Checkmarx · cx-andre-pereira · Oct 28, 2025 · Oct 16, 2025 · Oct 16, 2025 · Oct 16, 2025
@@ -0,0 +1,14 @@
+{
+  "id": "cc9e464e-5abc-4c8f-8077-a9aa7ebe6a05",
+  "queryName": "Beta - Google DNS Policy Logging Disabled",
+  "severity": "MEDIUM",
+  "category": "Observability",
+  "descriptionText": "The 'google_dns_policy' should always have the 'enable_logging' field set to true",
+  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_policy#enable_logging-1",
+  "platform": "Terraform",
+  "descriptionID": "cc9e464e",
+  "cloudProvider": "gcp",
+  "cwe": "778",
+  "riskScore": "3.0",
+  "experimental": "true"
+}
@@ -0,0 +1,46 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+	resource := input.document[i].resource.google_dns_policy[name]
+
+	results := get_results(resource, name)
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "google_dns_policy",
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": results.searchKey,
+		"issueType": results.issueType,
+		"keyExpectedValue": results.keyExpectedValue,
+		"keyActualValue": results.keyActualValue,
+		"searchLine": results.searchLine
+	}
+}
+
+get_results(dns, name) = results {
+
+	not common_lib.valid_key(dns, "enable_logging")
+
+	results := {
+		"searchKey": sprintf("google_dns_policy[%s]", [name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("'google_dns_policy[%s].enable_logging' should be defined and set to true", [name]),
+		"keyActualValue": sprintf("'google_dns_policy[%s].enable_logging' is undefined or null", [name]),
+		"searchLine": common_lib.build_search_line(["resource", "google_dns_policy", name], [])
+	}
+
+} else = results {
+
+	dns.enable_logging != true
+
+	results := {
+		"searchKey": sprintf("google_dns_policy[%s].enable_logging", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("'google_dns_policy[%s].enable_logging' should be defined and set to true", [name]),
+		"keyActualValue": sprintf("'google_dns_policy[%s].enable_logging' is set to %s", [name, dns.enable_logging]),
+		"searchLine": common_lib.build_search_line(["resource", "google_dns_policy", name, "enable_logging"], [])
+	}
+}
@@ -0,0 +1,6 @@
+resource "google_dns_policy" "example-policy" {
+  name                      = "example-policy"
+  enable_inbound_forwarding = true
+
+  enable_logging = true
+}
@@ -0,0 +1,12 @@
+resource "google_dns_policy" "example-policy" {
+  name                      = "example-policy"
+  enable_inbound_forwarding = true
+
+}
+
+resource "google_dns_policy" "example-policy-2" {
+  name                      = "example-policy-2"
+  enable_inbound_forwarding = true
+
+  enable_logging = false
+}
@@ -0,0 +1,12 @@
+[
+  {
+    "queryName": "Beta - Google DNS Policy Logging Disabled",
+    "severity": "MEDIUM",
+    "line": 1
+  },
+  {
+    "queryName": "Beta - Google DNS Policy Logging Disabled",
+    "severity": "MEDIUM",
+    "line": 11
+  }
+]
@@ -0,0 +1,5 @@
+similarityIDChangeList:
+    - queryId: cc9e464e-5abc-4c8f-8077-a9aa7ebe6a05
+      queryName: Beta - Google DNS Policy Logging Disabled
+      observations: ""
+      change: 2