diff --git a/checkov/terraform/checks/resource/azure/AKSEphemeralOSDisks.py b/checkov/terraform/checks/resource/azure/AKSEphemeralOSDisks.py index be8642d5aa4..54487e7901d 100644 --- a/checkov/terraform/checks/resource/azure/AKSEphemeralOSDisks.py +++ b/checkov/terraform/checks/resource/azure/AKSEphemeralOSDisks.py @@ -25,8 +25,8 @@ def __init__(self) -> None: super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) def get_inspected_key(self) -> str: - return "os_disk_type" - + return "default_node_pool/[0]/os_disk_type" + def get_expected_value(self) -> Any: return "Ephemeral" diff --git a/tests/terraform/checks/resource/azure/example_AKSEncryptionAtHostEnabled/main.tf b/tests/terraform/checks/resource/azure/example_AKSEncryptionAtHostEnabled/main.tf index bbeff501177..21d1100b97d 100644 --- a/tests/terraform/checks/resource/azure/example_AKSEncryptionAtHostEnabled/main.tf +++ b/tests/terraform/checks/resource/azure/example_AKSEncryptionAtHostEnabled/main.tf @@ -1,23 +1,26 @@ resource "azurerm_kubernetes_cluster" "pass" { - name = "example-aks1" - location = azurerm_resource_group.example.location - resource_group_name = azurerm_resource_group.example.name - dns_prefix = "exampleaks1" - enable_host_encryption = true + name = "internal" + kubernetes_cluster_id = azurerm_kubernetes_cluster.example.id + vm_size = "Standard_DS2_v2" + node_count = 1 default_node_pool { - name = "default" - node_count = 1 - vm_size = "Standard_D2_v2" + name = "default" + + enable_host_encryption = true + vm_size = "Standard_E4ads_v5" + os_disk_type = "Ephemeral" + zones = [1, 2, 3] + only_critical_addons_enabled = true + + type = "VirtualMachineScaleSets" + vnet_subnet_id = var.subnet_id + enable_auto_scaling = true + max_count = 6 + min_count = 2 + orchestrator_version = local.kubernetes_version } - identity { - type = "SystemAssigned" - } - - tags = { - Environment = "Production" - } } resource "azurerm_kubernetes_cluster_node_pool" "pass" { 
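Review bot: The new path `default_node_pool/[0]/os_disk_type` only matches `azurerm_kubernetes_cluster`; if this check's `supported_resources` (set in `__init__`, outside the hunk) also lists `azurerm_kubernetes_cluster_node_pool`, where `os_disk_type` is a top-level attribute, that resource type would now never be inspected and needs its own path. A short comment above the return would stop the next maintainer from "simplifying" it back: `# os_disk_type lives in the default_node_pool block of the cluster resource, not at the top level`. The `fail` fixture in this diff omits the attribute entirely, so the test also depends on a missing attribute being reported as FAILED (checkov's `missing_block_result` default, as far as I can tell from outside this hunk) — worth stating in the class docstring, since an omitted `os_disk_type` means the provider default (Managed) applies. The enclosing class continues outside the hunk.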
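Review bot: The rewritten `azurerm_kubernetes_cluster.pass` block now carries `kubernetes_cluster_id`, `vm_size` and `node_count` at the top level and has lost `location`, `resource_group_name`, `dns_prefix` and `identity`, i.e. node-pool attributes pasted onto a cluster resource; `fail1` and `fail2` in the next hunk have the same shape. Checkov resolves attributes by path so the check still evaluates, but fixtures that do not follow the provider schema make a wrong inspected path easy to miss, which is exactly the class of bug this change fixes. Note also that the cluster's `enable_host_encryption` now exists only under `default_node_pool`; unless `AKSEncryptionAtHostEnabled` was moved to the corresponding nested path elsewhere in this change (not in this diff), its `pass` case would flip.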
@@ -25,72 +28,84 @@ resource "azurerm_kubernetes_cluster_node_pool" "pass" { kubernetes_cluster_id = azurerm_kubernetes_cluster.example.id vm_size = "Standard_DS2_v2" node_count = 1 - enable_host_encryption = true + enable_host_encryption = true tags = { Environment = "Production" } } -resource "azurerm_kubernetes_cluster" "fail" { - name = "example-aks1" - location = azurerm_resource_group.example.location - resource_group_name = azurerm_resource_group.example.name - dns_prefix = "exampleaks1" - default_node_pool { - name = "default" - node_count = 1 - vm_size = "Standard_D2_v2" - } - - identity { - type = "SystemAssigned" - } +resource "azurerm_kubernetes_cluster" "fail1" { + name = "internal" + kubernetes_cluster_id = azurerm_kubernetes_cluster.example.id + vm_size = "Standard_DS2_v2" + node_count = 1 tags = { Environment = "Production" } + + default_node_pool { + name = "default" + + enable_host_encryption = false + vm_size = "Standard_E4ads_v5" + zones = [1, 2, 3] + only_critical_addons_enabled = true + + type = "VirtualMachineScaleSets" + vnet_subnet_id = var.subnet_id + enable_auto_scaling = true + max_count = 6 + min_count = 2 + orchestrator_version = local.kubernetes_version + } + } -resource "azurerm_kubernetes_cluster_node_pool" "fail" { +resource "azurerm_kubernetes_cluster_node_pool" "fail1" { name = "internal" kubernetes_cluster_id = azurerm_kubernetes_cluster.example.id vm_size = "Standard_DS2_v2" node_count = 1 + enable_host_encryption = false + tags = { Environment = "Production" } } -resource "azurerm_kubernetes_cluster" "fail1" { - name = "example-aks1" - location = azurerm_resource_group.example.location - resource_group_name = azurerm_resource_group.example.name - dns_prefix = "exampleaks1" - enable_host_encryption = false - default_node_pool { - name = "default" - node_count = 1 - vm_size = "Standard_D2_v2" - } +resource "azurerm_kubernetes_cluster" "fail2" { + name = "internal" + kubernetes_cluster_id = azurerm_kubernetes_cluster.example.id + 
vm_size = "Standard_DS2_v2" + node_count = 1 - identity { - type = "SystemAssigned" + default_node_pool { + name = "default" + + vm_size = "Standard_E4ads_v5" + os_disk_type = "Ephemeral" + zones = [1, 2, 3] + only_critical_addons_enabled = true + + type = "VirtualMachineScaleSets" + vnet_subnet_id = var.subnet_id + enable_auto_scaling = true + max_count = 6 + min_count = 2 + orchestrator_version = local.kubernetes_version } - tags = { - Environment = "Production" - } } -resource "azurerm_kubernetes_cluster_node_pool" "fail1" { +resource "azurerm_kubernetes_cluster_node_pool" "fail2" { name = "internal" kubernetes_cluster_id = azurerm_kubernetes_cluster.example.id vm_size = "Standard_DS2_v2" node_count = 1 - enable_host_encryption = false tags = { Environment = "Production" diff --git a/tests/terraform/checks/resource/azure/example_AKSEphemeralOSDisks/main.tf b/tests/terraform/checks/resource/azure/example_AKSEphemeralOSDisks/main.tf index d3fb6ca0a9b..e813035097a 100644 --- a/tests/terraform/checks/resource/azure/example_AKSEphemeralOSDisks/main.tf +++ b/tests/terraform/checks/resource/azure/example_AKSEphemeralOSDisks/main.tf @@ -3,11 +3,24 @@ resource "azurerm_kubernetes_cluster" "pass" { kubernetes_cluster_id = azurerm_kubernetes_cluster.example.id vm_size = "Standard_DS2_v2" node_count = 1 - os_disk_type = "Ephemeral" - tags = { - Environment = "Production" + default_node_pool { + name = "default" + + enable_host_encryption = true + vm_size = "Standard_E4ads_v5" + os_disk_type = "Ephemeral" + zones = [1, 2, 3] + only_critical_addons_enabled = true + + type = "VirtualMachineScaleSets" + vnet_subnet_id = var.subnet_id + enable_auto_scaling = true + max_count = 6 + min_count = 2 + orchestrator_version = local.kubernetes_version } + } resource "azurerm_kubernetes_cluster" "fail" { 
@@ -19,6 +32,23 @@ resource "azurerm_kubernetes_cluster" "fail" { tags = { Environment = "Production" } + + default_node_pool { + name = "default" + + enable_host_encryption = true + vm_size = "Standard_E4ads_v5" + zones = [1, 2, 3] + only_critical_addons_enabled = true + + type = "VirtualMachineScaleSets" + vnet_subnet_id = var.subnet_id + enable_auto_scaling = true + max_count = 6 + min_count = 2 + orchestrator_version = local.kubernetes_version + } + } resource "azurerm_kubernetes_cluster" "fail2" { @@ -31,4 +61,23 @@ resource "azurerm_kubernetes_cluster" "fail2" { tags = { Environment = "Production" } + + default_node_pool { + name = "default" + + enable_host_encryption = true + vm_size = "Standard_E4ads_v5" + os_disk_type = "Managed" + zones = [1, 2, 3] + only_critical_addons_enabled = true + + type = "VirtualMachineScaleSets" + vnet_subnet_id = var.subnet_id + enable_auto_scaling = true + max_count = 6 + min_count = 2 + orchestrator_version = local.kubernetes_version + } + + } \ No newline at end of file
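Review bot: The `fail` cluster's new `default_node_pool` block deliberately omits `os_disk_type`, so this case only fails if the check treats an absent attribute as FAILED; that intent is invisible in the fixture and someone could "repair" it by adding the attribute. A one-line comment inside the block would pin it: `# os_disk_type intentionally omitted: provider default is Managed and must be flagged`. Together with `fail2` in the next hunk, which sets the explicit `Managed` value, both failure paths are then covered and documented.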
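Review bot: The tail of `fail2` now has two consecutive blank lines before the closing brace, and the file still ends without a trailing newline (`\ No newline at end of file`). `terraform fmt` would collapse the blank lines, so running it over the fixture and adding the EOF newline before merge keeps the test inputs canonical. Style only.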