refactor(checks): migrate Google IAM to Rego

Signed-off-by: Nikita Pivkin <[email protected]>

avd_docs/google/iam/AVD-GCP-0003/docs.md

@@ -1,12 +1,13 @@
 
-Permissions should not be directly granted to users, you identify roles that contain the appropriate permissions, and then grant those roles to the user. 
+Permissions should not be directly granted to users, you identify roles that contain the appropriate permissions, and then grant those roles to the user.
 
 Granting permissions to users quickly become unwieldy and complex to make large scale changes to remove access to a particular resource.
 
 Permissions should be granted on roles, groups, services accounts instead.
 
+
 ### Impact
-Users shouldn't have permissions granted to them directly
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/iam/AVD-GCP-0004/Terraform.md

@@ -18,5 +18,3 @@ Use specialised service accounts for specific purposes.
 #### Remediation Links
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_folder_iam
 
- - 
-

avd_docs/google/iam/AVD-GCP-0004/docs.md

@@ -1,13 +1,11 @@
 
 Default service accounts should not be used - consider creating specialised service accounts for individual purposes.
 
+
 ### Impact
-Violation of principal of least privilege
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}
 
-### Links
-- 
-
 

avd_docs/google/iam/AVD-GCP-0005/docs.md

@@ -1,8 +1,9 @@
 
 Users with service account access at folder level can impersonate any service account. Instead, they should be given access to particular service accounts as required.
 
+
 ### Impact
-Privilege escalation, impersonation of any/all services
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/iam/AVD-GCP-0006/Terraform.md

@@ -18,5 +18,3 @@ Use specialised service accounts for specific purposes.
 #### Remediation Links
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam
 
- - 
-

avd_docs/google/iam/AVD-GCP-0006/docs.md

@@ -1,13 +1,11 @@
 
 Default service accounts should not be used - consider creating specialised service accounts for individual purposes.
 
+
 ### Impact
-Violation of principal of least privilege
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}
 
-### Links
-- 
-
 

avd_docs/google/iam/AVD-GCP-0007/docs.md

@@ -1,8 +1,9 @@
 
 Service accounts should have a minimal set of permissions assigned in order to do their job. They should never have excessive access as if compromised, an attacker can escalate privileges and take over the entire account.
 
+
 ### Impact
-Cloud account takeover if a resource using a service account is compromised
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/iam/AVD-GCP-0008/Terraform.md

@@ -18,5 +18,3 @@ Use specialised service accounts for specific purposes.
 #### Remediation Links
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam
 
- - 
-

avd_docs/google/iam/AVD-GCP-0008/docs.md

@@ -1,13 +1,11 @@
 
 Default service accounts should not be used - consider creating specialised service accounts for individual purposes.
 
+
 ### Impact
-Violation of principal of least privilege
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}
 
-### Links
-- 
-
 

avd_docs/google/iam/AVD-GCP-0009/docs.md

@@ -1,8 +1,9 @@
 
 Users with service account access at organization level can impersonate any service account. Instead, they should be given access to particular service accounts as required.
 
+
 ### Impact
-Privilege escalation, impersonation of any/all services
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/iam/AVD-GCP-0010/docs.md

@@ -1,8 +1,9 @@
 
 The default network which is provided for a project contains multiple insecure firewall rules which allow ingress to the project's infrastructure. Creation of this network should therefore be disabled.
 
+
 ### Impact
-Exposure of internal infrastructure/services to public internet
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/iam/AVD-GCP-0011/docs.md

@@ -1,8 +1,9 @@
 
 Users with service account access at project level can impersonate any service account. Instead, they should be given access to particular service accounts as required.
 
+
 ### Impact
-Privilege escalation, impersonation of any/all services
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/iam/AVD-GCP-0068/docs.md

@@ -1,8 +1,9 @@
 
 In GitHub Actions, one can authenticate to Google Cloud by setting values for workload_identity_provider and service_account and requesting a short-lived OIDC token which is then used to execute commands as that Service Account. If you don't specify a condition in the workload identity provider pool configuration, then any GitHub Action can assume this role and act as that Service Account.
 
