refactor(checks): migrate from Go to Rego

.gitignore

@@ -1,3 +1,4 @@
 .idea
 bundle.tar.gz
 opa
+.vscode

checks/cloud/aws/accessanalyzer/enable_access_analyzer.rego

@@ -0,0 +1,45 @@
+# METADATA
+# title: Enable IAM Access analyzer for IAM policies about all resources in each region.
+# description: |
+#   AWS IAM Access Analyzer helps you identify the resources in your organization and
+#   accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity.
+#   This lets you identify unintended access to your resources and data. Access Analyzer
+#   identifies resources that are shared with external principals by using logic-based reasoning
+#   to analyze the resource-based policies in your AWS environment. IAM Access Analyzer
+#   continuously monitors all policies for S3 bucket, IAM roles, KMS(Key Management Service)
+#   keys, AWS Lambda functions, and Amazon SQS(Simple Queue Service) queues.
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html
+# custom:
+#   id: AVD-AWS-0175
+#   avd_id: AVD-AWS-0175
+#   provider: aws
+#   service: accessanalyzer
+#   severity: LOW
+#   short_code: enable-access-analyzer
+#   recommended_action: Enable IAM Access analyzer across all regions.
+#   frameworks:
+#     cis-aws-1.4:
+#       - "1.20"
+#   input:
+#     selector:
+#       - type: aws
+#         subtypes:
+#           - service: accessanalyzer
+#             provider: aws
+package builtin.aws.accessanalyzer.aws0175
+
+import rego.v1
+
+deny contains res if {
+	is_analyzer_nonactive
+	res := result.new("Access Analyzer is not enabled.", {})
+}
+
+is_analyzer_nonactive if {
+	some analyzer in input.aws.accessanalyzer.analyzers
+	not analyzer.active.value
+}

checks/cloud/aws/accessanalyzer/enable_access_analyzer_test.rego

@@ -0,0 +1,21 @@
+package builtin.aws.accessanalyzer.aws0175_test
+
+import rego.v1
+
+import data.builtin.aws.accessanalyzer.aws0175 as check
+import data.lib.test
+
+test_disallow_analyzer_disabled if {
+	r := check.deny with input as {"aws": {"accessanalyzer": {"analyzers": [{"active": {"value": false}}]}}}
+	test.assert_equal_message(r, "Access Analyzer is not enabled.")
+}
+
+test_disallow_one_of_analyzer_disabled if {
+	r := check.deny with input as {"aws": {"accessanalyzer": {"analyzers": [{"active": {"value": false}}, {"active": {"value": true}}]}}}
+	test.assert_equal_message(r, "Access Analyzer is not enabled.")
+}
+
+test_allow_analyzer_enabled if {
+	r := check.deny with input as {"aws": {"accessanalyzer": {"analyzers": [{"active": {"value": true}}]}}}
+	test.assert_empty(r)
+}

checks/cloud/aws/apigateway/enable_access_logging.rego

@@ -0,0 +1,46 @@
+# METADATA
+# title: API Gateway stages for V1 and V2 should have access logging enabled
+# description: |
+#   API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html
+# custom:
+#   id: AVD-AWS-0001
+#   avd_id: AVD-AWS-0001
+#   provider: aws
+#   service: api-gateway
+#   severity: MEDIUM
+#   short_code: enable-access-logging
+#   recommended_action: Enable logging for API Gateway stages
+#   input:
+#     selector:
+#       - type: aws
+#         subtypes:
+#           - service: api-gateway
+#             provider: aws
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/apigatewayv2_stage#access_log_settings
+#     good_examples: checks/cloud/aws/apigateway/enable_access_logging.tf.go
+#     bad_examples: checks/cloud/aws/apigateway/enable_access_logging.tf.go
+#   cloudformation:
+#     good_examples: checks/cloud/aws/apigateway/enable_access_logging.cf.go
+#     bad_examples: checks/cloud/aws/apigateway/enable_access_logging.cf.go
+package builtin.aws.apigateway.aws0001
+
+import rego.v1
+
+deny contains res if {
+	some api in apis
+	some stage in api.stages
+	arn := stage.accesslogging.cloudwatchloggrouparn
+	arn.value == "" # TODO: check if unresolvable?
+	res := result.new("Access logging is not configured.", arn)
+}
+
+apis contains input.aws.apigateway.v1.apis[_]
+
+apis contains input.aws.apigateway.v2.apis[_]

checks/cloud/aws/apigateway/enable_access_logging_test.rego

@@ -0,0 +1,17 @@
+package builtin.aws.apigateway.aws0001_test
+
+import rego.v1
+
+import data.builtin.aws.apigateway.aws0001 as check
+import data.lib.test
+
+test_disallow_api_gateway_without_log_group_arn if {
+	r := check.deny with input as {"aws": {"apigateway": {"v1": {"apis": [{"stages": [{"accesslogging": {"cloudwatchloggrouparn": {"value": ""}}}]}]}}}}
+	test.assert_equal_message(r, "Access logging is not configured.")
+}
+
+test_allow_api_gateway_with_log_group_arn if {
+	test.assert_empty(check.deny) with input as {"aws": {"apigateway": {"v1": {"apis": [{"stages": [{"accesslogging": {"cloudwatchloggrouparn": {"value": "log-group-arn"}}}]}]}}}}
+}
+
+# TODO add test for v2

