PLT:1898- Fixed GoSec issues

docs/index.md

@@ -174,7 +174,7 @@ For questions or issues with the provider, open up an issue in the provider GitH
 
 - `api_key` (String, Sensitive) The Spectro Cloud API key. Can also be set with the `SPECTROCLOUD_APIKEY` environment variable.
 - `host` (String) The Spectro Cloud API host url. Can also be set with the `SPECTROCLOUD_HOST` environment variable. Defaults to https://api.spectrocloud.com
-- `ignore_insecure_tls_error` (Boolean) Ignore insecure TLS errors for Spectro Cloud API endpoints. Defaults to false.
+- `ignore_insecure_tls_error` (Boolean) Ignore insecure TLS errors for Spectro Cloud API endpoints. ⚠️ WARNING: Setting this to true disables SSL certificate verification and makes connections vulnerable to man-in-the-middle attacks. Only use this in development/testing environments or when connecting to self-signed certificates in trusted networks. Defaults to false.
 - `project_name` (String) The Palette project the provider will target. If no value is provided, the `Default` Palette project is used. The default value is `Default`.
 - `retry_attempts` (Number) Number of retry attempts. Can also be set with the `SPECTROCLOUD_RETRY_ATTEMPTS` environment variable. Defaults to 10.
 - `trace` (Boolean) Enable HTTP request tracing. Can also be set with the `SPECTROCLOUD_TRACE` environment variable. To enable Terraform debug logging, set `TF_LOG=DEBUG`. Visit the Terraform documentation to learn more about Terraform [debugging](https://developer.hashicorp.com/terraform/plugin/log/managing).

docs/resources/registry_oci.md

@@ -72,7 +72,7 @@ Optional:
 Optional:
 
 - `certificate` (String) Specifies the TLS certificate used for secure communication. Required for enabling SSL/TLS encryption.
-- `insecure_skip_verify` (Boolean) Disables TLS certificate verification when set to true. Use with caution as it may expose connections to security risks.
+- `insecure_skip_verify` (Boolean) Disables TLS certificate verification when set to true. ⚠️ WARNING: Setting this to true disables SSL certificate verification and makes connections vulnerable to man-in-the-middle attacks. Only use this when connecting to registries with self-signed certificates in trusted networks.
 
 
 

docs/resources/sso.md

@@ -102,7 +102,7 @@ Optional:
 
 - `default_team_ids` (Set of String) A set of default team IDs assigned to users.
 - `identity_provider_ca_certificate` (String) Certificate authority (CA) certificate for the identity provider.
-- `insecure_skip_tls_verify` (Boolean) Boolean to skip TLS verification for identity provider communication.
+- `insecure_skip_tls_verify` (Boolean) Boolean to skip TLS verification for identity provider communication. ⚠️ WARNING: Setting this to true disables SSL certificate verification and makes connections vulnerable to man-in-the-middle attacks. Only use this when connecting to identity providers with self-signed certificates in trusted networks.
 - `user_info_endpoint` (Block List, Max: 1) To allow Palette to query the OIDC userinfo endpoint using the provided Issuer URL. Palette will first attempt to retrieve role and group information from userInfo endpoint. If unavailable, Palette will fall back to using Required Claims as specified above. Use the following fields to specify what Required Claims Palette will include when querying the userinfo endpoint. (see [below for nested schema](#nestedblock--oidc--user_info_endpoint))
 
 Read-Only:

spectrocloud/constants/constants.go

@@ -0,0 +1,15 @@
+package constants
+
+const (
+	// Int32MaxValue represents the maximum value for int32 type (2^31 - 1)
+	Int32MaxValue = 2147483647
+
+	// Int32MinValue represents the minimum value for int32 type (-2^31)
+	Int32MinValue = -2147483648
+
+	// UInt32MaxValue represents the maximum value for uint32 type (2^32 - 1)
+	UInt32MaxValue = 4294967295
+
+	// Int64MaxValue represents the maximum value for int64 type (2^63 - 1)
+	Int64MaxValue = 9223372036854775807
+)

spectrocloud/kubevirt/schema/virtualmachineinstance/domain_spec.go

@@ -1,11 +1,14 @@
 package virtualmachineinstance
 
 import (
+	"fmt"
+
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 	"k8s.io/apimachinery/pkg/api/resource"
 	kubevirtapiv1 "kubevirt.io/api/core/v1"
 
