@intentius/chant-lexicon-gcp 0.0.15

package/src/lint/post-synth/wgc101.ts

@@ -0,0 +1,56 @@
+/**
+ * WGC101: Missing encryption on StorageBucket or SQLInstance
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseYAML } from "@intentius/chant/yaml";
+
+export const wgc101: PostSynthCheck = {
+  id: "WGC101",
+  description: "StorageBucket or SQLInstance without encryption configuration",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [_lexicon, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      const documents = output.split(/^---\s*$/m).filter((d) => d.trim().length > 0);
+
+      for (const docStr of documents) {
+        const doc = parseYAML(docStr) as Record<string, unknown> | null;
+        if (!doc) continue;
+
+        const kind = doc.kind as string | undefined;
+        const metadata = doc.metadata as Record<string, unknown> | undefined;
+        const spec = doc.spec as Record<string, unknown> | undefined;
+        const name = (metadata?.name as string) ?? "unknown";
+
+        if (kind === "StorageBucket" && spec && !spec.encryption) {
+          diagnostics.push({
+            checkId: "WGC101",
+            severity: "warning",
+            message: `StorageBucket "${name}" has no encryption configuration — consider adding spec.encryption.defaultKmsKeyName`,
+            entity: name,
+            lexicon: "gcp",
+          });
+        }
+
+        if (kind === "SQLInstance" && spec) {
+          const settings = spec.settings as Record<string, unknown> | undefined;
+          if (!settings?.ipConfiguration || !(settings as Record<string, unknown>).backupConfiguration) {
+            diagnostics.push({
+              checkId: "WGC101",
+              severity: "warning",
+              message: `SQLInstance "${name}" may be missing encryption or backup configuration`,
+              entity: name,
+              lexicon: "gcp",
+            });
+          }
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/wgc102.ts

@@ -0,0 +1,35 @@
+/**
+ * WGC102: Public IAM in serialized output
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+
+export const wgc102: PostSynthCheck = {
+  id: "WGC102",
+  description: "allUsers/allAuthenticatedUsers detected in serialized Config Connector YAML",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [_lexicon, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      const lines = output.split("\n");
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        if (line.includes("allUsers") || line.includes("allAuthenticatedUsers")) {
+          const member = line.includes("allUsers") ? "allUsers" : "allAuthenticatedUsers";
+          diagnostics.push({
+            checkId: "WGC102",
+            severity: "warning",
+            message: `Public IAM member "${member}" found in output (line ${i + 1}) — this grants public access`,
+            entity: `line:${i + 1}`,
+            lexicon: "gcp",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/wgc103.ts

@@ -0,0 +1,45 @@
+/**
+ * WGC103: Missing project annotation
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseYAML } from "@intentius/chant/yaml";
+
+export const wgc103: PostSynthCheck = {
+  id: "WGC103",
+  description: "Config Connector resource without cnrm.cloud.google.com/project-id annotation",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [_lexicon, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      const documents = output.split(/^---\s*$/m).filter((d) => d.trim().length > 0);
+
+      for (const docStr of documents) {
+        const doc = parseYAML(docStr) as Record<string, unknown> | null;
+        if (!doc) continue;
+
+        const apiVersion = doc.apiVersion as string | undefined;
+        if (!apiVersion?.includes("cnrm.cloud.google.com")) continue;
+
+        const metadata = doc.metadata as Record<string, unknown> | undefined;
+        const annotations = metadata?.annotations as Record<string, unknown> | undefined;
+        const name = (metadata?.name as string) ?? "unknown";
+
+        if (!annotations?.["cnrm.cloud.google.com/project-id"]) {
+          diagnostics.push({
+            checkId: "WGC103",
+            severity: "info",
+            message: `Resource "${name}" has no cnrm.cloud.google.com/project-id annotation — will use namespace default`,
+            entity: name,
+            lexicon: "gcp",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/wgc104.ts

@@ -0,0 +1,42 @@
+/**
+ * WGC104: Missing uniform bucket-level access
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseYAML } from "@intentius/chant/yaml";
+
+export const wgc104: PostSynthCheck = {
+  id: "WGC104",
+  description: "StorageBucket without uniformBucketLevelAccess enabled",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [_lexicon, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      const documents = output.split(/^---\s*$/m).filter((d) => d.trim().length > 0);
+
+      for (const docStr of documents) {
+        const doc = parseYAML(docStr) as Record<string, unknown> | null;
+        if (!doc || doc.kind !== "StorageBucket") continue;
+
+        const metadata = doc.metadata as Record<string, unknown> | undefined;
+        const spec = doc.spec as Record<string, unknown> | undefined;
+        const name = (metadata?.name as string) ?? "unknown";
+
+        if (spec && spec.uniformBucketLevelAccess !== true) {
+          diagnostics.push({
+            checkId: "WGC104",
+            severity: "warning",
+            message: `StorageBucket "${name}" does not have uniformBucketLevelAccess enabled — recommended for consistent access control`,
+            entity: name,
+            lexicon: "gcp",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/wgc105.ts

@@ -0,0 +1,46 @@
+/**
+ * WGC105: Public Cloud SQL — authorizedNetworks with 0.0.0.0/0
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseGcpManifests, getSpec, getResourceName } from "./gcp-helpers";
+
+export const wgc105: PostSynthCheck = {
+  id: "WGC105",
+  description: "Cloud SQL instance with public 0.0.0.0/0 in authorizedNetworks",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      for (const manifest of parseGcpManifests(output)) {
+        if (manifest.kind !== "SQLInstance") continue;
+
+        const spec = getSpec(manifest);
+        if (!spec) continue;
+
+        const settings = spec.settings as Record<string, unknown> | undefined;
+        const ipConfig = settings?.ipConfiguration as Record<string, unknown> | undefined;
+        const networks = ipConfig?.authorizedNetworks as Array<Record<string, unknown>> | undefined;
+
+        if (Array.isArray(networks)) {
+          for (const net of networks) {
+            if (net.value === "0.0.0.0/0") {
+              diagnostics.push({
+                checkId: "WGC105",
+                severity: "warning",
+                message: `SQLInstance "${getResourceName(manifest)}" allows connections from 0.0.0.0/0 — this exposes the database to the public internet`,
+                entity: getResourceName(manifest),
+                lexicon: "gcp",
+              });
+            }
+          }
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/wgc106.ts

@@ -0,0 +1,36 @@
+/**
+ * WGC106: Missing deletion policy annotation
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseGcpManifests, isConfigConnectorResource, getAnnotations, getResourceName } from "./gcp-helpers";
+
+export const wgc106: PostSynthCheck = {
+  id: "WGC106",
+  description: "Config Connector resource without cnrm.cloud.google.com/deletion-policy annotation",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      for (const manifest of parseGcpManifests(output)) {
+        if (!isConfigConnectorResource(manifest)) continue;
+
+        const annotations = getAnnotations(manifest);
+        if (!annotations?.["cnrm.cloud.google.com/deletion-policy"]) {
+          diagnostics.push({
+            checkId: "WGC106",
+            severity: "info",
+            message: `Resource "${getResourceName(manifest)}" has no deletion-policy annotation — defaults to "delete" which removes the GCP resource on kubectl delete`,
+            entity: getResourceName(manifest),
+            lexicon: "gcp",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/wgc107.ts

@@ -0,0 +1,39 @@
+/**
+ * WGC107: StorageBucket missing versioning
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseGcpManifests, getSpec, getResourceName } from "./gcp-helpers";
+
+export const wgc107: PostSynthCheck = {
+  id: "WGC107",
+  description: "StorageBucket without versioning enabled",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      for (const manifest of parseGcpManifests(output)) {
+        if (manifest.kind !== "StorageBucket") continue;
+
+        const spec = getSpec(manifest);
+        if (!spec) continue;
+
+        const versioning = spec.versioning as Record<string, unknown> | undefined;
+        if (!versioning || versioning.enabled !== true) {
+          diagnostics.push({
+            checkId: "WGC107",
+            severity: "info",
+            message: `StorageBucket "${getResourceName(manifest)}" does not have versioning enabled — consider enabling for data protection`,
+            entity: getResourceName(manifest),
+            lexicon: "gcp",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/wgc108.ts

