Terrascan wrongly reports a accurics.gcp.NS.130 (checkIpForward) violation

[ferrarimarco]

• terrascan version: 1.0.0
• Operating System: Ubuntu 20.04

Description

Terrascan reports a violation of the accurics.gcp.NS.130 rule (rule code is in checkIpForward.rego), and it should not.

What I Did

Here's my google_compute_instance. Adding a can_ip_forward = false doesn't make any difference.

resource "google_compute_instance" "development-workstation" {
  name             = var.development_workstation_name
  machine_type     = var.development_workstation_machine_type
  min_cpu_platform = var.development_workstation_min_cpu_platform

  boot_disk {
    initialize_params {
      image = "${google_compute_image.dev-workstation-image-ubuntu-2004.family}/${google_compute_image.dev-workstation-image-ubuntu-2004.name}"
      type  = "pd-ssd"
    }
  }

  network_interface {
    network = "default"

    access_config {
      // Ephemeral IP
    }
  }
}

What am I doing wrong?

[williepaul]

Hi @ferrarimarco, appreciate the bug report. I verified the issue on my dev box, and it's definitely a policy bug.

Basically, it looks like the intention for the checkIpForward rule was to check if !(.can_ip_forward == true), but due to syntax, "not api.config.can_ip_forward" actually checks if a key does not exist, which in this case is true (it's not in the test file).
Since the can_ip_forward rule defaults to false, removing the "not" and just checking for can_ip_forward == true should suffice.

pkg/policies/opa/rego/gcp/google_compute_instance/checkIpForward.rego:

checkIpForward[api.id]
{
api := input.google_compute_instance[_]
not api.config.can_ip_forward == true
}

Fixed:
checkIpForward[api.id]
{
api := input.google_compute_instance[_]
api.config.can_ip_forward == true
}

I'll check in the fix shortly.