diff --git a/checkov/terraform/checks/resource/gcp/GKELegacyInstanceMetadataDisabled.py b/checkov/terraform/checks/resource/gcp/GKELegacyInstanceMetadataDisabled.py
deleted file mode 100644
index b78250f5d1e..00000000000
--- a/checkov/terraform/checks/resource/gcp/GKELegacyInstanceMetadataDisabled.py
+++ /dev/null
@@ -1,36 +0,0 @@
-from checkov.common.models.enums import CheckResult, CheckCategories
-from checkov.common.util.type_forcers import force_float
-from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
-
- class GKELegacyInstanceMetadataDisabled(BaseResourceValueCheck):
-
- def __init__(self):
- name = "Ensure legacy Compute Engine instance metadata APIs are Disabled"
- id = "CKV_GCP_67"
- supported_resources = ['google_container_cluster']
- categories = [CheckCategories.KUBERNETES]
- super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
-
- def scan_resource_conf(self, conf):
- """
- looks for min_master_version =1.12 which ensures that legacy metadata endpoints are disabled
- https://www.terraform.io/docs/providers/google/r/compute_ssl_policy.html
- :param conf: google_container_cluster configuration
- :return:
- """
- if 'min_master_version' in conf:
- min_master_version = force_float(conf.get('min_master_version')[0])
- if min_master_version and min_master_version >= 1.12:
- return CheckResult.PASSED
-
- return CheckResult.FAILED
-
- def get_inspected_key(self):
- return 'min_master_version'
-
- def get_expected_value(self):
- return "1.12"
-
-
-check = GKELegacyInstanceMetadataDisabled()
diff --git a/tests/terraform/checks/resource/gcp/test_GKELegacyInstanceMetadataDisabled.py b/tests/terraform/checks/resource/gcp/test_GKELegacyInstanceMetadataDisabled.py
deleted file mode 100644
index 9e01511cb21..00000000000
--- a/tests/terraform/checks/resource/gcp/test_GKELegacyInstanceMetadataDisabled.py
+++ /dev/null
@@ -1,41 +0,0 @@
-import unittest
-import os
-
-from checkov.terraform.checks.resource.gcp.GKELegacyInstanceMetadataDisabled import check
-from checkov.runner_filter import RunnerFilter
-from checkov.terraform.runner import Runner
-
- class TestGKELegacyInstanceMetadataDisabled(unittest.TestCase):
-
- def test(self):
- runner = Runner()
- current_dir = os.path.dirname(os.path.realpath(__file__))
-
- test_files_dir = current_dir + "/test_GKELegacyInstanceMetadataDisabled"
- report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
- summary = report.get_summary()
-
- passing_resources = {
- 'google_container_cluster.success1',
- 'google_container_cluster.success2',
- }
- failing_resources = {
- 'google_container_cluster.fail1',
- 'google_container_cluster.fail2'
- }
-
- passed_check_resources = set([c.resource for c in report.passed_checks])
- failed_check_resources = set([c.resource for c in report.failed_checks])
-
- self.assertEqual(summary['passed'], 2)
- self.assertEqual(summary['failed'], 2)
- self.assertEqual(summary['skipped'], 0)
- self.assertEqual(summary['parsing_errors'], 0)
-
- self.assertEqual(passing_resources, passed_check_resources)
- self.assertEqual(failing_resources, failed_check_resources)
-
- if __name__ == '__main__':
- unittest.main()
\ No newline at end of file
diff --git a/tests/terraform/checks/resource/gcp/test_GKELegacyInstanceMetadataDisabled/main.tf b/tests/terraform/checks/resource/gcp/test_GKELegacyInstanceMetadataDisabled/main.tf
deleted file mode 100644
index 5727783f10a..00000000000
--- a/tests/terraform/checks/resource/gcp/test_GKELegacyInstanceMetadataDisabled/main.tf
+++ /dev/null
@@ -1,91 +0,0 @@
-
-resource "google_container_cluster" "fail1" {
- name = var.name
- location = var.location
- initial_node_count = 1
- project = data.google_project.project.name
-
- network = var.network
- subnetwork = var.subnetwork
-
- ip_allocation_policy {
- cluster_ipv4_cidr_block = var.ip_allocation_policy["cluster_ipv4_cidr_block"]
- cluster_secondary_range_name = var.ip_allocation_policy["cluster_secondary_range_name"]
- services_ipv4_cidr_block = var.ip_allocation_policy["services_ipv4_cidr_block"]
- services_secondary_range_name = var.ip_allocation_policy["services_secondary_range_name"]
- }
-}
-
-resource "google_container_cluster" "fail2" {
- name = var.name
- location = var.location
- initial_node_count = 1
- project = data.google_project.project.name
-
- network = var.network
- subnetwork = var.subnetwork
- min_master_version = "1.11"
-
- ip_allocation_policy {
- cluster_ipv4_cidr_block = var.ip_allocation_policy["cluster_ipv4_cidr_block"]
- cluster_secondary_range_name = var.ip_allocation_policy["cluster_secondary_range_name"]
- services_ipv4_cidr_block = var.ip_allocation_policy["services_ipv4_cidr_block"]
- services_secondary_range_name = var.ip_allocation_policy["services_secondary_range_name"]
- }
-
- node_config {
- workload_metadata_config {
- node_metadata = "GKE_METADATA_SERVER"
- }
- }
-}
-
-
-resource "google_container_cluster" "success1" {
- name = var.name
- location = var.location
- initial_node_count = 1
- project = data.google_project.project.name
-
- network = var.network
- subnetwork = var.subnetwork
- min_master_version = 1.12
-
- ip_allocation_policy {
- cluster_ipv4_cidr_block = var.ip_allocation_policy["cluster_ipv4_cidr_block"]
- cluster_secondary_range_name = var.ip_allocation_policy["cluster_secondary_range_name"]
- services_ipv4_cidr_block = var.ip_allocation_policy["services_ipv4_cidr_block"]
- services_secondary_range_name = var.ip_allocation_policy["services_secondary_range_name"]
- }
-
- node_config {
- workload_metadata_config {
- node_metadata = "GKE_METADATA_SERVER"
- }
- }
-}
-
-
-resource "google_container_cluster" "success2" {
- name = var.name
- location = var.location
- initial_node_count = 1
- project = data.google_project.project.name
-
- network = var.network
- subnetwork = var.subnetwork
- min_master_version = 1.13
-
- ip_allocation_policy {
- cluster_ipv4_cidr_block = var.ip_allocation_policy["cluster_ipv4_cidr_block"]
- cluster_secondary_range_name = var.ip_allocation_policy["cluster_secondary_range_name"]
- services_ipv4_cidr_block = var.ip_allocation_policy["services_ipv4_cidr_block"]
- services_secondary_range_name = var.ip_allocation_policy["services_secondary_range_name"]
- }
-
- node_config {
- workload_metadata_config {
- node_metadata = "GKE_METADATA_SERVER"
- }
- }
-}
diff --git a/tests/terraform/runner/test_runner.py b/tests/terraform/runner/test_runner.py
index 162e011f482..cc8cd753846 100644
--- a/tests/terraform/runner/test_runner.py
+++ b/tests/terraform/runner/test_runner.py
@@ -342,6 +342,9 @@ def test_no_missing_ids(self):
 if f'CKV_GCP_{i}' == 'CKV_GCP_5':
 # CKV_GCP_5 is no longer a valid platform check
 continue
+ if f'CKV_GCP_{i}' == 'CKV_GCP_67':
+ # CKV_GCP_67 is not deployable anymore https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#protect_node_metadata
+ continue
 self.assertIn(f'CKV_GCP_{i}', gcp_checks, msg=f'The new GCP violation should have the ID "CKV_GCP_{i}"')
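Review bot: The new `CKV_GCP_67` skip copies the `CKV_GCP_5` branch above it line for line, so every further retirement will add another `if`/`continue` pair to `test_no_missing_ids`, whose body begins before this hunk. Keeping the retired IDs in one set reads better and leaves a single edit point: `retired_gcp_ids = {'CKV_GCP_5', 'CKV_GCP_67'}` above the loop, then `if f'CKV_GCP_{i}' in retired_gcp_ids:` / `continue` in place of both branches. The added comment's "not deployable anymore" also leaves it unclear whether the check or the setting it inspected went away; naming what was removed, e.g. `# CKV_GCP_67 (legacy instance metadata API check, min_master_version >= 1.12) was retired; see https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#protect_node_metadata`, would spare the next reader a history search.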