Create rule S6400[Terraform]: Granting highly privileged GCP resource rights is security-sensitive (#685)

* Create rule S6400

* first draft

* second draft

* relecture

* last relecture du matin

* another idea, last paragraph may be overkill

* add small precision for new resources

* Add code highlighted tag to code example

Co-authored-by: loris-s-sonarsource <loris-s-sonarsource@users.noreply.github.com>
Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com>
Co-authored-by: Nils Werner <nils.werner@sonarsource.com>

rules/S6400/metadata.json

@@ -0,0 +1 @@
+{}

rules/S6400/terraform/metadata.json

@@ -0,0 +1,40 @@
+{
+  "title": "Granting highly privileged GCP resource rights is security-sensitive",
+  "type": "SECURITY_HOTSPOT",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "5min"
+  },
+  "tags": [
+    "azure",
+    "cwe-284"
+  ],
+  "extra": {
+    "replacementRules": [
+
+    ],
+    "legacyKeys": [
+
+    ]
+  },
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-6400",
+  "sqKey": "S6400",
+  "scope": "Main",
+  "securityStandards": {
+    "CWE": [
+      284
+    ],
+    "OWASP": [
+      "A5"
+    ],
+    "OWASP Top 10 2021": [
+      "A1"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown"
+}

rules/S6400/terraform/rule.adoc

@@ -0,0 +1,147 @@
+Granting highly privileged resource rights to users or groups can reduce an
+organization's ability to protect against account or service theft. It prevents
+proper segregation of duties and creates potentially critical attack vectors on
+affected resources. 
+
+If elevated access rights are abused or compromised, both the data that the
+affected resources work with and their access tracking are at risk.
+
+== Ask Yourself Whether
+
+* This GCP resource is essential to the information system infrastructure.
+* This GCP resource is essential to mission-critical functions.
+* Compliance policies require that administrative privileges for this resource be limited to a small group of individuals.
+
+There is a risk if you answered yes to any of these questions.
+
+== Recommended Secure Coding Practices
+
+Grant IAM policies or members a less permissive role: In most cases, granting
+them read-only privileges is sufficient.
+
+Separate tasks by creating multiple roles that do not use a full access role
+for day-to-day work.
+
+If the predefined GCP roles do not include the specific permissions you need,
+create https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam_custom_role[custom IAM roles].
+
+== Sensitive Code Example
+
+For an IAM policy setup:
+[source,terraform]
+----
+data "google_iam_policy" "admin" {
+  binding {
+    role = "roles/run.admin" # Sensitive
+    members = [
+      "user:name@example.com",
+    ]
+  }
+}
+
+resource "google_cloud_run_service_iam_policy" "policy" {
+  location = google_cloud_run_service.default.location
+  project = google_cloud_run_service.default.project
+  service = google_cloud_run_service.default.name
+  policy_data = data.google_iam_policy.admin.policy_data
+}
+----
+
+For an IAM policy binding:
+[source,terraform]
+----
+resource "google_cloud_run_service_iam_binding" "example" {
+  location = google_cloud_run_service.default.location
+  project = google_cloud_run_service.default.project
+  service = google_cloud_run_service.default.name
+  role = "roles/run.admin" # Sensitive
+  members = [
+    "user:name@example.com",
+  ]
+}
+----
+
+For adding a member to a policy:
+[source,terraform]
+----
+resource "google_cloud_run_service_iam_member" "example" {
+  location = google_cloud_run_service.default.location
+  project = google_cloud_run_service.default.project
+  service = google_cloud_run_service.default.name
+  role = "roles/run.admin" # Sensitive
+  member = "user:name@example.com"
+}
+----
+
+== Compliant Solution
+
+For an IAM policy setup:
+[source,terraform]
+----
+data "google_iam_policy" "admin" {
+  binding {
+    role = "roles/viewer"
+    members = [
+      "user:name@example.com",
+    ]
+  }
+}
+
+resource "google_cloud_run_service_iam_policy" "example" {
+  location = google_cloud_run_service.default.location
+  project = google_cloud_run_service.default.project
+  service = google_cloud_run_service.default.name
+  policy_data = data.google_iam_policy.admin.policy_data
+}
+----
+
+For an IAM policy binding:
+[source,terraform]
+----
+resource "google_cloud_run_service_iam_binding" "example" {
+  location = google_cloud_run_service.default.location
+  project = google_cloud_run_service.default.project
+  service = google_cloud_run_service.default.name
+  role = "roles/viewer"
+  members = [
+    "user:name@example.com",
+  ]
+}
+----
+
+For adding a member to a policy:
+[source,terraform]
+----
+resource "google_cloud_run_service_iam_member" "example" {
+  location = google_cloud_run_service.default.location
+  project = google_cloud_run_service.default.project
+  service = google_cloud_run_service.default.name
+  role = "roles/viewer"
+  member = "user:name@example.com"
+}
+----
+
+== See
+
+* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
+* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
+* https://cwe.mitre.org/data/definitions/284.html[MITRE, CWE-284] - Improper Access Control
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+=== Message
+
+* For a policy: Make sure it is safe to give all future members full access to this resource.
+* For a binding: Make sure it is safe to give those members full access to the resource.
+* For a member add: Make sure it is safe to grant that member full access to the resource.
+* For the rest: Make sure it is safe to grant full access to the resource.
+
+=== Highlighting
+
+Highlight the full role assignment. In lists, highlight the non-compliant item.
+
+endif::env-github,rspecator-view[]