fix: not to check unmanaged resources

Signed-off-by: Nikita Pivkin <[email protected]>

avd_docs/google/gke/AVD-GCP-0057/Terraform.md

@@ -2,7 +2,16 @@
 Set node metadata to SECURE or GKE_METADATA_SERVER
 
 ```hcl
+resource "google_container_cluster" "primary" {
+  name     = "my-gke-cluster"
+  location = "us-central1"
+
+  remove_default_node_pool = true
+  initial_node_count       = 1
+}
+
 resource "google_container_node_pool" "good_example" {
+  cluster = google_container_cluster.primary.id
   node_config {
     workload_metadata_config {
       node_metadata = "SECURE"

checks/cloud/aws/elb/alb_not_public.rego

@@ -32,6 +32,7 @@ import data.lib.cloud.metadata
 
 deny contains res if {
 	some lb in input.aws.elb.loadbalancers
+	isManaged(lb)
 	not is_gateway(lb)
 	not lb.internal.value
 

checks/cloud/aws/elb/drop_invalid_headers.rego

@@ -35,6 +35,7 @@ import data.lib.cloud.metadata
 
 deny contains res if {
 	some lb in input.aws.elb.loadbalancers
+	isManaged(lb)
 	lb.type.value == "application"
 	not lb.dropinvalidheaderfields.value
 	res := result.new(

checks/cloud/aws/lambda/enable_tracing.rego

@@ -38,6 +38,7 @@ import data.lib.cloud.value
 
 deny contains res if {
 	some func in input.aws.lambda.functions
+	isManaged(func)
 	not is_active_mode(func)
 	res := result.new(
 		"Function does not have tracing enabled.",

checks/cloud/google/gke/enable_auto_repair.rego

@@ -28,9 +28,15 @@ package builtin.google.gke.google0063
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some cluster in input.google.gke.clusters
+	isManaged(cluster)
 	some pool in cluster.nodepools
-	pool.management.enableautorepair.value == false
-	res := result.new("Node pool does not have auto-repair enabled.", pool.management.enableautorepair)
+	not pool.management.enableautorepair.value
+	res := result.new(
+		"Node pool does not have auto-repair enabled.",
+		metadata.obj_by_path(pool, ["management", "enableautorepair"]),
+	)
 }

checks/cloud/google/gke/enable_auto_upgrade.rego

@@ -28,9 +28,15 @@ package builtin.google.gke.google0058
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some cluster in input.google.gke.clusters
+	isManaged(cluster)
 	some pool in cluster.nodepools
-	pool.management.enableautoupgrade.value == false
-	res := result.new("Node pool does not have auto-upgraade enabled.", pool.management.enableautoupgrade)
+	not pool.management.enableautoupgrade.value
+	res := result.new(
+		"Node pool does not have auto-upgraade enabled.",
+		metadata.obj_by_path(pool, ["management", "enableautoupgrade"]),
+	)
 }

checks/cloud/google/gke/enable_ip_aliasing.rego

@@ -28,8 +28,14 @@ package builtin.google.gke.google0049
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some cluster in input.google.gke.clusters
-	cluster.ipallocationpolicy.enabled.value == false
-	res := result.new("Cluster has IP aliasing disabled.", cluster.ipallocationpolicy.enabled)
+	isManaged(cluster)
+	not cluster.ipallocationpolicy.enabled.value
+	res := result.new(
+		"Cluster has IP aliasing disabled.",
+		metadata.obj_by_path(cluster, ["ipallocationpolicy", "enabled"]),
+	)
 }

checks/cloud/google/gke/enable_master_networks.rego

@@ -28,11 +28,14 @@ package builtin.google.gke.google0061
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some cluster in input.google.gke.clusters
-	cluster.masterauthorizednetworks.enabled.value == false
+	isManaged(cluster)
+	not cluster.masterauthorizednetworks.enabled.value
 	res := result.new(
 		"Cluster does not have master authorized networks enabled.",
-		cluster.masterauthorizednetworks.enabled,
