feat(misconf): adapt AWS::DynamoDB::Table (#8529)

Signed-off-by: nikpivkin <[email protected]>

Author: nikpivkin

pkg/iac/adapters/cloudformation/aws/dynamodb/dynamodb.go

@@ -9,5 +9,6 @@ import (
 func Adapt(cfFile parser.FileContext) dynamodb.DynamoDB {
 	return dynamodb.DynamoDB{
 		DAXClusters: getClusters(cfFile),
+		Tables:      getTables(cfFile),
 	}
 }

pkg/iac/adapters/cloudformation/aws/dynamodb/dynamodb_test.go

@@ -23,6 +23,15 @@ Resources:
     Properties:
       SSESpecification:
         SSEEnabled: true
+  DDBTable:
+    Type: AWS::DynamoDB::Table
+    Properties:
+      SSESpecification:
+        SSEEnabled: true
+        KMSMasterKeyId: "test"
+      PointInTimeRecoverySpecification:
+        PointInTimeRecoveryEnabled: true
+
 `,
 			expected: dynamodb.DynamoDB{
 				DAXClusters: []dynamodb.DAXCluster{
@@ -32,6 +41,15 @@ Resources:
 						},
 					},
 				},
+				Tables: []dynamodb.Table{
+					{
+						ServerSideEncryption: dynamodb.ServerSideEncryption{
+							Enabled:  types.BoolTest(true),
+							KMSKeyID: types.StringTest("test"),
+						},
+						PointInTimeRecovery: types.BoolTest(true),
+					},
+				},
 			},
 		},
 		{
@@ -40,9 +58,18 @@ Resources:
 Resources:
   daxCluster:
     Type: AWS::DAX::Cluster
+  DDBTable:
+    Type: AWS::DynamoDB::Table
   `,
 			expected: dynamodb.DynamoDB{
 				DAXClusters: []dynamodb.DAXCluster{{}},
+				Tables: []dynamodb.Table{
+					{
+						ServerSideEncryption: dynamodb.ServerSideEncryption{
+							KMSKeyID: types.StringTest(dynamodb.DefaultKMSKeyID),
+						},
+					},
+				},
 			},
 		},
 	}

pkg/iac/adapters/cloudformation/aws/dynamodb/table.go

@@ -0,0 +1,25 @@
+package dynamodb
+
+import (
+	"github.com/samber/lo"
+
+	"github.com/aquasecurity/trivy/pkg/iac/providers/aws/dynamodb"
+	"github.com/aquasecurity/trivy/pkg/iac/scanners/cloudformation/parser"
+)
+
+func getTables(fctx parser.FileContext) []dynamodb.Table {
+	return lo.Map(fctx.GetResourcesByType("AWS::DynamoDB::Table"), func(
+		resource *parser.Resource, _ int,
+	) dynamodb.Table {
+		sseSpec := resource.GetProperty("SSESpecification")
+		return dynamodb.Table{
+			Metadata: resource.Metadata(),
+			ServerSideEncryption: dynamodb.ServerSideEncryption{
+				Metadata: sseSpec.Metadata(),
+				Enabled:  sseSpec.GetBoolProperty("SSEEnabled"),
+				KMSKeyID: sseSpec.GetStringProperty("KMSMasterKeyId", dynamodb.DefaultKMSKeyID),
+			},
+			PointInTimeRecovery: resource.GetBoolProperty("PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled"),
+		}
+	})
+}

pkg/iac/adapters/terraform/aws/dynamodb/adapt.go

@@ -77,7 +77,7 @@ func adaptTable(resource *terraform.Block, module *terraform.Module) dynamodb.Ta
 		table.ServerSideEncryption.Enabled = enabledAttr.AsBoolValueOrDefault(false, ssEncryptionBlock)
 
 		kmsKeyIdAttr := ssEncryptionBlock.GetAttribute("kms_key_arn")
-		table.ServerSideEncryption.KMSKeyID = kmsKeyIdAttr.AsStringValueOrDefault("alias/aws/dynamodb", ssEncryptionBlock)
+		table.ServerSideEncryption.KMSKeyID = kmsKeyIdAttr.AsStringValueOrDefault(dynamodb.DefaultKMSKeyID, ssEncryptionBlock)
 
 		kmsBlock, err := module.GetReferencedBlock(kmsKeyIdAttr, resource)
 		if err == nil && kmsBlock.IsNotNil() {

pkg/iac/adapters/terraform/aws/dynamodb/adapt_test.go

@@ -94,7 +94,7 @@ func Test_adaptTable(t *testing.T) {
 				ServerSideEncryption: dynamodb.ServerSideEncryption{
 					Metadata: iacTypes.NewTestMetadata(),
 					Enabled:  iacTypes.Bool(true, iacTypes.NewTestMetadata()),
-					KMSKeyID: iacTypes.String("alias/aws/dynamodb", iacTypes.NewTestMetadata()),
+					KMSKeyID: iacTypes.String(dynamodb.DefaultKMSKeyID, iacTypes.NewTestMetadata()),
 				},
 				PointInTimeRecovery: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
 			},