From 99730d1757ae18caa46c33b3adba4166b0a33168 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pascal=20H=C3=B6hnel?= <20238923+phoehnel@users.noreply.github.com>
Date: Mon, 12 Aug 2024 20:28:29 +0200
Subject: [PATCH] fix(terraform): add null as allowed value, when checking for presence of public IP in CKV2_AZURE_39 (#6094)
* add null as allowed value for public-ips
* add tests for empty/null list in AzureVMconfigPublicIP_SerialConsoleAccess
* correct type of "ip_configuration.public_ip_address_id" to string
---------
Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com>
---
 ...eVMconfigPublicIP_SerialConsoleAccess.yaml | 7 +++
 .../expected.yaml | 2 +
 .../main.tf | 52 +++++++++++++++++++
 3 files changed, 61 insertions(+)
diff --git a/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml b/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml
index 60d13f14041..24a28d00ae1 100644
--- a/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml
+++ b/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml
@@ -50,3 +50,10 @@ definition: operator: length_less_than_or_equal value: 0 + - cond_type: attribute resource_types: + - azurerm_network_interface attribute: ip_configuration.public_ip_address_id operator: equals value: null +
diff --git a/tests/terraform/graph/checks/resources/AzureVMconfigPublicIP_SerialConsoleAccess/expected.yaml b/tests/terraform/graph/checks/resources/AzureVMconfigPublicIP_SerialConsoleAccess/expected.yaml
index a672f5c82d2..2a5415bb1c9 100644
--- a/tests/terraform/graph/checks/resources/AzureVMconfigPublicIP_SerialConsoleAccess/expected.yaml
+++ b/tests/terraform/graph/checks/resources/AzureVMconfigPublicIP_SerialConsoleAccess/expected.yaml
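Review bot: The new `equals` / `value: null` entry on `ip_configuration.public_ip_address_id` is a third way for a NIC to count as having no public IP, next to the `length_less_than_or_equal` / `value: 0` entry right above it, and nothing in the file records which HCL form each branch exists for, so a later maintainer may fold them together and reopen the gap this commit closes; I would put `# an explicit public_ip_address_id = null must pass as "no public IP" too; the length branch above does not catch it (#6094)` directly above the new `- cond_type: attribute`. The list these entries belong to, and its `or`/`and` parent, starts before the hunk, so I cannot confirm from here that the new entry lands in the intended branch rather than in an outer `and`, which would invert its effect. Note also that `ip_configuration` is a repeatable block on `azurerm_network_interface`; whether `equals null` on this dotted path still fails a NIC whose second `ip_configuration` references a real public IP depends on how the graph flattens that list, and the new fixtures in `main.tf` do not exercise that shape (raised on that hunk).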
@@ -1,5 +1,7 @@
 pass:
 - "azurerm_network_interface.pass_int_1"
 - "azurerm_network_interface.pass_int_2"
+ - "azurerm_network_interface.pass_int_3"
+ - "azurerm_network_interface.pass_int_4"
 fail:
 - "azurerm_network_interface.fail_int"
\ No newline at end of file
diff --git a/tests/terraform/graph/checks/resources/AzureVMconfigPublicIP_SerialConsoleAccess/main.tf b/tests/terraform/graph/checks/resources/AzureVMconfigPublicIP_SerialConsoleAccess/main.tf
index 9ba187dbc7e..c299e624346 100644
--- a/tests/terraform/graph/checks/resources/AzureVMconfigPublicIP_SerialConsoleAccess/main.tf
+++ b/tests/terraform/graph/checks/resources/AzureVMconfigPublicIP_SerialConsoleAccess/main.tf
@@ -98,4 +98,56 @@ resource "azurerm_virtual_machine" "pass_vm" {
 # enabled = true
 # storage_uri = ""
 # }
+}
+
+# Case 4: Pass case: "ip_configuration.public_ip_address_id" does exist but is empty
+
+resource "azurerm_network_interface" "pass_int_3" {
+ name = "pass-nic"
+ location = azurerm_resource_group.pud-rg.location
+ resource_group_name = azurerm_resource_group.pud-rg.name
+
+ ip_configuration {
+ name = "internal"
+ subnet_id = var.prefix
+ private_ip_address_allocation = "Dynamic"
+ public_ip_address_id = ""
+ }
+}
+
+resource "azurerm_linux_virtual_machine" "pass_vm_3" {
+ name = "pud-linux-vm"
+ resource_group_name = azurerm_resource_group.pud-rg.name
+ location = azurerm_resource_group.pud-rg.location
+ size = "Standard_F2"
+ admin_username = "pud-admin"
+ network_interface_ids = [
+ azurerm_network_interface.pass_int_3.id,
+ ]
+}
+
+# Case 5: Pass case: "ip_configuration.public_ip_address_id" does exist but is null
+
+resource "azurerm_network_interface" "pass_int_4" {
+ name = "pass-nic"
+ location = azurerm_resource_group.pud-rg.location
+ resource_group_name = azurerm_resource_group.pud-rg.name
+
+ ip_configuration {
+ name = "internal"
+ subnet_id = var.prefix
+ private_ip_address_allocation = "Dynamic"
+ public_ip_address_id = null
+ }
+}
+
+resource "azurerm_linux_virtual_machine" "pass_vm_4" {
+ name = "pud-linux-vm"
+ resource_group_name = azurerm_resource_group.pud-rg.name
+ location = azurerm_resource_group.pud-rg.location
+ size = "Standard_F2"
+ admin_username = "pud-admin"
+ network_interface_ids = [
+ azurerm_network_interface.pass_int_4.id,
+ ]
 }
\ No newline at end of file
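Review bot: Both new NICs (`pass_int_3`, `pass_int_4`) carry a single `ip_configuration` block, so the fixtures only pin that a lone `""` or `null` passes; they say nothing about a NIC with one `ip_configuration` whose `public_ip_address_id` is `null` and a second one that references a real public IP, which is the multi-block shape `azurerm_network_interface` allows and the one a dotted path like `ip_configuration.public_ip_address_id` is most likely to misjudge. A fail-side fixture for that shape (constructed below, with made-up names `fail_pip_2` / `fail_int_2` / `fail_vm_2`) plus a matching `fail:` entry in `expected.yaml` would pin the intended outcome; whether the current flattening already handles it I cannot tell from this hunk. The file still ends without a newline (the `\ No newline at end of file` marker survives), which could have been fixed while the tail was being rewritten.
```hcl
# … unchanged: Case 4 and Case 5 resources …

# Case 6: Fail case: first ip_configuration has a null public IP, second one carries a real public IP
resource "azurerm_public_ip" "fail_pip_2" {
  name                = "fail-pip-2"
  location            = azurerm_resource_group.pud-rg.location
  resource_group_name = azurerm_resource_group.pud-rg.name
  allocation_method   = "Dynamic"
}

resource "azurerm_network_interface" "fail_int_2" {
  name                = "fail-nic-2"
  location            = azurerm_resource_group.pud-rg.location
  resource_group_name = azurerm_resource_group.pud-rg.name

  ip_configuration {
    name                          = "internal"
    primary                       = true
    subnet_id                     = var.prefix
    private_ip_address_allocation = "Dynamic"
    public_ip_address_id          = null
  }

  ip_configuration {
    name                          = "external"
    subnet_id                     = var.prefix
    private_ip_address_allocation = "Dynamic"
    public_ip_address_id          = azurerm_public_ip.fail_pip_2.id
  }
}

resource "azurerm_linux_virtual_machine" "fail_vm_2" {
  name                  = "pud-linux-vm-fail-2"
  resource_group_name   = azurerm_resource_group.pud-rg.name
  location              = azurerm_resource_group.pud-rg.location
  size                  = "Standard_F2"
  admin_username        = "pud-admin"
  network_interface_ids = [
    azurerm_network_interface.fail_int_2.id,
  ]
}
```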