@intentius/chant-lexicon-gcp 0.0.18 → 0.0.24

package/src/lint/post-synth/wgc105.test.ts

@@ -0,0 +1,46 @@
+import { describe, test, expect } from "bun:test";
+import { wgc105 } from "./wgc105";
+
+function makeCtx(yaml: string) {
+  return {
+    outputs: new Map([["gcp", yaml]]),
+  };
+}
+
+describe("WGC105: public Cloud SQL", () => {
+  test("flags SQLInstance with 0.0.0.0/0 in authorizedNetworks", () => {
+    const yaml = `apiVersion: sql.cnrm.cloud.google.com/v1beta1
+kind: SQLInstance
+metadata:
+  name: my-db
+spec:
+  databaseVersion: POSTGRES_15
+  settings:
+    ipConfiguration:
+      authorizedNetworks:
+        - value: "0.0.0.0/0"
+          name: public
+`;
+    const diags = wgc105.check(makeCtx(yaml));
+    expect(diags.length).toBeGreaterThanOrEqual(1);
+    expect(diags[0].checkId).toBe("WGC105");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("no diagnostic with private networks only", () => {
+    const yaml = `apiVersion: sql.cnrm.cloud.google.com/v1beta1
+kind: SQLInstance
+metadata:
+  name: my-db
+spec:
+  databaseVersion: POSTGRES_15
+  settings:
+    ipConfiguration:
+      authorizedNetworks:
+        - value: "10.0.0.0/8"
+          name: internal
+`;
+    const diags = wgc105.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/wgc106.test.ts

@@ -0,0 +1,38 @@
+import { describe, test, expect } from "bun:test";
+import { wgc106 } from "./wgc106";
+
+function makeCtx(yaml: string) {
+  return {
+    outputs: new Map([["gcp", yaml]]),
+  };
+}
+
+describe("WGC106: missing deletion policy", () => {
+  test("flags resource without deletion policy annotation", () => {
+    const yaml = `apiVersion: storage.cnrm.cloud.google.com/v1beta1
+kind: StorageBucket
+metadata:
+  name: my-bucket
+spec:
+  location: US
+`;
+    const diags = wgc106.check(makeCtx(yaml));
+    expect(diags.length).toBeGreaterThanOrEqual(1);
+    expect(diags[0].checkId).toBe("WGC106");
+    expect(diags[0].severity).toBe("info");
+  });
+
+  test("no diagnostic when deletion policy present", () => {
+    const yaml = `apiVersion: storage.cnrm.cloud.google.com/v1beta1
+kind: StorageBucket
+metadata:
+  name: my-bucket
+  annotations:
+    cnrm.cloud.google.com/deletion-policy: abandon
+spec:
+  location: US
+`;
+    const diags = wgc106.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/wgc107.test.ts

@@ -0,0 +1,38 @@
+import { describe, test, expect } from "bun:test";
+import { wgc107 } from "./wgc107";
+
+function makeCtx(yaml: string) {
+  return {
+    outputs: new Map([["gcp", yaml]]),
+  };
+}
+
+describe("WGC107: missing versioning", () => {
+  test("flags StorageBucket without versioning", () => {
+    const yaml = `apiVersion: storage.cnrm.cloud.google.com/v1beta1
+kind: StorageBucket
+metadata:
+  name: my-bucket
+spec:
+  location: US
+`;
+    const diags = wgc107.check(makeCtx(yaml));
+    expect(diags.length).toBeGreaterThanOrEqual(1);
+    expect(diags[0].checkId).toBe("WGC107");
+    expect(diags[0].severity).toBe("info");
+  });
+
+  test("no diagnostic when versioning enabled", () => {
+    const yaml = `apiVersion: storage.cnrm.cloud.google.com/v1beta1
+kind: StorageBucket
+metadata:
+  name: my-bucket
+spec:
+  location: US
+  versioning:
+    enabled: true
+`;
+    const diags = wgc107.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/wgc108.test.ts