checks/cloud/aws/apigateway/enable_cache.rego

@@ -0,0 +1,39 @@
+# METADATA
+# title: Ensure that response caching is enabled for your Amazon API Gateway REST APIs.
+# description: |
+#   A REST API in API Gateway is a collection of resources and methods that are integrated with backend HTTP endpoints, Lambda functions, or other AWS services. You can enable API caching in Amazon API Gateway to cache your endpoint responses. With caching, you can reduce the number of calls made to your endpoint and also improve the latency of requests to your API.
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html
+# custom:
+#   id: AVD-AWS-0190
+#   avd_id: AVD-AWS-0190
+#   provider: aws
+#   service: api-gateway
+#   severity: LOW
+#   short_code: enable-cache
+#   recommended_action: Enable cache
+#   input:
+#     selector:
+#       - type: aws
+#         subtypes:
+#           - service: api-gateway
+#             provider: aws
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method_settings#cache_enabled
+#     good_examples: checks/cloud/aws/apigateway/enable_cache.tf.go
+#     bad_examples: checks/cloud/aws/apigateway/enable_cache.tf.go
+package builtin.aws.apigateway.aws0190
+
+import rego.v1
+
+deny contains res if {
+	some api in input.aws.apigateway.v1.apis # TODO: support v2?
+	some stage in api.stages
+	some settings in stage.restmethodsettings
+	not settings.cacheenabled.value
+	res := result.new("Cache data is not enabled.", settings.cacheenabled)
+}

checks/cloud/aws/apigateway/enable_cache_encryption.rego

@@ -0,0 +1,38 @@
+# METADATA
+# title: API Gateway must have cache enabled
+# description: |
+#   Method cache encryption ensures that any sensitive data in the cache is not vulnerable to compromise in the event of interception
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# custom:
+#   id: AVD-AWS-0002
+#   avd_id: AVD-AWS-0002
+#   provider: aws
+#   service: api-gateway
+#   severity: MEDIUM
+#   short_code: enable-cache-encryption
+#   recommended_action: Enable cache encryption
+#   input:
+#     selector:
+#       - type: aws
+#         subtypes:
+#           - service: api-gateway
+#             provider: aws
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method_settings#cache_data_encrypted
+#     good_examples: checks/cloud/aws/apigateway/enable_cache_encryption.tf.go
+#     bad_examples: checks/cloud/aws/apigateway/enable_cache_encryption.tf.go
+package builtin.aws.apigateway.aws0002
+
+import rego.v1
+
+deny contains res if {
+	some api in input.aws.apigateway.v1.apis # TODO: support v2?
+	some stage in api.stages
+	some settings in stage.restmethodsettings
+	settings.cacheenabled.value
+	not settings.cachedataencrypted.value
+	res := result.new("Cache data is not encrypted.", settings.cachedataencrypted)
+}

checks/cloud/aws/apigateway/enable_cache_encryption_test.rego

@@ -0,0 +1,16 @@
+package builtin.aws.apigateway.aws0002_test
+
+import rego.v1
+
+import data.builtin.aws.apigateway.aws0002 as check
+import data.lib.test
+
+test_allow_api_gateway_with_cache_encryption if {
+	test.assert_empty(check.deny) with input as {"aws": {"apigateway": {"v1": {"apis": [{"stages": [{"restmethodsettings": [{"cacheenabled": {"value": true}, "cachedataencrypted": {"value": true}}]}]}]}}}}
+}
+
+test_disallow_api_gateway_without_cache_encryption if {
+	r := check.deny with input as {"aws": {"apigateway": {"v1": {"apis": [{"stages": [{"restmethodsettings": [{"cacheenabled": {"value": true}, "cachedataencrypted": {"value": false}}]}]}]}}}}
+
+	test.assert_equal_message(r, "Cache data is not encrypted.")
+}

checks/cloud/aws/apigateway/enable_cache_test.rego

@@ -0,0 +1,16 @@
+package builtin.aws.apigateway.aws0190_test
+
+import rego.v1
+
+import data.builtin.aws.apigateway.aws0190 as check
+import data.lib.test
+
+test_allow_cache_enabled if {
+	test.assert_empty(check.deny) with input as {"aws": {"apigateway": {"v1": {"apis": [{"stages": [{"restmethodsettings": [{"cacheenabled": {"value": true}}]}]}]}}}}
+}
+
+test_disallow_cache_disabled if {
+	r := check.deny with input as {"aws": {"apigateway": {"v1": {"apis": [{"stages": [{"restmethodsettings": [{"cacheenabled": {"value": false}}]}]}]}}}}
+
+	test.assert_equal_message(r, "Cache data is not enabled.")
+}