+	"github.com/spectrocloud/terraform-provider-spectrocloud/spectrocloud/constants"
 	"github.com/spectrocloud/terraform-provider-spectrocloud/spectrocloud/kubevirt/utils"
 )
 
@@ -286,12 +289,21 @@ func expandCPU(cpu map[string]interface{}) (kubevirtapiv1.CPU, error) {
 	}
 
 	if v, ok := cpu["cores"].(int); ok {
+		if v < 0 || v > constants.UInt32MaxValue {
+			return result, fmt.Errorf("cores value %d is out of range for uint32", v)
+		}
 		result.Cores = uint32(v)
 	}
 	if v, ok := cpu["sockets"].(int); ok {
+		if v < 0 || v > constants.UInt32MaxValue {
+			return result, fmt.Errorf("sockets value %d is out of range for uint32", v)
+		}
 		result.Sockets = uint32(v)
 	}
 	if v, ok := cpu["threads"].(int); ok {
+		if v < 0 || v > constants.UInt32MaxValue {
+			return result, fmt.Errorf("threads value %d is out of range for uint32", v)
+		}
 		result.Threads = uint32(v)
 	}
 

spectrocloud/provider.go

@@ -60,7 +60,7 @@ func New(_ string) func() *schema.Provider {
 				"ignore_insecure_tls_error": {
 					Type:        schema.TypeBool,
 					Optional:    true,
-					Description: "Ignore insecure TLS errors for Spectro Cloud API endpoints. Defaults to false.",
+					Description: "Ignore insecure TLS errors for Spectro Cloud API endpoints. ⚠️ WARNING: Setting this to true disables SSL certificate verification and makes connections vulnerable to man-in-the-middle attacks. Only use this in development/testing environments or when connecting to self-signed certificates in trusted networks. Defaults to false.",
 				},
 			},
 			ResourcesMap: map[string]*schema.Resource{
@@ -204,7 +204,9 @@ func providerConfigure(ctx context.Context, d *schema.ResourceData) (interface{}
 	projectName := d.Get("project_name").(string)
 
 	insecure := d.Get("ignore_insecure_tls_error").(bool)
+
 	if insecure {
+		//nolint:gosec
 		http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
 	}
 

spectrocloud/resource_cluster_vsphere.go

@@ -15,6 +15,7 @@ import (
 	"github.com/spectrocloud/palette-sdk-go/api/models"
 	"github.com/spectrocloud/palette-sdk-go/client"
 
+	"github.com/spectrocloud/terraform-provider-spectrocloud/spectrocloud/constants"
 	"github.com/spectrocloud/terraform-provider-spectrocloud/spectrocloud/schemas"
 	"github.com/spectrocloud/terraform-provider-spectrocloud/types"
 )
@@ -848,20 +849,44 @@ func toMachinePoolVsphere(machinePool interface{}) (*models.V1VsphereMachinePool
 	}
 
 	ins := m["instance_type"].([]interface{})[0].(map[string]interface{})
+
+	// Check bounds before conversion
+	diskSizeInt := ins["disk_size_gb"].(int)
+	memoryInt := ins["memory_mb"].(int)
+	cpuInt := ins["cpu"].(int)
+
+	if diskSizeInt > constants.Int32MaxValue || memoryInt > constants.Int64MaxValue || cpuInt > constants.Int32MaxValue {
+		return nil, fmt.Errorf("instance type values out of range: disk_size_gb=%d, memory_mb=%d, cpu=%d", diskSizeInt, memoryInt, cpuInt)
+	}
+
 	instanceType := models.V1VsphereInstanceType{
-		DiskGiB:   types.Ptr(int32(ins["disk_size_gb"].(int))),
-		MemoryMiB: types.Ptr(int64(ins["memory_mb"].(int))),
-		NumCPUs:   types.Ptr(int32(ins["cpu"].(int))),
+		DiskGiB:   types.Ptr(int32(diskSizeInt)),
+		MemoryMiB: types.Ptr(int64(memoryInt)),
+		NumCPUs:   types.Ptr(int32(cpuInt)),
+	}
+
+	countInt := m["count"].(int)
+	if countInt > constants.Int32MaxValue {
+		return nil, fmt.Errorf("count value %d is out of range for int32", countInt)
 	}
-	min := int32(m["count"].(int))
-	max := int32(m["count"].(int))
+
+	min := int32(countInt)
+	max := int32(countInt)
 
