Use files, branches, or tags for mod dependencies →
Powerpipe Hub 
Hub
Mods
turbot/terraform_aws_compliance
Overview
69Dashboards
357Controls
357Queries
2Variables
GitHub

Query: cloudfront_distribution_origin_access_identity_enabled

Usage

powerpipe query terraform_aws_compliance.query.cloudfront_distribution_origin_access_identity_enabled

Steampipe Tables

terraform_resource
Terraform plugin

SQL

with cloudfront_distribution as (
  select
    *
  from
    terraform_resource
  where
    type = 'aws_cloudfront_distribution'
), origin_type as (
    select
      distinct address
    from
      cloudfront_distribution,
      jsonb_array_elements(
        case jsonb_typeof(attributes_std -> 'origin')
        when 'array' then (attributes_std -> 'origin')
        else null end
        ) as o
    where
      (o ->> 'domain_name' ) like '%aws_s3_bucket%'
    group by address
),origins as (
    select
      count(*),
      address
    from
      cloudfront_distribution,
      jsonb_array_elements(
        case jsonb_typeof(attributes_std -> 'origin')
        when 'array' then (attributes_std -> 'origin')
        else null end
        ) as o
    where
      (o ->> 'domain_name' ) like '%aws_s3_bucket%'
      and(
      (o -> 's3_origin_config' ->> 'origin_access_identity') = ''
      or (o -> 's3_origin_config' ) is null
      )
    group by address
)
select
  a.address as resource,
  case
    when (attributes_std -> 'origin') is null then 'alarm'
    when (attributes_std -> 'origin' ->> 'domain_name' ) like '%aws_s3_bucket%' and (( not((attributes_std -> 'origin' -> 's3_origin_config' ->> 'origin_access_identity') = '')) and (attributes_std -> 'origin' -> 's3_origin_config' -> 'origin_access_identity') is not null) then 'ok'
    when (attributes_std -> 'origin' ->> 'domain_name' ) like '%aws_s3_bucket%' and (((attributes_std -> 'origin' -> 's3_origin_config' ->> 'origin_access_identity') = '') or ((attributes_std -> 'origin' -> 's3_origin_config') is null)) then 'alarm'
    when b.address is not null then 'alarm'
    when (t.address is null ) and ((attributes_std -> 'origin' ->> 'domain_name') not like '%aws_s3_bucket%') then 'skip'
    else 'ok'
  end as status,
  split_part(a.address, '.', 2) || case
    when (attributes_std -> 'origin') is null then ' origins not defined'
    when (attributes_std -> 'origin' ->> 'domain_name' ) like '%aws_s3_bucket%' and (( not((attributes_std -> 'origin' -> 's3_origin_config' ->> 'origin_access_identity') = '')) and (attributes_std -> 'origin' -> 's3_origin_config' -> 'origin_access_identity') is not null) then ' origin access identity configured'
    when (attributes_std -> 'origin' ->> 'domain_name' ) like '%aws_s3_bucket%' and (((attributes_std -> 'origin' -> 's3_origin_config' ->> 'origin_access_identity') = '') or ((attributes_std -> 'origin' -> 's3_origin_config') is null)) then ' origin access identity not configured'
    when b.address is not null then ' origin access identity not configured'
    when (t.address is null ) and ((attributes_std -> 'origin' ->> 'domain_name') not like '%aws_s3_bucket%') then ' origin type is not S3'
    else ' origin access identity configured'
  end || '.' reason
  
  , path || ':' || start_line
from
  cloudfront_distribution as a
  left join origin_type as t on a.address = t.address
  left join origins as b on a.address = b.address;

Controls

The query is being used by the following controls: