Merge pull request #6 from losisin/policy/cloudrun-disallow-secret-envs

cloudrun disallow envs from secrets

.github/workflows/codeql-analysis.yaml

@@ -1,6 +1,7 @@
 name: CodeQL
 
 on:
+  push:
   pull_request:
     branches:
       - main

CHANGELOG.md

@@ -12,6 +12,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - CodeQL analysis (#4).
 - dependabot npm scan (#4).
 - `cloudrunv2-disallow-public-ingress` (#5).
+- disallow environment variables from Secret Manager - `cloudrun.Service`, `cloudrunv2.Service` and `cloudrunv2.Job` (#6).
+
+### Changed
+
+- Update test and code file structure (#6).
+
+### Fixed
+
+- codeql event on push in main branch (#6).
 
 ## [1.1.0] - 2023-12-25
 

__tests__/cloudrun/index.ts

@@ -1 +1,32 @@
-export * as cloudrunService from "./cloudrunService"
+import * as gcp from "@pulumi/gcp";
+
+export const cloudrunPService = new gcp.cloudrun.Service("fail#1", {
+    location: "europe-west1",
+    metadata: {
+        annotations: {
+            "run.googleapis.com/ingress": "all",
+        },
+    },
+    template: {
+        spec: {
+            containers: [{
+                image: "us-docker.pkg.dev/cloudrun/container/hello",
+                envs: [
+                    {
+                        name: "FOO",
+                        value: "bar",
+                    },
+                    {
+                        name: "SECRET_ENV_VAR",
+                        valueFrom: {
+                            secretKeyRef: {
+                                name: "my-secret",
+                                key: "1",
+                            },
+                        },
+                    },
+                ],
+            }],
+        },
+    }
+});

__tests__/cloudrunv2/index.ts

@@ -1 +1,53 @@
-export * as cloudrunV2Service from "../cloudrunv2/cloudrunv2Service"
+import * as gcp from "@pulumi/gcp";
+
+export const cloudrunv2Service = new gcp.cloudrunv2.Service("fail#1", {
+    location: "europe-west1",
+    ingress: "INGRESS_TRAFFIC_ALL",
+    template: {
+        containers: [{
+            image: "us-docker.pkg.dev/cloudrun/container/hello",
+            envs: [
+                {
+                    name: "FOO",
+                    value: "bar",
+                },
+                {
+                    name: "SECRET_ENV_VAR",
+                    valueSource: {
+                        secretKeyRef: {
+                            secret: "my-secret",
+                            version: "1",
+                        },
+                    },
+                },
+            ],
+        }],
+    },
+});
+
+export const cloudrunv2SJob = new gcp.cloudrunv2.Job("fail#1", {
+    location: "europe-west1",
+    template: {
+        template: {
+            containers: [{
+                image: "us-docker.pkg.dev/cloudrun/container/hello",
+                envs: [
+                    {
+                        name: "FOO",
+                        value: "bar",
+                    },
+                    {
+                        name: "SECRET_ENV_VAR",
+                        valueSource: {
+                            secretKeyRef: {
+                                secret: "my-secret",
+                                version: "1",
+                            },
+                        },
+                    },
+                ],
+            }],
+        },
+    },
+});
+

__tests__/compute/index.ts

@@ -1 +1,6 @@
-export * as backendService from "./backendService"
+import * as gcp from "@pulumi/gcp";
+
+export const backendService = new gcp.compute.BackendService("fail#1", {
+    name: "fail#1",
+    loadBalancingScheme: "EXTERNAL"
+});

__tests__/index.ts

@@ -1,3 +1,3 @@
-export * as cloudrun from './cloudrun/index'
-export * as cloudrunv2 from './cloudrunv2/index'
-export * as compute from './compute/index'
+export * as cloudrun from './cloudrun'
+export * as cloudrunv2 from './cloudrunv2'
+export * as compute from './compute'

src/cloudrun/disallowEnvsSecrets.ts

@@ -0,0 +1,25 @@
+import { ResourceValidationArgs, ReportViolation, EnforcementLevel } from "@pulumi/policy";
+
+export const disallowEnvsSecrets = {
+	name: "cloudrun-service-disallow-envs-secrets",
+	description: "Check that CloudRun services do not use environment variables from secrets.",
+	enforcementLevel: "advisory" as EnforcementLevel,
+	validateResource: (args: ResourceValidationArgs, reportViolation: ReportViolation) => {
+		if (args.type === "gcp:cloudrun/service:Service") {
+            const containers = args.props.template.spec.containers;
+            if (containers) {
+                containers.forEach((container: any) => {
+                    if (container.envs) {
+                        container.envs.forEach((env: any) => {
+                            if (env?.valueFrom?.secretKeyRef) {
+                                reportViolation(
+                                    "CloudRun services should use secrets as mounted volumes."
+                                );
+                            }
+                        });
+                    }
+              });
+            }
+		}
+	},
+}

src/cloudrun/cloudrunDisallowPublicIngress/index.ts → src/cloudrun/disallowPublicIngress.ts

