turbot/terraform_aws_compliance

Query: cloudfront_distribution_origin_access_identity_enabled

Usage

powerpipe query terraform_aws_compliance.query.cloudfront_distribution_origin_access_identity_enabled

Steampipe Tables

SQL

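-- Flags aws_cloudfront_distribution resources that serve content from an S3
-- bucket origin without a CloudFront origin access identity (OAI). Without an
-- OAI the bucket itself has to be readable, so clients can bypass CloudFront
-- and any access control (WAF, signed URLs, geo restriction) configured on it.
--
-- An S3 origin is recognised only when its domain_name references an
-- aws_s3_bucket resource (e.g. "${aws_s3_bucket.b.bucket_regional_domain_name}").
-- A literal "<bucket>.s3.amazonaws.com" hostname is not detected and the
-- distribution is reported as skip, so this check is best-effort on
-- hand-written hostnames.
--
-- NOTE(review): only the legacy s3_origin_config.origin_access_identity is
-- checked. An origin restricted with the newer origin access control
-- (origin_access_control_id on the origin block, with no s3_origin_config) is
-- reported as alarm here -- confirm that is the intended policy before relying
-- on the alarm as a hard failure.
with cloudfront_distribution as (
  select
    *
  from
    terraform_resource
  where
    type = 'aws_cloudfront_distribution'
),
-- One row per origin block. Terraform encodes a single origin block as an
-- object and several as an array; both are normalised to an array here so the
-- S3 checks below need only one code path. A missing origin or any other
-- encoding (e.g. an unresolved expression) yields no rows.
origin as (
  select
    d.address,
    o as origin
  from
    cloudfront_distribution as d,
    jsonb_array_elements(
      case jsonb_typeof(d.attributes_std -> 'origin')
        when 'array' then d.attributes_std -> 'origin'
        when 'object' then jsonb_build_array(d.attributes_std -> 'origin')
        else null
      end
    ) as o
),
-- Origins that point at an aws_s3_bucket resource.
s3_origin as (
  select
    address,
    origin
  from
    origin
  where
    (origin ->> 'domain_name') like '%aws_s3_bucket%'
),
-- Distributions with at least one S3 origin; everything else is out of scope.
s3_distribution as (
  select distinct
    address
  from
    s3_origin
),
-- S3 origins with no OAI: s3_origin_config missing, origin_access_identity
-- missing (->> yields null) or set to an empty string. coalesce() folds the
-- null cases into '' so they are not silently dropped by three-valued logic
-- (NULL = '' is unknown, not true), which would otherwise report such an
-- origin as protected.
s3_origin_without_oai as (
  select
    address,
    count(*) as origin_count
  from
    s3_origin
  where
    coalesce(origin -> 's3_origin_config' ->> 'origin_access_identity', '') = ''
  group by
    address
)
select
  a.address as resource,
  case
    -- no origin block at all: nothing can be served, treat as misconfigured
    when (a.attributes_std -> 'origin') is null then 'alarm'
    -- at least one S3 origin without an OAI
    when b.address is not null then 'alarm'
    -- no S3 origin: the control does not apply (also covers origin lists
    -- with only non-S3 origins, which must not fall through to 'ok')
    when t.address is null then 'skip'
    else 'ok'
  end as status,
  split_part(a.address, '.', 2) || case
    when (a.attributes_std -> 'origin') is null then ' origins not defined'
    when b.address is not null then ' origin access identity not configured'
    when t.address is null then ' origin type is not S3'
    else ' origin access identity configured'
  end || '.' as reason,
  a.path || ':' || a.start_line
from
  cloudfront_distribution as a
  left join s3_distribution as t on a.address = t.address
  left join s3_origin_without_oai as b on a.address = b.address;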

Controls

The query is being used by the following controls: