@intentius/chant-lexicon-gcp 0.0.15

package/dist/rules/wgc110.ts

@@ -0,0 +1,38 @@
+/**
+ * WGC110: KMS CryptoKey missing rotation period
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseGcpManifests, getSpec, getResourceName } from "./gcp-helpers";
+
+export const wgc110: PostSynthCheck = {
+  id: "WGC110",
+  description: "KMS CryptoKey without rotation period configured",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      for (const manifest of parseGcpManifests(output)) {
+        if (manifest.kind !== "KMSCryptoKey") continue;
+
+        const spec = getSpec(manifest);
+        if (!spec) continue;
+
+        if (!spec.rotationPeriod) {
+          diagnostics.push({
+            checkId: "WGC110",
+            severity: "warning",
+            message: `KMSCryptoKey "${getResourceName(manifest)}" has no rotation period configured — consider setting rotationPeriod for key hygiene`,
+            entity: getResourceName(manifest),
+            lexicon: "gcp",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/wgc111.ts

@@ -0,0 +1,54 @@
+/**
+ * WGC111: Dangling resource reference
+ *
+ * Checks that every `resourceRef.name` in a Config Connector resource's spec
+ * references a `metadata.name` that exists in the output.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseGcpManifests, isConfigConnectorResource, getResourceName, findResourceRefs } from "./gcp-helpers";
+
+export const wgc111: PostSynthCheck = {
+  id: "WGC111",
+  description: "Resource reference points to a name not defined in the output",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [_lexicon, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      const manifests = parseGcpManifests(output);
+
+      // Collect all defined resource names
+      const definedNames = new Set<string>();
+      for (const manifest of manifests) {
+        if (isConfigConnectorResource(manifest)) {
+          const name = manifest.metadata?.name;
+          if (name) definedNames.add(name);
+        }
+      }
+
+      // Check each resource's refs
+      for (const manifest of manifests) {
+        if (!isConfigConnectorResource(manifest)) continue;
+        const resourceName = getResourceName(manifest);
+        const refs = findResourceRefs(manifest.spec);
+
+        for (const refName of refs) {
+          if (!definedNames.has(refName)) {
+            diagnostics.push({
+              checkId: "WGC111",
+              severity: "warning",
+              message: `Resource "${resourceName}" references "${refName}" via resourceRef, but no resource with that metadata.name exists in the output`,
+              entity: resourceName,
+              lexicon: "gcp",
+            });
+          }
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/wgc112.ts

@@ -0,0 +1,56 @@
+/**
+ * WGC112: Missing or invalid apiVersion
+ *
+ * Every Config Connector resource must have an apiVersion matching
+ * `<service>.cnrm.cloud.google.com/v<version>`.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseGcpManifests, getResourceName } from "./gcp-helpers";
+
+const VALID_API_VERSION = /^[a-z]+\.cnrm\.cloud\.google\.com\/v\d+(?:alpha\d+|beta\d+)?$/;
+
+export const wgc112: PostSynthCheck = {
+  id: "WGC112",
+  description: "Config Connector resource has missing or invalid apiVersion",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [_lexicon, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      const manifests = parseGcpManifests(output);
+
+      for (const manifest of manifests) {
+        // Only check resources that look like Config Connector (have a kind)
+        if (!manifest.kind) continue;
+
+        const resourceName = getResourceName(manifest);
+
+        if (!manifest.apiVersion) {
+          diagnostics.push({
+            checkId: "WGC112",
+            severity: "error",
+            message: `Resource "${resourceName}" (kind: ${manifest.kind}) is missing apiVersion`,
+            entity: resourceName,
+            lexicon: "gcp",
+          });
+          continue;
+        }
+
+        if (!VALID_API_VERSION.test(manifest.apiVersion)) {
+          diagnostics.push({
+            checkId: "WGC112",
+            severity: "error",
+            message: `Resource "${resourceName}" has invalid apiVersion "${manifest.apiVersion}" — expected format: <service>.cnrm.cloud.google.com/v<version>`,
+            entity: resourceName,
+            lexicon: "gcp",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/wgc113.ts