@@ -0,0 +1,42 @@
+import { describe, test, expect } from "bun:test";
+import { wgc108 } from "./wgc108";
+
+function makeCtx(yaml: string) {
+  return {
+    outputs: new Map([["gcp", yaml]]),
+  };
+}
+
+describe("WGC108: missing backup configuration", () => {
+  test("flags SQLInstance without backup", () => {
+    const yaml = `apiVersion: sql.cnrm.cloud.google.com/v1beta1
+kind: SQLInstance
+metadata:
+  name: my-db
+spec:
+  databaseVersion: POSTGRES_15
+  settings:
+    tier: db-f1-micro
+`;
+    const diags = wgc108.check(makeCtx(yaml));
+    expect(diags.length).toBeGreaterThanOrEqual(1);
+    expect(diags[0].checkId).toBe("WGC108");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("no diagnostic when backup enabled", () => {
+    const yaml = `apiVersion: sql.cnrm.cloud.google.com/v1beta1
+kind: SQLInstance
+metadata:
+  name: my-db
+spec:
+  databaseVersion: POSTGRES_15
+  settings:
+    tier: db-f1-micro
+    backupConfiguration:
+      enabled: true
+`;
+    const diags = wgc108.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/wgc109.test.ts

@@ -0,0 +1,46 @@
+import { describe, test, expect } from "bun:test";
+import { wgc109 } from "./wgc109";
+
+function makeCtx(yaml: string) {
+  return {
+    outputs: new Map([["gcp", yaml]]),
+  };
+}
+
+describe("WGC109: open firewall", () => {
+  test("flags ComputeFirewall with 0.0.0.0/0", () => {
+    const yaml = `apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeFirewall
+metadata:
+  name: allow-all
+spec:
+  sourceRanges:
+    - "0.0.0.0/0"
+  allowed:
+    - protocol: tcp
+      ports:
+        - "80"
+`;
+    const diags = wgc109.check(makeCtx(yaml));
+    expect(diags.length).toBeGreaterThanOrEqual(1);
+    expect(diags[0].checkId).toBe("WGC109");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("no diagnostic with specific source range", () => {
+    const yaml = `apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeFirewall
+metadata:
+  name: allow-internal
+spec:
+  sourceRanges:
+    - "10.0.0.0/8"
+  allowed:
+    - protocol: tcp
+      ports:
+        - "80"
+`;
+    const diags = wgc109.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/wgc110.test.ts

@@ -0,0 +1,37 @@
+import { describe, test, expect } from "bun:test";
+import { wgc110 } from "./wgc110";
+
+function makeCtx(yaml: string) {
+  return {
+    outputs: new Map([["gcp", yaml]]),
+  };
+}
+
+describe("WGC110: missing key rotation", () => {
+  test("flags KMSCryptoKey without rotation period", () => {
+    const yaml = `apiVersion: kms.cnrm.cloud.google.com/v1beta1
+kind: KMSCryptoKey
+metadata:
+  name: my-key
+spec:
+  purpose: ENCRYPT_DECRYPT
+`;
+    const diags = wgc110.check(makeCtx(yaml));
+    expect(diags.length).toBeGreaterThanOrEqual(1);
+    expect(diags[0].checkId).toBe("WGC110");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("no diagnostic when rotation period set", () => {
+    const yaml = `apiVersion: kms.cnrm.cloud.google.com/v1beta1
+kind: KMSCryptoKey
+metadata:
+  name: my-key
+spec:
+  purpose: ENCRYPT_DECRYPT
+  rotationPeriod: 7776000s
+`;
+    const diags = wgc110.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/wgc111.test.ts

