feat(query): implemented 'ensure critical contacts is configured for organization' query for terraform/gcp

assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/metadata.json

@@ -0,0 +1,14 @@
+{
+  "id": "7bd9c6a8-3b1f-495c-9752-a4a9c4e1b29f",
+  "queryName": "Beta - Ensure Essential Contacts Is Configured For Organization",
+  "severity": "LOW",
+  "category": "Access Control",
+  "descriptionText": "It is advisable to set up Essential Contacts to specify email addresses that Google Cloud can use to send important technical or security notifications.",
+  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/essential_contacts_contact",
+  "platform": "Terraform",
+  "descriptionID": "7bd9c6a8",
+  "cloudProvider": "gcp",
+  "cwe": "862",
+  "riskScore": "1.0",
+  "experimental": "true"
+}

assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/query.rego

@@ -0,0 +1,48 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+    doc := input.document[i]
+    contact := doc.resource.google_essential_contacts_contact[name]
+
+    contacts_not_configured_for_org(contact, i, doc)
+
+    result := {
+        "documentId": input.document[i].id,
+        "resourceType": "google_essential_contacts_contact",
+        "resourceName": tf_lib.get_resource_name(contact, name),
+        "searchKey": sprintf("google_essential_contacts_contact[%s].notification_category_subscription_field", [name]),
+        "issueType": "IncorrectValue",
+        "keyExpectedValue": "'notification_category_subscription_field' should have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined",
+        "keyActualValue": "'notification_category_subscription_field' does not have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined",
+        "searchLine": common_lib.build_search_line(["resource", "google_essential_contacts_contact", name, "notification_category_subscriptions"], [])
+    }
+}
+
+contacts_not_configured_for_org(resource, document_index, document) {
+    is_at_organization_level(resource, document_index, document)
+    not all_in_list(resource.notification_category_subscriptions)
+}
+
+all_in_list(list) {
+    common_lib.inArray(list, "LEGAL")
+    common_lib.inArray(list, "SECURITY")
+    common_lib.inArray(list, "SUSPENSION")
+    common_lib.inArray(list, "TECHNICAL")
+} else {
+    common_lib.inArray(list, "ALL")
+}
+
+# check if the contact is at organization level through the parent field 
+is_at_organization_level(resource, document_index, document) {
+    resource_type := split(resource.parent, "/")[0]
+    resource_type == "organizations"
+} else { # case when the parent field references the cases when a data source of type google_organization
+    resource_type := split(resource.parent, ".")[1]
+    resource_type == "google_organization"
+    data_source_name := split(resource.parent, ".")[2]
+    data_source := document.data.google_organization[ds_name]
+    data_source_name == ds_name
+}

assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test/negative1.tf

@@ -0,0 +1,16 @@
+data "google_organization" "org" {
+  organization = "123456789012"
+}
+
+resource "google_essential_contacts_contact" "negative1" {
+  parent = data.google_organization.org.name
+  email  = "foo@bar.com"
+  language_tag = "en-GB"
+
+  notification_category_subscriptions = [
+    "LEGAL",
+    "SECURITY",
+    "SUSPENSION",
+    "TECHNICAL"
+  ]
+}

assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test/negative2.tf

@@ -0,0 +1,11 @@
+data "google_organization" "org" {
+  organization = "123456789012"
+}
+
+resource "google_essential_contacts_contact" "negative2" {
+  parent = data.google_organization.org.name
+  email  = "foo@bar.com"
+  language_tag = "en-GB"
+
+  notification_category_subscriptions = ["ALL"]
+}

assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test/negative3.tf

@@ -0,0 +1,11 @@
+resource "google_essential_contacts_contact" "negative3" {
+  parent = "organizations/123456789012"
+  email = "foo@bar.com"
+  language_tag = "en-GB"
+  notification_category_subscriptions = [
+    "LEGAL",
+    "SECURITY",
+    "SUSPENSION",
+    "TECHNICAL"
+  ]
+}

assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test/negative4.tf

@@ -0,0 +1,6 @@
+resource "google_essential_contacts_contact" "negative4" {
+  parent = "organizations/123456789012"
+  email = "foo@bar.com"
+  language_tag = "en-GB"
+  notification_category_subscriptions = ["ALL"]
+}

assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test/negative5.tf

@@ -0,0 +1,7 @@
+resource "google_essential_contacts_contact" "negative5" {
+  parent = "folders/987654321"       # Not organization-level
+  email  = "foo@bar.com"
+  language_tag = "en-GB"
+
+  notification_category_subscriptions = ["ALL"]
+}

assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test/negative6.tf

@@ -0,0 +1,12 @@
+resource "google_essential_contacts_contact" "negative6" {
+  parent = "organizations/123456789012"
+  email = "foo@bar.com"
+  language_tag = "en-GB"
+  notification_category_subscriptions = [
+    "LEGAL",
+    "SECURITY",
+    "SUSPENSION",
+    "BILLING",
+    "TECHNICAL"
+  ]
+}

assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test/negative7.tf

@@ -0,0 +1,16 @@
+data "google_organization" "org" {
+  organization = "123456789012"
+}
+
+resource "google_essential_contacts_contact" "negative7" {
+  parent = data.google_organization.org.name
+  email  = "foo@bar.com"
+  language_tag = "en-GB"
+
+  notification_category_subscriptions = [
+    "LEGAL",
+    "SECURITY",
+    "SUSPENSION",
+    "ALL"
+  ]
+}

assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test/positive1.tf

@@ -0,0 +1,15 @@
+data "google_organization" "org" {
+  organization = "123456789012"
+}
+
+resource "google_essential_contacts_contact" "positive1" {
+  parent = data.google_organization.org.name
+  email  = "foo@bar.com"
+  language_tag = "en-GB"
+
+  notification_category_subscriptions = [
+    "LEGAL",
+    "SECURITY",
+    "SUSPENSION",
+  ]
+}

assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test/positive2.tf

@@ -0,0 +1,14 @@
+data "google_organization" "org" {
+  organization = "123456789012"
+}
+
+resource "google_essential_contacts_contact" "positive2" {
+  parent = data.google_organization.org.name
+  email  = "foo@bar.com"
+  language_tag = "en-GB"
+
+  notification_category_subscriptions = [
+    "BILLING", 
+    "PRODUCT_UPDATES",
+  ]
+}

assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test/positive3.tf

@@ -0,0 +1,11 @@
+resource "google_essential_contacts_contact" "positive3" {
+  parent = "organizations/123456789012"
+  email  = "foo@bar.com"
+  language_tag = "en-GB"
+
+  notification_category_subscriptions = [
+    "LEGAL",
+    "SECURITY",
+    "SUSPENSION",
+  ]
+}

assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test/positive4.tf

@@ -0,0 +1,10 @@
+resource "google_essential_contacts_contact" "positive4" {
+  parent = "organizations/123456789012"
+  email  = "foo@bar.com"
+  language_tag = "en-GB"
+
+  notification_category_subscriptions = [
+    "BILLING", 
+    "PRODUCT_UPDATES",
+  ]
+}

assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test/positive_expected_result.json

@@ -0,0 +1,26 @@
+[
+  {
+    "queryName": "Beta - Ensure Essential Contacts Is Configured For Organization",
+    "severity": "LOW",
+    "line": 10,
+    "fileName": "positive1.tf"
+  },
+  {
+    "queryName": "Beta - Ensure Essential Contacts Is Configured For Organization",
+    "severity": "LOW",
+    "line": 10,
+    "fileName": "positive2.tf"
+  },
+  {
+    "queryName": "Beta - Ensure Essential Contacts Is Configured For Organization",
+    "severity": "LOW",
+    "line": 6,
+    "fileName": "positive3.tf"
+  },
+  {
+    "queryName": "Beta - Ensure Essential Contacts Is Configured For Organization",
+    "severity": "LOW",
+    "line": 6,
+    "fileName": "positive4.tf"
+  }
+]

assets/similarityID_transition/terraform_gcp.yaml

@@ -63,3 +63,7 @@ similarityIDChangeList:
       queryName: Beta - SQL DB Instance With Exposed Show Privileges
       observations: ""
       change: 2
+    - queryId: 7bd9c6a8-3b1f-495c-9752-a4a9c4e1b29f
+      queryName: Beta - Ensure Essential Contacts Is Configured For Organization
+      observations: ""
+      change: 2