fix(query): fn for EFS volume with disabled transit encryption--cloudformation/aws

assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/query.rego

@@ -7,37 +7,37 @@ CxPolicy[result] {
 	resource := input.document[i].Resources
 	elem := resource[key]
 	elem.Type == "AWS::ECS::TaskDefinition"
-    efs := elem.Properties.volumes[index].efsVolumeConfiguration
+    efs := elem.Properties.Volumes[index].EFSVolumeConfiguration
     value := efs.TransitEncryption 
 	not value == "ENABLED"
 
     result := {
 		"documentId": input.document[i].id,
 		"resourceType": elem.Type,
 		"resourceName": cf_lib.get_resource_name(elem, key),
-		"searchKey": sprintf("Resources.%s.Properties.volumes", [key]),
+		"searchKey": sprintf("Resources.%s.Properties.Volumes", [key]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("'Resources.%s.Properties.volumes[%d].efsVolumeConfiguration.TransitEncryption' should be set to 'ENABLED'", [key, index]),
-		"keyActualValue": sprintf("'Resources.%s.Properties.volumes[%d].efsVolumeConfiguration.TransitEncryption' is set to '%s'", [key, index, value]),
-		"searchLine": common_lib.build_search_line(["Resources",key,"Properties","volumes", index,"efsVolumeConfiguration","TransitEncryption"], []),
+		"keyExpectedValue": sprintf("'Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration.TransitEncryption' should be set to 'ENABLED'", [key, index]),
+		"keyActualValue": sprintf("'Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration.TransitEncryption' is set to '%s'", [key, index, value]),
+		"searchLine": common_lib.build_search_line(["Resources",key,"Properties","Volumes", index,"EFSVolumeConfiguration","TransitEncryption"], []),
 	}
 }
 
 CxPolicy[result] {
 	resource := input.document[i].Resources
 	elem := resource[key]
 	elem.Type == "AWS::ECS::TaskDefinition"
-    efs := elem.Properties.volumes[index].efsVolumeConfiguration
+    efs := elem.Properties.Volumes[index].EFSVolumeConfiguration
     not efs.TransitEncryption 
 
     result := {
 		"documentId": input.document[i].id,
 		"resourceType": elem.Type,
 		"resourceName": cf_lib.get_resource_name(elem, key),
-		"searchKey": sprintf("Resources.%s.Properties.volumes", [key]),
+		"searchKey": sprintf("Resources.%s.Properties.Volumes", [key]),
 		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("'Resources.%s.Properties.volumes[%d].efsVolumeConfiguration.TransitEncryption' should be set to 'ENABLED'", [key, index]),
-		"keyActualValue": sprintf("'Resources.%s.Properties.volumes[%d].efsVolumeConfiguration.TransitEncryption' is not set", [key, index]),
-		"searchLine": common_lib.build_search_line(["Resources",key,"Properties","volumes", index,"efsVolumeConfiguration"], []),
+		"keyExpectedValue": sprintf("'Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration.TransitEncryption' should be set to 'ENABLED'", [key, index]),
+		"keyActualValue": sprintf("'Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration.TransitEncryption' is not set", [key, index]),
+		"searchLine": common_lib.build_search_line(["Resources",key,"Properties","Volumes", index,"EFSVolumeConfiguration"], []),
 	}
 }

assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/negative1.json

@@ -56,7 +56,7 @@
             "Volumes": [
                 {
                     "Name": "myEfsVolume",
-                    "EfsVolumeConfiguration": {
+                    "EFSVolumeConfiguration": {
                         "FileSystemId": "fs-1234",
                         "RootDirectory": "/path/to/my/data",
                         "TransitEncryptionPort": 10,

assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/negative2.yaml

@@ -0,0 +1,51 @@
+Resources:
+  taskdefinition:
+    Type: AWS::ECS::TaskDefinition
+    Properties:
+      ContainerDefinitions:
+        -
+          Name:
+            Ref: "AppName"
+          MountPoints:
+            -
+              SourceVolume: "my-vol"
+              ContainerPath: "/var/www/my-vol"
+          Image: "amazon/amazon-ecs-sample"
+          Cpu: 256
+          PortMappings:
+            -
+              ContainerPort:
+                Ref: "AppContainerPort"
+              HostPort:
+                Ref: "AppHostPort"
+          EntryPoint:
+            - "/usr/sbin/apache2"
+            - "-D"
+            - "FOREGROUND"
+          Memory: 512
+          Essential: true
+          Environment:
+            -
+              Name: PASSWORD
+        -
+          Name: "busybox"
+          Image: "busybox"
+          Cpu: 256
+          EntryPoint:
+            - "sh"
+            - "-c"
+          Memory: 512
+          Command:
+            - "/bin/sh -c \"while true; do /bin/date > /var/www/my-vol/date; sleep 1; done\""
+          Essential: false
+          VolumesFrom:
+            -
+              SourceContainer:
+                Ref: "AppName"
+      Volumes:
+        -
+          Host:
+            SourcePath: "/var/lib/docker/vfs/dir/"
+          EFSVolumeConfiguration:
+            TransitEncryption: ENABLED
+          Name: "my-vol"

assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive1.json

@@ -54,10 +54,10 @@
                     ]
                 }
             ],
-            "volumes": [
+            "Volumes": [
                 {
                     "name": "myEfsVolume",
-                    "efsVolumeConfiguration": {
+                    "EFSVolumeConfiguration": {
                         "fileSystemId": "fs-1234",
                         "rootDirectory": "/path/to/my/data",
                         "TransitEncryptionPort": 10,

assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive2.json

@@ -53,10 +53,10 @@
                     ]
                 }
             ],
-            "volumes": [
+            "Volumes": [
                 {
                     "Name": "myEfsVolume",
-                    "efsVolumeConfiguration": {
+                    "EFSVolumeConfiguration": {
                         "FileSystemId": "fs-1234",
                         "RootDirectory": "/path/to/my/data",
                         "TransitEncryptionPort": 10

assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive3.yaml

@@ -0,0 +1,51 @@
+Resources:
+  taskdefinition:
+    Type: AWS::ECS::TaskDefinition
+    Properties:
+      ContainerDefinitions:
+        -
+          Name:
+            Ref: "AppName"
+          MountPoints:
+            -
+              SourceVolume: "my-vol"
+              ContainerPath: "/var/www/my-vol"
+          Image: "amazon/amazon-ecs-sample"
+          Cpu: 256
+          PortMappings:
+            -
+              ContainerPort:
+                Ref: "AppContainerPort"
+              HostPort:
+                Ref: "AppHostPort"
+          EntryPoint:
+            - "/usr/sbin/apache2"
+            - "-D"
+            - "FOREGROUND"
+          Memory: 512
+          Essential: true
+          Environment:
+            -
+              Name: PASSWORD
+        -
+          Name: "busybox"
+          Image: "busybox"
+          Cpu: 256
+          EntryPoint:
+            - "sh"
+            - "-c"
+          Memory: 512
+          Command:
+            - "/bin/sh -c \"while true; do /bin/date > /var/www/my-vol/date; sleep 1; done\""
+          Essential: false
+          VolumesFrom:
+            -
+              SourceContainer:
+                Ref: "AppName"
+      Volumes:
+        -
+          Host:
+            SourcePath: "/var/lib/docker/vfs/dir/"
+          EFSVolumeConfiguration:
+            TransitEncryption: DISABLED
+          Name: "my-vol"

assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive4.yaml

@@ -0,0 +1,50 @@
+Resources:
+  taskdefinition:
+    Type: AWS::ECS::TaskDefinition
+    Properties:
+      ContainerDefinitions:
+        -
+          Name:
+            Ref: "AppName"
+          MountPoints:
+            -
+              SourceVolume: "my-vol"
+              ContainerPath: "/var/www/my-vol"
+          Image: "amazon/amazon-ecs-sample"
+          Cpu: 256
+          PortMappings:
+            -
+              ContainerPort:
+                Ref: "AppContainerPort"
+              HostPort:
+                Ref: "AppHostPort"
+          EntryPoint:
+            - "/usr/sbin/apache2"
+            - "-D"
+            - "FOREGROUND"
+          Memory: 512
+          Essential: true
+          Environment:
+            -
+              Name: PASSWORD
+        -
+          Name: "busybox"
+          Image: "busybox"
+          Cpu: 256
+          EntryPoint:
+            - "sh"
+            - "-c"
+          Memory: 512
+          Command:
+            - "/bin/sh -c \"while true; do /bin/date > /var/www/my-vol/date; sleep 1; done\""
+          Essential: false
+          VolumesFrom:
+            -
+              SourceContainer:
+                Ref: "AppName"
+      Volumes:
+        -
+          Host:
+            SourcePath: "/var/lib/docker/vfs/dir/"
+          EFSVolumeConfiguration:
+          Name: "my-vol"

assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json

@@ -10,5 +10,17 @@
     "severity": "MEDIUM",
     "line": 59,
     "fileName": "positive2.json"
+  },
+  {
+    "queryName": "EFS Volume With Disabled Transit Encryption",
+    "severity": "MEDIUM",
+    "line": 50,
+    "fileName": "positive3.yaml"
+  },
+  {
+    "queryName": "EFS Volume With Disabled Transit Encryption",
+    "severity": "MEDIUM",
+    "line": 49,
+    "fileName": "positive4.yaml"
   }
 ]