schosterbarak/HTTPNotSendingPasswords.yaml

## HTTPNotSendingPasswords.yaml
metadata:
  id: "CKV2_AWS_36"
  name: "Ensure terraform is not sending SSM secrets to untrusted domains over HTTP"
  category: "SUPPLY_CHAIN"
# inspired by: https://sprocketfox.io/xssfox/2022/02/09/terraformsupply/
definition:
  or:
    - and:
        - cond_type: connection
          operator: exists
          resource_types:
            - data.http
          connected_resource_types:
            - aws_ssm_parameter
        - cond_type: attribute
          value: "SecureString"
          attribute: type
          resource_types:
            - aws_ssm_parameter
          operator: not_equals
        - cond_type: filter
          attribute: resource_type
          value:
            - data.http
          operator: within
    - and:
        - cond_type: connection
          operator: not_exists
          resource_types:
            - data.http
          connected_resource_types:
            - aws_ssm_parameter
        - cond_type: filter
          attribute: resource_type
          value:
            - data.http
          operator: within
	metadata:
	id: "CKV2_AWS_36"
	name: "Ensure terraform is not sending SSM secrets to untrusted domains over HTTP"
	category: "SUPPLY_CHAIN"
	# inspired by: https://sprocketfox.io/xssfox/2022/02/09/terraformsupply/
	definition:
	or:
	- and:
	- cond_type: connection
	operator: exists
	resource_types:
	- data.http
	connected_resource_types:
	- aws_ssm_parameter
	- cond_type: attribute
	value: "SecureString"
	attribute: type
	resource_types:
	- aws_ssm_parameter
	operator: not_equals
	- cond_type: filter
	attribute: resource_type
	value:
	- data.http
	operator: within
	- and:
	- cond_type: connection
	operator: not_exists
	resource_types:
	- data.http
	connected_resource_types:
	- aws_ssm_parameter
	- cond_type: filter
	attribute: resource_type
	value:
	- data.http
	operator: within