aquasecurity · nikpivkin · Oct 14, 2024
@@ -15,7 +15,7 @@ fmt-rego:
 
 .PHONY: test-rego
 test-rego:
-	go run ./cmd/opa test --explain=fails lib/ checks/
+	go run ./cmd/opa test --explain=fails lib/ checks/ --ignore '*.yaml'
 
 .PHONY: bundle
 bundle: create-bundle verify-bundle
@@ -53,6 +53,10 @@ verify-bundle:
 build-opa:
 	go build ./cmd/opa
 
+.PHONY: fmt-examples
+fmt-examples:
+	go run ./cmd/fmt-examples
+
 start-registry:
 	docker run --rm -it -d -p ${REGISTRY_PORT}:5000 --name registry registry:2 
 

@@ -1,12 +1,15 @@
 
 Enable logging for API Gateway stages
 
-```yaml---
-AWSTemplateFormatVersion: 2010-09-09
+```yaml
+AWSTemplateFormatVersion: "2010-09-09"
+
 Description: Good Example of ApiGateway
+
 Resources:
   GoodApi:
     Type: AWS::ApiGatewayV2::Api
+
   GoodApiStage:
     Type: AWS::ApiGatewayV2::Stage
     Properties:
@@ -15,7 +18,6 @@ Resources:
         Format: json
       ApiId: !Ref GoodApi
       StageName: GoodApiStage
-
 ```
 
 
@@ -2,27 +2,26 @@
 Enable logging for API Gateway stages
 
 ```hcl
- resource "aws_apigatewayv2_stage" "good_example" {
-   api_id = aws_apigatewayv2_api.example.id
-   name   = "example-stage"
-
-   access_log_settings {
+resource "aws_apigatewayv2_stage" "good_example" {
+  api_id = aws_apigatewayv2_api.example.id
+  name   = "example-stage"
+
+  access_log_settings {
+    destination_arn = "arn:aws:logs:region:0123456789:log-group:access_logging"
+    format          = "json"
+  }
+}
+
+resource "aws_api_gateway_stage" "good_example" {
+  deployment_id = aws_api_gateway_deployment.example.id
+  rest_api_id   = aws_api_gateway_rest_api.example.id
+  stage_name    = "example"
+
+  access_log_settings {
     destination_arn = "arn:aws:logs:region:0123456789:log-group:access_logging"
     format          = "json"
-   }
- }
-
- resource "aws_api_gateway_stage" "good_example" {
-   deployment_id = aws_api_gateway_deployment.example.id
-   rest_api_id   = aws_api_gateway_rest_api.example.id
-   stage_name    = "example"
-
-   access_log_settings {
-     destination_arn = "arn:aws:logs:region:0123456789:log-group:access_logging"
-     format          = "json"
-   }
- }
-
+  }
+}
 ```
 
 #### Remediation Links

@@ -2,27 +2,26 @@
 Enable cache encryption
 
 ```hcl
- resource "aws_api_gateway_rest_api" "example" {
-
- }
-
- resource "aws_api_gateway_stage" "example" {
-
- }
-
- resource "aws_api_gateway_method_settings" "good_example" {
-   rest_api_id = aws_api_gateway_rest_api.example.id
-   stage_name  = aws_api_gateway_stage.example.stage_name
-   method_path = "path1/GET"
-
-   settings {
-     metrics_enabled = true
-     logging_level   = "INFO"
-     caching_enabled = true
-     cache_data_encrypted = true
-   }
- }
-
+resource "aws_api_gateway_rest_api" "example" {
+
+}
+
+resource "aws_api_gateway_stage" "example" {
+
+}
+
+resource "aws_api_gateway_method_settings" "good_example" {
+  rest_api_id = aws_api_gateway_rest_api.example.id
+  stage_name  = aws_api_gateway_stage.example.stage_name
+  method_path = "path1/GET"
+
+  settings {
+    metrics_enabled      = true
+    logging_level        = "INFO"
+    caching_enabled      = true
+    cache_data_encrypted = true
+  }
+}
 ```
 
 #### Remediation Links

@@ -2,17 +2,16 @@
 Enable tracing
 
 ```hcl
- resource "aws_api_gateway_rest_api" "test" {
-
- }
+resource "aws_api_gateway_rest_api" "test" {
 
- resource "aws_api_gateway_stage" "good_example" {
-   stage_name    = "prod"
-   rest_api_id   = aws_api_gateway_rest_api.test.id
-   deployment_id = aws_api_gateway_deployment.test.id
-   xray_tracing_enabled = true
- }
-
+}
+
+resource "aws_api_gateway_stage" "good_example" {
+  stage_name           = "prod"
+  rest_api_id          = aws_api_gateway_rest_api.test.id
+  deployment_id        = aws_api_gateway_deployment.test.id
+  xray_tracing_enabled = true
+}
 ```
 
 #### Remediation Links

@@ -2,56 +2,53 @@
 Use and authorization method or require API Key
 
