Skip to content

Commit

Permalink
feat(arm): MSSQLServerMinTLSVersion (#6245)
Browse files Browse the repository at this point in the history 
* MSSQLServerMinTLSVersion

* MSSQLServerMinTLSVersion

* MSSQLServerMinTLSVersion

* fix MSSQLServerMinTLSVersion

* fix2 MSSQLServerMinTLSVersion

---------

Co-authored-by: ChanochShayner <[email protected]>
  • Loading branch information
@chaniglik @ChanochShayner
chaniglik and ChanochShayner authored May 19, 2024
1 parent 4bb8d0c commit c23932d
Show file tree
Hide file tree
Showing 4 changed files with 558 additions and 0 deletions.
24 changes: 24 additions & 0 deletions checkov/arm/checks/resource/MSSQLServerMinTLSVersion.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_value_check import BaseResourceValueCheck


class MSSQLServerMinTLSVersion(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure MSSQL is using the latest version of TLS encryption"
id = "CKV_AZURE_52"
supported_resources = ("Microsoft.Sql/servers",)
categories = (CheckCategories.NETWORKING,)
super().__init__(name=name,
id=id,
categories=categories,
supported_resources=supported_resources,
missing_block_result=CheckResult.FAILED,)

def get_inspected_key(self) -> str:
return "properties/minimalTlsVersion"

def get_expected_value(self) -> str:
return "1.2"


check = MSSQLServerMinTLSVersion()
246 changes: 246 additions & 0 deletions tests/arm/checks/resource/example_MSSQLServerMinTLSVersion/fail.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,246 @@
{
"$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"apiVersion": {
"type": "string",
"defaultValue": "2021-05-01"
},
"administratorLogin": {
"type": "string"
},
"administratorLoginPassword": {
"type": "securestring"
},
"location": {
"type": "string"
},
"serverName": {
"type": "string"
},
"serverEdition": {
"type": "string"
},
"vCores": {
"type": "int",
"defaultValue": 4
},
"storageSizeGB": {
"type": "int"
},
"haEnabled": {
"type": "string",
"defaultValue": "Disabled"
},
"availabilityZone": {
"type": "string",
"defaultValue": ""
},
"standbyAvailabilityZone": {
"type": "string"
},
"version": {
"type": "string"
},
"tags": {
"type": "object",
"defaultValue": {}
},
"firewallRules": {
"type": "object",
"defaultValue": {}
},
"backupRetentionDays": {
"type": "int"
},
"geoRedundantBackup": {
"type": "string"
},
"vmName": {
"type": "string",
"defaultValue": "Standard_B1ms"
},
"storageIops": {
"type": "int"
},
"storageAutogrow": {
"type": "string",
"defaultValue": "Enabled"
},
"autoIoScaling": {
"type": "string",
"defaultValue": "Disabled"
},
"identityData": {
"type": "object",
"defaultValue": {}
},
"dataEncryptionData": {
"type": "object",
"defaultValue": {}
},
"serverParameters": {
"type": "array",
"defaultValue": []
},
"aadEnabled": {
"type": "bool",
"defaultValue": false
},
"aadData": {
"type": "object",
"defaultValue": {}
},
"guid": {
"type": "string",
"defaultValue": "[newGuid()]"
},
"network": {
"type": "object",
"defaultValue": {}
},
"firewallRulesAPIVersion": {
"type": "string",
"defaultValue": "2022-01-01"
}
},
"variables": {
"api": "[parameters('apiVersion')]",
"firewallRules": "[parameters('firewallRules').rules]",
"serverParameters": "[parameters('serverParameters')]"
},
"resources": [
{
"type": "Microsoft.Sql/servers",
"apiVersion": "2023-05-01-preview",
"name": "fail",
"location": "string",
"tags": {
"tagName1": "tagValue1",
"tagName2": "tagValue2"
},
"identity": {
"type": "string",
"userAssignedIdentities": {
"{customized property}": {}
}
},
"properties": {
"administratorLogin": "string",
"administratorLoginPassword": "string",
"administrators": {
"administratorType": "ActiveDirectory",
"azureADOnlyAuthentication": "bool",
"login": "string",
"principalType": "string",
"sid": "string",
"tenantId": "string"
},
"federatedClientId": "string",
"isIPv6Enabled": "string",
"keyId": "string",
"minimalTlsVersion": "1.1",
"primaryUserAssignedIdentityId": "string",
"publicNetworkAccess": "string",
"restrictOutboundNetworkAccess": "string",
"version": "string"
}
},
{
"condition": "[greater(length(variables('firewallRules')), 0)]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-08-01",
"name": "[concat('firewallRules-', parameters('guid'), '-', copyIndex())]",
"copy": {
"count": "[if(greater(length(variables('firewallRules')), 0), length(variables('firewallRules')), 1)]",
"mode": "Serial",
"name": "firewallRulesIterator"
},
"dependsOn": [
"[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]",
"[concat('Microsoft.Resources/deployments/addAdmins-', parameters('guid'))]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.DBforMySQL/flexibleServers/firewallRules",
"name": "[concat(parameters('serverName'),'/',variables('firewallRules')[copyIndex()].name)]",
"apiVersion": "[parameters('firewallRulesAPIVersion')]",
"properties": {
"StartIpAddress": "[variables('firewallRules')[copyIndex()].startIPAddress]",
"EndIpAddress": "[variables('firewallRules')[copyIndex()].endIPAddress]"
}
}
]
}
}
},
{
"condition": "[parameters('aadEnabled')]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-08-01",
"name": "[concat('addAdmins-', parameters('guid'))]",
"dependsOn": [
"[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.DBforMySQL/flexibleServers/administrators",
"name": "[concat(parameters('serverName'),'/ActiveDirectory')]",
"apiVersion": "[variables('api')]",
"properties": {
"administratorType": "[parameters('aadData').administratorType]",
"identityResourceId": "[parameters('aadData').identityResourceId]",
"login": "[parameters('aadData').login]",
"sid": "[parameters('aadData').sid]",
"tenantId": "[parameters('aadData').tenantId]"
}
}
]
}
}
},
{
"condition": "[and(greater(length(variables('serverParameters')), 0), parameters('aadEnabled'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-08-01",
"copy": {
"count": "[if(greater(length(variables('serverParameters')), 0), length(variables('serverParameters')), 1)]",
"mode": "serial",
"name": "serverParametersIterator"
},
"dependsOn": [
"[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]",
"[concat('Microsoft.Resources/deployments/addAdmins-', parameters('guid'))]"
],
"name": "[concat('serverParameters-', copyIndex(), '-', parameters('guid'))]",
"properties": {
"mode": "Incremental",
"template": {
"$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.DBforMySQL/flexibleServers/configurations",
"name": "[concat(parameters('serverName'),'/',variables('serverParameters')[copyIndex()].name)]",
"apiVersion": "[variables('api')]",
"properties": {
"value": "[variables('serverParameters')[copyIndex()].value]",
"source": "[variables('serverParameters')[copyIndex()].source]"
}
}
]
}
}
}
]
}
Loading

0 comments on commit c23932d

Please sign in to comment.