 	if m["min"] != nil {
-		min = int32(m["min"].(int))
+		minInt := m["min"].(int)
+		if minInt > constants.Int32MaxValue {
+			return nil, fmt.Errorf("min value %d is out of range for int32", minInt)
+		}
+		min = int32(minInt)
 	}
 
 	if m["max"] != nil {
-		max = int32(m["max"].(int))
+		maxInt := m["max"].(int)
+		if maxInt > constants.Int32MaxValue {
+			return nil, fmt.Errorf("max value %d is out of range for int32", maxInt)
+		}
+		max = int32(maxInt)
 	}
 
 	mp := &models.V1VsphereMachinePoolConfigEntity{
@@ -890,9 +915,16 @@ func toMachinePoolVsphere(machinePool interface{}) (*models.V1VsphereMachinePool
 		if m["node_repave_interval"] != nil {
 			nodeRepaveInterval = m["node_repave_interval"].(int)
 		}
+		if nodeRepaveInterval > constants.Int32MaxValue {
+			return nil, fmt.Errorf("node_repave_interval value %d is out of range for int32", nodeRepaveInterval)
+		}
 		mp.PoolConfig.NodeRepaveInterval = int32(nodeRepaveInterval)
 	} else {
-		err := ValidationNodeRepaveIntervalForControlPlane(m["node_repave_interval"].(int))
+		nodeRepaveInterval := m["node_repave_interval"].(int)
+		if nodeRepaveInterval > constants.Int32MaxValue {
+			return nil, fmt.Errorf("node_repave_interval value %d is out of range for int32", nodeRepaveInterval)
+		}
+		err := ValidationNodeRepaveIntervalForControlPlane(nodeRepaveInterval)
 		if err != nil {
 			return mp, err
 		}

spectrocloud/resource_developer_setting.go

@@ -3,11 +3,13 @@ package spectrocloud
 import (
 	"context"
 	"fmt"
+	"time"
+
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 	"github.com/spectrocloud/palette-sdk-go/api/models"
-	"time"
+	"github.com/spectrocloud/terraform-provider-spectrocloud/spectrocloud/constants"
 )
 
 func resourceDeveloperSetting() *schema.Resource {
@@ -66,17 +68,34 @@ func resourceDeveloperSetting() *schema.Resource {
 }
 
 func toDeveloperSetting(d *schema.ResourceData) (*models.V1DeveloperCredit, *models.V1TenantEnableClusterGroup) {
+	cpuInt := d.Get("cpu").(int)
+	memoryInt := d.Get("memory").(int)
+	storageInt := d.Get("storage").(int)
+	virtualClustersLimitInt := d.Get("virtual_clusters_limit").(int)
+
+	// Check bounds for int32 conversion
+	if cpuInt > constants.Int32MaxValue || memoryInt > constants.Int32MaxValue || storageInt > constants.Int32MaxValue || virtualClustersLimitInt > constants.Int32MaxValue {
+		// Return default values if any value is out of range
+		return &models.V1DeveloperCredit{
+				CPU:                  12,
+				MemoryGiB:            16,
+				StorageGiB:           20,
+				VirtualClustersLimit: 2,
+			}, &models.V1TenantEnableClusterGroup{
+				HideSystemClusterGroups: false,
+			}
+	}
+
 	devCredit := &models.V1DeveloperCredit{
-		CPU:                  int32(d.Get("cpu").(int)),
-		MemoryGiB:            int32(d.Get("memory").(int)),
-		StorageGiB:           int32(d.Get("storage").(int)),
-		VirtualClustersLimit: int32(d.Get("virtual_clusters_limit").(int)),
+		CPU:                  int32(cpuInt),
+		MemoryGiB:            int32(memoryInt),
+		StorageGiB:           int32(storageInt),
+		VirtualClustersLimit: int32(virtualClustersLimitInt),
 	}
 	sysClusterGroupPref := &models.V1TenantEnableClusterGroup{
 		HideSystemClusterGroups: d.Get("hide_system_cluster_group").(bool),
 	}
 	return devCredit, sysClusterGroupPref
-
 }
 
