Fixing CKV_AZURE_226

bridgecrewio · Oct 12, 2023 · 6039e9f · 6039e9f
1 parent c469868
commit 6039e9f
Show file tree

Hide file tree

Showing 3 changed files with 118 additions and 54 deletions.
diff --git a/checkov/terraform/checks/resource/azure/AKSEphemeralOSDisks.py b/checkov/terraform/checks/resource/azure/AKSEphemeralOSDisks.py
@@ -25,8 +25,8 @@ def __init__(self) -> None:
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
     def get_inspected_key(self) -> str:
-        return "os_disk_type"
-
+        return "default_node_pool/[0]/os_disk_type"
+    
     def get_expected_value(self) -> Any:
         return "Ephemeral"
 

diff --git a/tests/terraform/checks/resource/azure/example_AKSEncryptionAtHostEnabled/main.tf b/tests/terraform/checks/resource/azure/example_AKSEncryptionAtHostEnabled/main.tf
@@ -1,96 +1,111 @@
 resource "azurerm_kubernetes_cluster" "pass" {
-  name                = "example-aks1"
-  location            = azurerm_resource_group.example.location
-  resource_group_name = azurerm_resource_group.example.name
-  dns_prefix          = "exampleaks1"
-  enable_host_encryption  = true
+  name                  = "internal"
+  kubernetes_cluster_id = azurerm_kubernetes_cluster.example.id
+  vm_size               = "Standard_DS2_v2"
+  node_count            = 1
 
   default_node_pool {
-    name       = "default"
-    node_count = 1
-    vm_size    = "Standard_D2_v2"
+    name = "default"
+
+    enable_host_encryption       = true
+    vm_size                      = "Standard_E4ads_v5"
+    os_disk_type                 = "Ephemeral"
+    zones                        = [1, 2, 3]
+    only_critical_addons_enabled = true
+
+    type                 = "VirtualMachineScaleSets"
+    vnet_subnet_id       = var.subnet_id
+    enable_auto_scaling  = true
+    max_count            = 6
+    min_count            = 2
+    orchestrator_version = local.kubernetes_version
   }
 
-  identity {
-    type = "SystemAssigned"
-  }
-
-  tags = {
-    Environment = "Production"
-  }
 }
 
 resource "azurerm_kubernetes_cluster_node_pool" "pass" {
   name                  = "internal"
   kubernetes_cluster_id = azurerm_kubernetes_cluster.example.id
   vm_size               = "Standard_DS2_v2"
   node_count            = 1
-  enable_host_encryption  = true
+  enable_host_encryption = true
 
   tags = {
     Environment = "Production"
   }
 }
 
-resource "azurerm_kubernetes_cluster" "fail" {
-  name                = "example-aks1"
-  location            = azurerm_resource_group.example.location
-  resource_group_name = azurerm_resource_group.example.name
-  dns_prefix          = "exampleaks1"
 
-  default_node_pool {
-    name       = "default"
-    node_count = 1
-    vm_size    = "Standard_D2_v2"
-  }
-
-  identity {
-    type = "SystemAssigned"
-  }
+resource "azurerm_kubernetes_cluster" "fail1" {
+  name                  = "internal"
+  kubernetes_cluster_id = azurerm_kubernetes_cluster.example.id
+  vm_size               = "Standard_DS2_v2"
+  node_count            = 1
 
   tags = {
     Environment = "Production"
   }
+
+  default_node_pool {
+    name = "default"
+
+    enable_host_encryption       = false
+    vm_size                      = "Standard_E4ads_v5"
+    zones                        = [1, 2, 3]
+    only_critical_addons_enabled = true
+
+    type                 = "VirtualMachineScaleSets"
+    vnet_subnet_id       = var.subnet_id
+    enable_auto_scaling  = true
+    max_count            = 6
+    min_count            = 2
+    orchestrator_version = local.kubernetes_version
+  }
+
 }
 
-resource "azurerm_kubernetes_cluster_node_pool" "fail" {
+resource "azurerm_kubernetes_cluster_node_pool" "fail1" {
   name                  = "internal"
   kubernetes_cluster_id = azurerm_kubernetes_cluster.example.id
   vm_size               = "Standard_DS2_v2"
   node_count            = 1
+  enable_host_encryption = false
+
   tags = {
     Environment = "Production"
   }
 }
 
