feat(arm): implement CKV2_AZURE_27 for arm (#5534)
* feat(arm): implement CKV2_AZURE_27 for arm

* revert
JamesWoolfenden authored Sep 14, 2023
1 parent d64bbc4 commit 030b183
Showing 5 changed files with 431 additions and 2 deletions.
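--- a/checkov/arm/checks/resource/SQLServerUsesADAuth.py
+++ b/checkov/arm/checks/resource/SQLServerUsesADAuth.py
@@ -0,0 +1,29 @@
+from __future__ import annotations
+
+from typing import Any
+
+from checkov.common.models.consts import ANY_VALUE
+from checkov.common.models.enums import CheckCategories
+from checkov.arm.base_resource_negative_value_check import BaseResourceNegativeValueCheck
+
+
+class SQLServerUsesADAuth(BaseResourceNegativeValueCheck):
+    def __init__(self) -> None:
+        """
+        I think that this check is really, ensure that only AD auth is used (not user/pass)
+        """
+
+        name = "Ensure Azure AD authentication is enabled for Azure SQL (MSSQL)"
+        id = "CKV2_AZURE_27"
+        supported_resources = ["Microsoft.Sql/servers"]
+        categories = [CheckCategories.GENERAL_SECURITY]
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self) -> str:
+        return 'properties/administratorLogin'
+
+    def get_forbidden_values(self) -> list[Any]:
+        return [ANY_VALUE]
+
+
+check = SQLServerUsesADAuth()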
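Review bot: get_inspected_key and get_forbidden_values make this check fail any Microsoft.Sql/servers resource that sets properties/administratorLogin to anything, which is a different condition from the check's name "Ensure Azure AD authentication is enabled": a server whose properties/administrators block sets azureADOnlyAuthentication to true still carries a SQL login and would be flagged, while a server that sets neither administratorLogin nor an administrators block passes without any Azure AD administrator being configured. If the intent is AD-only authentication, inspecting properties/administrators/azureADOnlyAuthentication for true as a positive value check would match the name; if the intent is really "no SQL login", the name and docstring should say so. The __init__ docstring currently reads as a question to the reviewer rather than documentation; replace it with `"""Fails Microsoft.Sql/servers resources that define properties/administratorLogin (a SQL-auth admin), regardless of any administrators/azureADOnlyAuthentication setting."""`. As a point of style, `id = "CKV2_AZURE_27"` shadows the builtin `id` inside __init__; a local such as `check_id` avoids that while still being passed as `id=`.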
Expand Up @@ -17,5 +17,5 @@ definition:
operator: "number_of_words_not_equals"
value: 0

# Checking for condition "number_of_words_not_equals=0" instead of "is_not_empty" because
# even whitespaces were getting considered in terraform YAML file
# Checking for condition "number_of_words_not_equals=0" instead of "is_not_empty" because
# even whitespaces were getting considered in terraform YAML file
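--- a/tests/arm/checks/resource/example_SQLServerUsesADAuth/fail.json
+++ b/tests/arm/checks/resource/example_SQLServerUsesADAuth/fail.json
@@ -0,0 +1,181 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "administratorLogin": {
+      "type": "string",
+      "defaultValue": "anythingisbad"
+    },
+    "administratorLoginPassword": {
+      "type": "securestring",
+      "defaultValue": ""
+    },
+    "administrators": {
+      "type": "object",
+      "defaultValue": {}
+    },
+    "location": {
+      "type": "string"
+    },
+    "serverName": {
+      "type": "string"
+    },
+    "enableADS": {
+      "type": "bool",
+      "defaultValue": false
+    },
+    "useVAManagedIdentity": {
+      "type": "bool",
+      "defaultValue": false,
+      "metadata": {
+        "description": "To enable vulnerability assessments, the user deploying this template must have an administrator or owner permissions."
+      }
+    },
+    "vaStoragelessEnabled": {
+      "type": "bool",
+      "defaultValue": false,
+      "metadata": {
+        "description": "Flag for enabling vulnerability assessments with express configuration (storage less), the user deploying this template must have administrator or owner permissions."
+      }
+    },
+    "publicNetworkAccess": {
+      "type": "string",
+      "defaultValue": ""
+    },
+    "minimalTlsVersion": {
+      "type": "string",
+      "defaultValue": ""
+    },
+    "allowAzureIps": {
+      "type": "bool",
+      "defaultValue": true
+    },
+    "enableVA": {
+      "type": "bool",
+      "defaultValue": false
+    },
+    "serverTags": {
+      "type": "object",
+      "defaultValue": {}
+    }
+  },
+  "variables": {
+    "subscriptionId": "[subscription().subscriptionId]",
+    "resourceGroupName": "[resourceGroup().name]",
+    "uniqueStorage": "[uniqueString(variables('subscriptionId'), variables('resourceGroupName'), parameters('location'))]",
+    "storageName": "[tolower(concat('sqlva', variables('uniqueStorage')))]",
+    "uniqueRoleGuid": "[guid(resourceId('Microsoft.Storage/storageAccounts', variables('storageName')), variables('storageBlobContributor'), resourceId('Microsoft.Sql/servers', parameters('serverName')))]",
+    "StorageBlobContributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]"
+  },
+  "resources": [
+    {
+      "condition": "[parameters('enableVA')]",
+      "type": "Microsoft.Storage/storageAccounts",
+      "apiVersion": "2019-04-01",
+      "name": "[variables('storageName')]",
+      "location": "[parameters('location')]",
+      "sku": {
+        "name": "Standard_LRS"
+      },
+      "kind": "StorageV2",
+      "properties": {
+        "minimumTlsVersion": "TLS1_2",
+        "supportsHttpsTrafficOnly": "true",
+        "allowBlobPublicAccess": "false"
+      },
+      "resources": [
+        {
+          "condition": "[parameters('useVAManagedIdentity')]",
+          "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
+          "apiVersion": "2018-09-01-preview",
+          "name": "[concat(variables('storageName'), '/Microsoft.Authorization/', variables('uniqueRoleGuid') )]",
+          "dependsOn": [
+            "[resourceId('Microsoft.Sql/servers', parameters('serverName'))]",
+            "[resourceId('Microsoft.Storage/storageAccounts', variables('storageName'))]"
+          ],
+          "properties": {
+            "roleDefinitionId": "[variables('StorageBlobContributor')]",
+            "principalId": "[reference(resourceId('Microsoft.Sql/servers', parameters('serverName')), '2018-06-01-preview', 'Full').identity.principalId]",
+            "scope": "[resourceId('Microsoft.Storage/storageAccounts', variables('storageName'))]",
+            "principalType": "ServicePrincipal"
+          }
+        }
+      ]
+    },
+    {
+      "type": "Microsoft.Sql/servers",
+      "apiVersion": "2020-11-01-preview",
+      "name": "fail",
+      "location": "[parameters('location')]",
+      "properties": {
+        "version": "12.0",
+        "minimalTlsVersion": "[parameters('minimalTlsVersion')]",
+        "publicNetworkAccess": "[parameters('publicNetworkAccess')]",
+        "administratorLogin": "[parameters('administratorLogin')]",
+        "administratorLoginPassword": "[parameters('administratorLoginPassword')]",
+        "administrators": "[parameters('administrators')]"
+      },
+      "identity": "[if(and(parameters('enableVA'),parameters('useVAManagedIdentity')), json('{\"type\":\"SystemAssigned\"}'), json('null'))]",
+      "tags": "[parameters('serverTags')]",
+      "resources": [
+        {
+          "condition": "[parameters('allowAzureIPs')]",
+          "type": "firewallRules",
+          "apiVersion": "2021-11-01",
+          "name": "AllowAllWindowsAzureIps",
+          "location": "[parameters('location')]",
+          "dependsOn": [
+            "[resourceId('Microsoft.Sql/servers', parameters('serverName'))]"
+          ],
+          "properties": {
+            "endIpAddress": "0.0.0.0",
+            "startIpAddress": "0.0.0.0"
+          }
+        },
+        {
+          "condition": "[parameters('enableADS')]",
+          "type": "advancedThreatProtectionSettings",
+          "apiVersion": "2021-11-01-preview",
+          "name": "Default",
+          "dependsOn": [
+            "[resourceId('Microsoft.Sql/servers', parameters('serverName'))]"
+          ],
+          "properties": {
+            "state": "Enabled"
+          }
+        },
+        {
+          "condition": "[parameters('enableVA')]",
+          "type": "vulnerabilityAssessments",
+          "apiVersion": "2018-06-01-preview",
+          "name": "Default",
+          "dependsOn": [
+            "[concat('Microsoft.Sql/servers/', parameters('serverName'))]",
+            "[concat('Microsoft.Storage/storageAccounts/', variables('storageName'))]",
+            "[concat('Microsoft.Sql/servers/', parameters('serverName'), '/advancedThreatProtectionSettings/Default')]"
+          ],
+          "properties": {
+            "storageContainerPath": "[if(parameters('enableVA'), concat(reference(resourceId('Microsoft.Storage/storageAccounts', variables('storageName'))).primaryEndpoints.blob, 'vulnerability-assessment'), '')]",
+            "storageAccountAccessKey": "[if(and(parameters('enableVA'),not(parameters('useVAManagedIdentity'))), listKeys(variables('storageName'), '2018-02-01').keys[0].value, '')]",
+            "recurringScans": {
+              "isEnabled": true,
+              "emailSubscriptionAdmins": false
+            }
+          }
+        },
+        {
+          "condition": "[parameters('vaStoragelessEnabled')]",
+          "type": "sqlVulnerabilityAssessments",
+          "apiVersion": "2022-02-01-preview",
+          "name": "Default",
+          "dependsOn": [
+            "[resourceId('Microsoft.Sql/servers', parameters('serverName'))]"
+          ],
+          "properties": {
+            "state": "Enabled"
+          }
+        }
+      ]
+    }
+  ]
+}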
