Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(terraform): Fixed CKV2_GCP_10 to exclude non http triggered cloud functions from security_level requirement #7008

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

fix(terraform): Fixed CKV2_GCP_10 to exclude non http triggered cloud functions from security_level requirement #7008

wants to merge 2 commits into from

Conversation

jbrule
Copy link
Contributor

@jbrule jbrule commented Feb 11, 2025
edited by baz-reviewer bot
Loading

User description

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.

New/Edited policies (Delete if not relevant)

CKV2_GCP_10 - Ensure GCP Cloud Function HTTP trigger is secured

Description

The policy was requiring all cloudfunctions set the https_trigger_security_level attribute even when non-http event triggering event_trigger was used. There are valid conditions when https_trigger_security_level should not be required.

Tests cases have been provided and verified.

Fix

This should prevent erroneous flagging of event triggered cloud functions.
#6946

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my feature, policy, or fix is effective and works
  • New and existing tests pass locally with my changes

Generated description

Below is a concise technical summary of the changes proposed in this PR:

Modifies the CloudFunctionSecureHTTPTrigger check to exclude non-HTTP triggered cloud functions from the security_level requirement. Updates the policy definition in the YAML file and adds new test cases in the Terraform file to verify the changes.

TopicDetails
Test Cases Adds new test cases for non-HTTP triggered cloud functions
Modified files (2)
  • tests/terraform/graph/checks/resources/CloudFunctionSecureHTTPTrigger/main.tf
  • tests/terraform/graph/checks/resources/CloudFunctionSecureHTTPTrigger/expected.yaml
Latest Contributors(1)
UserCommitDate
ssiddardhafeat-terraform-PC-Poli...November 08, 2022
Policy Update Updates the CloudFunctionSecureHTTPTrigger policy to exclude non-HTTP triggered functions
Modified files (1)
  • checkov/terraform/checks/graph_checks/gcp/CloudFunctionSecureHTTPTrigger.yaml
Latest Contributors(1)
UserCommitDate
ssiddardhafeat-terraform-PC-Poli...November 08, 2022
This pull request is reviewed by Baz. Join @jbrule and the rest of your team on (Baz).

@jbrule
Copy link
Contributor Author

jbrule commented Feb 19, 2025

Anything more required?

Thank you

tsmithv11
tsmithv11 approved these changes Feb 21, 2025
View reviewed changes
Copy link
Collaborator

@tsmithv11 tsmithv11 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Spot on. Thanks! 🙌

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tsmithv11 tsmithv11 tsmithv11 approved these changes

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jbrule @tsmithv11