diff --git a/checkov/terraform/plan_runner.py b/checkov/terraform/plan_runner.py
index 566329efbff..e666ccc8ce7 100644
--- a/checkov/terraform/plan_runner.py
+++ b/checkov/terraform/plan_runner.py
@@ -8,6 +8,7 @@ from typing_extensions import TypeAlias # noqa[TC002]
+from checkov.common.checks.base_check_registry import BaseCheckRegistry
 from checkov.common.graph.checks_infra.registry import BaseRegistry
 from checkov.common.typing import LibraryGraphConnector, TFDefinitionKeyType
 from checkov.common.graph.graph_builder.consts import GraphSource
@@ -239,6 +240,7 @@ def run_block(
 entity_address = entity_context['address']
 _, _, entity_config = registry.extract_entity_details(entity)
+ self._assign_graph_to_registry(registry)
 results = registry.scan(scanned_file, entity, [], runner_filter, report_type=CheckType.TERRAFORM_PLAN)
 for check, check_result in results.items():
 if check.id in TF_LIFECYCLE_CHECK_IDS:
@@ -270,6 +272,14 @@ def run_block(
 record.set_guideline(check.guideline)
 report.add_record(record=record)
+ def _assign_graph_to_registry(self, registry: BaseCheckRegistry) -> None:
+ try:
+ registry.graph = self.graph_manager.db_connector.graph # type: ignore
+ except Exception as e:
+ logging.debug(f'fail to assign graph to the registry, err: {e}')
+ registry.graph = None
+ return
+
 def get_entity_context_and_evaluations(self, entity: dict[str, Any]) -> dict[str, Any] | None:
 if not self.context:
 return None
diff --git a/tests/terraform/runner/py_check_tf_plan/__init__.py b/tests/terraform/runner/py_check_tf_plan/__init__.py
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/tests/terraform/runner/py_check_tf_plan/check_tf_plan.py b/tests/terraform/runner/py_check_tf_plan/check_tf_plan.py
new file mode 100644
index 00000000000..5b47bb9f34e
--- /dev/null
+++ b/tests/terraform/runner/py_check_tf_plan/check_tf_plan.py
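Review bot: `self._assign_graph_to_registry(registry)` is invoked once per scanned entity, yet what it assigns depends only on `self.graph_manager`, so the same graph object is re-attached to the registry on every iteration. The enclosing loop header and the rest of `run_block` are outside this hunk, but the call appears to belong before the loop, where the registry's graph is set once per run; that would also keep the per-entity scan path free of the try/except in the helper. If the call must stay here for some ordering reason (for example a graph that is rebuilt between entities), a one-line comment stating that would save the next reader from moving it.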
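Review bot: `except Exception` in `_assign_graph_to_registry` swallows every failure of `self.graph_manager.db_connector.graph`, including genuine programming errors, and reports it only at debug level; a Python check that then dereferences `self.graph` fails later with an `AttributeError` on `None` that gives no hint that the graph was never attached. The fallback seems intended for a missing or unset graph manager, so narrowing to that case and raising the log level, `except AttributeError as e:` with `logging.warning(f'fail to assign graph to the registry, err: {e}')`, keeps the best-effort behaviour while making the degraded mode visible; the trailing bare `return` is redundant and can go. The method also deserves a docstring, since it mutates an object it does not own: something like "Attach the runner's current graph to the check registry so Python checks can read it via self.graph; sets it to None when no graph is available" — and, if the registry is a module-level object shared across runs (I cannot tell from this hunk), note that the attribute persists after the run ends.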
@@ -0,0 +1,30 @@
+from __future__ import annotations
+from typing import Any
+from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+from checkov.common.models.enums import CheckCategories, CheckResult
+
+
+class JustForTest(BaseResourceValueCheck):
+ def __init__(self):
+ name = "Just for test (Like CKV2_GCP_18)"
+ id = "CKV_AWS_99999"
+ supported_resources = ['google_compute_network']
+ categories = [CheckCategories.ENCRYPTION]
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+ def get_inspected_key(self):
+ return "storage_encrypted"
+
+ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
+ result = super().scan_resource_conf(conf=conf)
+ # For IGraph framework -
+ resources = self.graph.vs.select(block_type__eq="resource")["attr"]
+ # For RustworkX Framework - [g[1] for g in self.graph.nodes() if g[1].get('block_type_') == 'resource']
+
+ # Do something here.
+ if resources:
+ return CheckResult.PASSED
+ return result
+
+
+check = JustForTest()
diff --git a/tests/terraform/runner/resources/py_graph_check_tf_plan/py_graph_check_paln.json b/tests/terraform/runner/resources/py_graph_check_tf_plan/py_graph_check_paln.json
new file mode 100644
index 00000000000..e312fc322d3
--- /dev/null
+++ b/tests/terraform/runner/resources/py_graph_check_tf_plan/py_graph_check_paln.json
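Review bot: `scan_resource_conf` dereferences `self.graph.vs` unconditionally, so when the runner's fallback leaves `registry.graph` as `None`, or when the graph is a rustworkx graph (the commented-out alternative on the next line is never selected at runtime), the check raises `AttributeError` instead of returning a result. Guard the lookup before using the igraph API, `if self.graph is None or not hasattr(self.graph, "vs"): return result`, so the test exercises the graph-attached path and degrades cleanly otherwise. The commented-out rustworkx expression is better turned into a real branch or dropped, since commented code in a fixture tends to drift from the backend it describes.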
@@ -0,0 +1,1798 @@ +{ + "format_version": "0.1", + "terraform_version": "0.13.7", + "planned_values": { + "root_module": { + "resources": [ + { + "address": "google_compute_network.achia_test_nonpeered_network", + "mode": "managed", + "type": "google_compute_network", + "name": "achia_test_nonpeered_network", + "provider_name": "registry.terraform.io/hashicorp/google", + "schema_version": 0, + "values": { + "auto_create_subnetworks": true, + "delete_default_routes_on_create": false, + "description": null, + "name": "achia_test-nonpeered-network", + "timeouts": null + } + }, + { + "address": "google_compute_network.achia_test_peered_nonwss_network", + "mode": "managed", + "type": "google_compute_network", + "name": "achia_test_peered_nonwss_network", + "provider_name": "registry.terraform.io/hashicorp/google", + "schema_version": 0, + "values": { + "auto_create_subnetworks": true, + "delete_default_routes_on_create": false, + "description": null, + "name": "achia_test-peered-nonwss-network", + "timeouts": null + } + }, + { + "address": "google_compute_network.achia_test_peered_wss_network", + "mode": "managed", + "type": "google_compute_network", + "name": "achia_test_peered_wss_network", + "provider_name": "registry.terraform.io/hashicorp/google", + "schema_version": 0, + "values": { + "auto_create_subnetworks": true, + "delete_default_routes_on_create": false, + "description": null, + "name": "achia_test-peered-wss-network", + "timeouts": null + } + }, + { + "address": "google_compute_network_peering.achia_test_network_peering_from_nonwss", + "mode": "managed", + "type": "google_compute_network_peering", + "name": "achia_test_network_peering_from_nonwss", + "provider_name": "registry.terraform.io/hashicorp/google", + "schema_version": 0, + "values": { + "export_custom_routes": false, + "export_subnet_routes_with_public_ip": true, + "import_custom_routes": false, + "import_subnet_routes_with_public_ip": null, + "name": "fake-network-peering-from-nonwss", + 
"network": "https://www.achia.com11111", + "timeouts": null + } + }, + { + "address": "google_compute_network_peering.achia_test_network_peering_from_wss", + "mode": "managed", + "type": "google_compute_network_peering", + "name": "achia_test_network_peering_from_wss", + "provider_name": "registry.terraform.io/hashicorp/google", + "schema_version": 0, + "values": { + "export_custom_routes": false, + "export_subnet_routes_with_public_ip": true, + "import_custom_routes": false, + "import_subnet_routes_with_public_ip": null, + "name": "fake-network-peering-from-wss", + "network": "https://www.achia.com11111", + "timeouts": null + } + }, + { + "address": "google_compute_network_peering.achia_test_network_peering_to_nonwss", + "mode": "managed", + "type": "google_compute_network_peering", + "name": "achia_test_network_peering_to_nonwss", + "provider_name": "registry.terraform.io/hashicorp/google", + "schema_version": 0, + "values": { + "export_custom_routes": false, + "export_subnet_routes_with_public_ip": true, + "import_custom_routes": false, + "import_subnet_routes_with_public_ip": null, + "name": "fake-network-peering-to-nonwss", + "peer_network": "https://www.achia.com11111", + "timeouts": null + } + }, + { + "address": "google_compute_network_peering.achia_test_network_peering_to_wss", + "mode": "managed", + "type": "google_compute_network_peering", + "name": "achia_test_network_peering_to_wss", + "provider_name": "registry.terraform.io/hashicorp/google", + "schema_version": 0, + "values": { + "export_custom_routes": false, + "export_subnet_routes_with_public_ip": true, + "import_custom_routes": false, + "import_subnet_routes_with_public_ip": null, + "name": "fake-network-peering-to-wss", + "peer_network": "https://www.achia.com11111", + "timeouts": null + } + } + ], + "child_modules": [ + { + "resources": [ + { + "address": "module.achia_test_valid_443.google_compute_firewall.custom[0]", + "mode": "managed", + "type": "google_compute_firewall", + "name": 
"custom", + "index": 0, + "provider_name": "registry.terraform.io/hashicorp/google", + "schema_version": 1, + "values": { + "allow": [ + { + "ports": [ + "443" + ], + "protocol": "tcp" + } + ], + "deny": [], + "description": "gcp-wss-tcp-allow", + "destination_ranges": [ + "0.0.0.0/0" + ], + "direction": "EGRESS", + "disabled": false, + "log_config": [ + { + "metadata": "INCLUDE_ALL_METADATA" + } + ], + "name": "egress-wss-valid-port443-allow", + "network": "achia_test-peered-wss-network", + "priority": 1000, + "project": "fake-id", + "source_service_accounts": null, + "source_tags": null, + "target_service_accounts": null, + "target_tags": null, + "timeouts": null + } + } + ], + "address": "module.achia_test_valid_443" + }, + { + "resources": [ + { + "address": "module.achia_test_valid_ports.google_compute_firewall.custom[0]", + "mode": "managed", + "type": "google_compute_firewall", + "name": "custom", + "index": 0, + "provider_name": "registry.terraform.io/hashicorp/google", + "schema_version": 1, + "values": { + "allow": [ + { + "ports": [ + "80", + "443" + ], + "protocol": "tcp" + } + ], + "deny": [], + "description": "gcp-wss-tcp-allow", + "destination_ranges": [ + "0.0.0.0/0" + ], + "direction": "EGRESS", + "disabled": false, + "log_config": [ + { + "metadata": "INCLUDE_ALL_METADATA" + } + ], + "name": "egress-wss-valid-port80and443-allow", + "network": "achia_test-peered-wss-network", + "priority": 1000, + "project": "fake-id", + "source_service_accounts": null, + "source_tags": null, + "target_service_accounts": null, + "target_tags": null, + "timeouts": null + } + } + ], + "address": "module.achia_test_valid_ports" + }, + { + "resources": [ + { + "address": "module.achia_test_violating_no_ports.google_compute_firewall.custom[0]", + "mode": "managed", + "type": "google_compute_firewall", + "name": "custom", + "index": 0, + "provider_name": "registry.terraform.io/hashicorp/google", + "schema_version": 1, + "values": { + "allow": [ + { + "ports": [], + 
"protocol": "tcp" + } + ], + "deny": [], + "description": "gcp-wss-tcp-allow", + "destination_ranges": [ + "0.0.0.0/0" + ], + "direction": "EGRESS", + "disabled": false, + "log_config": [ + { + "metadata": "INCLUDE_ALL_METADATA" + } + ], + "name": "egress-wss-all-ports-allow", + "network": "achia_test-peered-wss-network", + "priority": 1000, + "project": "fake-id", + "source_service_accounts": null, + "source_tags": null, + "target_service_accounts": null, + "target_tags": null, + "timeouts": null + } + } + ], + "address": "module.achia_test_violating_no_ports" + }, + { + "resources": [ + { + "address": "module.achia_test_violating_port.google_compute_firewall.custom[0]", + "mode": "managed", + "type": "google_compute_firewall", + "name": "custom", + "index": 0, + "provider_name": "registry.terraform.io/hashicorp/google", + "schema_version": 1, + "values": { + "allow": [ + { + "ports": [ + "80", + "443", + "3600" + ], + "protocol": "tcp" + } + ], + "deny": [], + "description": "gcp-wss-tcp-allow", + "destination_ranges": [ + "0.0.0.0/0" + ], + "direction": "EGRESS", + "disabled": false, + "log_config": [ + { + "metadata": "INCLUDE_ALL_METADATA" + } + ], + "name": "egress-wss-violating-port3600-allow", + "network": "achia_test-peered-wss-network", + "priority": 1000, + "project": "fake-id", + "source_service_accounts": null, + "source_tags": null, + "target_service_accounts": null, + "target_tags": null, + "timeouts": null + } + } + ], + "address": "module.achia_test_violating_port" + } + ] + } + }, + "resource_changes": [ + { + "address": "google_compute_network.achia_test_nonpeered_network", + "mode": "managed", + "type": "google_compute_network", + "name": "achia_test_nonpeered_network", + "provider_name": "registry.terraform.io/hashicorp/google", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "auto_create_subnetworks": true, + "delete_default_routes_on_create": false, + "description": null, + "name": "achia_test-nonpeered-network", 
+ "timeouts": null + }, + "after_unknown": { + "gateway_ipv4": true, + "id": true, + "mtu": true, + "project": true, + "routing_mode": true, + "self_link": true + } + } + }, + { + "address": "google_compute_network.achia_test_peered_nonwss_network", + "mode": "managed", + "type": "google_compute_network", + "name": "achia_test_peered_nonwss_network", + "provider_name": "registry.terraform.io/hashicorp/google", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "auto_create_subnetworks": true, + "delete_default_routes_on_create": false, + "description": null, + "name": "achia_test-peered-nonwss-network", + "timeouts": null + }, + "after_unknown": { + "gateway_ipv4": true, + "id": true, + "mtu": true, + "project": true, + "routing_mode": true, + "self_link": true + } + } + }, + { + "address": "google_compute_network.achia_test_peered_wss_network", + "mode": "managed", + "type": "google_compute_network", + "name": "achia_test_peered_wss_network", + "provider_name": "registry.terraform.io/hashicorp/google", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "auto_create_subnetworks": true, + "delete_default_routes_on_create": false, + "description": null, + "name": "achia_test-peered-wss-network", + "timeouts": null + }, + "after_unknown": { + "gateway_ipv4": true, + "id": true, + "mtu": true, + "project": true, + "routing_mode": true, + "self_link": true + } + } + }, + { + "address": "google_compute_network_peering.achia_test_network_peering_from_nonwss", + "mode": "managed", + "type": "google_compute_network_peering", + "name": "achia_test_network_peering_from_nonwss", + "provider_name": "registry.terraform.io/hashicorp/google", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "export_custom_routes": false, + "export_subnet_routes_with_public_ip": true, + "import_custom_routes": false, + "import_subnet_routes_with_public_ip": null, + "name": "fake-network-peering-from-nonwss", + 
"network": "https://www.achia.com11111", + "timeouts": null + }, + "after_unknown": { + "id": true, + "peer_network": true, + "state": true, + "state_details": true + } + } + }, + { + "address": "google_compute_network_peering.achia_test_network_peering_from_wss", + "mode": "managed", + "type": "google_compute_network_peering", + "name": "achia_test_network_peering_from_wss", + "provider_name": "registry.terraform.io/hashicorp/google", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "export_custom_routes": false, + "export_subnet_routes_with_public_ip": true, + "import_custom_routes": false, + "import_subnet_routes_with_public_ip": null, + "name": "fake-network-peering-from-wss", + "network": "https://www.achia.com11111", + "timeouts": null + }, + "after_unknown": { + "id": true, + "peer_network": true, + "state": true, + "state_details": true + } + } + }, + { + "address": "google_compute_network_peering.achia_test_network_peering_to_nonwss", + "mode": "managed", + "type": "google_compute_network_peering", + "name": "achia_test_network_peering_to_nonwss", + "provider_name": "registry.terraform.io/hashicorp/google", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "export_custom_routes": false, + "export_subnet_routes_with_public_ip": true, + "import_custom_routes": false, + "import_subnet_routes_with_public_ip": null, + "name": "fake-network-peering-to-nonwss", + "peer_network": "https://www.achia.com11111", + "timeouts": null + }, + "after_unknown": { + "id": true, + "network": true, + "state": true, + "state_details": true + } + } + }, + { + "address": "google_compute_network_peering.achia_test_network_peering_to_wss", + "mode": "managed", + "type": "google_compute_network_peering", + "name": "achia_test_network_peering_to_wss", + "provider_name": "registry.terraform.io/hashicorp/google", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "export_custom_routes": false, + 
"export_subnet_routes_with_public_ip": true, + "import_custom_routes": false, + "import_subnet_routes_with_public_ip": null, + "name": "fake-network-peering-to-wss", + "peer_network": "https://www.achia.com11111", + "timeouts": null + }, + "after_unknown": { + "id": true, + "network": true, + "state": true, + "state_details": true + } + } + }, + { + "address": "module.achia_test_valid_443.google_compute_firewall.custom[0]", + "module_address": "module.achia_test_valid_443", + "mode": "managed", + "type": "google_compute_firewall", + "name": "custom", + "index": 0, + "provider_name": "registry.terraform.io/hashicorp/google", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "allow": [ + { + "ports": [ + "443" + ], + "protocol": "tcp" + } + ], + "deny": [], + "description": "gcp-wss-tcp-allow", + "destination_ranges": [ + "0.0.0.0/0" + ], + "direction": "EGRESS", + "disabled": false, + "log_config": [ + { + "metadata": "INCLUDE_ALL_METADATA" + } + ], + "name": "egress-wss-valid-port443-allow", + "network": "achia_test-peered-wss-network", + "priority": 1000, + "project": "fake-id", + "source_service_accounts": null, + "source_tags": null, + "target_service_accounts": null, + "target_tags": null, + "timeouts": null + }, + "after_unknown": { + "allow": [ + { + "ports": [ + false + ] + } + ], + "creation_timestamp": true, + "deny": [], + "destination_ranges": [ + false + ], + "enable_logging": true, + "id": true, + "log_config": [ + {} + ], + "self_link": true, + "source_ranges": true + } + } + }, + { + "address": "module.achia_test_valid_ports.google_compute_firewall.custom[0]", + "module_address": "module.achia_test_valid_ports", + "mode": "managed", + "type": "google_compute_firewall", + "name": "custom", + "index": 0, + "provider_name": "registry.terraform.io/hashicorp/google", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "allow": [ + { + "ports": [ + "80", + "443" + ], + "protocol": "tcp" + } + ], + 
"deny": [], + "description": "gcp-wss-tcp-allow", + "destination_ranges": [ + "0.0.0.0/0" + ], + "direction": "EGRESS", + "disabled": false, + "log_config": [ + { + "metadata": "INCLUDE_ALL_METADATA" + } + ], + "name": "egress-wss-valid-port80and443-allow", + "network": "achia_test-peered-wss-network", + "priority": 1000, + "project": "fake-id", + "source_service_accounts": null, + "source_tags": null, + "target_service_accounts": null, + "target_tags": null, + "timeouts": null + }, + "after_unknown": { + "allow": [ + { + "ports": [ + false, + false + ] + } + ], + "creation_timestamp": true, + "deny": [], + "destination_ranges": [ + false + ], + "enable_logging": true, + "id": true, + "log_config": [ + {} + ], + "self_link": true, + "source_ranges": true + } + } + }, + { + "address": "module.achia_test_violating_no_ports.google_compute_firewall.custom[0]", + "module_address": "module.achia_test_violating_no_ports", + "mode": "managed", + "type": "google_compute_firewall", + "name": "custom", + "index": 0, + "provider_name": "registry.terraform.io/hashicorp/google", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "allow": [ + { + "ports": [], + "protocol": "tcp" + } + ], + "deny": [], + "description": "gcp-wss-tcp-allow", + "destination_ranges": [ + "0.0.0.0/0" + ], + "direction": "EGRESS", + "disabled": false, + "log_config": [ + { + "metadata": "INCLUDE_ALL_METADATA" + } + ], + "name": "egress-wss-all-ports-allow", + "network": "achia_test-peered-wss-network", + "priority": 1000, + "project": "fake-id", + "source_service_accounts": null, + "source_tags": null, + "target_service_accounts": null, + "target_tags": null, + "timeouts": null + }, + "after_unknown": { + "allow": [ + { + "ports": [] + } + ], + "creation_timestamp": true, + "deny": [], + "destination_ranges": [ + false + ], + "enable_logging": true, + "id": true, + "log_config": [ + {} + ], + "self_link": true, + "source_ranges": true + } + } + }, + { + "address": 
"module.achia_test_violating_port.google_compute_firewall.custom[0]", + "module_address": "module.achia_test_violating_port", + "mode": "managed", + "type": "google_compute_firewall", + "name": "custom", + "index": 0, + "provider_name": "registry.terraform.io/hashicorp/google", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "allow": [ + { + "ports": [ + "80", + "443", + "3600" + ], + "protocol": "tcp" + } + ], + "deny": [], + "description": "gcp-wss-tcp-allow", + "destination_ranges": [ + "0.0.0.0/0" + ], + "direction": "EGRESS", + "disabled": false, + "log_config": [ + { + "metadata": "INCLUDE_ALL_METADATA" + } + ], + "name": "egress-wss-violating-port3600-allow", + "network": "achia_test-peered-wss-network", + "priority": 1000, + "project": "fake-id", + "source_service_accounts": null, + "source_tags": null, + "target_service_accounts": null, + "target_tags": null, + "timeouts": null + }, + "after_unknown": { + "allow": [ + { + "ports": [ + false, + false, + false + ] + } + ], + "creation_timestamp": true, + "deny": [], + "destination_ranges": [ + false + ], + "enable_logging": true, + "id": true, + "log_config": [ + {} + ], + "self_link": true, + "source_ranges": true + } + } + } + ], + "configuration": { + "root_module": { + "resources": [ + { + "address": "google_compute_network.achia_test_nonpeered_network", + "mode": "managed", + "type": "google_compute_network", + "name": "achia_test_nonpeered_network", + "provider_config_key": "google", + "expressions": { + "name": { + "constant_value": "achia_test-nonpeered-network" + } + }, + "schema_version": 0 + }, + { + "address": "google_compute_network.achia_test_peered_nonwss_network", + "mode": "managed", + "type": "google_compute_network", + "name": "achia_test_peered_nonwss_network", + "provider_config_key": "google", + "expressions": { + "name": { + "constant_value": "achia_test-peered-nonwss-network" + } + }, + "schema_version": 0 + }, + { + "address": 
"google_compute_network.achia_test_peered_wss_network", + "mode": "managed", + "type": "google_compute_network", + "name": "achia_test_peered_wss_network", + "provider_config_key": "google", + "expressions": { + "name": { + "constant_value": "achia_test-peered-wss-network" + } + }, + "schema_version": 0 + }, + { + "address": "google_compute_network_peering.achia_test_network_peering_from_nonwss", + "mode": "managed", + "type": "google_compute_network_peering", + "name": "achia_test_network_peering_from_nonwss", + "provider_config_key": "google", + "expressions": { + "name": { + "constant_value": "fake-network-peering-from-nonwss" + }, + "network": { + "constant_value": "https://www.achia.com11111" + }, + "peer_network": { + "references": [ + "google_compute_network.achia_test_peered_nonwss_network" + ] + } + }, + "schema_version": 0 + }, + { + "address": "google_compute_network_peering.achia_test_network_peering_from_wss", + "mode": "managed", + "type": "google_compute_network_peering", + "name": "achia_test_network_peering_from_wss", + "provider_config_key": "google", + "expressions": { + "name": { + "constant_value": "fake-network-peering-from-wss" + }, + "network": { + "constant_value": "https://www.achia.com11111" + }, + "peer_network": { + "references": [ + "google_compute_network.achia_test_peered_wss_network" + ] + } + }, + "schema_version": 0 + }, + { + "address": "google_compute_network_peering.achia_test_network_peering_to_nonwss", + "mode": "managed", + "type": "google_compute_network_peering", + "name": "achia_test_network_peering_to_nonwss", + "provider_config_key": "google", + "expressions": { + "name": { + "constant_value": "fake-network-peering-to-nonwss" + }, + "network": { + "references": [ + "google_compute_network.achia_test_peered_nonwss_network" + ] + }, + "peer_network": { + "constant_value": "https://www.achia.com11111" + } + }, + "schema_version": 0 + }, + { + "address": "google_compute_network_peering.achia_test_network_peering_to_wss", + 
"mode": "managed", + "type": "google_compute_network_peering", + "name": "achia_test_network_peering_to_wss", + "provider_config_key": "google", + "expressions": { + "name": { + "constant_value": "fake-network-peering-to-wss" + }, + "network": { + "references": [ + "google_compute_network.achia_test_peered_wss_network" + ] + }, + "peer_network": { + "constant_value": "https://www.achia.com11111" + } + }, + "schema_version": 0 + } + ], + "module_calls": { + "achia_test_valid_443": { + "source": "tfe.mayo.edu/mcc/m-network-firewall/google", + "expressions": { + "action": { + "constant_value": "allow" + }, + "description": { + "constant_value": "gcp-wss-tcp-allow" + }, + "direction": { + "constant_value": "EGRESS" + }, + "extra_attributes": { + "constant_value": { + "enable_logging": true, + "priority": 1000 + } + }, + "fw_destination": { + "constant_value": "wss" + }, + "fw_purpose": { + "constant_value": "valid-port443" + }, + "fw_source": { + "constant_value": "egress" + }, + "network": { + "references": [ + "google_compute_network.achia_test_peered_wss_network" + ] + }, + "project_id": { + "constant_value": "fake-id" + }, + "ranges": { + "constant_value": [ + "0.0.0.0/0" + ] + }, + "rules": { + "constant_value": [ + { + "ports": [ + 443 + ], + "protocol": "tcp" + } + ] + }, + "sources": { + "references": [ + "local.source_sa" + ] + }, + "use_service_accounts": { + "constant_value": true + } + }, + "module": { + "outputs": { + "firewall_rules": { + "expression": { + "references": [ + "google_compute_firewall.custom" + ] + }, + "description": "The firewall rules created" + } + }, + "resources": [ + { + "address": "google_compute_firewall.custom", + "mode": "managed", + "type": "google_compute_firewall", + "name": "custom", + "provider_config_key": "achia_test_valid_443:google", + "expressions": { + "description": { + "references": [ + "var.description" + ] + }, + "destination_ranges": { + "references": [ + "var.direction", + "var.ranges" + ] + }, + "direction": { + 
"references": [ + "var.direction" + ] + }, + "disabled": { + "references": [ + "var.extra_attributes" + ] + }, + "name": { + "references": [ + "local.firewall_name" + ] + }, + "network": { + "references": [ + "var.network" + ] + }, + "priority": { + "references": [ + "var.extra_attributes" + ] + }, + "project": { + "references": [ + "var.project_id" + ] + }, + "source_ranges": { + "references": [ + "var.direction", + "var.ranges" + ] + }, + "source_service_accounts": { + "references": [ + "var.use_service_accounts", + "var.direction", + "var.sources" + ] + }, + "source_tags": { + "references": [ + "var.use_service_accounts", + "var.direction", + "var.sources" + ] + }, + "target_service_accounts": { + "references": [ + "var.use_service_accounts", + "var.targets" + ] + }, + "target_tags": { + "references": [ + "var.use_service_accounts", + "var.targets" + ] + } + }, + "schema_version": 1, + "count_expression": { + "references": [ + "var.enabled" + ] + } + } + ], + "variables": { + "action": { + "description": "must be one of the following : allow/ deny" + }, + "description": { + "default": null, + "description": "Description for the firewall rule" + }, + "direction": { + "default": null, + "description": "Direction of traffic to which this firewall applies" + }, + "enabled": { + "default": true, + "description": "Whether to enable this module or not." + }, + "extra_attributes": { + "default": null, + "description": "Map(string) that includes extra arguments like disabled, priority and enabled_logging" + }, + "fw_destination": { + "description": "Project id of the project that holds the network." + }, + "fw_purpose": { + "description": "Project id of the project that holds the network." + }, + "fw_source": { + "description": "Project id of the project that holds the network." + }, + "log_config": { + "default": { + "metadata": "INCLUDE_ALL_METADATA" + }, + "description": "The key in the map currently supported is metadata. 
Structure is documented at: https://www.terraform.io/docs/providers/google/r/compute_firewall.html#log_config" + }, + "network": { + "description": "Name of the network this set of firewall rules applies to." + }, + "project_id": { + "description": "Project id of the project that holds the network." + }, + "ranges": { + "default": null, + "description": "Source/ Destination IP range" + }, + "rules": { + "description": "A list of object that includes protocol type and the corresponding ports" + }, + "sources": { + "default": null, + "description": "Source tags/ Service Account" + }, + "targets": { + "default": null, + "description": "Target tags/ Service Account" + }, + "use_service_accounts": { + "default": true, + "description": "Boolean value to indicate if either Service Accounts or Tags are to be used" + } + } + } + }, + "achia_test_valid_ports": { + "source": "tfe.mayo.edu/mcc/m-network-firewall/google", + "expressions": { + "action": { + "constant_value": "allow" + }, + "description": { + "constant_value": "gcp-wss-tcp-allow" + }, + "direction": { + "constant_value": "EGRESS" + }, + "extra_attributes": { + "constant_value": { + "enable_logging": true, + "priority": 1000 + } + }, + "fw_destination": { + "constant_value": "wss" + }, + "fw_purpose": { + "constant_value": "valid-port80and443" + }, + "fw_source": { + "constant_value": "egress" + }, + "network": { + "references": [ + "google_compute_network.achia_test_peered_wss_network" + ] + }, + "project_id": { + "constant_value": "fake-id" + }, + "ranges": { + "constant_value": [ + "0.0.0.0/0" + ] + }, + "rules": { + "constant_value": [ + { + "ports": [ + 80, + 443 + ], + "protocol": "tcp" + } + ] + }, + "sources": { + "references": [ + "local.source_sa" + ] + }, + "use_service_accounts": { + "constant_value": true + } + }, + "module": { + "outputs": { + "firewall_rules": { + "expression": { + "references": [ + "google_compute_firewall.custom" + ] + }, + "description": "The firewall rules created" + } + }, + 
"resources": [ + { + "address": "google_compute_firewall.custom", + "mode": "managed", + "type": "google_compute_firewall", + "name": "custom", + "provider_config_key": "achia_test_valid_ports:google", + "expressions": { + "description": { + "references": [ + "var.description" + ] + }, + "destination_ranges": { + "references": [ + "var.direction", + "var.ranges" + ] + }, + "direction": { + "references": [ + "var.direction" + ] + }, + "disabled": { + "references": [ + "var.extra_attributes" + ] + }, + "name": { + "references": [ + "local.firewall_name" + ] + }, + "network": { + "references": [ + "var.network" + ] + }, + "priority": { + "references": [ + "var.extra_attributes" + ] + }, + "project": { + "references": [ + "var.project_id" + ] + }, + "source_ranges": { + "references": [ + "var.direction", + "var.ranges" + ] + }, + "source_service_accounts": { + "references": [ + "var.use_service_accounts", + "var.direction", + "var.sources" + ] + }, + "source_tags": { + "references": [ + "var.use_service_accounts", + "var.direction", + "var.sources" + ] + }, + "target_service_accounts": { + "references": [ + "var.use_service_accounts", + "var.targets" + ] + }, + "target_tags": { + "references": [ + "var.use_service_accounts", + "var.targets" + ] + } + }, + "schema_version": 1, + "count_expression": { + "references": [ + "var.enabled" + ] + } + } + ], + "variables": { + "action": { + "description": "must be one of the following : allow/ deny" + }, + "description": { + "default": null, + "description": "Description for the firewall rule" + }, + "direction": { + "default": null, + "description": "Direction of traffic to which this firewall applies" + }, + "enabled": { + "default": true, + "description": "Whether to enable this module or not." 
+ }, + "extra_attributes": { + "default": null, + "description": "Map(string) that includes extra arguments like disabled, priority and enabled_logging" + }, + "fw_destination": { + "description": "Project id of the project that holds the network." + }, + "fw_purpose": { + "description": "Project id of the project that holds the network." + }, + "fw_source": { + "description": "Project id of the project that holds the network." + }, + "log_config": { + "default": { + "metadata": "INCLUDE_ALL_METADATA" + }, + "description": "The key in the map currently supported is metadata. Structure is documented at: https://www.terraform.io/docs/providers/google/r/compute_firewall.html#log_config" + }, + "network": { + "description": "Name of the network this set of firewall rules applies to." + }, + "project_id": { + "description": "Project id of the project that holds the network." + }, + "ranges": { + "default": null, + "description": "Source/ Destination IP range" + }, + "rules": { + "description": "A list of object that includes protocol type and the corresponding ports" + }, + "sources": { + "default": null, + "description": "Source tags/ Service Account" + }, + "targets": { + "default": null, + "description": "Target tags/ Service Account" + }, + "use_service_accounts": { + "default": true, + "description": "Boolean value to indicate if either Service Accounts or Tags are to be used" + } + } + } + }, + "achia_test_violating_no_ports": { + "source": "tfe.mayo.edu/mcc/m-network-firewall/google", + "expressions": { + "action": { + "constant_value": "allow" + }, + "description": { + "constant_value": "gcp-wss-tcp-allow" + }, + "direction": { + "constant_value": "EGRESS" + }, + "extra_attributes": { + "constant_value": { + "enable_logging": true, + "priority": 1000 + } + }, + "fw_destination": { + "constant_value": "wss" + }, + "fw_purpose": { + "constant_value": "all-ports" + }, + "fw_source": { + "constant_value": "egress" + }, + "network": { + "references": [ + 
"google_compute_network.achia_test_peered_wss_network" + ] + }, + "project_id": { + "constant_value": "fake-id" + }, + "ranges": { + "constant_value": [ + "0.0.0.0/0" + ] + }, + "rules": { + "constant_value": [ + { + "ports": [], + "protocol": "tcp" + } + ] + }, + "sources": { + "references": [ + "local.source_sa" + ] + }, + "use_service_accounts": { + "constant_value": true + } + }, + "module": { + "outputs": { + "firewall_rules": { + "expression": { + "references": [ + "google_compute_firewall.custom" + ] + }, + "description": "The firewall rules created" + } + }, + "resources": [ + { + "address": "google_compute_firewall.custom", + "mode": "managed", + "type": "google_compute_firewall", + "name": "custom", + "provider_config_key": "achia_test_violating_no_ports:google", + "expressions": { + "description": { + "references": [ + "var.description" + ] + }, + "destination_ranges": { + "references": [ + "var.direction", + "var.ranges" + ] + }, + "direction": { + "references": [ + "var.direction" + ] + }, + "disabled": { + "references": [ + "var.extra_attributes" + ] + }, + "name": { + "references": [ + "local.firewall_name" + ] + }, + "network": { + "references": [ + "var.network" + ] + }, + "priority": { + "references": [ + "var.extra_attributes" + ] + }, + "project": { + "references": [ + "var.project_id" + ] + }, + "source_ranges": { + "references": [ + "var.direction", + "var.ranges" + ] + }, + "source_service_accounts": { + "references": [ + "var.use_service_accounts", + "var.direction", + "var.sources" + ] + }, + "source_tags": { + "references": [ + "var.use_service_accounts", + "var.direction", + "var.sources" + ] + }, + "target_service_accounts": { + "references": [ + "var.use_service_accounts", + "var.targets" + ] + }, + "target_tags": { + "references": [ + "var.use_service_accounts", + "var.targets" + ] + } + }, + "schema_version": 1, + "count_expression": { + "references": [ + "var.enabled" + ] + } + } + ], + "variables": { + "action": { + "description": 
"must be one of the following : allow/ deny" + }, + "description": { + "default": null, + "description": "Description for the firewall rule" + }, + "direction": { + "default": null, + "description": "Direction of traffic to which this firewall applies" + }, + "enabled": { + "default": true, + "description": "Whether to enable this module or not." + }, + "extra_attributes": { + "default": null, + "description": "Map(string) that includes extra arguments like disabled, priority and enabled_logging" + }, + "fw_destination": { + "description": "Project id of the project that holds the network." + }, + "fw_purpose": { + "description": "Project id of the project that holds the network." + }, + "fw_source": { + "description": "Project id of the project that holds the network." + }, + "log_config": { + "default": { + "metadata": "INCLUDE_ALL_METADATA" + }, + "description": "The key in the map currently supported is metadata. Structure is documented at: https://www.terraform.io/docs/providers/google/r/compute_firewall.html#log_config" + }, + "network": { + "description": "Name of the network this set of firewall rules applies to." + }, + "project_id": { + "description": "Project id of the project that holds the network." 
+ }, + "ranges": { + "default": null, + "description": "Source/ Destination IP range" + }, + "rules": { + "description": "A list of object that includes protocol type and the corresponding ports" + }, + "sources": { + "default": null, + "description": "Source tags/ Service Account" + }, + "targets": { + "default": null, + "description": "Target tags/ Service Account" + }, + "use_service_accounts": { + "default": true, + "description": "Boolean value to indicate if either Service Accounts or Tags are to be used" + } + } + } + }, + "achia_test_violating_port": { + "source": "tfe.mayo.edu/mcc/m-network-firewall/google", + "expressions": { + "action": { + "constant_value": "allow" + }, + "description": { + "constant_value": "gcp-wss-tcp-allow" + }, + "direction": { + "constant_value": "EGRESS" + }, + "extra_attributes": { + "constant_value": { + "enable_logging": true, + "priority": 1000 + } + }, + "fw_destination": { + "constant_value": "wss" + }, + "fw_purpose": { + "constant_value": "violating-port3600" + }, + "fw_source": { + "constant_value": "egress" + }, + "network": { + "references": [ + "google_compute_network.achia_test_peered_wss_network" + ] + }, + "project_id": { + "constant_value": "fake-id" + }, + "ranges": { + "constant_value": [ + "0.0.0.0/0" + ] + }, + "rules": { + "constant_value": [ + { + "ports": [ + 80, + 443, + 3600 + ], + "protocol": "tcp" + } + ] + }, + "sources": { + "references": [ + "local.source_sa" + ] + }, + "use_service_accounts": { + "constant_value": true + } + }, + "module": { + "outputs": { + "firewall_rules": { + "expression": { + "references": [ + "google_compute_firewall.custom" + ] + }, + "description": "The firewall rules created" + } + }, + "resources": [ + { + "address": "google_compute_firewall.custom", + "mode": "managed", + "type": "google_compute_firewall", + "name": "custom", + "provider_config_key": "achia_test_violating_port:google", + "expressions": { + "description": { + "references": [ + "var.description" + ] + }, + 
"destination_ranges": { + "references": [ + "var.direction", + "var.ranges" + ] + }, + "direction": { + "references": [ + "var.direction" + ] + }, + "disabled": { + "references": [ + "var.extra_attributes" + ] + }, + "name": { + "references": [ + "local.firewall_name" + ] + }, + "network": { + "references": [ + "var.network" + ] + }, + "priority": { + "references": [ + "var.extra_attributes" + ] + }, + "project": { + "references": [ + "var.project_id" + ] + }, + "source_ranges": { + "references": [ + "var.direction", + "var.ranges" + ] + }, + "source_service_accounts": { + "references": [ + "var.use_service_accounts", + "var.direction", + "var.sources" + ] + }, + "source_tags": { + "references": [ + "var.use_service_accounts", + "var.direction", + "var.sources" + ] + }, + "target_service_accounts": { + "references": [ + "var.use_service_accounts", + "var.targets" + ] + }, + "target_tags": { + "references": [ + "var.use_service_accounts", + "var.targets" + ] + } + }, + "schema_version": 1, + "count_expression": { + "references": [ + "var.enabled" + ] + } + } + ], + "variables": { + "action": { + "description": "must be one of the following : allow/ deny" + }, + "description": { + "default": null, + "description": "Description for the firewall rule" + }, + "direction": { + "default": null, + "description": "Direction of traffic to which this firewall applies" + }, + "enabled": { + "default": true, + "description": "Whether to enable this module or not." + }, + "extra_attributes": { + "default": null, + "description": "Map(string) that includes extra arguments like disabled, priority and enabled_logging" + }, + "fw_destination": { + "description": "Project id of the project that holds the network." + }, + "fw_purpose": { + "description": "Project id of the project that holds the network." + }, + "fw_source": { + "description": "Project id of the project that holds the network." 
+ }, + "log_config": { + "default": { + "metadata": "INCLUDE_ALL_METADATA" + }, + "description": "The key in the map currently supported is metadata. Structure is documented at: https://www.terraform.io/docs/providers/google/r/compute_firewall.html#log_config" + }, + "network": { + "description": "Name of the network this set of firewall rules applies to." + }, + "project_id": { + "description": "Project id of the project that holds the network." + }, + "ranges": { + "default": null, + "description": "Source/ Destination IP range" + }, + "rules": { + "description": "A list of object that includes protocol type and the corresponding ports" + }, + "sources": { + "default": null, + "description": "Source tags/ Service Account" + }, + "targets": { + "default": null, + "description": "Target tags/ Service Account" + }, + "use_service_accounts": { + "default": true, + "description": "Boolean value to indicate if either Service Accounts or Tags are to be used" + } + } + } + } + } + } + } +} diff --git a/tests/terraform/runner/test_plan_runner.py b/tests/terraform/runner/test_plan_runner.py index 71588be2820..74fb1b204fa 100644 --- a/tests/terraform/runner/test_plan_runner.py +++ b/tests/terraform/runner/test_plan_runner.py @@ -25,7 +25,7 @@ @parameterized_class([ {"db_connector": NetworkxConnector}, {"db_connector": IgraphConnector}, - {"db_connector": RustworkxConnector}, + {"db_connector": RustworkxConnector}, ]) class TestRunnerValid(unittest.TestCase): @classmethod 
@@ -33,6 +33,18 @@ def setUpClass(cls) -> None: cls.orig_checks = deepcopy(resource_registry.checks) cls.db_connector = cls.db_connector + def test_py_graph_check(self): + if not self.db_connector == IgraphConnector: + return + current_dir = os.path.dirname(os.path.realpath(__file__)) + valid_dir_path = current_dir + "/resources/py_graph_check_tf_plan" + valid_dir_path_for_external_check = current_dir + '/py_check_tf_plan' + runner = Runner(db_connector=self.db_connector()) + checks_allowlist = ['CKV_AWS_99999'] + report = runner.run(root_folder=valid_dir_path, external_checks_dir=[valid_dir_path_for_external_check], + runner_filter=RunnerFilter(framework=["terraform_plan"], checks=checks_allowlist)) + assert len(report.passed_checks) == 3 + def test_runner_two_checks_only(self): current_dir = os.path.dirname(os.path.realpath(__file__)) valid_plan_path = current_dir + "/resources/plan/tfplan.json"
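Review bot: The early `return` at the top of `test_py_graph_check` makes the test report success for the NetworkxConnector and RustworkxConnector parameterizations without exercising anything, so a regression in the graph hand-off for those connectors would stay invisible in the test output. Prefer `if self.db_connector is not IgraphConnector: self.skipTest("fixture check uses the igraph graph API")` so the skip is recorded, or make the fixture check connector-agnostic and drop the guard. The closing assertion pins only `len(report.passed_checks) == 3`; also asserting `self.assertEqual(report.failed_checks, [])` and that each passed record's `check_id` is `CKV_AWS_99999` would show the graph actually reached the registry rather than the external check merely loading. `test_runner_two_checks_only` continues past the end of the hunk.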