feat(misconf): support auto_provisioning_defaults in google_container_cluster (#8705)

Signed-off-by: nikpivkin <[email protected]>

Author: nikpivkin

pkg/iac/adapters/terraform/google/gke/adapt.go

@@ -26,7 +26,7 @@ type adapter struct {
 func (a *adapter) adaptClusters() []gke.Cluster {
 	for _, module := range a.modules {
 		for _, resource := range module.GetResourcesByType("google_container_cluster") {
-			a.adaptCluster(resource, module)
+			a.adaptCluster(resource)
 		}
 	}
 
@@ -46,7 +46,7 @@ func (a *adapter) adaptClusters() []gke.Cluster {
 	return clusters
 }
 
-func (a *adapter) adaptCluster(resource *terraform.Block, module *terraform.Module) {
+func (a *adapter) adaptCluster(resource *terraform.Block) {
 
 	cluster := gke.Cluster{
 		Metadata:  resource.GetMetadata(),
@@ -104,7 +104,7 @@ func (a *adapter) adaptCluster(resource *terraform.Block, module *terraform.Modu
 	}
 
 	if blocks := resource.GetBlocks("master_authorized_networks_config"); len(blocks) > 0 {
-		cluster.MasterAuthorizedNetworks = adaptMasterAuthNetworksAsBlocks(resource, blocks)
+		cluster.MasterAuthorizedNetworks = adaptMasterAuthNetworksAsBlocks(blocks)
 	}
 
 	if policyBlock := resource.GetBlock("network_policy"); policyBlock.IsNotNil() {
@@ -129,12 +129,24 @@ func (a *adapter) adaptCluster(resource *terraform.Block, module *terraform.Modu
 	}
 
 	if configBlock := resource.GetBlock("node_config"); configBlock.IsNotNil() {
-		if configBlock.GetBlock("metadata").IsNotNil() {
-			cluster.NodeConfig.Metadata = configBlock.GetBlock("metadata").GetMetadata()
-		}
 		cluster.NodeConfig = adaptNodeConfig(configBlock)
 	}
 
+	if autoScalingBlock := resource.GetBlock("cluster_autoscaling"); autoScalingBlock.IsNotNil() {
+		cluster.AutoScaling = gke.AutoScaling{
+			Metadata: autoScalingBlock.GetMetadata(),
+			Enabled:  autoScalingBlock.GetAttribute("enabled").AsBoolValueOrDefault(false, autoScalingBlock),
+		}
+
+		if b := autoScalingBlock.GetBlock("auto_provisioning_defaults"); b.IsNotNil() {
+			cluster.AutoScaling.AutoProvisioningDefaults = gke.AutoProvisioningDefaults{
+				Metadata:       b.GetMetadata(),
+				ServiceAccount: b.GetAttribute("service_account").AsStringValueOrDefault("", b),
+				Management:     adaptManagement(b),
+				ImageType:      b.GetAttribute("image_type").AsStringValueOrDefault("", b),
+			}
+		}
+	}
 	cluster.EnableShieldedNodes = resource.GetAttribute("enable_shielded_nodes").AsBoolValueOrDefault(true, resource)
 
 	enableLegacyABACAttr := resource.GetAttribute("enable_legacy_abac")
@@ -152,6 +164,23 @@ func (a *adapter) adaptCluster(resource *terraform.Block, module *terraform.Modu
 	a.clusterMap[resource.ID()] = cluster
 }
 
+func adaptManagement(parent *terraform.Block) gke.Management {
+	b := parent.GetBlock("management")
+	if b.IsNil() {
+		return gke.Management{
+			Metadata:          parent.GetMetadata(),
+			EnableAutoRepair:  iacTypes.BoolDefault(false, parent.GetMetadata()),
+			EnableAutoUpgrade: iacTypes.BoolDefault(false, parent.GetMetadata()),
+		}
+	}
+
+	return gke.Management{
+		Metadata:          b.GetMetadata(),
+		EnableAutoRepair:  b.GetAttribute("auto_repair").AsBoolValueOrDefault(false, b),
+		EnableAutoUpgrade: b.GetAttribute("auto_upgrade").AsBoolValueOrDefault(false, b),
+	}
+}
+
 func (a *adapter) adaptNodePools() {
 	for _, nodePoolBlock := range a.modules.GetResourcesByType("google_container_node_pool") {
 		a.adaptNodePool(nodePoolBlock)
@@ -170,28 +199,13 @@ func (a *adapter) adaptNodePool(resource *terraform.Block) {
 		EnableLegacyEndpoints: iacTypes.BoolDefault(true, resource.GetMetadata()),
 	}
 
