Merge pull request Checkmarx#7138 from SevenEarth/feat/tke_tencent_ad…

…d_new_query_v3 feat(query): add new query for tencentcloud TKE resource
patrickjburke245 · Jun 18, 2024 · ea6c4d4 · ea6c4d4
2 parents 65e1e38 + 5a24043
commit ea6c4d4
Show file tree

Hide file tree

Showing 20 changed files with 1,230 additions and 0 deletions.
diff --git a/...s/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/metadata.json b/...s/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/metadata.json
@@ -0,0 +1,12 @@
+{
+  "id": "3ed47402-e322-465f-a0f0-8681135a17b0",
+  "queryName": "(Beta) TKE Cluster Encryption Protection Disabled",
+  "severity": "HIGH",
+  "category": "Encryption",
+  "descriptionText": "TKE Cluster should have encryption protection enabled",
+  "descriptionUrl": "https://registry.terraform.io/providers/tencentcloudstack/tencentcloud/latest/docs/resources/kubernetes_encryption_protection",
+  "platform": "Terraform",
+  "descriptionID": "1220fcb9",
+  "cloudProvider": "tencentcloud",
+  "cwe": ""
+}
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/query.rego b/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/query.rego
@@ -0,0 +1,26 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+	resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name]
+    not any_kubernetes_encryption_protection(name)
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "tencentcloud_kubernetes_cluster",
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("tencentcloud_kubernetes_cluster[%s]", [name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s] should have 'tencentcloud_kubernetes_encryption_protection' enabled", [name]),
+		"keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s] does not have 'tencentcloud_kubernetes_encryption_protection' enabled or is undefined", [name]),
+        "searchLine":common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name], []),
+	}
+}
+
+any_kubernetes_encryption_protection(resource_name) {
+    encryption := input.document[_].resource.tencentcloud_kubernetes_encryption_protection[_]
+    split_name := split(encryption.cluster_id, ".")[1]
+    split_name == resource_name
+}
diff --git a/...eries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test/negative1.tf b/...eries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test/negative1.tf
@@ -0,0 +1,30 @@
+data "tencentcloud_vpc_subnets" "vpc" {
+  is_default        = true
+  availability_zone = "ap-guangzhou-3"
+}
+
+resource "tencentcloud_kubernetes_cluster" "has_encryption_protection" {
+  vpc_id                  = data.tencentcloud_vpc_subnets.vpc.instance_list.0.vpc_id
+  cluster_cidr            = "10.32.0.0/16"
+  cluster_max_pod_num     = 32
+  cluster_name            = "tf_example_cluster"
+  cluster_desc            = "a tf example cluster for the kms test"
+  cluster_max_service_num = 32
+  cluster_deploy_type     = "MANAGED_CLUSTER"
+}
+
+
+resource "tencentcloud_kms_key" "example" {
+  alias       = "tf-example-kms-key"
+  description = "example of kms key instance"
+  key_usage   = "ENCRYPT_DECRYPT"
+  is_enabled  = true
+}
+
+resource "tencentcloud_kubernetes_encryption_protection" "example" {
+  cluster_id = tencentcloud_kubernetes_cluster.has_encryption_protection.id
+  kms_configuration {
+    key_id     = tencentcloud_kms_key.example.id
+    kms_region = "ap-guangzhou"
+  }
+}
diff --git a/...eries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test/positive1.tf b/...eries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test/positive1.tf
@@ -0,0 +1,14 @@
+data "tencentcloud_vpc_subnets" "vpc" {
+  is_default        = true
+  availability_zone = "ap-guangzhou-3"
+}
+
+resource "tencentcloud_kubernetes_cluster" "none_encryption_protection" {
+  vpc_id                  = data.tencentcloud_vpc_subnets.vpc.instance_list.0.vpc_id
+  cluster_cidr            = "10.32.0.0/16"
+  cluster_max_pod_num     = 32
+  cluster_name            = "tf_example_cluster"
+  cluster_desc            = "a tf example cluster for the kms test"
+  cluster_max_service_num = 32
+  cluster_deploy_type     = "MANAGED_CLUSTER"
+}
diff --git a/...encentcloud/tke_cluster_encryption_protection_disabled/test/positive_expected_result.json b/...encentcloud/tke_cluster_encryption_protection_disabled/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+  {
+    "queryName": "(Beta) TKE Cluster Encryption Protection Disabled",
+    "severity": "HIGH",
+    "line": 6,
+    "fileName": "positive1.tf"
+  }
+]
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/metadata.json b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/metadata.json
@@ -0,0 +1,12 @@
+{
+  "id": "df6928ed-02f4-421f-9a67-a529860dd7e7",
+  "queryName": "(Beta) TKE Cluster Has Public Access",
+  "severity": "MEDIUM",
+  "category": "Insecure Configurations",
+  "descriptionText": "TKE Cluster 'public_ip_assigned' should be set to false",
+  "descriptionUrl": "https://registry.terraform.io/providers/tencentcloudstack/tencentcloud/latest/docs/resources/kubernetes_cluster#public_ip_assigned",
+  "platform": "Terraform",
+  "descriptionID": "6570e731",
+  "cloudProvider": "tencentcloud",
+  "cwe": ""
+}