+
 ### Impact
-Allows an external attacker to authenticate as the attached service account and act with its permissions
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

checks/cloud/google/iam/no_conditions_on_workload_identity_pool_provider.go

@@ -27,7 +27,8 @@ var CheckNoConditionOnWorkloadIdentityPoolProvider = rules.Register(
 			Links:               terraformNoConditionOnWorkloadIdentityPoolProviderLinks,
 			RemediationMarkdown: terraformNoConditionOnWorkloadIdentityPoolProviderMarkdown,
 		},
-		Severity: severity.High,
+		Severity:   severity.High,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, provider := range s.Google.IAM.WorkloadIdentityPoolProviders {

checks/cloud/google/iam/no_conditions_on_workload_identity_pool_provider.rego

@@ -0,0 +1,37 @@
+# METADATA
+# title: A configuration for an external workload identity pool provider should have conditions set
+# description: |
+#   In GitHub Actions, one can authenticate to Google Cloud by setting values for workload_identity_provider and service_account and requesting a short-lived OIDC token which is then used to execute commands as that Service Account. If you don't specify a condition in the workload identity provider pool configuration, then any GitHub Action can assume this role and act as that Service Account.
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://www.revblock.dev/exploiting-misconfigured-google-cloud-service-accounts-from-github-actions/
+# custom:
+#   id: AVD-GCP-0068
+#   avd_id: AVD-GCP-0068
+#   provider: google
+#   service: iam
+#   severity: HIGH
+#   short_code: no-conditions-workload-identity-pool-provider
+#   recommended_action: Set conditions on this provider, for example by restricting it to only be allowed from repositories in your GitHub organization
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: iam
+#             provider: google
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider#attribute_condition
+#     good_examples: checks/cloud/google/iam/no_conditions_on_workload_identity_pool_provider.tf.go
+#     bad_examples: checks/cloud/google/iam/no_conditions_on_workload_identity_pool_provider.tf.go
+package builtin.google.iam.google0068
+
+import rego.v1
+
+deny contains res if {
+	some provider in input.google.iam.workloadidentitypoolproviders
+	provider.attributecondition.value == ""
+	res := result.new("This workload identity pool provider configuration has no conditions set.", provider.attributecondition)
+}

checks/cloud/google/iam/no_conditions_on_workload_identity_pool_provider_test.rego

@@ -0,0 +1,21 @@
+package builtin.google.iam.google0068_test
+
+import rego.v1
+
+import data.builtin.google.iam.google0068 as check
+import data.lib.test
+
+test_deny_empty_attribute_condition if {
+	inp := build_input({"attributecondition": {"value": ""}})
+
+	res := check.deny with input as inp
+	count(res) == 1
+}
+
+test_allow_with_attribute_condition if {
+	inp := build_input({"attributecondition": {"value": "assertion.repository_owner=='your-github-organization'"}})
+	res := check.deny with input as inp
+	count(res) == 0
+}
+
+build_input(provider) := {"google": {"iam": {"workloadidentitypoolproviders": [provider]}}}

checks/cloud/google/iam/no_default_network.go

@@ -25,7 +25,8 @@ var CheckNoDefaultNetwork = rules.Register(
 			Links:               terraformNoDefaultNetworkLinks,
 			RemediationMarkdown: terraformNoDefaultNetworkRemediationMarkdown,
 		},
-		Severity: severity.High,
+		Severity:   severity.High,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		// TODO: check constraints before auto_create_network

checks/cloud/google/iam/no_default_network.rego

@@ -0,0 +1,37 @@
+# METADATA
+# title: Default network should not be created at project level
+# description: |
+#   The default network which is provided for a project contains multiple insecure firewall rules which allow ingress to the project's infrastructure. Creation of this network should therefore be disabled.
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# custom:
+#   id: AVD-GCP-0010
+#   avd_id: AVD-GCP-0010
+#   provider: google
+#   service: iam
+#   severity: HIGH
+#   short_code: no-default-network
+#   recommended_action: Disable automatic default network creation
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: iam
+#             provider: google
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project#auto_create_network
+#     good_examples: checks/cloud/google/iam/no_default_network.tf.go
+#     bad_examples: checks/cloud/google/iam/no_default_network.tf.go
+package builtin.google.iam.google0010
+
+import rego.v1
+
+# TODO: check constraints before auto_create_network
+deny contains res if {
+	some project in input.google.iam.projects
+	isManaged(project)
+	project.autocreatenetwork.value == true
+	res := result.new("Project has automatic network creation enabled.", project.autocreatenetwork)
+}