 ```hcl
- resource "aws_api_gateway_rest_api" "MyDemoAPI" {
-
- }
-
- resource "aws_api_gateway_resource" "MyDemoResource" {
-	rest_api_id      = aws_api_gateway_rest_api.MyDemoAPI.id
- }
-
- resource "aws_api_gateway_method" "good_example" {
-   rest_api_id   = aws_api_gateway_rest_api.MyDemoAPI.id
-   resource_id   = aws_api_gateway_resource.MyDemoResource.id
-   http_method   = "GET"
-   authorization = "AWS_IAM"
- }
-
+resource "aws_api_gateway_rest_api" "MyDemoAPI" {
+
+}
+
+resource "aws_api_gateway_resource" "MyDemoResource" {
+  rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id
+}
+
+resource "aws_api_gateway_method" "good_example" {
+  rest_api_id   = aws_api_gateway_rest_api.MyDemoAPI.id
+  resource_id   = aws_api_gateway_resource.MyDemoResource.id
+  http_method   = "GET"
+  authorization = "AWS_IAM"
+}
 ```
 ```hcl
- resource "aws_api_gateway_rest_api" "MyDemoAPI" {
-
- }
-
- resource "aws_api_gateway_resource" "MyDemoResource" {
-	rest_api_id      = aws_api_gateway_rest_api.MyDemoAPI.id
- }
-
- resource "aws_api_gateway_method" "good_example" {
-   rest_api_id      = aws_api_gateway_rest_api.MyDemoAPI.id
-   resource_id      = aws_api_gateway_resource.MyDemoResource.id
-   http_method      = "GET"
-   authorization    = "NONE"
-   api_key_required = true
- }
-
+resource "aws_api_gateway_rest_api" "MyDemoAPI" {
+
+}
+
+resource "aws_api_gateway_resource" "MyDemoResource" {
+  rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id
+}
+
+resource "aws_api_gateway_method" "good_example" {
+  rest_api_id      = aws_api_gateway_rest_api.MyDemoAPI.id
+  resource_id      = aws_api_gateway_resource.MyDemoResource.id
+  http_method      = "GET"
+  authorization    = "NONE"
+  api_key_required = true
+}
 ```
 ```hcl
- resource "aws_api_gateway_rest_api" "MyDemoAPI" {
-
- }
-
- resource "aws_api_gateway_resource" "MyDemoResource" {
-	rest_api_id      = aws_api_gateway_rest_api.MyDemoAPI.id
- }
-
- resource "aws_api_gateway_method" "good_example" {
-   rest_api_id   = aws_api_gateway_rest_api.MyDemoAPI.id
-   resource_id   = aws_api_gateway_resource.MyDemoResource.id
-   http_method   = "OPTION"
-   authorization = "NONE"
- }
-
+resource "aws_api_gateway_rest_api" "MyDemoAPI" {
+
+}
+
+resource "aws_api_gateway_resource" "MyDemoResource" {
+  rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id
+}
+
+resource "aws_api_gateway_method" "good_example" {
+  rest_api_id   = aws_api_gateway_rest_api.MyDemoAPI.id
+  resource_id   = aws_api_gateway_resource.MyDemoResource.id
+  http_method   = "OPTION"
+  authorization = "NONE"
+}
 ```
 
 #### Remediation Links

@@ -2,10 +2,9 @@
 Use the most modern TLS/SSL policies available
 
 ```hcl
- resource "aws_api_gateway_domain_name" "good_example" {
- 	security_policy = "TLS_1_2"
- }
-
+resource "aws_api_gateway_domain_name" "good_example" {
+  security_policy = "TLS_1_2"
+}
 ```
 
 #### Remediation Links

@@ -2,26 +2,25 @@
 Enable cache
 
 ```hcl
- resource "aws_api_gateway_rest_api" "example" {
-
- }
-
- resource "aws_api_gateway_stage" "example" {
-
- }
-
- resource "aws_api_gateway_method_settings" "good_example" {
-   rest_api_id = aws_api_gateway_rest_api.example.id
-   stage_name  = aws_api_gateway_stage.example.stage_name
-   method_path = "path1/GET"
-
-   settings {
-     metrics_enabled = true
-     logging_level   = "INFO"
-     caching_enabled = true
-   }
- }
-
+resource "aws_api_gateway_rest_api" "example" {
+
+}
+
+resource "aws_api_gateway_stage" "example" {
+
+}
+
+resource "aws_api_gateway_method_settings" "good_example" {
+  rest_api_id = aws_api_gateway_rest_api.example.id
+  stage_name  = aws_api_gateway_stage.example.stage_name
+  method_path = "path1/GET"
+
+  settings {
+    metrics_enabled = true
+    logging_level   = "INFO"
+    caching_enabled = true
+  }
+}
 ```
 
 #### Remediation Links

@@ -1,17 +1,16 @@
 
 Enable encryption at rest for Athena databases and workgroup configurations
 
-```yaml---
+```yaml
 Resources:
   GoodExample:
+    Type: AWS::Athena::WorkGroup
     Properties:
       Name: goodExample
       WorkGroupConfiguration:
         ResultConfiguration:
           EncryptionConfiguration:
             EncryptionOption: SSE_KMS
-    Type: AWS::Athena::WorkGroup
-
 ```