refactor(checks): migrate Google sql and storage to Rego

Signed-off-by: Nikita Pivkin <[email protected]>

avd_docs/google/sql/AVD-GCP-0014/docs.md

@@ -1,8 +1,9 @@
 
 Temporary files are not logged by default. To log all temporary files, a value of `0` should set in the `log_temp_files` flag - as all files greater in size than the number of bytes set in this flag will be logged.
 
+
 ### Impact
-Use of temporary files will not be logged
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/sql/AVD-GCP-0015/docs.md

@@ -1,8 +1,9 @@
 
 In-transit data should be encrypted so that if traffic is intercepted data will not be exposed in plaintext to attackers.
 
+
 ### Impact
-Intercepted data can be read in transit
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/sql/AVD-GCP-0016/docs.md

@@ -1,8 +1,9 @@
 
 Logging connections provides useful diagnostic data such as session length, which can identify performance issues in an application and potential DoS vectors.
 
+
 ### Impact
-Insufficient diagnostic data.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/sql/AVD-GCP-0017/docs.md

@@ -1,8 +1,9 @@
 
 Database instances should be configured so that they are not available over the public internet, but to internal compute resources which access them.
 
+
 ### Impact
-Public exposure of sensitive data
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/sql/AVD-GCP-0018/docs.md

@@ -1,8 +1,9 @@
 
 Setting the minimum log severity too high will cause errors not to be logged
 
+
 ### Impact
-Loss of error logging
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/sql/AVD-GCP-0019/docs.md

@@ -1,8 +1,9 @@
 
 Cross-database ownership chaining, also known as cross-database chaining, is a security feature of SQL Server that allows users of databases access to other databases besides the one they are currently using.
 
+
 ### Impact
-Unintended access to sensitive data
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/sql/AVD-GCP-0020/docs.md

@@ -1,8 +1,9 @@
 
 Lock waits are often an indication of poor performance and often an indicator of a potential denial of service vulnerability, therefore occurrences should be logged for analysis.
 
+
 ### Impact
-Issues leading to denial of service may not be identified.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/sql/AVD-GCP-0021/docs.md

@@ -1,8 +1,9 @@
 
 Logging of statements which could contain sensitive data is not advised, therefore this setting should preclude all statements from being logged.
 
+
 ### Impact
-Sensitive data could be exposed in the database logs.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/sql/AVD-GCP-0022/docs.md

@@ -1,8 +1,9 @@
 
 Logging disconnections provides useful diagnostic data such as session length, which can identify performance issues in an application and potential DoS vectors.
 
+
 ### Impact
-Insufficient diagnostic data.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/sql/AVD-GCP-0023/docs.md

@@ -1,8 +1,9 @@
 
 Users with ALTER permissions on users can grant access to a contained database without the knowledge of an administrator
 
+
 ### Impact
-Access can be granted without knowledge of the database administrator
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/sql/AVD-GCP-0024/docs.md

@@ -1,8 +1,9 @@
 
 Automated backups are not enabled by default. Backups are an easy way to restore data in a corruption or data-loss scenario.
 
+
 ### Impact
-No recovery of lost or corrupted data
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/sql/AVD-GCP-0025/docs.md

@@ -1,8 +1,9 @@
 
 Logging checkpoints provides useful diagnostic data, which can identify performance issues in an application and potential DoS vectors.
 
+
 ### Impact
-Insufficient diagnostic data.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/sql/AVD-GCP-0026/docs.md

@@ -1,8 +1,9 @@
 
 Arbitrary files can be read from the system using LOAD_DATA unless this setting is disabled.
 
+
 ### Impact
-Arbitrary files read by attackers when combined with a SQL injection vulnerability.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/storage/AVD-GCP-0001/docs.md

@@ -1,8 +1,9 @@
 
 Using 'allUsers' or 'allAuthenticatedUsers' as members in an IAM member/binding causes data to be exposed outside of the organisation.
 
