feat(misconf): add private ip google access attribute to subnetwork (#9199)

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> Co-authored-by: nikpivkin <nikita.pivkin@smartforce.io>
2025-12-12 15:50:15 -08:00 · 2025-07-16 00:45:50 +03:00
parent 60723e6cfc
commit 263845cfc1
4 changed files with 42 additions and 8 deletions
--- a/pkg/iac/adapters/terraform/google/compute/networks.go
+++ b/pkg/iac/adapters/terraform/google/compute/networks.go
@@ -29,10 +29,11 @@ func adaptNetworks(modules terraform.Modules) (networks []compute.Network) {
 	for _, subnetworkBlock := range modules.GetResourcesByType("google_compute_subnetwork") {

 		subnetwork := compute.SubNetwork{
-			Metadata:       subnetworkBlock.GetMetadata(),
-			Name:           subnetworkBlock.GetAttribute("name").AsStringValueOrDefault("", subnetworkBlock),
-			Purpose:        subnetworkBlock.GetAttribute("purpose").AsStringValueOrDefault(defaultSubnetPurpose, subnetworkBlock),
-			EnableFlowLogs: iacTypes.BoolDefault(false, subnetworkBlock.GetMetadata()),
+			Metadata:              subnetworkBlock.GetMetadata(),
+			Name:                  subnetworkBlock.GetAttribute("name").AsStringValueOrDefault("", subnetworkBlock),
+			Purpose:               subnetworkBlock.GetAttribute("purpose").AsStringValueOrDefault(defaultSubnetPurpose, subnetworkBlock),
+			EnableFlowLogs:        iacTypes.BoolDefault(false, subnetworkBlock.GetMetadata()),
+			PrivateIPGoogleAccess: subnetworkBlock.GetAttribute("private_ip_google_access").AsBoolValueOrDefault(false, subnetworkBlock),
 		}

 		// logging
--- a/pkg/iac/adapters/terraform/google/compute/networks_test.go
+++ b/pkg/iac/adapters/terraform/google/compute/networks_test.go
@@ -122,6 +122,34 @@ func Test_adaptNetworks(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "private_ip_google_access_enabled",
+			terraform: `
+			resource "google_compute_subnetwork" "example" {
+				name          = "test-subnetwork"
+				network       = google_compute_network.example.id
+				private_ip_google_access = true
+			}
+			resource "google_compute_network" "example" {
+				name = "test-network"
+			}
+			`,
+			expected: []compute.Network{
+				{
+					Metadata: iacTypes.NewTestMetadata(),
+					Firewall: nil,
+					Subnetworks: []compute.SubNetwork{
+						{
+							Metadata:              iacTypes.NewTestMetadata(),
+							Name:                  iacTypes.String("test-subnetwork", iacTypes.NewTestMetadata()),
+							Purpose:               iacTypes.StringDefault("PRIVATE_RFC_1918", iacTypes.NewTestMetadata()),
+							EnableFlowLogs:        iacTypes.Bool(false, iacTypes.NewTestMetadata()),
+							PrivateIPGoogleAccess: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
+						},
+					},
+				},
+			},
+		},
 	}

 	for _, test := range tests {
--- a/pkg/iac/providers/google/compute/subnetwork.go
+++ b/pkg/iac/providers/google/compute/subnetwork.go
@@ -5,8 +5,9 @@ import (
 )

 type SubNetwork struct {
-	Metadata       iacTypes.Metadata
-	Name           iacTypes.StringValue
-	Purpose        iacTypes.StringValue
-	EnableFlowLogs iacTypes.BoolValue
+	Metadata              iacTypes.Metadata
+	Name                  iacTypes.StringValue
+	Purpose               iacTypes.StringValue
+	EnableFlowLogs        iacTypes.BoolValue
+	PrivateIPGoogleAccess iacTypes.BoolValue
 }
--- a/pkg/iac/rego/schemas/cloud.json
+++ b/pkg/iac/rego/schemas/cloud.json
@@ -6378,6 +6378,10 @@
          "type": "object",
          "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"
        },
+        "privateipgoogleaccess": {
+          "type": "object",
+          "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.BoolValue"
+        },
        "purpose": {
          "type": "object",
          "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"