Merge branch 'bridgecrewio:main' into fix/ckv_azure_5-default-value

bridgecrewio · Jan 13, 2023 · 8f98f5b · 8f98f5b
2 parents b637df0 + d529479
commit 8f98f5b
Show file tree

Hide file tree

Showing 21 changed files with 1,969 additions and 1,623 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,12 @@
 # CHANGELOG
 
-## [Unreleased](https://github.com/bridgecrewio/checkov/compare/2.2.257...HEAD)
+## [Unreleased](https://github.com/bridgecrewio/checkov/compare/2.2.258...HEAD)
+
+## [2.2.258](https://github.com/bridgecrewio/checkov/compare/2.2.257...2.2.258) - 2023-01-12
+
+### Feature
+
+- **terraform:** PC-Policy-Team - GCP PostgreSQL Instance Database Policies - [#4090](https://github.com/bridgecrewio/checkov/pull/4090)
 
 ## [2.2.257](https://github.com/bridgecrewio/checkov/compare/2.2.254...2.2.257) - 2023-01-11
 

diff --git a/...kov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml b/...kov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml
@@ -0,0 +1,17 @@
+metadata:
+  name: "Ensure PostgreSQL database flag 'log_duration' is set to 'on'"
+  id: "CKV2_GCP_13"
+  category: "LOGGING"
+definition:
+  or:
+    - cond_type: "attribute"
+      resource_types:
+        - "google_sql_database_instance"
+      attribute: "database_version"
+      operator: "not_contains"
+      value: "POSTGRES"
+    - cond_type: "attribute"
+      resource_types:
+        - "google_sql_database_instance"
+      attribute: "settings.database_flags[?(@.name == log_duration & @.value == on)]"
+      operator: "jsonpath_exists"
diff --git a/...raform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml b/...raform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml
@@ -0,0 +1,22 @@
+metadata:
+  name: "Ensure PostgreSQL database flag 'log_executor_stats' is set to 'off'"
+  id: "CKV2_GCP_14"
+  category: "LOGGING"
+definition:
+  or:
+    - cond_type: "attribute"
+      resource_types:
+        - "google_sql_database_instance"
+      attribute: "database_version"
+      operator: "not_contains"
+      value: "POSTGRES"
+    - cond_type: "attribute"
+      resource_types:
+        - "google_sql_database_instance"
+      attribute: "settings.database_flags[*]"
+      operator: "jsonpath_not_exists"
+    - cond_type: "attribute"
+      resource_types:
+        - "google_sql_database_instance"
+      attribute: "settings.database_flags[?(@.name == log_executor_stats & @.value == on)]"
+      operator: "jsonpath_not_exists"
diff --git a/...erraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml b/...erraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml
@@ -0,0 +1,22 @@
+metadata:
+  name: "Ensure PostgreSQL database flag 'log_parser_stats' is set to 'off'"
+  id: "CKV2_GCP_15"
+  category: "LOGGING"
+definition:
+  or:
+    - cond_type: "attribute"
+      resource_types:
+        - "google_sql_database_instance"
+      attribute: "database_version"
+      operator: "not_contains"
+      value: "POSTGRES"
+    - cond_type: "attribute"
+      resource_types:
+        - "google_sql_database_instance"
+      attribute: "settings.database_flags[*]"
+      operator: "jsonpath_not_exists"
+    - cond_type: "attribute"
+      resource_types:
+        - "google_sql_database_instance"
+      attribute: "settings.database_flags[?(@.name == log_parser_stats & @.value == on)]"
+      operator: "jsonpath_not_exists"
diff --git a/...rraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml b/...rraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml
@@ -0,0 +1,22 @@
+metadata:
+  name: "Ensure PostgreSQL database flag 'log_planner_stats' is set to 'off'"
+  id: "CKV2_GCP_16"
+  category: "LOGGING"
+definition:
+  or:
+    - cond_type: "attribute"
+      resource_types:
+        - "google_sql_database_instance"
+      attribute: "database_version"
+      operator: "not_contains"
+      value: "POSTGRES"
+    - cond_type: "attribute"
+      resource_types:
+        - "google_sql_database_instance"
+      attribute: "settings.database_flags[*]"
+      operator: "jsonpath_not_exists"
+    - cond_type: "attribute"
+      resource_types:
+        - "google_sql_database_instance"
+      attribute: "settings.database_flags[?(@.name == log_planner_stats & @.value == on)]"
+      operator: "jsonpath_not_exists"
diff --git a/...aform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml b/...aform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml
@@ -0,0 +1,22 @@
+metadata:
+  name: "Ensure PostgreSQL database flag 'log_statement_stats' is set to 'off'"
+  id: "CKV2_GCP_17"
+  category: "LOGGING"
+definition:
+  or:
+    - cond_type: "attribute"
+      resource_types:
+        - "google_sql_database_instance"
+      attribute: "database_version"
+      operator: "not_contains"
+      value: "POSTGRES"
+    - cond_type: "attribute"