@@ -1,6 +1,6 @@
 import { ResourceValidationArgs, ReportViolation, EnforcementLevel } from "@pulumi/policy";
 
-export const cloudrunDisallowPublicIngress = {
+export const disallowPublicIngress = {
 	name: "cloudrun-disallow-public-ingress",
 	description: "Check that CloudRun services do not have public ingress set to 'all'.",
 	enforcementLevel: "advisory" as EnforcementLevel,

src/cloudrun/index.ts

@@ -1,5 +1,7 @@
-import { cloudrunDisallowPublicIngress } from "./cloudrunDisallowPublicIngress";
+import { disallowPublicIngress } from "./disallowPublicIngress";
+import { disallowEnvsSecrets } from "./disallowEnvsSecrets";
 
 export const cloudrunPolicies = [
-	cloudrunDisallowPublicIngress,
+	disallowEnvsSecrets,
+	disallowPublicIngress,
 ];

src/cloudrunv2/disallowEnvsSecrets.ts

@@ -0,0 +1,49 @@
+import { ResourceValidationArgs, ReportViolation, EnforcementLevel } from "@pulumi/policy";
+
+export const serviceDisallowEnvsSecrets = {
+	name: "cloudrunv2-service-disallow-envs-secrets",
+	description: "Check that CloudRun2 services do not use environment variables from secrets.",
+	enforcementLevel: "advisory" as EnforcementLevel,
+	validateResource: (args: ResourceValidationArgs, reportViolation: ReportViolation) => {
+		if (args.type === "gcp:cloudrunv2/service:Service") {
+            const containers = args.props.template.containers;
+            if (containers) {
+                containers.forEach((container: any) => {
+                    if (container.envs) {
+                        container.envs.forEach((env: any) => {
+                            if (env?.valueSource?.secretKeyRef) {
+                                reportViolation(
+                                    "CloudRun2 services should use secrets as mounted volumes."
+                                );
+                            }
+                        });
+                    }
+              });
+            }
+		}
+	},
+}
+
+export const jobDisallowEnvsSecrets = {
+	name: "cloudrunv2-job-disallow-envs-secrets",
+	description: "Check that CloudRun2 jobs do not use environment variables from secrets.",
+	enforcementLevel: "advisory" as EnforcementLevel,
+	validateResource: (args: ResourceValidationArgs, reportViolation: ReportViolation) => {
+		if (args.type === "gcp:cloudrunv2/job:Job") {
+            const containers = args.props.template.template.containers;
+            if (containers) {
+                containers.forEach((container: any) => {
+                    if (container.envs) {
+                        container.envs.forEach((env: any) => {
+                            if (env?.valueSource?.secretKeyRef) {
+                                reportViolation(
+                                    "CloudRun2 jobs should use secrets as mounted volumes."
+                                );
+                            }
+                        });
+                    }
+              });
+            }
+		}
+	},
+}

src/cloudrunv2/cloudrunv2DisallowPublicIngress/index.ts → src/cloudrunv2/disallowPublicIngress.ts

@@ -1,7 +1,7 @@
 import { ResourceValidationArgs, ReportViolation, EnforcementLevel } from "@pulumi/policy";
 
-export const cloudrunv2DisallowPublicIngress = {
-	name: "cloudrunv2-disallow-public-ingress",
+export const disallowPublicIngress = {
+	name: "cloudrunv2-service-disallow-public-ingress",
 	description: "Check that CloudRun2 services do not have public ingress set to 'all'.",
 	enforcementLevel: "advisory" as EnforcementLevel,
 	validateResource: (args: ResourceValidationArgs, reportViolation: ReportViolation) => {

src/cloudrunv2/index.ts

@@ -1,5 +1,8 @@
-import { cloudrunv2DisallowPublicIngress } from "./cloudrunv2DisallowPublicIngress";
+import { disallowPublicIngress } from "./disallowPublicIngress";
+import { serviceDisallowEnvsSecrets, jobDisallowEnvsSecrets } from "./disallowEnvsSecrets";
 
 export const cloudrunv2Policies = [
-	cloudrunv2DisallowPublicIngress,
+	serviceDisallowEnvsSecrets,
+	jobDisallowEnvsSecrets,
+	disallowPublicIngress,
 ];