API Gateway Deployment Without API Gateway UsagePlan Associated

  • Query id: b3a59b8e-94a3-403e-b6e2-527abaf12034
  • Query name: API Gateway Deployment Without API Gateway UsagePlan Associated
  • Platform: Terraform
  • Severity: Low
  • Category: Observability
  • CWE: 285
  • URL: Github

Description

API Gateway Deployment should have API Gateway UsagePlan defined and associated.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "aws_api_gateway_deployment" "positive1" {
  rest_api_id   = "some rest api id"
  stage_name = "some name"
  tags {
    project = "ProjectName"
  }
}

resource "aws_api_gateway_deployment" "positive2" {
  rest_api_id   = "some rest api id"
  stage_name    = "development"
}

resource "aws_api_gateway_usage_plan" "positive3" {
  name         = "my-usage-plan"
  description  = "my description"
  product_code = "MYCODE"

  api_stages {
    api_id = "another id"
    stage  = "development"
  }
}
Positive test num. 2 - json file
{
  "format_version": "0.2",
  "terraform_version": "1.0.5",
  "planned_values": {
    "root_module": {
      "resources": [
        {
          "address": "aws_api_gateway_deployment.positive1",
          "mode": "managed",
          "type": "aws_api_gateway_deployment",
          "name": "positive1",
          "provider_name": "registry.terraform.io/hashicorp/aws",
          "schema_version": 0,
          "values": {
            "description": null,
            "rest_api_id": "some rest api id",
            "stage_description": null,
            "stage_name": "some name",
            "triggers": null,
            "variables": null
          },
          "sensitive_values": {}
        },
        {
          "address": "aws_api_gateway_deployment.positive2",
          "mode": "managed",
          "type": "aws_api_gateway_deployment",
          "name": "positive2",
          "provider_name": "registry.terraform.io/hashicorp/aws",
          "schema_version": 0,
          "values": {
            "description": null,
            "rest_api_id": "some rest api id",
            "stage_description": null,
            "stage_name": "development",
            "triggers": null,
            "variables": null
          },
          "sensitive_values": {}
        },
        {
          "address": "aws_api_gateway_usage_plan.positive3",
          "mode": "managed",
          "type": "aws_api_gateway_usage_plan",
          "name": "positive3",
          "provider_name": "registry.terraform.io/hashicorp/aws",
          "schema_version": 0,
          "values": {
            "api_stages": [
              {
                "api_id": "another id",
                "stage": "development"
              }
            ],
            "description": "my description",
            "name": "my-usage-plan",
            "product_code": "MYCODE",
            "quota_settings": [],
            "tags": null,
            "throttle_settings": []
          },
          "sensitive_values": {
            "api_stages": [
              {}
            ],
            "quota_settings": [],
            "tags_all": {},
            "throttle_settings": []
          }
        }
      ]
    }
  },
  "resource_changes": [
    {
      "address": "aws_api_gateway_deployment.positive1",
      "mode": "managed",
      "type": "aws_api_gateway_deployment",
      "name": "positive1",
      "provider_name": "registry.terraform.io/hashicorp/aws",
      "change": {
        "actions": [
          "create"
        ],
        "before": null,
        "after": {
          "description": null,
          "rest_api_id": "some rest api id",
          "stage_description": null,
          "stage_name": "some name",
          "triggers": null,
          "variables": null
        },
        "after_unknown": {
          "created_date": true,
          "execution_arn": true,
          "id": true,
          "invoke_url": true
        },
        "before_sensitive": false,
        "after_sensitive": {}
      }
    },
    {
      "address": "aws_api_gateway_deployment.positive2",
      "mode": "managed",
      "type": "aws_api_gateway_deployment",
      "name": "positive2",
      "provider_name": "registry.terraform.io/hashicorp/aws",
      "change": {
        "actions": [
          "create"
        ],
        "before": null,
        "after": {
          "description": null,
          "rest_api_id": "some rest api id",
          "stage_description": null,
          "stage_name": "development",
          "triggers": null,
          "variables": null
        },
        "after_unknown": {
          "created_date": true,
          "execution_arn": true,
          "id": true,
          "invoke_url": true
        },
        "before_sensitive": false,
        "after_sensitive": {}
      }
    },
    {
      "address": "aws_api_gateway_usage_plan.positive3",
      "mode": "managed",
      "type": "aws_api_gateway_usage_plan",
      "name": "positive3",
      "provider_name": "registry.terraform.io/hashicorp/aws",
      "change": {
        "actions": [
          "create"
        ],
        "before": null,
        "after": {
          "api_stages": [
            {
              "api_id": "another id",
              "stage": "development"
            }
          ],
          "description": "my description",
          "name": "my-usage-plan",
          "product_code": "MYCODE",
          "quota_settings": [],
          "tags": null,
          "throttle_settings": []
        },
        "after_unknown": {
          "api_stages": [
            {}
          ],
          "arn": true,
          "id": true,
          "quota_settings": [],
          "tags_all": true,
          "throttle_settings": []
        },
        "before_sensitive": false,
        "after_sensitive": {
          "api_stages": [
            {}
          ],
          "quota_settings": [],
          "tags_all": {},
          "throttle_settings": []
        }
      }
    }
  ],
  "configuration": {
    "root_module": {
      "resources": [
        {
          "address": "aws_api_gateway_deployment.positive1",
          "mode": "managed",
          "type": "aws_api_gateway_deployment",
          "name": "positive1",
          "provider_config_key": "aws",
          "expressions": {
            "rest_api_id": {
              "constant_value": "some rest api id"
            },
            "stage_name": {
              "constant_value": "some name"
            }
          },
          "schema_version": 0
        },
        {
          "address": "aws_api_gateway_deployment.positive2",
          "mode": "managed",
          "type": "aws_api_gateway_deployment",
          "name": "positive2",
          "provider_config_key": "aws",
          "expressions": {
            "rest_api_id": {
              "constant_value": "some rest api id"
            },
            "stage_name": {
              "constant_value": "development"
            }
          },
          "schema_version": 0
        },
        {
          "address": "aws_api_gateway_usage_plan.positive3",
          "mode": "managed",
          "type": "aws_api_gateway_usage_plan",
          "name": "positive3",
          "provider_config_key": "aws",
          "expressions": {
            "api_stages": [
              {
                "api_id": {
                  "constant_value": "another id"
                },
                "stage": {
                  "constant_value": "development"
                }
              }
            ],
            "description": {
              "constant_value": "my description"
            },
            "name": {
              "constant_value": "my-usage-plan"
            },
            "product_code": {
              "constant_value": "MYCODE"
            }
          },
          "schema_version": 0
        }
      ]
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "aws_api_gateway_deployment" "negative1" {
  rest_api_id   = "rest_api_1"
  stage_name    = "development"
}

