feat(terraform): New bedrock check (#6892)

New bedrock check
bridgecrewio · Dec 5, 2024 · 89a88bd · 89a88bd
1 parent 51a1d35
commit 89a88bd
Show file tree

Hide file tree

Showing 3 changed files with 81 additions and 0 deletions.
diff --git a/checkov/terraform/checks/resource/aws/BedrockGuardrails.py b/checkov/terraform/checks/resource/aws/BedrockGuardrails.py
@@ -0,0 +1,23 @@
+from typing import Any
+
+from checkov.common.models.enums import CheckCategories
+from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+from checkov.common.models.consts import ANY_VALUE
+
+
+class BedrockGuardrails(BaseResourceValueCheck):
+    def __init__(self) -> None:
+        name = "Ensure AWS Bedrock agent is associated with Bedrock guardrails"
+        id = "CKV_AWS_383"
+        supported_resources = ("aws_bedrockagent_agent",)
+        categories = (CheckCategories.AI_AND_ML,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self) -> str:
+        return "guardrail_configuration/[0]/guardrail_identifier"
+
+    def get_expected_value(self) -> Any:
+        return ANY_VALUE
+
+
+check = BedrockGuardrails()
diff --git a/tests/terraform/checks/resource/aws/example_BedrockGuardrails/main.tf b/tests/terraform/checks/resource/aws/example_BedrockGuardrails/main.tf
@@ -0,0 +1,18 @@
+resource "aws_bedrockagent_agent" "fail" {
+  agent_name                  = "my-agent-name"
+  agent_resource_role_arn     = aws_iam_role.example.arn
+  idle_session_ttl_in_seconds = 500
+  foundation_model            = "anthropic.claude-v2"
+}
+
+resource "aws_bedrockagent_agent" "pass" {
+  agent_name                  = "my-agent-name"
+  agent_resource_role_arn     = aws_iam_role.example.arn
+  idle_session_ttl_in_seconds = 500
+  foundation_model            = "anthropic.claude-v2"
+
+  guardrail_configuration {
+    guardrail_identifier = "foo"
+    guardrail_version = 1
+  }
+}
diff --git a/tests/terraform/checks/resource/aws/test_BedrockGuardrails.py b/tests/terraform/checks/resource/aws/test_BedrockGuardrails.py
@@ -0,0 +1,40 @@
+import os
+import unittest
+
+from checkov.runner_filter import RunnerFilter
+from checkov.terraform.checks.resource.aws.BedrockGuardrails import check
+from checkov.terraform.runner import Runner
+
+
+class TestBedrockGuardrails(unittest.TestCase):
+    def test(self):
+        runner = Runner()
+        current_dir = os.path.dirname(os.path.realpath(__file__))
+
+        test_files_dir = current_dir + "/example_BedrockGuardrails"
+        report = runner.run(
+            root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id])
+        )
+        summary = report.get_summary()
+
+        passing_resources = {
+            "aws_bedrockagent_agent.pass",
+        }
+        failing_resources = {
+            "aws_bedrockagent_agent.fail"
+        }
+
+        passed_check_resources = set([c.resource for c in report.passed_checks])
+        failed_check_resources = set([c.resource for c in report.failed_checks])
+
+        self.assertEqual(summary["passed"], len(passing_resources))
+        self.assertEqual(summary["failed"], len(failing_resources))
+        self.assertEqual(summary["skipped"], 0)
+        self.assertEqual(summary["parsing_errors"], 0)
+
+        self.assertEqual(passing_resources, passed_check_resources)
+        self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+    unittest.main()