Modifications made as per mentioned

bridgecrewio · Oct 17, 2023 · 302890e · 302890e
1 parent a819274
commit 302890e
Show file tree

Hide file tree

Showing 5 changed files with 91 additions and 31 deletions.
diff --git a/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigSharedKeyAuth.yaml b/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigSharedKeyAuth.yaml
@@ -1,7 +1,7 @@
 metadata:
-  id: "CKV_AZURE_229"
-  name: "Ensure storage account is configured with Shared Key authorization"
-  category: "GENERAL_SECURITY"
+  id: "CKV2_AZURE_40"
+  name: "Ensure storage account is not configured with Shared Key authorization"
+  category: "IAM"
 
 definition:
   and:

diff --git a/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfig_SAS_expirePolicy.yaml b/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfig_SAS_expirePolicy.yaml
@@ -1,7 +1,7 @@
 metadata:
-  id: "CKV_AZURE_230"
+  id: "CKV2_AZURE_41"
   name: "Ensure storage account is configured with SAS expiration policy"
-  category: "GENERAL_SECURITY"
+  category: "IAM"
 
 definition:
   and:
@@ -14,7 +14,7 @@ definition:
       resource_types: "azurerm_storage_account"
       attribute: "shared_access_key_enabled"
       operator: "equals_ignore_case"
-      value: "false"
+      value: "true"
 
     - cond_type: "attribute"
       resource_types: "azurerm_storage_account"

diff --git a/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml b/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml
@@ -1,28 +1,52 @@
 metadata:
-  id: "CKV_AZURE_228"
+  id: "CKV2_AZURE_39"
+
   name: "Ensure Azure VM is not configured with public IP and serial console access"
-  category: "GENERAL_SECURITY"
+  category: "NETWORKING"
 
 definition:
-  and:
-    - cond_type: filter
-      attribute: resource_type
-      value:
-        - azurerm_network_interface
-      operator: within
+  or:
+    - and:
+        - cond_type: filter
+          attribute: resource_type
+          value:
+            - azurerm_network_interface
+          operator: within
+
+        - resource_types:
+            - azurerm_network_interface
+          connected_resource_types:
+            - azurerm_linux_virtual_machine
+            - azurerm_windows_virtual_machine
+            - azurerm_virtual_machine
+          operator: exists
+          cond_type: connection
+
+        - cond_type: attribute
+          resource_types:
+             - azurerm_network_interface
+          attribute: ip_configuration.public_ip_address_id
+          operator: length_greater_than
+          value: 0
+
+        - cond_type: attribute
+          resource_types:
+            - azurerm_linux_virtual_machine
+            - azurerm_windows_virtual_machine
+            - azurerm_virtual_machine
+          attribute: boot_diagnostics
+          operator: not_exists
 
-    - resource_types:
+    - cond_type: attribute
+      resource_types:
         - azurerm_network_interface
-      connected_resource_types:
-        - azurerm_linux_virtual_machine
-        - azurerm_windows_virtual_machine
-        - azurerm_virtual_machine
-      operator: exists
-      cond_type: connection
+      attribute: ip_configuration.public_ip_address_id
+      operator: not_exists
 
     - cond_type: attribute
       resource_types:
-         - azurerm_network_interface
+        - azurerm_network_interface
       attribute: ip_configuration.public_ip_address_id
-      operator: length_greater_than
+      operator: length_less_than_or_equal
       value: 0
+
diff --git a/.../terraform/graph/checks/resources/AzureVMconfigPublicIP_SerialConsoleAccess/expected.yaml b/.../terraform/graph/checks/resources/AzureVMconfigPublicIP_SerialConsoleAccess/expected.yaml
@@ -1,4 +1,5 @@
 pass:
-  - "azurerm_network_interface.pass_int"
+  - "azurerm_network_interface.pass_int_1"
+  - "azurerm_network_interface.pass_int_2"
 fail:
   - "azurerm_network_interface.fail_int"
diff --git a/tests/terraform/graph/checks/resources/AzureVMconfigPublicIP_SerialConsoleAccess/main.tf b/tests/terraform/graph/checks/resources/AzureVMconfigPublicIP_SerialConsoleAccess/main.tf
@@ -16,9 +16,9 @@ resource "azurerm_resource_group" "pud-rg" {
   location = "West Europe"
 }
 
-# Case 1: Pass case: "ip_configuration.public_ip_address_id" exists
+# Case 1: FAIL case: "ip_configuration.public_ip_address_id" exists and boot_diagnostics also exists
 
-resource "azurerm_network_interface" "pass_int" {
+resource "azurerm_network_interface" "fail_int" {
   name                = "pass-nic"
   location            = azurerm_resource_group.pud-rg.location
   resource_group_name = azurerm_resource_group.pud-rg.name
@@ -35,14 +35,20 @@ resource "azurerm_virtual_machine" "pass_vm" {
   name                  = "${var.prefix}-vm"
   location              = azurerm_resource_group.pud-rg.location
   resource_group_name   = azurerm_resource_group.pud-rg.name
-  network_interface_ids = [azurerm_network_interface.pass_int.id]
+  network_interface_ids = [azurerm_network_interface.fail_int.id]
   vm_size               = "Standard_DS1_v2"
+
+  boot_diagnostics {
+    storage_account_uri = null # null enables managed storage account for boot diagnostics
+    enabled             = true
+    storage_uri         = ""
+  }
 }
 
-# Case 2: Fail case: Missing "ip_configuration.public_ip_address_id" (does NOT exist)
+# Case 2: Pass case: "ip_configuration.public_ip_address_id" does NOT exist
 
-resource "azurerm_network_interface" "fail_int" {
-  name                = "fail-nic"
+resource "azurerm_network_interface" "pass_int_1" {
+  name                = "pass-nic"
   location            = azurerm_resource_group.pud-rg.location
   resource_group_name = azurerm_resource_group.pud-rg.name
 
@@ -60,7 +66,36 @@ resource "azurerm_linux_virtual_machine" "pud-linux-vm" {
   size                = "Standard_F2"
   admin_username      = "pud-admin"
   network_interface_ids = [
-    azurerm_network_interface.fail_int.id,
+    azurerm_network_interface.pass_int_1.id,
   ]
 
+}
+
+# Case 3: Pass case: "ip_configuration.public_ip_address_id" exists but boot_diagnostics does not exist
+
+resource "azurerm_network_interface" "pass_int_2" {
+  name                = "pass-nic"
+  location            = azurerm_resource_group.pud-rg.location
+  resource_group_name = azurerm_resource_group.pud-rg.name
+
+  ip_configuration {
+    name                          = "internal"
+    subnet_id                     = var.prefix
+    private_ip_address_allocation = "Dynamic"
+    public_ip_address_id = var.pub-ip-id
+  }
+}
+
+resource "azurerm_virtual_machine" "pass_vm" {
+  name                  = "${var.prefix}-vm"
+  location              = azurerm_resource_group.pud-rg.location
+  resource_group_name   = azurerm_resource_group.pud-rg.name
+  network_interface_ids = [azurerm_network_interface.pass_int_2.id]
+  vm_size               = "Standard_DS1_v2"
+
+#  boot_diagnostics {
+#    storage_account_uri = null # null enables managed storage account for boot diagnostics
+#    enabled             = true
+#    storage_uri         = ""
+#  }
 }