resource "aws_api_gateway_usage_plan" "negative2" {
  name         = "my-usage-plan"
  description  = "my description"
  product_code = "MYCODE"

  api_stages {
    api_id = "rest_api_1"
    stage  = "development"
  }

  api_stages {
    api_id = "rest_api_2"
    stage  = "development_2"
  }
}
Negative test num. 2 - json file
{
  "format_version": "0.2",
  "terraform_version": "1.0.5",
  "planned_values": {
    "root_module": {
      "resources": [
        {
          "address": "aws_api_gateway_deployment.negative1",
          "mode": "managed",
          "type": "aws_api_gateway_deployment",
          "name": "negative1",
          "provider_name": "registry.terraform.io/hashicorp/aws",
          "schema_version": 0,
          "values": {
            "description": null,
            "rest_api_id": "rest_api_1",
            "stage_description": null,
            "stage_name": "development",
            "triggers": null,
            "variables": null
          },
          "sensitive_values": {}
        },
        {
          "address": "aws_api_gateway_usage_plan.negative2",
          "mode": "managed",
          "type": "aws_api_gateway_usage_plan",
          "name": "negative2",
          "provider_name": "registry.terraform.io/hashicorp/aws",
          "schema_version": 0,
          "values": {
            "api_stages": [
              {
                "api_id": "rest_api_1",
                "stage": "development"
              }
            ],
            "description": "my description",
            "name": "my-usage-plan",
            "product_code": "MYCODE",
            "quota_settings": [],
            "tags": null,
            "throttle_settings": []
          },
          "sensitive_values": {
            "api_stages": [
              {}
            ],
            "quota_settings": [],
            "tags_all": {},
            "throttle_settings": []
          }
        }
      ]
    }
  },
  "resource_changes": [
    {
      "address": "aws_api_gateway_deployment.negative1",
      "mode": "managed",
      "type": "aws_api_gateway_deployment",
      "name": "negative1",
      "provider_name": "registry.terraform.io/hashicorp/aws",
      "change": {
        "actions": [
          "create"
        ],
        "before": null,
        "after": {
          "description": null,
          "rest_api_id": "rest_api_1",
          "stage_description": null,
          "stage_name": "development",
          "triggers": null,
          "variables": null
        },
        "after_unknown": {
          "created_date": true,
          "execution_arn": true,
          "id": true,
          "invoke_url": true
        },
        "before_sensitive": false,
        "after_sensitive": {}
      }
    },
    {
      "address": "aws_api_gateway_usage_plan.negative2",
      "mode": "managed",
      "type": "aws_api_gateway_usage_plan",
      "name": "negative2",
      "provider_name": "registry.terraform.io/hashicorp/aws",
      "change": {
        "actions": [
          "create"
        ],
        "before": null,
        "after": {
          "api_stages": [
            {
              "api_id": "rest_api_1",
              "stage": "development"
            }
          ],
          "description": "my description",
          "name": "my-usage-plan",
          "product_code": "MYCODE",
          "quota_settings": [],
          "tags": null,
          "throttle_settings": []
        },
        "after_unknown": {
          "api_stages": [
            {}
          ],
          "arn": true,
          "id": true,
          "quota_settings": [],
          "tags_all": true,
          "throttle_settings": []
        },
        "before_sensitive": false,
        "after_sensitive": {
          "api_stages": [
            {}
          ],
          "quota_settings": [],
          "tags_all": {},
          "throttle_settings": []
        }
      }
    }
  ],
  "configuration": {
    "root_module": {
      "resources": [
        {
          "address": "aws_api_gateway_deployment.negative1",
          "mode": "managed",
          "type": "aws_api_gateway_deployment",
          "name": "negative1",
          "provider_config_key": "aws",
          "expressions": {
            "rest_api_id": {
              "constant_value": "rest_api_1"
            },
            "stage_name": {
              "constant_value": "development"
            }
          },
          "schema_version": 0
        },
        {
          "address": "aws_api_gateway_usage_plan.negative2",
          "mode": "managed",
          "type": "aws_api_gateway_usage_plan",
          "name": "negative2",
          "provider_config_key": "aws",
          "expressions": {
            "api_stages": [
              {
                "api_id": {
                  "constant_value": "rest_api_1"
                },
                "stage": {
                  "constant_value": "development"
                }
              }
            ],
            "description": {
              "constant_value": "my description"
            },
            "name": {
              "constant_value": "my-usage-plan"
            },
            "product_code": {
              "constant_value": "MYCODE"
            }
          },
          "schema_version": 0
        }
      ]
    }
  }
}