gcp/service/cloud_security_scanner

docs/gcp/Cloud_Security_Scanner/google_security_scanner_scan_config.md

@@ -0,0 +1,108 @@
+\# Google Cloud Security Scanner Scan Config Policy Documentation
+
+
+
+\## Resource
+
+
+
+Terraform resource: `google\_security\_scanner\_scan\_config`
+
+
+
+This resource defines a Google Cloud Security Scanner scan configuration. It controls scan entry points, scan rate, authentication settings, excluded URL patterns, target platform, and export of scan findings.
+
+
+
+The resource is implemented using the `google-beta` provider because the Terraform provider documentation marks `google\_security\_scanner\_scan\_config` as a beta resource.
+
+
+
+\## Implemented Policies
+
+
+
+| Policy | Terraform argument | Included / Excluded | Justification |
+
+|---|---|---|---|
+
+| `starting\_urls` | `starting\_urls` | Included | This argument defines the URLs where the scanner begins scanning. A policy was added to require HTTPS URLs so that scanner entry points use encrypted transport instead of insecure HTTP. |
+
+| `max\_qps` | `max\_qps` | Included | This argument controls the maximum scan requests per second. A policy was added to prevent overly aggressive scanning that may affect application availability. Terraform allows values from 5 to 20, but the policy applies a safer project limit. |
+
+| `export\_to\_security\_command\_center` | `export\_to\_security\_command\_center` | Included | This argument controls whether scan configuration and scan results are exported to Security Command Center. A policy was added to require `ENABLED` so findings remain visible for central security monitoring. |
+
+| `custom\_account\_login\_url` | `authentication.custom\_account.login\_url` | Included | This argument is required when custom account authentication is used. A policy was added to require HTTPS for the login URL so authentication traffic is not sent to an insecure HTTP endpoint. |
+
+| `blacklist\_patterns` | `blacklist\_patterns` | Included | This argument defines URL patterns excluded from scanning. A policy was added to require exclusions for sensitive or risky paths such as admin, logout, delete, account, or payment pages. |
+
+
+
+\## Excluded Arguments
+
+
+
+| Terraform argument | Included / Excluded | Reason for exclusion |
+
+|---|---|---|
+
+| `display\_name` | Excluded | This is a required display or identifier field. It does not directly create a security risk suitable for this policy set. |
+
+| `project` | Excluded | This is environment-specific. Enforcing a fixed project value would make the policy less reusable across projects. |
+
+| `target\_platforms` | Excluded | Valid values are environment-dependent, such as `APP\_ENGINE` or `COMPUTE`. There was no clear security requirement to restrict one platform over another. |
+
+| `user\_agent` | Excluded | The provider already restricts this to predefined allowed values. It is mainly scan-behaviour configuration rather than a strong security control. |
+
+| `schedule` | Excluded | This controls operational scan timing. No security requirement was provided to enforce a specific schedule or frequency. |
+
+| `authentication.google\_account.username` | Excluded | Username format alone is not a strong security control, and authentication method choice depends on the target application. |
+
+| `authentication.google\_account.password` | Excluded | Password values are sensitive and should not be validated directly in policy output. |
+
+| `authentication.custom\_account.username` | Excluded | Username value is application-specific and does not provide a general reusable security rule. |
+
+| `authentication.custom\_account.password` | Excluded | Password values are sensitive and should not be validated directly in policy output. |
+
+| `timeouts` | Excluded | Timeout settings are operational Terraform behaviour and do not directly affect the security posture of the scanner configuration. |
+
+| `id` / `name` | Excluded | These are computed attributes generated by Google Cloud after resource creation, so they are not suitable for input policy validation. |
+
+
+
+\## Testing Evidence
+
+
+
+Each policy was tested using:
+
+
+
+1\. A compliant Terraform example: `c.tf`
+
+2\. A non-compliant Terraform example: `nc.tf`
+
+3\. Terraform plan output converted to JSON using `terraform show -json`
+
+4\. OPA evaluation against the generated `plan.json`
+
+
+
+Expected result:
+
+
+
+\- `c.tf` should pass the policy.
+
+\- `nc.tf` should produce a policy violation message.
+
+\- OPA output should show the violation only for the non-compliant resource.
+
+
+
+\## Summary
+
+
+
+The selected policies focus on arguments that directly affect security posture, scan safety, encrypted communication, centralised finding visibility, and protection of sensitive application paths. Arguments that are operational, environment-specific, sensitive, or already provider-controlled were excluded to avoid unnecessary or unreliable policy checks.
+

inputs/gcp/cloud_security_scanner/google_security_scanner_scan_config/blacklist_patterns/c.tf

