# Label keys that must not appear on any labelled GCP resource covered by the
# "prohibited" benchmark. Every control below binds this list as its
# "prohibited_labels" param.
# NOTE(review): GCP restricts label keys to lowercase characters, while the
# defaults here are capitalised. Confirm the control SQL compares keys
# case-insensitively; if it compares them exactly, these defaults never match.
variable "prohibited_labels" {
  type        = list(string)
  description = "A list of prohibited labels to check for."
  default     = ["Password", "Key"]
}
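locals {
  # Shared query body for the per-resource prohibited-label controls.
  # Two placeholders are filled in with replace() before a control uses it:
  #   __TABLE_NAME__  - the Steampipe table of the resource type being checked
  #   __DIMENSIONS__  - the dimension columns to return (see the next locals block)
  # The label list is bound as the $1 text[] parameter rather than interpolated
  # into the SQL text, so var.prohibited_labels never becomes query syntax.
  #
  # Matching is case-insensitive: GCP only permits lowercase label keys, so an
  # entry such as "Password" in var.prohibited_labels would otherwise never match
  # a real key and the control would silently report 'ok'.
  #
  # Resources with no matching key produce no row in the analysis CTE; the join
  # then yields NULL for a.prohibited_labels and the CASE falls through to 'ok'.
  prohibited_sql = <<-EOT
    with analysis as (
      select
        self_link,
        array_agg(k) as prohibited_labels
      from
        __TABLE_NAME__,
        jsonb_object_keys(labels) as k,
        unnest($1::text[]) as prohibited_key
      where
        lower(k) = lower(prohibited_key)
      group by
        self_link
    )
    select
      r.self_link as resource,
      case
        when a.prohibited_labels <> array[]::text[] then 'alarm'
        else 'ok'
      end as status,
      case
        when a.prohibited_labels <> array[]::text[] then r.title || ' has prohibited labels: ' || array_to_string(a.prohibited_labels, ', ') || '.'
        else r.title || ' has no prohibited labels.'
      end as reason,
      __DIMENSIONS__
    from
      __TABLE_NAME__ as r
      full outer join
        analysis as a on a.self_link = r.self_link
  EOT
}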
# Two dimension variants of the shared query. Controls pick the one whose
# columns exist on their table: project-only, or location plus project.
# Only __DIMENSIONS__ is substituted here; __TABLE_NAME__ is still left for
# each control to fill in.
locals {
  prohibited_sql_project  = replace(local.prohibited_sql, "__DIMENSIONS__", "r.project")
  prohibited_sql_location = replace(local.prohibited_sql, "__DIMENSIONS__", "r.location, r.project")
}
# Groups every prohibited-label control defined in this file into one benchmark.
# Keep this list in step with the control blocks below: a control that is not
# listed here is never run as part of the benchmark.
benchmark "prohibited" {
  title       = "Prohibited"
  description = "Prohibited labels may contain sensitive, confidential, or otherwise unwanted data and should be removed."
  children = [
    control.bigquery_dataset_prohibited,
    control.bigquery_job_prohibited,
    control.bigquery_table_prohibited,
    control.bigtable_instance_prohibited,
    control.compute_disk_prohibited,
    control.compute_forwarding_rule_prohibited,
    control.compute_image_prohibited,
    control.compute_instance_prohibited,
    control.compute_snapshot_prohibited,
    control.dataproc_cluster_prohibited,
    control.dns_managed_zone_prohibited,
    control.pubsub_subscription_prohibited,
    control.pubsub_topic_prohibited,
    control.sql_database_instance_prohibited,
    control.storage_bucket_prohibited
  ]

  # local.gcp_labels_common_tags is defined elsewhere in the mod.
  tags = merge(local.gcp_labels_common_tags, {
    type = "Benchmark"
  })
}
# BigQuery datasets: shared query against gcp_bigquery_dataset with
# location/project dimensions. The single param supplies the $1 text[] the
# shared SQL unnests.
control "bigquery_dataset_prohibited" {
  title       = "BigQuery datasets should not have prohibited labels"
  description = "Check if BigQuery datasets have any prohibited labels."
  sql         = replace(local.prohibited_sql_location, "__TABLE_NAME__", "gcp_bigquery_dataset")

  param "prohibited_labels" {
    default = var.prohibited_labels
  }
}
# BigQuery jobs: shared query against gcp_bigquery_job with location/project
# dimensions. The single param supplies the $1 text[] the shared SQL unnests.
control "bigquery_job_prohibited" {
  title       = "BigQuery jobs should not have prohibited labels"
  description = "Check if BigQuery jobs have any prohibited labels."
  sql         = replace(local.prohibited_sql_location, "__TABLE_NAME__", "gcp_bigquery_job")

  param "prohibited_labels" {
    default = var.prohibited_labels
  }
}
# BigQuery tables: shared query against gcp_bigquery_table with
# location/project dimensions. The single param supplies the $1 text[] the
# shared SQL unnests.
control "bigquery_table_prohibited" {
  title       = "BigQuery tables should not have prohibited labels"
  description = "Check if BigQuery tables have any prohibited labels."
  sql         = replace(local.prohibited_sql_location, "__TABLE_NAME__", "gcp_bigquery_table")

  param "prohibited_labels" {
    default = var.prohibited_labels
  }
}
# Compute disks: shared query against gcp_compute_disk with location/project
# dimensions. The single param supplies the $1 text[] the shared SQL unnests.
control "compute_disk_prohibited" {
  title       = "Compute disks should not have prohibited labels"
  description = "Check if Compute disks have any prohibited labels."
  sql         = replace(local.prohibited_sql_location, "__TABLE_NAME__", "gcp_compute_disk")

  param "prohibited_labels" {
    default = var.prohibited_labels
  }
}
# Compute forwarding rules: shared query against gcp_compute_forwarding_rule
# with location/project dimensions. The single param supplies the $1 text[]
# the shared SQL unnests.
control "compute_forwarding_rule_prohibited" {
  title       = "Compute forwarding rules should not have prohibited labels"
  description = "Check if Compute forwarding rules have any prohibited labels."
  sql         = replace(local.prohibited_sql_location, "__TABLE_NAME__", "gcp_compute_forwarding_rule")

  param "prohibited_labels" {
    default = var.prohibited_labels
  }
}
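# Compute images carry their own query instead of the shared local: both the
# analysis CTE and the outer select are restricted to rows where
# source_project = project, so images whose source_project differs from the
# scanning project (presumably shared/public images) are not reported.
# The dimensions are inlined as location, project to match
# local.prohibited_sql_location.
#
# As in local.prohibited_sql, label keys are compared case-insensitively:
# GCP only permits lowercase label keys, so a capitalised entry in
# var.prohibited_labels would otherwise never match and the control would
# silently report 'ok'. The label list is bound as $1, never interpolated.
control "compute_image_prohibited" {
  title       = "Compute images should not have prohibited labels"
  description = "Check if Compute images have any prohibited labels."
  sql = <<-EOT
    with analysis as (
      select
        self_link,
        array_agg(k) as prohibited_labels
      from
        gcp_compute_image,
        jsonb_object_keys(labels) as k,
        unnest($1::text[]) as prohibited_key
      where
        lower(k) = lower(prohibited_key)
        and source_project = project
      group by
        self_link
    )
    select
      r.self_link as resource,
      case
        when a.prohibited_labels <> array[]::text[] then 'alarm'
        else 'ok'
      end as status,
      case
        when a.prohibited_labels <> array[]::text[] then r.title || ' has prohibited labels: ' || array_to_string(a.prohibited_labels, ', ') || '.'
        else r.title || ' has no prohibited labels.'
      end as reason,
      location,
      project
    from
      gcp_compute_image as r
      full outer join
        analysis as a on a.self_link = r.self_link
    where source_project = project
  EOT

  param "prohibited_labels" {
    default = var.prohibited_labels
  }
}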
# Compute instances: shared query against gcp_compute_instance with
# location/project dimensions. The single param supplies the $1 text[] the
# shared SQL unnests.
control "compute_instance_prohibited" {
  title       = "Compute instances should not have prohibited labels"
  description = "Check if Compute instances have any prohibited labels."
  sql         = replace(local.prohibited_sql_location, "__TABLE_NAME__", "gcp_compute_instance")

  param "prohibited_labels" {
    default = var.prohibited_labels
  }
}
# Compute snapshots: shared query against gcp_compute_snapshot with
# location/project dimensions. The single param supplies the $1 text[] the
# shared SQL unnests.
control "compute_snapshot_prohibited" {
  title       = "Compute snapshots should not have prohibited labels"
  description = "Check if Compute snapshots have any prohibited labels."
  sql         = replace(local.prohibited_sql_location, "__TABLE_NAME__", "gcp_compute_snapshot")

  param "prohibited_labels" {
    default = var.prohibited_labels
  }
}
# DNS managed zones: shared query against gcp_dns_managed_zone with
# location/project dimensions. The single param supplies the $1 text[] the
# shared SQL unnests.
control "dns_managed_zone_prohibited" {
  title       = "DNS managed zones should not have prohibited labels"
  description = "Check if DNS managed zones have any prohibited labels."
  sql         = replace(local.prohibited_sql_location, "__TABLE_NAME__", "gcp_dns_managed_zone")

  param "prohibited_labels" {
    default = var.prohibited_labels
  }
}
# Cloud SQL instances: shared query against gcp_sql_database_instance with
# location/project dimensions. The single param supplies the $1 text[] the
# shared SQL unnests.
control "sql_database_instance_prohibited" {
  title       = "SQL database instances should not have prohibited labels"
  description = "Check if SQL database instances have any prohibited labels."
  sql         = replace(local.prohibited_sql_location, "__TABLE_NAME__", "gcp_sql_database_instance")

  param "prohibited_labels" {
    default = var.prohibited_labels
  }
}
# Storage buckets: shared query against gcp_storage_bucket with
# location/project dimensions. The single param supplies the $1 text[] the
# shared SQL unnests.
control "storage_bucket_prohibited" {
  title       = "Storage buckets should not have prohibited labels"
  description = "Check if Storage buckets have any prohibited labels."
  sql         = replace(local.prohibited_sql_location, "__TABLE_NAME__", "gcp_storage_bucket")

  param "prohibited_labels" {
    default = var.prohibited_labels
  }
}
# Bigtable instances: shared query against gcp_bigtable_instance with
# location/project dimensions. The single param supplies the $1 text[] the
# shared SQL unnests.
control "bigtable_instance_prohibited" {
  title       = "Bigtable instances should not have prohibited labels"
  description = "Check if Bigtable instances have any prohibited labels."
  sql         = replace(local.prohibited_sql_location, "__TABLE_NAME__", "gcp_bigtable_instance")

  param "prohibited_labels" {
    default = var.prohibited_labels
  }
}
# Dataproc clusters: shared query against gcp_dataproc_cluster with
# location/project dimensions. The single param supplies the $1 text[] the
# shared SQL unnests.
control "dataproc_cluster_prohibited" {
  title       = "Dataproc clusters should not have prohibited labels"
  description = "Check if Dataproc clusters have any prohibited labels."
  sql         = replace(local.prohibited_sql_location, "__TABLE_NAME__", "gcp_dataproc_cluster")

  param "prohibited_labels" {
    default = var.prohibited_labels
  }
}
# Pub/Sub subscriptions: shared query against gcp_pubsub_subscription with
# location/project dimensions. The single param supplies the $1 text[] the
# shared SQL unnests.
control "pubsub_subscription_prohibited" {
  title       = "Pub/Sub subscriptions should not have prohibited labels"
  description = "Check if Pub/Sub subscriptions have any prohibited labels."
  sql         = replace(local.prohibited_sql_location, "__TABLE_NAME__", "gcp_pubsub_subscription")

  param "prohibited_labels" {
    default = var.prohibited_labels
  }
}
# Pub/Sub topics: shared query against gcp_pubsub_topic with location/project
# dimensions. The single param supplies the $1 text[] the shared SQL unnests.
control "pubsub_topic_prohibited" {
  title       = "Pub/Sub topics should not have prohibited labels"
  description = "Check if Pub/Sub topics have any prohibited labels."
  sql         = replace(local.prohibited_sql_location, "__TABLE_NAME__", "gcp_pubsub_topic")

  param "prohibited_labels" {
    default = var.prohibited_labels
  }
}