feat(cloudformation): add support for logging and endpoint access for EKS (aquasecurity#6440)

nikpivkin · web-flow · commit 86714bf6bf40 · 2024-04-02T22:41:30.000Z
diff --git a/pkg/iac/adapters/cloudformation/aws/eks/cluster.go b/pkg/iac/adapters/cloudformation/aws/eks/cluster.go
@@ -12,49 +12,83 @@ func getClusters(ctx parser.FileContext) (clusters []eks.Cluster) {
 
 	for _, r := range clusterResources {
 		cluster := eks.Cluster{
-			Metadata: r.Metadata(),
-			// Logging not supported for cloudformation https://github.com/aws/containers-roadmap/issues/242
-			// TODO: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-cluster.html#cfn-eks-cluster-logging
-			Logging: eks.Logging{
-				Metadata:          r.Metadata(),
-				API:               iacTypes.BoolUnresolvable(r.Metadata()),
-				Audit:             iacTypes.BoolUnresolvable(r.Metadata()),
-				Authenticator:     iacTypes.BoolUnresolvable(r.Metadata()),
-				ControllerManager: iacTypes.BoolUnresolvable(r.Metadata()),
-				Scheduler:         iacTypes.BoolUnresolvable(r.Metadata()),
-			},
-			Encryption: getEncryptionConfig(r),
-			// endpoint protection not supported - https://github.com/aws/containers-roadmap/issues/242
-			// TODO: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-cluster.html#cfn-eks-cluster-resourcesvpcconfig
-			PublicAccessEnabled: iacTypes.BoolUnresolvable(r.Metadata()),
-			PublicAccessCIDRs:   nil,
+			Metadata:            r.Metadata(),
+			Logging:             getLogging(r),
+			Encryption:          getEncryptionConfig(r),
+			PublicAccessEnabled: r.GetBoolProperty("ResourcesVpcConfig.EndpointPublicAccess"),
+			PublicAccessCIDRs:   getPublicCIDRs(r),
 		}
 
 		clusters = append(clusters, cluster)
 	}
 	return clusters
 }
 
+func getPublicCIDRs(r *parser.Resource) []iacTypes.StringValue {
+	publicAccessCidrs := r.GetProperty("ResourcesVpcConfig.PublicAccessCidrs")
+	if publicAccessCidrs.IsNotList() {
+		return nil
+	}
+
+	var cidrs []iacTypes.StringValue
+	for _, el := range publicAccessCidrs.AsList() {
+		cidrs = append(cidrs, el.AsStringValue())
+	}
+
+	return cidrs
+}
+
 func getEncryptionConfig(r *parser.Resource) eks.Encryption {
 
-	encryption := eks.Encryption{
+	encryptionConfigs := r.GetProperty("EncryptionConfig")
+	if encryptionConfigs.IsNotList() {
+		return eks.Encryption{
+			Metadata: r.Metadata(),
+		}
+	}
+
+	for _, encryptionConfig := range encryptionConfigs.AsList() {
+		resources := encryptionConfig.GetProperty("Resources")
+		hasSecrets := resources.IsList() && resources.Contains("secrets")
+		return eks.Encryption{
+			Metadata: encryptionConfig.Metadata(),
+			KMSKeyID: encryptionConfig.GetStringProperty("Provider.KeyArn"),
+			Secrets:  iacTypes.Bool(hasSecrets, resources.Metadata()),
+		}
+	}
+
+	return eks.Encryption{
 		Metadata: r.Metadata(),
-		Secrets:  iacTypes.BoolDefault(false, r.Metadata()),
-		KMSKeyID: iacTypes.StringDefault("", r.Metadata()),
-	}
-
-	// TODO: EncryptionConfig is a list
-	// https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-cluster.html#cfn-eks-cluster-encryptionconfig
-	if encProp := r.GetProperty("EncryptionConfig"); encProp.IsNotNil() {
-		encryption.Metadata = encProp.Metadata()
-		encryption.KMSKeyID = encProp.GetStringProperty("Provider.KeyArn")
-		resourcesProp := encProp.GetProperty("Resources")
-		if resourcesProp.IsList() {
-			if resourcesProp.Contains("secrets") {
-				encryption.Secrets = iacTypes.Bool(true, resourcesProp.Metadata())
-			}
+	}
+}
+
+func getLogging(r *parser.Resource) eks.Logging {
+	enabledTypes := r.GetProperty("Logging.ClusterLogging.EnabledTypes")
+	if enabledTypes.IsNotList() {
+		return eks.Logging{
+			Metadata: r.Metadata(),
 		}
 	}
 
-	return encryption
+	logging := eks.Logging{
+		Metadata: enabledTypes.Metadata(),
+	}
+
+	for _, typeConf := range enabledTypes.AsList() {
+		switch typ := typeConf.GetProperty("Type"); typ.AsString() {
+		case "api":
+			logging.API = iacTypes.Bool(true, typ.Metadata())
+		case "audit":
+			logging.Audit = iacTypes.Bool(true, typ.Metadata())
+		case "authenticator":
+			logging.Authenticator = iacTypes.Bool(true, typ.Metadata())
+		case "controllerManager":
+			logging.ControllerManager = iacTypes.Bool(true, typ.Metadata())
+		case "scheduler":
+			logging.Scheduler = iacTypes.Bool(true, typ.Metadata())
+		}
+
+	}
+
+	return logging
 }
diff --git a/pkg/iac/adapters/cloudformation/aws/eks/eks_test.go b/pkg/iac/adapters/cloudformation/aws/eks/eks_test.go
@@ -5,6 +5,7 @@ import (
 
 	"github.com/aquasecurity/trivy/pkg/iac/adapters/cloudformation/testutil"
 	"github.com/aquasecurity/trivy/pkg/iac/providers/aws/eks"
+	"github.com/aquasecurity/trivy/pkg/iac/types"
 )
 
 func TestAdapt(t *testing.T) {
@@ -19,9 +20,44 @@ func TestAdapt(t *testing.T) {
 Resources:
   EKSCluster:
       Type: AWS::EKS::Cluster
+      Properties:
+        Logging:
+          ClusterLogging:
+            EnabledTypes:
+              - Type: api
+              - Type: audit
+              - Type: authenticator
+              - Type: controllerManager
+              - Type: scheduler
+        EncryptionConfig:
+          - Provider:
+              KeyArn: alias/mykey
+            Resources: [secrets]
+        ResourcesVpcConfig:
+          EndpointPublicAccess: True
+          PublicAccessCidrs:
+            - 0.0.0.0/0
 `,
 			expected: eks.EKS{
-				Clusters: []eks.Cluster{{}},
+				Clusters: []eks.Cluster{
+					{
+						Logging: eks.Logging{
+							API:               types.BoolTest(true),
+							Audit:             types.BoolTest(true),
+							Authenticator:     types.BoolTest(true),
+							ControllerManager: types.BoolTest(true),
+							Scheduler:         types.BoolTest(true),
+						},
+						Encryption: eks.Encryption{
+							KMSKeyID: types.StringTest("alias/mykey"),
+							Secrets:  types.BoolTest(true),
+						},
+						PublicAccessEnabled: types.BoolTest(true),
+						PublicAccessCIDRs: []types.StringValue{
+							types.StringTest("0.0.0.0/0"),
+						},
+					},
+				},
 			},
 		},
 		{
