diff --git a/avd_docs/oracle/compute/AVD-OCI-0001/docs.md b/avd_docs/oracle/compute/AVD-OCI-0001/docs.md
index da437962..923abdfe 100644
--- a/avd_docs/oracle/compute/AVD-OCI-0001/docs.md
+++ b/avd_docs/oracle/compute/AVD-OCI-0001/docs.md
@@ -3,8 +3,9 @@ Compute instance requests an IP reservation from a public pool The compute instance has the ability to be reached from outside, you might want to sonder the use of a non public IP. + ### Impact -The compute instance has the ability to be reached from outside + {{ remediationActions }}
diff --git a/checks/cloud/oracle/compute/no_public_ip.go b/checks/cloud/oracle/compute/no_public_ip.go
index 2b055b61..628fdc59 100755
--- a/checks/cloud/oracle/compute/no_public_ip.go
+++ b/checks/cloud/oracle/compute/no_public_ip.go
@@ -27,7 +27,8 @@ The compute instance has the ability to be reached from outside, you might want
 Links: terraformNoPublicIpLinks,
 RemediationMarkdown: terraformNoPublicIpRemediationMarkdown,
 },
- Severity: severity.Critical,
+ Severity: severity.Critical,
+ Deprecated: true,
 },
 func(s *state.State) (results scan.Results) {
 for _, reservation := range s.Oracle.Compute.AddressReservations {
diff --git a/checks/cloud/oracle/compute/no_public_ip.rego b/checks/cloud/oracle/compute/no_public_ip.rego
new file mode 100644
index 00000000..9e741fd6
--- /dev/null
+++ b/checks/cloud/oracle/compute/no_public_ip.rego
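Review bot: `Deprecated: true` marks the check for the framework, but the Go declaration it sits in — `CheckNoPublicIp`, going by the removed test file — gets no `// Deprecated:` doc comment, so gopls and staticcheck will not warn anyone who still references it; the declaration starts before this hunk and the evaluation func continues after it. Add above the `var` line `// Deprecated: superseded by the Rego check builtin.oracle.compute.oracle0001 (no_public_ip.rego).` so the tooling surfaces it. Note that with no_public_ip_test.go deleted in this same commit the Go implementation is now untested; if `Deprecated` only hides the check from generated docs rather than stopping it from being evaluated, that comment is also the place to say so.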
@@ -0,0 +1,41 @@
+# METADATA
+# title: Compute instance requests an IP reservation from a public pool
+# description: |
+# Compute instance requests an IP reservation from a public pool
+#
+# The compute instance has the ability to be reached from outside, you might want to sonder the use of a non public IP.
+# scope: package
+# schemas:
+# - input: schema["cloud"]
+# custom:
+# id: AVD-OCI-0001
+# avd_id: AVD-OCI-0001
+# provider: oracle
+# service: compute
+# severity: CRITICAL
+# short_code: no-public-ip
+# recommended_action: Reconsider the use of an public IP
+# input:
+# selector:
+# - type: cloud
+# subtypes:
+# - service: compute
+# provider: oracle
+# terraform:
+# links:
+# - https://registry.terraform.io/providers/hashicorp/opc/latest/docs/resources/opc_compute_ip_address_reservation
+# - https://registry.terraform.io/providers/hashicorp/opc/latest/docs/resources/opc_compute_instance
+# good_examples: checks/cloud/oracle/compute/no_public_ip.tf.go
+# bad_examples: checks/cloud/oracle/compute/no_public_ip.tf.go
+package builtin.oracle.compute.oracle0001
+
+import rego.v1
+
+deny contains res if {
+some reservation in input.oracle.compute.addressreservations
+
+# TODO: future improvement: we need to see what this IP is used for before flagging
+reservation.pool.value == "public-ippool"
+
+res := result.new("Reservation made for public IP address.", reservation.pool)
+}
diff --git a/checks/cloud/oracle/compute/no_public_ip_test.go b/checks/cloud/oracle/compute/no_public_ip_test.go
deleted file mode 100644
index 29c84399..00000000
--- a/checks/cloud/oracle/compute/no_public_ip_test.go
+++ /dev/null
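Review bot: The `description` and `recommended_action` metadata carry over two wording errors that this corpus renders into the user-facing docs (the same sentence appears in the docs.md hunk): "sonder" and "an public IP"; proposed text is `#   The compute instance can be reached from outside; consider using a non-public IP address.` and `#   recommended_action: Reconsider the use of a public IP`. The body matches only the literal pool name `public-ippool` of the classic `opc_compute_ip_address_reservation` resource named in `links`, so despite the AVD-OCI id it says nothing about other ways an instance can end up with a public address, and the in-body TODO already concedes it cannot tell what the reserved address is used for — both limits belong in the description rather than only in a TODO, especially for a CRITICAL finding. A reservation with no `pool` attribute leaves `reservation.pool.value` undefined and so passes silently; if that is intended, a one-line comment above the comparison such as `# no pool attribute: nothing to judge, treated as a pass` spares the next reader the question.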
@@ -1,65 +0,0 @@
-package compute
-
-import (
- "testing"
-
- trivyTypes "github.com/aquasecurity/trivy/pkg/iac/types"
-
- "github.com/aquasecurity/trivy/pkg/iac/state"
-
- "github.com/aquasecurity/trivy/pkg/iac/providers/oracle"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
-
- "github.com/stretchr/testify/assert"
-)
-
-func TestCheckNoPublicIp(t *testing.T) {
- tests := []struct {
- name string
- input oracle.Compute
- expected bool
- }{
- {
- name: "Compute instance public reservation pool",
- input: oracle.Compute{
- AddressReservations: []oracle.AddressReservation{
- {
- Metadata: trivyTypes.NewTestMetadata(),
- Pool: trivyTypes.String("public-ippool", trivyTypes.NewTestMetadata()),
- },
- },
- },
- expected: true,
- },
- {
- name: "Compute instance cloud reservation pool",
- input: oracle.Compute{
- AddressReservations: []oracle.AddressReservation{
- {
- Metadata: trivyTypes.NewTestMetadata(),
- Pool: trivyTypes.String("cloud-ippool", trivyTypes.NewTestMetadata()),
- },
- },
- },
- expected: false,
- },
- }
- for _, test := range tests {
- t.Run(test.name, func(t *testing.T) {
- var testState state.State
- testState.Oracle.Compute = test.input
- results := CheckNoPublicIp.Evaluate(&testState)
- var found bool
- for _, result := range results {
- if result.Status() == scan.StatusFailed && result.Rule().LongID() == CheckNoPublicIp.LongID() {
- found = true
- }
- }
- if test.expected {
- assert.True(t, found, "Rule should have been found")
- } else {
- assert.False(t, found, "Rule should not have been found")
- }
- })
- }
-}
diff --git a/checks/cloud/oracle/compute/no_public_ip_test.rego b/checks/cloud/oracle/compute/no_public_ip_test.rego
new file mode 100644
index 00000000..3d79116c
--- /dev/null
+++ b/checks/cloud/oracle/compute/no_public_ip_test.rego
@@ -0,0 +1,20 @@
+package builtin.oracle.compute.oracle0001_test
+
+import rego.v1
+
+import data.builtin.oracle.compute.oracle0001 as check
+import data.lib.test
+
+test_deny_pool_is_public if {
+inp := {"oracle": {"compute": {"addressreservations": [{"pool": {"value": "public-ippool"}}]}}}
+
+res := check.deny with input as inp
+count(res) == 1
+}
+
+test_allow_pool_is_cloud if {
+inp := {"oracle": {"compute": {"addressreservations": [{"pool": {"value": "cloud-ippool"}}]}}}
+
+res := check.deny with input as inp
+res == set()
+}
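Review bot: `import data.lib.test` is never used — both tests assert directly with `count(res) == 1` and `res == set()` — and strict-mode `opa check` flags unused imports, so either drop the line or, if `lib.test` is the repo's assertion helper library, assert through it so the finding's message and flagged attribute are checked rather than only the count. The tests also leave the missing-attribute case undocumented: an `addressreservations` entry with no `pool` key makes `reservation.pool.value` undefined in the check and therefore passes silently, and a third test such as `test_allow_pool_missing` with `[{"pool": {}}]` as the reservation would pin whether that is the intended behaviour.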