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego
@@ -0,0 +1,178 @@
+package Cx
+
+import data.generic.terraform as tf_lib
+import data.generic.common as common_lib
+
+# master_config
+CxPolicy[result] {
+	resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name]
+	masterConfig := resource.master_config
+
+    common_lib.valid_key(masterConfig, "public_ip_assigned")
+    common_lib.valid_key(masterConfig, "internet_max_bandwidth_out")
+
+	masterConfig.public_ip_assigned == true
+	masterConfig.internet_max_bandwidth_out > 0
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "tencentcloud_kubernetes_cluster",
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.public_ip_assigned", [name]),
+		"searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name, "master_config", "public_ip_assigned"], []),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.public_ip_assigned should be equal to 'false'", [name]),
+		"keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.public_ip_assigned is equal to 'true'", [name]),
+	}
+}
+
+CxPolicy[result] {
+	resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name]
+	masterConfig := resource.master_config[index]
+
+    common_lib.valid_key(masterConfig, "public_ip_assigned")
+    common_lib.valid_key(masterConfig, "internet_max_bandwidth_out")
+
+	masterConfig.public_ip_assigned == true
+	masterConfig.internet_max_bandwidth_out > 0
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "tencentcloud_kubernetes_cluster",
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.public_ip_assigned", [name]),
+		"searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name, "master_config", index, "public_ip_assigned"], []),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.public_ip_assigned should be equal to 'false'", [name]),
+		"keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.public_ip_assigned is equal 'true'", [name]),
+	}
+}
+
+CxPolicy[result] {
+	resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name]
+	masterConfig := resource.master_config
+
+    not common_lib.valid_key(masterConfig, "public_ip_assigned")
+    common_lib.valid_key(masterConfig, "internet_max_bandwidth_out")
+
+    masterConfig.internet_max_bandwidth_out > 0
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "tencentcloud_kubernetes_cluster",
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.internet_max_bandwidth_out", [name]),
+		"searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name, "master_config", "internet_max_bandwidth_out"], []),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.internet_max_bandwidth_out should equal '0' or undefined", [name]),
+		"keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.internet_max_bandwidth_out is not equal '0'", [name]),
+	}
+}
+
+CxPolicy[result] {
+	resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name]
+	masterConfig := resource.master_config[index]
+
+	not common_lib.valid_key(masterConfig, "public_ip_assigned")
+    common_lib.valid_key(masterConfig, "internet_max_bandwidth_out")
+
+	masterConfig.internet_max_bandwidth_out > 0
+
+	result := {
+        "documentId": input.document[i].id,
+        "resourceType": "tencentcloud_kubernetes_cluster",
+        "resourceName": tf_lib.get_resource_name(resource, name),
+        "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.internet_max_bandwidth_out", [name]),
+        "searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name, "master_config", index, "internet_max_bandwidth_out"], []),
+        "issueType": "IncorrectValue",
+        "keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.internet_max_bandwidth_out should equal '0' or null", [name]),
+        "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.internet_max_bandwidth_out is not equal '0'", [name]),
+    }
+}
+
+# worker_config
+CxPolicy[result] {
+	resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name]
+	workerConfig := resource.worker_config
+
+    common_lib.valid_key(workerConfig, "public_ip_assigned")
+    common_lib.valid_key(workerConfig, "internet_max_bandwidth_out")
+
+	workerConfig.public_ip_assigned == true
+	workerConfig.internet_max_bandwidth_out > 0
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "tencentcloud_kubernetes_cluster",
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.public_ip_assigned", [name]),
+		"searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name, "worker_config", "public_ip_assigned"], []),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.public_ip_assigned should equal 'false'", [name]),
+		"keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.public_ip_assigned is equal 'true'", [name]),
+	}
+}
+
+CxPolicy[result] {
+	resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name]
+	workerConfig := resource.worker_config[index]
+
+    common_lib.valid_key(workerConfig, "public_ip_assigned")
+    common_lib.valid_key(workerConfig, "internet_max_bandwidth_out")
+
+	workerConfig.public_ip_assigned == true
+	workerConfig.internet_max_bandwidth_out > 0
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "tencentcloud_kubernetes_cluster",
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.public_ip_assigned", [name]),
