diff --git a/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py b/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py
new file mode 100644
index 00000000000..e1cedfc61e7
--- /dev/null
+++ b/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py
@@ -0,0 +1,51 @@
+from __future__ import annotations
+
+from typing import Any
+
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.arm.base_resource_check import BaseResourceCheck
+
+
+class VMDisablePasswordAuthentication(BaseResourceCheck):
+    def __init__(self) -> None:
+        name = "Ensure that Virtual machine does not enable password authentication"
+        id = "CKV_AZURE_149"
+        supported_resources = (
+            "Microsoft.Compute/virtualMachineScaleSets",
+            "Microsoft.Compute/virtualMachines",
+        )
+        categories = (CheckCategories.ENCRYPTION,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
+        os_profile = None
+
+        properties = conf.get("properties")
+        if properties and isinstance(properties, dict):
+            if self.entity_type == "Microsoft.Compute/virtualMachines":
+                tmp_os_profile = properties.get("osProfile")
+                if tmp_os_profile and isinstance(tmp_os_profile, dict):
+                    os_profile = tmp_os_profile
+            elif self.entity_type == "Microsoft.Compute/virtualMachineScaleSets":
+                vm_profile = properties.get("virtualMachineProfile")
+                if vm_profile and isinstance(vm_profile, dict):
+                    tmp_os_profile = vm_profile.get("osProfile")
+                    if tmp_os_profile and isinstance(tmp_os_profile, dict):
+                        os_profile = tmp_os_profile
+
+        if os_profile is None:
+            return CheckResult.UNKNOWN
+
+        linux_config = os_profile.get("linuxConfiguration")
+        if linux_config and isinstance(linux_config, dict):
+            pass_auth = linux_config.get("disablePasswordAuthentication")
+            if pass_auth and isinstance(pass_auth, bool):
+                return CheckResult.PASSED if pass_auth and isinstance(pass_auth, bool) else CheckResult.FAILED
+            return CheckResult.FAILED
+
+        return CheckResult.UNKNOWN
+
+        return CheckResult.FAILED
+
+
+check = VMDisablePasswordAuthentication()
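Review bot: The PASSED/FAILED decision on `disablePasswordAuthentication` in `scan_resource_conf` is written as `if pass_auth and isinstance(pass_auth, bool): return CheckResult.PASSED if pass_auth and isinstance(pass_auth, bool) else CheckResult.FAILED`, so the inner conditional can only ever yield PASSED and the `isinstance` test is evaluated twice; `if isinstance(pass_auth, bool): return CheckResult.PASSED if pass_auth else CheckResult.FAILED` expresses the same decision once, and the `return CheckResult.FAILED` that follows `return CheckResult.UNKNOWN` at the end of the method is unreachable and should be dropped. A non-bool value for the key (for instance a template expression string left unresolved by the parser) currently falls through to FAILED; failing closed is a defensible choice for a password-authentication control, but it is worth recording with a comment such as `# any non-bool value (e.g. an unresolved expression) is reported as password auth enabled` so the false-positive path is a documented decision rather than an accident. The `CheckCategories.ENCRYPTION` category also reads like a carry-over: whether SSH password logins are allowed is an identity control, and `CheckCategories.IAM` would describe it more accurately unless the category is kept deliberately for consistency with another check using this id.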
diff --git a/tests/arm/checks/resource/example_VMDisablePasswordAuthentication/failed-vm.json b/tests/arm/checks/resource/example_VMDisablePasswordAuthentication/failed-vm.json
new file mode 100644
index 00000000000..64de7a2d7c7
--- /dev/null
+++ b/tests/arm/checks/resource/example_VMDisablePasswordAuthentication/failed-vm.json
@@ -0,0 +1,235 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "networkInterfaceName1": { + "type": "string" + }, + "enableAcceleratedNetworking": { + "type": "bool" + }, + "networkSecurityGroupName": { + "type": "string" + }, + "networkSecurityGroupRules": { + "type": "array" + }, + "subnetName": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string" + }, + "addressPrefixes": { + "type": "array" + }, + "subnets": { + "type": "array" + }, + "publicIpAddressName1": { + "type": "string" + }, + "publicIpAddressType": { + "type": "string" + }, + "publicIpAddressSku": { + "type": "string" + }, + "pipDeleteOption": { + "type": "string" + }, + "virtualMachineName": { + "type": "string" + }, + "virtualMachineName1": { + "type": "string" + }, + "virtualMachineComputerName1": { + "type": "string" + }, + "virtualMachineRG": { + "type": "string" + }, + "osDiskType": { + "type": "string" + }, + "osDiskDeleteOption": { + "type": "string" + }, + "virtualMachineSize": { + "type": "string" + }, + "nicDeleteOption": { + "type": "string" + }, + "adminUsername": { + "type": "string" + }, + "adminPassword": { + "type": "secureString" + }, + "securityType": { + "type": "string" + }, + "secureBoot": { + "type": "bool" + }, + "vTPM": { + "type": "bool" + }, + "virtualMachine1Zone": { + "type": "string" + } + }, + "variables": { + "nsgId": "[resourceId(resourceGroup().name, 'Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroupName'))]", + "vnetName": "[parameters('virtualNetworkName')]", + "vnetId": "[resourceId(resourceGroup().name,'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]", + "subnetRef": "[concat(variables('vnetId'), '/subnets/', parameters('subnetName'))]" + }, + "resources": [ + { + "name": "[parameters('networkInterfaceName1')]", + "type": 
"Microsoft.Network/networkInterfaces", + "apiVersion": "2022-11-01", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/networkSecurityGroups/', parameters('networkSecurityGroupName'))]", + "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]", + "[concat('Microsoft.Network/publicIpAddresses/', parameters('publicIpAddressName1'))]" + ], + "properties": { + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "subnet": { + "id": "[variables('subnetRef')]" + }, + "privateIPAllocationMethod": "Dynamic", + "publicIpAddress": { + "id": "[resourceId(resourceGroup().name, 'Microsoft.Network/publicIpAddresses', parameters('publicIpAddressName1'))]", + "properties": { + "deleteOption": "[parameters('pipDeleteOption')]" + } + } + } + } + ], + "enableAcceleratedNetworking": "[parameters('enableAcceleratedNetworking')]", + "networkSecurityGroup": { + "id": "[variables('nsgId')]" + } + } + }, + { + "name": "[parameters('networkSecurityGroupName')]", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2019-02-01", + "location": "[parameters('location')]", + "properties": { + "securityRules": "[parameters('networkSecurityGroupRules')]" + } + }, + { + "name": "[parameters('virtualNetworkName')]", + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2021-05-01", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": "[parameters('addressPrefixes')]" + }, + "subnets": "[parameters('subnets')]" + } + }, + { + "name": "[parameters('publicIpAddressName1')]", + "type": "Microsoft.Network/publicIpAddresses", + "apiVersion": "2020-08-01", + "location": "[parameters('location')]", + "properties": { + "publicIpAllocationMethod": "[parameters('publicIpAddressType')]" + }, + "sku": { + "name": "[parameters('publicIpAddressSku')]" + }, + "zones": [ + "[parameters('virtualMachine1Zone')]" + ] + }, + { + "name": "failed", + "type": 
"Microsoft.Compute/virtualMachines", + "apiVersion": "2022-03-01", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/networkInterfaces/', parameters('networkInterfaceName1'))]" + ], + "properties": { + "hardwareProfile": { + "vmSize": "[parameters('virtualMachineSize')]" + }, + "storageProfile": { + "osDisk": { + "createOption": "fromImage", + "managedDisk": { + "storageAccountType": "[parameters('osDiskType')]" + }, + "deleteOption": "[parameters('osDiskDeleteOption')]" + }, + "imageReference": { + "publisher": "canonical", + "offer": "0001-com-ubuntu-server-focal", + "sku": "20_04-lts-gen2", + "version": "latest" + } + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaceName1'))]", + "properties": { + "deleteOption": "[parameters('nicDeleteOption')]" + } + } + ] + }, + "osProfile": { + "computerName": "[parameters('virtualMachineComputerName1')]", + "adminUsername": "[parameters('adminUsername')]", + "adminPassword": "[parameters('adminPassword')]", + "linuxConfiguration": { + "patchSettings": { + "patchMode": "ImageDefault" + } + } + }, + "securityProfile": { + "securityType": "[parameters('securityType')]", + "uefiSettings": { + "secureBootEnabled": "[parameters('secureBoot')]", + "vTpmEnabled": "[parameters('vTPM')]" + } + }, + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": true + } + } + }, + "zones": [ + "[parameters('virtualMachine1Zone')]" + ] + } + ], + "outputs": { + "adminUsername": { + "type": "string", + "value": "[parameters('adminUsername')]" + } + } +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_VMDisablePasswordAuthentication/failed.json b/tests/arm/checks/resource/example_VMDisablePasswordAuthentication/failed.json new file mode 100644 index 00000000000..e178de9da41 --- /dev/null +++ b/tests/arm/checks/resource/example_VMDisablePasswordAuthentication/failed.json 
@@ -0,0 +1,217 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "osDiskType": { + "type": "string" + }, + "addressPrefixes": { + "type": "array" + }, + "subnets": { + "type": "array" + }, + "virtualNetworkId": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string" + }, + "networkSecurityGroups": { + "type": "array" + }, + "networkInterfaceConfigurations": { + "type": "array" + }, + "vmName": { + "type": "string" + }, + "virtualMachineScaleSetName": { + "type": "string" + }, + "instanceCount": { + "type": "string" + }, + "instanceSize": { + "type": "string" + }, + "adminUsername": { + "type": "string" + }, + "adminPassword": { + "type": "secureString" + }, + "securityType": { + "type": "string" + }, + "secureBoot": { + "type": "bool" + }, + "vTPM": { + "type": "bool" + }, + "platformFaultDomainCount": { + "type": "string" + } + }, + "variables": { + "storageApiVersion": "2021-01-01", + "networkApiVersion": "2020-11-01", + "virtualMachineScaleSetApiVersion": "2023-03-01", + "namingInfix": "[toLower(substring(concat(parameters('virtualMachineScaleSetName'), uniqueString(resourceGroup().id)), 0, 9))]" + }, + "resources": [ + { + "name": "[parameters('virtualNetworkName')]", + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2021-05-01", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": "[parameters('addressPrefixes')]" + }, + "subnets": "[parameters('subnets')]" + } + }, + { + "name": "[parameters('networkSecurityGroups')[copyIndex()].name]", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2019-02-01", + "location": "[parameters('location')]", + "properties": { + "securityRules": "[parameters('networkSecurityGroups')[copyIndex()].rules]" + }, + "copy": { + "name": "networkSecurityGroups", + "count": 
"[length(parameters('networkSecurityGroups'))]" + } + }, + { + "name": "failed", + "type": "Microsoft.Compute/virtualMachineScaleSets", + "apiVersion": "[variables('virtualMachineScaleSetApiVersion')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]", + "networkSecurityGroups", + "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]" + ], + "properties": { + "virtualMachineProfile": { + "storageProfile": { + "osDisk": { + "createOption": "fromImage", + "caching": "ReadWrite", + "managedDisk": { + "storageAccountType": "[parameters('osDiskType')]" + } + }, + "imageReference": { + "publisher": "canonical", + "offer": "0001-com-ubuntu-server-focal", + "sku": "20_04-lts-gen2", + "version": "latest" + } + }, + "networkProfile": { + "networkApiVersion": "[variables('networkApiVersion')]", + "copy": [ + { + "name": "networkInterfaceConfigurations", + "count": "[length(parameters('networkInterfaceConfigurations'))]", + "input": { + "name": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].name]", + "properties": { + "primary": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].primary]", + "enableAcceleratedNetworking": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].enableAcceleratedNetworking]", + "ipConfigurations": [ + { + "name": "[concat(take(parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].name, sub(80, length('-defaultIpConfiguration'))), '-defaultIpConfiguration')]", + "properties": { + "subnet": { + "id": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].subnetId]" + }, + "primary": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].primary]", + "applicationGatewayBackendAddressPools": 
"[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].applicationGatewayBackendAddressPools]", + "loadBalancerBackendAddressPools": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].loadBalancerBackendAddressPools]", + "publicIPAddressConfiguration": "[if( equals( parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].pipName, ''), json('null'), union(json(concat('{\"name\": \"', parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].pipName, '\"}'))\n ,json('{\"properties\": { \"idleTimeoutInMinutes\": 15}}')))]" + } + } + ], + "networkSecurityGroup": "[if( equals( parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].nsgId, ''), json('null'),json(concat('{\"id\": \"', parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].nsgId, '\"}')))]" + } + } + } + ] + }, + "extensionProfile": { + "extensions": [ + { + "name": "GuestAttestation", + "properties": { + "publisher": "Microsoft.Azure.Security.LinuxAttestation", + "type": "GuestAttestation", + "typeHandlerVersion": "1.0", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": true, + "settings": { + "AttestationConfig": { + "MaaSettings": { + "maaEndpoint": "", + "maaTenantName": "GuestAttestation" + }, + "AscSettings": { + "ascReportingEndpoint": "", + "ascReportingFrequency": "" + }, + "useCustomToken": "false", + "disableAlerts": "false" + } + } + } + } + ] + }, + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": true + } + }, + "osProfile": { + "computerNamePrefix": "[variables('namingInfix')]", + "adminUsername": "[parameters('adminUsername')]", + "adminPassword": "[parameters('adminPassword')]", + "linuxConfiguration": { + "disablePasswordAuthentication": false, + "patchSettings": { + "patchMode": "ImageDefault" + } + } + }, + "securityProfile": { + "securityType": 
"[parameters('securityType')]", + "uefiSettings": { + "secureBootEnabled": "[parameters('secureBoot')]", + "vTpmEnabled": "[parameters('vTPM')]" + } + } + }, + "orchestrationMode": "Flexible", + "platformFaultDomainCount": "[parameters('platformFaultDomainCount')]" + }, + "sku": { + "name": "[parameters('instanceSize')]", + "capacity": "[int(parameters('instanceCount'))]" + } + } + ], + "outputs": { + "adminUsername": { + "type": "string", + "value": "[parameters('adminUsername')]" + } + } +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_VMDisablePasswordAuthentication/passed-vm.json b/tests/arm/checks/resource/example_VMDisablePasswordAuthentication/passed-vm.json new file mode 100644 index 00000000000..ccfe42d90d5 --- /dev/null +++ b/tests/arm/checks/resource/example_VMDisablePasswordAuthentication/passed-vm.json 
@@ -0,0 +1,229 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "networkInterfaceName1": { + "type": "string" + }, + "enableAcceleratedNetworking": { + "type": "bool" + }, + "networkSecurityGroupName": { + "type": "string" + }, + "networkSecurityGroupRules": { + "type": "array" + }, + "subnetName": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string" + }, + "addressPrefixes": { + "type": "array" + }, + "subnets": { + "type": "array" + }, + "publicIpAddressName1": { + "type": "string" + }, + "publicIpAddressType": { + "type": "string" + }, + "publicIpAddressSku": { + "type": "string" + }, + "pipDeleteOption": { + "type": "string" + }, + "virtualMachineName": { + "type": "string" + }, + "virtualMachineName1": { + "type": "string" + }, + "virtualMachineComputerName1": { + "type": "string" + }, + "virtualMachineRG": { + "type": "string" + }, + "osDiskType": { + "type": "string" + }, + "osDiskDeleteOption": { + "type": "string" + }, + "virtualMachineSize": { + "type": "string" + }, + "nicDeleteOption": { + "type": "string" + }, + "adminUsername": { + "type": "string" + }, + "securityType": { + "type": "string" + }, + "secureBoot": { + "type": "bool" + }, + "vTPM": { + "type": "bool" + }, + "virtualMachine1Zone": { + "type": "string" + } + }, + "variables": { + "nsgId": "[resourceId(resourceGroup().name, 'Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroupName'))]", + "vnetName": "[parameters('virtualNetworkName')]", + "vnetId": "[resourceId(resourceGroup().name,'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]", + "subnetRef": "[concat(variables('vnetId'), '/subnets/', parameters('subnetName'))]" + }, + "resources": [ + { + "name": "[parameters('networkInterfaceName1')]", + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2022-11-01", + "location": 
"[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/networkSecurityGroups/', parameters('networkSecurityGroupName'))]", + "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]", + "[concat('Microsoft.Network/publicIpAddresses/', parameters('publicIpAddressName1'))]" + ], + "properties": { + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "subnet": { + "id": "[variables('subnetRef')]" + }, + "privateIPAllocationMethod": "Dynamic", + "publicIpAddress": { + "id": "[resourceId(resourceGroup().name, 'Microsoft.Network/publicIpAddresses', parameters('publicIpAddressName1'))]", + "properties": { + "deleteOption": "[parameters('pipDeleteOption')]" + } + } + } + } + ], + "enableAcceleratedNetworking": "[parameters('enableAcceleratedNetworking')]", + "networkSecurityGroup": { + "id": "[variables('nsgId')]" + } + } + }, + { + "name": "[parameters('networkSecurityGroupName')]", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2019-02-01", + "location": "[parameters('location')]", + "properties": { + "securityRules": "[parameters('networkSecurityGroupRules')]" + } + }, + { + "name": "[parameters('virtualNetworkName')]", + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2021-05-01", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": "[parameters('addressPrefixes')]" + }, + "subnets": "[parameters('subnets')]" + } + }, + { + "name": "[parameters('publicIpAddressName1')]", + "type": "Microsoft.Network/publicIpAddresses", + "apiVersion": "2020-08-01", + "location": "[parameters('location')]", + "properties": { + "publicIpAllocationMethod": "[parameters('publicIpAddressType')]" + }, + "sku": { + "name": "[parameters('publicIpAddressSku')]" + }, + "zones": [ + "[parameters('virtualMachine1Zone')]" + ] + }, + { + "name": "passed", + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2022-03-01", + "location": 
"[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/networkInterfaces/', parameters('networkInterfaceName1'))]" + ], + "properties": { + "hardwareProfile": { + "vmSize": "[parameters('virtualMachineSize')]" + }, + "storageProfile": { + "osDisk": { + "createOption": "fromImage", + "managedDisk": { + "storageAccountType": "[parameters('osDiskType')]" + }, + "deleteOption": "[parameters('osDiskDeleteOption')]" + }, + "imageReference": { + "publisher": "canonical", + "offer": "0001-com-ubuntu-server-focal", + "sku": "20_04-lts-gen2", + "version": "latest" + } + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaceName1'))]", + "properties": { + "deleteOption": "[parameters('nicDeleteOption')]" + } + } + ] + }, + "osProfile": { + "computerName": "[parameters('virtualMachineComputerName1')]", + "adminUsername": "[parameters('adminUsername')]", + "linuxConfiguration": { + "disablePasswordAuthentication": true + } + }, + "securityProfile": { + "securityType": "[parameters('securityType')]", + "uefiSettings": { + "secureBootEnabled": "[parameters('secureBoot')]", + "vTpmEnabled": "[parameters('vTPM')]" + } + }, + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": true + } + } + }, + "zones": [ + "[parameters('virtualMachine1Zone')]" + ] + } + ], + "outputs": { + "adminUsername": { + "type": "string", + "value": "[parameters('adminUsername')]" + } + } +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_VMDisablePasswordAuthentication/passed.json b/tests/arm/checks/resource/example_VMDisablePasswordAuthentication/passed.json new file mode 100644 index 00000000000..28bc9a58790 --- /dev/null +++ b/tests/arm/checks/resource/example_VMDisablePasswordAuthentication/passed.json 
@@ -0,0 +1,210 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "osDiskType": { + "type": "string" + }, + "addressPrefixes": { + "type": "array" + }, + "subnets": { + "type": "array" + }, + "virtualNetworkId": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string" + }, + "networkSecurityGroups": { + "type": "array" + }, + "networkInterfaceConfigurations": { + "type": "array" + }, + "vmName": { + "type": "string" + }, + "virtualMachineScaleSetName": { + "type": "string" + }, + "instanceCount": { + "type": "string" + }, + "instanceSize": { + "type": "string" + }, + "adminUsername": { + "type": "string" + }, + "securityType": { + "type": "string" + }, + "secureBoot": { + "type": "bool" + }, + "vTPM": { + "type": "bool" + }, + "platformFaultDomainCount": { + "type": "string" + } + }, + "variables": { + "storageApiVersion": "2021-01-01", + "networkApiVersion": "2020-11-01", + "virtualMachineScaleSetApiVersion": "2023-03-01", + "namingInfix": "[toLower(substring(concat(parameters('virtualMachineScaleSetName'), uniqueString(resourceGroup().id)), 0, 9))]" + }, + "resources": [ + { + "name": "[parameters('virtualNetworkName')]", + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2021-05-01", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": "[parameters('addressPrefixes')]" + }, + "subnets": "[parameters('subnets')]" + } + }, + { + "name": "[parameters('networkSecurityGroups')[copyIndex()].name]", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2019-02-01", + "location": "[parameters('location')]", + "properties": { + "securityRules": "[parameters('networkSecurityGroups')[copyIndex()].rules]" + }, + "copy": { + "name": "networkSecurityGroups", + "count": "[length(parameters('networkSecurityGroups'))]" + } + }, + { + "name": "passed", 
+ "type": "Microsoft.Compute/virtualMachineScaleSets", + "apiVersion": "[variables('virtualMachineScaleSetApiVersion')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]", + "networkSecurityGroups", + "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]" + ], + "properties": { + "virtualMachineProfile": { + "storageProfile": { + "osDisk": { + "createOption": "fromImage", + "caching": "ReadWrite", + "managedDisk": { + "storageAccountType": "[parameters('osDiskType')]" + } + }, + "imageReference": { + "publisher": "canonical", + "offer": "0001-com-ubuntu-server-focal", + "sku": "20_04-lts-gen2", + "version": "latest" + } + }, + "networkProfile": { + "networkApiVersion": "[variables('networkApiVersion')]", + "copy": [ + { + "name": "networkInterfaceConfigurations", + "count": "[length(parameters('networkInterfaceConfigurations'))]", + "input": { + "name": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].name]", + "properties": { + "primary": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].primary]", + "enableAcceleratedNetworking": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].enableAcceleratedNetworking]", + "ipConfigurations": [ + { + "name": "[concat(take(parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].name, sub(80, length('-defaultIpConfiguration'))), '-defaultIpConfiguration')]", + "properties": { + "subnet": { + "id": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].subnetId]" + }, + "primary": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].primary]", + "applicationGatewayBackendAddressPools": 
"[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].applicationGatewayBackendAddressPools]", + "loadBalancerBackendAddressPools": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].loadBalancerBackendAddressPools]", + "publicIPAddressConfiguration": "[if( equals( parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].pipName, ''), json('null'), union(json(concat('{\"name\": \"', parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].pipName, '\"}'))\n ,json('{\"properties\": { \"idleTimeoutInMinutes\": 15}}')))]" + } + } + ], + "networkSecurityGroup": "[if( equals( parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].nsgId, ''), json('null'),json(concat('{\"id\": \"', parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].nsgId, '\"}')))]" + } + } + } + ] + }, + "extensionProfile": { + "extensions": [ + { + "name": "GuestAttestation", + "properties": { + "publisher": "Microsoft.Azure.Security.LinuxAttestation", + "type": "GuestAttestation", + "typeHandlerVersion": "1.0", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": true, + "settings": { + "AttestationConfig": { + "MaaSettings": { + "maaEndpoint": "", + "maaTenantName": "GuestAttestation" + }, + "AscSettings": { + "ascReportingEndpoint": "", + "ascReportingFrequency": "" + }, + "useCustomToken": "false", + "disableAlerts": "false" + } + } + } + } + ] + }, + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": true + } + }, + "osProfile": { + "computerNamePrefix": "[variables('namingInfix')]", + "adminUsername": "[parameters('adminUsername')]", + "linuxConfiguration": { + "disablePasswordAuthentication": true + } + }, + "securityProfile": { + "securityType": "[parameters('securityType')]", + "uefiSettings": { + "secureBootEnabled": "[parameters('secureBoot')]", + 
"vTpmEnabled": "[parameters('vTPM')]" + } + } + }, + "orchestrationMode": "Flexible", + "platformFaultDomainCount": "[parameters('platformFaultDomainCount')]" + }, + "sku": { + "name": "[parameters('instanceSize')]", + "capacity": "[int(parameters('instanceCount'))]" + } + } + ], + "outputs": { + "adminUsername": { + "type": "string", + "value": "[parameters('adminUsername')]" + } + } +} \ No newline at end of file diff --git a/tests/arm/checks/resource/test_VMDisablePasswordAuthentication.py b/tests/arm/checks/resource/test_VMDisablePasswordAuthentication.py new file mode 100644 index 00000000000..489a1e2ccf2 --- /dev/null +++ b/tests/arm/checks/resource/test_VMDisablePasswordAuthentication.py 
@@ -0,0 +1,42 @@
+import os
+import unittest
+from pathlib import Path
+
+from checkov.arm.checks.resource.VMDisablePasswordAuthentication import check
+from checkov.arm.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestVMDisablePasswordAuthentication(unittest.TestCase):
+
+    def test_summary(self):
+        # given
+        test_files_dir = Path(__file__).parent / "example_VMDisablePasswordAuthentication"
+
+        # when
+        report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+        # then
+        summary = report.get_summary()
+
+        passing_resources = {
+            "Microsoft.Compute/virtualMachineScaleSets.passed",
+            "Microsoft.Compute/virtualMachines.passed"
+        }
+        failing_resources = {
+            "Microsoft.Compute/virtualMachineScaleSets.failed",
+            "Microsoft.Compute/virtualMachines.failed"
+        }
+
+        passed_check_resources = {c.resource for c in report.passed_checks}
+        failed_check_resources = {c.resource for c in report.failed_checks}
+
+        self.assertEqual(summary["passed"], len(passing_resources))
+        self.assertEqual(summary["failed"], len(failing_resources))
+        self.assertEqual(summary["skipped"], 0)
+        self.assertEqual(summary["parsing_errors"], 0)
+
+        self.assertEqual(passing_resources, passed_check_resources)
+        self.assertEqual(failing_resources, failed_check_resources)
+
+
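Review bot: `import os` at the top of the test module is never used — the fixture directory is built with `Path` — and should be removed. The four fixtures only exercise the PASSED and FAILED outcomes; there is no template for the UNKNOWN path (a VM or scale set whose `osProfile` has no `linuxConfiguration`, as a Windows image would), so a regression that turned that path into a false FAILED would not be caught here, and a fifth fixture asserted through the report's resource count would close that gap. The `parsing_errors == 0` assertion is what guards against the large templates being silently skipped, so it should stay even if the counts are later restructured.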