fix(terraform): Added ssl_mode attribute support to CKV_GCP_6

checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabaseRequireSsl.py

@@ -1,24 +1,48 @@
-from checkov.common.models.enums import CheckCategories
-from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
 
+ALLOWED_SSL_MODES = ["TRUSTED_CLIENT_CERTIFICATE_REQUIRED"]
 
-class GoogleCloudSqlDatabaseRequireSsl(BaseResourceValueCheck):
+
+class GoogleCloudSqlDatabaseRequireSsl(BaseResourceCheck):
     def __init__(self):
         name = "Ensure all Cloud SQL database instance requires all incoming connections to use SSL"
         id = "CKV_GCP_6"
         supported_resources = ['google_sql_database_instance']
         categories = [CheckCategories.NETWORKING]
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
-    def get_inspected_key(self):
+    def scan_resource_conf(self, conf):
         """
         Looks for google_sql_database_instance which do not enforce SSL connections:
         :param
         conf: google_sql_database_instance
         configuration
         :return: < CheckResult >
         """
-        return 'settings/[0]/ip_configuration/[0]/require_ssl/[0]'
+
+        if 'settings' in conf.keys() and 'ip_configuration' in conf['settings'][0]:
+            ipconfiguration = conf['settings'][0]['ip_configuration'][0]
+
+            if 'ssl_mode' in ipconfiguration:
+                ssl_mode = ipconfiguration['ssl_mode']
+                ssl_mode = ssl_mode[0] if isinstance(ssl_mode, list) else ssl_mode
+
+                if ssl_mode in ALLOWED_SSL_MODES:
+                    return CheckResult.PASSED
+
+            elif 'require_ssl' in ipconfiguration:
+
+                require_ssl = ipconfiguration['require_ssl']
+                require_ssl = require_ssl[0] if isinstance(require_ssl, list) else require_ssl
+
+                if require_ssl:
+                    return CheckResult.PASSED
+
+        return CheckResult.FAILED
+
+    def get_inspected_keys(self):
+        return ['settings/[0]/ip_configuration/[0]/ssl_mode/[0]', 'settings/[0]/ip_configuration/[0]/require_ssl/[0]']
 
 
 check = GoogleCloudSqlDatabaseRequireSsl()

tests/terraform/checks/resource/gcp/test_GoogleCloudSqlDatabaseRequireSsl.py

@@ -8,15 +8,29 @@ class GoogleCloudSqlDatabaseRequireSsl(unittest.TestCase):
 
     def test_failure(self):
         resource_conf = {'name': ['google_cluster'], 'monitoring_service': ['none']}
+        scan_result = check.scan_resource_conf(conf=resource_conf)
+        self.assertEqual(CheckResult.FAILED, scan_result)
 
+    def test_failure_requiressl_false(self):
+        resource_conf = {'settings': [{'tier': ['1'], 'ip_configuration': [{'require_ssl': [False]}]}]}
         scan_result = check.scan_resource_conf(conf=resource_conf)
         self.assertEqual(CheckResult.FAILED, scan_result)
 
-    def test_success(self):
+    def test_success_requiressl(self):
         resource_conf = {'settings': [{'tier': ['1'], 'ip_configuration': [{'require_ssl': [True]}]}]}
         scan_result = check.scan_resource_conf(conf=resource_conf)
         self.assertEqual(CheckResult.PASSED, scan_result)
 
+    def test_failure_sslmode_encryptonly(self):
+        resource_conf = {'settings': [{'tier': ['1'], 'ip_configuration': [{'ssl_mode': ["ENCRYPTED_ONLY"]}]}]}
+        scan_result = check.scan_resource_conf(conf=resource_conf)
+        self.assertEqual(CheckResult.FAILED, scan_result)
+
+    def test_success_sslmode_trustedclient(self):
+        resource_conf = {'settings': [{'tier': ['1'], 'ip_configuration': [{'ssl_mode': ["TRUSTED_CLIENT_CERTIFICATE_REQUIRED"]}]}]}
+        scan_result = check.scan_resource_conf(conf=resource_conf)
+        self.assertEqual(CheckResult.PASSED, scan_result)
+
 
 if __name__ == '__main__':
     unittest.main()