From 8237e59cc16b6362d573300ac30389d157cb9f7e Mon Sep 17 00:00:00 2001 
From: seanyyan Date: Mon, 17 Jun 2024 11:01:00 +0800 Subject: [PATCH 01/11] feat/tke_tencent_add_new_query_v3 --- .../metadata.json | 12 ++ .../query.rego | 26 +++ .../test/negative1.tf | 30 +++ .../test/positive1.tf | 14 ++ .../test/positive_expected_result.json | 8 + .../metadata.json | 12 ++ .../tke_cluster_has_public_access/query.rego | 178 ++++++++++++++++++ .../test/negative1.tf | 95 ++++++++++ .../test/negative2.tf | 97 ++++++++++ .../test/positive1.tf | 101 ++++++++++ .../test/positive2.tf | 100 ++++++++++ .../test/positive3.tf | 143 ++++++++++++++ .../test/positive4.tf | 141 ++++++++++++++ .../test/positive_expected_result.json | 74 ++++++++ .../tke_cluster_log_disabled/metadata.json | 12 ++ .../tke_cluster_log_disabled/query.rego | 39 ++++ .../test/negative1.tf | 46 +++++ .../test/positive1.tf | 46 +++++ .../test/positive2.tf | 42 +++++ .../test/positive_expected_result.json | 14 ++ 20 files changed, 1230 insertions(+) create mode 100644 assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/metadata.json create mode 100644 assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/query.rego create mode 100644 assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test/negative1.tf create mode 100644 assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test/positive1.tf create mode 100644 assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test/positive_expected_result.json create mode 100644 assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/metadata.json create mode 100644 assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego create mode 100644 assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/negative1.tf create mode 100644 assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/negative2.tf create mode 100644 
assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive1.tf create mode 100644 assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive2.tf create mode 100644 assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive3.tf create mode 100644 assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive4.tf create mode 100644 assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive_expected_result.json create mode 100644 assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/metadata.json create mode 100644 assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/query.rego create mode 100644 assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test/negative1.tf create mode 100644 assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test/positive1.tf create mode 100644 assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test/positive2.tf create mode 100644 assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test/positive_expected_result.json diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/metadata.json b/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/metadata.json new file mode 100644 index 00000000000..973e867f205 --- /dev/null +++ b/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/metadata.json 
@@ -0,0 +1,12 @@
+{
+ "id": "3ed47402-e322-465f-a0f0-8681135a17b0",
+ "queryName": "(Beta) TKE Cluster Encryption Protection Disabled",
+ "severity": "HIGH",
+ "category": "Encryption",
+ "descriptionText": "TKE Cluster should have encryption protection enabled",
+ "descriptionUrl": "https://registry.terraform.io/providers/tencentcloudstack/tencentcloud/latest/docs/resources/kubernetes_encryption_protection",
+ "platform": "Terraform",
+ "descriptionID": "1220fcb9",
+ "cloudProvider": "tencentcloud",
+ "cwe": ""
+}
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/query.rego b/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/query.rego
new file mode 100644
index 00000000000..35bcad028d9
--- /dev/null
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/query.rego
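Review bot: `cwe` is committed as an empty string in this metadata, and the public-access query's metadata on L7 does the same; if the repository expects a CWE identifier on every query (the existing tencentcloud queries would show the convention), both should carry one rather than an empty value, since downstream triage and reporting key on that field. The other fields read consistently with the query they describe.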
@@ -0,0 +1,26 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+ resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name]
+ not any_kubernetes_encryption_protection(name)
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s]", [name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s] should has 'tencentcloud_kubernetes_encryption_protection'", [name]),
+ "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s] does not have 'tencentcloud_kubernetes_encryption_protection'", [name]),
+ "searchLine":common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name], []),
+ }
+}
+
+any_kubernetes_encryption_protection(resource_name) {
+ encryption := input.document[_].resource.tencentcloud_kubernetes_encryption_protection[_]
+ split_name := split(encryption.cluster_id, ".")[1]
+ split_name == resource_name
+}
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test/negative1.tf b/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test/negative1.tf
new file mode 100644
index 00000000000..996b37adf80
--- /dev/null
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test/negative1.tf
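Review bot: `any_kubernetes_encryption_protection` matches only on the second dot-separated segment of `cluster_id`, so the reference's resource type is never checked and a `cluster_id` with no `.` (a hard-coded cluster id) or with a different segment layout (a `var.` or `module.` reference) leaves the index undefined or compares the wrong segment, and the cluster is reported as unprotected. Checking the first segment too narrows the match to real references: `parts := split(encryption.cluster_id, ".")`, `parts[0] == "tencentcloud_kubernetes_cluster"`, `parts[1] == resource_name`; hard-coded ids cannot be resolved statically, which deserves a comment on the helper such as `# only resolves references of the form tencentcloud_kubernetes_cluster.<name>.id; literal cluster ids are not matched`. The `keyExpectedValue` string reads `should has`; `should have` is the intended wording. None of the fixtures in this patch exercises a literal or variable-based `cluster_id`, so the limitation is currently invisible to the tests.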
@@ -0,0 +1,30 @@ +data "tencentcloud_vpc_subnets" "vpc" { + is_default = true + availability_zone = "ap-guangzhou-3" +} + +resource "tencentcloud_kubernetes_cluster" "has_encryption_protection" { + vpc_id = data.tencentcloud_vpc_subnets.vpc.instance_list.0.vpc_id + cluster_cidr = "10.32.0.0/16" + cluster_max_pod_num = 32 + cluster_name = "tf_example_cluster" + cluster_desc = "a tf example cluster for the kms test" + cluster_max_service_num = 32 + cluster_deploy_type = "MANAGED_CLUSTER" +} + + +resource "tencentcloud_kms_key" "example" { + alias = "tf-example-kms-key" + description = "example of kms key instance" + key_usage = "ENCRYPT_DECRYPT" + is_enabled = true +} + +resource "tencentcloud_kubernetes_encryption_protection" "example" { + cluster_id = tencentcloud_kubernetes_cluster.has_encryption_protection.id + kms_configuration { + key_id = tencentcloud_kms_key.example.id + kms_region = "ap-guangzhou" + } +} diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test/positive1.tf b/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test/positive1.tf new file mode 100644 index 00000000000..2a1c7c21fab --- /dev/null +++ b/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test/positive1.tf @@ -0,0 +1,14 @@ +data "tencentcloud_vpc_subnets" "vpc" { + is_default = true + availability_zone = "ap-guangzhou-3" +} + +resource "tencentcloud_kubernetes_cluster" "none_encryption_protection" { + vpc_id = data.tencentcloud_vpc_subnets.vpc.instance_list.0.vpc_id + cluster_cidr = "10.32.0.0/16" + cluster_max_pod_num = 32 + cluster_name = "tf_example_cluster" + cluster_desc = "a tf example cluster for the kms test" + cluster_max_service_num = 32 + cluster_deploy_type = "MANAGED_CLUSTER" +} 
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test/positive_expected_result.json
new file mode 100644
index 00000000000..c00cfc48973
--- /dev/null
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "(Beta) TKE Cluster Encryption Protection Disabled",
+ "severity": "HIGH",
+ "line": 6,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/metadata.json b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/metadata.json
new file mode 100644
index 00000000000..fd7afc34bab
--- /dev/null
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/metadata.json
@@ -0,0 +1,12 @@
+{
+ "id": "df6928ed-02f4-421f-9a67-a529860dd7e7",
+ "queryName": "(Beta) TKE Cluster Has Public Access",
+ "severity": "MEDIUM",
+ "category": "Insecure Configurations",
+ "descriptionText": "TKE Cluster 'public_ip_assigned' should be set to false",
+ "descriptionUrl": "https://registry.terraform.io/providers/tencentcloudstack/tencentcloud/latest/docs/resources/kubernetes_cluster#public_ip_assigned",
+ "platform": "Terraform",
+ "descriptionID": "6570e731",
+ "cloudProvider": "tencentcloud",
+ "cwe": ""
+}
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego
new file mode 100644
index 00000000000..59f335a419f
--- /dev/null
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego
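Review bot: `descriptionText` for the public-access query says only that `public_ip_assigned` should be false, but the rules in the query.rego hunk that follows also report a `master_config`/`worker_config` block that omits `public_ip_assigned` and sets `internet_max_bandwidth_out` above 0, so a reader of that finding gets a description that does not mention the condition that fired. A wording that covers both conditions, e.g. `"descriptionText": "TKE Cluster nodes should not be assigned a public IP: 'public_ip_assigned' should be false and 'internet_max_bandwidth_out' should be 0 or unset"`, keeps the metadata in step with the rules. The `descriptionUrl` anchor points at `public_ip_assigned` only, which is fine as the primary attribute.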
@@ -0,0 +1,178 @@
+package Cx
+
+import data.generic.terraform as tf_lib
+import data.generic.common as common_lib
+
+# master_config
+CxPolicy[result] {
+ resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name]
+ masterConfig := resource.master_config
+
+ common_lib.valid_key(masterConfig, "public_ip_assigned")
+ common_lib.valid_key(masterConfig, "internet_max_bandwidth_out")
+
+ masterConfig.public_ip_assigned == true
+ masterConfig.internet_max_bandwidth_out > 0
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.public_ip_assigned", [name]),
+ "searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name, "master_config", "public_ip_assigned"], []),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.public_ip_assigned should equal 'false'", [name]),
+ "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.public_ip_assigned is equal 'true'", [name]),
+ }
+}
+
+CxPolicy[result] {
+ resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name]
+ masterConfig := resource.master_config[index]
+
+ common_lib.valid_key(masterConfig, "public_ip_assigned")
+ common_lib.valid_key(masterConfig, "internet_max_bandwidth_out")
+
+ masterConfig.public_ip_assigned == true
+ masterConfig.internet_max_bandwidth_out > 0
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.public_ip_assigned", [name]),
+ "searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name, "master_config", index, "public_ip_assigned"], []),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.public_ip_assigned should equal 'false'", [name]),
+ "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.public_ip_assigned is equal 'true'", [name]),
+ }
+}
+
+CxPolicy[result] {
+ resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name]
+ masterConfig := resource.master_config
+
+ not common_lib.valid_key(masterConfig, "public_ip_assigned")
+ common_lib.valid_key(masterConfig, "internet_max_bandwidth_out")
+
+ masterConfig.internet_max_bandwidth_out > 0
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.internet_max_bandwidth_out", [name]),
+ "searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name, "master_config", "internet_max_bandwidth_out"], []),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.internet_max_bandwidth_out should equal '0' or undefined", [name]),
+ "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.internet_max_bandwidth_out is not equal '0'", [name]),
+ }
+}
+
+CxPolicy[result] {
+ resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name]
+ masterConfig := resource.master_config[index]
+
+ not common_lib.valid_key(masterConfig, "public_ip_assigned")
+ common_lib.valid_key(masterConfig, "internet_max_bandwidth_out")
+
+ masterConfig.internet_max_bandwidth_out > 0
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.internet_max_bandwidth_out", [name]),
+ "searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name, "master_config", index, "internet_max_bandwidth_out"], []),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.internet_max_bandwidth_out should equal '0' or null", [name]),
+ "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.internet_max_bandwidth_out is not equal '0'", [name]),
+ }
+}
+
+# worker_config
+CxPolicy[result] {
+ resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name]
+ workerConfig := resource.worker_config
+
+ common_lib.valid_key(workerConfig, "public_ip_assigned")
+ common_lib.valid_key(workerConfig, "internet_max_bandwidth_out")
+
+ workerConfig.public_ip_assigned == true
+ workerConfig.internet_max_bandwidth_out > 0
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.public_ip_assigned", [name]),
+ "searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name, "worker_config", "public_ip_assigned"], []),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.public_ip_assigned should equal 'false'", [name]),
+ "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.public_ip_assigned is equal 'true'", [name]),
+ }
+}
+
+CxPolicy[result] {
+ resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name]
+ workerConfig := resource.worker_config[index]
+
+ common_lib.valid_key(workerConfig, "public_ip_assigned")
+ common_lib.valid_key(workerConfig, "internet_max_bandwidth_out")
+
+ workerConfig.public_ip_assigned == true
+ workerConfig.internet_max_bandwidth_out > 0
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.public_ip_assigned", [name]),
+ "searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name, "worker_config", index, "public_ip_assigned"], []),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.public_ip_assigned should equal 'false'", [name]),
+ "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.public_ip_assigned is equal 'true'", [name]),
+ }
+}
+
+CxPolicy[result] {
+ resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name]
+ workerConfig := resource.worker_config
+
+ not common_lib.valid_key(workerConfig, "public_ip_assigned")
+ common_lib.valid_key(workerConfig, "internet_max_bandwidth_out")
+
+ workerConfig.internet_max_bandwidth_out > 0
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.internet_max_bandwidth_out", [name]),
+ "searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name, "worker_config", "internet_max_bandwidth_out"], []),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.internet_max_bandwidth_out should equal '0' or undefined", [name]),
+ "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.internet_max_bandwidth_out is not equal '0'", [name]),
+ }
+}
+
+CxPolicy[result] {
+ resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name]
+ workerConfig := resource.worker_config[index]
+
+ not common_lib.valid_key(workerConfig, "public_ip_assigned")
+ common_lib.valid_key(workerConfig, "internet_max_bandwidth_out")
+
+ workerConfig.internet_max_bandwidth_out > 0
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.internet_max_bandwidth_out", [name]),
+ "searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name, "worker_config", index, "internet_max_bandwidth_out"], []),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.internet_max_bandwidth_out should equal '0' or null", [name]),
+ "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.internet_max_bandwidth_out is not equal '0'", [name]),
+ }
+}
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/negative1.tf b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/negative1.tf
new file mode 100644
index 00000000000..cc6d68d57d8
--- /dev/null
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/negative1.tf
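Review bot: The `keyExpectedValue` wording for the missing-`public_ip_assigned` rules is inconsistent between the single-block and indexed variants: the single-block rules say `should equal '0' or undefined` while the indexed ones say `should equal '0' or null`, for both master_config and worker_config, so the same condition produces two different finding texts. The eight rule bodies differ only in the block name and in whether an index is used; iterating the block name with `blockName := ["master_config", "worker_config"][_]` and `cfg := resource[blockName]` halves the file and removes the risk of the two halves drifting, as sketched below for the first rule. Separately, every fixture sets `cluster_internet = true` only in the positive cases, yet no rule reads `cluster_internet`; if exposure of the cluster API endpoint is meant to be in scope it needs its own rule (or its own query), and if not, the fixtures should not vary it, since a reader will otherwise assume it contributes to the finding.
```rego
# master_config / worker_config as a single block
CxPolicy[result] {
	resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name]
	blockName := ["master_config", "worker_config"][_]
	cfg := resource[blockName]

	common_lib.valid_key(cfg, "public_ip_assigned")
	common_lib.valid_key(cfg, "internet_max_bandwidth_out")

	cfg.public_ip_assigned == true
	cfg.internet_max_bandwidth_out > 0

	result := {
		"documentId": input.document[i].id,
		"resourceType": "tencentcloud_kubernetes_cluster",
		"resourceName": tf_lib.get_resource_name(resource, name),
		"searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].%s.public_ip_assigned", [name, blockName]),
		"searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name, blockName, "public_ip_assigned"], []),
		"issueType": "IncorrectValue",
		"keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].%s.public_ip_assigned should equal 'false'", [name, blockName]),
		"keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].%s.public_ip_assigned is equal 'true'", [name, blockName]),
	}
}

# … unchanged in shape: the indexed variant uses cfg := resource[blockName][index] and adds index to searchLine;
# … the two missing-key variants keep `not common_lib.valid_key(cfg, "public_ip_assigned")` with one agreed wording …
```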
@@ -0,0 +1,95 @@ +locals { + first_vpc_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.vpc_id + first_subnet_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.subnet_id + second_vpc_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.vpc_id + second_subnet_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.subnet_id + sg_id = tencentcloud_security_group.sg.id + image_id = data.tencentcloud_images.default.image_id +} + +data "tencentcloud_vpc_subnets" "vpc_one" { + is_default = true + availability_zone = "ap-guangzhou-3" +} + +data "tencentcloud_vpc_subnets" "vpc_two" { + is_default = true + availability_zone = "ap-guangzhou-4" +} + +resource "tencentcloud_security_group" "sg" { + name = "tf-example-sg" +} + +resource "tencentcloud_security_group_lite_rule" "sg_rule" { + security_group_id = tencentcloud_security_group.sg.id + + ingress = [ + "ACCEPT#10.0.0.0/16#ALL#ALL", + "ACCEPT#172.16.0.0/22#ALL#ALL", + "DROP#0.0.0.0/0#ALL#ALL", + ] + + egress = [ + "ACCEPT#172.16.0.0/22#ALL#ALL", + ] +} + +data "tencentcloud_images" "default" { + image_type = ["PUBLIC_IMAGE"] + image_name_regex = "Final" +} + +resource "tencentcloud_kubernetes_cluster" "example" { + vpc_id = local.first_vpc_id + cluster_cidr = "10.31.0.0/16" + cluster_max_pod_num = 32 + cluster_name = "tf_example_cluster" + cluster_desc = "example for tke cluster" + cluster_max_service_num = 32 + cluster_internet = false + cluster_internet_security_group = local.sg_id + cluster_version = "1.22.5" + cluster_deploy_type = "MANAGED_CLUSTER" + + master_config { + count = 1 + availability_zone = "ap-guangzhou-3" + instance_type = "SA2.2XLARGE16" + system_disk_type = "CLOUD_SSD" + system_disk_size = 60 + subnet_id = local.first_subnet_id + img_id = local.image_id + + data_disk { + disk_type = "CLOUD_PREMIUM" + disk_size = 50 + } + + enhanced_security_service = false + enhanced_monitor_service = false + } + + worker_config { + count = 1 + availability_zone = "ap-guangzhou-4" + 
instance_type = "SA2.2XLARGE16" + system_disk_type = "CLOUD_SSD" + system_disk_size = 60 + subnet_id = local.second_subnet_id + + data_disk { + disk_type = "CLOUD_PREMIUM" + disk_size = 50 + } + + enhanced_security_service = false + enhanced_monitor_service = false + cam_role_name = "CVM_QcsRole" + } + + labels = { + "test1" = "test1", + "test2" = "test2", + } +} diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/negative2.tf b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/negative2.tf new file mode 100644 index 00000000000..c49fb9eefce --- /dev/null +++ b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/negative2.tf 
@@ -0,0 +1,97 @@ +locals { + first_vpc_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.vpc_id + first_subnet_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.subnet_id + second_vpc_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.vpc_id + second_subnet_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.subnet_id + sg_id = tencentcloud_security_group.sg.id + image_id = data.tencentcloud_images.default.image_id +} + +data "tencentcloud_vpc_subnets" "vpc_one" { + is_default = true + availability_zone = "ap-guangzhou-3" +} + +data "tencentcloud_vpc_subnets" "vpc_two" { + is_default = true + availability_zone = "ap-guangzhou-4" +} + +resource "tencentcloud_security_group" "sg" { + name = "tf-example-sg" +} + +resource "tencentcloud_security_group_lite_rule" "sg_rule" { + security_group_id = tencentcloud_security_group.sg.id + + ingress = [ + "ACCEPT#10.0.0.0/16#ALL#ALL", + "ACCEPT#172.16.0.0/22#ALL#ALL", + "DROP#0.0.0.0/0#ALL#ALL", + ] + + egress = [ + "ACCEPT#172.16.0.0/22#ALL#ALL", + ] +} + +data "tencentcloud_images" "default" { + image_type = ["PUBLIC_IMAGE"] + image_name_regex = "Final" +} + +resource "tencentcloud_kubernetes_cluster" "example" { + vpc_id = local.first_vpc_id + cluster_cidr = "10.31.0.0/16" + cluster_max_pod_num = 32 + cluster_name = "tf_example_cluster" + cluster_desc = "example for tke cluster" + cluster_max_service_num = 32 + cluster_internet = false + cluster_internet_security_group = local.sg_id + cluster_version = "1.22.5" + cluster_deploy_type = "MANAGED_CLUSTER" + + master_config { + count = 1 + availability_zone = "ap-guangzhou-3" + instance_type = "SA2.2XLARGE16" + system_disk_type = "CLOUD_SSD" + system_disk_size = 60 + public_ip_assigned = false + subnet_id = local.first_subnet_id + img_id = local.image_id + + data_disk { + disk_type = "CLOUD_PREMIUM" + disk_size = 50 + } + + enhanced_security_service = false + enhanced_monitor_service = false + } + + worker_config { + count = 1 + availability_zone 
= "ap-guangzhou-4" + instance_type = "SA2.2XLARGE16" + system_disk_type = "CLOUD_SSD" + system_disk_size = 60 + public_ip_assigned = false + subnet_id = local.second_subnet_id + + data_disk { + disk_type = "CLOUD_PREMIUM" + disk_size = 50 + } + + enhanced_security_service = false + enhanced_monitor_service = false + cam_role_name = "CVM_QcsRole" + } + + labels = { + "test1" = "test1", + "test2" = "test2", + } +} diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive1.tf b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive1.tf new file mode 100644 index 00000000000..dc8abbdbe8c --- /dev/null +++ b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive1.tf 
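Review bot: The negative fixtures cover a block with neither attribute (negative1.tf, L13–L14) and `public_ip_assigned = false` without any bandwidth setting (this file), but none covers `public_ip_assigned = false` together with `internet_max_bandwidth_out = 100`, which the query accepts because the bandwidth-only rules require `public_ip_assigned` to be absent. A third negative that adds `internet_max_bandwidth_out = 100` next to the existing `public_ip_assigned = false` in both `master_config` and `worker_config` would pin that precedence against a later tightening of the rules. The security-group and data-source boilerplate could be trimmed in these fixtures, since the query only reads the cluster resource, but that is cosmetic.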
@@ -0,0 +1,101 @@ +locals { + first_vpc_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.vpc_id + first_subnet_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.subnet_id + second_vpc_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.vpc_id + second_subnet_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.subnet_id + sg_id = tencentcloud_security_group.sg.id + image_id = data.tencentcloud_images.default.image_id +} + +data "tencentcloud_vpc_subnets" "vpc_one" { + is_default = true + availability_zone = "ap-guangzhou-3" +} + +data "tencentcloud_vpc_subnets" "vpc_two" { + is_default = true + availability_zone = "ap-guangzhou-4" +} + +resource "tencentcloud_security_group" "sg" { + name = "tf-example-sg" +} + +resource "tencentcloud_security_group_lite_rule" "sg_rule" { + security_group_id = tencentcloud_security_group.sg.id + + ingress = [ + "ACCEPT#10.0.0.0/16#ALL#ALL", + "ACCEPT#172.16.0.0/22#ALL#ALL", + "DROP#0.0.0.0/0#ALL#ALL", + ] + + egress = [ + "ACCEPT#172.16.0.0/22#ALL#ALL", + ] +} + +data "tencentcloud_images" "default" { + image_type = ["PUBLIC_IMAGE"] + image_name_regex = "Final" +} + +resource "tencentcloud_kubernetes_cluster" "example" { + vpc_id = local.first_vpc_id + cluster_cidr = "10.31.0.0/16" + cluster_max_pod_num = 32 + cluster_name = "tf_example_cluster" + cluster_desc = "example for tke cluster" + cluster_max_service_num = 32 + cluster_internet = true + cluster_internet_security_group = local.sg_id + cluster_version = "1.22.5" + cluster_deploy_type = "MANAGED_CLUSTER" + + master_config { + count = 1 + availability_zone = "ap-guangzhou-3" + instance_type = "SA2.2XLARGE16" + system_disk_type = "CLOUD_SSD" + system_disk_size = 60 + internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR" + internet_max_bandwidth_out = 100 + public_ip_assigned = true + subnet_id = local.first_subnet_id + img_id = local.image_id + + data_disk { + disk_type = "CLOUD_PREMIUM" + disk_size = 50 + } + + enhanced_security_service = false + 
enhanced_monitor_service = false + } + + worker_config { + count = 1 + availability_zone = "ap-guangzhou-4" + instance_type = "SA2.2XLARGE16" + system_disk_type = "CLOUD_SSD" + system_disk_size = 60 + internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR" + internet_max_bandwidth_out = 100 + public_ip_assigned = true + subnet_id = local.second_subnet_id + + data_disk { + disk_type = "CLOUD_PREMIUM" + disk_size = 50 + } + + enhanced_security_service = false + enhanced_monitor_service = false + cam_role_name = "CVM_QcsRole" + } + + labels = { + "test1" = "test1", + "test2" = "test2", + } +} diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive2.tf b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive2.tf new file mode 100644 index 00000000000..0e6df760865 --- /dev/null +++ b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive2.tf 
@@ -0,0 +1,100 @@ +locals { + first_vpc_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.vpc_id + first_subnet_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.subnet_id + second_vpc_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.vpc_id + second_subnet_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.subnet_id + sg_id = tencentcloud_security_group.sg.id + image_id = data.tencentcloud_images.default.image_id +} + +data "tencentcloud_vpc_subnets" "vpc_one" { + is_default = true + availability_zone = "ap-guangzhou-3" +} + +data "tencentcloud_vpc_subnets" "vpc_two" { + is_default = true + availability_zone = "ap-guangzhou-4" +} + +resource "tencentcloud_security_group" "sg" { + name = "tf-example-sg" +} + +resource "tencentcloud_security_group_lite_rule" "sg_rule" { + security_group_id = tencentcloud_security_group.sg.id + + ingress = [ + "ACCEPT#10.0.0.0/16#ALL#ALL", + "ACCEPT#172.16.0.0/22#ALL#ALL", + "DROP#0.0.0.0/0#ALL#ALL", + ] + + egress = [ + "ACCEPT#172.16.0.0/22#ALL#ALL", + ] +} + +data "tencentcloud_images" "default" { + image_type = ["PUBLIC_IMAGE"] + image_name_regex = "Final" +} + +resource "tencentcloud_kubernetes_cluster" "example" { + vpc_id = local.first_vpc_id + cluster_cidr = "10.31.0.0/16" + cluster_max_pod_num = 32 + cluster_name = "tf_example_cluster" + cluster_desc = "example for tke cluster" + cluster_max_service_num = 32 + cluster_internet = true + cluster_internet_security_group = local.sg_id + cluster_version = "1.22.5" + cluster_deploy_type = "MANAGED_CLUSTER" + + master_config { + count = 1 + availability_zone = "ap-guangzhou-3" + instance_type = "SA2.2XLARGE16" + system_disk_type = "CLOUD_SSD" + system_disk_size = 60 + internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR" + internet_max_bandwidth_out = 100 + subnet_id = local.first_subnet_id + img_id = local.image_id + + data_disk { + disk_type = "CLOUD_PREMIUM" + disk_size = 50 + } + + enhanced_security_service = false + enhanced_monitor_service = 
false + user_data = "dGVzdA==" + } + + worker_config { + count = 1 + availability_zone = "ap-guangzhou-4" + instance_type = "SA2.2XLARGE16" + system_disk_type = "CLOUD_SSD" + system_disk_size = 60 + internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR" + internet_max_bandwidth_out = 100 + subnet_id = local.second_subnet_id + + data_disk { + disk_type = "CLOUD_PREMIUM" + disk_size = 50 + } + + enhanced_security_service = false + enhanced_monitor_service = false + cam_role_name = "CVM_QcsRole" + } + + labels = { + "test1" = "test1", + "test2" = "test2", + } +} diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive3.tf b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive3.tf new file mode 100644 index 00000000000..89358439d90 --- /dev/null +++ b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive3.tf 
@@ -0,0 +1,143 @@
+locals {
+ first_vpc_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.vpc_id
+ first_subnet_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.subnet_id
+ second_vpc_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.vpc_id
+ second_subnet_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.subnet_id
+ sg_id = tencentcloud_security_group.sg.id
+ image_id = data.tencentcloud_images.default.image_id
+}
+
+data "tencentcloud_vpc_subnets" "vpc_one" {
+ is_default = true
+ availability_zone = "ap-guangzhou-3"
+}
+
+data "tencentcloud_vpc_subnets" "vpc_two" {
+ is_default = true
+ availability_zone = "ap-guangzhou-4"
+}
+
+resource "tencentcloud_security_group" "sg" {
+ name = "tf-example-sg"
+}
+
+resource "tencentcloud_security_group_lite_rule" "sg_rule" {
+ security_group_id = tencentcloud_security_group.sg.id
+
+ ingress = [
+ "ACCEPT#10.0.0.0/16#ALL#ALL",
+ "ACCEPT#172.16.0.0/22#ALL#ALL",
+ "DROP#0.0.0.0/0#ALL#ALL",
+ ]
+
+ egress = [
+ "ACCEPT#172.16.0.0/22#ALL#ALL",
+ ]
+}
+
+data "tencentcloud_images" "default" {
+ image_type = ["PUBLIC_IMAGE"]
+ image_name_regex = "Final"
+}
+
+resource "tencentcloud_kubernetes_cluster" "example" {
+ vpc_id = local.first_vpc_id
+ cluster_cidr = "10.31.0.0/16"
+ cluster_max_pod_num = 32
+ cluster_name = "tf_example_cluster"
+ cluster_desc = "example for tke cluster"
+ cluster_max_service_num = 32
+ cluster_internet = true
+ cluster_internet_security_group = local.sg_id
+ cluster_version = "1.22.5"
+ cluster_deploy_type = "MANAGED_CLUSTER"
+
+ master_config {
+ count = 1
+ availability_zone = "ap-guangzhou-3"
+ instance_type = "SA2.2XLARGE16"
+ system_disk_type = "CLOUD_SSD"
+ system_disk_size = 60
+ internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR"
+ internet_max_bandwidth_out = 100
+ public_ip_assigned = true
+ subnet_id = local.first_subnet_id
+ img_id = local.image_id
+
+ data_disk {
+ disk_type = "CLOUD_PREMIUM"
+ disk_size = 50
+ }
+
+ enhanced_security_service = false
+ enhanced_monitor_service = false
+ }
+
+ master_config {
+ count = 1
+ availability_zone = "ap-guangzhou-3"
+ instance_type = "SA2.2XLARGE16"
+ system_disk_type = "CLOUD_SSD"
+ system_disk_size = 60
+ internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR"
+ internet_max_bandwidth_out = 100
+ public_ip_assigned = true
+ subnet_id = local.first_subnet_id
+ img_id = local.image_id
+
+ data_disk {
+ disk_type = "CLOUD_PREMIUM"
+ disk_size = 50
+ }
+
+ enhanced_security_service = false
+ enhanced_monitor_service = false
+ }
+
+ worker_config {
+ count = 1
+ availability_zone = "ap-guangzhou-4"
+ instance_type = "SA2.2XLARGE16"
+ system_disk_type = "CLOUD_SSD"
+ system_disk_size = 60
+ internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR"
+ internet_max_bandwidth_out = 100
+ public_ip_assigned = true
+ subnet_id = local.second_subnet_id
+
+ data_disk {
+ disk_type = "CLOUD_PREMIUM"
+ disk_size = 50
+ }
+
+ enhanced_security_service = false
+ enhanced_monitor_service = false
+ cam_role_name = "CVM_QcsRole"
+ }
+
+ worker_config {
+ count = 1
+ availability_zone = "ap-guangzhou-4"
+ instance_type = "SA2.2XLARGE16"
+ system_disk_type = "CLOUD_SSD"
+ system_disk_size = 60
+ internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR"
+ internet_max_bandwidth_out = 100
+ public_ip_assigned = true
+ subnet_id = local.second_subnet_id
+
+ data_disk {
+ disk_type = "CLOUD_PREMIUM"
+ disk_size = 50
+ }
+
+ enhanced_security_service = false
+ enhanced_monitor_service = false
+ cam_role_name = "CVM_QcsRole"
+ }
+
+ labels = {
+ "test1" = "test1",
+ "test2" = "test2",
+ }
+}
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive4.tf b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive4.tf
new file mode 100644
index 00000000000..e0661eeb3e5
--- /dev/null
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive4.tf
@@ -0,0 +1,141 @@
+locals {
+ first_vpc_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.vpc_id
+ first_subnet_id = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.subnet_id
+ second_vpc_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.vpc_id
+ second_subnet_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.subnet_id
+ sg_id = tencentcloud_security_group.sg.id
+ image_id = data.tencentcloud_images.default.image_id
+}
+
+data "tencentcloud_vpc_subnets" "vpc_one" {
+ is_default = true
+ availability_zone = "ap-guangzhou-3"
+}
+
+data "tencentcloud_vpc_subnets" "vpc_two" {
+ is_default = true
+ availability_zone = "ap-guangzhou-4"
+}
+
+resource "tencentcloud_security_group" "sg" {
+ name = "tf-example-sg"
+}
+
+resource "tencentcloud_security_group_lite_rule" "sg_rule" {
+ security_group_id = tencentcloud_security_group.sg.id
+
+ ingress = [
+ "ACCEPT#10.0.0.0/16#ALL#ALL",
+ "ACCEPT#172.16.0.0/22#ALL#ALL",
+ "DROP#0.0.0.0/0#ALL#ALL",
+ ]
+
+ egress = [
+ "ACCEPT#172.16.0.0/22#ALL#ALL",
+ ]
+}
+
+data "tencentcloud_images" "default" {
+ image_type = ["PUBLIC_IMAGE"]
+ image_name_regex = "Final"
+}
+
+resource "tencentcloud_kubernetes_cluster" "example" {
+ vpc_id = local.first_vpc_id
+ cluster_cidr = "10.31.0.0/16"
+ cluster_max_pod_num = 32
+ cluster_name = "tf_example_cluster"
+ cluster_desc = "example for tke cluster"
+ cluster_max_service_num = 32
+ cluster_internet = true
+ cluster_internet_security_group = local.sg_id
+ cluster_version = "1.22.5"
+ cluster_deploy_type = "MANAGED_CLUSTER"
+
+ master_config {
+ count = 1
+ availability_zone = "ap-guangzhou-3"
+ instance_type = "SA2.2XLARGE16"
+ system_disk_type = "CLOUD_SSD"
+ system_disk_size = 60
+ internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR"
+ internet_max_bandwidth_out = 100
+ subnet_id = local.first_subnet_id
+ img_id = local.image_id
+
+ data_disk {
+ disk_type = "CLOUD_PREMIUM"
+ disk_size = 50
+ }
+
+ enhanced_security_service = false
+ enhanced_monitor_service = false
+ user_data = "dGVzdA=="
+ }
+
+ master_config {
+ count = 1
+ availability_zone = "ap-guangzhou-3"
+ instance_type = "SA2.2XLARGE16"
+ system_disk_type = "CLOUD_SSD"
+ system_disk_size = 60
+ internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR"
+ internet_max_bandwidth_out = 100
+ subnet_id = local.first_subnet_id
+ img_id = local.image_id
+
+ data_disk {
+ disk_type = "CLOUD_PREMIUM"
+ disk_size = 50
+ }
+
+ enhanced_security_service = false
+ enhanced_monitor_service = false
+ user_data = "dGVzdA=="
+ }
+
+ worker_config {
+ count = 1
+ availability_zone = "ap-guangzhou-4"
+ instance_type = "SA2.2XLARGE16"
+ system_disk_type = "CLOUD_SSD"
+ system_disk_size = 60
+ internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR"
+ internet_max_bandwidth_out = 100
+ subnet_id = local.second_subnet_id
+
+ data_disk {
+ disk_type = "CLOUD_PREMIUM"
+ disk_size = 50
+ }
+
+ enhanced_security_service = false
+ enhanced_monitor_service = false
+ cam_role_name = "CVM_QcsRole"
+ }
+
+ worker_config {
+ count = 1
+ availability_zone = "ap-guangzhou-4"
+ instance_type = "SA2.2XLARGE16"
+ system_disk_type = "CLOUD_SSD"
+ system_disk_size = 60
+ internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR"
+ internet_max_bandwidth_out = 100
+ subnet_id = local.second_subnet_id
+
+ data_disk {
+ disk_type = "CLOUD_PREMIUM"
+ disk_size = 50
+ }
+
+ enhanced_security_service = false
+ enhanced_monitor_service = false
+ cam_role_name = "CVM_QcsRole"
+ }
+
+ labels = {
+ "test1" = "test1",
+ "test2" = "test2",
+ }
+}
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive_expected_result.json
new file mode 100644
index 00000000000..7e2b7298290
--- /dev/null
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive_expected_result.json
@@ -0,0 +1,74 @@
+[
+ {
+ "queryName": "(Beta) TKE Cluster Has Public Access",
+ "severity": "MEDIUM",
+ "line": 63,
+ "fileName": "positive1.tf"
+ },
+ {
+ "queryName": "(Beta) TKE Cluster Has Public Access",
+ "severity": "MEDIUM",
+ "line": 84,
+ "fileName": "positive1.tf"
+ },
+ {
+ "queryName": "(Beta) TKE Cluster Has Public Access",
+ "severity": "MEDIUM",
+ "line": 62,
+ "fileName": "positive2.tf"
+ },
+ {
+ "queryName": "(Beta) TKE Cluster Has Public Access",
+ "severity": "MEDIUM",
+ "line": 83,
+ "fileName": "positive2.tf"
+ },
+ {
+ "queryName": "(Beta) TKE Cluster Has Public Access",
+ "severity": "MEDIUM",
+ "line": 63,
+ "fileName": "positive3.tf"
+ },
+ {
+ "queryName": "(Beta) TKE Cluster Has Public Access",
+ "severity": "MEDIUM",
+ "line": 84,
+ "fileName": "positive3.tf"
+ },
+ {
+ "queryName": "(Beta) TKE Cluster Has Public Access",
+ "severity": "MEDIUM",
+ "line": 105,
+ "fileName": "positive3.tf"
+ },
+ {
+ "queryName": "(Beta) TKE Cluster Has Public Access",
+ "severity": "MEDIUM",
+ "line": 126,
+ "fileName": "positive3.tf"
+ },
+ {
+ "queryName": "(Beta) TKE Cluster Has Public Access",
+ "severity": "MEDIUM",
+ "line": 62,
+ "fileName": "positive4.tf"
+ },
+ {
+ "queryName": "(Beta) TKE Cluster Has Public Access",
+ "severity": "MEDIUM",
+ "line": 83,
+ "fileName": "positive4.tf"
+ },
+ {
+ "queryName": "(Beta) TKE Cluster Has Public Access",
+ "severity": "MEDIUM",
+ "line": 104,
+ "fileName": "positive4.tf"
+ },
+ {
+ "queryName": "(Beta) TKE Cluster Has Public Access",
+ "severity": "MEDIUM",
+ "line": 124,
+ "fileName": "positive4.tf"
+ }
+]
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/metadata.json b/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/metadata.json
new file mode 100644
index 00000000000..b6930bc5509
--- /dev/null
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/metadata.json
@@ -0,0 +1,12 @@
+{
+ "id": "fe405074-7e18-40f9-9aef-024aa1d0a889",
+ "queryName": "(Beta) TKE Cluster Log Agent Is Not Enabled",
+ "severity": "LOW",
+ "category": "Observability",
+ "descriptionText": "TKE cluster log agent should be enabled",
+ "descriptionUrl": "https://registry.terraform.io/providers/tencentcloudstack/tencentcloud/latest/docs/resources/kubernetes_cluster#log_agent",
+ "platform": "Terraform",
+ "descriptionID": "86b32da4",
+ "cloudProvider": "tencentcloud",
+ "cwe": ""
+}
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/query.rego b/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/query.rego
new file mode 100644
index 00000000000..b382ebcbc66
--- /dev/null
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/query.rego
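Review bot: The new metadata leaves `"cwe": ""` empty even though the query has a natural weakness mapping; a missing or disabled log agent is conventionally tied to CWE-778 (Insufficient Logging). If the other tencentcloud metadata files in this directory (not in this view) populate the field, set `"cwe": "778"` here so the finding carries the same classification data as its siblings.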
@@ -0,0 +1,39 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+ cluster := input.document[i].resource.tencentcloud_kubernetes_cluster[name]
+ not common_lib.valid_key(cluster, "log_agent")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": tf_lib.get_resource_name(cluster, name),
+ "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s]", [name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": "'log_agent' should be defined and not null",
+ "keyActualValue": "'log_agent' is undefined or null",
+ "searchLine":common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name], []),
+ }
+}
+
+CxPolicy[result] {
+ cluster := input.document[i].resource.tencentcloud_kubernetes_cluster[name]
+ common_lib.valid_key(cluster, "log_agent")
+
+ log_agent := cluster.log_agent
+ log_agent.enabled == false
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": tf_lib.get_resource_name(cluster, name),
+ "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].log_agent.enabled", [name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].log_agent.enabled should be 'true'", [name]),
+ "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].log_agent.enabled is not 'true'", [name]),
+ "searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name, "log_agent", "enabled"], []),
+ }
+}
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test/negative1.tf b/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test/negative1.tf
new file mode 100644
index 00000000000..a7ac85e251d
--- /dev/null
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test/negative1.tf
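Review bot: A `log_agent {}` block that omits `enabled` matches neither rule, because the first rule only tests for the key and the second requires `log_agent.enabled == false`, so such a cluster passes silently; if `enabled` is optional in the provider schema, `not log_agent.enabled` in the second rule would also cover the missing value, and a `searchLine` without the `enabled` element would then be needed for that case. The second rule also only handles `cluster.log_agent` as a single object, whereas the sibling tke_cluster_has_public_access query in this series carries both a plain and an `[index]` variant for `master_config` and `worker_config`; if the parser ever yields `log_agent` as a list, an indexed variant `log_agent := cluster.log_agent[index]` with `index` in the `searchLine` would be required here too. Minor style: the first rule writes `"searchLine":common_lib.build_search_line(` with no space after the colon while the second writes `"searchLine": common_lib.build_search_line(`.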
@@ -0,0 +1,46 @@
+resource "tencentcloud_vpc" "vpc" {
+ name = "vpc"
+ cidr_block = "10.0.0.0/16"
+}
+
+resource "tencentcloud_kubernetes_cluster" "managed_cluster" {
+ vpc_id = tencentcloud_vpc.vpc.id
+ cluster_max_pod_num = 32
+ cluster_name = "test"
+ cluster_desc = "test cluster desc"
+ cluster_max_service_num = 256
+ cluster_internet = true
+ cluster_deploy_type = "MANAGED_CLUSTER"
+ network_type = "VPC-CNI"
+ eni_subnet_ids = ["subnet-bk1etlyu"]
+ service_cidr = "10.1.0.0/24"
+
+ worker_config {
+ count = 1
+ availability_zone = "ap-guangzhou-7"
+ instance_type = "S2.LARGE16"
+ system_disk_type = "CLOUD_PREMIUM"
+ system_disk_size = 60
+ internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR"
+ internet_max_bandwidth_out = 100
+ public_ip_assigned = true
+ subnet_id = "subnet-t5dv27rs"
+
+ data_disk {
+ disk_type = "CLOUD_PREMIUM"
+ disk_size = 50
+ }
+
+ enhanced_security_service = false
+ enhanced_monitor_service = false
+ }
+
+ log_agent {
+ enabled = true
+ }
+
+ labels = {
+ "test1" = "test1",
+ "test2" = "test2",
+ }
+}
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test/positive1.tf b/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test/positive1.tf
new file mode 100644
index 00000000000..0c3c0642790
--- /dev/null
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test/positive1.tf
@@ -0,0 +1,46 @@
+resource "tencentcloud_vpc" "vpc" {
+ name = "vpc"
+ cidr_block = "10.0.0.0/16"
+}
+
+resource "tencentcloud_kubernetes_cluster" "managed_cluster" {
+ vpc_id = tencentcloud_vpc.vpc.id
+ cluster_max_pod_num = 32
+ cluster_name = "test"
+ cluster_desc = "test cluster desc"
+ cluster_max_service_num = 256
+ cluster_internet = true
+ cluster_deploy_type = "MANAGED_CLUSTER"
+ network_type = "VPC-CNI"
+ eni_subnet_ids = ["subnet-bk1etlyu"]
+ service_cidr = "10.1.0.0/24"
+
+ worker_config {
+ count = 1
+ availability_zone = "ap-guangzhou-7"
+ instance_type = "S2.LARGE16"
+ system_disk_type = "CLOUD_PREMIUM"
+ system_disk_size = 60
+ internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR"
+ internet_max_bandwidth_out = 100
+ public_ip_assigned = true
+ subnet_id = "subnet-t5dv27rs"
+
+ data_disk {
+ disk_type = "CLOUD_PREMIUM"
+ disk_size = 50
+ }
+
+ enhanced_security_service = false
+ enhanced_monitor_service = false
+ }
+
+ log_agent {
+ enabled = false
+ }
+
+ labels = {
+ "test1" = "test1",
+ "test2" = "test2",
+ }
+}
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test/positive2.tf b/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test/positive2.tf
new file mode 100644
index 00000000000..679ce2215de
--- /dev/null
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test/positive2.tf
@@ -0,0 +1,42 @@
+resource "tencentcloud_vpc" "vpc" {
+ name = "vpc"
+ cidr_block = "10.0.0.0/16"
+}
+
+resource "tencentcloud_kubernetes_cluster" "managed_cluster" {
+ vpc_id = tencentcloud_vpc.vpc.id
+ cluster_max_pod_num = 32
+ cluster_name = "test"
+ cluster_desc = "test cluster desc"
+ cluster_max_service_num = 256
+ cluster_internet = true
+ cluster_deploy_type = "MANAGED_CLUSTER"
+ network_type = "VPC-CNI"
+ eni_subnet_ids = ["subnet-bk1etlyu"]
+ service_cidr = "10.1.0.0/24"
+
+ worker_config {
+ count = 1
+ availability_zone = "ap-guangzhou-7"
+ instance_type = "S2.LARGE16"
+ system_disk_type = "CLOUD_PREMIUM"
+ system_disk_size = 60
+ internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR"
+ internet_max_bandwidth_out = 100
+ public_ip_assigned = true
+ subnet_id = "subnet-t5dv27rs"
+
+ data_disk {
+ disk_type = "CLOUD_PREMIUM"
+ disk_size = 50
+ }
+
+ enhanced_security_service = false
+ enhanced_monitor_service = false
+ }
+
+ labels = {
+ "test1" = "test1",
+ "test2" = "test2",
+ }
+}
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test/positive_expected_result.json
new file mode 100644
index 00000000000..1355b149e38
--- /dev/null
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test/positive_expected_result.json
@@ -0,0 +1,14 @@
+[
+ {
+ "queryName": "(Beta) TKE Cluster Log Agent Is Not Enabled",
+ "severity": "LOW",
+ "line": 39,
+ "filename": "positive1.tf"
+ },
+ {
+ "queryName": "(Beta) TKE Cluster Log Agent Is Not Enabled",
+ "severity": "LOW",
+ "line": 6,
+ "filename": "positive2.tf"
+ }
+]
From 3fc94c184e981a762d1bdbc0e043ee4822c91470 Mon Sep 17 00:00:00 2001
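Review bot: The two expected-result entries in positive_expected_result.json use the key `"filename"`, whereas the positive_expected_result.json added for tke_cluster_has_public_access earlier in this same patch uses `"fileName"`. If the test harness matches that key case-sensitively, these entries would not be associated with their fixture files and the positive tests could pass or fail for the wrong reason. Change them to `"fileName": "positive1.tf"` and `"fileName": "positive2.tf"` so the two new expected-result files agree.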
From: Artur Ribeiro <153724638+ArturRibeiro-CX@users.noreply.github.com>
Date: Tue, 18 Jun 2024 09:30:03 +0100
Subject: [PATCH 02/11] update tke_cluster_encryption_protection_disabled expected value
---
 .../tke_cluster_encryption_protection_disabled/query.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/query.rego b/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/query.rego
index 35bcad028d9..7772b97561b 100644
--- a/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/query.rego
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/query.rego
@@ -13,7 +13,7 @@ CxPolicy[result] {
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s]", [name]),
 "issueType": "MissingAttribute",
- "keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s] should has 'tencentcloud_kubernetes_encryption_protection'", [name]),
+ "keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s] should have 'tencentcloud_kubernetes_encryption_protection' enabled", [name]),
 "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s] does not have 'tencentcloud_kubernetes_encryption_protection'", [name]),
 "searchLine":common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name], []),
 }
From 9fb3ead49863f148e806ca9b96eb171a2214ab69 Mon Sep 17 00:00:00 2001
From: Artur Ribeiro <153724638+ArturRibeiro-CX@users.noreply.github.com>
Date: Tue, 18 Jun 2024 09:30:42 +0100
Subject: [PATCH 03/11] update tke_cluster_encryption_protection_disabled actual value
---
 .../tke_cluster_encryption_protection_disabled/query.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/query.rego b/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/query.rego
index 7772b97561b..c8cb4adf142 100644
--- a/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/query.rego
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/query.rego
@@ -14,7 +14,7 @@ CxPolicy[result] {
 "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s]", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s] should have 'tencentcloud_kubernetes_encryption_protection' enabled", [name]),
- "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s] does not have 'tencentcloud_kubernetes_encryption_protection'", [name]),
+ "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s] does not have 'tencentcloud_kubernetes_encryption_protection' enabled or is undefined", [name]),
 "searchLine":common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name], []),
 }
 }
From 707466e15ce6ff992733bd0634423f65565b1a74 Mon Sep 17 00:00:00 2001
From: Artur Ribeiro <153724638+ArturRibeiro-CX@users.noreply.github.com>
Date: Tue, 18 Jun 2024 09:31:43 +0100
Subject: [PATCH 04/11] update tke_cluster_has_public_access actual value
---
 .../tencentcloud/tke_cluster_has_public_access/query.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego
index 59f335a419f..e8801a22fea 100644
--- a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego
@@ -22,7 +22,7 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name, "master_config", "public_ip_assigned"], []),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.public_ip_assigned should equal 'false'", [name]),
- "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.public_ip_assigned is equal 'true'", [name]),
+ "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.public_ip_assigned is equal to 'true'", [name]),
 }
 }
From 16f086e7e9971dc5627416c4779f84ccf45a300e Mon Sep 17 00:00:00 2001
From: Artur Ribeiro <153724638+ArturRibeiro-CX@users.noreply.github.com>
Date: Tue, 18 Jun 2024 09:33:26 +0100
Subject: [PATCH 05/11] update tke_cluster_has_public_access expected value
---
 .../tencentcloud/tke_cluster_has_public_access/query.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego
index e8801a22fea..f63dd346d81 100644
--- a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego
@@ -21,7 +21,7 @@ CxPolicy[result] {
 "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.public_ip_assigned", [name]),
 "searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name, "master_config", "public_ip_assigned"], []),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.public_ip_assigned should equal 'false'", [name]),
+ "keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.public_ip_assigned should be equal to 'false'", [name]),
 "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.public_ip_assigned is equal to 'true'", [name]),
 }
 }
From 38e02d84297112dab3b667fce4c5963b0c80157e Mon Sep 17 00:00:00 2001
From: Artur Ribeiro <153724638+ArturRibeiro-CX@users.noreply.github.com>
Date: Tue, 18 Jun 2024 09:33:59 +0100
Subject: [PATCH 06/11] update tke_cluster_has_public_access expected value
---
 .../tencentcloud/tke_cluster_has_public_access/query.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego
index f63dd346d81..fe81a41c66b 100644
--- a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego
@@ -43,7 +43,7 @@ CxPolicy[result] {
 "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.public_ip_assigned", [name]),
 "searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name, "master_config", index, "public_ip_assigned"], []),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.public_ip_assigned should equal 'false'", [name]),
+ "keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.public_ip_assigned should be equal to 'false'", [name]),
 "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.public_ip_assigned is equal 'true'", [name]),
 }
 }
From 742e292e6a2b280bb76564f437500c184695e0a1 Mon Sep 17 00:00:00 2001
From: Artur Ribeiro <153724638+ArturRibeiro-CX@users.noreply.github.com>
Date: Tue, 18 Jun 2024 09:34:30 +0100
Subject: [PATCH 07/11] update tke_cluster_has_public_access actual value
---
 .../tencentcloud/tke_cluster_has_public_access/query.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego
index fe81a41c66b..5436b44a4e1 100644
--- a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego
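Review bot: The `keyActualValue` context line in this hunk still reads `is equal 'true'` after the paired `keyExpectedValue` is rewritten to `should be equal to 'false'`, while patch 04 earlier in the series already changed the same phrase in the non-indexed `master_config` rule to `is equal to 'true'`; the two sibling rules now emit differently worded messages for the same finding. Change the line to `"keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.public_ip_assigned is equal to 'true'", [name]),` so the indexed and non-indexed variants stay aligned. The enclosing rule starts outside the hunk.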
@@ -152,7 +152,7 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name, "worker_config", "internet_max_bandwidth_out"], []),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.internet_max_bandwidth_out should equal '0' or undefined", [name]),
- "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.internet_max_bandwidth_out is not equal '0'", [name]),
+ "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.internet_max_bandwidth_out is defined and not equal to '0'", [name]),
 }
 }
From 2d2cfa06ac4a54f0bad51b9ac85a57739f905ecb Mon Sep 17 00:00:00 2001
From: Artur Ribeiro <153724638+ArturRibeiro-CX@users.noreply.github.com>
Date: Tue, 18 Jun 2024 09:35:17 +0100
Subject: [PATCH 08/11] update tke_cluster_has_public_access actual value
---
 .../tencentcloud/tke_cluster_has_public_access/query.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego
index 5436b44a4e1..2f80291d067 100644
--- a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego
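Review bot: The `keyExpectedValue` context line in this hunk keeps the old phrasing `should equal '0' or undefined`, while patch 09 later in the series rewrites the indexed `worker_config` rule to `should be equal to '0' or null`; after the series the two sibling rules describe the same condition with different wording ("undefined" versus "null") and a different verb form. Change this line to `"keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.internet_max_bandwidth_out should be equal to '0' or null", [name]),` so both variants report identically. The enclosing rule starts outside the hunk.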
@@ -173,6 +173,6 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name, "worker_config", index, "internet_max_bandwidth_out"], []),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.internet_max_bandwidth_out should equal '0' or null", [name]),
- "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.internet_max_bandwidth_out is not equal '0'", [name]),
+ "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.internet_max_bandwidth_out is defined and not equal to '0'", [name]),
 }
 }
From 09d214b68089b17285262c6bbe8cf0d557dd6c9c Mon Sep 17 00:00:00 2001
From: Artur Ribeiro <153724638+ArturRibeiro-CX@users.noreply.github.com>
Date: Tue, 18 Jun 2024 09:35:43 +0100
Subject: [PATCH 09/11] update tke_cluster_has_public_access expected value
---
 .../tencentcloud/tke_cluster_has_public_access/query.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego
index 2f80291d067..5b7c03e5096 100644
--- a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego
@@ -172,7 +172,7 @@ CxPolicy[result] {
 "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.internet_max_bandwidth_out", [name]),
 "searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name, "worker_config", index, "internet_max_bandwidth_out"], []),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.internet_max_bandwidth_out should equal '0' or null", [name]),
+ "keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.internet_max_bandwidth_out should be equal to '0' or null", [name]),
 "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.internet_max_bandwidth_out is defined and not equal to '0'", [name]),
 }
 }
From eacc82e9d927e5d6de386dd987d23fb9a7ab8ce0 Mon Sep 17 00:00:00 2001
From: Artur Ribeiro <153724638+ArturRibeiro-CX@users.noreply.github.com>
Date: Tue, 18 Jun 2024 09:36:03 +0100
Subject: [PATCH 10/11] update tke_cluster_log_disabled expected value
---
 .../terraform/tencentcloud/tke_cluster_log_disabled/query.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/query.rego b/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/query.rego
index b382ebcbc66..a243341346c 100644
--- a/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/query.rego
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/query.rego
@@ -32,7 +32,7 @@ CxPolicy[result] {
 "resourceName": tf_lib.get_resource_name(cluster, name),
 "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].log_agent.enabled", [name]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].log_agent.enabled should be 'true'", [name]),
+ "keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].log_agent.enabled should be set to 'true'", [name]),
 "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].log_agent.enabled is not 'true'", [name]),
 "searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name, "log_agent", "enabled"], []),
 }
From 06eecba0a811086339caee1ba63dac0e4d272a30 Mon Sep 17 00:00:00 2001
From: Artur Ribeiro <153724638+ArturRibeiro-CX@users.noreply.github.com>
Date: Tue, 18 Jun 2024 09:36:20 +0100
Subject: [PATCH 11/11] update tke_cluster_log_disabled actual value
---
 .../terraform/tencentcloud/tke_cluster_log_disabled/query.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/query.rego b/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/query.rego
index a243341346c..cf6ecb08826 100644
--- a/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/query.rego
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/query.rego
@@ -33,7 +33,7 @@ CxPolicy[result] {
 "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].log_agent.enabled", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].log_agent.enabled should be set to 'true'", [name]),
- "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].log_agent.enabled is not 'true'", [name]),
+ "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].log_agent.enabled is not set to 'true'", [name]),
 "searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name, "log_agent", "enabled"], []),
 }
 }