@intentius/chant-lexicon-gcp 0.0.15

package/dist/rules/gcp-helpers.ts

@@ -0,0 +1,117 @@
+/**
+ * Shared helpers for GCP Config Connector post-synthesis lint rules.
+ *
+ * Provides YAML parsing for multi-document Config Connector manifests
+ * and accessor utilities for common manifest fields.
+ */
+
+import { parseYAML } from "@intentius/chant/yaml";
+export { getPrimaryOutput } from "@intentius/chant/lint/post-synth";
+
+/**
+ * A parsed Config Connector manifest (loosely typed).
+ */
+export interface GcpManifest {
+  apiVersion?: string;
+  kind?: string;
+  metadata?: {
+    name?: string;
+    namespace?: string;
+    labels?: Record<string, string>;
+    annotations?: Record<string, string>;
+    [key: string]: unknown;
+  };
+  spec?: Record<string, unknown>;
+  [key: string]: unknown;
+}
+
+/**
+ * Split a multi-document YAML string on `---` boundaries and parse each
+ * document into a GcpManifest.
+ */
+export function parseGcpManifests(yaml: string): GcpManifest[] {
+  const documents = yaml.split(/^---\s*$/m);
+  const manifests: GcpManifest[] = [];
+
+  for (const doc of documents) {
+    const trimmed = doc.trim();
+    if (trimmed === "" || trimmed === "---") continue;
+    try {
+      const parsed = parseYAML(trimmed);
+      if (typeof parsed === "object" && parsed !== null) {
+        manifests.push(parsed as GcpManifest);
+      }
+    } catch {
+      // Skip unparseable documents
+    }
+  }
+
+  return manifests;
+}
+
+/**
+ * Check if a manifest is a Config Connector resource
+ * (apiVersion contains cnrm.cloud.google.com).
+ */
+export function isConfigConnectorResource(manifest: GcpManifest): boolean {
+  return typeof manifest.apiVersion === "string" &&
+    manifest.apiVersion.includes("cnrm.cloud.google.com");
+}
+
+/**
+ * Safely extract the spec from a manifest.
+ */
+export function getSpec(manifest: GcpManifest): Record<string, unknown> | undefined {
+  return manifest.spec ?? undefined;
+}
+
+/**
+ * Safely extract annotations from a manifest's metadata.
+ */
+export function getAnnotations(manifest: GcpManifest): Record<string, string> | undefined {
+  return manifest.metadata?.annotations ?? undefined;
+}
+
+/**
+ * Get the resource name from metadata.
+ */
+export function getResourceName(manifest: GcpManifest): string {
+  return manifest.metadata?.name ?? "unknown";
+}
+
+/**
+ * Recursively walk a spec object looking for keys ending in `Ref`
+ * (e.g. `networkRef`, `topicRef`, `clusterRef`) that have a `name`
+ * sub-field. Returns the set of referenced names.
+ *
+ * Skips `external` refs (cross-project references outside the template).
+ */
+export function findResourceRefs(obj: unknown): Set<string> {
+  const refs = new Set<string>();
+  walkForRefs(obj, refs);
+  return refs;
+}
+
+function walkForRefs(value: unknown, refs: Set<string>): void {
+  if (value === null || value === undefined) return;
+
+  if (Array.isArray(value)) {
+    for (const item of value) {
+      walkForRefs(item, refs);
+    }
+    return;
+  }
+
+  if (typeof value === "object") {
+    const obj = value as Record<string, unknown>;
+    for (const [key, val] of Object.entries(obj)) {
+      if (key.endsWith("Ref") && typeof val === "object" && val !== null) {
+        const refObj = val as Record<string, unknown>;
+        if (typeof refObj.name === "string" && !refObj.external) {
+          refs.add(refObj.name);
+        }
+      }
+      walkForRefs(val, refs);
+    }
+  }
+}

