feat(terraform): bigtable deletion protection [depends on #5625] (#5626)

* feat(terraform): bigtable deletion protection

* Missed a bit

---------

Co-authored-by: Anton Grübel <[email protected]>

checkov/terraform/checks/resource/gcp/BigQueryTableDeletionProtection.py

@@ -0,0 +1,21 @@
+from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+from checkov.common.models.enums import CheckCategories, CheckResult
+
+
+class BigQueryTableDeletionProtection(BaseResourceValueCheck):
+    def __init__(self) -> None:
+        name = "Ensure BigQuery tables have deletion protection enabled"
+        id = "CKV_GCP_121"
+        supported_resources = ['google_bigquery_table']
+        categories = [CheckCategories.GENERAL_SECURITY]
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
+                         missing_block_result=CheckResult.FAILED)
+
+    def get_inspected_key(self) -> str:
+        return 'deletion_protection'
+
+    def get_expected_value(self) -> bool:
+        return True
+
+
+check = BigQueryTableDeletionProtection()

checkov/terraform/checks/resource/gcp/BigTableInstanceDeletionProtection.py

@@ -0,0 +1,21 @@
+from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+from checkov.common.models.enums import CheckCategories, CheckResult
+
+
+class BigTableInstanceDeletionProtection(BaseResourceValueCheck):
+    def __init__(self):
+        name = "Ensure Big Table Instances have deletion protection enabled"
+        id = "CKV_GCP_122"
+        supported_resources = ['google_bigtable_instance']
+        categories = [CheckCategories.ENCRYPTION]
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
+                         missing_block_result=CheckResult.FAILED)
+
+    def get_inspected_key(self):
+        return 'deletion_protection'
+
+    def get_expected_value(self):
+        return True
+
+
+check = BigTableInstanceDeletionProtection()

tests/terraform/checks/resource/gcp/example_BigQueryTableDeletionProtection/main.tf

@@ -0,0 +1,93 @@
+resource "google_bigquery_table" "fail" {
+  dataset_id = google_bigquery_dataset.default.dataset_id
+  table_id   = "bar"
+
+  time_partitioning {
+    type = "DAY"
+  }
+
+  labels = {
+    env = "default"
+  }
+
+  schema = <<EOF
+[
+  {
+    "name": "permalink",
+    "type": "STRING",
+    "mode": "NULLABLE",
+    "description": "The Permalink"
+  },
+  {
+    "name": "state",
+    "type": "STRING",
+    "mode": "NULLABLE",
+    "description": "State where the head office is located"
+  }
+]
+EOF
+
+}
+
+
+resource "google_bigquery_table" "fail2" {
+  dataset_id = google_bigquery_dataset.default.dataset_id
+  table_id   = "bar"
+  deletion_protection = false
+  time_partitioning {
+    type = "DAY"
+  }
+
+  labels = {
+    env = "default"
+  }
+
+  schema = <<EOF
+[
+  {
+    "name": "permalink",
+    "type": "STRING",
+    "mode": "NULLABLE",
+    "description": "The Permalink"
+  },
+  {
+    "name": "state",
+    "type": "STRING",
+    "mode": "NULLABLE",
+    "description": "State where the head office is located"
+  }
+]
+EOF
+
+}
+
+resource "google_bigquery_table" "pass" {
+  dataset_id = google_bigquery_dataset.default.dataset_id
+  table_id   = "bar"
+  deletion_protection = true
+  time_partitioning {
+    type = "DAY"
+  }
+
+  labels = {
+    env = "default"
+  }
+
+  schema = <<EOF
+[
+  {
+    "name": "permalink",
+    "type": "STRING",
+    "mode": "NULLABLE",
+    "description": "The Permalink"
+  },
+  {
+    "name": "state",
+    "type": "STRING",
+    "mode": "NULLABLE",
+    "description": "State where the head office is located"
+  }
+]
+EOF
+
+}

tests/terraform/checks/resource/gcp/example_BigTableInstanceDeletionProtection/main.tf

