compute_allowed_networks not working as expected

[mittalsharad]

Hi team,

i just started using terraform-validator for scanning my tf plan files.

While trying to secure the network for compute engine, it is not throwing any error even though teh network in not the one mentioned in the allowed section.

Here are the tf scripts:

main.tf

Creating the compute instance resource

resource "google_compute_instance" "compute-service" {
name = var.instance_name
project = var.project_name
machine_type = var.instance_machine_type
zone = var.instance_zone
tags = var.instance_tags
can_ip_forward = var.can_ip_forward

service_account {
scopes = var.scope
# no-scope
}

Boot disk configuration

boot_disk {
kms_key_self_link = "${google_kms_crypto_key.gkck.self_link}"
initialize_params {
image = var.instance_boot_image
}
}

sheilding the vm

shielded_instance_config {
enable_secure_boot = var.enable_secure_boot
enable_vtpm = var.enable_vtpm
enable_integrity_monitoring = var.enable_integrity_monitoring
}

network interface configuration

network_interface {
network = var.instance_network
subnetwork = var.instance_subnetwork
subnetwork_project = var.project_name
}

configuration using metadata

metadata = {
block-project-ssh-keys = var.block-project-ssh-keys
enable-oslogin = var.enable-oslogin
serial-port-enable = var.serial_port_enable
}

}

Creating kms key ring

resource "google_kms_key_ring" "gkkr" {
name = var.kms_key_ring_name
location = var.kms_key_ring_location
}

Creating kms crypto key

resource "google_kms_crypto_key" "gkck" {
name = var.kms_crypto_key_name
key_ring = "${google_kms_key_ring.gkkr.self_link}"
rotation_period = var.kms_crypto_key_rotation
}

Creating IAM role and member

resource "google_project_iam_member" "grant-google-compute-service-encrypt-decrypt" {
role = var.role_to_compute
member = var.member_to_compute
}

variables.tf

variable "project_name" {
description = "The ID of the Google Cloud project"
type = string
}

#############--------------- Instance---------###############

variable "instance_name" {
description = "Name of VM"
type = string
}

variable "instance_zone" {
description = "GC zone"
type = string
}

variable "instance_tags" {
description = "tags to be given to VM"
type = list(string)
#type = "list"
}

variable "instance_machine_type" {
description = "List of VM sizes: https://github.com/Eimert/terraform-google-compute-engine-instance#machine_type"
type = string
}

variable "scope" {
description = "grant specific API's access to VM"
type = list(string)
}

variable "instance_boot_image" {
description = "List of VM sizes: https://github.com/Eimert/terraform-google-compute-engine-instance#machine_type"
type = string
}

variable "enable_secure_boot" {
description = "enabling the secure boot of VM"
type = bool
}

variable "enable_vtpm" {
description = "enabling the vtpm in VM"
type = bool
}

variable "enable_integrity_monitoring" {
description = "enable_integrity_monitoring in VM"
type = bool
}

variable "instance_network" {
description = "network where VM belong"
type = string
}

variable "instance_subnetwork" {
description = "Subnetwork where VM belong"
type = string
}

variable "can_ip_forward" {
description = "restriction on ip forwarding"
type = bool
}

variable "block-project-ssh-keys" {
description = "block-project-ssh-keys in VM"
type = bool
}

variable "enable-oslogin" {
description = "enable-oslogin in VM"
type = bool
}

variable "serial_port_enable" {
description = "serial-port-enabling or not in VM"
type = bool
}

#######----google_kms_key_ring---#########

variable "kms_key_ring_name" {
description = "Name of the kms key ring"
type = string
}

variable "kms_key_ring_location" {
description = "location of the kms key ring"
type = string
}

#####------kms_crypto_key----#############

variable "kms_crypto_key_name" {
description = "Name of the kms_crypto_key"
type = string
}

variable "kms_crypto_key_rotation" {
description = "rotation of the kms_crypto_key"
type = string
}

###----- IAM role to compute service------#####
variable "role_to_compute" {
description = "IAM role to compute serivce"
type = string
}

variable "member_to_compute" {
description = "IAM member to compute service"
type = string
}

tfvars

project_name = "PROJECT_NAME"
instance_name = "abc-instance"
instance_zone = "us-central1-a"
instance_tags = ["node-server1"]
instance_machine_type = "n1-standard-1"
scope = ["bigquery"]
enable_secure_boot = "true"
enable_vtpm = "true"
enable_integrity_monitoring = "true"
instance_boot_image = "ubuntu-1804-bionic-v20200317"
instance_network = "myvpc1"
instance_subnetwork = "myvpc1"
can_ip_forward = "true"
block-project-ssh-keys = "true"
enable-oslogin = "true"
serial_port_enable = "false"

kms_key_ring_name = "gci-key"
kms_key_ring_location = "us-central1"
kms_crypto_key_name = "gce-key"
kms_crypto_key_rotation = "86401s"

role_to_compute = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
member_to_compute = "serviceAccount:[email protected]"

constraints file (compute_allowed_network.yaml)

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPComputeAllowedNetworksConstraintV2
metadata:
name: allowed-networks
spec:
severity: high
match:
gcp:
target: ["organizations/*"]
parameters:
allowed:
- https://www.googleapis.com/compute/v1/projects/project_name/global/networks/default

Issue:

I am running these commands:
terraform init
terraform plan -out tfplan.plan
terraform show -json tfplan.plan > tfplan.json
./terraform-validator-linux-amd64 validate ./tfplan.json --policy-path POLICY_PATH

(i tested using terraform 0.13 as well as 0.12)
while scanning the plan, it is not throwing that no violations found. But is should throw an error for network name.
Also, for other constraints also, it is not throwing violation error.

Templates used:
compute_allowed_networks.yaml
compute_zone.yaml
compute_disk_resource_policies.yaml
compute_forbid_ip_forward.yaml

Out of these, only IP forward voilation is coming wherea all 4 should come

[melinath]

compute_zone is covered by #134. We can scope this issue to just compute_allowed_networks.

[melinath]

b/211495350