diff --git a/scripts/index.py b/scripts/index.py
index e2e05fa..8e36912 100644
--- a/scripts/index.py
+++ b/scripts/index.py
@@ -3,10 +3,9 @@
 from pathlib import Path
 from typing import List
-from lib.aws_config_rule import AwsConfigRule
+from lib.aws_config_rule import AwsConfigRule, SeverityOverride
 from lib.aws_docs_reader import generate_config_rule_data, generate_security_hub_controls_data
 from lib.hcl_generator import generate_variables, generate_locals, load_source_file
-from lib.hcl_reader import read_hcl_file
 ROOT_PAGE = 'https://docs.aws.amazon.com/config/latest/developerguide/'
 AWS_MANAGED_RULES_PAGE = ROOT_PAGE + 'managed-rules-by-aws-config.html'
@@ -14,6 +13,7 @@
 SECURITY_HUB_CONTROLS_REF_PAGE = "securityhub-controls-reference.html"
 CURRENT_DIR = Path(__file__).resolve().parent
 SOURCE_FILE_NAME = Path(CURRENT_DIR, 'config_rule_data.json')
+SEVERITY_OVERRIDES_FILE_PATH = Path(CURRENT_DIR, '..', 'etc', 'severity_overrides.yaml').resolve()
 SECURITY_HUB_CONTROLS_FILE_PATH = Path(CURRENT_DIR, 'security_hub_controls.json')
 LOCALS_FILE_PATH = Path(CURRENT_DIR, '..', 'managed_rules_locals.tf').resolve()
 VARIABLES_FILE_PATH = Path(CURRENT_DIR, '..', 'managed_rules_variables.tf').resolve()
@@ -29,18 +29,17 @@
 # Scrape AWS documentation for the latest Config Rules.
 generate_config_rule_data(
 root_url=ROOT_PAGE,
- managed_rules_page=AWS_MANAGED_RULES_PAGE)
+ managed_rules_page=AWS_MANAGED_RULES_PAGE,
+ output_file=SOURCE_FILE_NAME)
 # Scrape AWS documentation for the latest Security Hub controls.
 generate_security_hub_controls_data(
 root_url=SECURITY_HUB_ROOT_PAGE,
 controls_ref_page=SECURITY_HUB_CONTROLS_REF_PAGE,
 output_file=SECURITY_HUB_CONTROLS_FILE_PATH)
- # Load the list of managed rules from the existing locals block.
- data = read_hcl_file(LOCALS_FILE_PATH)
- existing_rules_data = None
- for _, local in enumerate(data['locals']):
- existing_rules_data = local['managed_rules']
+ # Load the manual severity overrides.
+ severity_overrides_data = load_source_file(SEVERITY_OVERRIDES_FILE_PATH)
+ severity_overrides = [SeverityOverride(rule_name=k, data=v) for k, v in severity_overrides_data['overrides'].items()]
 # Load source file with the latest Config Rule definitions.
 latest_config_rules_data = load_source_file(SOURCE_FILE_NAME)
@@ -51,6 +50,11 @@
 rules: List[AwsConfigRule] = []
 for rule_data in latest_config_rules_data:
 rule = AwsConfigRule(data=rule_data)
+ for override in severity_overrides:
+ if override.rule_name == rule.name:
+ logging.info(f"Updating {rule.name} severity with override -> {override.severity}")
+ rule.set_severity_level(override.severity)
+ break
 for control in controls:
 if rule.name == control['rule']:
 logging.info(f"Updating {rule.name} severity -> {control['severity']}")
diff --git a/scripts/lib/aws_config_rule.py b/scripts/lib/aws_config_rule.py
index f514538..ebbb172 100644
--- a/scripts/lib/aws_config_rule.py
+++ b/scripts/lib/aws_config_rule.py
@@ -2,7 +2,7 @@
 import re
 import yaml
-from typing import Union, List
+from typing import List, Optional, Union
 class AwsConfigRuleLocal:
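Review bot: `severity_overrides_data['overrides']` in the new override-loading block raises a bare KeyError when the file has no top-level `overrides` key, and if `load_source_file` returns None for an empty file the subscript fails with a TypeError; neither message names etc/severity_overrides.yaml, so a typo in the file is hard to diagnose from the traceback. Whether `load_source_file` parses YAML at all is not visible here — its other call in this hunk reads a .json file — so confirm it dispatches on extension and, if it goes through PyYAML, that it uses `yaml.safe_load`. A short guard such as `overrides = (severity_overrides_data or {}).get('overrides')` followed by `if not isinstance(overrides, dict): raise ValueError(f"{SEVERITY_OVERRIDES_FILE_PATH}: expected a top-level 'overrides' mapping")` gives a clear failure and lets the comprehension iterate `overrides.items()` within line length.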
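Review bot: The override is applied before the Security Hub `controls` loop, so if that loop (which continues outside the hunk) also calls `rule.set_severity_level(control['severity'])` for a matching rule, the manual override is replaced straight away and the new file has no effect for any rule that also has a Security Hub control; a manual override should normally be the last word, so the new block belongs after the controls loop. `override.severity` is `Optional[str]` and is passed through unchecked, so an entry without a `severity` key would set the level to None; guard with `if override.rule_name == rule.name and override.severity is not None:`. The inner scan is linear per rule; a dict keyed by rule name built once before the `for rule_data` loop would replace the loop and the `break`. The enclosing `for rule_data` loop continues outside the hunk.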
@@ -200,4 +200,10 @@ def tf_variable_default_value(self) -> str:
 raw_string = yaml.dump(result, default_flow_style=False, default_style='')
 fixed = self.replace_colons_with_equals(raw_string)
 return f"{{\n{fixed}}}"
- return None
\ No newline at end of file
+ return None
+
+
+class SeverityOverride:
+ def __init__(self, rule_name: str, data: dict) -> None:
+ self.rule_name: str = rule_name
+ self.severity: Optional[str] = data.get('severity')
\ No newline at end of file
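Review bot: `SeverityOverride.__init__` stores `data.get('severity')` without checking that `data` is a mapping or that the value is a recognised severity level, so a malformed entry in the overrides file (a bare string instead of a mapping) fails with an AttributeError at construction, and an unknown level flows unchanged into `set_severity_level`. Add a class docstring stating that one instance represents one entry of the overrides file keyed by Config rule name and that `severity` is None when the entry omits it, and open the constructor with `if not isinstance(data, dict): raise TypeError(f"override for {rule_name!r} must be a mapping")`; validating the level against whatever set `set_severity_level` accepts belongs here too, if such a set exists. The file still ends without a trailing newline, which the hunk had a chance to fix. `tf_variable_default_value` starts outside the hunk.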