Merge pull request #7098 from Checkmarx/tf_bug_security_groups

fix(query): security groups not used query with false positive in aws_elasticache_instance resources
Checkmarx · Jun 26, 2024 · 9453cb9 · 9453cb9
2 parents 6855628 + a237c72
commit 9453cb9
Show file tree

Hide file tree

Showing 4 changed files with 58 additions and 0 deletions.
diff --git a/assets/queries/terraform/aws/security_groups_not_used/query.rego b/assets/queries/terraform/aws/security_groups_not_used/query.rego
@@ -32,6 +32,13 @@ is_used(securityGroupName, doc, resource) {
 	contains(securityGroupUsed, sprintf("aws_security_group.%s", [securityGroupName]))
 }
 
+# check security groups assigned to aws_elasticache_instance resources
+is_used(securityGroupName, doc, resource) {
+	[path, value] := walk(doc)
+	securityGroupUsed := value.security_group_ids[_]
+	contains(securityGroupUsed, sprintf("aws_security_group.%s", [securityGroupName]))
+}
+
 # check security groups assigned to aws_instance resources
 is_used(securityGroupName, doc, resource) {
 	[path, value] := walk(doc)

diff --git a/assets/queries/terraform/aws/security_groups_not_used/test/negative6.tf b/assets/queries/terraform/aws/security_groups_not_used/test/negative6.tf
@@ -0,0 +1,23 @@
+resource "aws_security_group" "example" {
+  name        = "example"
+  description = "Allow Redis traffic"
+  vpc_id      = data.aws_vpc.selected.id
+
+  ingress {
+
+    from_port   = 6379
+    to_port     = 6379
+    protocol    = "tcp"
+    cidr_blocks = [data.aws_vpc.selected.cidr_block]
+  }
+}
+
+resource "aws_elasticache_replication_group" "redis" {
+  replication_group_id       = "Example"
+  parameter_group_name       = "default.redis6.x"
+  engine                     = "redis"
+  engine_version             = "6.x"
+  automatic_failover_enabled = false
+
+  security_group_ids = [aws_security_group.example.id]
+}
diff --git a/assets/queries/terraform/aws/security_groups_not_used/test/positive5.tf b/assets/queries/terraform/aws/security_groups_not_used/test/positive5.tf
@@ -0,0 +1,22 @@
+resource "aws_security_group" "example" {
+  name        = "example"
+  description = "Allow Redis traffic"
+  vpc_id      = data.aws_vpc.selected.id
+
+  ingress {
+
+    from_port   = 6379
+    to_port     = 6379
+    protocol    = "tcp"
+    cidr_blocks = [data.aws_vpc.selected.cidr_block]
+  }
+}
+
+resource "aws_elasticache_replication_group" "redis" {
+  replication_group_id       = "Example"
+  parameter_group_name       = "default.redis6.x"
+  engine                     = "redis"
+  engine_version             = "6.x"
+  automatic_failover_enabled = false
+
+}
diff --git a/assets/queries/terraform/aws/security_groups_not_used/test/positive_expected_result.json b/assets/queries/terraform/aws/security_groups_not_used/test/positive_expected_result.json
@@ -22,5 +22,11 @@
     "severity": "INFO",
     "line": 21,
     "filename": "positive4.tf"
+  },
+  {
+    "queryName": "Security Group Not Used",
+    "severity": "INFO",
+    "line": 1,
+    "filename": "positive5.tf"
   }
 ]