+		metadata.obj_by_path(cluster, ["masterauthorizednetworks", "enabled"]),
 	)
 }

checks/cloud/google/gke/enable_private_cluster.rego

@@ -28,11 +28,14 @@ package builtin.google.gke.google0059
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some cluster in input.google.gke.clusters
-	cluster.privatecluster.enableprivatenodes.value == false
+	isManaged(cluster)
+	not cluster.privatecluster.enableprivatenodes.value
 	res := result.new(
 		"Cluster does not have private nodes.",
-		cluster.privatecluster.enableprivatenodes,
+		metadata.obj_by_path(cluster, ["privatecluster", "enableprivatenodes"]),
 	)
 }

checks/cloud/google/gke/enable_stackdriver_logging.rego

@@ -28,8 +28,14 @@ package builtin.google.gke.google0060
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some cluster in input.google.gke.clusters
+	isManaged(cluster)
 	cluster.loggingservice.value != "logging.googleapis.com/kubernetes"
-	res := result.new("Cluster does not use the logging.googleapis.com/kubernetes StackDriver logging service.", cluster.loggingservice)
+	res := result.new(
+		"Cluster does not use the logging.googleapis.com/kubernetes StackDriver logging service.",
+		metadata.obj_by_path(cluster, ["loggingservice"]),
+	)
 }

checks/cloud/google/gke/enable_stackdriver_monitoring.rego

@@ -28,11 +28,16 @@ package builtin.google.gke.google0052
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some cluster in input.google.gke.clusters
-	cluster.monitoringservice.value != "monitoring.googleapis.com/kubernetes"
+	isManaged(cluster)
+	not use_kub_service(cluster)
 	res := result.new(
 		"Cluster does not use the monitoring.googleapis.com/kubernetes StackDriver monitoring service.",
-		cluster.monitoringservice,
+		metadata.obj_by_path(cluster, ["monitoringservice"]),
 	)
 }
+
+use_kub_service(cluster) if cluster.monitoringservice.value == "monitoring.googleapis.com/kubernetes"

checks/cloud/google/gke/metadata_endpoints_disabled.rego

@@ -38,6 +38,7 @@ import rego.v1
 
 deny contains res if {
 	some cluster in input.google.gke.clusters
+	isManaged(cluster)
 	cluster.removedefaultnodepool.value == true
 	some pool in cluster.nodepools
 	pool.nodeconfig.enablelegacyendpoints.value == true
@@ -49,6 +50,7 @@ deny contains res if {
 
 deny contains res if {
 	some cluster in input.google.gke.clusters
+	isManaged(cluster)
 	not cluster.removedefaultnodepool.value
 	cluster.nodeconfig.enablelegacyendpoints.value == true
 	res := result.new(

checks/cloud/google/gke/no_legacy_authentication.rego

@@ -36,6 +36,7 @@ import data.lib.cloud.value
 
 deny contains res if {
 	some cluster in input.google.gke.clusters
+	isManaged(cluster)
 	cluster.masterauth.clientcertificate.issuecertificate.value
 	res := result.new(
 		"Cluster allows the use of certificates for master authentication.",
@@ -45,6 +46,7 @@ deny contains res if {
 
 deny contains res if {
 	some cluster in input.google.gke.clusters
+	isManaged(cluster)
 	not cluster.masterauth.clientcertificate.issuecertificate.value
 	value.is_not_empty(cluster.masterauth.username)
 	res := result.new(

checks/cloud/google/gke/node_metadata_security.rego

@@ -34,13 +34,15 @@ import rego.v1
 
 deny contains res if {
 	some cluster in input.google.gke.clusters
+	isManaged(cluster)
 	metadata := cluster.nodeconfig.workloadmetadataconfig.nodemetadata
 	is_exposes(metadata.value)
 	res := result.new("Cluster exposes node metadata of pools by default.", metadata)
 }
 
 deny contains res if {
 	some cluster in input.google.gke.clusters
+	isManaged(cluster)
 	some pool in cluster.nodepools
