fix(terraform): Fix range issue in OCI RDP check (#5832)

Fix range
bridgecrewio · Dec 6, 2023 · d15da42 · d15da42
1 parent a80ecbe
commit d15da42
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 10 deletions.
diff --git a/checkov/terraform/checks/graph_checks/oci/OCI_NSGNotAllowRDP.yaml b/checkov/terraform/checks/graph_checks/oci/OCI_NSGNotAllowRDP.yaml
@@ -48,11 +48,17 @@ definition:
           operator: "not_equals"
           value: 3389
 
-        - cond_type: "attribute"
-          resource_types: "oci_core_network_security_group_security_rule"
-          attribute: "tcp_options.destination_port_range.min"
-          operator: "greater_than"
-          value: 3389
+        - or: 
+            - cond_type: "attribute"
+              resource_types: "oci_core_network_security_group_security_rule"
+              attribute: "tcp_options.destination_port_range.min"
+              operator: "greater_than"
+              value: 3389
+            - cond_type: "attribute"
+              resource_types: "oci_core_network_security_group_security_rule"
+              attribute: "tcp_options.destination_port_range.max"
+              operator: "less_than"
+              value: 3389
 
     - and:
         - cond_type: "attribute"
@@ -61,8 +67,14 @@ definition:
           operator: "not_equals"
           value: 3389
 
-        - cond_type: "attribute"
-          resource_types: "oci_core_network_security_group_security_rule"
-          attribute: "udp_options.destination_port_range.min"
-          operator: "greater_than"
-          value: 3389
+        - or:
+            - cond_type: "attribute"
+              resource_types: "oci_core_network_security_group_security_rule"
+              attribute: "udp_options.destination_port_range.min"
+              operator: "greater_than"
+              value: 3389
+            - cond_type: "attribute"
+              resource_types: "oci_core_network_security_group_security_rule"
+              attribute: "udp_options.destination_port_range.max"
+              operator: "less_than"
+              value: 3389
diff --git a/tests/terraform/graph/checks/resources/OCI_NSGNotAllowRDP/expected.yaml b/tests/terraform/graph/checks/resources/OCI_NSGNotAllowRDP/expected.yaml
@@ -1,6 +1,7 @@
 pass:
   - "oci_core_network_security_group_security_rule.pass_1"
   - "oci_core_network_security_group_security_rule.pass_2"
+  - "oci_core_network_security_group_security_rule.pass_3"
 
 fail:
   - "oci_core_network_security_group_security_rule.fail_1"

diff --git a/tests/terraform/graph/checks/resources/OCI_NSGNotAllowRDP/main.tf b/tests/terraform/graph/checks/resources/OCI_NSGNotAllowRDP/main.tf
@@ -92,3 +92,21 @@ resource "oci_core_network_security_group_security_rule" "fail_2" {
 }
 
 
+resource "oci_core_network_security_group_security_rule" "pass_3" {
+  count = (var.nsg_id == "" ? 1:0)
+
+  network_security_group_id = oci_core_network_security_group.network_security_group[0].id
+  direction = "EGRESS"
+  protocol = "6" #tcp
+
+  description = "rule_allow_22_e_within"
+  destination = oci_core_network_security_group.network_security_group[0].id
+  destination_type = "NETWORK_SECURITY_GROUP"
+
+  tcp_options {
+    destination_port_range {
+      max = 22
+      min = 22
+    }
+  }
+}