package/dist/rules/hardcoded-project.ts

@@ -0,0 +1,58 @@
+import type { LintRule, LintDiagnostic, LintContext } from "@intentius/chant/lint/rule";
+import * as ts from "typescript";
+
+/**
+ * WGC001: Hardcoded GCP Project ID
+ *
+ * Detects hardcoded GCP project IDs in code.
+ * Project IDs should use GCP.ProjectId pseudo-parameter instead.
+ */
+export const hardcodedProjectRule: LintRule = {
+  id: "WGC001",
+  severity: "warning",
+  category: "security",
+  description: "Detects hardcoded GCP project IDs — use GCP.ProjectId pseudo-parameter instead",
+
+  check(context: LintContext): LintDiagnostic[] {
+    const { sourceFile } = context;
+    const diagnostics: LintDiagnostic[] = [];
+
+    // GCP project ID pattern: lowercase letters, digits, hyphens, 6-30 chars
+    // We look for strings in annotation contexts like "cnrm.cloud.google.com/project-id"
+    const projectIdPattern = /^[a-z][a-z0-9-]{4,28}[a-z0-9]$/;
+
+    // Common false positives
+    const falsePositives = new Set([
+      "chant", "default", "kube-system", "kube-public", "kube-node-lease",
+      "config-connector", "cnrm-system", "my-project",
+    ]);
+
+    function visit(node: ts.Node): void {
+      if (ts.isPropertyAssignment(node) || ts.isPropertyDeclaration(node)) {
+        const propName = node.name?.getText(sourceFile) ?? "";
+        // Only flag project-id annotation values
+        if (propName.includes("project-id") || propName.includes("projectId") || propName === '"cnrm.cloud.google.com/project-id"') {
+          const initializer = ts.isPropertyAssignment(node) ? node.initializer : undefined;
+          if (initializer && ts.isStringLiteral(initializer)) {
+            const value = initializer.text;
+            if (projectIdPattern.test(value) && !falsePositives.has(value)) {
+              const { line, character } = sourceFile.getLineAndCharacterOfPosition(initializer.getStart());
+              diagnostics.push({
+                file: sourceFile.fileName,
+                line: line + 1,
+                column: character + 1,
+                ruleId: "WGC001",
+                severity: "warning",
+                message: `Hardcoded project ID "${value}" detected. Use GCP.ProjectId pseudo-parameter instead.`,
+              });
+            }
+          }
+        }
+      }
+      ts.forEachChild(node, visit);
+    }
+
+    visit(sourceFile);
+    return diagnostics;
+  },
+};

package/dist/rules/hardcoded-region.ts

@@ -0,0 +1,56 @@
+import type { LintRule, LintDiagnostic, LintContext } from "@intentius/chant/lint/rule";
+import * as ts from "typescript";
+
+/**
+ * WGC002: Hardcoded GCP Region/Zone
+ *
+ * Detects hardcoded GCP region and zone strings in code.
+ * Regions/zones should use GCP.Region or GCP.Zone pseudo-parameters instead.
+ */
+export const hardcodedRegionRule: LintRule = {
+  id: "WGC002",
+  severity: "warning",
+  category: "security",
+  description: "Detects hardcoded GCP region/zone strings — use GCP.Region/GCP.Zone pseudo-parameters instead",
+
+  check(context: LintContext): LintDiagnostic[] {
+    const { sourceFile } = context;
+    const diagnostics: LintDiagnostic[] = [];
+
+    // GCP region pattern: continent-direction[N] (e.g., us-central1, europe-west4)
+    const regionPattern = /^(us|europe|asia|australia|southamerica|northamerica|me|africa)-(central|east|west|south|north|northeast|southeast|southwest|northwest)\d+$/;
+    // GCP zone pattern: region-[a-f] (e.g., us-central1-a)
+    const zonePattern = /^(us|europe|asia|australia|southamerica|northamerica|me|africa)-(central|east|west|south|north|northeast|southeast|southwest|northwest)\d+-[a-f]$/;
+
+    function visit(node: ts.Node): void {
+      if (ts.isStringLiteral(node)) {
+        const value = node.text;
+        if (zonePattern.test(value)) {
+          const { line, character } = sourceFile.getLineAndCharacterOfPosition(node.getStart());
+          diagnostics.push({
+            file: sourceFile.fileName,
+            line: line + 1,
+            column: character + 1,
+            ruleId: "WGC002",
+            severity: "warning",
+            message: `Hardcoded zone "${value}" detected. Use GCP.Zone pseudo-parameter instead.`,
+          });
+        } else if (regionPattern.test(value)) {
+          const { line, character } = sourceFile.getLineAndCharacterOfPosition(node.getStart());
+          diagnostics.push({
+            file: sourceFile.fileName,
+            line: line + 1,
+            column: character + 1,
+            ruleId: "WGC002",
+            severity: "warning",
+            message: `Hardcoded region "${value}" detected. Use GCP.Region pseudo-parameter instead.`,
+          });
+        }
+      }
+      ts.forEachChild(node, visit);
+    }
+
+    visit(sourceFile);
+    return diagnostics;
+  },
+};