checks/cloud/aws/apigateway/enable_tracing.rego

@@ -0,0 +1,36 @@
+# METADATA
+# title: API Gateway must have X-Ray tracing enabled
+# description: |
+#   X-Ray tracing enables end-to-end debugging and analysis of all API Gateway HTTP requests.
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# custom:
+#   id: AVD-AWS-0003
+#   avd_id: AVD-AWS-0003
+#   provider: aws
+#   service: api-gateway
+#   severity: LOW
+#   short_code: enable-tracing
+#   recommended_action: Enable tracing
+#   input:
+#     selector:
+#       - type: aws
+#         subtypes:
+#           - service: api-gateway
+#             provider: aws
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage#xray_tracing_enabled
+#     good_examples: checks/cloud/aws/apigateway/enable_tracing.tf.go
+#     bad_examples: checks/cloud/aws/apigateway/enable_tracing.tf.go
+package builtin.aws.apigateway.aws0003
+
+import rego.v1
+
+deny contains res if {
+	some api in input.aws.apigateway.v1.apis
+	some stage in api.stages
+	not stage.xraytracingenabled.value
+	res := result.new("X-Ray tracing is not enabled.", stage.xraytracingenabled)
+}

checks/cloud/aws/apigateway/enable_tracing_test.rego

@@ -0,0 +1,16 @@
+package builtin.aws.apigateway.aws0003_test
+
+import rego.v1
+
+import data.builtin.aws.apigateway.aws0003 as check
+import data.lib.test
+
+test_allow_tracing_enabled if {
+	test.assert_empty(check.deny) with input as {"aws": {"apigateway": {"v1": {"apis": [{"stages": [{"xraytracingenabled": {"value": true}}]}]}}}}
+}
+
+test_disallow_tracing_disabled if {
+	r := check.deny with input as {"aws": {"apigateway": {"v1": {"apis": [{"stages": [{"xraytracingenabled": {"value": false}}]}]}}}}
+
+	test.assert_equal_message(r, "X-Ray tracing is not enabled.")
+}

checks/cloud/aws/apigateway/no_public_access.rego

@@ -0,0 +1,43 @@
+# METADATA
+# title: No unauthorized access to API Gateway methods
+# description: |
+#   API Gateway methods should generally be protected by authorization or api key. OPTION verb calls can be used without authorization
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# custom:
+#   id: AVD-AWS-0004
+#   avd_id: AVD-AWS-0004
+#   provider: aws
+#   service: api-gateway
+#   severity: LOW
+#   short_code: no-public-access
+#   recommended_action: Use and authorization method or require API Key
+#   input:
+#     selector:
+#       - type: aws
+#         subtypes:
+#           - service: api-gateway
+#             provider: aws
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method#authorization
+#     good_examples: checks/cloud/aws/apigateway/no_public_access.tf.go
+#     bad_examples: checks/cloud/aws/apigateway/no_public_access.tf.go
+package builtin.aws.apigateway.aws0004
+
+import rego.v1
+
+authorization_none := "NONE"
+
+deny contains res if {
+	some api in input.aws.apigateway.v1.apis
+	some resource in api.resources
+	some method in resource.methods
+
+	method.httpmethod.value != "OPTION"
+	not method.apikeyrequired.value
+	method.authorizationtype.value == authorization_none
+
+	res := result.new("Authorization is not enabled for this method.", method.authorizationtype)
+}

checks/cloud/aws/apigateway/no_public_access_test.rego

@@ -0,0 +1,26 @@
+package builtin.aws.apigateway.aws0004_test
+
+import rego.v1
+
+import data.builtin.aws.apigateway.aws0004 as check
+import data.lib.test
+
+test_disallow_get_method_without_auth if {
+	r := check.deny with input as input_with_method({"httpmethod": {"value": "GET"}, "authorizationtype": {"value": "NONE"}})
+
+	test.assert_equal_message(r, "Authorization is not enabled for this method.")
+}
+
+test_allow_option_method if {
+	test.assert_empty(check.deny) with input as input_with_method({"httpmethod": {"value": "OPTION"}})
+}
+
+test_allow_get_method_with_auth if {
+	test.assert_empty(check.deny) with input as input_with_method({"methods": [{"httpmethod": {"value": "GET"}, "authorizationtype": {"value": "AWS_IAM"}}]})
+}
+
+test_allow_if_api_required if {
+	test.assert_empty(check.deny) with input as input_with_method({"httpmethod": {"value": "GET"}, "authorizationtype": {"value": "AWS_IAM"}})
+}
+
+input_with_method(method) = {"aws": {"apigateway": {"v1": {"apis": [{"resources": [{"methods": [method]}]}]}}}}