nonfx · pranaySinghDev · Nov 11, 2024 · Nov 11, 2024 · Nov 11, 2024 · Nov 11, 2024
diff --git a/.github/workflows/manual-trigger.yml b/.github/workflows/manual-trigger.yml
@@ -0,0 +1,44 @@
+name: Regula testgen Workflow
+on:
+  workflow_dispatch:
+    inputs:
+      input_file_path:
+        description: 'Path to the input file'
+        required: true
+        type: string
+      output_file_path:
+        description: 'Path to the output file'
+        required: true
+        type: string
+      pipeline_token:
+        description: 'Pipeline token'
+        required: true
+        type: string
+      anthropic_api_key:
+        description: 'Cluade API key'
+        required: true
+        type: string
+      openai_api_key:
+        description: 'OpenAI API key'
+        required: true
+        type: string
+
+jobs:
+  run-testgen:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Run Non-functional Test Agent
+        uses: docker://docker.io/pranayc/codegen:github-action
+        env:
+          INPUT_FILE_PATH: ${{ inputs.input_file_path }}
+          OUTPUT_FILE_PATH: ${{ inputs.output_file_path }}
+          PIPELINE_TOKEN: ${{ inputs.pipeline_token }}
+          ANTHROPIC_API_KEY: ${{ inputs.anthropic_api_key }}
+          OPENAI_API_KEY: ${{ inputs.openai_api_key }}
+          FORCE_COLOR: 1
+          MODEL: "sonnet"
+          NODE_OPTIONS: --no-warnings
+          OUTPUTDIR: ${{ inputs.output_file_path }}
diff --git a/.github/workflows/pr-review.yml b/.github/workflows/pr-review.yml
@@ -0,0 +1,30 @@
+name: PR Review Mode
+
+on:
+  issue_comment:
+    types: [created]
+
+jobs:
+  process-pr-comment:
+    if: github.event.issue.pull_request && contains(github.event.comment.body, '/review')
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout PR
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+
+      - name: Run Non-functional Test Agent
+        uses: docker://docker.io/pranayc/codegen:github-action
+        env:
+          INPUT_FILE_PATH: ${{ github.workspace }}
+          OUTPUT_FILE_PATH: ${{ github.workspace }}/review-output
+          PIPELINE_TOKEN: ${{ secrets.PIPELINE_TOKEN }}
+          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+          FORCE_COLOR: 1
+          MODEL: "sonnet"
+          NODE_OPTIONS: --no-warnings
+          PR_WORKFLOW: "true"
diff --git a/output/1731344141643_checkpoint.json b/output/1731344141643_checkpoint.json
diff --git a/output/aws_autoscaling_launch_config_public_ip.rego b/output/aws_autoscaling_launch_config_public_ip.rego
@@ -0,0 +1,44 @@
+package rules.autoscaling_launch_config_public_ip
+
+import data.fugue
+
+__rego__metadoc__ := {
+    "id": "Autoscaling.5",
+    "title": "Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses",
+    "description": "Auto Scaling group launch configurations must not assign public IP addresses to EC2 instances for enhanced security. Instances should only be accessible through load balancers and not directly exposed to the internet.",
+    "custom": {
+        "controls": {"AWS-Foundational-Security-Best-Practices_v1.0.0": ["AWS-Foundational-Security-Best-Practices_v1.0.0_Autoscaling.5"]},
+        "severity": "High"
+    }
+}
+
+resource_type := "MULTIPLE"
+
+# Get all launch configurations
+launch_configs = fugue.resources("aws_launch_configuration")
+
+# Helper function to check if public IP is disabled
+is_public_ip_disabled(config) {
+    config.associate_public_ip_address == false
+}
+
+is_public_ip_disabled(config) {
+    not config.associate_public_ip_address
+}
+
+# Allow configurations with public IP disabled
+policy[p] {
+    config := launch_configs[_]
+    is_public_ip_disabled(config)
+    p = fugue.allow_resource(config)
+}
+
+# Deny configurations with public IP enabled
+policy[p] {
+    config := launch_configs[_]
+    not is_public_ip_disabled(config)
+    p = fugue.deny_resource_with_message(
+        config,
+        "Launch configuration should not assign public IP addresses to EC2 instances"
+    )
+}
diff --git a/output/aws_autoscaling_launch_config_public_ip_allow.tf b/output/aws_autoscaling_launch_config_public_ip_allow.tf
@@ -0,0 +1,44 @@
+provider "aws" {
+  alias  = "pass_aws"
+  region = "us-west-2"
+}
+
+# Create a compliant launch configuration with public IP disabled
+resource "aws_launch_configuration" "pass_config" {
+  provider = aws.pass_aws
+  name_prefix = "pass-launch-config"
+  image_id = "ami-0c55b159cbfafe1f0"
+  instance_type = "t2.micro"
+
+  # Compliant: Explicitly disabling public IP
+  associate_public_ip_address = false
+
+  security_groups = ["sg-12345678"]
+
+  root_block_device {
+    volume_size = 8
+    volume_type = "gp2"
+    encrypted   = true
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+# Create autoscaling group using the compliant launch configuration
+resource "aws_autoscaling_group" "pass_asg" {
+  provider = aws.pass_aws
+  name = "pass-asg"
+  max_size = 3
+  min_size = 1
+  desired_capacity = 1
+  launch_configuration = aws_launch_configuration.pass_config.name
+  vpc_zone_identifier = ["subnet-12345678"]
+
+  tag {
+    key = "Environment"
+    value = "Production"
+    propagate_at_launch = true
+  }
+}
diff --git a/output/aws_autoscaling_launch_config_public_ip_deny.tf b/output/aws_autoscaling_launch_config_public_ip_deny.tf
@@ -0,0 +1,37 @@
+provider "aws" {
+  alias  = "fail_aws"
+  region = "us-west-2"
+}
+
+# Create a non-compliant launch configuration with public IP enabled
+resource "aws_launch_configuration" "fail_config" {
+  provider = aws.fail_aws
+  name_prefix = "fail-launch-config"
+  image_id = "ami-0c55b159cbfafe1f0"
+  instance_type = "t2.micro"
+
+  # Non-compliant: Explicitly enabling public IP
+  associate_public_ip_address = true
+
+  security_groups = ["sg-12345678"]
+
+  root_block_device {
+    volume_size = 8
+    volume_type = "gp2"
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+# Create autoscaling group using the non-compliant launch configuration
+resource "aws_autoscaling_group" "fail_asg" {
+  provider = aws.fail_aws
+  name = "fail-asg"
+  max_size = 3
+  min_size = 1
+  desired_capacity = 1
+  launch_configuration = aws_launch_configuration.fail_config.name
+  vpc_zone_identifier = ["subnet-12345678"]
+}
diff --git a/test-data/data.csv b/test-data/data.csv
@@ -0,0 +1,2 @@
+"title","urls","description","status"
+[Autoscaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses,https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html#autoscaling-5,TODO
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		"title","urls","description","status"
		[Autoscaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses,https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html#autoscaling-5,TODO