@@ -0,0 +1,46 @@
+import { describe, test, expect } from "bun:test";
+import { wgc111 } from "./wgc111";
+
+function makeCtx(yaml: string) {
+  return {
+    outputs: new Map([["gcp", yaml]]),
+  };
+}
+
+describe("WGC111: dangling resource reference", () => {
+  test("flags resourceRef pointing to nonexistent name", () => {
+    const yaml = `apiVersion: container.cnrm.cloud.google.com/v1beta1
+kind: ContainerNodePool
+metadata:
+  name: my-pool
+spec:
+  clusterRef:
+    name: nonexistent-cluster
+`;
+    const diags = wgc111.check(makeCtx(yaml));
+    expect(diags.length).toBeGreaterThanOrEqual(1);
+    expect(diags[0].checkId).toBe("WGC111");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("no diagnostic when referenced resource exists", () => {
+    const yaml = `apiVersion: container.cnrm.cloud.google.com/v1beta1
+kind: ContainerCluster
+metadata:
+  name: my-cluster
+spec:
+  location: us-central1
+---
+apiVersion: container.cnrm.cloud.google.com/v1beta1
+kind: ContainerNodePool
+metadata:
+  name: my-pool
+spec:
+  clusterRef:
+    name: my-cluster
+`;
+    const diags = wgc111.check(makeCtx(yaml));
+    const poolDiags = diags.filter(d => d.entity === "my-pool");
+    expect(poolDiags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/wgc112.test.ts

@@ -0,0 +1,48 @@
+import { describe, test, expect } from "bun:test";
+import { wgc112 } from "./wgc112";
+
+function makeCtx(yaml: string) {
+  return {
+    outputs: new Map([["gcp", yaml]]),
+  };
+}
+
+describe("WGC112: missing or invalid apiVersion", () => {
+  test("flags resource with missing apiVersion", () => {
+    const yaml = `kind: StorageBucket
+metadata:
+  name: my-bucket
+spec:
+  location: US
+`;
+    const diags = wgc112.check(makeCtx(yaml));
+    expect(diags.length).toBeGreaterThanOrEqual(1);
+    expect(diags[0].checkId).toBe("WGC112");
+    expect(diags[0].severity).toBe("error");
+  });
+
+  test("flags resource with malformed apiVersion", () => {
+    const yaml = `apiVersion: not-a-valid-version
+kind: StorageBucket
+metadata:
+  name: my-bucket
+spec:
+  location: US
+`;
+    const diags = wgc112.check(makeCtx(yaml));
+    expect(diags.length).toBeGreaterThanOrEqual(1);
+    expect(diags[0].checkId).toBe("WGC112");
+  });
+
+  test("no diagnostic with valid apiVersion", () => {
+    const yaml = `apiVersion: storage.cnrm.cloud.google.com/v1beta1
+kind: StorageBucket
+metadata:
+  name: my-bucket
+spec:
+  location: US
+`;
+    const diags = wgc112.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/wgc113.test.ts

@@ -0,0 +1,36 @@
+import { describe, test, expect } from "bun:test";
+import { wgc113 } from "./wgc113";
+
+function makeCtx(yaml: string) {
+  return {
+    outputs: new Map([["gcp", yaml]]),
+  };
+}
+
+describe("WGC113: alpha API version", () => {
+  test("flags resource with v1alpha1 apiVersion", () => {
+    const yaml = `apiVersion: compute.cnrm.cloud.google.com/v1alpha1
+kind: ComputeInstance
+metadata:
+  name: my-vm
+spec:
+  machineType: e2-medium
+`;
+    const diags = wgc113.check(makeCtx(yaml));
+    expect(diags.length).toBeGreaterThanOrEqual(1);
+    expect(diags[0].checkId).toBe("WGC113");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("no diagnostic with v1beta1 apiVersion", () => {
+    const yaml = `apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeInstance
+metadata:
+  name: my-vm
+spec:
+  machineType: e2-medium
+`;
+    const diags = wgc113.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/wgc201.test.ts

