feat(terraform): PC Policy Team Yaml Policies Check-in

checkov/terraform/checks/graph_checks/aws/EC2InstanceHasIAMRoleAttached.yaml

@@ -0,0 +1,13 @@
+metadata:
+  id: "CKV2_AWS_41"
+  name: "Ensure an IAM role is attached to EC2 instance"
+  guidelines: "AWS provides Identity Access Management (IAM) roles to securely access AWS services and resources. The role is an identity with permission policies that define what the identity can and cannot do in AWS. As a best practice, create IAM roles and attach the role to manage EC2 instance permissions securely instead of distributing or sharing keys or passwords."
+  category: "IAM"
+scope:
+  provider: "aws"
+definition:
+  cond_type: "attribute"
+  resource_types:
+  - "aws_instance"
+  attribute: "iam_instance_profile"
+  operator: "exists"

checkov/terraform/checks/graph_checks/gcp/CloudFunctionSecureHTTPTrigger.yaml

@@ -0,0 +1,14 @@
+metadata:
+  id: "CKV2_GCP_10"
+  name: "GCP Cloud Function HTTP trigger is secured"
+  guidelines: "This policy identifies GCP Cloud Functions for which the HTTP trigger is not secured. When you configure HTTP functions to be triggered only with HTTPS, user requests will be redirected to use the HTTPS protocol, which is more secure. It is recommended to set the 'Trigger Security level' to 'SECURE_ALWAYS' for configuring HTTP triggers while deploying your function"
+  category: "NETWORKING"
+scope:
+  provider: "gcp"
+definition:
+  cond_type: "attribute"
+  resource_types:
+  - "google_cloudfunctions_function"
+  attribute: "https_trigger_security_level"
+  operator: "equals"
+  value: "SECURE_ALWAYS"

checkov/terraform/checks/graph_checks/gcp/GCRContainerVulnerabilityScanningEnabled.yaml

@@ -0,0 +1,27 @@
+metadata:
+  id: "CKV2_GCP_11"
+  name: "GCP GCR Container Vulnerability Scanning is enabled"
+  guidelines: "This policy identifies GCP accounts where GCR Container Vulnerability Scanning is not enabled. GCR Container Analysis and other third party products allow images stored in GCR to be scanned for known vulnerabilities. Vulnerabilities in software packages can be exploited by hackers or malicious users to obtain unauthorized access to local cloud resources. It is recommended to enable vulnerability scanning for images stored in Google Container Registry."
+  category: "SECURITY"
+scope:
+  provider: "gcp"
+definition:
+  cond_type: "attribute"
+  resource_types:
+  - "google_project_services"
+  - "google_project_service"
+  attribute: "iam_instance_profile"
+  operator: "exists"
+  or:
+    - cond_type: "attribute"
+      resource_types:
+      - "google_project_services"
+      attribute: "services"
+      operator: "contains"
+      value: "containerscanning.googleapis.com"
+    - cond_type: "attribute"
+      resource_types:
+      - "google_project_service"
+      attribute: "service"
+      operator: "contains"
+      value: "containerscanning.googleapis.com"

tests/terraform/graph/checks/resources/CloudFunctionSecureHTTPTrigger/expected.yaml

@@ -0,0 +1,5 @@
+pass:
+  - "google_cloudfunctions_function.pass"
+fail:
+  - "google_cloudfunctions_function.fail_1"
+  - "google_cloudfunctions_function.fail_2"

tests/terraform/graph/checks/resources/CloudFunctionSecureHTTPTrigger/main.tf

@@ -0,0 +1,49 @@
+resource "google_cloudfunctions_function" "pass" {
+  name        = "function-test"
+  description = "My function"
+  runtime     = "nodejs16"
+
+  available_memory_mb          = 128
+  source_archive_bucket        = google_storage_bucket.bucket.name
+  source_archive_object        = google_storage_bucket_object.archive.name
+  trigger_http                 = true
+  https_trigger_security_level = "SECURE_ALWAYS"
+  timeout                      = 60
+  entry_point                  = "helloGET"
+  labels = {
+    my-label = "my-label-value"
+  }
+}
+
+resource "google_cloudfunctions_function" "fail_1" {
+  name        = "function-test"
+  description = "My function"
+  runtime     = "nodejs16"
+
+  available_memory_mb          = 128
+  source_archive_bucket        = google_storage_bucket.bucket.name
+  source_archive_object        = google_storage_bucket_object.archive.name
+  trigger_http                 = true
+  https_trigger_security_level = "SECURE_OPTIONAL"
+  timeout                      = 60
+  entry_point                  = "helloGET"
+  labels = {
+    my-label = "my-label-value"
+  }
+}
+
+resource "google_cloudfunctions_function" "fail_2" {
+  name        = "function-test"
+  description = "My function"
+  runtime     = "nodejs16"
+
+  available_memory_mb          = 128
+  source_archive_bucket        = google_storage_bucket.bucket.name
+  source_archive_object        = google_storage_bucket_object.archive.name
+  trigger_http                 = true
+  timeout                      = 60
+  entry_point                  = "helloGET"
+  labels = {
+    my-label = "my-label-value"
+  }
+}

tests/terraform/graph/checks/resources/EC2InstanceHasIAMRoleAttached/expected.yaml

