refactor(checks): migrate Google Compute to Rego (#196)

* refactor(checks): migrate Google Compute to Rego

Signed-off-by: Nikita Pivkin <[email protected]>

* test: add functional tests

Signed-off-by: Nikita Pivkin <[email protected]>

* refactor: migrate ip related checks

Signed-off-by: Nikita Pivkin <[email protected]>

* test: initialise tests in each test file

Signed-off-by: Nikita Pivkin <[email protected]>

* test(bundle): use only canary Trivy

Signed-off-by: Nikita Pivkin <[email protected]>

---------

Signed-off-by: Nikita Pivkin <[email protected]>
Co-authored-by: simar7 <[email protected]>

avd_docs/google/compute/AVD-GCP-0027/docs.md

@@ -1,10 +1,10 @@
 
 Network security rules should not use very broad subnets.
-
 Where possible, segments should be broken into smaller subnets and avoid using the <code>/0</code> subnet.
 
+
 ### Impact
-The port is exposed for ingress from the internet
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/compute/AVD-GCP-0029/docs.md

@@ -1,8 +1,9 @@
 
 VPC flow logs record information about all traffic, which is a vital tool in reviewing anomalous traffic.
 
+
 ### Impact
-Limited auditing capability and awareness
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/compute/AVD-GCP-0030/docs.md

@@ -1,8 +1,9 @@
 
 Use of project-wide SSH keys means that a compromise of any one of these key pairs can result in all instances being compromised. It is recommended to use instance-level keys.
 
+
 ### Impact
-Compromise of a single key pair compromises all instances
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/compute/AVD-GCP-0031/docs.md

@@ -1,8 +1,9 @@
 
 Instances should not be publicly exposed to the internet
 
+
 ### Impact
-Direct exposure of an instance to the public internet
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/compute/AVD-GCP-0032/docs.md

@@ -1,8 +1,9 @@
 
 When serial port access is enabled, the access is not governed by network security rules meaning the port can be exposed publicly.
 
+
 ### Impact
-Unrestricted network access to the serial console of the instance
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/compute/AVD-GCP-0033/Terraform.md