@@ -0,0 +1,38 @@
+import { describe, test, expect } from "bun:test";
+import { wgc201 } from "./wgc201";
+
+function makeCtx(yaml: string) {
+  return {
+    outputs: new Map([["gcp", yaml]]),
+  };
+}
+
+describe("WGC201: missing managed-by label", () => {
+  test("flags resource without managed-by label", () => {
+    const yaml = `apiVersion: storage.cnrm.cloud.google.com/v1beta1
+kind: StorageBucket
+metadata:
+  name: my-bucket
+spec:
+  location: US
+`;
+    const diags = wgc201.check(makeCtx(yaml));
+    expect(diags.length).toBeGreaterThanOrEqual(1);
+    expect(diags[0].checkId).toBe("WGC201");
+    expect(diags[0].severity).toBe("info");
+  });
+
+  test("no diagnostic when managed-by label present", () => {
+    const yaml = `apiVersion: storage.cnrm.cloud.google.com/v1beta1
+kind: StorageBucket
+metadata:
+  name: my-bucket
+  labels:
+    app.kubernetes.io/managed-by: chant
+spec:
+  location: US
+`;
+    const diags = wgc201.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/wgc202.test.ts

@@ -0,0 +1,38 @@
+import { describe, test, expect } from "bun:test";
+import { wgc202 } from "./wgc202";
+
+function makeCtx(yaml: string) {
+  return {
+    outputs: new Map([["gcp", yaml]]),
+  };
+}
+
+describe("WGC202: missing workload identity", () => {
+  test("flags ContainerCluster without workload identity", () => {
+    const yaml = `apiVersion: container.cnrm.cloud.google.com/v1beta1
+kind: ContainerCluster
+metadata:
+  name: my-cluster
+spec:
+  location: us-central1
+`;
+    const diags = wgc202.check(makeCtx(yaml));
+    expect(diags.length).toBeGreaterThanOrEqual(1);
+    expect(diags[0].checkId).toBe("WGC202");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("no diagnostic when workload identity configured", () => {
+    const yaml = `apiVersion: container.cnrm.cloud.google.com/v1beta1
+kind: ContainerCluster
+metadata:
+  name: my-cluster
+spec:
+  location: us-central1
+  workloadIdentityConfig:
+    workloadPool: my-project.svc.id.goog
+`;
+    const diags = wgc202.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/wgc203.test.ts

@@ -0,0 +1,45 @@
+import { describe, test, expect } from "bun:test";
+import { wgc203 } from "./wgc203";
+
+function makeCtx(yaml: string) {
+  return {
+    outputs: new Map([["gcp", yaml]]),
+  };
+}
+
+describe("WGC203: cloud-platform OAuth scope", () => {
+  test("flags ContainerNodePool with cloud-platform scope", () => {
+    const yaml = `apiVersion: container.cnrm.cloud.google.com/v1beta1
+kind: ContainerNodePool
+metadata:
+  name: my-pool
+spec:
+  clusterRef:
+    name: my-cluster
+  nodeConfig:
+    oauthScopes:
+      - "https://www.googleapis.com/auth/cloud-platform"
+`;
+    const diags = wgc203.check(makeCtx(yaml));
+    expect(diags.length).toBeGreaterThanOrEqual(1);
+    expect(diags[0].checkId).toBe("WGC203");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("no diagnostic with specific scopes", () => {
+    const yaml = `apiVersion: container.cnrm.cloud.google.com/v1beta1
+kind: ContainerNodePool
+metadata:
+  name: my-pool
+spec:
+  clusterRef:
+    name: my-cluster
+  nodeConfig:
+    oauthScopes:
+      - "https://www.googleapis.com/auth/logging.write"
+      - "https://www.googleapis.com/auth/monitoring"
+`;
+    const diags = wgc203.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/wgc204.test.ts

@@ -0,0 +1,42 @@
+import { describe, test, expect } from "bun:test";
+import { wgc204 } from "./wgc204";
+
+function makeCtx(yaml: string) {
+  return {
+    outputs: new Map([["gcp", yaml]]),
+  };
+}
+
+describe("WGC204: missing shielded VM config", () => {
+  test("flags ComputeInstance without shielded VM", () => {
+    const yaml = `apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeInstance
+metadata:
+  name: my-vm
+spec:
+  machineType: e2-medium
+  zone: us-central1-a
+`;
+    const diags = wgc204.check(makeCtx(yaml));
+    expect(diags.length).toBeGreaterThanOrEqual(1);
+    expect(diags[0].checkId).toBe("WGC204");
+    expect(diags[0].severity).toBe("info");
+  });
+
+  test("no diagnostic when shielded VM configured", () => {
+    const yaml = `apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeInstance
+metadata:
+  name: my-vm
+spec:
+  machineType: e2-medium
+  zone: us-central1-a
+  shieldedInstanceConfig:
+    enableSecureBoot: true
+    enableVtpm: true
+    enableIntegrityMonitoring: true
+`;
+    const diags = wgc204.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/wgc301.test.ts

