add cloudrunv2-disallow-public-ingress policy

losisin · Dec 26, 2023 · cbe9761 · cbe9761
1 parent 6e5ba31
commit cbe9761
Show file tree

Hide file tree

Showing 9 changed files with 67 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,8 +9,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
-- Add CodeQL analysis (#4).
-- Add dependabot npm scan (#4).
+- CodeQL analysis (#4).
+- dependabot npm scan (#4).
+- `cloudrunv2-disallow-public-ingress` (#5).
 
 ## [1.1.0] - 2023-12-25
 

diff --git a/__tests__/cloudrun/index.ts b/__tests__/cloudrun/index.ts
@@ -1 +1 @@
-export * as cloudRunService from "./cloudrunService"
+export * as cloudrunService from "./cloudrunService"
diff --git a/__tests__/cloudrunv2/cloudrunv2Service.ts b/__tests__/cloudrunv2/cloudrunv2Service.ts
@@ -0,0 +1,30 @@
+import * as gcp from "@pulumi/gcp";
+
+export const clodrunv2ServicePass1 = new gcp.cloudrunv2.Service("pass#1", {
+    location: "europe-west1",
+    template: {
+        containers: [{
+            image: "us-docker.pkg.dev/cloudrun/container/hello",
+        }],
+    },
+});
+
+export const clodrunv2ServicePass2 = new gcp.cloudrunv2.Service("pass#2", {
+    location: "europe-west1",
+    ingress: "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER",
+    template: {
+        containers: [{
+            image: "us-docker.pkg.dev/cloudrun/container/hello",
+        }],
+    },
+});
+
+export const clodrunv2ServiceFail1 = new gcp.cloudrunv2.Service("fail#1", {
+    location: "europe-west1",
+    ingress: "INGRESS_TRAFFIC_ALL",
+    template: {
+        containers: [{
+            image: "us-docker.pkg.dev/cloudrun/container/hello",
+        }],
+    },
+});
diff --git a/__tests__/cloudrunv2/index.ts b/__tests__/cloudrunv2/index.ts
@@ -0,0 +1 @@
+export * as cloudrunV2Service from "../cloudrunv2/cloudrunv2Service"
diff --git a/__tests__/index.ts b/__tests__/index.ts
@@ -1,2 +1,3 @@
-export * as cloudRun from './cloudrun/index'
+export * as cloudrun from './cloudrun/index'
+export * as cloudrunv2 from './cloudrunv2/index'
 export * as compute from './compute/index'
diff --git a/src/cloudrun/index.ts b/src/cloudrun/index.ts
@@ -1,5 +1,5 @@
 import { cloudrunDisallowPublicIngress } from "./cloudrunDisallowPublicIngress";
 
-export const cloudRunPolicies = [
+export const cloudrunPolicies = [
 	cloudrunDisallowPublicIngress,
 ];
diff --git a/src/cloudrunv2/cloudrunv2DisallowPublicIngress/index.ts b/src/cloudrunv2/cloudrunv2DisallowPublicIngress/index.ts
@@ -0,0 +1,17 @@
+import { ResourceValidationArgs, ReportViolation, EnforcementLevel } from "@pulumi/policy";
+
+export const cloudrunv2DisallowPublicIngress = {
+	name: "cloudrunv2-disallow-public-ingress",
+	description: "Check that CloudRun2 services do not have public ingress set to 'all'.",
+	enforcementLevel: "advisory" as EnforcementLevel,
+	validateResource: (args: ResourceValidationArgs, reportViolation: ReportViolation) => {
+		if (args.type === "gcp:cloudrunv2/service:Service") {
+			const ingress = args.props.ingress;
+			if (ingress && ingress === "INGRESS_TRAFFIC_ALL") {
+				reportViolation(
+					"CloudRun2 services should not have public ingress set to 'all'. Use a load balancer instead."
+				);
+			}
+		}
+	},
+}
diff --git a/src/cloudrunv2/index.ts b/src/cloudrunv2/index.ts
@@ -0,0 +1,5 @@
+import { cloudrunv2DisallowPublicIngress } from "./cloudrunv2DisallowPublicIngress";
+
+export const cloudrunv2Policies = [
+	cloudrunv2DisallowPublicIngress,
+];
diff --git a/src/index.ts b/src/index.ts
@@ -1,8 +1,13 @@
 import { PolicyPack } from '@pulumi/policy'
-import { cloudRunPolicies } from './cloudrun'
+import { cloudrunPolicies } from './cloudrun'
+import { cloudrunv2Policies } from './cloudrunv2'
 import { computePolicies } from './compute'
 
-const allPolicies = [...cloudRunPolicies, ...computePolicies]
+const allPolicies = [
+  ...cloudrunPolicies,
+  ...cloudrunv2Policies,
+  ...computePolicies
+]
 
 export const policies = new PolicyPack('gcp-pac', {
   policies: allPolicies