refactor(checks): migrate Nifcloud network, dns, sslcertificate to Rego

Signed-off-by: Nikita Pivkin <[email protected]>

avd_docs/nifcloud/dns/AVD-NIF-0007/docs.md

@@ -1,10 +1,11 @@
 
+Removing verified record of TXT auth the risk that
 
-Removing verified record of TXT auth the risk that 
 If the authentication record remains, anyone can register the zone
 
+
 ### Impact
-Risk of DNS records be used by others
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/nifcloud/network/AVD-NIF-0016/docs.md

@@ -1,8 +1,9 @@
 
 Need to add a security group to your router.
 
+
 ### Impact
-A security group controls the traffic that is allowed to reach and leave the resources that it is associated with.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/nifcloud/network/AVD-NIF-0017/docs.md

@@ -1,8 +1,9 @@
 
 When handling sensitive data between servers, please consider using a private LAN to isolate the private side network from the shared network.
 
+
 ### Impact
-The common private network is shared with other users
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/nifcloud/network/AVD-NIF-0018/docs.md

@@ -1,8 +1,9 @@
 
 Need to add a security group to your vpnGateway.
 
+
 ### Impact
-A security group controls the traffic that is allowed to reach and leave the resources that it is associated with.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/nifcloud/network/AVD-NIF-0019/docs.md

@@ -1,8 +1,9 @@
 
 When handling sensitive data between servers, please consider using a private LAN to isolate the private side network from the shared network.
 
+
 ### Impact
-The common private network is shared with other users
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/nifcloud/network/AVD-NIF-0020/docs.md

@@ -1,8 +1,9 @@
 
 You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
 
+
 ### Impact
-The SSL policy is outdated and has known vulnerabilities
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/nifcloud/network/AVD-NIF-0021/docs.md

@@ -3,8 +3,9 @@ Plain HTTP is unencrypted and human-readable. This means that if a malicious act
 
 You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning eavesdroppers cannot read your traffic.
 
+
 ### Impact
-Your traffic is not protected
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/nifcloud/sslcertificate/AVD-NIF-0006/docs.md

@@ -1,13 +1,15 @@
 
-
 Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be
-deployed accidentally to a resource such as NIFCLOUD Load Balancer(L4LB), which candamage the 
+
+deployed accidentally to a resource such as NIFCLOUD Load Balancer(L4LB), which candamage the
+
 credibility of the application/website behind the L4LB. As a best practice, it is
+
 recommended to delete expired certificates.
-			
+
 
 ### Impact
-Risk of misconfiguration and damage to credibility
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

checks/cloud/nifcloud/dns/remove_verified_record.go

@@ -28,7 +28,8 @@ If the authentication record remains, anyone can register the zone`,
 		Links: []string{
 			"https://pfs.nifcloud.com/guide/dns/zone_new.htm",
 		},
-		Severity: severity.Critical,
+		Severity:   severity.Critical,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, record := range s.Nifcloud.DNS.Records {

checks/cloud/nifcloud/dns/remove_verified_record.rego

@@ -0,0 +1,37 @@
+# METADATA
+# title: Delete verified record
+# description: |
+#   Removing verified record of TXT auth the risk that
+#
+#   If the authentication record remains, anyone can register the zone
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://pfs.nifcloud.com/guide/dns/zone_new.htm
+# custom:
+#   id: AVD-NIF-0007
+#   avd_id: AVD-NIF-0007
+#   provider: nifcloud
+#   service: dns
+#   severity: CRITICAL
+#   short_code: remove-verified-record
+#   recommended_action: Remove verified record
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: dns
+#             provider: nifcloud
+package builtin.nifcloud.dns.nifcloud0007
+
+import rego.v1
+
+zone_registration_auth_txt := "nifty-dns-verify="
+
+deny contains res if {
+	some record in input.nifcloud.dns.records
+	record.type.value == "TXT"
+	startswith(record.record.value, zone_registration_auth_txt)
+	res := result.new("Authentication TXT record exists.", record)
+}

checks/cloud/nifcloud/dns/remove_verified_record_test.rego

@@ -0,0 +1,38 @@
+package builtin.nifcloud.dns.nifcloud0007_test
+
+import rego.v1
+
+import data.builtin.nifcloud.dns.nifcloud0007 as check
+import data.lib.test
+
+test_allow_txt_record if {
+	inp := build_input({
+		"type": {"value": "TXT"},
+		"record": {"value": "test"},
+	})
+
+	res := check.deny with input as inp
+	res == set()
+}
+
+test_deny_verified_txt_record if {
+	inp := build_input({
+		"type": {"value": "TXT"},
+		"record": {"value": "nifty-dns-verify=test"},
+	})
+
+	res := check.deny with input as inp
+	count(res) == 1
+}
+
+test_allow_verified_not_txt_record if {
+	inp := build_input({
+		"type": {"value": "A"},
+		"record": {"value": "nifty-dns-verify=test"},
+	})
+
+	res := check.deny with input as inp
+	res == set()
+}
+
+build_input(record) := {"nifcloud": {"dns": {"records": [record]}}}

checks/cloud/nifcloud/network/add_security_group_to_router.go

@@ -28,7 +28,8 @@ var CheckAddSecurityGroupToRouter = rules.Register(
 			Links:               terraformAddSecurityGroupToRouterLinks,
 			RemediationMarkdown: terraformAddSecurityGroupToRouterRemediationMarkdown,
 		},
-		Severity: severity.Critical,
+		Severity:   severity.Critical,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, router := range s.Nifcloud.Network.Routers {

checks/cloud/nifcloud/network/add_security_group_to_router.rego

@@ -0,0 +1,37 @@
+# METADATA
+# title: Missing security group for router.
+# description: |
+#   Need to add a security group to your router.
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://pfs.nifcloud.com/help/router/change.htm
+# custom:
+#   id: AVD-NIF-0016
+#   avd_id: AVD-NIF-0016
+#   provider: nifcloud
+#   service: network
+#   severity: CRITICAL
+#   short_code: add-security-group-to-router
+#   recommended_action: Add security group for all routers
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: network
+#             provider: nifcloud
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/router#security_group
+#     good_examples: checks/cloud/nifcloud/network/add_security_group_to_router.tf.go
+#     bad_examples: checks/cloud/nifcloud/network/add_security_group_to_router.tf.go
+package builtin.nifcloud.network.nifcloud0016
+
+import rego.v1
+
+deny contains res if {
+	some router in input.nifcloud.network.routers
+	router.securitygroup.value == ""
+	res := result.new("Router does not have a securiy group.", router.securitygroup)
+}