-	management := gke.Management{
-		Metadata:          resource.GetMetadata(),
-		EnableAutoRepair:  iacTypes.BoolDefault(false, resource.GetMetadata()),
-		EnableAutoUpgrade: iacTypes.BoolDefault(false, resource.GetMetadata()),
-	}
-
-	if managementBlock := resource.GetBlock("management"); managementBlock.IsNotNil() {
-		management.Metadata = managementBlock.GetMetadata()
-		autoRepairAttr := managementBlock.GetAttribute("auto_repair")
-		management.EnableAutoRepair = autoRepairAttr.AsBoolValueOrDefault(false, managementBlock)
-
-		autoUpgradeAttr := managementBlock.GetAttribute("auto_upgrade")
-		management.EnableAutoUpgrade = autoUpgradeAttr.AsBoolValueOrDefault(false, managementBlock)
-	}
-
 	if nodeConfigBlock := resource.GetBlock("node_config"); nodeConfigBlock.IsNotNil() {
 		nodeConfig = adaptNodeConfig(nodeConfigBlock)
 	}
 
 	nodePool := gke.NodePool{
 		Metadata:   resource.GetMetadata(),
-		Management: management,
+		Management: adaptManagement(resource),
 		NodeConfig: nodeConfig,
 	}
 
@@ -270,9 +284,17 @@ func adaptNodeConfig(resource *terraform.Block) gke.NodeConfig {
 	}
 
 	if metadata := resource.GetAttribute("metadata"); metadata.IsNotNil() {
-		legacyMetadata := metadata.MapValue("disable-legacy-endpoints")
-		if legacyMetadata.IsWhollyKnown() && legacyMetadata.Type() == cty.Bool {
-			config.EnableLegacyEndpoints = iacTypes.Bool(legacyMetadata.False(), metadata.GetMetadata())
+		disableLegacy := metadata.MapValue("disable-legacy-endpoints")
+		if disableLegacy.IsKnown() {
+			var enableLegacyEndpoints bool
+			switch disableLegacy.Type() {
+			case cty.Bool:
+				enableLegacyEndpoints = disableLegacy.False()
+			case cty.String:
+				enableLegacyEndpoints = disableLegacy.AsString() == "false"
+			}
+
+			config.EnableLegacyEndpoints = iacTypes.Bool(enableLegacyEndpoints, metadata.GetMetadata())
 		}
 	}
 
@@ -312,7 +334,7 @@ func adaptMasterAuth(resource *terraform.Block) gke.MasterAuth {
 	}
 }
 
-func adaptMasterAuthNetworksAsBlocks(parent *terraform.Block, blocks terraform.Blocks) gke.MasterAuthorizedNetworks {
+func adaptMasterAuthNetworksAsBlocks(blocks terraform.Blocks) gke.MasterAuthorizedNetworks {
 	var cidrs []iacTypes.StringValue
 	for _, block := range blocks {
 		for _, cidrBlock := range block.GetBlocks("cidr_blocks") {

pkg/iac/adapters/terraform/google/gke/adapt_test.go

@@ -77,6 +77,18 @@ resource "google_container_cluster" "example" {
   enable_autopilot = true
 
   datapath_provider = "ADVANCED_DATAPATH"
+
+  cluster_autoscaling {
+    enabled = true
+    auto_provisioning_defaults {
+      service_account  = "test"
+	  image_type = "COS_CONTAINERD"
+	  management {
+        auto_repair  = true
+        auto_upgrade = true
+      }
+    }
+  }
 }
 