-resource "azurerm_kubernetes_cluster" "fail1" {
-  name                = "example-aks1"
-  location            = azurerm_resource_group.example.location
-  resource_group_name = azurerm_resource_group.example.name
-  dns_prefix          = "exampleaks1"
-  enable_host_encryption  = false
 
-  default_node_pool {
-    name       = "default"
-    node_count = 1
-    vm_size    = "Standard_D2_v2"
-  }
+resource "azurerm_kubernetes_cluster" "fail2" {
+  name                  = "internal"
+  kubernetes_cluster_id = azurerm_kubernetes_cluster.example.id
+  vm_size               = "Standard_DS2_v2"
+  node_count            = 1
 
-  identity {
-    type = "SystemAssigned"
+  default_node_pool {
+    name = "default"
+
+    vm_size                      = "Standard_E4ads_v5"
+    os_disk_type                 = "Ephemeral"
+    zones                        = [1, 2, 3]
+    only_critical_addons_enabled = true
+
+    type                 = "VirtualMachineScaleSets"
+    vnet_subnet_id       = var.subnet_id
+    enable_auto_scaling  = true
+    max_count            = 6
+    min_count            = 2
+    orchestrator_version = local.kubernetes_version
   }
 
-  tags = {
-    Environment = "Production"
-  }
 }
 
-resource "azurerm_kubernetes_cluster_node_pool" "fail1" {
+resource "azurerm_kubernetes_cluster_node_pool" "fail2" {
   name                  = "internal"
   kubernetes_cluster_id = azurerm_kubernetes_cluster.example.id
   vm_size               = "Standard_DS2_v2"
   node_count            = 1
-  enable_host_encryption  = false
 
   tags = {
     Environment = "Production"

diff --git a/tests/terraform/checks/resource/azure/example_AKSEphemeralOSDisks/main.tf b/tests/terraform/checks/resource/azure/example_AKSEphemeralOSDisks/main.tf
@@ -3,11 +3,24 @@ resource "azurerm_kubernetes_cluster" "pass" {
   kubernetes_cluster_id = azurerm_kubernetes_cluster.example.id
   vm_size               = "Standard_DS2_v2"
   node_count            = 1
-  os_disk_type          = "Ephemeral"
 
-  tags = {
-    Environment = "Production"
+  default_node_pool {
+    name = "default"
+
+    enable_host_encryption       = true
+    vm_size                      = "Standard_E4ads_v5"
+    os_disk_type                 = "Ephemeral"
+    zones                        = [1, 2, 3]
+    only_critical_addons_enabled = true
+
+    type                 = "VirtualMachineScaleSets"
+    vnet_subnet_id       = var.subnet_id
+    enable_auto_scaling  = true
+    max_count            = 6
+    min_count            = 2
+    orchestrator_version = local.kubernetes_version
   }
+
 }
 
 resource "azurerm_kubernetes_cluster" "fail" {
@@ -19,6 +32,23 @@ resource "azurerm_kubernetes_cluster" "fail" {
   tags = {
     Environment = "Production"
   }
+
+  default_node_pool {
+    name = "default"
+
+    enable_host_encryption       = true
+    vm_size                      = "Standard_E4ads_v5"
+    zones                        = [1, 2, 3]
+    only_critical_addons_enabled = true
+
+    type                 = "VirtualMachineScaleSets"
+    vnet_subnet_id       = var.subnet_id
+    enable_auto_scaling  = true
+    max_count            = 6
+    min_count            = 2
+    orchestrator_version = local.kubernetes_version
+  }
+
 }
 
 resource "azurerm_kubernetes_cluster" "fail2" {
@@ -31,4 +61,23 @@ resource "azurerm_kubernetes_cluster" "fail2" {
   tags = {
     Environment = "Production"
   }
+
+  default_node_pool {
+    name = "default"
+
+    enable_host_encryption       = true
+    vm_size                      = "Standard_E4ads_v5"
+    os_disk_type                 = "Managed"
+    zones                        = [1, 2, 3]
+    only_critical_addons_enabled = true
+
+    type                 = "VirtualMachineScaleSets"
+    vnet_subnet_id       = var.subnet_id
+    enable_auto_scaling  = true
+    max_count            = 6
+    min_count            = 2
+    orchestrator_version = local.kubernetes_version
+  }
+
+
 }