-
Notifications
You must be signed in to change notification settings - Fork 1.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(arm): implement CKV_AZURE_95 for ARM (#5500)
* feat(arm): implement CKV_AZURE_95 for ARM * fix logic * flexible doesnt manage updates * adjust check logic --------- Co-authored-by: gruebel <[email protected]>
- Loading branch information
1 parent
225edea
commit b76f3f9
Showing
8 changed files
with
1,437 additions
and
0 deletions.
There are no files selected for viewing
42 changes: 42 additions & 0 deletions
42
checkov/arm/checks/resource/VMScaleSetsAutoOSImagePatchingEnabled.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| from __future__ import annotations | ||
|
|
||
| from typing import Any | ||
|
|
||
| from checkov.common.models.enums import CheckCategories, CheckResult | ||
| from checkov.arm.base_resource_check import BaseResourceCheck | ||
| from checkov.common.util.data_structures_utils import find_in_dict | ||
|
|
||
|
|
||
| class VMScaleSetsAutoOSImagePatchingEnabled(BaseResourceCheck): | ||
| def __init__(self) -> None: | ||
| name = "Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets" | ||
| id = "CKV_AZURE_95" | ||
| supported_resources = ("Microsoft.Compute/virtualMachineScaleSets",) | ||
| categories = (CheckCategories.GENERAL_SECURITY,) | ||
| super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) | ||
|
|
||
| def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: | ||
| properties = conf.get("properties") | ||
| if properties and isinstance(properties, dict): | ||
| if properties.get("orchestrationMode") == "Flexible": | ||
| self.evaluated_keys = ["properties/orchestrationMode"] | ||
| return CheckResult.FAILED | ||
|
|
||
| self.evaluated_keys = ["properties/virtualMachineProfile/extensionProfile/extensions"] | ||
| extensions = find_in_dict( | ||
| input_dict=properties, | ||
| key_path="virtualMachineProfile/extensionProfile/extensions", | ||
| ) | ||
| if extensions: | ||
| for extension in extensions: | ||
| extension_properties = extension.get("properties") | ||
| if extension_properties and isinstance(extension_properties, dict): | ||
| if extension_properties.get("enableAutomaticUpgrade") is True: | ||
| return CheckResult.PASSED | ||
|
|
||
| return CheckResult.FAILED | ||
|
|
||
| return CheckResult.UNKNOWN | ||
|
|
||
|
|
||
| check = VMScaleSetsAutoOSImagePatchingEnabled() |
231 changes: 231 additions & 0 deletions
231
tests/arm/checks/resource/example_VMScaleSetsAutoOSImagePatchingEnabled/fail-windows.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,231 @@ | ||
| { | ||
| "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", | ||
| "contentVersion": "1.0.0.0", | ||
| "parameters": { | ||
| "location": { | ||
| "type": "string" | ||
| }, | ||
| "osDiskType": { | ||
| "type": "string" | ||
| }, | ||
| "addressPrefixes": { | ||
| "type": "array" | ||
| }, | ||
| "subnets": { | ||
| "type": "array" | ||
| }, | ||
| "virtualNetworkId": { | ||
| "type": "string" | ||
| }, | ||
| "virtualNetworkName": { | ||
| "type": "string" | ||
| }, | ||
| "networkSecurityGroups": { | ||
| "type": "array" | ||
| }, | ||
| "networkInterfaceConfigurations": { | ||
| "type": "array" | ||
| }, | ||
| "vmName": { | ||
| "type": "string" | ||
| }, | ||
| "virtualMachineScaleSetName": { | ||
| "type": "string" | ||
| }, | ||
| "singlePlacementGroup": { | ||
| "type": "string" | ||
| }, | ||
| "instanceCount": { | ||
| "type": "string" | ||
| }, | ||
| "instanceSize": { | ||
| "type": "string" | ||
| }, | ||
| "scaleInPolicy": { | ||
| "type": "object" | ||
| }, | ||
| "overprovision": { | ||
| "type": "bool" | ||
| }, | ||
| "upgradePolicy": { | ||
| "type": "string" | ||
| }, | ||
| "adminUsername": { | ||
| "type": "string" | ||
| }, | ||
| "adminPassword": { | ||
| "type": "secureString" | ||
| }, | ||
| "securityType": { | ||
| "type": "string" | ||
| }, | ||
| "secureBoot": { | ||
| "type": "bool" | ||
| }, | ||
| "vTPM": { | ||
| "type": "bool" | ||
| }, | ||
| "platformFaultDomainCount": { | ||
| "type": "string" | ||
| } | ||
| }, | ||
| "variables": { | ||
| "storageApiVersion": "2021-01-01", | ||
| "virtualMachineScaleSetApiVersion": "2023-03-01", | ||
| "namingInfix": "[toLower(substring(concat(parameters('virtualMachineScaleSetName'), uniqueString(resourceGroup().id)), 0, 9))]" | ||
| }, | ||
| "resources": [ | ||
| { | ||
| "name": "[parameters('virtualNetworkName')]", | ||
| "type": "Microsoft.Network/virtualNetworks", | ||
| "apiVersion": "2021-05-01", | ||
| "location": "[parameters('location')]", | ||
| "properties": { | ||
| "addressSpace": { | ||
| "addressPrefixes": "[parameters('addressPrefixes')]" | ||
| }, | ||
| "subnets": "[parameters('subnets')]" | ||
| } | ||
| }, | ||
| { | ||
| "name": "[parameters('networkSecurityGroups')[copyIndex()].name]", | ||
| "type": "Microsoft.Network/networkSecurityGroups", | ||
| "apiVersion": "2019-02-01", | ||
| "location": "[parameters('location')]", | ||
| "properties": { | ||
| "securityRules": "[parameters('networkSecurityGroups')[copyIndex()].rules]" | ||