+      resource_types:
+        - "google_sql_database_instance"
+      attribute: "settings.database_flags[*]"
+      operator: "jsonpath_not_exists"
+    - cond_type: "attribute"
+      resource_types:
+        - "google_sql_database_instance"
+      attribute: "settings.database_flags[?(@.name == log_statement_stats & @.value == on)]"
+      operator: "jsonpath_not_exists"
diff --git a/checkov/version.py b/checkov/version.py
@@ -1 +1 @@
-version = '2.2.257'
+version = '2.2.258'
diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md
diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md
diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt
@@ -1 +1 @@
-checkov==2.2.257
+checkov==2.2.258
diff --git a/...aform/graph/checks/resources/GCPPostgreSQLDatabaseFlaglog_durationIsSetToON/expected.yaml b/...aform/graph/checks/resources/GCPPostgreSQLDatabaseFlaglog_durationIsSetToON/expected.yaml
@@ -0,0 +1,5 @@
+pass:
+  - "google_sql_database_instance.postgresql-instance-ok-1"
+fail:
+  - "google_sql_database_instance.postgresql-instance-not-ok-1"
+  - "google_sql_database_instance.postgresql-instance-not-ok-2"
diff --git a/...s/terraform/graph/checks/resources/GCPPostgreSQLDatabaseFlaglog_durationIsSetToON/main.tf b/...s/terraform/graph/checks/resources/GCPPostgreSQLDatabaseFlaglog_durationIsSetToON/main.tf
@@ -0,0 +1,37 @@
+#case1 - PASS
+resource "google_sql_database_instance" "postgresql-instance-ok-1" {
+  name    = "postgresql-instance-ok-1"
+  database_version = "POSTGRES_14"
+  settings {
+    database_flags {
+      name  = "log_duration"
+      value = "on"
+    }
+    tier = "db-f1-micro"
+  }
+  deletion_protection = false
+}
+
+#case2 - FAIL
+resource "google_sql_database_instance" "postgresql-instance-not-ok-1" {
+  name    = "postgresql-instance-not-ok-1"
+  database_version = "POSTGRES_14"
+  settings {
+    database_flags {
+      name  = "log_duration"
+      value = "off"
+    }
+    tier = "db-f1-micro"
+  }
+  deletion_protection = false
+}
+
+#case3 - FAIL
+resource "google_sql_database_instance" "postgresql-instance-not-ok-2" {
+  name    = "postgresql-instance-not-ok-2"
+  database_version = "POSTGRES_14"
+  settings {
+    tier = "db-f1-micro"
+  }
+  deletion_protection = false
+}
diff --git a/...raph/checks/resources/GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF/expected.yaml b/...raph/checks/resources/GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF/expected.yaml
@@ -0,0 +1,5 @@
+pass:
+  - "google_sql_database_instance.postgresql-instance-ok-1"
+  - "google_sql_database_instance.postgresql-instance-ok-2"
+fail:
+  - "google_sql_database_instance.postgresql-instance-not-ok-1"
diff --git a/...form/graph/checks/resources/GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF/main.tf b/...form/graph/checks/resources/GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF/main.tf
@@ -0,0 +1,37 @@
+#case1 - PASS
+resource "google_sql_database_instance" "postgresql-instance-ok-1" {
+  name    = "postgresql-instance-ok-1"
+  database_version = "POSTGRES_14"
+  settings {
+    database_flags {
+      name  = "log_executor_stats"
+      value = "off"
+    }
+    tier = "db-f1-micro"
+  }
+  deletion_protection = false
+}
+
+#case2 - PASS
+resource "google_sql_database_instance" "postgresql-instance-ok-2" {
+  name    = "postgresql-instance-ok-2"
+  database_version = "POSTGRES_14"
+  settings {
+    tier = "db-f1-micro"
+  }
+  deletion_protection = false
+}
+
+#case3 - FAIL
+resource "google_sql_database_instance" "postgresql-instance-not-ok-1" {
+  name    = "postgresql-instance-not-ok-1"
+  database_version = "POSTGRES_14"
+  settings {
+    database_flags {
+      name  = "log_executor_stats"
+      value = "on"
+    }
+    tier = "db-f1-micro"
+  }
+  deletion_protection = false
+}
diff --git a/.../graph/checks/resources/GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF/expected.yaml b/.../graph/checks/resources/GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF/expected.yaml
@@ -0,0 +1,5 @@
+pass:
+  - "google_sql_database_instance.postgresql-instance-ok-1"
+  - "google_sql_database_instance.postgresql-instance-ok-2"
+fail:
+  - "google_sql_database_instance.postgresql-instance-not-ok-1"
diff --git a/...raform/graph/checks/resources/GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF/main.tf b/...raform/graph/checks/resources/GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF/main.tf
@@ -0,0 +1,37 @@
+#case1 - PASS
+resource "google_sql_database_instance" "postgresql-instance-ok-1" {
+  name    = "postgresql-instance-ok-1"
+  database_version = "POSTGRES_14"
+  settings {
+    database_flags {
+      name  = "log_parser_stats"
+      value = "off"
+    }
+    tier = "db-f1-micro"
+  }
+  deletion_protection = false
+}
+
+#case2 - PASS
