Merge pull request #6562 from Checkmarx/kics-782-aws-pulumi

feat(query): amazon rds db instance publicly accessible query for pulumi

assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/metadata.json

@@ -0,0 +1,11 @@
+{
+  "id": "647de8aa-5a42-41b5-9faf-22136f117380",
+  "queryName": "RDS DB Instance Publicly Accessible",
+  "severity": "HIGH",
+  "category": "Insecure Configurations",
+  "descriptionText": "RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false.",
+  "descriptionUrl": "https://www.pulumi.com/registry/packages/aws/api-docs/rds/instance/#publiclyaccessible_yaml",
+  "platform": "Pulumi",
+  "descriptionID": "be6d13f0",
+  "cloudProvider": "aws"
+}

assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/query.rego

@@ -0,0 +1,20 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+	resource := input.document[i].resources[name]
+	resource.type == "aws:rds:Instance"
+	resource.properties.publiclyAccessible == true
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.type,
+		"resourceName": name,
+		"searchKey": sprintf("resources[%s].properties.publiclyAccessible", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("'resources.%s.properties.publiclyAccessible' should be set to 'false'", [name]),
+		"keyActualValue": sprintf("'resources.%s.properties.publiclyAccessible' is set to 'true'", [name]),
+		"searchLine": common_lib.build_search_line(["resources", name, "properties", "publiclyAccessible"], []),
+	}
+}

assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/negative1.yaml

@@ -0,0 +1,16 @@
+name: aws-rds
+runtime: yaml
+description: An RDS cluster
+resources:
+  default:
+    type: aws:rds:Instance
+    properties:
+      allocatedStorage: 10
+      dbName: mydb
+      engine: mysql
+      engineVersion: '5.7'
+      instanceClass: db.t3.micro
+      parameterGroupName: default.mysql5.7
+      password: foobarbaz
+      skipFinalSnapshot: true
+      username: foo

assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/negative2.yaml

@@ -0,0 +1,17 @@
+name: aws-rds
+runtime: yaml
+description: An RDS Instance
+resources:
+  default:
+    type: aws:rds:Instance
+    properties:
+      allocatedStorage: 10
+      dbName: mydb
+      engine: mysql
+      engineVersion: '5.7'
+      instanceClass: db.t3.micro
+      parameterGroupName: default.mysql5.7
+      password: foobarbaz
+      skipFinalSnapshot: true
+      username: foo
+      publiclyAccessible: false

assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive1.yaml

@@ -0,0 +1,17 @@
+name: aws-rds
+runtime: yaml
+description: An RDS Instance
+resources:
+  default:
+    type: aws:rds:Instance
+    properties:
+      allocatedStorage: 10
+      dbName: mydb
+      engine: mysql
+      engineVersion: '5.7'
+      instanceClass: db.t3.micro
+      parameterGroupName: default.mysql5.7
+      password: foobarbaz
+      skipFinalSnapshot: true
+      username: foo
+      publiclyAccessible: true

assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json

@@ -0,0 +1,8 @@
+[
+  {
+    "queryName": "RDS DB Instance Publicly Accessible",
+    "severity": "HIGH",
+    "line": 17,
+    "fileName": "positive1.yaml"
+  }
+]