| }, | ||
| "copy": { | ||
| "name": "networkSecurityGroups", | ||
| "count": "[length(parameters('networkSecurityGroups'))]" | ||
| } | ||
| }, | ||
| { | ||
| "name": "fail-windows", | ||
| "type": "Microsoft.Compute/virtualMachineScaleSets", | ||
| "apiVersion": "[variables('virtualMachineScaleSetApiVersion')]", | ||
| "location": "[parameters('location')]", | ||
| "dependsOn": [ | ||
| "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]", | ||
| "networkSecurityGroups", | ||
| "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]" | ||
| ], | ||
| "properties": { | ||
| "singlePlacementGroup": "[parameters('singlePlacementGroup')]", | ||
| "virtualMachineProfile": { | ||
| "storageProfile": { | ||
| "osDisk": { | ||
| "createOption": "fromImage", | ||
| "caching": "ReadWrite", | ||
| "managedDisk": { | ||
| "storageAccountType": "[parameters('osDiskType')]" | ||
| } | ||
| }, | ||
| "imageReference": { | ||
| "publisher": "MicrosoftWindowsServer", | ||
| "offer": "WindowsServer", | ||
| "sku": "2019-datacenter-gensecond", | ||
| "version": "latest" | ||
| } | ||
| }, | ||
| "networkProfile": { | ||
| "copy": [ | ||
| { | ||
| "name": "networkInterfaceConfigurations", | ||
| "count": "[length(parameters('networkInterfaceConfigurations'))]", | ||
| "input": { | ||
| "name": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].name]", | ||
| "properties": { | ||
| "primary": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].primary]", | ||
| "enableAcceleratedNetworking": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].enableAcceleratedNetworking]", | ||
| "ipConfigurations": [ | ||
| { | ||
| "name": "[concat(take(parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].name, sub(80, length('-defaultIpConfiguration'))), '-defaultIpConfiguration')]", | ||
| "properties": { | ||
| "subnet": { | ||
| "id": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].subnetId]" | ||
| }, | ||
| "primary": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].primary]", | ||
| "applicationGatewayBackendAddressPools": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].applicationGatewayBackendAddressPools]", | ||
| "loadBalancerBackendAddressPools": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].loadBalancerBackendAddressPools]", | ||
| "publicIPAddressConfiguration": "[if( equals( parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].pipName, ''), json('null'), union(json(concat('{\"name\": \"', parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].pipName, '\"}'))\n ,json('{\"properties\": { \"idleTimeoutInMinutes\": 15}}')))]", | ||
| "loadBalancerInboundNatPools": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].loadBalancerInboundNatPools]" | ||
| } | ||
| } | ||
| ], | ||
| "networkSecurityGroup": "[if( equals( parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].nsgId, ''), json('null'),json(concat('{\"id\": \"', parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].nsgId, '\"}')))]" | ||
| } | ||
| } | ||
| } | ||
| ] | ||
| }, | ||
| "extensionProfile": { | ||
| "extensions": [ | ||
| { | ||
| "name": "GuestAttestation", | ||
| "properties": { | ||
| "publisher": "Microsoft.Azure.Security.WindowsAttestation", | ||
| "type": "GuestAttestation", | ||
| "typeHandlerVersion": "1.0", | ||
| "autoUpgradeMinorVersion": true, | ||
| "enableAutomaticUpgrade": false, | ||
| "settings": { | ||
| "AttestationConfig": { | ||
| "MaaSettings": { | ||
| "maaEndpoint": "", | ||
| "maaTenantName": "GuestAttestation" | ||
| }, | ||
| "AscSettings": { | ||
| "ascReportingEndpoint": "", | ||
| "ascReportingFrequency": "" | ||
| }, | ||
| "useCustomToken": "false", | ||
| "disableAlerts": "false" | ||
| } | ||
| } | ||
| } | ||
| } | ||
| ] | ||
| }, | ||
| "diagnosticsProfile": { | ||
| "bootDiagnostics": { | ||
| "enabled": true | ||
| } | ||
| }, | ||
| "osProfile": { | ||
| "computerNamePrefix": "[variables('namingInfix')]", | ||
| "adminUsername": "[parameters('adminUsername')]", | ||
| "adminPassword": "[parameters('adminPassword')]", | ||
| "windowsConfiguration": { | ||
| "provisionVmAgent": true | ||
| } | ||
| }, | ||
| "securityProfile": { | ||
| "securityType": "[parameters('securityType')]", | ||
| "uefiSettings": { | ||
| "secureBootEnabled": "[parameters('secureBoot')]", | ||
| "vTpmEnabled": "[parameters('vTPM')]" | ||
| } | ||
| } | ||
| }, | ||
| "orchestrationMode": "Uniform", | ||
| "scaleInPolicy": "[parameters('scaleInPolicy')]", | ||
| "overprovision": "[parameters('overprovision')]", | ||
| "upgradePolicy": { | ||
| "mode": "[parameters('upgradePolicy')]" | ||
| }, | ||
| "platformFaultDomainCount": "[parameters('platformFaultDomainCount')]" | ||
| }, | ||
| "sku": { | ||
| "name": "[parameters('instanceSize')]", | ||
| "capacity": "[int(parameters('instanceCount'))]" | ||
| } | ||
| } | ||
| ], | ||
| "outputs": { | ||
| "adminUsername": { | ||
| "type": "string", | ||
| "value": "[parameters('adminUsername')]" | ||
| } | ||
| } | ||
| } |
Oops, something went wrong.