package middlewares
import (
"github.com/sirupsen/logrus"
"github.com/snyk/driftctl/enumeration/resource"
"github.com/snyk/driftctl/pkg/resource/aws"
)
// AwsDefaultSecurityGroupRule is a middleware that removes, from the remote
// resources, the default ingress and egress rules of a default security group
// when those rules have no equal counterpart in the state, so that they are not
// reported as unmanaged. Only rules whose attributes exactly match the default
// shape checked by isDefaultIngress / isDefaultEgress are dropped; a rule that
// deviates from that shape is kept and still shows up in the result.
type AwsDefaultSecurityGroupRule struct{}
// NewAwsDefaultSecurityGroupRule returns a ready-to-use
// AwsDefaultSecurityGroupRule. The middleware carries no state, so the zero
// value is all that is needed.
func NewAwsDefaultSecurityGroupRule() AwsDefaultSecurityGroupRule {
	var middleware AwsDefaultSecurityGroupRule
	return middleware
}
// Execute filters remoteResources in place: every aws_security_group_rule that
// isDefaultIngress or isDefaultEgress recognises as the default rule of a
// default security group, and that has no Equal counterpart in
// resourcesFromState, is dropped (and logged at debug level). Every other
// remote resource is kept in its original order. resourcesFromState is only
// read. The function always returns nil.
func (m AwsDefaultSecurityGroupRule) Execute(remoteResources, resourcesFromState *[]*resource.Resource) error {
	// inState reports whether an equal resource is present in the state.
	inState := func(candidate *resource.Resource) bool {
		for _, stateResource := range *resourcesFromState {
			if candidate.Equal(stateResource) {
				return true
			}
		}
		return false
	}

	// A non-nil empty slice is kept on purpose, matching the original allocation.
	kept := make([]*resource.Resource, 0)
	for _, res := range *remoteResources {
		// Only security group rules are candidates for removal.
		if res.ResourceType() != aws.AwsSecurityGroupRuleResourceType {
			kept = append(kept, res)
			continue
		}

		// Only the default ingress or egress rule of a default security group
		// qualifies; the lookup is done against the still-unfiltered remote list.
		isDefaultRule := isDefaultIngress(res, remoteResources) || isDefaultEgress(res, remoteResources)
		if !isDefaultRule {
			kept = append(kept, res)
			continue
		}

		if inState(res) {
			kept = append(kept, res)
			continue
		}

		logrus.WithFields(logrus.Fields{
			"id":   res.ResourceId(),
			"type": res.ResourceType(),
		}).Debug("Ignoring default unmanaged security group rule")
	}

	*remoteResources = kept
	return nil
}
// isDefaultIngress reports whether rule has the shape this middleware treats as
// the default ingress rule of a default security group: type "ingress",
// from_port and to_port both 0, protocol "-1", no cidr_blocks, no
// ipv6_cidr_blocks, no prefix_list_ids, self present and true, and a
// security_group_id that isFromDefaultSecurityGroup resolves to an
// aws_default_security_group present in remoteResources.
func isDefaultIngress(rule *resource.Resource, remoteResources *[]*resource.Resource) bool {
	typeIsIngress := func() bool {
		v := rule.Attrs.GetString("type")
		return v != nil && *v == "ingress"
	}
	protocolIsAll := func() bool {
		v := rule.Attrs.GetString("protocol")
		return v != nil && *v == "-1"
	}
	portIsZero := func(key string) bool {
		v := rule.Attrs.GetInt(key)
		return v != nil && *v == 0
	}
	isSet := func(key string) bool {
		_, ok := rule.Attrs.Get(key)
		return ok
	}
	selfIsTrue := func() bool {
		v := rule.Attrs.GetBool("self")
		return v != nil && *v
	}

	// Guards are evaluated in order; the first one that fails ends the check.
	switch {
	case !typeIsIngress(),
		!portIsZero("from_port"),
		!portIsZero("to_port"),
		!protocolIsAll(),
		isSet("cidr_blocks"),
		isSet("ipv6_cidr_blocks"),
		isSet("prefix_list_ids"),
		!selfIsTrue():
		return false
	}

	sgID := rule.Attrs.GetString("security_group_id")
	if sgID == nil {
		return false
	}
	return isFromDefaultSecurityGroup(sgID, remoteResources)
}
// isDefaultEgress reports whether rule has the shape this middleware treats as
// the default egress rule of a default security group: type "egress",
// from_port and to_port both 0, protocol "-1", cidr_blocks equal to exactly
// ["0.0.0.0/0"], no ipv6_cidr_blocks, no prefix_list_ids, self present and
// false, and a security_group_id that isFromDefaultSecurityGroup resolves to an
// aws_default_security_group present in remoteResources.
func isDefaultEgress(rule *resource.Resource, remoteResources *[]*resource.Resource) bool {
	typeIsEgress := func() bool {
		v := rule.Attrs.GetString("type")
		return v != nil && *v == "egress"
	}
	protocolIsAll := func() bool {
		v := rule.Attrs.GetString("protocol")
		return v != nil && *v == "-1"
	}
	portIsZero := func(key string) bool {
		v := rule.Attrs.GetInt(key)
		return v != nil && *v == 0
	}
	isSet := func(key string) bool {
		_, ok := rule.Attrs.Get(key)
		return ok
	}
	cidrIsAnywhereV4 := func() bool {
		ipv4 := rule.Attrs.GetSlice("cidr_blocks")
		return ipv4 != nil && len(ipv4) == 1 && ipv4[0] == "0.0.0.0/0"
	}
	selfIsFalse := func() bool {
		v := rule.Attrs.GetBool("self")
		return v != nil && !*v
	}

	// Guards are evaluated in order; the first one that fails ends the check.
	switch {
	case !typeIsEgress(),
		!portIsZero("from_port"),
		!portIsZero("to_port"),
		!protocolIsAll(),
		!cidrIsAnywhereV4(),
		isSet("ipv6_cidr_blocks"),
		isSet("prefix_list_ids"),
		!selfIsFalse():
		return false
	}

	sgID := rule.Attrs.GetString("security_group_id")
	if sgID == nil {
		return false
	}
	return isFromDefaultSecurityGroup(sgID, remoteResources)
}
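// isFromDefaultSecurityGroup reports whether sgId is the ResourceId of an
// aws_default_security_group contained in remoteResources. A nil sgId or a nil
// remoteResources never matches; this guard is defensive, as the callers in
// this file already check sgId before calling.
func isFromDefaultSecurityGroup(sgId *string, remoteResources *[]*resource.Resource) bool {
	if sgId == nil || remoteResources == nil {
		return false
	}
	// Dereference once outside the loop instead of on every iteration.
	want := *sgId
	for _, remoteResource := range *remoteResources {
		if remoteResource.ResourceType() != aws.AwsDefaultSecurityGroupResourceType {
			continue
		}
		if remoteResource.ResourceId() == want {
			return true
		}
	}
	return false
}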