@@ -0,0 +1,41 @@
+/**
+ * WGC108: SQLInstance missing backup configuration
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseGcpManifests, getSpec, getResourceName } from "./gcp-helpers";
+
+export const wgc108: PostSynthCheck = {
+  id: "WGC108",
+  description: "SQLInstance without backup configuration enabled",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      for (const manifest of parseGcpManifests(output)) {
+        if (manifest.kind !== "SQLInstance") continue;
+
+        const spec = getSpec(manifest);
+        if (!spec) continue;
+
+        const settings = spec.settings as Record<string, unknown> | undefined;
+        const backupConfig = settings?.backupConfiguration as Record<string, unknown> | undefined;
+
+        if (!backupConfig || backupConfig.enabled !== true) {
+          diagnostics.push({
+            checkId: "WGC108",
+            severity: "warning",
+            message: `SQLInstance "${getResourceName(manifest)}" does not have backup configuration enabled — data loss risk`,
+            entity: getResourceName(manifest),
+            lexicon: "gcp",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/wgc109.ts

@@ -0,0 +1,39 @@
+/**
+ * WGC109: ComputeFirewall allowing all sources (0.0.0.0/0)
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseGcpManifests, getSpec, getResourceName } from "./gcp-helpers";
+
+export const wgc109: PostSynthCheck = {
+  id: "WGC109",
+  description: "ComputeFirewall with sourceRanges containing 0.0.0.0/0",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      for (const manifest of parseGcpManifests(output)) {
+        if (manifest.kind !== "ComputeFirewall") continue;
+
+        const spec = getSpec(manifest);
+        if (!spec) continue;
+
+        const sourceRanges = spec.sourceRanges as string[] | undefined;
+        if (Array.isArray(sourceRanges) && sourceRanges.includes("0.0.0.0/0")) {
+          diagnostics.push({
+            checkId: "WGC109",
+            severity: "warning",
+            message: `ComputeFirewall "${getResourceName(manifest)}" allows traffic from 0.0.0.0/0 — this opens the firewall to the entire internet`,
+            entity: getResourceName(manifest),
+            lexicon: "gcp",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/wgc110.ts

@@ -0,0 +1,38 @@
+/**
+ * WGC110: KMS CryptoKey missing rotation period
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseGcpManifests, getSpec, getResourceName } from "./gcp-helpers";
+
+export const wgc110: PostSynthCheck = {
+  id: "WGC110",
+  description: "KMS CryptoKey without rotation period configured",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      for (const manifest of parseGcpManifests(output)) {
+        if (manifest.kind !== "KMSCryptoKey") continue;
+
+        const spec = getSpec(manifest);
+        if (!spec) continue;
+
+        if (!spec.rotationPeriod) {
+          diagnostics.push({
+            checkId: "WGC110",
+            severity: "warning",
+            message: `KMSCryptoKey "${getResourceName(manifest)}" has no rotation period configured — consider setting rotationPeriod for key hygiene`,
+            entity: getResourceName(manifest),
+            lexicon: "gcp",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/wgc111.ts

@@ -0,0 +1,54 @@
+/**
+ * WGC111: Dangling resource reference
+ *
+ * Checks that every `resourceRef.name` in a Config Connector resource's spec
+ * references a `metadata.name` that exists in the output.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseGcpManifests, isConfigConnectorResource, getResourceName, findResourceRefs } from "./gcp-helpers";
+
+export const wgc111: PostSynthCheck = {
+  id: "WGC111",
+  description: "Resource reference points to a name not defined in the output",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [_lexicon, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      const manifests = parseGcpManifests(output);
+
+      // Collect all defined resource names
+      const definedNames = new Set<string>();
+      for (const manifest of manifests) {
+        if (isConfigConnectorResource(manifest)) {
+          const name = manifest.metadata?.name;
+          if (name) definedNames.add(name);
+        }
+      }
+
+      // Check each resource's refs
+      for (const manifest of manifests) {
+        if (!isConfigConnectorResource(manifest)) continue;
+        const resourceName = getResourceName(manifest);
+        const refs = findResourceRefs(manifest.spec);
+
+        for (const refName of refs) {
+          if (!definedNames.has(refName)) {
+            diagnostics.push({
+              checkId: "WGC111",
+              severity: "warning",
+              message: `Resource "${resourceName}" references "${refName}" via resourceRef, but no resource with that metadata.name exists in the output`,
+              entity: resourceName,
+              lexicon: "gcp",
+            });
+          }
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/wgc112.ts

