refactor(checks): migrate Google Compute to Rego (#196)
* refactor(checks): migrate Google Compute to Rego

  Signed-off-by: Nikita Pivkin <[email protected]>

* test: add functional tests

  Signed-off-by: Nikita Pivkin <[email protected]>

* refactor: migrate ip related checks

  Signed-off-by: Nikita Pivkin <[email protected]>

* test: initialise tests in each test file

  Signed-off-by: Nikita Pivkin <[email protected]>

* test(bundle): use only canary Trivy

  Signed-off-by: Nikita Pivkin <[email protected]>

---------

Signed-off-by: Nikita Pivkin <[email protected]>
Co-authored-by: simar7 <[email protected]>
Showing 87 changed files with 1,875 additions and 1,349 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,5 +1,5 @@ | ||
|
||
Use managed keys | ||
Use managed keys | ||
|
||
```hcl | ||
resource "google_service_account" "default" { | ||
|
40 changes: 40 additions & 0 deletions
checks/cloud/google/compute/disk_encryption_customer_key.rego
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
# METADATA | ||
# title: Disks should be encrypted with customer managed encryption keys | ||
# description: | | ||
# Using unmanaged keys makes rotation and general management difficult. | ||
# scope: package | ||
# schemas: | ||
# - input: schema["cloud"] | ||
# custom: | ||
# id: AVD-GCP-0034 | ||
# avd_id: AVD-GCP-0034 | ||
# provider: google | ||
# service: compute | ||
# severity: LOW | ||
# short_code: disk-encryption-customer-key | ||
# recommended_action: Use managed keys to encrypt disks. | ||
# input: | ||
# selector: | ||
# - type: cloud | ||
# subtypes: | ||
# - service: compute | ||
# provider: google | ||
# terraform: | ||
# links: | ||
# - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_disk#kms_key_self_link | ||
# good_examples: checks/cloud/google/compute/disk_encryption_customer_key.tf.go | ||
# bad_examples: checks/cloud/google/compute/disk_encryption_customer_key.tf.go | ||
package builtin.google.compute.google0034 | ||
|
||
import rego.v1 | ||
|
||
deny contains res if { | ||
some disk in input.google.compute.disks | ||
not is_disk_encrypted(disk) | ||
res := result.new( | ||
"Disk is not encrypted with a customer managed key.", | ||
object.get(disk, ["encryption", "kmskeylink"], disk), | ||
) | ||
} | ||
|
||
is_disk_encrypted(disk) := disk.encryption.kmskeylink.value != "" |
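Review bot: `is_disk_encrypted` (last line of the hunk) names a broader condition than it checks: it holds only when `kmskeylink.value` is non-empty, i.e. when a customer managed key is configured, while the check's title and deny message ("Disk is not encrypted with a customer managed key.") are about customer managed keys specifically, not encryption in general. Renaming the helper to something like `uses_customer_managed_key(disk)` would keep the rule body self-explanatory. The metadata has the same looseness: `recommended_action: Use managed keys to encrypt disks.` should read "customer managed keys" to match the title, and the description's "unmanaged keys" is ambiguous for the same reason. The undefined-path handling is correct as written: when `disk.encryption` or `kmskeylink` is absent the helper is undefined, `not is_disk_encrypted(disk)` succeeds and the disk is reported, with `object.get(disk, ["encryption", "kmskeylink"], disk)` falling back to the disk itself as the finding location.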
71 changes: 0 additions & 71 deletions
checks/cloud/google/compute/disk_encryption_customer_key_test.go
This file was deleted.
24 changes: 24 additions & 0 deletions
checks/cloud/google/compute/disk_encryption_customer_key_test.rego
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
package builtin.google.compute.google0034_test | ||
|
||
import rego.v1 | ||
|
||
import data.builtin.google.compute.google0034 as check | ||
import data.lib.test | ||
|
||
test_deny_disk_is_not_encrypted if { | ||
inp := {"google": {"compute": {"disks": [{"encryption": {"kmskeylink": {"value": ""}}}]}}} | ||
res := check.deny with input as inp | ||
count(res) == 1 | ||
} | ||
|
||
test_deny_disk_encryption_is_not_specified if { | ||
inp := {"google": {"compute": {"disks": [{}]}}} | ||
res := check.deny with input as inp | ||
count(res) == 1 | ||
} | ||
|
||
test_allow_disk_is_encrypted if { | ||
inp := {"google": {"compute": {"disks": [{"encryption": {"kmskeylink": {"value": "something"}}}]}}} | ||
res := check.deny with input as inp | ||
res == set() | ||
} |
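Review bot: `import data.lib.test` is unused in this file; none of the three tests reference `test.`, so either drop the import or write the assertions with the helpers it provides, which is what the import suggests was intended. Coverage-wise, the two deny cases exercise an empty `kmskeylink.value` and a disk with no `encryption` object at all; the intermediate shape `{"encryption": {}}` (object present, `kmskeylink` absent) takes a different undefined path through `is_disk_encrypted` and is worth a fourth test asserting `count(res) == 1`.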