package/dist/rules/public-iam.ts

@@ -0,0 +1,43 @@
+import type { LintRule, LintDiagnostic, LintContext } from "@intentius/chant/lint/rule";
+import * as ts from "typescript";
+
+/**
+ * WGC003: Public IAM Binding
+ *
+ * Warns on allUsers or allAuthenticatedUsers IAM bindings,
+ * which grant public access to GCP resources.
+ */
+export const publicIamRule: LintRule = {
+  id: "WGC003",
+  severity: "warning",
+  category: "security",
+  description: "Warns on allUsers/allAuthenticatedUsers IAM members — grants public access",
+
+  check(context: LintContext): LintDiagnostic[] {
+    const { sourceFile } = context;
+    const diagnostics: LintDiagnostic[] = [];
+
+    const publicMembers = new Set(["allUsers", "allAuthenticatedUsers"]);
+
+    function visit(node: ts.Node): void {
+      if (ts.isStringLiteral(node)) {
+        const value = node.text;
+        if (publicMembers.has(value)) {
+          const { line, character } = sourceFile.getLineAndCharacterOfPosition(node.getStart());
+          diagnostics.push({
+            file: sourceFile.fileName,
+            line: line + 1,
+            column: character + 1,
+            ruleId: "WGC003",
+            severity: "warning",
+            message: `Public IAM member "${value}" detected. This grants access to everyone${value === "allAuthenticatedUsers" ? " with a Google account" : " on the internet"}.`,
+          });
+        }
+      }
+      ts.forEachChild(node, visit);
+    }
+
+    visit(sourceFile);
+    return diagnostics;
+  },
+};

package/dist/rules/wgc101.ts

@@ -0,0 +1,56 @@
+/**
+ * WGC101: Missing encryption on StorageBucket or SQLInstance
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseYAML } from "@intentius/chant/yaml";
+
+export const wgc101: PostSynthCheck = {
+  id: "WGC101",
+  description: "StorageBucket or SQLInstance without encryption configuration",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [_lexicon, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      const documents = output.split(/^---\s*$/m).filter((d) => d.trim().length > 0);
+
+      for (const docStr of documents) {
+        const doc = parseYAML(docStr) as Record<string, unknown> | null;
+        if (!doc) continue;
+
+        const kind = doc.kind as string | undefined;
+        const metadata = doc.metadata as Record<string, unknown> | undefined;
+        const spec = doc.spec as Record<string, unknown> | undefined;
+        const name = (metadata?.name as string) ?? "unknown";
+
+        if (kind === "StorageBucket" && spec && !spec.encryption) {
+          diagnostics.push({
+            checkId: "WGC101",
+            severity: "warning",
+            message: `StorageBucket "${name}" has no encryption configuration — consider adding spec.encryption.defaultKmsKeyName`,
+            entity: name,
+            lexicon: "gcp",
+          });
+        }
+
+        if (kind === "SQLInstance" && spec) {
+          const settings = spec.settings as Record<string, unknown> | undefined;
+          if (!settings?.ipConfiguration || !(settings as Record<string, unknown>).backupConfiguration) {
+            diagnostics.push({
+              checkId: "WGC101",
+              severity: "warning",
+              message: `SQLInstance "${name}" may be missing encryption or backup configuration`,
+              entity: name,
+              lexicon: "gcp",
+            });
+          }
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/wgc102.ts

