From 4a2abc741583884dd38ca3b9bf2ff5a4d205a609 Mon Sep 17 00:00:00 2001 From: Daniel Andrade Date: Tue, 20 Jun 2023 14:48:59 -0300 Subject: [PATCH] fix: add VPC Flow logs exceptions for REGIONAL_MANAGED_PROXY and INTERNAL_HTTPS_LOAD_BALANCER (#436) --- .../gcp_network_enable_flow_logs_v1.yaml | 3 + validator/network_enable_flow_logs.rego | 3 + validator/network_enable_flow_logs_test.rego | 8 +++ .../network_enable_flow_logs/assets/data.json | 57 +++++++++++++++++++ 4 files changed, 71 insertions(+) diff --git a/policies/templates/gcp_network_enable_flow_logs_v1.yaml b/policies/templates/gcp_network_enable_flow_logs_v1.yaml index dfacd68d..b7ff0677 100644 --- a/policies/templates/gcp_network_enable_flow_logs_v1.yaml +++ b/policies/templates/gcp_network_enable_flow_logs_v1.yaml @@ -62,9 +62,12 @@ spec: legacy_enable_flow_logs := lib.get_default(network, "enableFlowLogs", false) log_config := lib.get_default(network, "logConfig", {}) log_config_enable_flow_logs := lib.get_default(log_config, "enable", false) + purpose := lib.get_default(network, "purpose", "PRIVATE") log_config_enable_flow_logs != true legacy_enable_flow_logs != true + purpose != "REGIONAL_MANAGED_PROXY" + purpose != "INTERNAL_HTTPS_LOAD_BALANCER" message := sprintf("Flow logs are disabled in subnetwork %v.", [asset.name]) metadata := {"resource": asset.name} diff --git a/validator/network_enable_flow_logs.rego b/validator/network_enable_flow_logs.rego index 3346a936..4af29545 100644 --- a/validator/network_enable_flow_logs.rego +++ b/validator/network_enable_flow_logs.rego 
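Review bot: The two new `purpose != ...` guards hard-code the exempt subnet purposes as string comparisons inside the rule, and the identical pair is repeated in validator/network_enable_flow_logs.rego, so the exempt list now has to be kept in sync by hand in two files. The idiomatic Rego form is a package-level set, `flow_logs_exempt_purposes := {"REGIONAL_MANAGED_PROXY", "INTERNAL_HTTPS_LOAD_BALANCER"}` (outside this hunk), with the two guards replaced by `not flow_logs_exempt_purposes[purpose]`, which also gives one place to extend if newer proxy-only purposes such as GLOBAL_MANAGED_PROXY need the same treatment — confirm against the Compute API before widening it. Nothing in the hunk or the commit message records why these purposes are skipped, so add a comment next to the set or the guard, e.g. `# proxy-only subnets back managed load-balancer proxies and, as far as we know, cannot have VPC Flow Logs enabled, so they are exempted rather than reported`, and verify that rationale. Defaulting a missing `purpose` to "PRIVATE" keeps the check fail-closed, which is the right direction for a detective control. The `deny` rule starts before this hunk.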
@@ -30,9 +30,12 @@ deny[{ legacy_enable_flow_logs := lib.get_default(network, "enableFlowLogs", false) log_config := lib.get_default(network, "logConfig", {}) log_config_enable_flow_logs := lib.get_default(log_config, "enable", false) + purpose := lib.get_default(network, "purpose", "PRIVATE") log_config_enable_flow_logs != true legacy_enable_flow_logs != true + purpose != "REGIONAL_MANAGED_PROXY" + purpose != "INTERNAL_HTTPS_LOAD_BALANCER" message := sprintf("Flow logs are disabled in subnetwork %v.", [asset.name]) metadata := {"resource": asset.name} diff --git a/validator/network_enable_flow_logs_test.rego b/validator/network_enable_flow_logs_test.rego index 7ab65cdb..c42e9994 100644 --- a/validator/network_enable_flow_logs_test.rego +++ b/validator/network_enable_flow_logs_test.rego @@ -39,6 +39,14 @@ test_flow_logs_disabled_for_both { resources_in_violation["//compute.googleapis.com/projects/pso-cicd8/regions/us-west1/subnetworks/both_false"] } +test_flow_logs_regional_managed_proxy { + not resources_in_violation["//compute.googleapis.com/projects/pso-cicd8/regions/us-west1/subnetworks/regional_managed_proxy"] +} + +test_flow_logs_internal_https_load_balancer { + not resources_in_violation["//compute.googleapis.com/projects/pso-cicd8/regions/us-west1/subnetworks/internal_https_load_balancer"] +} + test_flow_logs_enabled_for_both { not resources_in_violation["//compute.googleapis.com/projects/pso-cicd8/regions/us-west1/subnetworks/both_correct"] } diff --git a/validator/test/fixtures/network_enable_flow_logs/assets/data.json b/validator/test/fixtures/network_enable_flow_logs/assets/data.json index a9070e83..668bb071 100644 --- a/validator/test/fixtures/network_enable_flow_logs/assets/data.json +++ b/validator/test/fixtures/network_enable_flow_logs/assets/data.json 
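Review bot: The exemption on `purpose` is introduced here without any comment on why these two purposes may skip flow logs, and the same three lines are duplicated in the YAML template, so the next reader has to reconstruct the reasoning from the commit subject alone. Replace the two `!=` guards with membership in a package-level set, `not flow_logs_exempt_purposes[purpose]`, and document it at the set definition with a hedged rationale such as `# proxy-only subnets (REGIONAL_MANAGED_PROXY, INTERNAL_HTTPS_LOAD_BALANCER) are believed not to support VPC Flow Logs; exempted rather than reported — confirm against current Compute API behavior`. Reading `purpose` through `lib.get_default(..., "PRIVATE")` means an asset with no purpose field is still evaluated, so the exemption cannot be triggered by an absent field, which is worth a one-line comment since the default value looks arbitrary otherwise. The `deny` rule begins before this hunk.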
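Review bot: The two new tests assert only the negative case (exempt purposes are not reported); nothing pins that a subnetwork carrying an explicit `"purpose": "PRIVATE"` with both flags false is still a violation, so an edit that inverted or widened the purpose guard could pass this suite if the existing fixtures simply lack a `purpose` field. Add one fixture with `"purpose": "PRIVATE"`, `"enableFlowLogs": false` and `"logConfig": {"enable": false}`, and assert `resources_in_violation[".../subnetworks/private_both_false"]` for it. The exempt fixtures already set both flags to false, which is the right shape for showing that purpose alone drives the exemption.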
@@ -71,6 +71,63 @@ } } }, + { + "name": "//compute.googleapis.com/projects/pso-cicd8/regions/us-west1/subnetworks/regional_managed_proxy", + "asset_type": "compute.googleapis.com/Subnetwork", + "resource": { + "version": "v1", + "discovery_document_uri": "https://www.googleapis.com/discovery/v1/apis/compute/v1/rest", + "discovery_name": "Subnetwork", + "parent": "//cloudresourcemanager.googleapis.com/projects/13428609260", + "data": { + "creationTimestamp": "2019-03-13T12:20:27.884-07:00", + "fingerprint": "gHOs7GmZw+Q=", + "gatewayAddress": "10.140.0.1", + "id": "7589039100605557012", + "ipCidrRange": "10.140.0.0/20", + "name": "default", + "network": "https://www.googleapis.com/compute/v1/projects/pso-cicd8/global/networks/default", + "purpose": "REGIONAL_MANAGED_PROXY", + "privateIpGoogleAccess": true, + "enableFlowLogs": false, + "logConfig": { + "enable": false + }, + "region": "https://www.googleapis.com/compute/v1/projects/pso-cicd8/regions/us-west1-b", + "selfLink": "https://www.googleapis.com/compute/v1/projects/pso-cicd8/regions/us-west1-b/subnetworks/default" + } + } + }, + + { + "name": "//compute.googleapis.com/projects/pso-cicd8/regions/us-west1/subnetworks/internal_https_load_balancer", + "asset_type": "compute.googleapis.com/Subnetwork", + "resource": { + "version": "v1", + "discovery_document_uri": "https://www.googleapis.com/discovery/v1/apis/compute/v1/rest", + "discovery_name": "Subnetwork", + "parent": "//cloudresourcemanager.googleapis.com/projects/13428609260", + "data": { + "creationTimestamp": "2019-03-13T12:20:27.884-07:00", + "fingerprint": "gHOs7GmZw+Q=", + "gatewayAddress": "10.140.0.1", + "id": "7589039100605557012", + "ipCidrRange": "10.140.0.0/20", + "name": "default", + "network": "https://www.googleapis.com/compute/v1/projects/pso-cicd8/global/networks/default", + "purpose": "INTERNAL_HTTPS_LOAD_BALANCER", + "privateIpGoogleAccess": true, + "enableFlowLogs": false, + "logConfig": { + "enable": false + }, + "region": 
"https://www.googleapis.com/compute/v1/projects/pso-cicd8/regions/us-west1-b", + "selfLink": "https://www.googleapis.com/compute/v1/projects/pso-cicd8/regions/us-west1-b/subnetworks/default" + } + } + }, + + { "name": "//compute.googleapis.com/projects/pso-cicd8/regions/us-west1/subnetworks/both_correct", "asset_type": "compute.googleapis.com/Subnetwork",