fix(misconf): false positive avd-gcp-0029 when subnet has certain fields #5243

Closed
2 tasks done
simar7 opened this issue Sep 25, 2023 Discussed in #5240 · 0 comments · Fixed by aquasecurity/trivy-iac#51
Comments

simar7 commented Sep 25, 2023

Discussed in #5240

Originally posted by mcinquin September 25, 2023

IDs

avd-gcp-0029

Description

Hello,

When a subnet is created with the REGIONAL_MANAGED_PROXY or GLOBAL_MANAGED_PROXY purpose field, it leads to a false positive, which is incorrect because flow logs cannot be activated for this type of subnetwork (https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork#log_config).

Reproduction Steps

1. main.tf

  resource "google_compute_subnetwork" "proxyonlysubnet" {
    provider = google
  
    project       = var.google_project_id
    name          = var.swp_proxy_subnet
    purpose       = "REGIONAL_MANAGED_PROXY"
    ip_cidr_range = var.swp_proxy_subnet_range
    region        = var.swp_region
    network       = var.swp_vpc
    role          = "ACTIVE"
  }

Target

Filesystem

Scanner

Misconfiguration

Target OS

No response

Debug Output

2023-09-25T11:53:31.308+0200	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-09-25T11:53:31.317+0200	DEBUG	cache dir:  /home/mcinquin/.cache/trivy
2023-09-25T11:53:31.317+0200	INFO	Misconfiguration scanning is enabled
2023-09-25T11:53:31.317+0200	DEBUG	Policies successfully loaded from disk
2023-09-25T11:53:31.352+0200	DEBUG	Walk the file tree rooted at 'main.tf' in parallel
2023-09-25T11:53:31.352+0200	DEBUG	Scanning Terraform files for misconfigurations...
2023-09-25T11:53:32.061+0200	DEBUG	OS is not detected.
2023-09-25T11:53:32.061+0200	INFO	Detected config files: 2
2023-09-25T11:53:32.061+0200	DEBUG	Scanned config file: .
2023-09-25T11:53:32.061+0200	DEBUG	Scanned config file: main.tf

main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

LOW: Subnetwork does not have VPC flow logs enabled.
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
VPC flow logs record information about all traffic, which is a vital tool in reviewing anomalous traffic.

See https://avd.aquasec.com/misconfig/avd-gcp-0029
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:24-34
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  24 ┌ resource "google_compute_subnetwork" "proxyonlysubnet" {
  25 │   provider = google
  26 │ 
  27 │   project       = var.google_project_id
  28 │   name          = var.swp_proxy_subnet
  29 │   purpose       = "REGIONAL_MANAGED_PROXY"
  30 │   ip_cidr_range = var.swp_proxy_subnet_range
  31 │   region        = var.swp_region
  32 └   network       = var.swp_vpc
  ..   
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Version

Version: 0.45.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-09-21 12:15:49.417165658 +0000 UTC
  NextUpdate: 2023-09-21 18:15:49.417165058 +0000 UTC
  DownloadedAt: 2023-09-21 13:24:34.657601678 +0000 UTC
Policy Bundle:
  Digest: sha256:fd5f1ce3d8efb1fe158cb41f9adb9d7c7cc5c4c863b261053c962e6d950350b3
  DownloadedAt: 2023-09-25 09:52:05.891545068 +0000 UTC

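The behaviour the report asks for, written out as an added Go example (not trivy-iac's own check implementation): a subnetwork without a log_config block is reported, unless its purpose is one of the proxy-only values named above, which GCP cannot attach flow logs to. The Subnetwork struct and CheckFlowLogs function are names assumed for this illustration.

```go
package main

import "fmt"

// Subnetwork carries only the google_compute_subnetwork attributes the
// check needs. Constructed for this example; not trivy-iac's own model.
type Subnetwork struct {
	Name           string
	Purpose        string // empty means the provider default, PRIVATE
	EnableFlowLogs bool   // true when a log_config block is present
}

// proxyOnlyPurposes are the subnetwork purposes for which GCP does not
// support VPC flow logs, so a missing log_config is not a misconfiguration.
var proxyOnlyPurposes = map[string]bool{
	"REGIONAL_MANAGED_PROXY": true,
	"GLOBAL_MANAGED_PROXY":   true,
}

// CheckFlowLogs returns the names of subnetworks that should have flow logs
// but do not. Proxy-only subnets are skipped, which removes the false
// positive described in the issue while still flagging ordinary subnets.
func CheckFlowLogs(subnets []Subnetwork) []string {
	var failing []string
	for _, s := range subnets {
		if proxyOnlyPurposes[s.Purpose] {
			continue // flow logs are not configurable here; nothing to report
		}
		if !s.EnableFlowLogs {
			failing = append(failing, s.Name)
		}
	}
	return failing
}

func main() {
	// Constructed sample: the subnet from the report plus two ordinary ones.
	subnets := []Subnetwork{
		{Name: "proxyonlysubnet", Purpose: "REGIONAL_MANAGED_PROXY"},
		{Name: "app-subnet"},
		{Name: "logged-subnet", EnableFlowLogs: true},
	}
	for _, name := range CheckFlowLogs(subnets) {
		fmt.Printf("LOW: subnetwork %q does not have VPC flow logs enabled\n", name)
	}
}
```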

@simar7 simar7 added kind/feature Categorizes issue or PR as related to a new feature. scan/misconfiguration Issues relating to misconfiguration scanning labels Sep 25, 2023
@nikpivkin nikpivkin self-assigned this Nov 14, 2023
@simar7 simar7 added this to the v0.48.0 milestone Nov 21, 2023