 resource "google_container_node_pool" "primary_preemptible_nodes" {
@@ -102,9 +114,7 @@ resource "google_container_node_pool" "primary_preemptible_nodes" {
 			expected: gke.GKE{
 				Clusters: []gke.Cluster{
 					{
-						Metadata: iacTypes.NewTestMetadata(),
 						NodeConfig: gke.NodeConfig{
-							Metadata:  iacTypes.NewTestMetadata(),
 							ImageType: iacTypes.String("COS_CONTAINERD", iacTypes.NewTestMetadata()),
 							WorkloadMetadataConfig: gke.WorkloadMetadataConfig{
 								Metadata:     iacTypes.NewTestMetadata(),
@@ -113,9 +123,19 @@ resource "google_container_node_pool" "primary_preemptible_nodes" {
 							ServiceAccount:        iacTypes.String("", iacTypes.NewTestMetadata()),
 							EnableLegacyEndpoints: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
 						},
+						AutoScaling: gke.AutoScaling{
+							Enabled: iacTypes.BoolTest(true),
+							AutoProvisioningDefaults: gke.AutoProvisioningDefaults{
+								ImageType:      iacTypes.StringTest("COS_CONTAINERD"),
+								ServiceAccount: iacTypes.StringTest("test"),
+								Management: gke.Management{
+									EnableAutoRepair:  iacTypes.BoolTest(true),
+									EnableAutoUpgrade: iacTypes.BoolTest(true),
+								},
+							},
+						},
 						NodePools: []gke.NodePool{
 							{
-								Metadata: iacTypes.NewTestMetadata(),
 								Management: gke.Management{
 									Metadata:          iacTypes.NewTestMetadata(),
 									EnableAutoRepair:  iacTypes.Bool(true, iacTypes.NewTestMetadata()),
@@ -134,19 +154,16 @@ resource "google_container_node_pool" "primary_preemptible_nodes" {
 							},
 						},
 						IPAllocationPolicy: gke.IPAllocationPolicy{
-							Metadata: iacTypes.NewTestMetadata(),
-							Enabled:  iacTypes.Bool(true, iacTypes.NewTestMetadata()),
+							Enabled: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
 						},
 						MasterAuthorizedNetworks: gke.MasterAuthorizedNetworks{
-							Metadata: iacTypes.NewTestMetadata(),
-							Enabled:  iacTypes.Bool(true, iacTypes.NewTestMetadata()),
+							Enabled: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
 							CIDRs: []iacTypes.StringValue{
 								iacTypes.String("10.10.128.0/24", iacTypes.NewTestMetadata()),
 							},
 						},
 						NetworkPolicy: gke.NetworkPolicy{
-							Metadata: iacTypes.NewTestMetadata(),
-							Enabled:  iacTypes.Bool(true, iacTypes.NewTestMetadata()),
+							Enabled: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
 						},
 						DatapathProvider: iacTypes.String("ADVANCED_DATAPATH", iacTypes.NewTestMetadata()),
 						PrivateCluster: gke.PrivateCluster{
@@ -156,7 +173,6 @@ resource "google_container_node_pool" "primary_preemptible_nodes" {
 						LoggingService:    iacTypes.String("logging.googleapis.com/kubernetes", iacTypes.NewTestMetadata()),
 						MonitoringService: iacTypes.String("monitoring.googleapis.com/kubernetes", iacTypes.NewTestMetadata()),
 						MasterAuth: gke.MasterAuth{
-							Metadata: iacTypes.NewTestMetadata(),
 							ClientCertificate: gke.ClientCertificate{
 								Metadata:         iacTypes.NewTestMetadata(),
 								IssueCertificate: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
@@ -182,7 +198,7 @@ resource "google_container_cluster" "example" {
   node_config {
     service_account = "service-account"
     metadata = {
-      disable-legacy-endpoints = true
+      disable-legacy-endpoints = "true"
     }
     image_type = "COS"
     workload_metadata_config {
@@ -194,7 +210,6 @@ resource "google_container_cluster" "example" {
 			expected: gke.GKE{
 				Clusters: []gke.Cluster{
 					{
-						Metadata: iacTypes.NewTestMetadata(),
 						NodeConfig: gke.NodeConfig{
 							Metadata:  iacTypes.NewTestMetadata(),
 							ImageType: iacTypes.String("COS", iacTypes.NewTestMetadata()),
@@ -207,17 +222,14 @@ resource "google_container_cluster" "example" {
 						},
 