 func toDeveloperSettingDefault(d *schema.ResourceData) (*models.V1DeveloperCredit, *models.V1TenantEnableClusterGroup) {

spectrocloud/resource_pcg_ippool.go

@@ -11,6 +11,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 
 	"github.com/spectrocloud/palette-sdk-go/api/models"
+	"github.com/spectrocloud/terraform-provider-spectrocloud/spectrocloud/constants"
 )
 
 func resourcePrivateCloudGatewayIpPool() *schema.Resource {
@@ -201,10 +202,16 @@ func resourceIpPoolDelete(ctx context.Context, d *schema.ResourceData, m interfa
 }
 
 func toIpPool(d *schema.ResourceData) *models.V1IPPoolInputEntity {
+	prefixInt := d.Get("prefix").(int)
+	if prefixInt > constants.Int32MaxValue {
+		// This should not happen in practice as prefix is typically 0-32 for CIDR notation
+		prefixInt = 24 // Default to /24 if out of range
+	}
+
 	pool := &models.V1Pool{
 		Gateway:    d.Get("gateway").(string),
 		Nameserver: &models.V1Nameserver{},
-		Prefix:     int32(d.Get("prefix").(int)),
+		Prefix:     int32(prefixInt),
 	}
 
 	if d.Get("network_type").(string) == "range" {

spectrocloud/resource_platform_setting.go

@@ -10,6 +10,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 	"github.com/spectrocloud/palette-sdk-go/api/models"
+	"github.com/spectrocloud/terraform-provider-spectrocloud/spectrocloud/constants"
 )
 
 func resourcePlatformSetting() *schema.Resource {
@@ -140,8 +141,12 @@ func updatePlatformSettings(d *schema.ResourceData, m interface{}) diag.Diagnost
 	if platformSettingContext == tenantString {
 		// session timeout
 		if sessionTime, ok := d.GetOk("session_timeout"); ok {
+			sessionTimeInt := sessionTime.(int)
+			if sessionTimeInt > constants.Int32MaxValue {
+				return diag.FromErr(fmt.Errorf("session_timeout value %d is out of range for int32", sessionTimeInt))
+			}
 			err = c.UpdateSessionTimeout(tenantUID,
-				&models.V1AuthTokenSettings{ExpiryTimeMinutes: int32(sessionTime.(int))})
+				&models.V1AuthTokenSettings{ExpiryTimeMinutes: int32(sessionTimeInt)})
 			if err != nil {
 				return diag.FromErr(err)
 			}
@@ -391,8 +396,12 @@ func resourcePlatformSettingUpdate(ctx context.Context, d *schema.ResourceData,
 		// session timeout
 		if d.HasChange("session_timeout") {
 			if sessionTime, ok := d.GetOk("session_timeout"); ok {
+				sessionTimeInt := sessionTime.(int)
+				if sessionTimeInt > constants.Int32MaxValue {
+					return diag.FromErr(fmt.Errorf("session_timeout value %d is out of range for int32", sessionTimeInt))
+				}
 				err = c.UpdateSessionTimeout(tenantUID,
-					&models.V1AuthTokenSettings{ExpiryTimeMinutes: int32(sessionTime.(int))})
+					&models.V1AuthTokenSettings{ExpiryTimeMinutes: int32(sessionTimeInt)})
 				if err != nil {
 					return diag.FromErr(err)
 				}

spectrocloud/resource_registry_oci_ecr.go

@@ -4,9 +4,10 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"github.com/spectrocloud/palette-sdk-go/client"
 	"time"
 