+resource "google_sql_database_instance" "postgresql-instance-ok-2" {
+  name    = "postgresql-instance-ok-2"
+  database_version = "POSTGRES_14"
+  settings {
+    tier = "db-f1-micro"
+  }
+  deletion_protection = false
+}
+
+#case3 - FAIL
+resource "google_sql_database_instance" "postgresql-instance-not-ok-1" {
+  name    = "postgresql-instance-not-ok-1"
+  database_version = "POSTGRES_14"
+  settings {
+    database_flags {
+      name  = "log_parser_stats"
+      value = "on"
+    }
+    tier = "db-f1-micro"
+  }
+  deletion_protection = false
+}
diff --git a/...graph/checks/resources/GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF/expected.yaml b/...graph/checks/resources/GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF/expected.yaml
@@ -0,0 +1,5 @@
+pass:
+  - "google_sql_database_instance.postgresql-instance-ok-1"
+  - "google_sql_database_instance.postgresql-instance-ok-2"
+fail:
+  - "google_sql_database_instance.postgresql-instance-not-ok-1"
diff --git a/...aform/graph/checks/resources/GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF/main.tf b/...aform/graph/checks/resources/GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF/main.tf
@@ -0,0 +1,37 @@
+#case1 - PASS
+resource "google_sql_database_instance" "postgresql-instance-ok-1" {
+  name    = "postgresql-instance-ok-1"
+  database_version = "POSTGRES_14"
+  settings {
+    database_flags {
+      name  = "log_planner_stats"
+      value = "off"
+    }
+    tier = "db-f1-micro"
+  }
+  deletion_protection = false
+}
+
+#case2 - PASS
+resource "google_sql_database_instance" "postgresql-instance-ok-2" {
+  name    = "postgresql-instance-ok-2"
+  database_version = "POSTGRES_14"
+  settings {
+    tier = "db-f1-micro"
+  }
+  deletion_protection = false
+}
+
+#case3 - FAIL
+resource "google_sql_database_instance" "postgresql-instance-not-ok-1" {
+  name    = "postgresql-instance-not-ok-1"
+  database_version = "POSTGRES_14"
+  settings {
+    database_flags {
+      name  = "log_planner_stats"
+      value = "on"
+    }
+    tier = "db-f1-micro"
+  }
+  deletion_protection = false
+}
diff --git a/...aph/checks/resources/GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF/expected.yaml b/...aph/checks/resources/GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF/expected.yaml
@@ -0,0 +1,5 @@
+pass:
+  - "google_sql_database_instance.postgresql-instance-ok-1"
+  - "google_sql_database_instance.postgresql-instance-ok-2"
+fail:
+  - "google_sql_database_instance.postgresql-instance-not-ok-1"
diff --git a/...orm/graph/checks/resources/GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF/main.tf b/...orm/graph/checks/resources/GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF/main.tf
@@ -0,0 +1,37 @@
+#case1 - PASS
+resource "google_sql_database_instance" "postgresql-instance-ok-1" {
+  name    = "postgresql-instance-ok-1"
+  database_version = "POSTGRES_14"
+  settings {
+    database_flags {
+      name  = "log_statement_stats"
+      value = "off"
+    }
+    tier = "db-f1-micro"
+  }
+  deletion_protection = false
+}
+
+#case2 - PASS
+resource "google_sql_database_instance" "postgresql-instance-ok-2" {
+  name    = "postgresql-instance-ok-2"
+  database_version = "POSTGRES_14"
+  settings {
+    tier = "db-f1-micro"
+  }
+  deletion_protection = false
+}
+
+#case3 - FAIL
+resource "google_sql_database_instance" "postgresql-instance-not-ok-1" {
+  name    = "postgresql-instance-not-ok-1"
+  database_version = "POSTGRES_14"
+  settings {
+    database_flags {
+      name  = "log_statement_stats"
+      value = "on"
+    }
+    tier = "db-f1-micro"
+  }
+  deletion_protection = false
+}
diff --git a/tests/terraform/graph/checks/test_yaml_policies.py b/tests/terraform/graph/checks/test_yaml_policies.py
@@ -320,6 +320,21 @@ def test_S3BucketReplicationConfiguration(self):
     def test_AppLoadBalancerTLS12(self):
         self.go("AppLoadBalancerTLS12")
 
+    def test_GCPPostgreSQLDatabaseFlaglog_durationIsSetToON(self):
+        self.go("GCPPostgreSQLDatabaseFlaglog_durationIsSetToON")
+
+    def test_GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF(self):
+        self.go("GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF")
+
+    def test_GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF(self):
+        self.go("GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF")
+
+    def test_GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF(self):
+        self.go("GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF")
+
+    def test_GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF(self):
+        self.go("GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF")
+
     def test_GCPComputeFirewallOverlyPermissiveToAllTraffic(self):
         self.go("GCPComputeFirewallOverlyPermissiveToAllTraffic")