/assets/queries/terraform/gcp_bom/dataflow/query.rego
+++ b/assets/queries/terraform/gcp_bom/dataflow/query.rego
@@ -2,9 +2,11 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- dataflow_job := input.document[i].resource.google_dataflow_job[name]
+ some document in input.document
+ dataflow_job := document.resource.google_dataflow_job[name]
 bom_output = {
 "resource_type": "google_dataflow_job",
@@ -16,7 +18,7 @@ CxPolicy[result] {
 }
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "searchKey": sprintf("google_dataflow_job[%s]", [name]),
 "issueType": "BillOfMaterials",
 "keyExpectedValue": "",
diff --git a/assets/queries/terraform/gcp_bom/fi/query.rego b/assets/queries/terraform/gcp_bom/fi/query.rego
index f7aad4bfaea..10564bdcd20 100644
--- a/assets/queries/terraform/gcp_bom/fi/query.rego
+++ b/assets/queries/terraform/gcp_bom/fi/query.rego
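Review bot: `scopes[j] == "cloud-platform"` in the vm_with_full_cloud_access hunk recognises only the short alias, while the google_compute_instance `scopes` attribute also accepts the full OAuth2 URL spelling (`https://www.googleapis.com/auth/cloud-platform`), so an instance that grants the same access in URL form is not flagged. With `future.keywords.in` now imported, `some scope in scopes` followed by `scope in {"cloud-platform", "https://www.googleapis.com/auth/cloud-platform"}` would cover both spellings and replace the `some j` / `scopes[j]` pair in the same style as the new `some document in input.document` line. The rule's remaining fields continue past the end of the hunk.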
@@ -2,9 +2,11 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- g_fsi := input.document[i].resource.google_filestore_instance[name]
+ some document in input.document
+ g_fsi := document.resource.google_filestore_instance[name]
 bom_output = {
 "resource_type": "google_filestore_instance",
@@ -16,7 +18,7 @@ CxPolicy[result] {
 }
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "searchKey": sprintf("google_filestore_instance[%s]", [name]),
 "issueType": "BillOfMaterials",
 "keyExpectedValue": "",
diff --git a/assets/queries/terraform/gcp_bom/pd/query.rego b/assets/queries/terraform/gcp_bom/pd/query.rego
index 4ebd31c5019..4251520a755 100644
--- a/assets/queries/terraform/gcp_bom/pd/query.rego
+++ b/assets/queries/terraform/gcp_bom/pd/query.rego
@@ -2,9 +2,11 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- gc_disk := input.document[i].resource.google_compute_disk[name]
+ some document in input.document
+ gc_disk := document.resource.google_compute_disk[name]
 bom_output = {
 "resource_type": "google_compute_disk",
@@ -16,7 +18,7 @@ CxPolicy[result] {
 }
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "searchKey": sprintf("google_compute_disk[%s]", [name]),
 "issueType": "BillOfMaterials",
 "keyExpectedValue": "",
diff --git a/assets/queries/terraform/kubernetes/cpu_limits_not_set/query.rego b/assets/queries/terraform/kubernetes/cpu_limits_not_set/query.rego
index 995d677463c..5b2815ea115 100644
--- a/assets/queries/terraform/kubernetes/cpu_limits_not_set/query.rego
+++ b/assets/queries/terraform/kubernetes/cpu_limits_not_set/query.rego
@@ -2,22 +2,24 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 types := {"init_container", "container"}
 CxPolicy[result] {
- resource := input.document[i].resource[resourceType]
+ some document in input.document
+ resource := document.resource[resourceType]
 specInfo := tf_lib.getSpecInfo(resource[name])
 containers := specInfo.spec[types[x]]
 is_array(containers) == true
- containerTypes := containers[_]
+ some containerTypes in containers
 not common_lib.valid_key(containerTypes.resources.limits, "cpu")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": resourceType,
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]),
@@ -28,7 +30,8 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource[resourceType]
+ some document in input.document
+ resource := document.resource[resourceType]
 specInfo := tf_lib.getSpecInfo(resource[name])
 containers := specInfo.spec[types[x]]
@@ -38,7 +41,7 @@ CxPolicy[result] {
 not common_lib.valid_key(containers.resources.limits, "cpu")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": resourceType,
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("%s[%s].%s.%s.resources.limits", [resourceType, name, specInfo.path, types[x]]),
@@ -49,18 +52,19 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource[resourceType]
+ some document in input.document
+ resource := document.resource[resourceType]
 specInfo := tf_lib.getSpecInfo(resource[name])
 containers := specInfo.spec[types[x]]
 is_array(containers) == true
- containerTypes := containers[_]
+ some containerTypes in containers
 not common_lib.valid_key(containerTypes, "resources")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": resourceType,
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]),
@@ -71,7 +75,8 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource[resourceType]
+ some document in input.document
+ resource := document.resource[resourceType]
 specInfo := tf_lib.getSpecInfo(resource[name])
 containers := specInfo.spec[types[x]]
@@ -80,7 +85,7 @@ CxPolicy[result] {
 not common_lib.valid_key(containers, "resources")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": resourceType,
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]),
@@ -91,18 +96,19 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource[resourceType]
+ some document in input.document
+ resource := document.resource[resourceType]
 specInfo := tf_lib.getSpecInfo(resource[name])
 containers := specInfo.spec[types[x]]
 is_array(containers) == true
- containerTypes := containers[_]
+ some containerTypes in containers
 not common_lib.valid_key(containerTypes.resources, "limits")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": resourceType,
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]),
@@ -113,7 +119,8 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource[resourceType]
+ some document in input.document
+ resource := document.resource[resourceType]
 specInfo := tf_lib.getSpecInfo(resource[name])
 containers := specInfo.spec[types[x]]
@@ -123,7 +130,7 @@ CxPolicy[result] {
 not common_lib.valid_key(containers.resources, "limits")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": resourceType,
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("%s[%s].%s.%s.resources", [resourceType, name, specInfo.path, types[x]]),
diff --git a/assets/queries/terraform/kubernetes/cpu_requests_not_set/query.rego b/assets/queries/terraform/kubernetes/cpu_requests_not_set/query.rego
index a17e98182b6..89a19ffa197 100644
--- a/assets/queries/terraform/kubernetes/cpu_requests_not_set/query.rego
+++ b/assets/queries/terraform/kubernetes/cpu_requests_not_set/query.rego
@@ -2,11 +2,13 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 types := {"init_container", "container"}
 CxPolicy[result] {
- resource := input.document[i].resource[resourceType]
+ some document in input.document
+ resource := document.resource[resourceType]
 specInfo := tf_lib.getSpecInfo(resource[name])
 containers := specInfo.spec[types[x]]
@@ -17,7 +19,7 @@ CxPolicy[result] {
 not common_lib.valid_key(requestedContainers, "cpu")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": resourceType,
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]),
@@ -28,7 +30,8 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource[resourceType]
+ some document in input.document
+ resource := document.resource[resourceType]
 specInfo := tf_lib.getSpecInfo(resource[name])
 containers := specInfo.spec[types[x]]
@@ -38,7 +41,7 @@ CxPolicy[result] {
 not common_lib.valid_key(containers.resources.requests, "cpu")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": resourceType,
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("%s[%s].%s.%s.resources.requests", [resourceType, name, specInfo.path, types[x]]),
@@ -49,18 +52,19 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource[resourceType]
+ some document in input.document
+ resource := document.resource[resourceType]
 specInfo := tf_lib.getSpecInfo(resource[name])
 containers := specInfo.spec[types[x]]
 is_array(containers) == true
- containerTypes := containers[_]
+ some containerTypes in containers
 not common_lib.valid_key(containerTypes, "resources")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": resourceType,
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]),
@@ -71,7 +75,8 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource[resourceType]
+ some document in input.document
+ resource := document.resource[resourceType]
 specInfo := tf_lib.getSpecInfo(resource[name])
 containers := specInfo.spec[types[x]]
@@ -80,7 +85,7 @@ CxPolicy[result] {
 not common_lib.valid_key(containers, "resources")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": resourceType,
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]),
@@ -91,7 +96,8 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource[resourceType]
+ some document in input.document
+ resource := document.resource[resourceType]
 specInfo := tf_lib.getSpecInfo(resource[name])
 containers := specInfo.spec[types[x]]
@@ -102,7 +108,7 @@ CxPolicy[result] {
 not common_lib.valid_key(requestedContainers, "requests")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": resourceType,
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]),
@@ -113,7 +119,8 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource[resourceType]
+ some document in input.document
+ resource := document.resource[resourceType]
 specInfo := tf_lib.getSpecInfo(resource[name])
 containers := specInfo.spec[types[x]]
@@ -123,7 +130,7 @@ CxPolicy[result] {
 not common_lib.valid_key(containers.resources, "requests")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": resourceType,
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("%s[%s].%s.%s.resources", [resourceType, name, specInfo.path, types[x]]),
diff --git a/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/query.rego b/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/query.rego
index bc58869232c..9f17b7c62d9 100644
--- a/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/query.rego
+++ b/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/query.rego
@@ -2,16 +2,18 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.kubernetes_deployment[name]
+ some document in input.document
+ resource := document.resource.kubernetes_deployment[name]
 resource.spec.replicas > 2
 not common_lib.valid_key(resource.spec.template.spec, "affinity")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "kubernetes_deployment",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("kubernetes_deployment[%s].spec.template.spec", [name]),
@@ -22,7 +24,8 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.kubernetes_deployment[name]
+ some document in input.document
+ resource := document.resource.kubernetes_deployment[name]
 resource.spec.replicas > 2
@@ -30,7 +33,7 @@ CxPolicy[result] {
 not common_lib.valid_key(affinity, "pod_anti_affinity")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "kubernetes_deployment",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("kubernetes_deployment[%s].spec.template.spec.affinity", [name]),
@@ -41,7 +44,8 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.kubernetes_deployment[name]
+ some document in input.document
+ resource := document.resource.kubernetes_deployment[name]
 resource.spec.replicas > 2
@@ -54,7 +58,7 @@ CxPolicy[result] {
 not common_lib.valid_key(podAntiAffinity, "required_during_scheduling_ignored_during_execution")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "kubernetes_deployment",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("kubernetes_deployment[%s].spec.template.spec.affinity", [name]),
@@ -65,7 +69,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.kubernetes_deployment[name] + some document in input.document + resource := document.resource.kubernetes_deployment[name] resource.spec.replicas > 2 @@ -81,7 +86,7 @@ CxPolicy[result] { object.get(pref.pod_affinity_term, "topology_key", "undefined") != "kubernetes.io/hostname" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_deployment", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_deployment[%s].spec.template.spec.affinity", [name]), @@ -92,7 +97,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.kubernetes_deployment[name] + some document in input.document + resource := document.resource.kubernetes_deployment[name] resource.spec.replicas > 2 @@ -113,7 +119,7 @@ CxPolicy[result] { match_labels(templateLabels, selectorLabels) == false result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_deployment", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_deployment[%s].spec.template.spec.affinity", [name]), @@ -124,7 +130,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.kubernetes_deployment[name] + some document in input.document + resource := document.resource.kubernetes_deployment[name] resource.spec.replicas > 2 @@ -140,7 +147,7 @@ CxPolicy[result] { object.get(pref, "topology_key", "undefined") != "kubernetes.io/hostname" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_deployment", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_deployment[%s].spec.template.spec.affinity", [name]), 
@@ -151,7 +158,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.kubernetes_deployment[name] + some document in input.document + resource := document.resource.kubernetes_deployment[name] resource.spec.replicas > 2 @@ -172,7 +180,7 @@ CxPolicy[result] { match_labels(templateLabels, selectorLabels) == false result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_deployment", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_deployment[%s].spec.template.spec.affinity", [name]), diff --git a/assets/queries/terraform/kubernetes/memory_limits_not_defined/query.rego b/assets/queries/terraform/kubernetes/memory_limits_not_defined/query.rego index b3269cfbb0b..bed840b37bc 100644 --- a/assets/queries/terraform/kubernetes/memory_limits_not_defined/query.rego +++ b/assets/queries/terraform/kubernetes/memory_limits_not_defined/query.rego @@ -2,11 +2,13 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in types := {"init_container", "container"} CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -17,7 +19,7 @@ CxPolicy[result] { not common_lib.valid_key(containerLimits, "memory") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]), 
@@ -28,7 +30,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -38,7 +41,7 @@ CxPolicy[result] { not common_lib.valid_key(containers.resources.limits, "memory") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s.resources.limits", [resourceType, name, specInfo.path, types[x]]), @@ -49,18 +52,19 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] is_array(containers) == true - containersType := containers[_] + some containersType in containers not common_lib.valid_key(containersType, "resources") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]), @@ -71,7 +75,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -80,7 +85,7 @@ CxPolicy[result] { not common_lib.valid_key(containers, "resources") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]), 
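Review bot: In the `@@ -49,18 +52,19 @@` hunk the rule now iterates `some containersType in containers`, but the `searchKey` it emits (`%s[%s].%s.%s`) does not identify which array element failed, so several containers under the same spec produce identical keys and presumably collapse to a single finding. The `root_container_not_mounted_as_read_only` query already uses the `%s[%s].%s.%s.name={{%s}}` form with `containersType.name` for the same situation, so aligning on that would make the report point at the offending container. Separately, `is_array(containers) == true` can simply be `is_array(containers)`. The same pattern appears in the array-branch hunks on L135, L137, L139, L142 and L144.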
@@ -91,18 +96,19 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] is_array(containers) == true - containersType := containers[_] + some containersType in containers not common_lib.valid_key(containersType.resources, "limits") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]), @@ -113,7 +119,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -123,7 +130,7 @@ CxPolicy[result] { not common_lib.valid_key(containers.resources, "limits") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s.resources", [resourceType, name, specInfo.path, types[x]]), diff --git a/assets/queries/terraform/kubernetes/memory_requests_not_defined/query.rego b/assets/queries/terraform/kubernetes/memory_requests_not_defined/query.rego index c10ee36e220..94085cf1a80 100644 --- a/assets/queries/terraform/kubernetes/memory_requests_not_defined/query.rego +++ b/assets/queries/terraform/kubernetes/memory_requests_not_defined/query.rego 
@@ -2,11 +2,13 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in types := {"init_container", "container"} CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -17,7 +19,7 @@ CxPolicy[result] { not common_lib.valid_key(containersRequest, "memory") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]), @@ -28,7 +30,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -38,7 +41,7 @@ CxPolicy[result] { not common_lib.valid_key(containers.resources.requests, "memory") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s.resources.requests", [resourceType, name, specInfo.path, types[x]]), 
@@ -49,18 +52,19 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] is_array(containers) == true - containersType := containers[_] + some containersType in containers not common_lib.valid_key(containersType, "resources") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]), @@ -71,7 +75,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -80,7 +85,7 @@ CxPolicy[result] { not common_lib.valid_key(containers, "resources") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]), @@ -91,18 +96,19 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] is_array(containers) == true - containersType := containers[_] + some containersType in containers not common_lib.valid_key(containersType.resources, "requests") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]), 
@@ -113,7 +119,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -123,7 +130,7 @@ CxPolicy[result] { not common_lib.valid_key(containers.resources, "requests") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s.resources", [resourceType, name, specInfo.path, types[x]]), diff --git a/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/query.rego b/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/query.rego index d712366e38f..8827bc1436e 100644 --- a/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/query.rego +++ b/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/query.rego @@ -2,11 +2,13 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in types := {"init_container", "container"} CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -17,7 +19,7 @@ CxPolicy[result] { not common_lib.valid_key(containerCapabilities, "drop") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]), 
@@ -28,7 +30,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -40,7 +43,7 @@ CxPolicy[result] { not drop(dropList, options) result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]), @@ -51,7 +54,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -62,7 +66,7 @@ CxPolicy[result] { not common_lib.valid_key(containerSecurity, "capabilities") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]), @@ -73,18 +77,19 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] is_array(containers) == true - containersType := containers[_] + some containersType in containers not common_lib.valid_key(containersType, "security_context") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]), 
@@ -95,7 +100,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -104,7 +110,7 @@ CxPolicy[result] { not common_lib.valid_key(containers.security_context.capabilities, "drop") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s.security_context.capabilities", [resourceType, name, specInfo.path, types[x]]), @@ -115,7 +121,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -126,7 +133,7 @@ CxPolicy[result] { not drop(containers.security_context.capabilities.drop, options) result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s.security_context.capabilities.drop", [resourceType, name, specInfo.path, types[x]]), @@ -137,7 +144,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] 
@@ -146,7 +154,7 @@ CxPolicy[result] { not common_lib.valid_key(containers.security_context, "capabilities") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s.security_context", [resourceType, name, specInfo.path, types[x]]), @@ -157,7 +165,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -166,7 +175,7 @@ CxPolicy[result] { not common_lib.valid_key(containers, "security_context") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]), diff --git a/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/query.rego b/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/query.rego index 8a1d43286be..a475f272ec1 100644 --- a/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/query.rego +++ b/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/query.rego 
@@ -2,22 +2,24 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in types := {"init_container", "container"} CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] is_array(containers) == true - containersType := containers[_] + some containersType in containers not common_lib.valid_key(containersType, "security_context") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]), @@ -28,7 +30,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -39,7 +42,7 @@ CxPolicy[result] { not common_lib.valid_key(containerSecurity, "capabilities") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]), @@ -50,7 +53,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] 
@@ -61,7 +65,7 @@ CxPolicy[result] { not common_lib.valid_key(containerCapabilities, "drop") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]), @@ -72,7 +76,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -81,7 +86,7 @@ CxPolicy[result] { not common_lib.valid_key(containers, "security_context") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]), @@ -92,7 +97,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -101,7 +107,7 @@ CxPolicy[result] { not common_lib.valid_key(containers.security_context, "capabilities") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s.security_context", [resourceType, name, specInfo.path, types[x]]), @@ -112,7 +118,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] 
@@ -121,7 +128,7 @@ CxPolicy[result] { not common_lib.valid_key(containers.security_context.capabilities, "drop") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s.security_context.capabilities", [resourceType, name, specInfo.path, types[x]]), diff --git a/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/query.rego b/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/query.rego index d68a550ee38..0ef856f8c80 100644 --- a/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/query.rego +++ b/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/query.rego @@ -2,22 +2,24 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in types := {"init_container", "container"} CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] is_array(containers) == true - containersType := containers[_] + some containersType in containers not common_lib.valid_key(containersType, "security_context") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s.name={{%s}}", [resourceType, name, specInfo.path, types[x], containersType.name]), @@ -29,7 +31,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] 
@@ -39,7 +42,7 @@ CxPolicy[result] { not common_lib.valid_key(containers[j].security_context, "read_only_root_filesystem") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "searchKey": sprintf("%s[%s].%s.%s.name={{%s}}.security_context", [resourceType, name, specInfo.path, types[x], containers[j].name]), "issueType": "IncorrectValue", @@ -52,7 +55,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -63,7 +67,7 @@ CxPolicy[result] { containers[y].security_context.read_only_root_filesystem == false result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s.name={{%s}}.security_context.read_only_root_filesystem", [resourceType, name, specInfo.path, types[x], containers[y].name]), @@ -80,7 +84,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -89,7 +94,7 @@ CxPolicy[result] { not common_lib.valid_key(containers, "security_context") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]), 
@@ -101,7 +106,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -110,7 +116,7 @@ CxPolicy[result] { not common_lib.valid_key(containers.security_context, "read_only_root_filesystem") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s.security_context", [resourceType, name, specInfo.path, types[x]]), @@ -124,7 +130,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -133,7 +140,7 @@ CxPolicy[result] { containers.security_context.read_only_root_filesystem == false result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s.security_context.read_only_root_filesystem", [resourceType, name, specInfo.path, types[x]]), diff --git a/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/query.rego b/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/query.rego index a4449dfa007..2f85c53bf75 100644 --- a/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/query.rego +++ b/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/query.rego 
@@ -2,10 +2,12 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in # pod CxPolicy[result] { - resource := input.document[i].resource.kubernetes_pod[name] + some document in input.document + resource := document.resource.kubernetes_pod[name] metadata := resource.metadata common_lib.valid_key(metadata, "annotations") @@ -14,7 +16,7 @@ CxPolicy[result] { not common_lib.valid_key(annotations, "${seccomp.security.alpha.kubernetes.io/defaultProfileName}") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_pod", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_pod[%s].metadata.annotations", [name]), @@ -25,7 +27,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.kubernetes_pod[name] + some document in input.document + resource := document.resource.kubernetes_pod[name] metadata := resource.metadata common_lib.valid_key(metadata, "annotations") @@ -38,7 +41,7 @@ CxPolicy[result] { seccomp != "runtime/default" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_pod", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_pod[%s].metadata.annotations", [name]), @@ -49,13 +52,14 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.kubernetes_pod[name] + some document in input.document + resource := document.resource.kubernetes_pod[name] metadata := resource.metadata not common_lib.valid_key(metadata, "annotations") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_pod", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_pod[%s].metadata", [name]), 
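Review bot: In the `@@ -38,7 +41,7 @@` hunk the only accepted value is `seccomp != "runtime/default"`, so a `localhost/<profile>` annotation (a custom, typically stricter profile) is reported as if seccomp were not configured; if the query is meant to flag a missing or `unconfined` profile rather than mandate the runtime default, the condition should accept the `localhost/` prefix as well, e.g. `seccomp != "runtime/default"` together with `not startswith(seccomp, "localhost/")`. The `seccomp` binding and the rest of this rule start outside the hunk, so the annotation lookup could not be checked here. The cron_job rule on L149 (`@@ -116,7 +123,7 @@`) and the generic rule on L150 (`@@ -186,7 +196,7 @@`) have the same condition.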
@@ -67,13 +71,14 @@ CxPolicy[result] { # cron_job CxPolicy[result] { - resource := input.document[i].resource.kubernetes_cron_job[name] + some document in input.document + resource := document.resource.kubernetes_cron_job[name] metadata := resource.spec.job_template.spec.template.metadata not common_lib.valid_key(metadata, "annotations") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_cron_job", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_cron_job[%s].spec.job_template.spec.template.metadata", [name]), @@ -84,7 +89,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.kubernetes_cron_job[name] + some document in input.document + resource := document.resource.kubernetes_cron_job[name] metadata := resource.spec.job_template.spec.template.metadata common_lib.valid_key(metadata, "annotations") @@ -93,7 +99,7 @@ CxPolicy[result] { not common_lib.valid_key(annotations, "${seccomp.security.alpha.kubernetes.io/defaultProfileName}") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_cron_job", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_cron_job[%s].spec.job_template.spec.template.metadata.annotations", [name]), @@ -104,7 +110,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.kubernetes_cron_job[name] + some document in input.document + resource := document.resource.kubernetes_cron_job[name] metadata := resource.spec.job_template.spec.template.metadata common_lib.valid_key(metadata, "annotations") 
@@ -116,7 +123,7 @@ CxPolicy[result] { seccomp != "runtime/default" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_cron_job", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_cron_job[%s].spec.job_template.spec.template.metadata.annotations", [name]), @@ -130,7 +137,8 @@ CxPolicy[result] { resources := {"kubernetes_cron_job", "kubernetes_pod"} CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] resourceType != resources[x] @@ -138,7 +146,7 @@ CxPolicy[result] { not common_lib.valid_key(metadata, "annotations") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].spec.template.metadata", [resourceType, name]), @@ -149,7 +157,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] resourceType != resources[x] @@ -160,7 +169,7 @@ CxPolicy[result] { not common_lib.valid_key(annotations, "${seccomp.security.alpha.kubernetes.io/defaultProfileName}") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].spec.template.metadata.annotations", [resourceType, name]), @@ -171,7 +180,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] resourceType != resources[x] 
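Review bot: In the `@@ -130,7 +137,8 @@` hunk the guard `resourceType != resources[x]` leaves `x` unbound, so it iterates the set and succeeds as soon as the type differs from any one member; with two members every resource type, including `kubernetes_pod` and `kubernetes_cron_job`, passes the guard. Those two are only kept out of the generic rules because they have no `spec.template`, which is accidental rather than enforced. The exclusion should be `not resources[resourceType]`; the same guard appears in the `@@ -149,7 +157,8 @@` and `@@ -171,7 +180,8 @@` hunks on this line.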
@@ -186,7 +196,7 @@ CxPolicy[result] { seccomp != "runtime/default" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].spec.template.metadata.annotations", [resourceType, name]), diff --git a/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/query.rego b/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/query.rego index 4e9540fe851..2fb98adf588 100644 --- a/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/query.rego +++ b/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/query.rego @@ -2,14 +2,16 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.kubernetes_pod[name] + some document in input.document + resource := document.resource.kubernetes_pod[name] not common_lib.valid_key(resource.spec, "automount_service_account_token") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_pod", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_pod[%s].spec", [name]), @@ -23,12 +25,13 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.kubernetes_pod[name] + some document in input.document + resource := document.resource.kubernetes_pod[name] resource.spec.automount_service_account_token == true result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_pod", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_pod[%s].spec.automount_service_account_token", [name]), 
@@ -47,14 +50,15 @@ CxPolicy[result] { listKinds := {"kubernetes_deployment", "kubernetes_daemonset", "kubernetes_job", "kubernetes_stateful_set", "kubernetes_replication_controller"} CxPolicy[result] { - resource := input.document[i].resource + some document in input.document + resource := document.resource k8 := resource[listKinds[x]][name].spec.template.spec not common_lib.valid_key(k8, "automount_service_account_token") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": listKinds[x], "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].spec.template.spec", [listKinds[x], name]), @@ -68,12 +72,13 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource + some document in input.document + resource := document.resource resource[listKinds[x]][name].spec.template.spec.automount_service_account_token == true result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": listKinds[x], "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].spec.template.spec.automount_service_account_token", [listKinds[x], name]), @@ -90,12 +95,13 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.kubernetes_cron_job[name] + some document in input.document + resource := document.resource.kubernetes_cron_job[name] not common_lib.valid_key(resource.spec.jobTemplate.spec.template.spec, "automount_service_account_token") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_cron_job", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_cron_job[%s].spec.jobTemplate.spec.template.spec", [name]), 
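Review bot: The rule at new line 95 reads `resource.spec.jobTemplate.spec.template.spec` while the sibling rule in the following hunk (new line 115) reads `resource.spec.job_template.spec.template.spec`; the Terraform `kubernetes_cron_job` resource uses the snake_case block name `job_template`, so the camelCase path in the `valid_key` call and in the `searchKey` most likely never matches Terraform input and the "key missing" check for cron jobs is silently dead. Suggest `not common_lib.valid_key(resource.spec.job_template.spec.template.spec, "automount_service_account_token")` and `"searchKey": sprintf("kubernetes_cron_job[%s].spec.job_template.spec.template.spec", [name]),`. The rule body continues outside the hunk.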
@@ -109,12 +115,13 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.kubernetes_cron_job[name] + some document in input.document + resource := document.resource.kubernetes_cron_job[name] resource.spec.job_template.spec.template.spec.automount_service_account_token == true result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_cron_job", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_cron_job[%s].spec.job_template.spec.template.spec.automount_service_account_token", [name]), diff --git a/assets/queries/terraform/kubernetes/tiller_is_deployed/query.rego b/assets/queries/terraform/kubernetes/tiller_is_deployed/query.rego index 5bbc8ba80ec..9df8393eb71 100644 --- a/assets/queries/terraform/kubernetes/tiller_is_deployed/query.rego +++ b/assets/queries/terraform/kubernetes/tiller_is_deployed/query.rego @@ -1,14 +1,16 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] checkMetadata(resource[name].metadata) result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].metadata", [resourceType, name]), @@ -21,7 +23,8 @@ CxPolicy[result] { types := {"init_container", "container"} CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] spec := resource[name].spec containers := spec[types[x]] 
@@ -31,7 +34,7 @@ CxPolicy[result] { contains(object.get(containers[y], "image", "undefined"), "tiller") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].spec.%s", [resourceType, name, types[x]]), @@ -42,7 +45,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] spec := resource[name].spec containers := spec[types[x]] @@ -51,7 +55,7 @@ CxPolicy[result] { contains(object.get(containers, "image", "undefined"), "tiller") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].spec.%s.image", [resourceType, name, types[x]]), @@ -62,14 +66,15 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] spec := resource[name].spec checkMetadata(spec.template.metadata) result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].spec.template.metadata", [resourceType, name]), @@ -80,7 +85,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] spec := resource[name].spec.template.spec containers := spec[types[x]] 
@@ -90,7 +96,7 @@ CxPolicy[result] { contains(object.get(containers, "image", "undefined"), "tiller") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].spec.template.spec.%s.image", [resourceType, name, types[x]]), @@ -101,7 +107,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] spec := resource[name].spec.template.spec containers := spec[types[x]] @@ -111,7 +118,7 @@ CxPolicy[result] { contains(object.get(containers[y], "image", "undefined"), "tiller") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].spec.template.%s", [resourceType, name, types[x]]), diff --git a/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/query.rego b/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/query.rego index c9dbd519757..a8831e63ce0 100644 --- a/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/query.rego +++ b/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/query.rego @@ -2,11 +2,13 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in types := {"init_container", "container"} CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] 
@@ -19,7 +21,7 @@ CxPolicy[result] { containers[y].volume_mount.read_only == false result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s.volume_mount.read_only", [resourceType, name, specInfo.path, types[x]]), @@ -31,7 +33,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -44,7 +47,7 @@ CxPolicy[result] { volumeMounts[j].read_only == false result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s.volume_mount.read_only", [resourceType, name, specInfo.path, types[x]]), @@ -56,7 +59,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -69,7 +73,7 @@ CxPolicy[result] { volumeMounts.read_only == false result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s.volume_mount.read_only", [resourceType, name, specInfo.path, types[x]]), @@ -86,7 +90,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] 
@@ -99,7 +104,7 @@ CxPolicy[result] { volumeMounts[j].read_only == false result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s.volume_mount.read_only", [resourceType, name, specInfo.path, types[x]]), @@ -116,7 +121,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -130,7 +136,7 @@ CxPolicy[result] { not common_lib.valid_key(volumeMounts, "read_only") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s.volume_mount", [resourceType, name, specInfo.path, types[x]]), @@ -144,7 +150,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -154,12 +161,12 @@ CxPolicy[result] { volumeMounts := containers[y].volume_mount is_array(volumeMounts) == true is_os_dir(volumeMounts[j]) - volumeMountTypes := volumeMounts[_] + some volumeMountTypes in volumeMounts not common_lib.valid_key(volumeMountTypes, "read_only") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s.volume_mount", [resourceType, name, specInfo.path, types[x]]), 
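Review bot: In the hunk at new line 161, `some volumeMountTypes in volumeMounts` iterates every mount independently of the `j` bound by `is_os_dir(volumeMounts[j])` on the line above, so the rule fires when one mount targets an OS directory and a different mount of the same container lacks `read_only`; the removed `volumeMounts[_]` had the same decoupling, so the refactor preserves an existing false-positive path rather than introducing it. If the check is meant to apply to the same mount, `volumeMountTypes := volumeMounts[j]` ties both conditions together. The rule body starts outside the hunk.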
@@ -171,7 +178,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -185,7 +193,7 @@ CxPolicy[result] { not common_lib.valid_key(volumeMounts, "read_only") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s.volume_mount", [resourceType, name, specInfo.path, types[x]]), @@ -199,7 +207,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -214,7 +223,7 @@ CxPolicy[result] { not common_lib.valid_key(volumeMountTypes, "read_only") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s.volume_mount", [resourceType, name, specInfo.path, types[x]]), diff --git a/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/query.rego b/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/query.rego index 0e74e5a19c7..4680aacca09 100644 --- a/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/query.rego +++ b/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/query.rego 
@@ -2,10 +2,12 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in # ingress ipv4 CxPolicy[result] { - resource := input.document[i].resource.tencentcloud_security_group_rule_set[name] + some document in input.document + resource := document.resource.tencentcloud_security_group_rule_set[name] ingressCheck := resource.ingress common_lib.valid_key(ingressCheck, "action") @@ -19,7 +21,7 @@ CxPolicy[result] { ingressCheck.port == "ALL" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "tencentcloud_security_group_rule_set", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("tencentcloud_security_group_rule_set[%s].ingress", [name]), @@ -31,7 +33,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.tencentcloud_security_group_rule_set[name] + some document in input.document + resource := document.resource.tencentcloud_security_group_rule_set[name] ingressCheck := resource.ingress[index] common_lib.valid_key(ingressCheck, "action") @@ -45,7 +48,7 @@ CxPolicy[result] { ingressCheck.port == "ALL" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "tencentcloud_security_group_rule_set", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("tencentcloud_security_group_rule_set[%s].ingress", [name]), @@ -57,7 +60,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.tencentcloud_security_group_rule_set[name] + some document in input.document + resource := document.resource.tencentcloud_security_group_rule_set[name] ingressCheck := resource.ingress common_lib.valid_key(ingressCheck, "action") 
@@ -69,7 +73,7 @@ CxPolicy[result] { ingressCheck.action == "ACCEPT" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "tencentcloud_security_group_rule_set", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("tencentcloud_security_group_rule_set[%s].ingress", [name]), @@ -81,7 +85,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.tencentcloud_security_group_rule_set[name] + some document in input.document + resource := document.resource.tencentcloud_security_group_rule_set[name] ingressCheck := resource.ingress[index] common_lib.valid_key(ingressCheck, "action") @@ -93,7 +98,7 @@ CxPolicy[result] { ingressCheck.action == "ACCEPT" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "tencentcloud_security_group_rule_set", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("tencentcloud_security_group_rule_set[%s].ingress", [name]), @@ -106,7 +111,8 @@ CxPolicy[result] { # ingress ipv6 CxPolicy[result] { - resource := input.document[i].resource.tencentcloud_security_group_rule_set[name] + some document in input.document + resource := document.resource.tencentcloud_security_group_rule_set[name] ingressCheck := resource.ingress common_lib.valid_key(ingressCheck, "action") @@ -120,7 +126,7 @@ CxPolicy[result] { ingressCheck.port == "ALL" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "tencentcloud_security_group_rule_set", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("tencentcloud_security_group_rule_set[%s].ingress", [name]), 
@@ -132,7 +138,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.tencentcloud_security_group_rule_set[name] + some document in input.document + resource := document.resource.tencentcloud_security_group_rule_set[name] ingressCheck := resource.ingress[index] common_lib.valid_key(ingressCheck, "action") @@ -146,7 +153,7 @@ CxPolicy[result] { ingressCheck.port == "ALL" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "tencentcloud_security_group_rule_set", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("tencentcloud_security_group_rule_set[%s].ingress", [name]), @@ -158,7 +165,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.tencentcloud_security_group_rule_set[name] + some document in input.document + resource := document.resource.tencentcloud_security_group_rule_set[name] ingressCheck := resource.ingress common_lib.valid_key(ingressCheck, "action") @@ -170,7 +178,7 @@ CxPolicy[result] { ingressCheck.ipv6_cidr_block == "::/0" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "tencentcloud_security_group_rule_set", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("tencentcloud_security_group_rule_set[%s].ingress", [name]), @@ -182,7 +190,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.tencentcloud_security_group_rule_set[name] + some document in input.document + resource := document.resource.tencentcloud_security_group_rule_set[name] ingressCheck := resource.ingress[index] common_lib.valid_key(ingressCheck, "action") 
@@ -194,7 +203,7 @@ CxPolicy[result] { ingressCheck.ipv6_cidr_block == "::/0" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "tencentcloud_security_group_rule_set", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("tencentcloud_security_group_rule_set[%s].ingress", [name]), diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego index d50ac695c24..27883afd8db 100644 --- a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego +++ b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego @@ -2,10 +2,12 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in # master_config CxPolicy[result] { - resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name] + some document in input.document + resource := document.resource.tencentcloud_kubernetes_cluster[name] masterConfig := resource.master_config common_lib.valid_key(masterConfig, "public_ip_assigned") @@ -15,7 +17,7 @@ CxPolicy[result] { masterConfig.internet_max_bandwidth_out > 0 result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "tencentcloud_kubernetes_cluster", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.public_ip_assigned", [name]), @@ -27,7 +29,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name] + some document in input.document + resource := document.resource.tencentcloud_kubernetes_cluster[name] masterConfig := resource.master_config[index] common_lib.valid_key(masterConfig, "public_ip_assigned") 
@@ -37,7 +40,7 @@ CxPolicy[result] { masterConfig.internet_max_bandwidth_out > 0 result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "tencentcloud_kubernetes_cluster", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.public_ip_assigned", [name]), @@ -49,7 +52,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name] + some document in input.document + resource := document.resource.tencentcloud_kubernetes_cluster[name] masterConfig := resource.master_config not common_lib.valid_key(masterConfig, "public_ip_assigned") @@ -58,7 +62,7 @@ CxPolicy[result] { masterConfig.internet_max_bandwidth_out > 0 result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "tencentcloud_kubernetes_cluster", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.internet_max_bandwidth_out", [name]), @@ -70,7 +74,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name] + some document in input.document + resource := document.resource.tencentcloud_kubernetes_cluster[name] masterConfig := resource.master_config[index] not common_lib.valid_key(masterConfig, "public_ip_assigned") @@ -79,7 +84,7 @@ CxPolicy[result] { masterConfig.internet_max_bandwidth_out > 0 result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "tencentcloud_kubernetes_cluster", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.internet_max_bandwidth_out", [name]), 
@@ -92,7 +97,8 @@ CxPolicy[result] { # worker_config CxPolicy[result] { - resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name] + some document in input.document + resource := document.resource.tencentcloud_kubernetes_cluster[name] workerConfig := resource.worker_config common_lib.valid_key(workerConfig, "public_ip_assigned") @@ -102,7 +108,7 @@ CxPolicy[result] { workerConfig.internet_max_bandwidth_out > 0 result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "tencentcloud_kubernetes_cluster", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.public_ip_assigned", [name]), @@ -114,7 +120,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name] + some document in input.document + resource := document.resource.tencentcloud_kubernetes_cluster[name] workerConfig := resource.worker_config[index] common_lib.valid_key(workerConfig, "public_ip_assigned") @@ -124,7 +131,7 @@ CxPolicy[result] { workerConfig.internet_max_bandwidth_out > 0 result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "tencentcloud_kubernetes_cluster", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.public_ip_assigned", [name]), @@ -136,7 +143,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name] + some document in input.document + resource := document.resource.tencentcloud_kubernetes_cluster[name] workerConfig := resource.worker_config not common_lib.valid_key(workerConfig, "public_ip_assigned") 
@@ -145,7 +153,7 @@ CxPolicy[result] { workerConfig.internet_max_bandwidth_out > 0 result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "tencentcloud_kubernetes_cluster", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.internet_max_bandwidth_out", [name]), @@ -157,7 +165,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name] + some document in input.document + resource := document.resource.tencentcloud_kubernetes_cluster[name] workerConfig := resource.worker_config[index] not common_lib.valid_key(workerConfig, "public_ip_assigned") @@ -166,7 +175,7 @@ CxPolicy[result] { workerConfig.internet_max_bandwidth_out > 0 result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "tencentcloud_kubernetes_cluster", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.internet_max_bandwidth_out", [name]),