fix(query): fn for EFS volume with disabled transit encryption--cloudformation/aws

assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/query.rego

@@ -3,7 +3,7 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
 
-CxPolicy[result] {  
+CxPolicy[result] {
 	resource := input.document[i].Resources
 	elem := resource[key]
 	elem.Type == "AWS::ECS::Service"
@@ -12,16 +12,16 @@ CxPolicy[result] {
 	taskDefinition := resource[taskdefinitionkey]
 
 	count(taskDefinition.Properties.ContainerDefinitions) > 0
-	res := is_transit_encryption_disabled(taskDefinition, taskdefinitionkey)
-    
+	taskDefinition.Properties.Volumes[j].EFSVolumeConfiguration.TransitEncryption == "DISABLED"
+
 	result := {
 		"documentId": input.document[i].id,
 		"resourceType": elem.Type,
-		"resourceName": cf_lib.get_resource_name(resource, key), 
-		"searchKey": res["sk"],
-		"issueType": res["issueT"],
-		"keyExpectedValue": res["kev"],
-        "keyActualValue": res["kav"],
+		"resourceName": cf_lib.get_resource_name(resource, key),
+		"searchKey": sprintf("Resources.%s.Properties.Volumes", [taskdefinitionkey]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration.TransitEncryption should be enabled", [taskdefinitionkey, j]),
+		"keyActualValue": sprintf("Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration.TransitEncryption is disabled", [taskdefinitionkey, j]),
 	}
 }
 
@@ -44,48 +44,9 @@ CxPolicy[result] {
 	}
 }
 
-is_transit_encryption_disabled(taskDefinition, taskdefinitionkey) = res {
-	volume := taskDefinition.Properties.Volumes[j]
-    common_lib.valid_key(volume.EFSVolumeConfiguration, "TransitEncryption") 
-    volume.EFSVolumeConfiguration.TransitEncryption == "DISABLED"
-    res := {
-		"sk": sprintf("Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration.TransitEncryption", [taskdefinitionkey, j]),
-    	"issueT": "IncorrectValue",
-    	"kev": sprintf("Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration.TransitEncryption should be enabled", [taskdefinitionkey, j]),
-		"kav": sprintf("Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration.TransitEncryption is disabled", [taskdefinitionkey, j]),
-    }
-} else = res { 
-	volume := taskDefinition.Properties.Volumes[j]
-    efsVolumeConfiguration := volume.EFSVolumeConfiguration
-    not common_lib.valid_key(efsVolumeConfiguration, "TransitEncryption")
-    res := {
-		"sk": sprintf("Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration", [taskdefinitionkey, j]),
-    	"issueT": "MissingAttribute",
-    	"kev": sprintf("Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration.TransitEncryption should be defined", [taskdefinitionkey, j]),
-        "kav": sprintf("Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration.TransitEncryption is not defined (set to DISABLED by default)", [taskdefinitionkey, j]),
-    }
-} else = res {
-	volume := taskDefinition.Properties.Volumes[j]
-	not common_lib.valid_key(volume, "EFSVolumeConfiguration")
-	res := {
-		"sk": sprintf("Resources.%s.Properties.Volumes[%d]", [taskdefinitionkey, j]),
-		"issueT": "MissingAttribute",
-		"kev": sprintf("Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration should be defined", [taskdefinitionkey, j]),
-		"kav": sprintf("Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration is not defined", [taskdefinitionkey, j]),
-	}
-} else = res {
-	not common_lib.valid_key(taskDefinition.Properties, "Volumes")
-	res := {
-		"sk": sprintf("Resources.%s.Properties", [taskdefinitionkey]),
-		"issueT": "MissingAttribute",
-		"kev": sprintf("Resources.%s.Properties.Volumes should be defined", [taskdefinitionkey]),
-		"kav": sprintf("Resources.%s.Properties.Volumes is not defined", [taskdefinitionkey]),
-	}
-} 
-
 getTaskDefinitionName(resource) := name {
 	name := resource.Properties.TaskDefinition
 	not common_lib.valid_key(name, "Ref")
 } else := name {
 	name := resource.Properties.TaskDefinition.Ref
-}
+}

assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/negative1.yaml

@@ -88,6 +88,33 @@ Resources:
       TaskDefinition: !Ref taskdefinition
       ServiceName: !Ref ServiceName
       Role: !Ref Role
+  elb:
+    Type: AWS::ElasticLoadBalancing::LoadBalancer
+    Properties:
+      LoadBalancerName: !Ref LoadBalancerName
+      Listeners:
+        - InstancePort: !Ref AppHostPort
+          LoadBalancerPort: '80'
+          Protocol: HTTP
+      Subnets:
+        - !Ref Subnet1
+    DependsOn: GatewayAttachment
+  VPC:
+    Type: AWS::EC2::VPC
+    Properties:
+      CidrBlock: 10.0.0.0/24
+  Subnet1:
+    Type: AWS::EC2::Subnet
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: 10.0.0.0/25
+  InternetGateway:
+    Type: AWS::EC2::InternetGateway
+  GatewayAttachment:
+    Type: AWS::EC2::VPCGatewayAttachment
+    Properties:
+      InternetGatewayId: !Ref InternetGateway
+      VpcId: !Ref VPC
   Role:
     Type: AWS::IAM::Role
     Properties:

assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/negative2.json

@@ -1,3 +1,4 @@
+
 {
   "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
   "Description": "Creating ECS service",
@@ -28,6 +29,16 @@
     }
   },
   "Resources": {
+    "InternetGateway": {
+      "Type": "AWS::EC2::InternetGateway"
+    },
+    "GatewayAttachment": {
+      "Type": "AWS::EC2::VPCGatewayAttachment",
+      "Properties": {
+        "InternetGatewayId": "InternetGateway",
+        "VpcId": "VPC"
+      }
+    },
     "Role": {
       "Type": "AWS::IAM::Role",
       "Properties": {
@@ -68,12 +79,61 @@
             "LoadBalancerName": "elb"
           }
         ],
+        "PlacementStrategies": [
+          {
+            "Type": "binpack",
+            "Field": "memory"
+          },
+          {
+            "Type": "spread",
+            "Field": "host"
+          }
+        ],
+        "PlacementConstraints": [
+          {
+            "Type": "memberOf",
+            "Expression": "attribute:ecs.availability-zone != us-east-1d"
+          },
+          {
+            "Type": "distinctInstance"
+          }
+        ],
         "ServiceName": "ServiceName",
         "Cluster": "cluster",
         "DesiredCount": 0,
         "HealthCheckGracePeriodSeconds": "HealthCheckGracePeriodSeconds"
       }
     },
+    "elb": {
+      "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
+      "Properties": {
+        "Subnets": [
+          "Subnet1"
+        ],
+        "LoadBalancerName": "LoadBalancerName",
+        "Listeners": [
+          {
+            "LoadBalancerPort": "80",
+            "Protocol": "HTTP",
+            "InstancePort": "AppHostPort"
+          }
+        ]
+      },
+      "DependsOn": "GatewayAttachment"
+    },
+    "VPC": {
+      "Type": "AWS::EC2::VPC",
+      "Properties": {
+        "CidrBlock": "10.0.0.0/24"
+      }
+    },
+    "Subnet1": {
+      "Type": "AWS::EC2::Subnet",
+      "Properties": {
+        "CidrBlock": "10.0.0.0/25",
+        "VpcId": "VPC"
+      }
+    },
     "taskdefinition": {
       "Type": "AWS::ECS::TaskDefinition",
       "Properties": {

assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/negative3.yaml

@@ -0,0 +1,62 @@
+Resources:
+  TaskDef54694570:
+    Type: AWS::ECS::TaskDefinition
+    Properties:
+      ContainerDefinitions:
+        - Environment:
+            - Name: DEPLOYMENT_TIMESTAMP
+              Value: "2024-08-20T00:41:57.620Z"
+          Essential: true
+          HealthCheck:
+            Command:
+              - CMD-SHELL
+              - curl -f http://localhost:3000/health || exit
+            Interval: 30
+            Retries: 3
+            StartPeriod: 30
+            Timeout: 5
+          Image:
+            Fn::Join:
+              - ""
+              - - 123456789012.dkr.ecr.us-west-2.
+                - Ref: AWS::URLSuffix
+                - /example-nms:latest
+      ExecutionRoleArn:
+        Fn::GetAtt:
+          - TaskDefExecutionRoleB4775C97
+          - Arn
+      RequiresCompatibilities:
+        - EC2
+      Tags:
+        - Key: classification
+          Value: internal
+        - Key: component
+          Value: example-nms
+        - Key: env
+          Value: development
+        - Key: owner
+          Value: example@owner.com
+        - Key: product
+          Value: internal_tools
+      TaskRoleArn:
+        Fn::GetAtt:
+          - EcsTaskRole8DFA0181
+          - Arn
+  ExampleNameMatchService0992A2E7:
+    Type: AWS::ECS::Service
+    Properties:
+      Cluster: example-ecs
+      SchedulingStrategy: REPLICA
+      Tags:
+        - Key: classification
+          Value: internal
+        - Key: component
+          Value: example-nms
+        - Key: env
+          Value: development
+        - Key: owner
+          Value: example@owner.com
+        - Key: product
+          Value: internal_tools
+      TaskDefinition:
+        Ref: TaskDef54694570