From b2d65b7b43079687faca150de1a794b48ff2e1e4 Mon Sep 17 00:00:00 2001
From: Owen Rumney
Date: Tue, 26 Apr 2022 11:06:45 +0100
Subject: [PATCH] fix(rule): GCP dnssec not applicable for private zones
Resolves #538
Signed-off-by: Owen Rumney
---
 .../adapters/terraform/google/dns/adapt.go | 7 +++++-
 .../terraform/google/dns/adapt_test.go | 3 ++-
 internal/rules/google/dns/enable_dnssec.go | 2 +-
 .../rules/google/dns/enable_dnssec_test.go | 24 ++++++++++++++++---
 pkg/providers/google/dns/dns.go | 7 +++++-
 5 files changed, 36 insertions(+), 7 deletions(-)
diff --git a/internal/adapters/terraform/google/dns/adapt.go b/internal/adapters/terraform/google/dns/adapt.go
index 49f36841b..32f31121a 100644
--- a/internal/adapters/terraform/google/dns/adapt.go
+++ b/internal/adapters/terraform/google/dns/adapt.go
@@ -29,7 +29,8 @@ func adaptManagedZones(modules terraform.Modules) []dns.ManagedZone {
 func adaptManagedZone(resource *terraform.Block) dns.ManagedZone {
 zone := dns.ManagedZone{
- Metadata: resource.GetMetadata(),
+ Metadata: resource.GetMetadata(),
+ Visibility: types.StringDefault("public", resource.GetMetadata()),
 DNSSec: dns.DNSSec{
 Metadata: resource.GetMetadata(),
 Enabled: types.BoolDefault(false, resource.GetMetadata()),
@@ -47,6 +48,10 @@ func adaptManagedZone(resource *terraform.Block) dns.ManagedZone {
 },
 }
+ if resource.HasChild("visibility") {
+ zone.Visibility = resource.GetAttribute("visibility").AsStringValueOrDefault("public", resource)
+ }
+
 if resource.HasChild("dnssec_config") {
 DNSSecBlock := resource.GetBlock("dnssec_config")
 zone.DNSSec.Metadata = DNSSecBlock.GetMetadata()
diff --git a/internal/adapters/terraform/google/dns/adapt_test.go b/internal/adapters/terraform/google/dns/adapt_test.go
index f8def5cfb..e1b54ee61 100644
--- a/internal/adapters/terraform/google/dns/adapt_test.go
+++ b/internal/adapters/terraform/google/dns/adapt_test.go
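Review bot: The `"public"` fallback on the new `Visibility` field in `adaptManagedZone` is what keeps a zone with no `visibility` argument under the DNSSEC check, but nothing in the hunk says that choice is deliberate, so a later cleanup could drop it without noticing the rule now fails open. A one-line why-comment above the field would prevent that: `// Cloud DNS zones are public unless visibility says otherwise; default to "public" so unannotated zones stay subject to the DNSSEC check.` adaptManagedZone's body continues past the end of this hunk.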
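Review bot: The `HasChild("visibility")` guard in the second hunk duplicates the default the struct literal already sets, and `AsStringValueOrDefault("public", resource)` is itself a fallback, so the same value is defaulted twice over. If `GetAttribute` on a missing child yields an attribute that `AsStringValueOrDefault` tolerates (the helper's name suggests so, but the hunk does not show it), the assignment could simply be unconditional: `zone.Visibility = resource.GetAttribute("visibility").AsStringValueOrDefault("public", resource)`. Either way, one property is worth stating in a comment here: a `visibility` that resolves to something other than "private", or that cannot be resolved at all (a variable, a module output), is presumably not recognised as private downstream, so the zone is still checked — the fail-closed direction, which is right but currently implicit.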
@@ -42,7 +42,8 @@ func Test_Adapt(t *testing.T) {
 expected: dns.DNS{
 ManagedZones: []dns.ManagedZone{
 {
- Metadata: types.NewTestMetadata(),
+ Metadata: types.NewTestMetadata(),
+ Visibility: types.String("public", types.NewTestMetadata()),
 DNSSec: dns.DNSSec{
 Enabled: types.Bool(true, types.NewTestMetadata()),
 DefaultKeySpecs: dns.KeySpecs{
diff --git a/internal/rules/google/dns/enable_dnssec.go b/internal/rules/google/dns/enable_dnssec.go
index 001f85f50..d0e8345bd 100755
--- a/internal/rules/google/dns/enable_dnssec.go
+++ b/internal/rules/google/dns/enable_dnssec.go
@@ -29,7 +29,7 @@ var CheckEnableDnssec = rules.Register(
 },
 func(s *state.State) (results scan.Results) {
 for _, zone := range s.Google.DNS.ManagedZones {
- if zone.IsUnmanaged() {
+ if zone.IsUnmanaged() || zone.IsPrivate() {
 continue
 }
 if zone.DNSSec.Enabled.IsFalse() {
diff --git a/internal/rules/google/dns/enable_dnssec_test.go b/internal/rules/google/dns/enable_dnssec_test.go
index d2d964152..ecbf2afa6 100644
--- a/internal/rules/google/dns/enable_dnssec_test.go
+++ b/internal/rules/google/dns/enable_dnssec_test.go
@@ -20,11 +20,12 @@ func TestCheckEnableDnssec(t *testing.T) {
 expected bool
 }{
 {
- name: "DNSSec disabled",
+ name: "DNSSec disabled and required when visibility explicitly public",
 input: dns.DNS{
 ManagedZones: []dns.ManagedZone{
 {
- Metadata: types.NewTestMetadata(),
+ Metadata: types.NewTestMetadata(),
+ Visibility: types.String("public", types.NewTestMetadata()),
 DNSSec: dns.DNSSec{
 Metadata: types.NewTestMetadata(),
 Enabled: types.Bool(false, types.NewTestMetadata()),
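Review bot: The adapter test only gains an expected `Visibility: "public"` on the existing fixture; the diffstat shows `adapt_test.go` changing by a single line, so no input sets `visibility = "private"` and the new `HasChild("visibility")` branch in adapt.go is never exercised. Add a second managed zone to the Terraform input with `visibility = "private"` and an expected `Visibility: types.String("private", types.NewTestMetadata())`, so a regression in the attribute read cannot silently turn every zone back into a checked public one. The Test_Adapt table continues outside this hunk.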
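Review bot: The new `|| zone.IsPrivate()` skip carries no comment explaining why a private zone is exempt, and from the rule alone a reader cannot tell whether this is a deliberate exemption or a gap that someone should "fix". A why-comment above the `if` keeps the intent with the code: `// DNSSEC is only available on public Cloud DNS zones (#538); private zones cannot enable it, so skip them rather than report a finding nobody can act on.` It is also worth recording the failure mode in that comment: a zone whose visibility cannot be resolved at scan time presumably does not match `IsPrivate` and is still checked, which is the conservative direction. The enclosing rule definition and `rules.Register` call start before and end after this hunk.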
@@ -39,7 +40,24 @@ func TestCheckEnableDnssec(t *testing.T) {
 input: dns.DNS{
 ManagedZones: []dns.ManagedZone{
 {
- Metadata: types.NewTestMetadata(),
+ Metadata: types.NewTestMetadata(),
+ Visibility: types.String("public", types.NewTestMetadata()),
+ DNSSec: dns.DNSSec{
+ Metadata: types.NewTestMetadata(),
+ Enabled: types.Bool(true, types.NewTestMetadata()),
+ },
+ },
+ },
+ },
+ expected: false,
+ },
+ {
+ name: "DNSSec not required when private",
+ input: dns.DNS{
+ ManagedZones: []dns.ManagedZone{
+ {
+ Metadata: types.NewTestMetadata(),
+ Visibility: types.String("private", types.NewTestMetadata()),
 DNSSec: dns.DNSSec{
 Metadata: types.NewTestMetadata(),
 Enabled: types.Bool(true, types.NewTestMetadata()),
diff --git a/pkg/providers/google/dns/dns.go b/pkg/providers/google/dns/dns.go
index a64a1b3e1..0246911fb 100755
--- a/pkg/providers/google/dns/dns.go
+++ b/pkg/providers/google/dns/dns.go
@@ -10,7 +10,12 @@ type DNS struct {
 type ManagedZone struct {
 types.Metadata
- DNSSec DNSSec
+ DNSSec DNSSec
+ Visibility types.StringValue
+}
+
+func (m ManagedZone) IsPrivate() bool {
+ return m.Visibility.EqualTo("private", types.IgnoreCase)
 }
 type DNSSec struct {
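Review bot: The "DNSSec not required when private" case does not prove the new skip: its zone has `Enabled: types.Bool(true, types.NewTestMetadata())`, so it would pass the rule even on the pre-patch code where private zones were not exempt. Change that case to `Enabled: types.Bool(false, types.NewTestMetadata()),` (with its `expected: false` kept) so the test fails the moment `IsPrivate()` is dropped from the rule. A further case with no `Visibility` set at all (the zero value) and DNSSEC disabled, expecting `true`, would pin the fail-closed default that the adapter and rule rely on. The `expected` value for the private case lies outside this hunk.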
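Review bot: `IsPrivate` is exported but has no doc comment, and the contract it encodes for the rule — anything other than a case-insensitive "private" visibility counts as public — is exactly what a caller needs to know. Add `// IsPrivate reports whether the zone's visibility is "private" (case-insensitive). A zone with no, an unrecognised, or an unresolvable visibility is not private, so rules that exempt private zones fail closed.` above the method, and a field comment such as `// Visibility is the zone's "public"/"private" visibility; the Terraform adapter defaults it to "public".` on the new field. The unresolvable clause should be confirmed against `StringValue.EqualTo`, which is not in the diff.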