@@ -1,5 +1,5 @@
 
-Use managed keys 
+Use managed keys
 
 ```hcl
  resource "google_service_account" "default" {

avd_docs/google/compute/AVD-GCP-0033/docs.md

@@ -1,8 +1,9 @@
 
 Using unmanaged keys makes rotation and general management difficult.
 
+
 ### Impact
-Using unmanaged keys does not allow for proper management
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/compute/AVD-GCP-0034/docs.md

@@ -1,8 +1,9 @@
 
 Using unmanaged keys makes rotation and general management difficult.
 
+
 ### Impact
-Using unmanaged keys does not allow for proper key management.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/compute/AVD-GCP-0035/docs.md

@@ -1,10 +1,10 @@
 
 Network security rules should not use very broad subnets.
-
 Where possible, segments should be broken into smaller subnets and avoid using the <code>/0</code> subnet.
 
+
 ### Impact
-The port is exposed for egress to the internet
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/compute/AVD-GCP-0036/docs.md

@@ -1,8 +1,9 @@
 
 OS Login automatically revokes the relevant SSH keys when an IAM user has their access revoked.
 
+
 ### Impact
-Access via SSH key cannot be revoked automatically when an IAM user is removed.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/compute/AVD-GCP-0037/docs.md

@@ -1,8 +1,9 @@
 
 Sensitive values such as raw encryption keys should not be included in your Terraform code, and should be stored securely by a secrets manager.
 
+
 ### Impact
-The encryption key should be considered compromised as it is not stored securely.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/compute/AVD-GCP-0039/docs.md

@@ -1,8 +1,9 @@
 
 TLS versions prior to 1.2 are outdated and insecure. You should use 1.2 as aminimum version.
 
+
 ### Impact
-Data in transit is not sufficiently secured
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/compute/AVD-GCP-0041/docs.md

@@ -1,8 +1,9 @@
 
 The virtual TPM provides numerous security measures to your VM.
 
+
 ### Impact
-Unable to prevent unwanted system state modification
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/compute/AVD-GCP-0042/docs.md

@@ -1,8 +1,9 @@
 
 OS Login automatically revokes the relevant SSH keys when an IAM user has their access revoked.
 
+
 ### Impact
-Access via SSH key cannot be revoked automatically when an IAM user is removed.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/compute/AVD-GCP-0043/docs.md

@@ -1,8 +1,9 @@
 
 Disabling IP forwarding ensures the instance can only receive packets addressed to the instance and can only send packets with a source address of the instance.
 
+
 ### Impact
-Instance can send/receive packets without the explicit instance address
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/compute/AVD-GCP-0044/docs.md

@@ -1,8 +1,9 @@
 
 The default service account has full project access. Instances should instead be assigned the minimal access they need.
 
+
 ### Impact
-Instance has full access to the project
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/compute/AVD-GCP-0045/docs.md

@@ -1,8 +1,9 @@
 
 Integrity monitoring helps you understand and make decisions about the state of your VM instances.
 
+
 ### Impact
-No visibility of VM instance boot state.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/compute/AVD-GCP-0067/docs.md

@@ -1,8 +1,9 @@
 
 Secure boot helps ensure that the system only runs authentic software.
 
+
 ### Impact
-Unable to verify digital signature of boot components, and unable to stop the boot process if verification fails.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

checks/cloud/google/compute/disk_encryption_customer_key.go

@@ -25,7 +25,8 @@ var CheckDiskEncryptionCustomerKey = rules.Register(
 			Links:               terraformDiskEncryptionCustomerKeyLinks,
 			RemediationMarkdown: terraformDiskEncryptionCustomerKeyRemediationMarkdown,
 		},
-		Severity: severity.Low,
+		Severity:   severity.Low,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, disk := range s.Google.Compute.Disks {

checks/cloud/google/compute/disk_encryption_customer_key.rego

@@ -0,0 +1,40 @@
+# METADATA
+# title: Disks should be encrypted with customer managed encryption keys
+# description: |
+#   Using unmanaged keys makes rotation and general management difficult.
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# custom:
+#   id: AVD-GCP-0034
+#   avd_id: AVD-GCP-0034
+#   provider: google
+#   service: compute
+#   severity: LOW
+#   short_code: disk-encryption-customer-key
+#   recommended_action: Use managed keys to encrypt disks.
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: compute
+#             provider: google
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_disk#kms_key_self_link
+#     good_examples: checks/cloud/google/compute/disk_encryption_customer_key.tf.go
+#     bad_examples: checks/cloud/google/compute/disk_encryption_customer_key.tf.go
+package builtin.google.compute.google0034
+
+import rego.v1
+
+deny contains res if {
+	some disk in input.google.compute.disks
+	not is_disk_encrypted(disk)
+	res := result.new(
+		"Disk is not encrypted with a customer managed key.",
+		object.get(disk, ["encryption", "kmskeylink"], disk),
+	)
+}
+
+is_disk_encrypted(disk) := disk.encryption.kmskeylink.value != ""

checks/cloud/google/compute/disk_encryption_customer_key_test.rego

@@ -0,0 +1,24 @@
+package builtin.google.compute.google0034_test
+
+import rego.v1
+
+import data.builtin.google.compute.google0034 as check
+import data.lib.test
+
+test_deny_disk_is_not_encrypted if {
+	inp := {"google": {"compute": {"disks": [{"encryption": {"kmskeylink": {"value": ""}}}]}}}
+	res := check.deny with input as inp
+	count(res) == 1
+}
+
+test_deny_disk_encryption_is_not_specified if {
+	inp := {"google": {"compute": {"disks": [{}]}}}
+	res := check.deny with input as inp
+	count(res) == 1
+}
+
+test_allow_disk_is_encrypted if {
+	inp := {"google": {"compute": {"disks": [{"encryption": {"kmskeylink": {"value": "something"}}}]}}}
+	res := check.deny with input as inp
+	res == set()
+}

checks/cloud/google/compute/disk_encryption_no_plaintext_key.go

@@ -27,7 +27,8 @@ var CheckDiskEncryptionRequired = rules.Register(
 			Links:               terraformDiskEncryptionNoPlaintextKeyLinks,
 			RemediationMarkdown: terraformDiskEncryptionNoPlaintextKeyRemediationMarkdown,
 		},
-		Severity: severity.Critical,
+		Severity:   severity.Critical,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, instance := range s.Google.Compute.Instances {