# Canned ACL applied to the bucket this variable feeds.
# NOTE(review): "public-read-write" is the canned ACL that AWS documents as
# granting anonymous read AND write on the bucket. Keep it only if this file is
# a deliberate negative test fixture for a policy scanner; for real use the
# default should be "private" and callers should opt in to anything wider.
variable acl {
type = string
default = "public-read-write"
}
# Whether object versioning is enabled on the bucket. No `type` is declared, so
# the type is presumably inferred from the default (bool) — confirm callers pass a bool.
# NOTE(review): versioning is off by default, so overwritten or deleted objects
# are not recoverable; either default to true or make the variable required.
variable versioning_enabled {
default = false
}
locals {
AWSTemplateFormatVersion: 2010-09-09
Description: IAM policy
Resources:
ExamplePolicy:
Type: 'AWS::IAM::Policy'
Properties:
PolicyName: root
PolicyDocument:
Version: 2012-10-17
Statement:
from typing import Dict, List, Any
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.data.base_check import BaseDataCheck
class ExternalData(BaseDataCheck):
def __init__(self) -> None:
name = 'Ensure terraform external data blocks runs vetted code'
id = "CKV_TF_DATA_EXTERNAL_1"
metadata:
id: "CKV2_AWS_36"
name: "Ensure terraform is not sending SSM secrets to untrusted domains over HTTP"
category: "SUPPLY_CHAIN"
# inspired by: https://sprocketfox.io/xssfox/2022/02/09/terraformsupply/
definition:
or:
- and:
- cond_type: connection
operator: exists
# Publishes the generated password as an SSM SecureString under the caller-supplied name.
# NOTE(review): the plaintext comes from random_password.password.result, which is
# also persisted in Terraform state; the state backend must therefore be encrypted
# and access-restricted. No key_id is set, so the account's default SSM KMS key
# presumably applies — set an explicit CMK if the parameter needs scoped key access.
resource "aws_ssm_parameter" "param" {
name = var.parameter_name
type = "SecureString"
value = random_password.password.result
}
resource "random_password" "password" {
length = 16
special = true
override_special = "_%@"
module "not_immutable_s3_bucket" {
source = "example/s3-bucket/aws"
version = "0.3.4"
acl = "private"
enabled = true
user_enabled = true
versioning_enabled = false
allowed_bucket_actions = ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"]
name = "app"
stage = "test"
import re
from checkov.common.models.enums import CheckResult
from checkov.terraform.checks.module.base_module_check import BaseModuleCheck
MODULE_GIT_VERSION_PATTERN = re.compile(r"git::https?:\/\/[^\/]+\/.+.git\?ref=(\b[0-9a-f]{5,40}\b)")
class ModuleSourceHashCheck(BaseModuleCheck):
def __init__(self):
from packaging import version as v
from checkov.common.models.enums import CheckResult
from checkov.terraform.checks.module.base_module_check import BaseModuleCheck
class S3ModuleVersionCheck(BaseModuleCheck):
def __init__(self):
name = "Ensure S3 module is from version 0.47.0"
id = "CKV_TF_MODULE_1"
module "old_s3_bucket_module_version" {
source = "cloudposse/s3-bucket/aws"
version = "0.2.1"
acl = "private"
enabled = true
user_enabled = true
versioning_enabled = false
allowed_bucket_actions = ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"]
name = "app"
stage = "test"
resource "aws_emr_cluster" "production_data_engineering" {
name = "emr-test-arn"
release_label = "emr-4.6.0"
applications = ["Spark"]
ec2_attributes {
emr_managed_master_security_group = aws_security_group.dev.id
emr_managed_slave_security_group = aws_security_group.dev.id
instance_profile = "connected_to_aws_iam_instance_profile"
}