# Domain-Specific Language

> This mapping configuration only applies to the Terraform Processor. Refer to the documentation of the other processors if you need their mapping file configuration; each processor's documentation is listed in the left menu under the "StartLeft Processors (SLP)" section.

The Terraform Processor provides a Domain-Specific Language (Terraform-DSL) for configuring the mapping behaviour. It is split into two groups: Special Mapping Fields and Mapping Functions.
## Special Mapping Fields

These fields begin with a dollar sign (`$`) and do not directly contribute to the OTM output. Instead, each one specifies an action or behaviour used to process the source files or to generate the OTM output.

Field | Description | Applies to |
---|---|---|
`$default` | Marks a TrustZone as the default parent | TrustZones |
`$source` | Specifies which source objects are mapped to the element | Components, TrustZones & Dataflows |
`$altsource` | Specifies an alternative mapping to use when `$source` returns no object | Components |
`$children` | Specifies which components become children of this component | Components |
### $default

This special mapping field marks a TrustZone as the default trust zone: components that do not define their own parent are placed under it.

Applies to: TrustZones

The `components[].parent` value of such components is taken from the TrustZone that carries `$default: true` in the `trustzones` section. The resulting OTM:
```yaml
otmVersion: 0.1.0
project:
  name: name
  id: id
representations:
  - name: Terraform
    id: Terraform
    type: code
trustZones:
  - id: public-cloud-01
    name: Public Cloud
    type: b61d6911-338d-46a8-9f39-8dcd24abfe91
    risk:
      trustRating: 10
components:
  - id: public-cloud-01.aws_internet_gateway-internetegateway
    name: InterneteGateway
    type: empty-component
    parent:
      trustZone: public-cloud-01
    tags:
      - aws_internet_gateway
dataflows: []
```
### $source

This special mapping field specifies the origin of the objects to be mapped. Its behaviour is configured with the Terraform-DSL mapping functions, which are evaluated against all the Terraform resources and return the matching elements.

Applies to: Components, TrustZones & Dataflows

This mapping specifies that the `empty-component` is sourced from the resources of type `aws_internet_gateway`:
```yaml
otmVersion: 0.1.0
project:
  name: name
  id: id
representations:
  - name: Terraform
    id: Terraform
    type: code
trustZones:
  - id: public-cloud-01
    name: Public Cloud
    type: b61d6911-338d-46a8-9f39-8dcd24abfe91
    risk:
      trustRating: 10
components:
  - id: public-cloud-01.aws_internet_gateway-internetegateway
    name: InterneteGateway
    type: empty-component
    parent:
      trustZone: public-cloud-01
    tags:
      - aws_internet_gateway
dataflows: []
```
### $altsource

This special mapping field specifies an alternative mapping to use when `$source` returns nothing.

Applies to: Components

See Mapping an AltSource for a deeper explanation.

### $children

This special mapping field specifies which components are children of the current one on the OTM; it sets the `parent` attribute of those components accordingly.

Applies to: Components

See Mapping a Children for a deeper explanation.
## Mapping Functions

These functions are used as parameters of the mapping attributes to configure their behaviour.

Function | Type | Description |
---|---|---|
`$type` | filter | Finds resources by their type |
`$name` | filter | Finds resources by their name |
`$props` | filter | Finds resources by their properties |
`$regex` | filter | Specifies a custom regex to be matched by the given argument |
`$root` | filter | JMESPath search through the entire source file data structure |
`$path` | accessor | JMESPath search through the object identified in `$source`. A default value can be given with the `$searchParams` structure |
`$findFirst` | selector | JMESPath search through the list of objects identified in `$source`, returning the first successful match. A default value can be given with the `$searchParams` structure |
`$searchParams` | selector | Specifies a default value for the `$path` or `$findFirst` mapping functions |
`$singleton` | grouper | Unifies the matching objects under a single component or TrustZone |
`$numberOfSources` | selector | When used with `$singleton`, lets you set different values for the output name or tags depending on whether the mapping matched one source or several |
`$format` | formatter | A named format string built from the output of other `$special` fields |
`$module` | filter | Searches the `module` blocks, matching on their `source` attribute |
`$skip` | filter | A sub-field of `$source`: the given objects are skipped unless another mapping explicitly defines them |
`$catchall` | filter | A sub-field of `$source`: includes any matching resource unless it has already been matched by a more specific mapping or has been skipped |
`$lookup` | selector | Looks up the output of a `$special` field in a key-value lookup table |
`$hub` | connector | Only for a dataflow's `source` and `destination` fields. Created for building dataflows from Security Group structures without generating components from them; it defines abstract contact points for larger end-to-end dataflows |
`$ip` | grouper | When a component's `name` field is defined as `$ip`, a singleton component is generated to represent an external IP, without the usual singleton limitations: the `type` of the mapping definition that uses `$ip` (e.g. `generic-terminal`) is not catalogued as a singleton |
### $type

This mapping function returns resources by their `resource_type` attribute on the Terraform Source Dictionary. It can be combined with `$name` and `$props` to build a more specific query.

Type | Consumes | Produces | Configuration params |
---|---|---|---|
filter | A list of resources | The resources whose type matches | A string, a list of strings, or the `$regex` mapping function |

This mapping creates an `rds` component for every resource whose type is one of `aws_db_instance` or `aws_rds_cluster`:
```yaml
otmVersion: 0.1.0
project:
  name: name
  id: id
representations:
  - name: Terraform
    id: Terraform
    type: code
trustZones:
  - id: public-cloud-01
    name: Public Cloud
    type: b61d6911-338d-46a8-9f39-8dcd24abfe91
    risk:
      trustRating: 10
components:
  - id: public-cloud-01.aws_db_instance-mysql
    name: mysql
    type: rds
    parent:
      trustZone: public-cloud-01
    tags:
      - aws_db_instance
  - id: public-cloud-01.aws_rds_cluster-aurora_cluster_demo
    name: aurora-cluster-demo
    type: rds
    parent:
      trustZone: public-cloud-01
    tags:
      - aws_rds_cluster
dataflows: []
```
### $name

This mapping function returns resources by their `resource_name` attribute on the Terraform Source Dictionary. It can be combined with `$type` and `$props` to build a more specific query.

Type | Consumes | Produces | Configuration params |
---|---|---|---|
filter | A list of resources | The resources whose name matches | A string, a list of strings, or the `$regex` mapping function |

This mapping creates an `rds` component for the resources named `mysql`:
```yaml
otmVersion: 0.1.0
project:
  name: name
  id: id
representations:
  - name: Terraform
    id: Terraform
    type: code
trustZones:
  - id: public-cloud-01
    name: Public Cloud
    type: b61d6911-338d-46a8-9f39-8dcd24abfe91
    risk:
      trustRating: 10
components:
  - id: public-cloud-01.aws_db_instance-mysql
    name: mysql
    type: rds
    parent:
      trustZone: public-cloud-01
    tags:
      - aws_db_instance
dataflows: []
```
### $props

This mapping function returns resources by their `resource_properties` attribute on the Terraform Source Dictionary. It can be combined with `$type` and `$name` to build a more specific query.

Type | Consumes | Produces | Configuration params |
---|---|---|---|
filter | A list of resources | The resources whose properties match | A string, a list of strings, or the `$regex` mapping function |

This mapping creates a `generic-client` component for the resources of type `aws_security_group` that have the property `egress[0].cidr_blocks` present in their `resource_properties`:
```yaml
otmVersion: 0.1.0
project:
  name: name
  id: id
representations:
  - name: Terraform
    id: Terraform
    type: code
trustZones:
  - id: public-cloud-01
    name: Public Cloud
    type: b61d6911-338d-46a8-9f39-8dcd24abfe91
    risk:
      trustRating: 10
components:
  - id: public-cloud-01.aws_security_group-webserver
    name: webserver
    type: generic-client
    parent:
      trustZone: public-cloud-01
    tags:
      - aws_security_group
dataflows: []
```
### $regex

This mapping function configures a custom regex to be matched against the resource attribute. It is used as the parameter of `$type`, `$name` or `$props`.

Type | Consumes | Produces | Configuration params |
---|---|---|---|
filter | A list of resources | The resources whose attribute matches the regex | A valid regex |

This mapping creates an `api-gateway` component for the resources whose type matches the regex `^aws_api_gateway_\w*$`:
```yaml
otmVersion: 0.1.0
project:
  name: name
  id: id
representations:
  - name: Terraform
    id: Terraform
    type: code
trustZones:
  - id: public-cloud-01
    name: Public Cloud
    type: b61d6911-338d-46a8-9f39-8dcd24abfe91
    risk:
      trustRating: 10
components:
  - id: public-cloud-01.aws_api_gateway_rest_api-rest_api
    name: rest_api
    type: api-gateway
    parent:
      trustZone: public-cloud-01
    tags:
      - aws_api_gateway_rest_api
  - id: public-cloud-01.aws_api_gateway_authorizer-api_authorizer
    name: api_authorizer
    type: api-gateway
    parent:
      trustZone: public-cloud-01
    tags:
      - aws_api_gateway_authorizer
dataflows: []
```
### $root

This mapping function searches the entire source file data structure using JMESPath.

Type | Consumes | Produces | Configuration params |
---|---|---|---|
filter | The entire source file | The resources matched by the JMESPath query | A JMESPath query |

When using `$root`, the Additional JMESPath functions are often useful. This mapping creates a `vpc` component by using the `get` JMESPath function:
```yaml
---
otmVersion: 0.1.0
project:
  name: name
  id: id
representations:
  - name: Terraform
    id: Terraform
    type: code
trustZones:
  - id: public-cloud-01
    name: Public Cloud
    type: b61d6911-338d-46a8-9f39-8dcd24abfe91
    risk:
      trustRating: 10
components:
  - id: public-cloud-01.aws_vpc-customvpc
    name: CustomVPC
    type: vpc
    parent:
      trustZone: public-cloud-01
    tags:
      - aws_vpc
dataflows: []
```
### $path

This mapping function reads values from the object identified in `$source` using JMESPath. A default value can be given with the `$searchParams` structure.

Type | Consumes | Produces | Configuration params |
---|---|---|---|
accessor | The `$source` object | The attribute values selected by the query | A JMESPath query or a `$searchParams` structure |

This mapping creates an `empty-component` whose name is read from the `$source` attribute `resource_properties.cidr_block`:
```yaml
otmVersion: 0.1.0
project:
  name: name
  id: id
representations:
  - name: Terraform
    id: Terraform
    type: code
trustZones:
  - id: public-cloud-01
    name: Public Cloud
    type: b61d6911-338d-46a8-9f39-8dcd24abfe91
    risk:
      trustRating: 10
components:
  - id: public-cloud-01.aws_subnet-privatesubnet1
    name: 10.0.2.0/24
    type: empty-component
    parent:
      trustZone: public-cloud-01
    tags:
      - aws_subnet
dataflows: []
```
### $findFirst

This mapping function searches through the list of objects identified in `$source` and returns the first successful match. A default value can be given with the `$searchParams` structure.

Type | Consumes | Produces | Configuration params |
---|---|---|---|
selector | The `$source` object | The first attribute value that resolves | A list of JMESPath queries over the `$source` object, or a `$searchParams` structure |

This mapping creates a component whose name is configured by a list of candidate attributes; the first one that resolves is used:
```yaml
otmVersion: 0.1.0
project:
  name: name
  id: id
representations:
  - name: Terraform
    id: Terraform
    type: code
trustZones:
  - id: public-cloud-01
    name: Public Cloud
    type: b61d6911-338d-46a8-9f39-8dcd24abfe91
    risk:
      trustRating: 10
components:
  - id: public-cloud-01.aws_subnet-privatesubnet1
    name: PrivateSubnet1
    type: empty-component
    parent:
      trustZone: public-cloud-01
    tags:
      - aws_subnet
dataflows: []
```
### $searchParams

This mapping function specifies a default value for the `$path` or `$findFirst` mapping functions.

Type | Consumes | Produces | Configuration params |
---|---|---|---|
selector | The `$path` or `$findFirst` function | A string attribute | A `searchPath` and/or a `defaultValue` |

This mapping creates an `rds` component whose tag is read from `resource_properties.engine`, falling back to `rds` when that property is absent:

```yaml
trustzones:
  - id: public-cloud-01
    name: Public Cloud
    type: b61d6911-338d-46a8-9f39-8dcd24abfe91
    $default: true

components:
  - type: rds
    $source: {$type: ["aws_db_instance", "aws_rds_cluster"]}
    tags:
      - {$path: {$searchParams: {
          searchPath: "resource_properties.engine",
          defaultValue: "rds"}}}

dataflows: []
```

The resulting OTM: the `aws_db_instance` declares an `engine`, the `aws_rds_cluster` does not, so it gets the default tag:

```yaml
otmVersion: 0.1.0
project:
  name: name
  id: id
representations:
  - name: Terraform
    id: Terraform
    type: code
trustZones:
  - id: public-cloud-01
    name: Public Cloud
    type: b61d6911-338d-46a8-9f39-8dcd24abfe91
    risk:
      trustRating: 10
components:
  - id: public-cloud-01.aws_db_instance-mysql
    name: mysql
    type: rds
    parent:
      trustZone: public-cloud-01
    tags:
      - mysql
  - id: public-cloud-01.aws_rds_cluster-aurora_cluster_demo
    name: aurora-cluster-demo
    type: rds
    parent:
      trustZone: public-cloud-01
    tags:
      - rds
dataflows: []
```
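The following is an added example and not StartLeft's own code: a small Python evaluator that re-implements the documented behaviour of the filter functions (`$type`, `$name`, `$props`, `$regex`) and of the accessors (`$path`, `$findFirst`, `$searchParams`) over a constructed Terraform Source Dictionary, so you can check what a `$source` spec will match and what a name or tag definition will resolve to before running the processor. It assumes the `resource_type` / `resource_name` / `resource_properties` shape described on this page, replaces JMESPath with a simplified dotted-path accessor (`a.b[0].c`) to stay dependency-free, models `$props` as a presence check on a property path, and assumes that under `$searchParams` the `searchPath` of `$findFirst` holds the list of queries.

```python
"""Illustrative evaluator for part of the StartLeft Terraform mapping DSL.

Added example, not StartLeft's own code. It re-implements the documented
behaviour of the $type / $name / $props / $regex filters and of the $path /
$findFirst / $searchParams accessors over a constructed Terraform Source
Dictionary. Assumption: the real processor evaluates JMESPath; a small
dotted-path accessor ("a.b[0].c") stands in for it so this runs offline.
"""
import re

# Constructed sample input shaped like the Terraform Source Dictionary:
# one entry per resource with resource_type, resource_name, resource_properties.
RESOURCES = [
    {"resource_type": "aws_db_instance", "resource_name": "mysql",
     "resource_properties": {"engine": "mysql"}},
    {"resource_type": "aws_rds_cluster", "resource_name": "aurora-cluster-demo",
     "resource_properties": {"cluster_identifier": "aurora-cluster-demo"}},
    {"resource_type": "aws_security_group", "resource_name": "webserver",
     "resource_properties": {"egress": [{"cidr_blocks": ["0.0.0.0/0"]}]}},
    {"resource_type": "aws_api_gateway_rest_api", "resource_name": "rest_api",
     "resource_properties": {}},
    {"resource_type": "aws_subnet", "resource_name": "PrivateSubnet1",
     "resource_properties": {"cidr_block": "10.0.2.0/24",
                             "tags": {"Name": "private-1"}}},
]

_STEP = re.compile(r"([^.\[\]]+)|\[(\d+)\]")  # "key" or "[index]" path steps


def get_path(obj, path):
    """Stand-in for a JMESPath query: dotted keys plus [index] steps. Returns
    None as soon as a step is missing; that is what triggers a $searchParams
    default value further down."""
    for key, idx in _STEP.findall(path):
        if key:
            if not isinstance(obj, dict) or key not in obj:
                return None
            obj = obj[key]
        else:
            if not isinstance(obj, list) or int(idx) >= len(obj):
                return None
            obj = obj[int(idx)]
    return obj


def _match_scalar(value, config):
    """A filter argument is a string, a list of strings, or {"$regex": pattern}."""
    if isinstance(config, dict) and "$regex" in config:
        return re.fullmatch(config["$regex"], value) is not None
    if isinstance(config, list):
        return value in config
    return value == config


def match_filter(resource, spec):
    """$type, $name and $props inside one $source spec are ANDed together.
    $props is modelled as "this property path is present" (one path or a
    list); regex matching of property values is not implemented here.
    Any other key raises KeyError so a misspelt function fails loudly."""
    checks = {
        "$type": lambda c: _match_scalar(resource["resource_type"], c),
        "$name": lambda c: _match_scalar(resource["resource_name"], c),
        "$props": lambda c: all(
            get_path(resource["resource_properties"], p) is not None
            for p in (c if isinstance(c, list) else [c])),
    }
    return all(checks[key](config) for key, config in spec.items())


def select(resources, spec):
    """Apply a filter spec to the whole dictionary, as $source does."""
    return [r for r in resources if match_filter(r, spec)]


def path_value(resource, config):
    """$path: a query string, or {"$searchParams": {searchPath, defaultValue}}."""
    if isinstance(config, dict) and "$searchParams" in config:
        params = config["$searchParams"]
        value = get_path(resource, params["searchPath"])
        return params.get("defaultValue") if value is None else value
    return get_path(resource, config)


def find_first(resource, config):
    """$findFirst: try each query in order and return the first that resolves.
    Assumption: under $searchParams, searchPath holds the list of queries."""
    if isinstance(config, dict) and "$searchParams" in config:
        queries = config["$searchParams"]["searchPath"]
        default = config["$searchParams"].get("defaultValue")
    else:
        queries, default = config, None
    for query in queries:
        value = get_path(resource, query)
        if value is not None:
            return value
    return default
```

Running `select(RESOURCES, {"$type": "aws_security_group", "$props": "egress[0].cidr_blocks"})` returns only `webserver`, and `path_value(RESOURCES[1], {"$searchParams": {"searchPath": "resource_properties.engine", "defaultValue": "rds"}})` returns `"rds"` because the cluster resource has no `engine`, which mirrors the `$searchParams` output above. Keeping the spec as plain dicts means the same checks can be run against a parsed mapping file before it is handed to the processor.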
### $singleton

This mapping function unifies several Terraform resources under a single component or TrustZone. It is frequently combined with `$numberOfSources` to generate text fields such as the name or the tags; the default configuration described in the Component Template Pattern does exactly that.

Type | Consumes | Produces | Configuration params |
---|---|---|---|
grouper | A list of resources | The resources grouped according to the given params | A mapping function configuration |

This mapping creates a single `CD-SYSTEMS-MANAGER` component for any number of resources whose type starts with `aws_ssm_`:
```yaml
otmVersion: 0.1.0
project:
  name: name
  id: id
representations:
  - name: Terraform
    id: Terraform
    type: code
trustZones:
  - id: public-cloud-01
    name: Public Cloud
    type: b61d6911-338d-46a8-9f39-8dcd24abfe91
    risk:
      trustRating: 10
components:
  - id: public-cloud-01.aws_ssm_parameter-ssm_parameter
    name: CD-SYSTEMS-MANAGER (grouped)
    type: CD-SYSTEMS-MANAGER
    parent:
      trustZone: public-cloud-01
    tags:
      - ssm_parameter (aws_ssm_parameter)
      - ssm_document (aws_ssm_document)
dataflows: []
```
### $numberOfSources

This mapping function lets you set different values for the output name or tags depending on whether the same mapping matched a single source or several.

Type | Consumes | Produces | Configuration params |
---|---|---|---|
selector | The `$source` object | A string attribute | The `oneSource` and `multipleSource` configuration attributes |

This mapping creates a single `CD-SYSTEMS-MANAGER` component and names it `CD-SYSTEMS-MANAGER (grouped)` when more than one resource is found, or after the resource itself when only one is found:

```yaml
trustzones:
  - id: public-cloud-01
    name: Public Cloud
    type: b61d6911-338d-46a8-9f39-8dcd24abfe91
    $default: true

components:
  - type: CD-SYSTEMS-MANAGER
    name: {$numberOfSources: {
      oneSource: {$path: "resource_name"},
      multipleSource: {$format: "{type} (grouped)"}}}
    $source: {$singleton: {$type: {$regex: ^aws_ssm_\w*$}}}

dataflows: []
```

The resulting OTM for a configuration with two `aws_ssm_*` resources:

```yaml
otmVersion: 0.1.0
project:
  name: name
  id: id
representations:
  - name: Terraform
    id: Terraform
    type: code
trustZones:
  - id: public-cloud-01
    name: Public Cloud
    type: b61d6911-338d-46a8-9f39-8dcd24abfe91
    risk:
      trustRating: 10
components:
  - id: public-cloud-01.aws_ssm_parameter-ssm_parameter
    name: CD-SYSTEMS-MANAGER (grouped)
    type: CD-SYSTEMS-MANAGER
    parent:
      trustZone: public-cloud-01
    tags:
      - ssm_parameter (aws_ssm_parameter)
      - ssm_document (aws_ssm_document)
dataflows: []
```
### $format

This mapping function returns a formatted string built from values of the `$source` object and from the `name` or `type` mapper attributes. The substitutions are identified by braces (`{` and `}`).

Type | Consumes | Produces | Configuration params |
---|---|---|---|
formatter | The `$source` object and the `name` and `type` mapper attributes | A string attribute | The format string |

This mapping creates an `rds` component whose name is built from a format string:
```yaml
otmVersion: 0.1.0
project:
  name: name
  id: id
representations:
  - name: Terraform
    id: Terraform
    type: code
trustZones:
  - id: public-cloud-01
    name: Public Cloud
    type: b61d6911-338d-46a8-9f39-8dcd24abfe91
    risk:
      trustRating: 10
components:
  - id: public-cloud-01.aws_db_instance-mysql
    name: rds created by resource mysql of type aws_db_instance
    type: rds
    parent:
      trustZone: public-cloud-01
    tags:
      - aws_db_instance
dataflows: []
```
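The following is an added example, not StartLeft's code, showing how `$singleton`, `$numberOfSources` and `$format` interact: all resources matching the `$type`/`$regex` filter are unified into one group, the name definition picks its `oneSource` or `multipleSource` branch from the size of that group, and `$format` fills `{type}` from the mapping and `{resource_name}`/`{resource_type}` from the source. The sample resources are constructed, the mapping dicts are the page's two mappings transcribed to Python, and the default tag template `"{resource_name} ({resource_type})"` is an assumption made here to reproduce the shape of the grouped tags shown above; `$path` is reduced to a top-level attribute read because the real DSL evaluates JMESPath.

```python
"""Illustrative re-implementation of $singleton, $numberOfSources and $format.

Added example, not StartLeft's code. Sample resources are constructed; the
default tag template "{resource_name} ({resource_type})" is an assumption
made here to reproduce the shape of the tags in the OTM output above.
"""
import re

RESOURCES = [
    {"resource_type": "aws_ssm_parameter", "resource_name": "ssm_parameter"},
    {"resource_type": "aws_ssm_document", "resource_name": "ssm_document"},
    {"resource_type": "aws_db_instance", "resource_name": "mysql"},
]

TRUST_ZONE = "public-cloud-01"


def singleton_groups(resources, type_regex):
    """$singleton over {$type: {$regex: ...}}: all matches become ONE group,
    so the mapping yields a single component however many resources matched."""
    matched = [r for r in resources if re.fullmatch(type_regex, r["resource_type"])]
    return [matched] if matched else []


def render_text(config, sources, mapping):
    """Resolve a name/tag definition against the sources of one component.
    Literal strings pass through; $numberOfSources picks a branch from the
    number of sources; $format substitutes {type} (from the mapping) and any
    source attribute such as {resource_name}; $path here reads a top-level
    attribute of the first source (the real DSL evaluates JMESPath)."""
    if isinstance(config, str):
        return config
    if "$numberOfSources" in config:
        branch = "oneSource" if len(sources) == 1 else "multipleSource"
        return render_text(config["$numberOfSources"][branch], sources, mapping)
    if "$format" in config:
        return config["$format"].format(type=mapping["type"], **sources[0])
    if "$path" in config:
        return sources[0][config["$path"]]
    raise ValueError(f"unsupported text definition: {config}")


def build_component(mapping, sources):
    first = sources[0]
    slug = re.sub(r"[^a-z0-9_]", "_", first["resource_name"].lower())
    tag_defs = mapping.get("tags", [{"$format": "{resource_name} ({resource_type})"}])
    return {
        "id": f"{TRUST_ZONE}.{first['resource_type']}-{slug}",
        "name": render_text(mapping["name"], sources, mapping),
        "type": mapping["type"],
        "parent": {"trustZone": TRUST_ZONE},
        # one tag per source, so a grouped component still lists what it stands for
        "tags": [render_text(t, [s], mapping) for s in sources for t in tag_defs],
    }


def map_components(mapping, resources):
    """Apply one mapping entry. Only the $singleton/$type/$regex form of
    $source and a plain $type string are modelled here."""
    source = mapping["$source"]
    if "$singleton" in source:
        groups = singleton_groups(resources, source["$singleton"]["$type"]["$regex"])
    else:
        groups = [[r] for r in resources if r["resource_type"] == source["$type"]]
    return [build_component(mapping, g) for g in groups]


# The mapping from the $numberOfSources example above, as a Python dict.
SSM_MAPPING = {
    "type": "CD-SYSTEMS-MANAGER",
    "name": {"$numberOfSources": {
        "oneSource": {"$path": "resource_name"},
        "multipleSource": {"$format": "{type} (grouped)"}}},
    "$source": {"$singleton": {"$type": {"$regex": r"^aws_ssm_\w*$"}}},
}

# A $format name like the one in the $format example above (tags assumed).
RDS_MAPPING = {
    "type": "rds",
    "name": {"$format": "{type} created by resource {resource_name} of type {resource_type}"},
    "tags": [{"$path": "resource_type"}],
    "$source": {"$type": "aws_db_instance"},
}
```

With both `aws_ssm_*` resources present, `map_components(SSM_MAPPING, RESOURCES)` yields one component named `CD-SYSTEMS-MANAGER (grouped)` with two tags; with only the parameter present it is named `ssm_parameter`. The `aws_db_instance` never enters the singleton group because the regex filter runs before grouping, which is the check to make when a singleton unexpectedly swallows unrelated resources.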
### $module

This mapping function searches the `module` blocks of the Terraform configuration, matching on the value of their `source` attribute.

Type | Consumes | Produces | Configuration params |
---|---|---|---|
filter | A list of resources | The modules whose `source` attribute matches | The value of the module's `source` attribute |

This mapping creates an `rds` component for the module `terraform-aws-modules/rds/aws`:
```yaml
otmVersion: 0.1.0
project:
  name: name
  id: id
representations:
  - name: Terraform
    id: Terraform
    type: code
trustZones:
  - id: public-cloud-01
    name: Public Cloud
    type: b61d6911-338d-46a8-9f39-8dcd24abfe91
    risk:
      trustRating: 10
components:
  - id: public-cloud-01.db
    name: db
    type: rds
    parent:
      trustZone: public-cloud-01
    tags:
      - terraform-aws-modules/rds/aws
dataflows: []
```
### $skip

This mapping function excludes the given objects from the mapping; a skipped object still appears in the OTM if another mapping explicitly defines it.

Type | Consumes | Produces | Configuration params |
---|---|---|---|
filter | A list of resources | The resources to skip | A mapping function configuration |

This mapping creates an `rds` component for the resources of type `aws_db_instance` or `aws_rds_cluster`, except the resource named `mysql-secret`:
```yaml
otmVersion: 0.1.0
project:
  name: name
  id: id
representations:
  - name: Terraform
    id: Terraform
    type: code
trustZones:
  - id: public-cloud-01
    name: Public Cloud
    type: b61d6911-338d-46a8-9f39-8dcd24abfe91
    risk:
      trustRating: 10
components:
  - id: public-cloud-01.aws_db_instance-mysql
    name: mysql
    type: rds
    parent:
      trustZone: public-cloud-01
    tags:
      - aws_db_instance
  - id: public-cloud-01.aws_rds_cluster-aurora_cluster_demo
    name: aurora-cluster-demo
    type: rds
    parent:
      trustZone: public-cloud-01
    tags:
      - aws_rds_cluster
dataflows: []
```
### $catchall

This mapping function creates a component for each resource that matches a given query. It includes any matching resource unless that resource has already been matched by a more specific mapping or has been skipped.

Type | Consumes | Produces | Configuration params |
---|---|---|---|
filter | A list of resources | The resources matching the query that are still unclaimed | A mapping function configuration |

Example #1: only catchall

This mapping matches every resource not matched previously, regardless of its type or name. It is used together with the `$root` mapping function seen before and with `$squash_terraform`, explained in the next section:
```yaml
otmVersion: 0.1.0
project:
  name: name
  id: id
representations:
  - name: Terraform
    id: Terraform
    type: code
trustZones:
  - id: b61d6911-338d-46a8-9f39-8dcd24abfe91
    name: Public Cloud
    risk:
      trustRating: 10
components:
  - id: b61d6911-338d-46a8-9f39-8dcd24abfe91.aws_db_instance-mysql
    name: mysql
    type: empty-component
    parent:
      trustZone: b61d6911-338d-46a8-9f39-8dcd24abfe91
    tags:
      - aws_db_instance
  - id: b61d6911-338d-46a8-9f39-8dcd24abfe91.aws_db_instance-mysql_secret
    name: mysql-secret
    type: empty-component
    parent:
      trustZone: b61d6911-338d-46a8-9f39-8dcd24abfe91
    tags:
      - aws_db_instance
  - id: b61d6911-338d-46a8-9f39-8dcd24abfe91.aws_db_instance-aurora_cluster_demo
    name: aurora-cluster-demo
    type: empty-component
    parent:
      trustZone: b61d6911-338d-46a8-9f39-8dcd24abfe91
    tags:
      - aws_rds_cluster
dataflows: []
```
Example #2: explicit mapping and catchall

This mapping matches every resource, except those already mapped by a more specific case (here the `aws_db_instance` resources become `rds`; the rest fall through to the catchall):
```yaml
otmVersion: 0.1.0
project:
  name: name
  id: id
representations:
  - name: Terraform
    id: Terraform
    type: code
trustZones:
  - id: b61d6911-338d-46a8-9f39-8dcd24abfe91
    name: Public Cloud
    risk:
      trustRating: 10
components:
  - id: b61d6911-338d-46a8-9f39-8dcd24abfe91.aws_db_instance-mysql
    name: mysql
    type: rds
    parent:
      trustZone: b61d6911-338d-46a8-9f39-8dcd24abfe91
    tags:
      - aws_db_instance
  - id: b61d6911-338d-46a8-9f39-8dcd24abfe91.aws_db_instance-mysql_secret
    name: mysql-secret
    type: rds
    parent:
      trustZone: b61d6911-338d-46a8-9f39-8dcd24abfe91
    tags:
      - aws_db_instance
  - id: b61d6911-338d-46a8-9f39-8dcd24abfe91.aws_db_instance-aurora_cluster_demo
    name: aurora-cluster-demo
    type: empty-component
    parent:
      trustZone: b61d6911-338d-46a8-9f39-8dcd24abfe91
    tags:
      - aws_rds_cluster
dataflows: []
```
Example #3: skip and catchall

This mapping matches every resource except those explicitly skipped (here `mysql-secret`):
```yaml
otmVersion: 0.1.0
project:
  name: name
  id: id
representations:
  - name: Terraform
    id: Terraform
    type: code
trustZones:
  - id: b61d6911-338d-46a8-9f39-8dcd24abfe91
    name: Public Cloud
    risk:
      trustRating: 10
components:
  - id: b61d6911-338d-46a8-9f39-8dcd24abfe91.aws_db_instance-mysql
    name: mysql
    type: empty-component
    parent:
      trustZone: b61d6911-338d-46a8-9f39-8dcd24abfe91
    tags:
      - aws_db_instance
  - id: b61d6911-338d-46a8-9f39-8dcd24abfe91.aws_db_instance-aurora_cluster_demo
    name: aurora-cluster-demo
    type: empty-component
    parent:
      trustZone: b61d6911-338d-46a8-9f39-8dcd24abfe91
    tags:
      - aws_rds_cluster
dataflows: []
```
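The three examples above all come down to one resolution order, and the thing a threat modeller actually needs to know is which resources end up in no component at all. The following added example (not StartLeft's code) encodes that order in Python: specific mappings claim resources first, a resource matched by a mapping's `$skip` is left out by that mapping, the `$catchall` runs last over whatever is still unclaimed and honours every `$skip` in the file, and the function returns the unmapped remainder explicitly. The resources and mapping dicts are constructed; the trust zone id is the one used in the examples above; the filter is reduced to `$type`/`$name` string or list matching, and `{$catchall: {}}` is used here to mean "any resource".

```python
"""Illustrative resolution order for specific mappings, $skip and $catchall.

Added example, not StartLeft's code. It encodes the behaviour this page
describes: specific mappings claim their resources first; a resource listed
under $skip is left out unless a mapping explicitly defines it; $catchall then
sweeps up everything still unclaimed and not skipped. The trust zone id is the
one used in the examples above; resources and mappings are constructed.
"""

TRUST_ZONE = "b61d6911-338d-46a8-9f39-8dcd24abfe91"

RESOURCES = [
    {"resource_type": "aws_db_instance", "resource_name": "mysql"},
    {"resource_type": "aws_db_instance", "resource_name": "mysql-secret"},
    {"resource_type": "aws_rds_cluster", "resource_name": "aurora-cluster-demo"},
    {"resource_type": "aws_iam_role", "resource_name": "lambda_exec"},
]


def matches(resource, spec):
    """Minimal $type / $name filter (string or list of strings). An empty spec
    matches everything, which is how {$catchall: {}} is expressed below."""
    for key, attr in (("$type", "resource_type"), ("$name", "resource_name")):
        if key in spec:
            wanted = spec[key] if isinstance(spec[key], list) else [spec[key]]
            if resource[attr] not in wanted:
                return False
    return True


def component(mapping, resource):
    slug = resource["resource_name"].lower().replace("-", "_")
    return {"id": f"{TRUST_ZONE}.{resource['resource_type']}-{slug}",
            "name": resource["resource_name"], "type": mapping["type"],
            "parent": {"trustZone": TRUST_ZONE},
            "tags": [resource["resource_type"]]}


def resolve(mappings, resources):
    """Return (components, unmapped). The second list is the practitioner's
    check: anything in it is infrastructure that silently falls out of the
    threat model, which is exactly what a trailing $catchall prevents."""
    specific = [m for m in mappings if "$catchall" not in m["$source"]]
    catchall = [m for m in mappings if "$catchall" in m["$source"]]
    # Skip lists from every mapping: the catchall honours all of them.
    skipped = {i for m in mappings for i, r in enumerate(resources)
               if "$skip" in m["$source"] and matches(r, m["$source"]["$skip"])}
    claimed, components = set(), []
    for m in specific + catchall:            # specific first, catchall last
        source = m["$source"]
        query = source.get("$catchall", source)
        own_skip = source.get("$skip")
        for i, r in enumerate(resources):
            if i in claimed or not matches(r, query):
                continue
            if own_skip and matches(r, own_skip):
                continue
            if "$catchall" in source and i in skipped:
                continue
            claimed.add(i)
            components.append(component(m, r))
    unmapped = [r for i, r in enumerate(resources) if i not in claimed]
    return components, unmapped


# Constructed mapping: rds for the database resources minus a skipped one,
# then a catchall for everything else.
RDS_THEN_CATCHALL = [
    {"type": "rds", "$source": {"$type": ["aws_db_instance", "aws_rds_cluster"],
                                 "$skip": {"$name": "mysql-secret"}}},
    {"type": "empty-component", "$source": {"$catchall": {}}},
]

if __name__ == "__main__":
    comps, left = resolve(RDS_THEN_CATCHALL, RESOURCES)
    for c in comps:
        print(c["type"], c["name"])
    print("unmapped:", [r["resource_name"] for r in left])
```

With `RDS_THEN_CATCHALL`, `mysql` and `aurora-cluster-demo` become `rds`, `lambda_exec` becomes an `empty-component` via the catchall, and `mysql-secret` is the only unmapped resource because it was skipped. Drop the catchall and `lambda_exec` joins the unmapped list: an IAM role that no longer appears in the model. A non-empty `unmapped` result is worth failing a CI job over.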
### $lookup

This mapping function looks up the output of a special field in a key-value lookup table.

Example for lookup

When the naming conventions in use are inconsistent and you need to translate one name into another, a simple key-value lookup table section can be added to the mapping file. For example, if a subnet is written with a short name in one place but referred to by a longer name elsewhere, the `$lookup` action can translate it:

```yaml
parent:
  $lookup: {$path: "Properties.Subnets[]|map(&values(@), @)[]|map(&re_sub('[:]', '-', @), @)"}
```

If the above query returns a subnet called `shortnameA`, it is looked up in the table below, giving a final value of `amuchlongernameA`.
### $hub

This special mapping field defines abstract contact points for larger end-to-end dataflows. It is only valid in a dataflow's `source` and `destination` fields and was created for building dataflows from Security Group structures without generating components from them.

See Security Groups as dataflows for usage examples.

### $ip

When a component's `name` field is defined as `$ip`, a singleton component is generated to represent an external IP, but without the usual singleton limitations: the `type` of the mapping definition that uses `$ip` (e.g. `generic-terminal`) is not catalogued as a singleton.

See Security Groups as dataflows for usage examples.