diff --git a/CHANGELOG.md b/CHANGELOG.md
index bab13bd..c0f77c5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,8 +9,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 
 ### Added
-- Add CodeQL analysis (#4).
-- Add dependabot npm scan (#4).
+- CodeQL analysis (#4).
+- dependabot npm scan (#4).
+- `cloudrunv2-disallow-public-ingress` (#5).
 
 ## [1.1.0] - 2023-12-25
 
diff --git a/__tests__/cloudrun/index.ts b/__tests__/cloudrun/index.ts
index 3ba0688..ba548aa 100644
--- a/__tests__/cloudrun/index.ts
+++ b/__tests__/cloudrun/index.ts
@@ -1 +1 @@
-export * as cloudRunService from "./cloudrunService"
+export * as cloudrunService from "./cloudrunService"
diff --git a/__tests__/cloudrunv2/cloudrunv2Service.ts b/__tests__/cloudrunv2/cloudrunv2Service.ts
new file mode 100644
index 0000000..7bd8374
--- /dev/null
+++ b/__tests__/cloudrunv2/cloudrunv2Service.ts
@@ -0,0 +1,30 @@
+import * as gcp from "@pulumi/gcp";
+
+export const clodrunv2ServicePass1 = new gcp.cloudrunv2.Service("pass#1", {
+    location: "europe-west1",
+    template: {
+        containers: [{
+            image: "us-docker.pkg.dev/cloudrun/container/hello",
+        }],
+    },
+});
+
+export const clodrunv2ServicePass2 = new gcp.cloudrunv2.Service("pass#2", {
+    location: "europe-west1",
+    ingress: "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER",
+    template: {
+        containers: [{
+            image: "us-docker.pkg.dev/cloudrun/container/hello",
+        }],
+    },
+});
+
+export const clodrunv2ServiceFail1 = new gcp.cloudrunv2.Service("fail#1", {
+    location: "europe-west1",
+    ingress: "INGRESS_TRAFFIC_ALL",
+    template: {
+        containers: [{
+            image: "us-docker.pkg.dev/cloudrun/container/hello",
+        }],
+    },
+});
\ No newline at end of file
diff --git a/__tests__/cloudrunv2/index.ts b/__tests__/cloudrunv2/index.ts
new file mode 100644
index 0000000..f4e90b5
--- /dev/null
+++ b/__tests__/cloudrunv2/index.ts
@@ -0,0 +1 @@
+export * as cloudrunV2Service from "../cloudrunv2/cloudrunv2Service"
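Review bot: The three exported fixture identifiers in `__tests__/cloudrunv2/cloudrunv2Service.ts` are misspelled `clodrunv2…` (e.g. `export const clodrunv2ServicePass1`) while the directory, the resource type and the policy name all use `cloudrunv2`; any test that imports these names will carry the typo, so rename them to `cloudrunv2ServicePass1`, `cloudrunv2ServicePass2` and `cloudrunv2ServiceFail1` before other files depend on them. The file also ends without a trailing newline, which the diff marks explicitly.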
diff --git a/__tests__/index.ts b/__tests__/index.ts
index 34c1bb3..ef25f64 100644
--- a/__tests__/index.ts
+++ b/__tests__/index.ts
@@ -1,2 +1,3 @@
-export * as cloudRun from './cloudrun/index'
+export * as cloudrun from './cloudrun/index'
+export * as cloudrunv2 from './cloudrunv2/index'
 export * as compute from './compute/index'
diff --git a/src/cloudrun/index.ts b/src/cloudrun/index.ts
index 5edf319..aecedc5 100644
--- a/src/cloudrun/index.ts
+++ b/src/cloudrun/index.ts
@@ -1,5 +1,5 @@
 import { cloudrunDisallowPublicIngress } from "./cloudrunDisallowPublicIngress";
 
-export const cloudRunPolicies = [
+export const cloudrunPolicies = [
     cloudrunDisallowPublicIngress,
 ];
diff --git a/src/cloudrunv2/cloudrunv2DisallowPublicIngress/index.ts b/src/cloudrunv2/cloudrunv2DisallowPublicIngress/index.ts
new file mode 100644
index 0000000..3040056
--- /dev/null
+++ b/src/cloudrunv2/cloudrunv2DisallowPublicIngress/index.ts
@@ -0,0 +1,17 @@
+import { ResourceValidationArgs, ReportViolation, EnforcementLevel } from "@pulumi/policy";
+
+export const cloudrunv2DisallowPublicIngress = {
+    name: "cloudrunv2-disallow-public-ingress",
+    description: "Check that CloudRun2 services do not have public ingress set to 'all'.",
+    enforcementLevel: "advisory" as EnforcementLevel,
+    validateResource: (args: ResourceValidationArgs, reportViolation: ReportViolation) => {
+        if (args.type === "gcp:cloudrunv2/service:Service") {
+            const ingress = args.props.ingress;
+            if (ingress && ingress === "INGRESS_TRAFFIC_ALL") {
+                reportViolation(
+                    "CloudRun2 services should not have public ingress set to 'all'. Use a load balancer instead."
+                );
+            }
+        }
+    },
+}
diff --git a/src/cloudrunv2/index.ts b/src/cloudrunv2/index.ts
new file mode 100644
index 0000000..0df4603
--- /dev/null
+++ b/src/cloudrunv2/index.ts
@@ -0,0 +1,5 @@
+import { cloudrunv2DisallowPublicIngress } from "./cloudrunv2DisallowPublicIngress";
+
+export const cloudrunv2Policies = [
+    cloudrunv2DisallowPublicIngress,
+];
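Review bot: The comparison on the `if (ingress && ingress === "INGRESS_TRAFFIC_ALL")` line in `src/cloudrunv2/cloudrunv2DisallowPublicIngress/index.ts` only fires when `ingress` is set explicitly, so a `gcp.cloudrunv2.Service` that omits the property is reported as compliant even though, as far as I know, Cloud Run falls back to all-traffic ingress when the setting is not specified; the `pass#1` fixture added in this commit exercises exactly that gap. Consider treating an unset value as a violation too, `if (ingress === undefined || ingress === "INGRESS_TRAFFIC_ALL") {`, and adjusting that fixture's expected outcome, or at least state in `description` that only an explicitly configured ingress is checked. The `ingress &&` guard is redundant once the value is compared against a non-empty string literal. Declaring the object as `export const cloudrunv2DisallowPublicIngress: ResourceValidationPolicy = {` (the interface exported by `@pulumi/policy`) would let the compiler check the policy's shape and remove the `as EnforcementLevel` assertion.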
diff --git a/src/index.ts b/src/index.ts
index e3638e8..9a19a24 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -1,8 +1,13 @@
 import { PolicyPack } from '@pulumi/policy'
-import { cloudRunPolicies } from './cloudrun'
+import { cloudrunPolicies } from './cloudrun'
+import { cloudrunv2Policies } from './cloudrunv2'
 import { computePolicies } from './compute'
 
-const allPolicies = [...cloudRunPolicies, ...computePolicies]
+const allPolicies = [
+  ...cloudrunPolicies,
+  ...cloudrunv2Policies,
+  ...computePolicies
+]
 
 export const policies = new PolicyPack('gcp-pac', {
   policies: allPolicies