@@ -0,0 +1,39 @@
+import { describe, test, expect } from "bun:test";
+import { wgc301 } from "./wgc301";
+
+function makeCtx(yaml: string) {
+  return {
+    outputs: new Map([["gcp", yaml]]),
+  };
+}
+
+describe("WGC301: no audit logging", () => {
+  test("flags output without IAMAuditConfig", () => {
+    const yaml = `apiVersion: storage.cnrm.cloud.google.com/v1beta1
+kind: StorageBucket
+metadata:
+  name: my-bucket
+spec:
+  location: US
+`;
+    const diags = wgc301.check(makeCtx(yaml));
+    expect(diags.length).toBeGreaterThanOrEqual(1);
+    expect(diags[0].checkId).toBe("WGC301");
+    expect(diags[0].severity).toBe("info");
+  });
+
+  test("no diagnostic when IAMAuditConfig present", () => {
+    const yaml = `apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMAuditConfig
+metadata:
+  name: audit-config
+spec:
+  service: allServices
+  auditLogConfigs:
+    - logType: ADMIN_READ
+    - logType: DATA_READ
+`;
+    const diags = wgc301.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/wgc302.test.ts

@@ -0,0 +1,36 @@
+import { describe, test, expect } from "bun:test";
+import { wgc302 } from "./wgc302";
+
+function makeCtx(yaml: string) {
+  return {
+    outputs: new Map([["gcp", yaml]]),
+  };
+}
+
+describe("WGC302: service API not enabled", () => {
+  test("flags output without Service resource", () => {
+    const yaml = `apiVersion: storage.cnrm.cloud.google.com/v1beta1
+kind: StorageBucket
+metadata:
+  name: my-bucket
+spec:
+  location: US
+`;
+    const diags = wgc302.check(makeCtx(yaml));
+    expect(diags.length).toBeGreaterThanOrEqual(1);
+    expect(diags[0].checkId).toBe("WGC302");
+    expect(diags[0].severity).toBe("info");
+  });
+
+  test("no diagnostic when Service resource present", () => {
+    const yaml = `apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
+kind: Service
+metadata:
+  name: compute-api
+spec:
+  resourceID: compute.googleapis.com
+`;
+    const diags = wgc302.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/wgc303.test.ts

@@ -0,0 +1,37 @@
+import { describe, test, expect } from "bun:test";
+import { wgc303 } from "./wgc303";
+
+function makeCtx(yaml: string) {
+  return {
+    outputs: new Map([["gcp", yaml]]),
+  };
+}
+
+describe("WGC303: missing VPC Service Controls", () => {
+  test("flags output without service perimeter", () => {
+    const yaml = `apiVersion: storage.cnrm.cloud.google.com/v1beta1
+kind: StorageBucket
+metadata:
+  name: my-bucket
+spec:
+  location: US
+`;
+    const diags = wgc303.check(makeCtx(yaml));
+    expect(diags.length).toBeGreaterThanOrEqual(1);
+    expect(diags[0].checkId).toBe("WGC303");
+    expect(diags[0].severity).toBe("info");
+  });
+
+  test("no diagnostic when service perimeter present", () => {
+    const yaml = `apiVersion: accesscontextmanager.cnrm.cloud.google.com/v1beta1
+kind: AccessContextManagerServicePerimeter
+metadata:
+  name: my-perimeter
+spec:
+  title: my-perimeter
+  perimeterType: PERIMETER_TYPE_REGULAR
+`;
+    const diags = wgc303.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+});