 						IPAllocationPolicy: gke.IPAllocationPolicy{
-							Metadata: iacTypes.NewTestMetadata(),
-							Enabled:  iacTypes.Bool(false, iacTypes.NewTestMetadata()),
+							Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
 						},
 						MasterAuthorizedNetworks: gke.MasterAuthorizedNetworks{
-							Metadata: iacTypes.NewTestMetadata(),
-							Enabled:  iacTypes.Bool(false, iacTypes.NewTestMetadata()),
-							CIDRs:    []iacTypes.StringValue{},
+							Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
+							CIDRs:   []iacTypes.StringValue{},
 						},
 						NetworkPolicy: gke.NetworkPolicy{
-							Metadata: iacTypes.NewTestMetadata(),
-							Enabled:  iacTypes.Bool(false, iacTypes.NewTestMetadata()),
+							Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
 						},
 						DatapathProvider: iacTypes.StringDefault("DATAPATH_PROVIDER_UNSPECIFIED", iacTypes.NewTestMetadata()),
 						PrivateCluster: gke.PrivateCluster{
@@ -227,7 +239,6 @@ resource "google_container_cluster" "example" {
 						LoggingService:    iacTypes.String("logging.googleapis.com/kubernetes", iacTypes.NewTestMetadata()),
 						MonitoringService: iacTypes.String("monitoring.googleapis.com/kubernetes", iacTypes.NewTestMetadata()),
 						MasterAuth: gke.MasterAuth{
-							Metadata: iacTypes.NewTestMetadata(),
 							ClientCertificate: gke.ClientCertificate{
 								Metadata:         iacTypes.NewTestMetadata(),
 								IssueCertificate: iacTypes.Bool(false, iacTypes.NewTestMetadata()),

pkg/iac/providers/google/gke/gke.go

@@ -19,6 +19,7 @@ type Cluster struct {
 	MonitoringService        iacTypes.StringValue
 	MasterAuth               MasterAuth
 	NodeConfig               NodeConfig
+	AutoScaling              AutoScaling
 	EnableShieldedNodes      iacTypes.BoolValue
 	EnableLegacyABAC         iacTypes.BoolValue
 	ResourceLabels           iacTypes.MapValue
@@ -35,6 +36,19 @@ type NodeConfig struct {
 	EnableLegacyEndpoints  iacTypes.BoolValue
 }
 
+type AutoScaling struct {
+	Metadata                 iacTypes.Metadata
+	Enabled                  iacTypes.BoolValue
+	AutoProvisioningDefaults AutoProvisioningDefaults
+}
+
+type AutoProvisioningDefaults struct {
+	Metadata       iacTypes.Metadata
+	ImageType      iacTypes.StringValue
+	ServiceAccount iacTypes.StringValue
+	Management     Management
+}
+
 type WorkloadMetadataConfig struct {
 	Metadata     iacTypes.Metadata
 	NodeMetadata iacTypes.StringValue

pkg/iac/rego/schemas/cloud.json

@@ -6450,6 +6450,44 @@
         }
       }
     },
+    "github.com.aquasecurity.trivy.pkg.iac.providers.google.gke.AutoProvisioningDefaults": {
+      "type": "object",
+      "properties": {
+        "__defsec_metadata": {
+          "type": "object",
+          "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.Metadata"
+        },
+        "imagetype": {
+          "type": "object",
+          "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"
+        },
+        "management": {
+          "type": "object",
+          "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.providers.google.gke.Management"
+        },
+        "serviceaccount": {
+          "type": "object",
+          "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"
+        }
+      }
+    },
+    "github.com.aquasecurity.trivy.pkg.iac.providers.google.gke.AutoScaling": {
+      "type": "object",
+      "properties": {
+        "__defsec_metadata": {
+          "type": "object",
+          "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.Metadata"
+        },
+        "autoprovisioningdefaults": {
+          "type": "object",
+          "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.providers.google.gke.AutoProvisioningDefaults"
+        },
+        "enabled": {
+          "type": "object",
+          "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.BoolValue"
+        }
+      }
+    },
     "github.com.aquasecurity.trivy.pkg.iac.providers.google.gke.ClientCertificate": {
       "type": "object",
       "properties": {
@@ -6470,6 +6508,10 @@
           "type": "object",
           "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.Metadata"
         },
+        "autoscaling": {
+          "type": "object",
+          "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.providers.google.gke.AutoScaling"
+        },
         "datapathprovider": {
           "type": "object",
           "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"