+	"github.com/spectrocloud/palette-sdk-go/client"
+
 	"github.com/go-openapi/strfmt"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 
@@ -140,7 +141,7 @@ func resourceRegistryOciEcr() *schema.Resource {
 										Type:        schema.TypeBool,
 										Optional:    true,
 										Default:     false,
-										Description: "Disables TLS certificate verification when set to true. Use with caution as it may expose connections to security risks.",
+										Description: "Disables TLS certificate verification when set to true. ⚠️ WARNING: Setting this to true disables SSL certificate verification and makes connections vulnerable to man-in-the-middle attacks. Only use this when connecting to registries with self-signed certificates in trusted networks.",
 									},
 								},
 							},

spectrocloud/resource_sso.go

@@ -94,7 +94,7 @@ func resourceSSO() *schema.Resource {
 							Type:        schema.TypeBool,
 							Optional:    true,
 							Default:     false,
-							Description: "Boolean to skip TLS verification for identity provider communication.",
+							Description: "Boolean to skip TLS verification for identity provider communication. ⚠️ WARNING: Setting this to true disables SSL certificate verification and makes connections vulnerable to man-in-the-middle attacks. Only use this when connecting to identity providers with self-signed certificates in trusted networks.",
 						},
 						"client_id": {
 							Type:        schema.TypeString,

spectrocloud/resource_workspace.go

@@ -96,7 +96,10 @@ func resourceWorkspaceCreate(ctx context.Context, d *schema.ResourceData, m inte
 
 	var diags diag.Diagnostics
 
-	workspace := toWorkspace(d, c)
+	workspace, err := toWorkspace(d, c)
+	if err != nil {
+		return diag.FromErr(err)
+	}
 
 	uid, err := c.CreateWorkspace(workspace)
 	if err != nil {
@@ -203,7 +206,10 @@ func resourceWorkspaceUpdate(ctx context.Context, d *schema.ResourceData, m inte
 
 	if d.HasChange("clusters") || d.HasChange("workspace_quota") {
 		// resource allocation should go first because clusters are inside.
-		namespaces := toUpdateWorkspaceNamespaces(d, c)
+		namespaces, err := toUpdateWorkspaceNamespaces(d, c)
+		if err != nil {
+			return diag.FromErr(err)
+		}
 		if err := c.UpdateWorkspaceResourceAllocation(d.Id(), namespaces); err != nil {
 			return diag.FromErr(err)
 		}
@@ -219,7 +225,11 @@ func resourceWorkspaceUpdate(ctx context.Context, d *schema.ResourceData, m inte
 			}
 		}
 		if d.HasChange("namespaces") {
-			if err := c.UpdateWorkspaceResourceAllocation(d.Id(), toUpdateWorkspaceNamespaces(d, c)); err != nil {
+			namespaces, err := toUpdateWorkspaceNamespaces(d, c)
+			if err != nil {
+				return diag.FromErr(err)
+			}
+			if err := c.UpdateWorkspaceResourceAllocation(d.Id(), namespaces); err != nil {
 				return diag.FromErr(err)
 			}
 		}
@@ -269,12 +279,17 @@ func resourceWorkspaceDelete(ctx context.Context, d *schema.ResourceData, m inte
 	return diags
 }
 
-func toWorkspace(d *schema.ResourceData, c *client.V1Client) *models.V1WorkspaceEntity {
+func toWorkspace(d *schema.ResourceData, c *client.V1Client) (*models.V1WorkspaceEntity, error) {
 	annotations := make(map[string]string)
 	if len(d.Get("description").(string)) > 0 {
 		annotations["description"] = d.Get("description").(string)
 	}
 
+	quota, err := toQuota(d)
+	if err != nil {
+		return nil, err
+	}
+
 	workspace := &models.V1WorkspaceEntity{
 		Metadata: &models.V1ObjectMeta{
 			Name:        d.Get("name").(string),
@@ -287,11 +302,11 @@ func toWorkspace(d *schema.ResourceData, c *client.V1Client) *models.V1Workspace
 			ClusterRbacs:      toWorkspaceRBACs(d),
 			ClusterRefs:       toClusterRefs(d, c),
 			Policies:          toWorkspacePolicies(d),
-			Quota:             toQuota(d),
+			Quota:             quota,
 		},
 	}
 
-	return workspace
+	return workspace, nil
 }
 
 func resourceWorkspaceImport(ctx context.Context, d *schema.ResourceData, m interface{}) ([]*schema.ResourceData, error) {