@@ -0,0 +1,35 @@
+/**
+ * WGC102: Public IAM in serialized output
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+
+export const wgc102: PostSynthCheck = {
+  id: "WGC102",
+  description: "allUsers/allAuthenticatedUsers detected in serialized Config Connector YAML",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [_lexicon, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      const lines = output.split("\n");
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        if (line.includes("allUsers") || line.includes("allAuthenticatedUsers")) {
+          const member = line.includes("allUsers") ? "allUsers" : "allAuthenticatedUsers";
+          diagnostics.push({
+            checkId: "WGC102",
+            severity: "warning",
+            message: `Public IAM member "${member}" found in output (line ${i + 1}) — this grants public access`,
+            entity: `line:${i + 1}`,
+            lexicon: "gcp",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/wgc103.ts

@@ -0,0 +1,45 @@
+/**
+ * WGC103: Missing project annotation
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseYAML } from "@intentius/chant/yaml";
+
+export const wgc103: PostSynthCheck = {
+  id: "WGC103",
+  description: "Config Connector resource without cnrm.cloud.google.com/project-id annotation",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [_lexicon, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      const documents = output.split(/^---\s*$/m).filter((d) => d.trim().length > 0);
+
+      for (const docStr of documents) {
+        const doc = parseYAML(docStr) as Record<string, unknown> | null;
+        if (!doc) continue;
+
+        const apiVersion = doc.apiVersion as string | undefined;
+        if (!apiVersion?.includes("cnrm.cloud.google.com")) continue;
+
+        const metadata = doc.metadata as Record<string, unknown> | undefined;
+        const annotations = metadata?.annotations as Record<string, unknown> | undefined;
+        const name = (metadata?.name as string) ?? "unknown";
+
+        if (!annotations?.["cnrm.cloud.google.com/project-id"]) {
+          diagnostics.push({
+            checkId: "WGC103",
+            severity: "info",
+            message: `Resource "${name}" has no cnrm.cloud.google.com/project-id annotation — will use namespace default`,
+            entity: name,
+            lexicon: "gcp",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/wgc104.ts

@@ -0,0 +1,42 @@
+/**
+ * WGC104: Missing uniform bucket-level access
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseYAML } from "@intentius/chant/yaml";
+
+export const wgc104: PostSynthCheck = {
+  id: "WGC104",
+  description: "StorageBucket without uniformBucketLevelAccess enabled",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [_lexicon, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      const documents = output.split(/^---\s*$/m).filter((d) => d.trim().length > 0);
+
+      for (const docStr of documents) {
+        const doc = parseYAML(docStr) as Record<string, unknown> | null;
+        if (!doc || doc.kind !== "StorageBucket") continue;
+
+        const metadata = doc.metadata as Record<string, unknown> | undefined;
+        const spec = doc.spec as Record<string, unknown> | undefined;
+        const name = (metadata?.name as string) ?? "unknown";
+
+        if (spec && spec.uniformBucketLevelAccess !== true) {
+          diagnostics.push({
+            checkId: "WGC104",
+            severity: "warning",
+            message: `StorageBucket "${name}" does not have uniformBucketLevelAccess enabled — recommended for consistent access control`,
+            entity: name,
+            lexicon: "gcp",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/wgc105.ts

@@ -0,0 +1,46 @@
+/**
+ * WGC105: Public Cloud SQL — authorizedNetworks with 0.0.0.0/0
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseGcpManifests, getSpec, getResourceName } from "./gcp-helpers";
+
+export const wgc105: PostSynthCheck = {
+  id: "WGC105",
+  description: "Cloud SQL instance with public 0.0.0.0/0 in authorizedNetworks",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      for (const manifest of parseGcpManifests(output)) {
+        if (manifest.kind !== "SQLInstance") continue;
+
+        const spec = getSpec(manifest);
+        if (!spec) continue;
+
+        const settings = spec.settings as Record<string, unknown> | undefined;
+        const ipConfig = settings?.ipConfiguration as Record<string, unknown> | undefined;
+        const networks = ipConfig?.authorizedNetworks as Array<Record<string, unknown>> | undefined;
+
+        if (Array.isArray(networks)) {
+          for (const net of networks) {
+            if (net.value === "0.0.0.0/0") {
+              diagnostics.push({
+                checkId: "WGC105",
+                severity: "warning",
+                message: `SQLInstance "${getResourceName(manifest)}" allows connections from 0.0.0.0/0 — this exposes the database to the public internet`,
+                entity: getResourceName(manifest),
+                lexicon: "gcp",
+              });
+            }
+          }
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/wgc106.ts