@@ -0,0 +1,44 @@
+resource "google_bigtable_instance" "fail" {
+  name = "tf-instance"
+
+  cluster {
+    cluster_id   = "tf-instance-cluster"
+    num_nodes    = 1
+    storage_type = "HDD"
+    # kms_key_name = "some value"
+  }
+
+  labels = {
+    my-label = "prod-label"
+  }
+}
+
+resource "google_bigtable_instance" "fail2" {
+  name = "tf-instance"
+  deletion_protection = false
+  cluster {
+    cluster_id   = "tf-instance-cluster"
+    num_nodes    = 1
+    storage_type = "HDD"
+    # kms_key_name = "some value"
+  }
+
+  labels = {
+    my-label = "prod-label"
+  }
+}
+
+resource "google_bigtable_instance" "pass" {
+  name = "tf-instance"
+  deletion_protection = true
+  cluster {
+    cluster_id   = "tf-instance-cluster"
+    num_nodes    = 1
+    storage_type = "HDD"
+    kms_key_name = google_kms_crypto_key.example.name
+  }
+
+  labels = {
+    my-label = "prod-label"
+  }
+}

tests/terraform/checks/resource/gcp/test_BigQueryTableDeletionProtection.py

@@ -0,0 +1,40 @@
+import unittest
+import os
+
+from checkov.terraform.checks.resource.gcp.BigQueryTableDeletionProtection import check
+from checkov.runner_filter import RunnerFilter
+from checkov.terraform.runner import Runner
+
+
+class TestBigQueryTableDeletionProtection(unittest.TestCase):
+
+    def test(self):
+        runner = Runner()
+        current_dir = os.path.dirname(os.path.realpath(__file__))
+
+        test_files_dir = current_dir + "/example_BigQueryTableDeletionProtection"
+        report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
+        summary = report.get_summary()
+
+        passing_resources = {
+            "google_bigquery_table.pass",
+        }
+        failing_resources = {
+            "google_bigquery_table.fail",
+            "google_bigquery_table.fail2"
+        }
+
+        passed_check_resources = set([c.resource for c in report.passed_checks])
+        failed_check_resources = set([c.resource for c in report.failed_checks])
+
+        self.assertEqual(summary['passed'], len(passing_resources))
+        self.assertEqual(summary['failed'], len(failing_resources))
+        self.assertEqual(summary['skipped'], 0)
+        self.assertEqual(summary['parsing_errors'], 0)
+
+        self.assertEqual(passing_resources, passed_check_resources)
+        self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == '__main__':
+    unittest.main()

tests/terraform/checks/resource/gcp/test_BigTableInstanceDeletionProtection.py

@@ -0,0 +1,40 @@
+import unittest
+import os
+
+from checkov.terraform.checks.resource.gcp.BigTableInstanceDeletionProtection import check
+from checkov.runner_filter import RunnerFilter
+from checkov.terraform.runner import Runner
+
+
+class TestBigQueryTableDeletionProtection(unittest.TestCase):
+
+    def test(self):
+        runner = Runner()
+        current_dir = os.path.dirname(os.path.realpath(__file__))
+
+        test_files_dir = current_dir + "/example_BigTableInstanceDeletionProtection"
+        report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
+        summary = report.get_summary()
+
+        passing_resources = {
+            "google_bigtable_instance.pass",
+        }
+        failing_resources = {
+            "google_bigtable_instance.fail",
+            "google_bigtable_instance.fail2"
+        }
+
+        passed_check_resources = set([c.resource for c in report.passed_checks])
+        failed_check_resources = set([c.resource for c in report.failed_checks])
+
+        self.assertEqual(summary['passed'], len(passing_resources))
+        self.assertEqual(summary['failed'], len(failing_resources))
+        self.assertEqual(summary['skipped'], 0)
+        self.assertEqual(summary['parsing_errors'], 0)
+
+        self.assertEqual(passing_resources, passed_check_resources)
+        self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == '__main__':
+    unittest.main()