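package compute

import (
	"strings"

	"github.com/khulnasoft-lab/defsec/pkg/providers/google/compute"
	"github.com/khulnasoft-lab/defsec/pkg/terraform"
	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
	"github.com/zclconf/go-cty/cty"
)

// adaptInstances converts every google_compute_instance resource in modules
// into a compute.Instance.
//
// Each instance starts out with defaults attached to the instance block's own
// metadata, so that a check which fires on a missing sub-block or attribute
// still points at the instance that lacks it. Nested blocks (network_interface,
// shielded_instance_config, boot_disk, attached_disk, service_account) and the
// metadata map then override those defaults where they are present.
func adaptInstances(modules terraform.Modules) (instances []compute.Instance) {
	for _, instanceBlock := range modules.GetResourcesByType("google_compute_instance") {
		instanceMeta := instanceBlock.GetMetadata()

		instance := compute.Instance{
			Metadata: instanceMeta,
			Name:     instanceBlock.GetAttribute("name").AsStringValueOrDefault("", instanceBlock),
			ShieldedVM: compute.ShieldedVMConfig{
				Metadata:                   instanceMeta,
				SecureBootEnabled:          defsecTypes.BoolDefault(false, instanceMeta),
				IntegrityMonitoringEnabled: defsecTypes.BoolDefault(false, instanceMeta),
				VTPMEnabled:                defsecTypes.BoolDefault(false, instanceMeta),
			},
			ServiceAccount: compute.ServiceAccount{
				Metadata:  instanceMeta,
				Email:     defsecTypes.StringDefault("", instanceMeta),
				IsDefault: defsecTypes.BoolDefault(false, instanceMeta),
				Scopes:    nil,
			},
			CanIPForward:                instanceBlock.GetAttribute("can_ip_forward").AsBoolValueOrDefault(false, instanceBlock),
			OSLoginEnabled:              defsecTypes.BoolDefault(true, instanceMeta),
			EnableProjectSSHKeyBlocking: defsecTypes.BoolDefault(false, instanceMeta),
			EnableSerialPort:            defsecTypes.BoolDefault(false, instanceMeta),
			NetworkInterfaces:           nil,
			BootDisks:                   nil,
			AttachedDisks:               nil,
		}

		// network interfaces: an access_config sub-block is what gives the
		// interface an external (public) address.
		for _, nicBlock := range instanceBlock.GetBlocks("network_interface") {
			instance.NetworkInterfaces = append(instance.NetworkInterfaces, adaptNetworkInterface(nicBlock))
		}

		// vm shielding: once the block is present, vTPM and integrity
		// monitoring default to on and only secure boot defaults to off.
		if shieldedBlock := instanceBlock.GetBlock("shielded_instance_config"); shieldedBlock.IsNotNil() {
			instance.ShieldedVM.Metadata = shieldedBlock.GetMetadata()
			instance.ShieldedVM.IntegrityMonitoringEnabled = shieldedBlock.GetAttribute("enable_integrity_monitoring").AsBoolValueOrDefault(true, shieldedBlock)
			instance.ShieldedVM.VTPMEnabled = shieldedBlock.GetAttribute("enable_vtpm").AsBoolValueOrDefault(true, shieldedBlock)
			instance.ShieldedVM.SecureBootEnabled = shieldedBlock.GetAttribute("enable_secure_boot").AsBoolValueOrDefault(false, shieldedBlock)
		}

		// metadata: instance metadata is a map of strings on the GCP side, so
		// the documented form of these flags is the quoted "TRUE"/"FALSE".
		// metadataBool accepts that as well as an unquoted HCL bool; anything
		// else leaves the default above untouched.
		if metadataAttr := instanceBlock.GetAttribute("metadata"); metadataAttr.IsNotNil() {
			attrMeta := metadataAttr.GetMetadata()
			if enabled, ok := metadataBool(metadataAttr.MapValue("enable-oslogin")); ok {
				instance.OSLoginEnabled = defsecTypes.BoolExplicit(enabled, attrMeta)
			}
			if blocked, ok := metadataBool(metadataAttr.MapValue("block-project-ssh-keys")); ok {
				instance.EnableProjectSSHKeyBlocking = defsecTypes.BoolExplicit(blocked, attrMeta)
			}
			if enabled, ok := metadataBool(metadataAttr.MapValue("serial-port-enable")); ok {
				instance.EnableSerialPort = defsecTypes.BoolExplicit(enabled, attrMeta)
			}
		}

		// disks: boot and attached disks carry the same encryption attributes.
		for _, diskBlock := range instanceBlock.GetBlocks("boot_disk") {
			instance.BootDisks = append(instance.BootDisks, adaptDisk(diskBlock))
		}
		for _, diskBlock := range instanceBlock.GetBlocks("attached_disk") {
			instance.AttachedDisks = append(instance.AttachedDisks, adaptDisk(diskBlock))
		}

		// service account: an empty email or the "-compute@developer"
		// suffix means the Compute Engine default account is in use. A
		// reference to a google_service_account resource overrides that and
		// resolves the email from the referenced block.
		if saBlock := instanceBlock.GetBlock("service_account"); saBlock.IsNotNil() {
			emailAttr := saBlock.GetAttribute("email")
			instance.ServiceAccount.Email = emailAttr.AsStringValueOrDefault("", saBlock)

			if instance.ServiceAccount.Email.IsEmpty() || instance.ServiceAccount.Email.EndsWith("-compute@developer.gserviceaccount.com") {
				instance.ServiceAccount.IsDefault = defsecTypes.Bool(true, saBlock.GetMetadata())
			}

			if emailAttr.IsResourceBlockReference("google_service_account") {
				// an unresolvable reference is not an error here: the literal
				// email (and the default-account decision above) is kept.
				if accBlock, err := modules.GetReferencedBlock(emailAttr, instanceBlock); err == nil {
					instance.ServiceAccount.IsDefault = defsecTypes.Bool(false, saBlock.GetMetadata())
					instance.ServiceAccount.Email = accBlock.GetAttribute("email").AsStringValueOrDefault("", accBlock)
				}
			}

			if scopesAttr := saBlock.GetAttribute("scopes"); scopesAttr.IsNotNil() {
				instance.ServiceAccount.Scopes = append(instance.ServiceAccount.Scopes, scopesAttr.AsStringValues()...)
			}
		}

		instances = append(instances, instance)
	}

	return instances
}

// adaptNetworkInterface converts one network_interface block. HasPublicIP is
// set, with the access_config block as its metadata, only when that block is
// present; Network and SubNetwork are not resolved by this adapter.
func adaptNetworkInterface(nicBlock *terraform.Block) compute.NetworkInterface {
	ni := compute.NetworkInterface{
		Metadata:    nicBlock.GetMetadata(),
		Network:     nil,
		SubNetwork:  nil,
		HasPublicIP: defsecTypes.BoolDefault(false, nicBlock.GetMetadata()),
		NATIP:       defsecTypes.StringDefault("", nicBlock.GetMetadata()),
	}
	if accessConfigBlock := nicBlock.GetBlock("access_config"); accessConfigBlock.IsNotNil() {
		ni.HasPublicIP = defsecTypes.Bool(true, accessConfigBlock.GetMetadata())
	}
	return ni
}

// adaptDisk converts a boot_disk or attached_disk block into a compute.Disk;
// both block types expose device_name, disk_encryption_key_raw and
// kms_key_self_link in the same way.
func adaptDisk(diskBlock *terraform.Block) compute.Disk {
	return compute.Disk{
		Metadata: diskBlock.GetMetadata(),
		Name:     diskBlock.GetAttribute("device_name").AsStringValueOrDefault("", diskBlock),
		Encryption: compute.DiskEncryption{
			Metadata:   diskBlock.GetMetadata(),
			RawKey:     diskBlock.GetAttribute("disk_encryption_key_raw").AsBytesValueOrDefault(nil, diskBlock),
			KMSKeyLink: diskBlock.GetAttribute("kms_key_self_link").AsStringValueOrDefault("", diskBlock),
		},
	}
}

// metadataBool interprets a value from the instance metadata map as a flag.
//
// It accepts an HCL bool (enable-oslogin = true) and the string form the GCP
// metadata API documents (enable-oslogin = "TRUE"), compared case-insensitively.
// ok is false for a missing, null, unknown or unrecognised value so the caller
// can keep its default rather than guess.
func metadataBool(val cty.Value) (value bool, ok bool) {
	if !val.IsKnown() || val.IsNull() {
		return false, false
	}
	switch {
	case val.Type() == cty.Bool:
		return val.True(), true
	case val.Type() == cty.String:
		s := strings.TrimSpace(val.AsString())
		if strings.EqualFold(s, "true") {
			return true, true
		}
		if strings.EqualFold(s, "false") {
			return false, true
		}
	}
	return false, false
}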