feat(terraform): Add GCP policy (#6177)

Add GCP policy

Aligns to 02b159ed-59df-4924-8b96-868ea6eacf93

checkov/terraform/checks/resource/gcp/CloudFunctionPermissiveIngress.py

@@ -0,0 +1,25 @@
+from typing import Any, List
+
+from checkov.common.models.enums import CheckCategories
+from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+
+
+class CloudFunctionPermissiveIngress(BaseResourceValueCheck):
+    def __init__(self) -> None:
+        name = "Ensure GCP Cloud Function is not configured with overly permissive Ingress setting"
+        id = "CKV_GCP_124"
+        supported_resources = ("google_cloudfunctions_function", "google_cloudfunctions2_function")
+        categories = (CheckCategories.NETWORKING,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self) -> str:
+        if self.entity_type == "google_cloudfunctions_function":
+            return "ingress_settings"
+        else:
+            return "service_config/[0]/ingress_settings/[0]"
+
+    def get_expected_values(self) -> List[Any]:
+        return ["ALLOW_INTERNAL_AND_GCLB", "ALLOW_INTERNAL_ONLY"]
+
+
+check = CloudFunctionPermissiveIngress()

tests/terraform/checks/resource/gcp/example_CloudFunctionPermissiveIngress/main.tf

@@ -0,0 +1,98 @@
+resource "google_cloudfunctions2_function" "pass1" {
+  name = "gcf-function"
+  location = "us-central1"
+  description = "a new function"
+
+  service_config {
+    max_instance_count  = 3
+    min_instance_count = 1
+    available_memory    = "4Gi"
+    timeout_seconds     = 60
+    max_instance_request_concurrency = 80
+    available_cpu = "4"
+    environment_variables = {
+        SERVICE_CONFIG_TEST = "config_test"
+    }
+    ingress_settings = "ALLOW_INTERNAL_ONLY"
+    all_traffic_on_latest_revision = true
+    service_account_email = google_service_account.account.email
+  }
+}
+
+resource "google_cloudfunctions2_function" "fail1" {
+  name = "gcf-function"
+  location = "us-central1"
+  description = "a new function"
+
+  service_config {
+    max_instance_count  = 3
+    min_instance_count = 1
+    available_memory    = "4Gi"
+    timeout_seconds     = 60
+    max_instance_request_concurrency = 80
+    available_cpu = "4"
+    environment_variables = {
+        SERVICE_CONFIG_TEST = "config_test"
+    }
+    ingress_settings = "ALLOW_ALL"
+    all_traffic_on_latest_revision = true
+    service_account_email = google_service_account.account.email
+  }
+}
+
+# Defaults to ALLOW_ALL (https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloudfunctions2_function#ingress_settings)
+resource "google_cloudfunctions2_function" "fail2_not_specified" {
+  name = "gcf-function"
+  location = "us-central1"
+  description = "a new function"
+
+  service_config {
+    max_instance_count  = 3
+    min_instance_count = 1
+    available_memory    = "4Gi"
+    timeout_seconds     = 60
+    max_instance_request_concurrency = 80
+    available_cpu = "4"
+    environment_variables = {
+        SERVICE_CONFIG_TEST = "config_test"
+    }
+    all_traffic_on_latest_revision = true
+    service_account_email = google_service_account.account.email
+  }
+}
+
+resource "google_cloudfunctions_function" "pass2" {
+  name                  = "serverless-lb-test-function"
+  region                = "europe-west1"
+  description           = "serverless-lb-test-function"
+  available_memory_mb   = 512
+  source_archive_bucket = google_storage_bucket.lb-zip.name
+  source_archive_object = google_storage_bucket_object.lb-zip.name
+  timeout               = 60
+  service_account_email = google_service_account.serverless.email
+  labels = {
+    deployment-tool = "console-cloud"
+  }
+  entry_point           = "hello_get"
+  runtime               = "python37"
+  trigger_http = true
+  ingress_settings = "ALLOW_INTERNAL_AND_GCLB"
+}
+
+resource "google_cloudfunctions_function" "fail3" {
+  name                  = "serverless-lb-test-function"
+  region                = "europe-west1"
+  description           = "serverless-lb-test-function"
+  available_memory_mb   = 512
+  source_archive_bucket = google_storage_bucket.lb-zip.name
+  source_archive_object = google_storage_bucket_object.lb-zip.name
+  timeout               = 60
+  service_account_email = google_service_account.serverless.email
+  labels = {
+    deployment-tool = "console-cloud"
+  }
+  entry_point           = "hello_get"
+  runtime               = "python37"
+  trigger_http = true
+  ingress_settings = "ALLOW_ALL"
+}

tests/terraform/checks/resource/gcp/test_CloudFunctionPermissiveIngress.py

@@ -0,0 +1,42 @@
+import unittest
+import os
+
+from checkov.terraform.checks.resource.gcp.CloudFunctionPermissiveIngress import check
+from checkov.runner_filter import RunnerFilter
+from checkov.terraform.runner import Runner
+
+
+class TestCloudFunctionPermissiveIngress(unittest.TestCase):
+
+    def test(self):
+        runner = Runner()
+        current_dir = os.path.dirname(os.path.realpath(__file__))
+
+        test_files_dir = current_dir + "/example_CloudFunctionPermissiveIngress"
+        report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
+        summary = report.get_summary()
+
+        passing_resources = {
+            'google_cloudfunctions2_function.pass1',
+            'google_cloudfunctions_function.pass2',
+        }
+        failing_resources = {
+            'google_cloudfunctions2_function.fail1',
+            'google_cloudfunctions2_function.fail2_not_specified',
+            'google_cloudfunctions_function.fail3'
+        }
+
+        passed_check_resources = set([c.resource for c in report.passed_checks])
+        failed_check_resources = set([c.resource for c in report.failed_checks])
+
+        self.assertEqual(summary['passed'], 2)
+        self.assertEqual(summary['failed'], 3)
+        self.assertEqual(summary['skipped'], 0)
+        self.assertEqual(summary['parsing_errors'], 0)
+
+        self.assertEqual(passing_resources, passed_check_resources)
+        self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == '__main__':
+    unittest.main()