@@ -0,0 +1,36 @@
+/**
+ * WGC106: Missing deletion policy annotation
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseGcpManifests, isConfigConnectorResource, getAnnotations, getResourceName } from "./gcp-helpers";
+
+export const wgc106: PostSynthCheck = {
+  id: "WGC106",
+  description: "Config Connector resource without cnrm.cloud.google.com/deletion-policy annotation",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      for (const manifest of parseGcpManifests(output)) {
+        if (!isConfigConnectorResource(manifest)) continue;
+
+        const annotations = getAnnotations(manifest);
+        if (!annotations?.["cnrm.cloud.google.com/deletion-policy"]) {
+          diagnostics.push({
+            checkId: "WGC106",
+            severity: "info",
+            message: `Resource "${getResourceName(manifest)}" has no deletion-policy annotation — defaults to "delete" which removes the GCP resource on kubectl delete`,
+            entity: getResourceName(manifest),
+            lexicon: "gcp",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/wgc107.ts

@@ -0,0 +1,39 @@
+/**
+ * WGC107: StorageBucket missing versioning
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseGcpManifests, getSpec, getResourceName } from "./gcp-helpers";
+
+export const wgc107: PostSynthCheck = {
+  id: "WGC107",
+  description: "StorageBucket without versioning enabled",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      for (const manifest of parseGcpManifests(output)) {
+        if (manifest.kind !== "StorageBucket") continue;
+
+        const spec = getSpec(manifest);
+        if (!spec) continue;
+
+        const versioning = spec.versioning as Record<string, unknown> | undefined;
+        if (!versioning || versioning.enabled !== true) {
+          diagnostics.push({
+            checkId: "WGC107",
+            severity: "info",
+            message: `StorageBucket "${getResourceName(manifest)}" does not have versioning enabled — consider enabling for data protection`,
+            entity: getResourceName(manifest),
+            lexicon: "gcp",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/wgc108.ts

@@ -0,0 +1,41 @@
+/**
+ * WGC108: SQLInstance missing backup configuration
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseGcpManifests, getSpec, getResourceName } from "./gcp-helpers";
+
+export const wgc108: PostSynthCheck = {
+  id: "WGC108",
+  description: "SQLInstance without backup configuration enabled",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      for (const manifest of parseGcpManifests(output)) {
+        if (manifest.kind !== "SQLInstance") continue;
+
+        const spec = getSpec(manifest);
+        if (!spec) continue;
+
+        const settings = spec.settings as Record<string, unknown> | undefined;
+        const backupConfig = settings?.backupConfiguration as Record<string, unknown> | undefined;
+
+        if (!backupConfig || backupConfig.enabled !== true) {
+          diagnostics.push({
+            checkId: "WGC108",
+            severity: "warning",
+            message: `SQLInstance "${getResourceName(manifest)}" does not have backup configuration enabled — data loss risk`,
+            entity: getResourceName(manifest),
+            lexicon: "gcp",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/wgc109.ts

@@ -0,0 +1,39 @@
+/**
+ * WGC109: ComputeFirewall allowing all sources (0.0.0.0/0)
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseGcpManifests, getSpec, getResourceName } from "./gcp-helpers";
+
+export const wgc109: PostSynthCheck = {
+  id: "WGC109",
+  description: "ComputeFirewall with sourceRanges containing 0.0.0.0/0",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      for (const manifest of parseGcpManifests(output)) {
+        if (manifest.kind !== "ComputeFirewall") continue;
+
+        const spec = getSpec(manifest);
+        if (!spec) continue;
+
+        const sourceRanges = spec.sourceRanges as string[] | undefined;
+        if (Array.isArray(sourceRanges) && sourceRanges.includes("0.0.0.0/0")) {
+          diagnostics.push({
+            checkId: "WGC109",
+            severity: "warning",
+            message: `ComputeFirewall "${getResourceName(manifest)}" allows traffic from 0.0.0.0/0 — this opens the firewall to the entire internet`,
+            entity: getResourceName(manifest),
+            lexicon: "gcp",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};