Create rule S6401[terraform] Creating keys without a rotation period is security-sensitive (#687)

* Create rule S6401

* init s6401

* fix small typo

* fixes after review

* Add code highlighted tag to code example

Co-authored-by: eric-therond-sonarsource <eric-therond-sonarsource@users.noreply.github.com>
Co-authored-by: eric-therond-sonarsource <eric.therond@sonarsource.com>
Co-authored-by: Nils Werner <nils.werner@sonarsource.com>

rules/S6401/ask-yourself.adoc

@@ -0,0 +1,4 @@
+== Ask Yourself Whether
+
+* The cryptographic key is a symmetric key.
+* The application requires compliance with some security standards like PCI-DSS.

rules/S6401/description.adoc

@@ -0,0 +1 @@
+The likelihood of security incidents increases when cryptographic keys are used for a long time. Thus, to strengthen the data protection it's recommended to rotate the symmetric keys created with the Google Cloud Key Management Service (KMS) automatically and periodically. Note that it's not possible in GCP KMS to rotate asymmetric keys automatically.

rules/S6401/message.adoc

@@ -0,0 +1,3 @@
+=== Message
+
+Make sure creating a key without a rotation period is safe here.

rules/S6401/metadata.json

@@ -0,0 +1,29 @@
+{
+    "title": "Creating keys without a rotation period is security-sensitive",
+    "type": "SECURITY_HOTSPOT",
+    "status": "ready",
+    "remediation": {
+      "func": "Constant\/Issue",
+      "constantCost": "30min"
+    },
+    "tags": [
+      "gcp"
+    ],
+    "defaultSeverity": "Major",
+    "ruleSpecification": "RSPEC-6401",
+    "sqKey": "S6401",
+    "scope": "All",
+    "securityStandards": {
+      "OWASP": [
+        "A6"
+      ],
+      "OWASP Top 10 2021": [
+        "A2"
+      ]
+    },
+    "defaultQualityProfiles": [
+      "Sonar way"
+    ],
+    "quickfix": "unknown"
+  }
+  

rules/S6401/recommended.adoc

@@ -0,0 +1,3 @@
+== Recommended Secure Coding Practices
+
+It's recommended to rotate keys automatically and regularly. The shorter the key period, the less data can be decrypted by an attacker if a key is compromised. So the key rotation period usually depends on the amount of data encrypted with a key or other requirements such as compliance with security standards. In general, a period of time of 90 days can be used.

rules/S6401/see.adoc

@@ -0,0 +1,5 @@
+== See
+
+* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
+* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration
+* https://cloud.google.com/kms/docs/key-rotation[GCP Documentation] - KMS Key rotation

rules/S6401/terraform/metadata.json

@@ -0,0 +1,2 @@
+{
+}

rules/S6401/terraform/rule.adoc

@@ -0,0 +1,36 @@
+include::../description.adoc[]
+
+include::../ask-yourself.adoc[]
+
+include::../recommended.adoc[]
+
+== Sensitive Code Example
+[source,terraform]
+----
+resource "google_kms_crypto_key" "noncompliant-key" { # Sensitive: a rotation period is not defined
+  name            = "crypto-key-compliant"
+  key_ring        = google_kms_key_ring.keyring.id"
+}
+----
+
+== Compliant Solution
+[source,terraform]
+----
+resource "google_kms_crypto_key" "compliant-key" {
+  name            = "crypto-key-compliant"
+  key_ring        = google_kms_key_ring.keyring.id
+  rotation_period = "7776000s" # 90 days
+}
+----
+
+include::../see.adoc[]
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::../message.adoc[]
+
+endif::env-github,rspecator-view[]