Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(terraform): Handle new resource type for CKV_GCP_73 #7023

Merged
merged 3 commits into from
Feb 25, 2025
Merged

fix(terraform): Handle new resource type for CKV_GCP_73 #7023

merged 3 commits into from
Feb 25, 2025
+148 −4

Conversation

tsmithv11
Copy link
Collaborator

@tsmithv11 tsmithv11 commented Feb 22, 2025
edited by baz-reviewer bot
Loading

User description

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

Handles google_compute_security_policy_rule

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my feature, policy, or fix is effective and works
  • New and existing tests pass locally with my changes

Generated description

Below is a concise technical summary of the changes proposed in this PR:

Enhances the CloudArmorWAFACLCVE202144228 check to handle the new google_compute_security_policy_rule resource type. Modifies the check method to evaluate both inline rules and separate rule resources. Updates test cases to cover the new scenarios, including passing and failing cases for the new resource type.

TopicDetails
Check Enhancement Modifies the CloudArmorWAFACLCVE202144228 check to handle new resource type and improve rule evaluation logic
Modified files (1)
  • checkov/terraform/checks/resource/gcp/CloudArmorWAFACLCVE202144228.py
Latest Contributors(2)
UserCommitDate
naveednawazkhanfeat-terraform-Update-...May 01, 2024
ChanochShaynerfix-terraform-Terrafor...January 29, 2023
Test Updates Updates test cases to cover new scenarios with separate rule resources
Modified files (2)
  • tests/terraform/checks/resource/gcp/example_CloudArmorWAFACLCVE202144228/main.tf
  • tests/terraform/checks/resource/gcp/test_CloudArmorWAFACLCVE202144228.py
Latest Contributors(2)
UserCommitDate
naveednawazkhanfeat-terraform-Update-...May 01, 2024
gruebeladd-CKV_GCP_73-to-chec...December 22, 2021
This pull request is reviewed by Baz. Join @tsmithv11 and the rest of your team on (Baz).

maxamel
maxamel reviewed Feb 23, 2025
View reviewed changes
checkov/terraform/checks/resource/gcp/CloudArmorWAFACLCVE202144228.py
if expr.get("expression") == "evaluatePreconfiguredExpr('cve-canary')":
if rule.get("action") == "allow":
return CheckResult.FAILED
if rule.get("preview"):
Copy link
Contributor

@maxamel maxamel Feb 23, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From what I saw if preview=True we do not enforce the action, so why are we failing here?
Also, perhaps before the action check we need to first check the preview since in case it's True the action won't kick in.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to the docs, when preview is used, the action is not enforced, so essentially blocking for this WAF rule is not enforced is my understanding. Let me know if you read it differently.

Good call on preview first. I will update that.

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_security_policy#preview-1

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you know what would happen if preview=True and action=allow? Would that mean allow isn't enforced so we block? It's an edge case for which I haven't found a direct answer in the docs. In any case, if we cannot find a clear answer for it, just failing for preview=True sounds like a good enough solution.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The docs say preview mode just logs traffic without enforcing, so I think if preview=True it never blocks.

https://cloud.google.com/armor/docs/security-policy-overview?utm_source=chatgpt.com#preview_mode

@tsmithv11 tsmithv11 merged commit 00ff6eb into main Feb 25, 2025
43 of 44 checks passed
@tsmithv11 tsmithv11 deleted the update-ckv-gcp-73 branch February 25, 2025 10:39
Saarett pushed a commit that referenced this pull request Feb 25, 2025
@tsmithv11 @actions-user
fix(terraform): Handle new resource type for CKV_GCP_73 (#7023)
cfcc122 
* fix

* Fix flake8

* max feedback - preview first
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@maxamel maxamel maxamel approved these changes

@talazuri talazuri talazuri approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@tsmithv11 @maxamel @talazuri