Commit
refactor(checks): migrate Google IAM to Rego
Signed-off-by: Nikita Pivkin <[email protected]>
Showing 53 changed files with 1,007 additions and 1,101 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,13 +1,11 @@ | ||
|
||
Default service accounts should not be used - consider creating specialised service accounts for individual purposes. | ||
|
||
|
||
### Impact | ||
Violation of principal of least privilege | ||
<!-- Add Impact here --> | ||
|
||
<!-- DO NOT CHANGE --> | ||
{{ remediationActions }} | ||
|
||
### Links | ||
- | ||
|
||
|
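Review bot: the Impact line "Violation of principal of least privilege" in this hunk misspells the term; it should read "Violation of the principle of least privilege". The same line recurs in the two identical hunks that follow, so the fix applies to all three affected markdown files in this commit.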
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,13 +1,11 @@ | ||
|
||
Default service accounts should not be used - consider creating specialised service accounts for individual purposes. | ||
|
||
|
||
### Impact | ||
Violation of principal of least privilege | ||
<!-- Add Impact here --> | ||
|
||
<!-- DO NOT CHANGE --> | ||
{{ remediationActions }} | ||
|
||
### Links | ||
- | ||
|
||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,13 +1,11 @@ | ||
|
||
Default service accounts should not be used - consider creating specialised service accounts for individual purposes. | ||
|
||
|
||
### Impact | ||
Violation of principal of least privilege | ||
<!-- Add Impact here --> | ||
|
||
<!-- DO NOT CHANGE --> | ||
{{ remediationActions }} | ||
|
||
### Links | ||
- | ||
|
||
|
checks/cloud/google/iam/no_conditions_on_workload_identity_pool_provider.rego (37 additions, 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
# METADATA | ||
# title: A configuration for an external workload identity pool provider should have conditions set | ||
# description: | | ||
# In GitHub Actions, one can authenticate to Google Cloud by setting values for workload_identity_provider and service_account and requesting a short-lived OIDC token which is then used to execute commands as that Service Account. If you don't specify a condition in the workload identity provider pool configuration, then any GitHub Action can assume this role and act as that Service Account. | ||
# scope: package | ||
# schemas: | ||
# - input: schema["cloud"] | ||
# related_resources: | ||
# - https://www.revblock.dev/exploiting-misconfigured-google-cloud-service-accounts-from-github-actions/ | ||
# custom: | ||
# id: AVD-GCP-0068 | ||
# avd_id: AVD-GCP-0068 | ||
# provider: google | ||
# service: iam | ||
# severity: HIGH | ||
# short_code: no-conditions-workload-identity-pool-provider | ||
# recommended_action: Set conditions on this provider, for example by restricting it to only be allowed from repositories in your GitHub organization | ||
# input: | ||
# selector: | ||
# - type: cloud | ||
# subtypes: | ||
# - service: iam | ||
# provider: google | ||
# terraform: | ||
# links: | ||
# - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider#attribute_condition | ||
# good_examples: checks/cloud/google/iam/no_conditions_on_workload_identity_pool_provider.tf.go | ||
# bad_examples: checks/cloud/google/iam/no_conditions_on_workload_identity_pool_provider.tf.go | ||
package builtin.google.iam.google0068 | ||
|
||
import rego.v1 | ||
|
||
deny contains res if { | ||
some provider in input.google.iam.workloadidentitypoolproviders | ||
provider.attributecondition.value == "" | ||
res := result.new("This workload identity pool provider configuration has no conditions set.", provider.attributecondition) | ||
} |
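Review bot: the deny rule only fires when `provider.attributecondition.value == ""`; if the adapter ever omits `attributecondition` for a provider that has no condition configured, the comparison is undefined and the rule silently passes, which is the unsafe direction for a HIGH-severity check. Consider also matching the absent case, e.g. a second rule body with `not provider.attributecondition.value`, so a missing condition is treated the same as an empty one. Also note this rule does not gate on `isManaged(provider)` the way the no_default_network rule in this commit does; if that is intentional for 0068 a short comment would help the next reader.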
checks/cloud/google/iam/no_conditions_on_workload_identity_pool_provider_test.go (0 additions, 82 deletions)
This file was deleted.
checks/cloud/google/iam/no_conditions_on_workload_identity_pool_provider_test.rego (21 additions, 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
package builtin.google.iam.google0068_test | ||
|
||
import rego.v1 | ||
|
||
import data.builtin.google.iam.google0068 as check | ||
import data.lib.test | ||
|
||
test_deny_empty_attribute_condition if { | ||
inp := build_input({"attributecondition": {"value": ""}}) | ||
|
||
res := check.deny with input as inp | ||
count(res) == 1 | ||
} | ||
|
||
test_allow_with_attribute_condition if { | ||
inp := build_input({"attributecondition": {"value": "assertion.repository_owner=='your-github-organization'"}}) | ||
res := check.deny with input as inp | ||
count(res) == 0 | ||
} | ||
|
||
build_input(provider) := {"google": {"iam": {"workloadidentitypoolproviders": [provider]}}} |
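Review bot: the test file covers only the empty-string and populated cases; there is no case where the `attributecondition` key is absent from the provider object, which is the input shape most likely to slip past a strict `== ""` comparison. Add a third test such as `build_input({})` asserting on the expected outcome so the rule's behaviour on a missing attribute is pinned down. Separately, `import data.lib.test` is unused in this file and can be dropped.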
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
# METADATA | ||
# title: Default network should not be created at project level | ||
# description: | | ||
# The default network which is provided for a project contains multiple insecure firewall rules which allow ingress to the project's infrastructure. Creation of this network should therefore be disabled. | ||
# scope: package | ||
# schemas: | ||
# - input: schema["cloud"] | ||
# custom: | ||
# id: AVD-GCP-0010 | ||
# avd_id: AVD-GCP-0010 | ||
# provider: google | ||
# service: iam | ||
# severity: HIGH | ||
# short_code: no-default-network | ||
# recommended_action: Disable automatic default network creation | ||
# input: | ||
# selector: | ||
# - type: cloud | ||
# subtypes: | ||
# - service: iam | ||
# provider: google | ||
# terraform: | ||
# links: | ||
# - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project#auto_create_network | ||
# good_examples: checks/cloud/google/iam/no_default_network.tf.go | ||
# bad_examples: checks/cloud/google/iam/no_default_network.tf.go | ||
package builtin.google.iam.google0010 | ||
|
||
import rego.v1 | ||
|
||
# TODO: check constraints before auto_create_network | ||
deny contains res if { | ||
some project in input.google.iam.projects | ||
isManaged(project) | ||
project.autocreatenetwork.value == true | ||
res := result.new("Project has automatic network creation enabled.", project.autocreatenetwork) | ||
} |
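Review bot: the `# TODO: check constraints before auto_create_network` comment is carried over into the new Rego rule without a tracking reference; either link it to an issue or state in the comment what constraint (for example an org policy that already forbids default networks) would make the `autocreatenetwork` check redundant, so the migration does not leave an unexplained gap. The rule itself reads correctly: `isManaged(project)` is checked before `project.autocreatenetwork.value == true`, so unmanaged projects are skipped rather than flagged.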