GoogleCloudPlatform / terraform-validator

Terraform Validator is not an officially supported Google product; it is a library for conversion of Terraform plan data to CAI Assets. If you have been using terraform-validator directly in the past, we recommend migrating to `gcloud beta terraform vet`.
https://cloud.google.com/docs/terraform/policy-validation
Apache License 2.0

compute_allowed_networks not working as expected #152

Open mittalsharad opened 3 years ago

mittalsharad commented 3 years ago

Hi team,

I just started using terraform-validator for scanning my tf plan files.

While trying to secure the network for compute engine, it is not throwing any error even though the network is not the one mentioned in the allowed section.

Here are the tf scripts:

main.tf

```hcl
# Creating the compute instance resource
resource "google_compute_instance" "compute-service" {
  name           = var.instance_name
  project        = var.project_name
  machine_type   = var.instance_machine_type
  zone           = var.instance_zone
  tags           = var.instance_tags
  can_ip_forward = var.can_ip_forward

  service_account {
    scopes = var.scope
    # no-scope
  }

  # Boot disk configuration
  boot_disk {
    kms_key_self_link = google_kms_crypto_key.gkck.self_link
    initialize_params {
      image = var.instance_boot_image
    }
  }

  # shielding the vm
  shielded_instance_config {
    enable_secure_boot          = var.enable_secure_boot
    enable_vtpm                 = var.enable_vtpm
    enable_integrity_monitoring = var.enable_integrity_monitoring
  }

  # network interface configuration
  network_interface {
    network            = var.instance_network
    subnetwork         = var.instance_subnetwork
    subnetwork_project = var.project_name
  }

  # configuration using metadata
  metadata = {
    block-project-ssh-keys = var.block-project-ssh-keys
    enable-oslogin         = var.enable-oslogin
    serial-port-enable     = var.serial_port_enable
  }
}

# Creating kms key ring
resource "google_kms_key_ring" "gkkr" {
  name     = var.kms_key_ring_name
  location = var.kms_key_ring_location
}

# Creating kms crypto key
resource "google_kms_crypto_key" "gkck" {
  name            = var.kms_crypto_key_name
  key_ring        = google_kms_key_ring.gkkr.self_link
  rotation_period = var.kms_crypto_key_rotation
}

# Creating IAM role and member
resource "google_project_iam_member" "grant-google-compute-service-encrypt-decrypt" {
  role   = var.role_to_compute
  member = var.member_to_compute
}
```

variables.tf

```hcl
variable "project_name" {
  description = "The ID of the Google Cloud project"
  type        = string
}

#############--------------- Instance---------###############

variable "instance_name" {
  description = "Name of VM"
  type        = string
}

variable "instance_zone" {
  description = "GC zone"
  type        = string
}

variable "instance_tags" {
  description = "tags to be given to VM"
  type        = list(string)
  # type = "list"
}

variable "instance_machine_type" {
  description = "List of VM sizes: https://github.com/Eimert/terraform-google-compute-engine-instance#machine_type"
  type        = string
}

variable "scope" {
  description = "grant specific API's access to VM"
  type        = list(string)
}

variable "instance_boot_image" {
  description = "List of VM sizes: https://github.com/Eimert/terraform-google-compute-engine-instance#machine_type"
  type        = string
}

variable "enable_secure_boot" {
  description = "enabling the secure boot of VM"
  type        = bool
}

variable "enable_vtpm" {
  description = "enabling the vtpm in VM"
  type        = bool
}

variable "enable_integrity_monitoring" {
  description = "enable_integrity_monitoring in VM"
  type        = bool
}

variable "instance_network" {
  description = "network where VM belong"
  type        = string
}

variable "instance_subnetwork" {
  description = "Subnetwork where VM belong"
  type        = string
}

variable "can_ip_forward" {
  description = "restriction on ip forwarding"
  type        = bool
}

variable "block-project-ssh-keys" {
  description = "block-project-ssh-keys in VM"
  type        = bool
}

variable "enable-oslogin" {
  description = "enable-oslogin in VM"
  type        = bool
}

variable "serial_port_enable" {
  description = "serial-port-enabling or not in VM"
  type        = bool
}

#######----google_kms_key_ring---#########

variable "kms_key_ring_name" {
  description = "Name of the kms key ring"
  type        = string
}

variable "kms_key_ring_location" {
  description = "location of the kms key ring"
  type        = string
}

# ------kms_crypto_key----

variable "kms_crypto_key_name" {
  description = "Name of the kms_crypto_key"
  type        = string
}

variable "kms_crypto_key_rotation" {
  description = "rotation of the kms_crypto_key"
  type        = string
}

# ----- IAM role to compute service------

variable "role_to_compute" {
  description = "IAM role to compute service"
  type        = string
}

variable "member_to_compute" {
  description = "IAM member to compute service"
  type        = string
}
```

tfvars

```hcl
project_name                = "PROJECT_NAME"
instance_name               = "abc-instance"
instance_zone               = "us-central1-a"
instance_tags               = ["node-server1"]
instance_machine_type       = "n1-standard-1"
scope                       = ["bigquery"]
enable_secure_boot          = "true"
enable_vtpm                 = "true"
enable_integrity_monitoring = "true"
instance_boot_image         = "ubuntu-1804-bionic-v20200317"
instance_network            = "myvpc1"
instance_subnetwork         = "myvpc1"
can_ip_forward              = "true"
block-project-ssh-keys      = "true"
enable-oslogin              = "true"
serial_port_enable          = "false"

kms_key_ring_name       = "gci-key"
kms_key_ring_location   = "us-central1"
kms_crypto_key_name     = "gce-key"
kms_crypto_key_rotation = "86401s"

role_to_compute   = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
member_to_compute = "serviceAccount:service-xxxxxxxxxxxxxx@compute-system.iam.gserviceaccount.com"
```

constraints file (compute_allowed_network.yaml)

```yaml
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPComputeAllowedNetworksConstraintV2
metadata:
  name: allowed-networks
spec:
  severity: high
  match:
    gcp:
      target: ["organizations/*"]
  parameters:
    allowed:
```

Issue:

I am running these commands:

```shell
terraform init
terraform plan -out tfplan.plan
terraform show -json tfplan.plan > tfplan.json
./terraform-validator-linux-amd64 validate ./tfplan.json --policy-path POLICY_PATH
```

(I tested using terraform 0.13 as well as 0.12.) While scanning the plan, it is not throwing a violation; it reports that no violations were found. But it should throw an error for the network name. Also, for the other constraints, it is not throwing a violation error either.

Templates used:

- compute_allowed_networks.yaml
- compute_zone.yaml
- compute_disk_resource_policies.yaml
- compute_forbid_ip_forward.yaml

Out of these, only the IP forward violation is coming, whereas all 4 should come.
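When a validator run reports fewer violations than expected, a quick independent check of the same plan JSON helps separate "my constraint is wrong" from "the validator did not apply it". The script below is an added example, not code from the terraform-validator project and not the logic of the GCPComputeAllowedNetworksConstraintV2 template: it walks the `planned_values` tree of a `terraform show -json` plan (including child modules), collects every `google_compute_instance` network interface, and flags any whose network is not in an allowed list. The allowed list stands in for `spec.parameters.allowed`; comparing on the trailing path segment (so `myvpc1` and `projects/p/global/networks/myvpc1` match) and treating an empty list as "nothing allowed" are this example's own assumptions. The embedded plan is a constructed sample shaped like the plan the report's `main.tf` would produce.

```python
"""Cross-check a `terraform show -json` plan against an allowed-networks list.

Added example, not part of the terraform-validator project. Matching on the
trailing network name and flagging everything when the list is empty are this
script's own choices, not the constraint template's documented semantics.
"""
import json
import sys
from typing import Iterator, List

# Constructed sample plan: one instance on "myvpc1" plus an unrelated KMS key ring.
SAMPLE_PLAN = json.loads("""
{
  "format_version": "0.1",
  "planned_values": {
    "root_module": {
      "resources": [
        {
          "address": "google_compute_instance.compute-service",
          "mode": "managed",
          "type": "google_compute_instance",
          "name": "compute-service",
          "values": {
            "name": "abc-instance",
            "zone": "us-central1-a",
            "network_interface": [
              {"network": "myvpc1", "subnetwork": "myvpc1"}
            ]
          }
        },
        {
          "address": "google_kms_key_ring.gkkr",
          "mode": "managed",
          "type": "google_kms_key_ring",
          "name": "gkkr",
          "values": {"name": "gci-key", "location": "us-central1"}
        }
      ]
    }
  }
}
""")


def _walk_resources(module: dict) -> Iterator[dict]:
    """Yield every resource in a planned_values module, descending into child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from _walk_resources(child)


def network_name(ref: str) -> str:
    """Reduce a network reference (short name, relative path or self link) to its last segment."""
    return ref.rstrip("/").rsplit("/", 1)[-1]


def find_network_violations(plan: dict, allowed: List[str]) -> List[dict]:
    """Return one record per instance NIC whose network is not in `allowed`.

    An empty `allowed` list therefore flags every instance with a network (assumption).
    """
    allowed_names = {network_name(a) for a in allowed}
    violations = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in _walk_resources(root):
        if res.get("type") != "google_compute_instance":
            continue
        for nic in res.get("values", {}).get("network_interface", []):
            net = nic.get("network")
            if net is None:
                continue  # network may be unknown until apply; nothing to compare
            if network_name(net) not in allowed_names:
                violations.append({"address": res["address"], "network": net})
    return violations


if __name__ == "__main__":
    # Usage: python check_networks.py tfplan.json myvpc2 other-vpc
    # With no arguments the constructed sample plan is checked against ["myvpc2"].
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            plan = json.load(fh)
        allowed = sys.argv[2:]
    else:
        plan, allowed = SAMPLE_PLAN, ["myvpc2"]
    found = find_network_violations(plan, allowed)
    for v in found:
        print(f"VIOLATION {v['address']}: network {v['network']!r} not in allowed list")
    print(f"{len(found)} violation(s)")
    sys.exit(1 if found else 0)
```

Run against the real `tfplan.json` with the same network names you put under `allowed:`; if this script flags the instance while the validator stays silent, the constraint is not being applied to the plan rather than being satisfied by it.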

melinath commented 2 years ago

compute_zone is covered by https://github.com/GoogleCloudPlatform/terraform-validator/issues/134. We can scope this issue to just compute_allowed_networks.

melinath commented 2 years ago

b/211495350