fix(terraform): CKV_GCP_74, CKV_GCP_76 incorrectly enforced for REGIONAL and GLOBAL managed proxy networks

[jbrule]

User description

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

Simular to log_config REGIONAL_MANAGED_PROXY and GLOBAL_MANAGED_PROXY networks do not support private_ip_google_access

resource "google_compute_subnetwork" "unknown3" {
  ...
  purpose       = "REGIONAL_MANAGED_PROXY"
  role          = "ACTIVE"
 ...
}

Fixes #5730

Fixed CKV_GCP_74

• Added additional purposes that should result in unknown
• Added test cases

Fixed CKV_GCP_76 by

• Added additional purposes that should result in unknown
• Added test cases
• Corrected policy name to better align with observed practice.
• Corrected duplicated class name

Description

It is NOT a violation. That is the point of this fix.

Fix

N/A

Checklist:

• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have added tests that prove my feature, policy, or fix is effective and works
• New and existing tests pass locally with my changes

---

Generated description

Below is a concise technical summary of the changes proposed in this PR:

Modifies the GoogleSubnetworkIPV6PrivateGoogleEnabled and GoogleSubnetworkPrivateGoogleEnabled checks to correctly handle REGIONAL_MANAGED_PROXY and GLOBAL_MANAGED_PROXY networks. Updates the corresponding test files to include new test cases for these network types. Renames some classes and variables for consistency.

Topic	Details
Check Logic Update	Updates the logic in GoogleSubnetworkIPV6PrivateGoogleEnabled and GoogleSubnetworkPrivateGoogleEnabled checks to handle additional network types Modified files (2) checkov/terraform/checks/resource/gcp/GoogleSubnetworkIPV6PrivateGoogleEnabled.py checkov/terraform/checks/resource/gcp/GoogleSubnetworkPrivateGoogleEnabled.py Latest Contributors(2) User Commit Date tsmithv11 fix-terraform-Handle-d... July 29, 2024 JamesWoolfenden fix-terraform-Subnetwo... April 04, 2023
Test Updates	Adds new test cases and updates existing tests to cover the changes in check logic Modified files (4) tests/terraform/checks/resource/gcp/test_GoogleSubnetworkIPV6PrivateGoogleEnabled.py tests/terraform/checks/resource/gcp/test_GoogleSubnetworkPrivateGoogleEnabled.py tests/terraform/checks/resource/gcp/example_GoogleSubnetworkIPV6PrivateGoogleEnabled/main.tf tests/terraform/checks/resource/gcp/example_GoogleSubnetworkPrivateGoogleEnabled/main.tf Latest Contributors(2) User Commit Date JamesWoolfenden fix-terraform-Subnetwo... April 04, 2023 [email protected]... CKV_GCP_76-update-the-... May 19, 2022

This pull request is reviewed by Baz. Join @jbrule and the rest of your team on (Baz).

[jbrule]

Can I get a review?

[jbrule]

Anyone? Need me to provide anything additional?

Thank you

[tsmithv11]

Very nice. Thanks for the contribution! 🚀

[tsmithv11]

Suggested change

	PURPOSE_EXCEPTIONS = ["INTERNAL_HTTPS_LOAD_BALANCER", "REGIONAL_MANAGED_PROXY", "GLOBAL_MANAGED_PROXY"]
	PURPOSE_EXCEPTIONS = ["INTERNAL_HTTPS_LOAD_BALANCER", "REGIONAL_MANAGED_PROXY", "GLOBAL_MANAGED_PROXY", "PRIVATE_SERVICE_CONNECT", "PRIVATE_NAT"]

I believe these should also be excluded

[jbrule]

At that point I wonder if we shouldn't flip the logic and apply check only to PRIVATE

…

On Fri, Feb 21, 2025, 5:18 PM Taylor ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In checkov/terraform/checks/resource/gcp/GoogleSubnetworkPrivateGoogleEnabled.py <#7002 (comment)> : > @@ -5,6 +5,8 @@ from checkov.common.models.enums import CheckCategories, CheckResult from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck +# private_ip_google_access is not supported for subnetworks with the following purpose set +PURPOSE_EXCEPTIONS = ["INTERNAL_HTTPS_LOAD_BALANCER", "REGIONAL_MANAGED_PROXY", "GLOBAL_MANAGED_PROXY"] ⬇️ Suggested change -PURPOSE_EXCEPTIONS = ["INTERNAL_HTTPS_LOAD_BALANCER", "REGIONAL_MANAGED_PROXY", "GLOBAL_MANAGED_PROXY"] +PURPOSE_EXCEPTIONS = ["INTERNAL_HTTPS_LOAD_BALANCER", "REGIONAL_MANAGED_PROXY", "GLOBAL_MANAGED_PROXY", "PRIVATE_SERVICE_CONNECT", "PRIVATE_NAT"] I believe these should also be excluded — Reply to this email directly, view it on GitHub <#7002 (review)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAF26ZXIKRTRXXMRQI4E4D32Q6X6FAVCNFSM6AAAAABWW7UT7OVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZDMMZUGQ2TSOJSGI> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[tsmithv11]

At that point I wonder if we shouldn't flip the logic and apply check only to PRIVATE
…
On Fri, Feb 21, 2025, 5:18 PM Taylor @.> wrote: @.* commented on this pull request. ------------------------------ In checkov/terraform/checks/resource/gcp/GoogleSubnetworkPrivateGoogleEnabled.py <#7002 (comment)> : > @@ -5,6 +5,8 @@ from checkov.common.models.enums import CheckCategories, CheckResult from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck +# private_ip_google_access is not supported for subnetworks with the following purpose set +PURPOSE_EXCEPTIONS = ["INTERNAL_HTTPS_LOAD_BALANCER", "REGIONAL_MANAGED_PROXY", "GLOBAL_MANAGED_PROXY"] ⬇️ Suggested change -PURPOSE_EXCEPTIONS = ["INTERNAL_HTTPS_LOAD_BALANCER", "REGIONAL_MANAGED_PROXY", "GLOBAL_MANAGED_PROXY"] +PURPOSE_EXCEPTIONS = ["INTERNAL_HTTPS_LOAD_BALANCER", "REGIONAL_MANAGED_PROXY", "GLOBAL_MANAGED_PROXY", "PRIVATE_SERVICE_CONNECT", "PRIVATE_NAT"] I believe these should also be excluded — Reply to this email directly, view it on GitHub <#7002 (review)>, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAF26ZXIKRTRXXMRQI4E4D32Q6X6FAVCNFSM6AAAAABWW7UT7OVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZDMMZUGQ2TSOJSGI . You are receiving this because you were mentioned.Message ID: @.***>

@jbrule that makes sense and works for me.