@@ -0,0 +1,42 @@
+/**
+ * WGC113: Alpha API version warning
+ *
+ * Warns when a Config Connector resource uses an alpha API version
+ * (e.g. v1alpha1). Alpha APIs are unstable — prefer v1beta1 or v1.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseGcpManifests, isConfigConnectorResource, getResourceName } from "./gcp-helpers";
+
+export const wgc113: PostSynthCheck = {
+  id: "WGC113",
+  description: "Config Connector resource uses an alpha API version",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [_lexicon, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      const manifests = parseGcpManifests(output);
+
+      for (const manifest of manifests) {
+        if (!isConfigConnectorResource(manifest)) continue;
+
+        const apiVersion = manifest.apiVersion!;
+        if (/alpha\d+/.test(apiVersion)) {
+          const resourceName = getResourceName(manifest);
+          diagnostics.push({
+            checkId: "WGC113",
+            severity: "warning",
+            message: `Resource "${resourceName}" uses alpha API version "${apiVersion}" — alpha APIs are unstable, prefer v1beta1 or v1`,
+            entity: resourceName,
+            lexicon: "gcp",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/wgc201.ts

@@ -0,0 +1,36 @@
+/**
+ * WGC201: Missing managed-by label
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseGcpManifests, isConfigConnectorResource, getResourceName } from "./gcp-helpers";
+
+export const wgc201: PostSynthCheck = {
+  id: "WGC201",
+  description: "Config Connector resource without app.kubernetes.io/managed-by label",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      for (const manifest of parseGcpManifests(output)) {
+        if (!isConfigConnectorResource(manifest)) continue;
+
+        const labels = manifest.metadata?.labels;
+        if (!labels?.["app.kubernetes.io/managed-by"]) {
+          diagnostics.push({
+            checkId: "WGC201",
+            severity: "info",
+            message: `Resource "${getResourceName(manifest)}" has no app.kubernetes.io/managed-by label — consider using defaultLabels() for consistent labeling`,
+            entity: getResourceName(manifest),
+            lexicon: "gcp",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/wgc202.ts

@@ -0,0 +1,39 @@
+/**
+ * WGC202: GKE cluster without workload identity
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseGcpManifests, getSpec, getResourceName } from "./gcp-helpers";
+
+export const wgc202: PostSynthCheck = {
+  id: "WGC202",
+  description: "ContainerCluster without workload identity configuration",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      for (const manifest of parseGcpManifests(output)) {
+        if (manifest.kind !== "ContainerCluster") continue;
+
+        const spec = getSpec(manifest);
+        if (!spec) continue;
+
+        const workloadIdentity = spec.workloadIdentityConfig as Record<string, unknown> | undefined;
+        if (!workloadIdentity?.workloadPool) {
+          diagnostics.push({
+            checkId: "WGC202",
+            severity: "warning",
+            message: `ContainerCluster "${getResourceName(manifest)}" does not have workload identity configured — recommended for secure pod-to-GCP authentication`,
+            entity: getResourceName(manifest),
+            lexicon: "gcp",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/wgc203.ts

@@ -0,0 +1,44 @@
+/**
+ * WGC203: GKE node pool with cloud-platform OAuth scope
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseGcpManifests, getSpec, getResourceName } from "./gcp-helpers";
+
+export const wgc203: PostSynthCheck = {
+  id: "WGC203",
+  description: "ContainerNodePool using overly broad cloud-platform OAuth scope",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      for (const manifest of parseGcpManifests(output)) {
+        if (manifest.kind !== "ContainerNodePool") continue;
+
+        const spec = getSpec(manifest);
+        if (!spec) continue;
+
+        const nodeConfig = spec.nodeConfig as Record<string, unknown> | undefined;
+        const oauthScopes = nodeConfig?.oauthScopes as string[] | undefined;
+
+        if (Array.isArray(oauthScopes) && oauthScopes.some(s =>
+          (typeof s === "string" && s.includes("cloud-platform")) ||
+          (typeof s === "object" && s !== null && JSON.stringify(s).includes("cloud-platform")),
+        )) {
+          diagnostics.push({
+            checkId: "WGC203",
+            severity: "warning",
+            message: `ContainerNodePool "${getResourceName(manifest)}" uses cloud-platform OAuth scope — this grants overly broad access; prefer workload identity with fine-grained IAM`,
+            entity: getResourceName(manifest),
+            lexicon: "gcp",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/wgc204.ts

