feat(arm): add CKV_AZURE_73 to ensure that Automation account variabl…

…es are encrypted (#6271) * added new arm policy for resource:AzureDefenderOnKeyVaults.py * added new arm policy for resource:AutomationEncrypted.py * added new arm policy for resource:AppServiceIdentityProviderEnabled.py * added new arm policy for resource:AutomationEncrypted.py * added new arm policy for resource:AutomationEncrypted.py * added new arm policy for resource:AutomationEncrypted.py * added new arm policy for resource:AzureDefenderOnKeyVaults.py * added new arm policy for resource:AutomationEncrypted.py * added new arm policy for resource:AutomationEncrypted.py * added new arm policy for resource:AutomationEncrypted.py --------- Co-authored-by: ChanochShayner <[email protected]>
bridgecrewio · May 19, 2024 · 4bb8d0c · 4bb8d0c
1 parent d522599
commit 4bb8d0c
Show file tree

Hide file tree

Showing 5 changed files with 121 additions and 0 deletions.
diff --git a/checkov/arm/checks/resource/AutomationEncrypted.py b/checkov/arm/checks/resource/AutomationEncrypted.py
@@ -0,0 +1,20 @@
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+from checkov.common.models.enums import CheckCategories
+
+
+class AutomationEncrypted(BaseResourceValueCheck):
+    def __init__(self) -> None:
+        name = "Ensure that Automation account variables are encrypted"
+        id = "CKV_AZURE_73"
+        supported_resources = ("Microsoft.Automation/automationAccounts/variables",)
+        categories = (CheckCategories.ENCRYPTION,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self) -> str:
+        return "properties/isEncrypted"
+
+    def get_expected_value(self) -> bool:
+        return True
+
+
+check = AutomationEncrypted()
diff --git a/tests/arm/checks/resource/example_AutomationEncrypted/fail.json b/tests/arm/checks/resource/example_AutomationEncrypted/fail.json
@@ -0,0 +1,22 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {},
+    "variables": {},
+    "resources": [
+        {
+            "type": "Microsoft.Automation/automationAccounts/variables",
+            "apiVersion": "2020-01-13-preview",
+            "name": "fail",
+            "properties": {
+                "name": "tfex-example-var",
+                "value": "Hello, Arm Basic Test.",
+                "isEncrypted": false
+            },
+            "dependsOn": [
+                "[resourceId('Microsoft.Automation/automationAccounts', 'example')]"
+            ]
+        }
+    ],
+    "outputs": {}
+}
diff --git a/tests/arm/checks/resource/example_AutomationEncrypted/fail1.json b/tests/arm/checks/resource/example_AutomationEncrypted/fail1.json
@@ -0,0 +1,21 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {},
+    "variables": {},
+    "resources": [
+        {
+            "type": "Microsoft.Automation/automationAccounts/variables",
+            "apiVersion": "2020-01-13-preview",
+            "name": "fail1",
+            "properties": {
+                "name": "tfex-example-var",
+                "value": "Hello, Arm Basic Test."
+            },
+            "dependsOn": [
+                "[resourceId('Microsoft.Automation/automationAccounts', 'example')]"
+            ]
+        }
+    ],
+    "outputs": {}
+}
diff --git a/tests/arm/checks/resource/example_AutomationEncrypted/pass.json b/tests/arm/checks/resource/example_AutomationEncrypted/pass.json
@@ -0,0 +1,22 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {},
+  "variables": {},
+  "resources": [
+    {
+      "type": "Microsoft.Automation/automationAccounts/variables",
+      "apiVersion": "2020-01-13-preview",
+      "name": "pass",
+      "properties": {
+        "name": "tfex-example-var",
+        "value": "Hello, Arm Basic Test.",
+        "isEncrypted": true
+      },
+      "dependsOn": [
+        "[resourceId('Microsoft.Automation/automationAccounts', 'example')]"
+      ]
+    }
+  ],
+  "outputs": {}
+}
diff --git a/tests/arm/checks/resource/test_AutomationEncrypted.py b/tests/arm/checks/resource/test_AutomationEncrypted.py
@@ -0,0 +1,36 @@
+import os
+import unittest
+
+from checkov.arm.checks.resource.AutomationEncrypted import check
+from checkov.arm.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestAutomationEncrypted(unittest.TestCase):
+    def test_summary(self):
+        runner = Runner()
+        current_dir = os.path.dirname(os.path.realpath(__file__))
+
+        test_files_dir = current_dir + "/example_AutomationEncrypted"
+        report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
+        summary = report.get_summary()
+
+        passing_resources = {
+            "Microsoft.Automation/automationAccounts/variables.pass",
+        }
+
+        failing_resources = {
+            "Microsoft.Automation/automationAccounts/variables.fail",
+            "Microsoft.Automation/automationAccounts/variables.fail1",
+        }
+
+        passed_check_resources = {c.resource for c in report.passed_checks}
+        failed_check_resources = {c.resource for c in report.failed_checks}
+
+        self.assertEqual(summary["passed"], 1)
+        self.assertEqual(summary["failed"], 2)
+        self.assertEqual(summary["skipped"], 0)
+        self.assertEqual(summary["parsing_errors"], 0)
+
+        self.assertEqual(passing_resources, passed_check_resources)
+        self.assertEqual(failing_resources, failed_check_resources)