@@ -0,0 +1,56 @@
+/**
+ * WGC112: Missing or invalid apiVersion
+ *
+ * Every Config Connector resource must have an apiVersion matching
+ * `<service>.cnrm.cloud.google.com/v<version>`.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseGcpManifests, getResourceName } from "./gcp-helpers";
+
+const VALID_API_VERSION = /^[a-z]+\.cnrm\.cloud\.google\.com\/v\d+(?:alpha\d+|beta\d+)?$/;
+
+export const wgc112: PostSynthCheck = {
+  id: "WGC112",
+  description: "Config Connector resource has missing or invalid apiVersion",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [_lexicon, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      const manifests = parseGcpManifests(output);
+
+      for (const manifest of manifests) {
+        // Only check resources that look like Config Connector (have a kind)
+        if (!manifest.kind) continue;
+
+        const resourceName = getResourceName(manifest);
+
+        if (!manifest.apiVersion) {
+          diagnostics.push({
+            checkId: "WGC112",
+            severity: "error",
+            message: `Resource "${resourceName}" (kind: ${manifest.kind}) is missing apiVersion`,
+            entity: resourceName,
+            lexicon: "gcp",
+          });
+          continue;
+        }
+
+        if (!VALID_API_VERSION.test(manifest.apiVersion)) {
+          diagnostics.push({
+            checkId: "WGC112",
+            severity: "error",
+            message: `Resource "${resourceName}" has invalid apiVersion "${manifest.apiVersion}" — expected format: <service>.cnrm.cloud.google.com/v<version>`,
+            entity: resourceName,
+            lexicon: "gcp",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/wgc113.ts

@@ -0,0 +1,42 @@
+/**
+ * WGC113: Alpha API version warning
+ *
+ * Warns when a Config Connector resource uses an alpha API version
+ * (e.g. v1alpha1). Alpha APIs are unstable — prefer v1beta1 or v1.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseGcpManifests, isConfigConnectorResource, getResourceName } from "./gcp-helpers";
+
+export const wgc113: PostSynthCheck = {
+  id: "WGC113",
+  description: "Config Connector resource uses an alpha API version",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [_lexicon, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      const manifests = parseGcpManifests(output);
+
+      for (const manifest of manifests) {
+        if (!isConfigConnectorResource(manifest)) continue;
+
+        const apiVersion = manifest.apiVersion!;
+        if (/alpha\d+/.test(apiVersion)) {
+          const resourceName = getResourceName(manifest);
+          diagnostics.push({
+            checkId: "WGC113",
+            severity: "warning",
+            message: `Resource "${resourceName}" uses alpha API version "${apiVersion}" — alpha APIs are unstable, prefer v1beta1 or v1`,
+            entity: resourceName,
+            lexicon: "gcp",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/wgc201.ts

@@ -0,0 +1,36 @@
+/**
+ * WGC201: Missing managed-by label
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseGcpManifests, isConfigConnectorResource, getResourceName } from "./gcp-helpers";
+
+export const wgc201: PostSynthCheck = {
+  id: "WGC201",
+  description: "Config Connector resource without app.kubernetes.io/managed-by label",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      for (const manifest of parseGcpManifests(output)) {
+        if (!isConfigConnectorResource(manifest)) continue;
+
+        const labels = manifest.metadata?.labels;
+        if (!labels?.["app.kubernetes.io/managed-by"]) {
+          diagnostics.push({
+            checkId: "WGC201",
+            severity: "info",
+            message: `Resource "${getResourceName(manifest)}" has no app.kubernetes.io/managed-by label — consider using defaultLabels() for consistent labeling`,
+            entity: getResourceName(manifest),
+            lexicon: "gcp",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/wgc202.ts

@@ -0,0 +1,39 @@
+/**
+ * WGC202: GKE cluster without workload identity
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseGcpManifests, getSpec, getResourceName } from "./gcp-helpers";
+
+export const wgc202: PostSynthCheck = {
+  id: "WGC202",
+  description: "ContainerCluster without workload identity configuration",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      for (const manifest of parseGcpManifests(output)) {
+        if (manifest.kind !== "ContainerCluster") continue;
+
+        const spec = getSpec(manifest);
+        if (!spec) continue;
+
+        const workloadIdentity = spec.workloadIdentityConfig as Record<string, unknown> | undefined;
+        if (!workloadIdentity?.workloadPool) {
+          diagnostics.push({
+            checkId: "WGC202",
+            severity: "warning",
+            message: `ContainerCluster "${getResourceName(manifest)}" does not have workload identity configured — recommended for secure pod-to-GCP authentication`,
+            entity: getResourceName(manifest),
+            lexicon: "gcp",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};