@@ -0,0 +1,39 @@
+/**
+ * WGC204: ComputeInstance without shielded VM config
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseGcpManifests, getSpec, getResourceName } from "./gcp-helpers";
+
+export const wgc204: PostSynthCheck = {
+  id: "WGC204",
+  description: "ComputeInstance without shielded VM configuration",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      for (const manifest of parseGcpManifests(output)) {
+        if (manifest.kind !== "ComputeInstance") continue;
+
+        const spec = getSpec(manifest);
+        if (!spec) continue;
+
+        const shieldedConfig = spec.shieldedInstanceConfig as Record<string, unknown> | undefined;
+        if (!shieldedConfig) {
+          diagnostics.push({
+            checkId: "WGC204",
+            severity: "info",
+            message: `ComputeInstance "${getResourceName(manifest)}" has no shielded VM configuration — consider enabling secureboot, vtpm, and integrity monitoring`,
+            entity: getResourceName(manifest),
+            lexicon: "gcp",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/wgc301.ts

@@ -0,0 +1,34 @@
+/**
+ * WGC301: No audit logging config (IAMAuditConfig) in output
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseGcpManifests } from "./gcp-helpers";
+
+export const wgc301: PostSynthCheck = {
+  id: "WGC301",
+  description: "No IAMAuditConfig resource found in output — audit logging may not be configured",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      const manifests = parseGcpManifests(output);
+      if (manifests.length === 0) continue;
+
+      const hasAuditConfig = manifests.some(m => m.kind === "IAMAuditConfig");
+      if (!hasAuditConfig) {
+        diagnostics.push({
+          checkId: "WGC301",
+          severity: "info",
+          message: "No IAMAuditConfig resource found — consider adding audit logging for compliance",
+          lexicon: "gcp",
+        });
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/wgc302.ts

@@ -0,0 +1,34 @@
+/**
+ * WGC302: Service API not explicitly enabled
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseGcpManifests } from "./gcp-helpers";
+
+export const wgc302: PostSynthCheck = {
+  id: "WGC302",
+  description: "No Service resource found — GCP APIs may not be explicitly enabled",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      const manifests = parseGcpManifests(output);
+      if (manifests.length === 0) continue;
+
+      const hasService = manifests.some(m => m.kind === "Service" && m.apiVersion?.includes("serviceusage.cnrm"));
+      if (!hasService) {
+        diagnostics.push({
+          checkId: "WGC302",
+          severity: "info",
+          message: "No Service (serviceusage) resource found — consider explicitly enabling required GCP APIs",
+          lexicon: "gcp",
+        });
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/wgc303.ts

@@ -0,0 +1,37 @@
+/**
+ * WGC303: Missing VPC Service Controls perimeter
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseGcpManifests } from "./gcp-helpers";
+
+export const wgc303: PostSynthCheck = {
+  id: "WGC303",
+  description: "No AccessContextManager ServicePerimeter found — VPC Service Controls not configured",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      const manifests = parseGcpManifests(output);
+      if (manifests.length === 0) continue;
+
+      const hasPerimeter = manifests.some(m =>
+        m.kind === "AccessContextManagerServicePerimeter" ||
+        (m.apiVersion?.includes("accesscontextmanager") && m.kind?.includes("ServicePerimeter")),
+      );
+      if (!hasPerimeter) {
+        diagnostics.push({
+          checkId: "WGC303",
+          severity: "info",
+          message: "No VPC Service Controls perimeter found — consider adding for data exfiltration protection",
+          lexicon: "gcp",
+        });
+      }
+    }
+
+    return diagnostics;
+  },
+};