+		"searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name, "worker_config", index, "public_ip_assigned"], []),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.public_ip_assigned should equal 'false'", [name]),
+		"keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.public_ip_assigned is equal 'true'", [name]),
+	}
+}
+
+CxPolicy[result] {
+	resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name]
+	workerConfig := resource.worker_config
+
+    not common_lib.valid_key(workerConfig, "public_ip_assigned")
+    common_lib.valid_key(workerConfig, "internet_max_bandwidth_out")
+
+    workerConfig.internet_max_bandwidth_out > 0
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "tencentcloud_kubernetes_cluster",
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.internet_max_bandwidth_out", [name]),
+		"searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name, "worker_config", "internet_max_bandwidth_out"], []),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.internet_max_bandwidth_out should equal '0' or undefined", [name]),
+		"keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.internet_max_bandwidth_out is defined and not equal to '0'", [name]),
+	}
+}
+
+CxPolicy[result] {
+	resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name]
+	workerConfig := resource.worker_config[index]
+
+	not common_lib.valid_key(workerConfig, "public_ip_assigned")
+    common_lib.valid_key(workerConfig, "internet_max_bandwidth_out")
+
+	workerConfig.internet_max_bandwidth_out > 0
+
+	result := {
+        "documentId": input.document[i].id,
+        "resourceType": "tencentcloud_kubernetes_cluster",
+        "resourceName": tf_lib.get_resource_name(resource, name),
+        "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.internet_max_bandwidth_out", [name]),
+        "searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name, "worker_config", index, "internet_max_bandwidth_out"], []),
+        "issueType": "IncorrectValue",
+        "keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.internet_max_bandwidth_out should be equal to '0' or null", [name]),
+        "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.internet_max_bandwidth_out is defined and not equal to '0'", [name]),
+    }
+}
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/negative1.tf b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/negative1.tf
@@ -0,0 +1,95 @@
+locals {
+  first_vpc_id     = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.vpc_id
+  first_subnet_id  = data.tencentcloud_vpc_subnets.vpc_one.instance_list.0.subnet_id
+  second_vpc_id    = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.vpc_id
+  second_subnet_id = data.tencentcloud_vpc_subnets.vpc_two.instance_list.0.subnet_id
+  sg_id            = tencentcloud_security_group.sg.id
+  image_id         = data.tencentcloud_images.default.image_id
+}
+
+data "tencentcloud_vpc_subnets" "vpc_one" {
+  is_default        = true
+  availability_zone = "ap-guangzhou-3"
+}
+
+data "tencentcloud_vpc_subnets" "vpc_two" {
+  is_default        = true
+  availability_zone = "ap-guangzhou-4"
+}
+
+resource "tencentcloud_security_group" "sg" {
+  name = "tf-example-sg"
+}
+
+resource "tencentcloud_security_group_lite_rule" "sg_rule" {
+  security_group_id = tencentcloud_security_group.sg.id
+
+  ingress = [
+    "ACCEPT#10.0.0.0/16#ALL#ALL",
+    "ACCEPT#172.16.0.0/22#ALL#ALL",
+    "DROP#0.0.0.0/0#ALL#ALL",
+  ]
+
+  egress = [
+    "ACCEPT#172.16.0.0/22#ALL#ALL",
+  ]
+}
+
+data "tencentcloud_images" "default" {
+  image_type       = ["PUBLIC_IMAGE"]
+  image_name_regex = "Final"
+}
+
+resource "tencentcloud_kubernetes_cluster" "example" {
+  vpc_id                          = local.first_vpc_id
+  cluster_cidr                    = "10.31.0.0/16"
+  cluster_max_pod_num             = 32
+  cluster_name                    = "tf_example_cluster"
+  cluster_desc                    = "example for tke cluster"
+  cluster_max_service_num         = 32
+  cluster_internet                = false
+  cluster_internet_security_group = local.sg_id
+  cluster_version                 = "1.22.5"
+  cluster_deploy_type             = "MANAGED_CLUSTER"
+
+  master_config {
+    count             = 1
+    availability_zone = "ap-guangzhou-3"
+    instance_type     = "SA2.2XLARGE16"
+    system_disk_type  = "CLOUD_SSD"
+    system_disk_size  = 60
+    subnet_id         = local.first_subnet_id
+    img_id            = local.image_id
+
+    data_disk {
+      disk_type = "CLOUD_PREMIUM"
+      disk_size = 50
+    }
+
+    enhanced_security_service = false
+    enhanced_monitor_service  = false
+  }
+
+  worker_config {
+    count             = 1
+    availability_zone = "ap-guangzhou-4"
+    instance_type     = "SA2.2XLARGE16"
+    system_disk_type  = "CLOUD_SSD"
+    system_disk_size  = 60
+    subnet_id         = local.second_subnet_id
+
+    data_disk {
+      disk_type = "CLOUD_PREMIUM"
+      disk_size = 50
+    }
+
+    enhanced_security_service = false
+    enhanced_monitor_service  = false
+    cam_role_name             = "CVM_QcsRole"
+  }
+
+  labels = {
+    "test1" = "test1",
+    "test2" = "test2",
+  }
+}