@@ -0,0 +1,12 @@
+resource "google_security_scanner_scan_config" "c" {
+  provider     = google-beta
+  display_name = "compliant-security-scanner"
+
+  starting_urls = ["https://example.com"]
+
+  blacklist_patterns = [
+    "https://example.com/admin/*",
+    "https://example.com/logout",
+    "https://example.com/delete/*"
+  ]
+}

inputs/gcp/cloud_security_scanner/google_security_scanner_scan_config/blacklist_patterns/config.tf

@@ -0,0 +1,27 @@
+terraform {
+  required_providers {
+    google-beta = {
+      source = "hashicorp/google-beta"
+    }
+  }
+}
+
+provider "google-beta" {
+  project = "dummy-project"
+  region  = "us-central1"
+
+  credentials = <<EOT
+{
+  "type": "service_account",
+  "project_id": "dummy-project",
+  "private_key_id": "dummy",
+  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASC\n-----END PRIVATE KEY-----\n",
+  "client_email": "dummy@dummy-project.iam.gserviceaccount.com",
+  "client_id": "123456789",
+  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+  "token_uri": "https://oauth2.googleapis.com/token",
+  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/dummy"
+}
+EOT
+}

inputs/gcp/cloud_security_scanner/google_security_scanner_scan_config/blacklist_patterns/nc.tf

@@ -0,0 +1,7 @@
+resource "google_security_scanner_scan_config" "nc" {
+  provider     = google-beta
+  display_name = "nc"
+
+  starting_urls      = ["https://example.com"]
+  blacklist_patterns = []
+}

inputs/gcp/cloud_security_scanner/google_security_scanner_scan_config/custom_account_login_url/c.tf

@@ -0,0 +1,14 @@
+resource "google_security_scanner_scan_config" "c" {
+  provider     = google-beta
+  display_name = "compliant-security-scanner"
+
+  starting_urls = ["https://example.com"]
+
+  authentication {
+    custom_account {
+      username  = "scanner-user"
+      password  = "scanner-password"
+      login_url = "https://example.com/login"
+    }
+  }
+}

inputs/gcp/cloud_security_scanner/google_security_scanner_scan_config/custom_account_login_url/config.tf

@@ -0,0 +1,27 @@
+terraform {
+  required_providers {
+    google-beta = {
+      source = "hashicorp/google-beta"
+    }
+  }
+}
+
+provider "google-beta" {
+  project = "dummy-project"
+  region  = "us-central1"
+
+  credentials = <<EOT
+{
+  "type": "service_account",
+  "project_id": "dummy-project",
+  "private_key_id": "dummy",
+  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASC\n-----END PRIVATE KEY-----\n",
+  "client_email": "dummy@dummy-project.iam.gserviceaccount.com",
+  "client_id": "123456789",
+  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+  "token_uri": "https://oauth2.googleapis.com/token",
+  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/dummy"
+}
+EOT
+}

inputs/gcp/cloud_security_scanner/google_security_scanner_scan_config/custom_account_login_url/nc.tf

@@ -0,0 +1,14 @@
+resource "google_security_scanner_scan_config" "nc" {
+  provider     = google-beta
+  display_name = "nc"
+
+  starting_urls = ["https://example.com"]
+
+  authentication {
+    custom_account {
+      username  = "scanner-user"
+      password  = "scanner-password"
+      login_url = "http://example.com/login"
+    }
+  }
+}

inputs/gcp/cloud_security_scanner/google_security_scanner_scan_config/export_to_security_command_center/c.tf

@@ -0,0 +1,7 @@
+resource "google_security_scanner_scan_config" "c" {
+  provider     = google-beta
+  display_name = "compliant-security-scanner"
+
+  starting_urls                     = ["https://example.com"]
+  export_to_security_command_center = "ENABLED"
+}

inputs/gcp/cloud_security_scanner/google_security_scanner_scan_config/export_to_security_command_center/config.tf

@@ -0,0 +1,27 @@
+terraform {
+  required_providers {
+    google-beta = {
+      source = "hashicorp/google-beta"
+    }
+  }
+}
+
+provider "google-beta" {
+  project = "dummy-project"
+  region  = "us-central1"
+
+  credentials = <<EOT
+{
+  "type": "service_account",
+  "project_id": "dummy-project",
+  "private_key_id": "dummy",
+  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASC\n-----END PRIVATE KEY-----\n",
+  "client_email": "dummy@dummy-project.iam.gserviceaccount.com",
+  "client_id": "123456789",
+  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+  "token_uri": "https://oauth2.googleapis.com/token",
+  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/dummy"
+}
+EOT
+}

inputs/gcp/cloud_security_scanner/google_security_scanner_scan_config/export_to_security_command_center/nc.tf

