Fix/sql allowed authorized networks.rego

[FanchenBao]

The rego file "sql_allowed_authorized_networks.rego" has two issues.

1. In the package statement, templates.gcp.GCPSQLAllowedAuthorizedNetworksV1 needs be changed into templates.gcp.GCPSQLAllowedAuthorizedNetworksConstraintV1 in order for the template file "gcp_sql_allowed_authorized_networks_v1.yaml" to work.
2. data field needs to be added in between resource and settings to correctly retrieve info from authorizedNetworks.

I also modified the logic so that the rule can detect when authorizedNetworks does not exist or has no content.

[googlebot]

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here (e.g. I signed it!) and we'll verify it.

---

What to do if you already signed the CLA

Individual signers

• It's possible we don't have your GitHub username or you're using a different email address on your commit. Check your existing CLA data and verify that your email is set on your git commits.

Corporate signers

• Your company has a Point of Contact who decides which employees are authorized to participate. Ask your POC to be added to the group of authorized contributors. If you don't know who your Point of Contact is, direct the Google project maintainer to go/cla#troubleshoot (Public version).
• The email used to register you as an authorized contributor must be the email used for the Git commit. Check your existing CLA data and verify that your email is set on your git commits.
• The email used to register you as an authorized contributor must also be attached to your GitHub account.

ℹ️ Googlers: Go here for more info.

[FanchenBao]

I signed CLA.

[googlebot]

CLAs look good, thanks!

ℹ️ Googlers: Go here for more info.

[FanchenBao]

Referencing #124
Though the issue is about another file, the problems fixed are related.

[morgante]

Thanks for the contribution - please make sure tests pass (using make test). Right now I see two potential issues:

1. The package name for the constraint and its test must match
2. The test fixtures also need to be updated to properly include the "data" field.

[FanchenBao]

You are welcome. And thanks for the suggestion. I will work on it.

[FanchenBao]

test fixture and test rego file for sql_allowed_authorized_networks have been updated. All tests passed using make test.

[AdrienWalkowiak]

@morgante any other comments on this?

[AdrienWalkowiak]

@morgante does this look good to you now?

[ocervell]

@AdrienWalkowiak @FanchenBao we shouldn't edit the fixture data.json manually - IMHO it should come from a real environment, otherwise we end up with issues where CAI data is different than our test fixtures

[FanchenBao]

If I remember correctly, the real environment CAI has data field, at least when I made the change last month. Therefore, I changed data.json file to reflect that fact.

[morgante]

@FanchenBao Can you rebase?

[FanchenBao]

@morgante Just rebased my fork onto current master, but I am still seeing conflict files.

[morgante]

@FanchenBao You'll have to resolve the conflicts manually. Also probably worth looking at the current implementation on master and seeing if your change still makes sense.

[morgante]

@FanchenBao Looks like tests fail, likely due to the addition of data in the test data.

Can you please run a CAI export and verify that it actually has that structure? Then make sure make test passes.

[FanchenBao]

@morgante Yes, at least from my end, the CAI file has "data" field. For example:

[ 
   { 
      "name":"//cloudsql.googleapis.com/projects/fanchen-sandbox/instances/private-instance",
      "asset_type":"sqladmin.googleapis.com/Instance",
      "ancestry_path":"project/fanchen-sandbox",
      "resource":{ 
         "version":"v1beta4",
         "discovery_document_uri":"https://www.googleapis.com/discovery/v1/apis/sqladmin/v1beta4/rest",
         "discovery_name":"DatabaseInstance",
         "parent":"//cloudresourcemanager.googleapis.com/projects/fanchen-sandbox",
         "data":{ 
            "databaseVersion":"MYSQL_5_7",
            "name":"private-instance",
            "project":"fanchen-sandbox",
            "region":"us-central1",
            "settings":{ 
               "ipConfiguration":{ 
                  "authorizedNetworks":[ 
                     { 
                        "name":"test_2",
                        "value":"199.27.25.0/24"
                     }
                  ],
                  "ipv4Enabled":false,
                  "requireSsl":true
               }
            }
         }
      }
   }
]

I also double-checked data.json files in other sql-related assets, and they all have "data" field. Furthermore, I found that my old logic of reporting violation when authorizedNetworks is not set is incorrect, because this field is optional. Therefore, I adopted the current code on master branch.