@@ -0,0 +1,4 @@
+pass:
+  - "aws_instance.pass"
+fail:
+  - "aws_instance.fail"

tests/terraform/graph/checks/resources/EC2InstanceHasIAMRoleAttached/main.tf

@@ -0,0 +1,28 @@
+resource "aws_instance" "pass" {
+  ami           = "ami-005e54dee72cc1d00" # us-west-2
+  instance_type = "t2.micro"
+  iam_instance_profile = "test"
+
+  network_interface {
+    network_interface_id = aws_network_interface.foo.id
+    device_index         = 0
+  }
+
+  credit_specification {
+    cpu_credits = "unlimited"
+  }
+}
+
+resource "aws_instance" "fail" {
+  ami           = "ami-005e54dee72cc1d00"
+  instance_type = "t2.micro"
+
+  network_interface {
+    network_interface_id = aws_network_interface.foo.id
+    device_index         = 0
+  }
+
+  credit_specification {
+    cpu_credits = "unlimited"
+  }
+}

tests/terraform/graph/checks/resources/GCRContainerVulnerabilityScanningEnabled/expected.yaml

@@ -0,0 +1,6 @@
+pass:
+  - "google_project_services.pass_1"
+  - "google_project_service.pass_2"
+fail:
+  - "google_project_services.fail_1"
+  - "google_project_service.fail_2"

tests/terraform/graph/checks/resources/GCRContainerVulnerabilityScanningEnabled/main.tf

@@ -0,0 +1,33 @@
+resource "google_project_services" "pass_1" {
+  project = "your-project-id"
+  services   = ["iam.googleapis.com", "cloudresourcemanager.googleapis.com", "containerscanning.googleapis.com"]
+}
+
+resource "google_project_service" "pass_2" {
+  project = "your-project-id"
+  service = "containerscanning.googleapis.com"
+
+  timeouts {
+    create = "30m"
+    update = "40m"
+  }
+
+  disable_dependent_services = true
+}
+
+resource "google_project_services" "fail_1" {
+  project = "your-project-id"
+  services   = ["iam.googleapis.com", "cloudresourcemanager.googleapis.com"]
+}
+
+resource "google_project_service" "fail_2" {
+  project = "your-project-id"
+  service = "cloudresourcemanager.googleapis.com"
+
+  timeouts {
+    create = "30m"
+    update = "40m"
+  }
+
+  disable_dependent_services = true
+}

tests/terraform/graph/checks/test_yaml_policies.py

@@ -47,6 +47,9 @@ def test_GuardDutyIsEnabled(self):
     def test_SGAttachedToResource(self):
         self.go("SGAttachedToResource")
 
+    def test_EC2InstanceHasIAMRoleAttached(self):
+        self.go("EC2InstanceHasIAMRoleAttached") 
+
     def test_StorageContainerActivityLogsNotPublic(self):
         self.go("StorageContainerActivityLogsNotPublic")
 
@@ -86,6 +89,9 @@ def test_DisableAccessToSqlDBInstanceForRootUsersWithoutPassword(self):
     def test_GCPProjectHasNoLegacyNetworks(self):
         self.go("GCPProjectHasNoLegacyNetworks")
 
+    def test_GCRContainerVulnerabilityScanningEnabled(self):
+        self.go("GCRContainerVulnerabilityScanningEnabled")    
+
     def test_AzureDataFactoriesEncryptedWithCustomerManagedKey(self):
         self.go("AzureDataFactoriesEncryptedWithCustomerManagedKey")
 
@@ -104,6 +110,9 @@ def test_ALBRedirectsHTTPToHTTPS(self):
     def test_GCPLogBucketsConfiguredUsingLock(self):
         self.go("GCPLogBucketsConfiguredUsingLock")
 
+    def test_CloudFunctionSecureHTTPTrigger(self):
+        self.go("CloudFunctionSecureHTTPTrigger")    
+
     def test_GCPAuditLogsConfiguredForAllServicesAndUsers(self):
         self.go("GCPAuditLogsConfiguredForAllServicesAndUsers")