 	metadata := pool.nodeconfig.workloadmetadataconfig.nodemetadata
 	is_exposes(metadata.value)

checks/cloud/google/gke/node_metadata_security.yaml

@@ -1,7 +1,16 @@
 terraform:
   good:
     - |-
+      resource "google_container_cluster" "primary" {
+        name     = "my-gke-cluster"
+        location = "us-central1"
+
+        remove_default_node_pool = true
+        initial_node_count       = 1
+      }
+
       resource "google_container_node_pool" "good_example" {
+        cluster = google_container_cluster.primary.id
         node_config {
           workload_metadata_config {
             node_metadata = "SECURE"
@@ -10,7 +19,16 @@ terraform:
       }
   bad:
     - |-
+      resource "google_container_cluster" "primary" {
+        name     = "my-gke-cluster"
+        location = "us-central1"
+
+        remove_default_node_pool = true
+        initial_node_count       = 1
+      }
+
       resource "google_container_node_pool" "bad_example" {
+        cluster = google_container_cluster.primary.id
         node_config {
           workload_metadata_config {
             node_metadata = "EXPOSE"

checks/cloud/google/gke/node_pool_uses_cos.rego

@@ -30,6 +30,7 @@ import rego.v1
 
 deny contains res if {
 	some cluster in input.google.gke.clusters
+	isManaged(cluster)
 	image_type := cluster.nodeconfig.imagetype
 	not lower(image_type.value) in {"cos", "cos_containerd", ""}
 	res := result.new(
@@ -40,6 +41,7 @@ deny contains res if {
 
 deny contains res if {
 	some cluster in input.google.gke.clusters
+	isManaged(cluster)
 	some pool in cluster.nodepools
 	image_type := pool.nodeconfig.imagetype
 	not lower(image_type.value) in {"cos", "cos_containerd"}

checks/cloud/google/gke/node_shielding_enabled.rego

@@ -32,8 +32,14 @@ package builtin.google.gke.google0055
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some cluster in input.google.gke.clusters
-	cluster.enableshieldednodes.value == false
-	res := result.new("Cluster has shielded nodes disabled.", cluster.enableshieldednodes)
+	isManaged(cluster)
+	not cluster.enableshieldednodes.value
+	res := result.new(
+		"Cluster has shielded nodes disabled.",
+		metadata.obj_by_path(cluster, ["enableshieldednodes"]),
+	)
 }

checks/cloud/google/gke/use_cluster_labels.rego

@@ -28,8 +28,14 @@ package builtin.google.gke.google0051
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some cluster in input.google.gke.clusters
+	isManaged(cluster)
 	count(cluster.resourcelabels.value) == 0
-	res := result.new("Cluster does not use GCE resource labels.", cluster.resourcelabels)
+	res := result.new(
+		"Cluster does not use GCE resource labels.",
+		metadata.obj_by_path(cluster, ["resourcelabels"]),
+	)
 }

checks/cloud/google/gke/use_rbac_permissions.rego

@@ -34,6 +34,7 @@ import rego.v1
 
 deny contains res if {
 	some cluster in input.google.gke.clusters
+	isManaged(cluster)
 	cluster.enablelegacyabac.value == true
 	res := result.new("Cluster has legacy ABAC enabled.", cluster.enablelegacyabac)
 }

checks/cloud/google/gke/use_service_account.rego

@@ -35,6 +35,7 @@ import data.lib.cloud.value
 
 deny contains res if {
 	some cluster in input.google.gke.clusters
+	isManaged(cluster)
 	value.is_false(cluster.removedefaultnodepool)
 	default_account_is_not_overrided(cluster.nodeconfig)
 	res := result.new(
@@ -45,6 +46,7 @@ deny contains res if {
 
 deny contains res if {
 	some cluster in input.google.gke.clusters
+	isManaged(cluster)
 	some pool in cluster.nodepools
 	default_account_is_not_overrided(pool.nodeconfig)
 	res := result.new(