+
 ### Impact
-Public exposure of sensitive data.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/storage/AVD-GCP-0002/docs.md

@@ -1,8 +1,9 @@
 
 When you enable uniform bucket-level access on a bucket, Access Control Lists (ACLs) are disabled, and only bucket-level Identity and Access Management (IAM) permissions grant access to that bucket and the objects it contains. You revoke all access granted by object ACLs and the ability to administrate permissions using bucket ACLs.
 
+
 ### Impact
-ACLs are difficult to manage and often lead to incorrect/unintended configurations.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/google/storage/AVD-GCP-0066/docs.md

@@ -1,8 +1,9 @@
 
 Using unmanaged keys makes rotation and general management difficult.
 
+
 ### Impact
-Using unmanaged keys does not allow for proper key management.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

checks/cloud/google/sql/enable_backup.go

@@ -27,7 +27,8 @@ var CheckEnableBackup = rules.Register(
 			Links:               terraformEnableBackupLinks,
 			RemediationMarkdown: terraformEnableBackupRemediationMarkdown,
 		},
-		Severity: severity.Medium,
+		Severity:   severity.Medium,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, instance := range s.Google.SQL.Instances {

checks/cloud/google/sql/enable_backup.rego

@@ -0,0 +1,38 @@
+# METADATA
+# title: Enable automated backups to recover from data-loss
+# description: |
+#   Automated backups are not enabled by default. Backups are an easy way to restore data in a corruption or data-loss scenario.
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://cloud.google.com/sql/docs/mysql/backup-recovery/backups
+# custom:
+#   id: AVD-GCP-0024
+#   avd_id: AVD-GCP-0024
+#   provider: google
+#   service: sql
+#   severity: MEDIUM
+#   short_code: enable-backup
+#   recommended_action: Enable automated backups
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: sql
+#             provider: google
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance#settings.backup_configuration.enabled=true
+#     good_examples: checks/cloud/google/sql/enable_backup.tf.go
+#     bad_examples: checks/cloud/google/sql/enable_backup.tf.go
+package builtin.google.sql.google0024
+
+import rego.v1
+
+deny contains res if {
+	some instance in input.google.sql.instances
+	instance.isreplica.value == false
+	instance.settings.backups.enabled.value == false
+	res := result.new("Database instance does not have backups enabled.", instance.settings.backups.enabled)
+}

checks/cloud/google/sql/enable_backup_test.rego

@@ -0,0 +1,38 @@
+package builtin.google.sql.google0024_test
+
+import rego.v1
+
+import data.builtin.google.sql.google0024 as check
+import data.lib.test
+
+test_allow_backups_enabled if {
+	inp := build_input({
+		"isreplica": {"value": false},
+		"settings": {"backups": {"enabled": {"value": true}}},
+	})
+
+	res := check.deny with input as inp
+	res == set()
+}
+
+test_deny_backups_disabled if {
+	inp := build_input({
+		"isreplica": {"value": false},
+		"settings": {"backups": {"enabled": {"value": false}}},
+	})
+
+	res := check.deny with input as inp
+	count(res) == 1
+}
+
+test_allow_backups_disabled_for_replica if {
+	inp := build_input({
+		"isreplica": {"value": true},
+		"settings": {"backups": {"enabled": {"value": false}}},
+	})
+
+	res := check.deny with input as inp
+	res == set()
+}
+
+build_input(instance) := {"google": {"sql": {"instances": [instance]}}}

checks/cloud/google/sql/enable_pg_temp_file_logging.go

@@ -28,7 +28,8 @@ var CheckEnablePgTempFileLogging = rules.Register(
 			Links:               terraformEnablePgTempFileLoggingLinks,
 			RemediationMarkdown: terraformEnablePgTempFileLoggingRemediationMarkdown,
 		},
-		Severity: severity.Medium,
+		Severity:   severity.Medium,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, instance := range s.Google.SQL.Instances {