fix(misconf): ecs include enhanced for container insights (#8326)

Co-authored-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
aquasecurity · Jan 31, 2025 · 39789ff · 39789ff
1 parent bd5baaf
commit 39789ff
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 20 deletions.
diff --git a/pkg/iac/adapters/cloudformation/aws/ecs/cluster.go b/pkg/iac/adapters/cloudformation/aws/ecs/cluster.go
@@ -50,7 +50,7 @@ func checkProperty(setting *parser.Property, clusterSettings *ecs.ClusterSetting
 	name := settingMap["Name"]
 	if name.IsNotNil() && name.EqualTo("containerInsights") {
 		value := settingMap["Value"]
-		if value.IsNotNil() && value.EqualTo("enabled") {
+		if value.IsNotNil() && !value.EqualTo("disabled") {
 			clusterSettings.ContainerInsightsEnabled = types.Bool(true, value.Metadata())
 		}
 	}

diff --git a/pkg/iac/adapters/cloudformation/aws/ecs/ecs_test.go b/pkg/iac/adapters/cloudformation/aws/ecs/ecs_test.go
@@ -25,11 +25,11 @@ Resources:
       ClusterSettings:
         - Name: containerInsights
           Value: enabled
-  taskdefinition: 
+  taskdefinition:
     Type: AWS::ECS::TaskDefinition
-    Properties: 
-      ContainerDefinitions: 
-        - 
+    Properties:
+      ContainerDefinitions:
+        -
           Name: "busybox"
           Image: "busybox"
           Cpu: "256"
@@ -39,9 +39,9 @@ Resources:
           Environment:
             - Name: entryPoint
               Value: 'sh, -c'
-      Volumes: 
-        - 
-          Host: 
+      Volumes:
+        -
+          Host:
             SourcePath: "/var/lib/docker/vfs/dir/"
           Name: "my-vol"
           EFSVolumeConfiguration:
@@ -84,13 +84,35 @@ Resources:
 				},
 			},
 		},
+		{
+			name: "ecs Cluster Enhanced Container Insights",
+			source: `AWSTemplateFormatVersion: '2010-09-09'
+Resources:
+  ECSCluster:
+    Type: 'AWS::ECS::Cluster'
+    Properties:
+      ClusterName: MyFargateCluster
+      ClusterSettings:
+        - Name: containerInsights
+          Value: enhanced
+`,
+			expected: ecs.ECS{
+				Clusters: []ecs.Cluster{
+					{
+						Settings: ecs.ClusterSettings{
+							ContainerInsightsEnabled: types.BoolTest(true),
+						},
+					},
+				},
+			},
+		},
 		{
 			name: "empty",
 			source: `AWSTemplateFormatVersion: 2010-09-09
 Resources:
   ECSCluster:
     Type: 'AWS::ECS::Cluster'
-  taskdefinition: 
+  taskdefinition:
     Type: AWS::ECS::TaskDefinition
   `,
 			expected: ecs.ECS{

diff --git a/pkg/iac/adapters/terraform/aws/ecs/adapt.go b/pkg/iac/adapters/terraform/aws/ecs/adapt.go
@@ -40,9 +40,9 @@ func adaptClusterSettings(resourceBlock *terraform.Block) ecs.ClusterSettings {
 		settings.Metadata = settingBlock.GetMetadata()
 		if settingBlock.GetAttribute("name").Equals("containerInsights") {
 			insightsAttr := settingBlock.GetAttribute("value")
-			settings.ContainerInsightsEnabled = types.Bool(insightsAttr.Equals("enabled"), settingBlock.GetMetadata())
+			settings.ContainerInsightsEnabled = types.Bool(!insightsAttr.Equals("disabled"), settingBlock.GetMetadata())
 			if insightsAttr.IsNotNil() {
-				settings.ContainerInsightsEnabled = types.Bool(insightsAttr.Equals("enabled"), insightsAttr.GetMetadata())
+				settings.ContainerInsightsEnabled = types.Bool(!insightsAttr.Equals("disabled"), insightsAttr.GetMetadata())
 			}
 		}
 	}

diff --git a/pkg/iac/adapters/terraform/aws/ecs/adapt_test.go b/pkg/iac/adapters/terraform/aws/ecs/adapt_test.go
@@ -23,12 +23,29 @@ func Test_adaptClusterSettings(t *testing.T) {
 			terraform: `
 			resource "aws_ecs_cluster" "example" {
 				name = "services-cluster"
-			  
+
 				setting {
 				  name  = "containerInsights"
 				  value = "enabled"
 				}
 			}
+`,
+			expected: ecs.ClusterSettings{
+				Metadata:                 iacTypes.NewTestMetadata(),
+				ContainerInsightsEnabled: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
+			},
+		},
+		{
+			name: "container insights enhanced",
+			terraform: `
+			resource "aws_ecs_cluster" "example" {
+				name = "services-cluster"
+
+				setting {
+				  name  = "containerInsights"
+				  value = "enhanced"
+				}
+			}
 `,
 			expected: ecs.ClusterSettings{
 				Metadata:                 iacTypes.NewTestMetadata(),
@@ -40,7 +57,7 @@ func Test_adaptClusterSettings(t *testing.T) {
 			terraform: `
 			resource "aws_ecs_cluster" "example" {
 				name = "services-cluster"
-			  
+
 				setting {
 				  name  = "invalidName"
 				  value = "enabled"
@@ -55,7 +72,7 @@ func Test_adaptClusterSettings(t *testing.T) {
 		{
 			name: "defaults",
 			terraform: `
-			resource "aws_ecs_cluster" "example" {			
+			resource "aws_ecs_cluster" "example" {
 			}
 `,
 			expected: ecs.ClusterSettings{
@@ -99,10 +116,10 @@ func Test_adaptTaskDefinitionResource(t *testing.T) {
 	}
 ]
 				EOF
-			  
+
 				volume {
 				  name = "service-storage"
-			  
+
 				  efs_volume_configuration {
 					transit_encryption      = "ENABLED"
 				  }
@@ -145,7 +162,7 @@ func Test_adaptTaskDefinitionResource(t *testing.T) {
 			resource "aws_ecs_task_definition" "example" {
 				volume {
 					name = "service-storage"
-				
+
 					efs_volume_configuration {
 					}
 				  }
@@ -181,7 +198,7 @@ func TestLines(t *testing.T) {
 	src := `
 	resource "aws_ecs_cluster" "example" {
 		name = "services-cluster"
-	  
+
 		setting {
 		  name  = "containerInsights"
 		  value = "enabled"
@@ -202,10 +219,10 @@ func TestLines(t *testing.T) {
 		}
 	]
 		EOF
-	  
+
 		volume {
 		  name = "service-storage"
-	  
+
 		  efs_volume_configuration {
 			transit_encryption      = "ENABLED"
 		  }