Closed jsmilani closed 2 years ago
I found this source code https://github.com/GoogleCloudPlatform/terraform-google-conversion/blob/master/google/compute_subnetwork.go#L261 that helped me locate an enabled field nested under logConfig that should be equivalent to the deprecated enable_flow_logs field:
diff --git a/policies/templates/gcp_network_enable_flow_logs_v1.yaml b/policies/templates/gcp_network_enable_flow_logs_v1.yaml
index b331f83..fee5894 100644
--- a/policies/templates/gcp_network_enable_flow_logs_v1.yaml
+++ b/policies/templates/gcp_network_enable_flow_logs_v1.yaml
@@ -59,7 +59,8 @@ spec:
asset.asset_type == "compute.googleapis.com/Subnetwork"
network := asset.resource.data
- enable_flow_logs := lib.get_default(network, "enableFlowLogs", false)
+ log_config := lib.get_default(network, "logConfig", {})
+ enable_flow_logs := lib.get_default(log_config, "enable", false)
enable_flow_logs == false
message := sprintf("Flow logs are disabled in subnetwork %v.", [asset.name])
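Review bot: replacing `enable_flow_logs := lib.get_default(network, "enableFlowLogs", false)` outright drops the legacy field, so a subnetwork whose asset data still carries `enableFlowLogs: true` but no `logConfig` (older provider versions, or assets exported from the API rather than a plan) would now be reported as a violation even though flow logs are on. Keep the old lookup next to the new `log_config := lib.get_default(network, "logConfig", {})` / `enable_flow_logs := lib.get_default(log_config, "enable", false)` pair and only fail when neither evaluates to true; that also avoids the separate V2 template the comment below proposes.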
I tested with log_config set and unset. The violation is raised when unset so this looks like a solution for the newer google terraform libs. I assume this belongs in a new V2 version of the old template policies/templates/gcp_network_enable_flow_logs_v2.yaml?
@jsmilani Thanks for investigating. I think we can actually do this without forcing a new policy version by:
Then, raise a violation if neither is found.
If you're able to work on a PR for this, it would be very appreciated!
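The "check both fields, violate only if neither is found" approach described above, written out as an added Rego example. This is not the policy-library's own template body: the package name, the `deny` rule shape and the `import data.validator.gcp.lib as lib` line are assumptions that mirror the layout of the other templates in that repository, and only `lib.get_default` and the `asset` fields already visible in the diff are taken from the page.

```rego
# Added example, not the project's own file. Package name and import are
# assumed to follow the policy-library conventions.
package templates.gcp.GCPNetworkEnableFlowLogsConstraintV1

import data.validator.gcp.lib as lib

deny[{
	"msg": message,
	"details": metadata,
}] {
	asset := input.asset
	asset.asset_type == "compute.googleapis.com/Subnetwork"
	network := asset.resource.data

	# Fail only when neither the legacy field nor the nested one says "on".
	not flow_logs_enabled(network)

	message := sprintf("Flow logs are disabled in subnetwork %v.", [asset.name])
	metadata := {"resource": asset.name}
}

# Legacy representation: a top-level boolean, as emitted by google provider < 3.0.
flow_logs_enabled(network) {
	lib.get_default(network, "enableFlowLogs", false) == true
}

# Current representation: logConfig.enable, as emitted by google provider >= 3.0
# and by the Cloud Asset Inventory export of a subnetwork.
flow_logs_enabled(network) {
	log_config := lib.get_default(network, "logConfig", {})
	lib.get_default(log_config, "enable", false) == true
}
```

Defining `flow_logs_enabled` twice makes the two bodies an OR, so the cases to exercise when testing are: no field at all (violation), `enableFlowLogs: true` alone (no violation), `logConfig: {enable: true}` alone (no violation), and `logConfig` present with `enable: false` or missing (violation). Because the rule name and the message text are unchanged, existing `GCPNetworkEnableFlowLogsConstraintV1` constraints keep working without a V2 template.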
I see this bug is still open although a solution has been identified. When will the fix be applied?
I am applying the https://github.com/terraform-google-modules/terraform-example-foundation for my company and used this policy library but encountered a problem when validating the 3-networks stage. We are using the Cloud Build instructions so we never customized terraform or google plugin versions at all. We are using most, if not all the policies from this repo because we need the added security for compliance reasons. The error we are getting is:
The issue is that the subnet has logging enabled, so it shouldn't be failing validation:
My best guess is that the line https://github.com/GoogleCloudPlatform/policy-library/blob/master/policies/templates/gcp_network_enable_flow_logs_v1.yaml#L62 is reading enableFlowLogs from the resource data, but the enable_flow_logs field is deprecated according to https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/version_3_upgrade#enable_flow_logs-is-now-removed

I assume there is a way to create my own GCPNetworkEnableFlowLogsConstraintV2 to fix this, or more logic to check plugin versions, but I am new to terraform-validator and policies and these google golang libraries so it isn't obvious how to update the rego to fix it.