@@ -0,0 +1,7 @@
+resource "google_security_scanner_scan_config" "nc" {
+  provider     = google-beta
+  display_name = "nc"
+
+  starting_urls                     = ["https://example.com"]
+  export_to_security_command_center = "DISABLED"
+}

inputs/gcp/cloud_security_scanner/google_security_scanner_scan_config/max_qps/c.tf

@@ -0,0 +1,7 @@
+resource "google_security_scanner_scan_config" "c" {
+  provider     = google-beta
+  display_name = "compliant-security-scanner"
+
+  starting_urls = ["https://example.com"]
+  max_qps       = 10
+}

inputs/gcp/cloud_security_scanner/google_security_scanner_scan_config/max_qps/config.tf

@@ -0,0 +1,27 @@
+terraform {
+  required_providers {
+    google-beta = {
+      source = "hashicorp/google-beta"
+    }
+  }
+}
+
+provider "google-beta" {
+  project = "dummy-project"
+  region  = "us-central1"
+
+  credentials = <<EOT
+{
+  "type": "service_account",
+  "project_id": "dummy-project",
+  "private_key_id": "dummy",
+  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASC\n-----END PRIVATE KEY-----\n",
+  "client_email": "dummy@dummy-project.iam.gserviceaccount.com",
+  "client_id": "123456789",
+  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+  "token_uri": "https://oauth2.googleapis.com/token",
+  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/dummy"
+}
+EOT
+}

inputs/gcp/cloud_security_scanner/google_security_scanner_scan_config/max_qps/nc.tf

@@ -0,0 +1,8 @@
+resource "google_security_scanner_scan_config" "nc" {
+  provider     = google-beta
+  display_name = "nc"
+
+  starting_urls = ["https://example.com"]
+
+  max_qps = 20
+}

inputs/gcp/cloud_security_scanner/google_security_scanner_scan_config/starting_urls/c.tf

@@ -0,0 +1,6 @@
+resource "google_security_scanner_scan_config" "c" {
+  provider         = google-beta
+  display_name     = "compliant-security-scanner"
+  starting_urls    = ["https://example.com"]
+  target_platforms = ["COMPUTE"]
+}

inputs/gcp/cloud_security_scanner/google_security_scanner_scan_config/starting_urls/config.tf

@@ -0,0 +1,27 @@
+terraform {
+  required_providers {
+    google-beta = {
+      source = "hashicorp/google-beta"
+    }
+  }
+}
+
+provider "google-beta" {
+  project = "dummy-project"
+  region  = "us-central1"
+
+  credentials = <<EOT
+{
+  "type": "service_account",
+  "project_id": "dummy-project",
+  "private_key_id": "dummy",
+  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASC\n-----END PRIVATE KEY-----\n",
+  "client_email": "dummy@dummy-project.iam.gserviceaccount.com",
+  "client_id": "123456789",
+  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+  "token_uri": "https://oauth2.googleapis.com/token",
+  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/dummy"
+}
+EOT
+}

inputs/gcp/cloud_security_scanner/google_security_scanner_scan_config/starting_urls/nc.tf

@@ -0,0 +1,6 @@
+resource "google_security_scanner_scan_config" "nc" {
+  provider         = google-beta
+  display_name     = "nc"
+  starting_urls    = ["http://example.com"]
+  target_platforms = ["COMPUTE"]
+}

policies/gcp/cloud_security_scanner/google_security_scanner_scan_config/blacklist_patterns/policy.rego

@@ -0,0 +1,21 @@
+package terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.blacklist_patterns
+
+import data.terraform.helpers
+import data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.vars
+
+conditions := [[
+	{
+		"situation_description": "Security scanner scan config does not exclude sensitive URL patterns.",
+		"remedies": ["Add blacklist_patterns for sensitive paths such as admin, logout, delete, payment, or account pages."],
+	},
+	{
+		"condition": "blacklist_patterns must not be null or empty",
+		"attribute_path": ["blacklist_patterns"],
+		"values": [null, []],
+		"policy_type": "blacklist",
+	},
+]]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+message := result.message
+details := result.details