fix(terraform): Handle new resource type for CKV_GCP_73

checkov/terraform/checks/resource/gcp/CloudArmorWAFACLCVE202144228.py

@@ -3,6 +3,7 @@
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.common.util.type_forcers import force_list
 from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
+from checkov.common.graph.graph_builder import CustomAttributes
 
 
 class CloudArmorWAFACLCVE202144228(BaseResourceCheck):
@@ -38,6 +39,32 @@ def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:
                         if rule.get("preview") == [True]:
                             return CheckResult.FAILED
                         return CheckResult.PASSED
+
+        resource_name = conf.get("name")[0]
+        connected_rules = [
+            g1[1] for g1 in self.graph.nodes()
+            if g1[1].get(CustomAttributes.RESOURCE_TYPE) == "google_compute_security_policy_rule" and
+            g1[1].get("security_policy") == resource_name
+        ]
+
+        for rule in force_list(connected_rules):
+            match = rule.get("match")
+            if match and isinstance(match, dict):
+                expr = match.get("expr")
+                if expr and isinstance(expr, dict):
+                    if expr.get("expression") == "evaluatePreconfiguredExpr('cve-canary')":
+                        if rule.get("action") == "allow":
+                            return CheckResult.FAILED
+                        if rule.get("preview"):
+                            return CheckResult.FAILED
+                        return CheckResult.PASSED
+                    elif expr.get("expression") == "evaluatePreconfiguredWaf('cve-canary')":
+                        if rule.get("action") == "allow":
+                            return CheckResult.FAILED
+                        if rule.get("preview"):
+                            return CheckResult.FAILED
+                        return CheckResult.PASSED
+
         return CheckResult.FAILED
 
 

tests/terraform/checks/resource/gcp/example_CloudArmorWAFACLCVE202144228/main.tf

@@ -43,6 +43,49 @@ resource "google_compute_security_policy" "pass_preconfigwaf" {
   }
 }
 
+resource "google_compute_security_policy" "pass_separate_resource" {
+  name        = "example_separate"
+
+  rule {
+    description = "Foo"
+    priority    = 1
+
+    match {
+      versioned_expr = "SRC_IPS_V1"
+      config {
+        src_ip_ranges = ["*"]
+      }
+    }
+
+    action = "deny(404)"
+  }
+}
+
+resource "google_compute_security_policy_rule" "cve_canary_waf" {
+  security_policy = google_compute_security_policy.pass_separate_resource.name
+  description = "cve-canary WAF rule"
+  priority    = 1
+  match {
+    expr {
+      expression = "evaluatePreconfiguredExpr('cve-canary')"
+    }
+  }
+  action          = "deny(403)"
+}
+
+resource "google_compute_security_policy_rule" "rule2" {
+  security_policy = google_compute_security_policy.pass_separate_resource.name
+  description = "rule2"
+  priority    = 2
+  match {
+    expr {
+      expression = "evaluatePreconfiguredWaf('xss-canary')"
+    }
+  }
+  action          = "allow"
+}
+
+
 # fail
 
 resource "google_compute_security_policy" "allow" {
@@ -101,4 +144,75 @@ resource "google_compute_security_policy" "pass_preconfigwaf" {
       }
     }
   }
+}
+
+resource "google_compute_security_policy" "fail" {
+
+  name = "my-policy"
+
+  rule {
+    action   = "deny(403)"
+    priority = "1000"
+    match {
+      versioned_expr = "SRC_IPS_V1"
+      config {
+        src_ip_ranges = ["9.9.9.0/24"]
+      }
+    }
+    description = "Deny access to IPs in 9.9.9.0/24"
+  }
+
+  rule {
+    action   = "allow"
+    priority = "2147483647"
+    match {
+      versioned_expr = "SRC_IPS_V1"
+      config {
+        src_ip_ranges = ["*"]
+      }
+    }
+    description = "default rule"
+  }
+}
+
+resource "google_compute_security_policy" "fail_separate_resource" {
+  name        = "example_separate_fail"
+
+  rule {
+    description = "Foo"
+    priority    = 1
+
+    match {
+      versioned_expr = "SRC_IPS_V1"
+      config {
+        src_ip_ranges = ["*"]
+      }
+    }
+
+    action = "deny(404)"
+  }
+}
+
+resource "google_compute_security_policy_rule" "cve_canary_waf" {
+  security_policy = google_compute_security_policy.fail_separate_resource.name
+  description = "cve-canary WAF rule"
+  priority    = 1
+  match {
+    expr {
+      expression = "evaluatePreconfiguredExpr('cve-canary')"
+    }
+  }
+  action          = "allow"
+}
+
+resource "google_compute_security_policy_rule" "rule2" {
+  security_policy = google_compute_security_policy.fail_separate_resource.name
+  description = "rule2"
+  priority    = 2
+  match {
+    expr {
+      expression = "evaluatePreconfiguredWaf('xss-canary')"
+    }
+  }
+  action          = "allow"
 }

tests/terraform/checks/resource/gcp/test_CloudArmorWAFACLCVE202144228.py

@@ -21,13 +21,16 @@ def test(self):
             "google_compute_security_policy.enabled_deny_403",
             "google_compute_security_policy.enabled_deny_404",
             "google_compute_security_policy.pass_preconfigwaf",
+            "google_compute_security_policy.pass_separate_resource",
         }
 
         failing_resources = {
             "google_compute_security_policy.allow",
             "google_compute_security_policy.preview",
             "google_compute_security_policy.different_expr",
-            "google_compute_security_policy.pass_preconfigwaf"
+            "google_compute_security_policy.pass_preconfigwaf",
+            "google_compute_security_policy.fail",
+            "google_compute_security_policy.fail_separate_resource",
         }
 
         passed_check_resources = {c.resource for c in report.passed_checks}