Checkmarx · cx-andre-pereira · Dec 5, 2025 · Dec 9, 2025 · Dec 9, 2025 · Dec 9, 2025
@@ -7,15 +7,15 @@
       "allowRules": [
         {
           "description": "Avoiding TF resource access",
-          "regex": "(?i)['\"]?password['\"]?\\s*=\\s*(([a-zA-z_]+(.))?[a-zA-z_]+\\s*(.)\\s*[a-zA-z_]+(.)[a-zA-z_]+)?(\\s*:\\s*null|null)$"
+          "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?)\\s*([\\[\\.\\)\\]\\}\\$]|(:\\s*null))|null)"
         },
         {
           "description": "Avoiding description field",
           "regex": "(?i)['\"]?description['\"]?\\s*=\\s*['\"].*['\"]"
         },
         {
           "description": "Avoiding Terraform 'optional' statement",
-          "regex": "(?i)['\"]?password['\"]?\\s*=\\s*optional\\((string|number|sensitive\\(string\\)|map\\(string\\)|set\\(string\\)|any)\\)$"   
+          "regex": "(?i)['\"]?password['\"]?\\s*=\\s*optional\\((string|number|sensitive\\(string\\)|map\\(string\\)|set\\(string\\)|any)\\)$"
         },
         {
           "description": "Avoiding Terraform 'try' statement",
@@ -29,14 +29,6 @@
           "description": "Avoiding Ansible playbook update_password",
           "regex": "['\"]?update_password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,})['\"]?"
         },
-        {
-          "description": "Allow passwords retrieved from Terraform data sources",
-          "regex": "(?i)['\"]?password['\"]?\\s*=\\s*data\\.azurerm_key_vault_secret\\.[A-Za-z0-9_]+\\.value"
-        },
-        {
-          "description": "Allow passwords retrieved from AWS KMS Secrets",
-          "regex": "(?i)['\"]?password['\"]?\\s*=\\s*data\\.aws_kms_secrets\\.[A-Za-z0-9_]+\\.plaintext\\[\"[A-Za-z0-9_]+\"\\]"
-        },
         {
           "description": "Allow placeholders",
           "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"](\\$\\(|\\$?\\{\\{)\\s*\\w+\\s*(\\)|\\}\\})['\"]"
@@ -70,7 +62,7 @@
         },
         {
           "description": "Avoiding TF resource access",
-          "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*=\\s*([a-zA-z_]+(.))?[a-zA-z_]+(.)[a-zA-z_]+(.)[a-zA-z_]+"
+          "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?)\\s*([\\.\\)\\]\\$]|(:\\s*null))|null)"
         },
         {
           "description": "Avoiding Secrets Manager arn",
@@ -83,11 +75,11 @@
         {
           "description": "Avoiding Secrets from Azure Key Vault",
           "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?[${]+[A-Za-z0-9/~^_!@&%()=?*+-]+}?"
-        }, 
+        },
         {
           "description": "Allow secret retrieved from ARM parameters",
           "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*['\"]?\\[\\s*parameters\\(['\"][a-zA-Z][a-zA-Z0-9_-]*['\"]\\s*\\)\\s*\\]"
-        }, 
+        },
         {
           "description": "Allow secrets retrieved from Bicep getSecret built in function",
           "regex": "(?i)['\"]?secret[_]?(key|value)?['\"]?\\s*(:|=)\\s*[a-zA-Z]*\\.getSecret\\(\\s*[\"']([A-Za-z0-9/~^_!@#&%(){};=?*+-<>,:;[\\]%$]+)[\"']\\)"

@@ -0,0 +1,32 @@
+resource "aws_secretsmanager_secret_version" "secret_version" {
+  for_each = { for k, v in var.clients.scram : k => v if var.enabled && var.client_sasl_scram_enabled }
+
+  secret_id     = aws_secretsmanager_secret.client_secret[each.key].id                                                                                              # use of indexes
+  secret_string = jsonencode({ "username" : join("_", [var.product, each.key, var.environment == "dev" ? var.environment : var.stack]), "password" : random_password.client_password[each.key].result })
+}
+
+resource "aws_secretsmanager_secret_version" "secret_version_2" {
+  for_each = { for k, v in var.clients.scram : k => v if var.enabled && var.client_sasl_scram_enabled }
+
+  secret_id     = aws_secretsmanager_secret.client_secret[each.key].id                                                                                              # use of indexes
+  secret_string = jsonencode({ "username" : join("_", [var.product, each.key, var.environment == "dev" ? var.environment : var.stack]), "password" : random_password[each.key].client_password.result })
+}
+
+resource "aws_secretsmanager_secret_version" "secret_version_3" {
+  for_each = { for k, v in var.clients.scram : k => v if var.enabled && var.client_sasl_scram_enabled }
+
+  secret_id     = aws_secretsmanager_secret.client_secret[each.key].id                                                                                              # use of indexes
+  secret_string = jsonencode({ "username" : join("_", [var.product, each.key, var.environment == "dev" ? var.environment : var.stack]), "password" : random_password["index"].client_password.result })
+}
+
+resource "aws_msk_scram_secret_association" "msk_secret_association" {
+  count           = var.enabled && var.client_sasl_scram_enabled ? 1 : 0
+  cluster_arn     = aws_msk_cluster.kafka[0].arn
+  secret_arn_list = [for secret in aws_secretsmanager_secret.client_secret : secret.arn] # short reference
+}
+
+resource "aws_msk_scram_secret_association" "msk_secret_association_2" {
+  count           = var.enabled && var.client_sasl_scram_enabled ? 1 : 0
+  cluster_arn     = aws_msk_cluster.kafka[0].arn
+  secret_arn_list = [for secret in aws_secretsmanager_secret.client_secret : null] # short reference
+}