From cca84698d77c07b4a94c43392b07ba412649b29f Mon Sep 17 00:00:00 2001 
From: Praveen Date: Thu, 2 Nov 2023 16:06:21 +0530 Subject: [PATCH 1/7] Added 5 Azure and 2 IBM policies --- .../AzureMSSQLserverConfigPrivEndpt.yaml | 19 ++ .../AzureMariaDBserverConfigPrivEndpt.yaml | 19 ++ .../AzureMySQLserverConfigPrivEndpt.yaml | 19 ++ .../AzurePostgreSQLserverConfigPrivEndpt.yaml | 19 ++ .../AzureSynapseWorkspaceVAisEnabled.yaml | 33 ++++ .../ibm/IBM_AppLBforVPCisPrivate.yaml | 24 +++ .../ibm/IBM_VPCclassicAccessIsDisabled.yaml | 24 +++ .../expected.yaml | 4 + .../AzureMSSQLserverConfigPrivEndpt/main.tf | 73 +++++++ .../expected.yaml | 4 + .../AzureMariaDBserverConfigPrivEndpt/main.tf | 73 +++++++ .../expected.yaml | 4 + .../AzureMySQLserverConfigPrivEndpt/main.tf | 73 +++++++ .../expected.yaml | 4 + .../main.tf | 73 +++++++ .../expected.yaml | 7 + .../AzureSynapseWorkspaceVAisEnabled/main.tf | 184 ++++++++++++++++++ .../IBM_AppLBforVPCisPrivate/expected.yaml | 5 + .../IBM_AppLBforVPCisPrivate/main.tf | 26 +++ .../expected.yaml | 5 + .../IBM_VPCclassicAccessIsDisabled/main.tf | 19 ++ 21 files changed, 711 insertions(+) create mode 100644 checkov/terraform/checks/graph_checks/azure/AzureMSSQLserverConfigPrivEndpt.yaml create mode 100644 checkov/terraform/checks/graph_checks/azure/AzureMariaDBserverConfigPrivEndpt.yaml create mode 100644 checkov/terraform/checks/graph_checks/azure/AzureMySQLserverConfigPrivEndpt.yaml create mode 100644 checkov/terraform/checks/graph_checks/azure/AzurePostgreSQLserverConfigPrivEndpt.yaml create mode 100644 checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspaceVAisEnabled.yaml create mode 100644 checkov/terraform/checks/graph_checks/ibm/IBM_AppLBforVPCisPrivate.yaml create mode 100644 checkov/terraform/checks/graph_checks/ibm/IBM_VPCclassicAccessIsDisabled.yaml create mode 100644 tests/terraform/graph/checks/resources/AzureMSSQLserverConfigPrivEndpt/expected.yaml create mode 100644 tests/terraform/graph/checks/resources/AzureMSSQLserverConfigPrivEndpt/main.tf create mode 100644 
tests/terraform/graph/checks/resources/AzureMariaDBserverConfigPrivEndpt/expected.yaml create mode 100644 tests/terraform/graph/checks/resources/AzureMariaDBserverConfigPrivEndpt/main.tf create mode 100644 tests/terraform/graph/checks/resources/AzureMySQLserverConfigPrivEndpt/expected.yaml create mode 100644 tests/terraform/graph/checks/resources/AzureMySQLserverConfigPrivEndpt/main.tf create mode 100644 tests/terraform/graph/checks/resources/AzurePostgreSQLserverConfigPrivEndpt/expected.yaml create mode 100644 tests/terraform/graph/checks/resources/AzurePostgreSQLserverConfigPrivEndpt/main.tf create mode 100644 tests/terraform/graph/checks/resources/AzureSynapseWorkspaceVAisEnabled/expected.yaml create mode 100644 tests/terraform/graph/checks/resources/AzureSynapseWorkspaceVAisEnabled/main.tf create mode 100644 tests/terraform/graph/checks/resources/IBM_AppLBforVPCisPrivate/expected.yaml create mode 100644 tests/terraform/graph/checks/resources/IBM_AppLBforVPCisPrivate/main.tf create mode 100644 tests/terraform/graph/checks/resources/IBM_VPCclassicAccessIsDisabled/expected.yaml create mode 100644 tests/terraform/graph/checks/resources/IBM_VPCclassicAccessIsDisabled/main.tf diff --git a/checkov/terraform/checks/graph_checks/azure/AzureMSSQLserverConfigPrivEndpt.yaml b/checkov/terraform/checks/graph_checks/azure/AzureMSSQLserverConfigPrivEndpt.yaml new file mode 100644 index 00000000000..3c00cf9f1a1 --- /dev/null +++ b/checkov/terraform/checks/graph_checks/azure/AzureMSSQLserverConfigPrivEndpt.yaml @@ -0,0 +1,19 @@ +metadata: + id: "CKV2_AZURE_45" + name: "Ensure Azure SQL server is configured with private endpoint" + category: "GENERAL_SECURITY" + +definition: + and: + - cond_type: "filter" + attribute: "resource_type" + operator: "within" + value: + - "azurerm_mssql_server" + + - cond_type: "connection" + resource_types: + - "azurerm_mssql_server" + connected_resource_types: + - "azurerm_private_endpoint" + operator: "exists" 
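Review bot: This check and the MariaDB, MySQL and PostgreSQL definitions on the next two lines file a network-exposure control under `category: "GENERAL_SECURITY"`, while the existing private-endpoint checks in this tree are, as far as I recall, categorised as NETWORKING, so `category: "NETWORKING"` would keep them findable with their siblings; worth confirming against the neighbouring azure graph checks before merging. Note also that a connected `azurerm_private_endpoint` alone does not disable public access, so the name is accurate for what the graph condition proves but should not be read as covering `public_network_access_enabled`. A one-line comment above `definition:`, e.g. `# passes when at least one azurerm_private_endpoint references the server; public network access is a separate check`, would make that scope explicit.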
diff --git a/checkov/terraform/checks/graph_checks/azure/AzureMariaDBserverConfigPrivEndpt.yaml b/checkov/terraform/checks/graph_checks/azure/AzureMariaDBserverConfigPrivEndpt.yaml new file mode 100644 index 00000000000..0a9ee4f7232 --- /dev/null +++ b/checkov/terraform/checks/graph_checks/azure/AzureMariaDBserverConfigPrivEndpt.yaml @@ -0,0 +1,19 @@ +metadata: + id: "CKV2_AZURE_43" + name: "Ensure Azure MariaDB server is configured with private endpoint" + category: "GENERAL_SECURITY" + +definition: + and: + - cond_type: "filter" + attribute: "resource_type" + operator: "within" + value: + - "azurerm_mariadb_server" + + - cond_type: "connection" + resource_types: + - "azurerm_mariadb_server" + connected_resource_types: + - "azurerm_private_endpoint" + operator: "exists" diff --git a/checkov/terraform/checks/graph_checks/azure/AzureMySQLserverConfigPrivEndpt.yaml b/checkov/terraform/checks/graph_checks/azure/AzureMySQLserverConfigPrivEndpt.yaml new file mode 100644 index 00000000000..18ef9ff038a --- /dev/null +++ b/checkov/terraform/checks/graph_checks/azure/AzureMySQLserverConfigPrivEndpt.yaml @@ -0,0 +1,19 @@ +metadata: + id: "CKV2_AZURE_44" + name: "Ensure Azure MySQL server is configured with private endpoint" + category: "GENERAL_SECURITY" + +definition: + and: + - cond_type: "filter" + attribute: "resource_type" + operator: "within" + value: + - "azurerm_mysql_server" + + - cond_type: "connection" + resource_types: + - "azurerm_mysql_server" + connected_resource_types: + - "azurerm_private_endpoint" + operator: "exists" diff --git a/checkov/terraform/checks/graph_checks/azure/AzurePostgreSQLserverConfigPrivEndpt.yaml b/checkov/terraform/checks/graph_checks/azure/AzurePostgreSQLserverConfigPrivEndpt.yaml new file mode 100644 index 00000000000..cc128e97a66 --- /dev/null +++ b/checkov/terraform/checks/graph_checks/azure/AzurePostgreSQLserverConfigPrivEndpt.yaml 
@@ -0,0 +1,19 @@ +metadata: + id: "CKV2_AZURE_42" + name: "Ensure Azure PostgreSQL server is configured with private endpoint" + category: "GENERAL_SECURITY" + +definition: + and: + - cond_type: "filter" + attribute: "resource_type" + operator: "within" + value: + - "azurerm_postgresql_server" + + - cond_type: "connection" + resource_types: + - "azurerm_postgresql_server" + connected_resource_types: + - "azurerm_private_endpoint" + operator: "exists" diff --git a/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspaceVAisEnabled.yaml b/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspaceVAisEnabled.yaml new file mode 100644 index 00000000000..096f210adc6 --- /dev/null +++ b/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspaceVAisEnabled.yaml @@ -0,0 +1,33 @@ +metadata: + id: "CKV2_AZURE_46" + name: "Ensure that Azure Synapse Workspace vulnerability assessment is enabled" + category: "GENERAL_SECURITY" +definition: + and: + - resource_types: + - azurerm_synapse_workspace_security_alert_policy + connected_resource_types: + - azurerm_synapse_workspace + operator: exists + cond_type: connection + + - resource_types: + - azurerm_synapse_workspace_vulnerability_assessment + connected_resource_types: + - azurerm_synapse_workspace_security_alert_policy + operator: exists + cond_type: connection + + - cond_type: attribute + resource_types: + - azurerm_synapse_workspace_vulnerability_assessment + attribute: 'recurring_scans.*.enabled' + operator: equals + value: true + + - cond_type: filter + attribute: resource_type + value: + - azurerm_synapse_workspace_vulnerability_assessment + operator: within + diff --git a/checkov/terraform/checks/graph_checks/ibm/IBM_AppLBforVPCisPrivate.yaml b/checkov/terraform/checks/graph_checks/ibm/IBM_AppLBforVPCisPrivate.yaml new file mode 100644 index 00000000000..e3d91f0faf2 --- /dev/null +++ b/checkov/terraform/checks/graph_checks/ibm/IBM_AppLBforVPCisPrivate.yaml 
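Review bot: In the Synapse definition the resource-scoping `filter` is the last item of the `and`, whereas the four private-endpoint checks put it first; moving it first reads as "scope, then conditions" and matches the rest of the series, and the quoting should follow the other files too (this one leaves keys and values unquoted, the others quote them). Separately, the first connection condition (`azurerm_synapse_workspace_security_alert_policy` to `azurerm_synapse_workspace`) does not name the vulnerability-assessment resource the filter selects, so whether it propagates a failure to a vulnerability assessment whose policy is detached depends on how the `and` solver treats resources outside a sub-condition's `resource_types`. The fixture's `va_fail_3` case relies on that propagation, so make sure that case actually runs red rather than unknown before merging.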
@@ -0,0 +1,24 @@ +metadata: + id: "CKV2_IBM_1" + name: "Ensure application load balancer for VPC is private (disable public access)" + category: "GENERAL_SECURITY" + +definition: + and: + - cond_type: "attribute" + resource_types: "ibm_is_lb" + attribute: "profile" + operator: "not_exists" + # For Application Load Balancer, profile is not a required attribute. + # Reference: https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_lb#profile + + - cond_type: "attribute" + resource_types: "ibm_is_lb" + attribute: "type" + operator: "exists" + + - cond_type: "attribute" + resource_types: "ibm_is_lb" + attribute: "type" + operator: "equals_ignore_case" + value: "private" \ No newline at end of file diff --git a/checkov/terraform/checks/graph_checks/ibm/IBM_VPCclassicAccessIsDisabled.yaml b/checkov/terraform/checks/graph_checks/ibm/IBM_VPCclassicAccessIsDisabled.yaml new file mode 100644 index 00000000000..d961ad6a1e4 --- /dev/null +++ b/checkov/terraform/checks/graph_checks/ibm/IBM_VPCclassicAccessIsDisabled.yaml @@ -0,0 +1,24 @@ +metadata: + id: "CKV2_IBM_2" + name: "Ensure VPC classic access is disabled" + category: "GENERAL_SECURITY" + +definition: + or: + - cond_type: "attribute" + resource_types: "ibm_is_vpc" + attribute: "classic_access" + operator: "not_exists" + + - and: + + - cond_type: "attribute" + resource_types: "ibm_is_vpc" + attribute: "classic_access" + operator: "exists" + + - cond_type: "attribute" + resource_types: "ibm_is_vpc" + attribute: "classic_access" + operator: "equals_ignore_case" + value: "false" \ No newline at end of file diff --git a/tests/terraform/graph/checks/resources/AzureMSSQLserverConfigPrivEndpt/expected.yaml b/tests/terraform/graph/checks/resources/AzureMSSQLserverConfigPrivEndpt/expected.yaml new file mode 100644 index 00000000000..a12224d5afb --- /dev/null +++ b/tests/terraform/graph/checks/resources/AzureMSSQLserverConfigPrivEndpt/expected.yaml 
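Review bot: Both IBM definitions give `resource_types: "ibm_is_lb"` and `resource_types: "ibm_is_vpc"` as a scalar string while every other check in this series uses a list; unless the graph-check parser normalises a bare string, a membership test against a string is a substring match rather than an equality, so the list form `resource_types:` / `- "ibm_is_lb"` is the safer one. In IBM_AppLBforVPCisPrivate the `profile` / `not_exists` condition is and-ed with the `type` conditions, so a network load balancer that sets both `profile` and `type = "private"` fails a check whose title scopes it to application load balancers; if the intent is to exclude network load balancers rather than fail them, the profile condition belongs in an `or` branch that passes when `profile` exists, or the title should say the check covers every `ibm_is_lb`. In IBM_VPCclassicAccessIsDisabled the inner `and` of `exists` and `equals_ignore_case "false"` is redundant, because `equals_ignore_case` cannot match an absent attribute, so the `or` can hold just the `not_exists` and the `equals_ignore_case` conditions.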
@@ -0,0 +1,4 @@ +pass: + - "azurerm_mssql_server.pass" +fail: + - "azurerm_mssql_server.fail" \ No newline at end of file diff --git a/tests/terraform/graph/checks/resources/AzureMSSQLserverConfigPrivEndpt/main.tf b/tests/terraform/graph/checks/resources/AzureMSSQLserverConfigPrivEndpt/main.tf new file mode 100644 index 00000000000..03f42222724 --- /dev/null +++ b/tests/terraform/graph/checks/resources/AzureMSSQLserverConfigPrivEndpt/main.tf 
@@ -0,0 +1,73 @@ + +variable "resource_group_name" { + default = "pud_mssql_rg" +} + +variable "location" { + default = "East US 2" +} + +variable "subnet_id" { + default = "pud-az-subnet" +} + +# case 1: PASS: azurerm_private_endpoint exists and is connected + +resource "azurerm_mssql_server" "pass" { + name = "pass_mssql_server" + location = var.location + resource_group_name = var.resource_group_name + + administrator_login = "pud" + administrator_login_password = "P@ssw0rd@1" + + sku_name = "GP_Gen5_4" + version = "11" + storage_mb = 5120 + + backup_retention_days = 7 + geo_redundant_backup_enabled = true + auto_grow_enabled = false + + public_network_access_enabled = false + ssl_enforcement_enabled = true + ssl_minimal_tls_version_enforced = "TLS1_2" +} + +resource "azurerm_private_endpoint" "pass_priendpt" { + name = "pass_priendpt" + location = var.location + resource_group_name = var.resource_group_name + subnet_id = var.subnet_id + + private_service_connection { + name = "dep-privservcon" + private_connection_resource_id = azurerm_mssql_server.pass.id + subresource_names = ["sqlServer"] + is_manual_connection = false + } +} + + +# case 2: FAIL: azurerm_private_endpoint does not exist + +resource "azurerm_mssql_server" "fail" { + name = "fail_mssql_server" + location = var.location + resource_group_name = var.resource_group_name + + administrator_login = "pud" + administrator_login_password = "P@ssw0rd@1" + + sku_name = "GP_Gen5_4" + version = "11" + storage_mb = 5120 + + backup_retention_days = 7 + geo_redundant_backup_enabled = true + auto_grow_enabled = false + + public_network_access_enabled = false + ssl_enforcement_enabled = true + ssl_minimal_tls_version_enforced = "TLS1_2" +} \ No newline at end of file diff --git a/tests/terraform/graph/checks/resources/AzureMariaDBserverConfigPrivEndpt/expected.yaml b/tests/terraform/graph/checks/resources/AzureMariaDBserverConfigPrivEndpt/expected.yaml new file mode 100644 index 00000000000..76fdcbfbd31 
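Review bot: The two `azurerm_mssql_server` blocks carry attributes copied from the PostgreSQL fixture — `sku_name`, `storage_mb`, `backup_retention_days`, `geo_redundant_backup_enabled`, `auto_grow_enabled`, `ssl_enforcement_enabled`, `ssl_minimal_tls_version_enforced` — which, to my knowledge, are not arguments of that resource, and `version = "11"` is not a SQL Server version the provider accepts (it expects `"12.0"`). The graph check only looks at the private-endpoint connection, so the test still passes, but a fixture that `terraform validate` would reject is a poor template for the next author. Trimming each block to `name`, `location`, `resource_group_name`, `version = "12.0"`, the administrator login fields, `public_network_access_enabled = false` and `minimum_tls_version = "1.2"` keeps the same pass/fail outcome.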
--- /dev/null +++ b/tests/terraform/graph/checks/resources/AzureMariaDBserverConfigPrivEndpt/expected.yaml @@ -0,0 +1,4 @@ +pass: + - "azurerm_mariadb_server.pass" +fail: + - "azurerm_mariadb_server.fail" \ No newline at end of file diff --git a/tests/terraform/graph/checks/resources/AzureMariaDBserverConfigPrivEndpt/main.tf b/tests/terraform/graph/checks/resources/AzureMariaDBserverConfigPrivEndpt/main.tf new file mode 100644 index 00000000000..a2fc4355c83 --- /dev/null +++ b/tests/terraform/graph/checks/resources/AzureMariaDBserverConfigPrivEndpt/main.tf 
@@ -0,0 +1,73 @@ + +variable "resource_group_name" { + default = "pud_maria_rg" +} + +variable "location" { + default = "East US 2" +} + +variable "subnet_id" { + default = "pud-az-subnet" +} + +# case 1: PASS: azurerm_private_endpoint exists and is connected + +resource "azurerm_mariadb_server" "pass" { + name = "pass_mariadb_server" + location = var.location + resource_group_name = var.resource_group_name + + administrator_login = "pud" + administrator_login_password = "P@ssw0rd@1" + + sku_name = "GP_Gen5_4" + version = "11" + storage_mb = 5120 + + backup_retention_days = 7 + geo_redundant_backup_enabled = true + auto_grow_enabled = false + + public_network_access_enabled = false + ssl_enforcement_enabled = true + ssl_minimal_tls_version_enforced = "TLS1_2" +} + +resource "azurerm_private_endpoint" "pass_priendpt" { + name = "pass_priendpt" + location = var.location + resource_group_name = var.resource_group_name + subnet_id = var.subnet_id + + private_service_connection { + name = "dep-privservcon" + private_connection_resource_id = azurerm_mariadb_server.pass.id + subresource_names = ["mariadbServer"] + is_manual_connection = false + } +} + + +# case 2: FAIL: azurerm_private_endpoint does not exist + +resource "azurerm_mariadb_server" "fail" { + name = "fail_mariadb_server" + location = var.location + resource_group_name = var.resource_group_name + + administrator_login = "pud" + administrator_login_password = "P@ssw0rd@1" + + sku_name = "GP_Gen5_4" + version = "11" + storage_mb = 5120 + + backup_retention_days = 7 + geo_redundant_backup_enabled = true + auto_grow_enabled = false + + public_network_access_enabled = false + ssl_enforcement_enabled = true + ssl_minimal_tls_version_enforced = "TLS1_2" +} \ No newline at end of file diff --git a/tests/terraform/graph/checks/resources/AzureMySQLserverConfigPrivEndpt/expected.yaml b/tests/terraform/graph/checks/resources/AzureMySQLserverConfigPrivEndpt/expected.yaml new file mode 100644 index 00000000000..bed395ba6c0 
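Review bot: `version = "11"` on both `azurerm_mariadb_server` blocks is not a value the provider accepts for MariaDB (to my knowledge it takes `"10.2"` or `"10.3"`), and the same copied value reappears on the MySQL fixture in the next hunk, where the valid values are `"5.6"`, `"5.7"` and `"8.0"`. The check ignores the attribute, so the tests pass either way, but the fixtures should still be valid Terraform; `version = "10.3"` here and `version = "8.0"` in the MySQL file would do.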
--- /dev/null +++ b/tests/terraform/graph/checks/resources/AzureMySQLserverConfigPrivEndpt/expected.yaml @@ -0,0 +1,4 @@ +pass: + - "azurerm_mysql_server.pass" +fail: + - "azurerm_mysql_server.fail" \ No newline at end of file diff --git a/tests/terraform/graph/checks/resources/AzureMySQLserverConfigPrivEndpt/main.tf b/tests/terraform/graph/checks/resources/AzureMySQLserverConfigPrivEndpt/main.tf new file mode 100644 index 00000000000..78ce0e2ef25 --- /dev/null +++ b/tests/terraform/graph/checks/resources/AzureMySQLserverConfigPrivEndpt/main.tf 
@@ -0,0 +1,73 @@ + +variable "resource_group_name" { + default = "pud_mysql_rg" +} + +variable "location" { + default = "East US 2" +} + +variable "subnet_id" { + default = "pud-az-subnet" +} + +# case 1: PASS: azurerm_private_endpoint exists and is connected + +resource "azurerm_mysql_server" "pass" { + name = "pass_mysql_server" + location = var.location + resource_group_name = var.resource_group_name + + administrator_login = "pud" + administrator_login_password = "P@ssw0rd@1" + + sku_name = "GP_Gen5_4" + version = "11" + storage_mb = 5120 + + backup_retention_days = 7 + geo_redundant_backup_enabled = true + auto_grow_enabled = false + + public_network_access_enabled = false + ssl_enforcement_enabled = true + ssl_minimal_tls_version_enforced = "TLS1_2" +} + +resource "azurerm_private_endpoint" "pass_priendpt" { + name = "pass_priendpt" + location = var.location + resource_group_name = var.resource_group_name + subnet_id = var.subnet_id + + private_service_connection { + name = "dep-privservcon" + private_connection_resource_id = azurerm_mysql_server.pass.id + subresource_names = ["mysqlServer"] + is_manual_connection = false + } +} + + +# case 2: FAIL: azurerm_private_endpoint does not exist + +resource "azurerm_mysql_server" "fail" { + name = "fail_mysql_server" + location = var.location + resource_group_name = var.resource_group_name + + administrator_login = "pud" + administrator_login_password = "P@ssw0rd@1" + + sku_name = "GP_Gen5_4" + version = "11" + storage_mb = 5120 + + backup_retention_days = 7 + geo_redundant_backup_enabled = true + auto_grow_enabled = false + + public_network_access_enabled = false + ssl_enforcement_enabled = true + ssl_minimal_tls_version_enforced = "TLS1_2" +} \ No newline at end of file diff --git a/tests/terraform/graph/checks/resources/AzurePostgreSQLserverConfigPrivEndpt/expected.yaml b/tests/terraform/graph/checks/resources/AzurePostgreSQLserverConfigPrivEndpt/expected.yaml new file mode 100644 index 00000000000..42e4cd2a088 
--- /dev/null +++ b/tests/terraform/graph/checks/resources/AzurePostgreSQLserverConfigPrivEndpt/expected.yaml @@ -0,0 +1,4 @@ +pass: + - "azurerm_postgresql_server.pass" +fail: + - "azurerm_postgresql_server.fail" \ No newline at end of file diff --git a/tests/terraform/graph/checks/resources/AzurePostgreSQLserverConfigPrivEndpt/main.tf b/tests/terraform/graph/checks/resources/AzurePostgreSQLserverConfigPrivEndpt/main.tf new file mode 100644 index 00000000000..ded871053fe --- /dev/null +++ b/tests/terraform/graph/checks/resources/AzurePostgreSQLserverConfigPrivEndpt/main.tf 
@@ -0,0 +1,73 @@ + +variable "resource_group_name" { + default = "pud_pgres_rg" +} + +variable "location" { + default = "East US 2" +} + +variable "subnet_id" { + default = "pud-az-subnet" +} + +# case 1: PASS: azurerm_private_endpoint exists and is connected + +resource "azurerm_postgresql_server" "pass" { + name = "pass_pgres_server" + location = var.location + resource_group_name = var.resource_group_name + + administrator_login = "pud" + administrator_login_password = "P@ssw0rd@1" + + sku_name = "GP_Gen5_4" + version = "11" + storage_mb = 5120 + + backup_retention_days = 7 + geo_redundant_backup_enabled = true + auto_grow_enabled = false + + public_network_access_enabled = false + ssl_enforcement_enabled = true + ssl_minimal_tls_version_enforced = "TLS1_2" +} + +resource "azurerm_private_endpoint" "pass_priendpt" { + name = "pass_priendpt" + location = var.location + resource_group_name = var.resource_group_name + subnet_id = var.subnet_id + + private_service_connection { + name = "dep-privservcon" + private_connection_resource_id = azurerm_postgresql_server.pass.id + subresource_names = ["postgresqlServer"] + is_manual_connection = false + } +} + + +# case 2: FAIL: azurerm_private_endpoint does not exist + +resource "azurerm_postgresql_server" "fail" { + name = "fail_pgres_server" + location = var.location + resource_group_name = var.resource_group_name + + administrator_login = "pud" + administrator_login_password = "P@ssw0rd@1" + + sku_name = "GP_Gen5_4" + version = "11" + storage_mb = 5120 + + backup_retention_days = 7 + geo_redundant_backup_enabled = true + auto_grow_enabled = false + + public_network_access_enabled = false + ssl_enforcement_enabled = true + ssl_minimal_tls_version_enforced = "TLS1_2" +} \ No newline at end of file 
diff --git a/tests/terraform/graph/checks/resources/AzureSynapseWorkspaceVAisEnabled/expected.yaml b/tests/terraform/graph/checks/resources/AzureSynapseWorkspaceVAisEnabled/expected.yaml new file mode 100644 index 00000000000..c84268410ce --- /dev/null +++ b/tests/terraform/graph/checks/resources/AzureSynapseWorkspaceVAisEnabled/expected.yaml @@ -0,0 +1,7 @@ +pass: + - "resource: azurerm_synapse_workspace_vulnerability_assessment.va_pass" + +fail: + - "azurerm_synapse_workspace_vulnerability_assessment.va_fail_1" + - "azurerm_synapse_workspace_vulnerability_assessment.va_fail_2" + - "azurerm_synapse_workspace_vulnerability_assessment.va_fail_3" \ No newline at end of file diff --git a/tests/terraform/graph/checks/resources/AzureSynapseWorkspaceVAisEnabled/main.tf b/tests/terraform/graph/checks/resources/AzureSynapseWorkspaceVAisEnabled/main.tf new file mode 100644 index 00000000000..d4b0b2bd57b --- /dev/null +++ b/tests/terraform/graph/checks/resources/AzureSynapseWorkspaceVAisEnabled/main.tf 
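Review bot: The pass entry is written as `"resource: azurerm_synapse_workspace_vulnerability_assessment.va_pass"` while the three fail entries and every other expected.yaml in this series use the bare `type.name` form; unless the harness strips that prefix, the pass resource will never match and the pass set is silently empty. Change it to `- "azurerm_synapse_workspace_vulnerability_assessment.va_pass"`.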
@@ -0,0 +1,184 @@ +variable "default_var" { + default = "pud-default" +} + +# Case 1: Pass: Connection exists and recurring_scans.*.enabled = true + +resource "azurerm_synapse_workspace" "synapse_ws_pass_1" { + name = "synapse_ws_pass_1" + resource_group_name = var.default_var + location = var.default_var + storage_data_lake_gen2_filesystem_id = var.default_var + sql_administrator_login = "pudsqladminuser" + sql_administrator_login_password = "P@ssw0rd@1" + + aad_admin { + login = "AzureAD Admin" + object_id = "00000000-0000-0000-0000-000000000000" + tenant_id = "00000000-0000-0000-0000-000000000000" + } + + identity { + type = "SystemAssigned" + } + + tags = { + Env = "production" + } +} + +resource "azurerm_synapse_workspace_security_alert_policy" "synapse_ws_policy_1" { + synapse_workspace_id = azurerm_synapse_workspace.synapse_ws_pass_1.id + policy_state = "Enabled" + + disabled_alerts = [ + "Sql_Injection", + "Data_Exfiltration" + ] + retention_days = 20 +} + +resource "azurerm_synapse_workspace_vulnerability_assessment" "va_pass" { + workspace_security_alert_policy_id = azurerm_synapse_workspace_security_alert_policy.synapse_ws_policy_1.id + storage_container_path = var.default_var + + recurring_scans { + enabled = true + } +} + +# Case 2: Fail: Connection doesn't exist but recurring_scans.*.enabled = true + +resource "azurerm_synapse_workspace" "synapse_ws_fail_1" { + name = "synapse_ws_fail_1" + resource_group_name = var.default_var + location = var.default_var + storage_data_lake_gen2_filesystem_id = var.default_var + sql_administrator_login = "pudsqladminuser" + sql_administrator_login_password = "P@ssw0rd@1" + + aad_admin { + login = "AzureAD Admin" + object_id = "00000000-0000-0000-0000-000000000000" + tenant_id = "00000000-0000-0000-0000-000000000000" + } + + identity { + type = "SystemAssigned" + } + + tags = { + Env = "production" + } +} + +resource "azurerm_synapse_workspace_security_alert_policy" "synapse_ws_policy_2" { + synapse_workspace_id = 
azurerm_synapse_workspace.synapse_ws_fail_1.id + policy_state = "Enabled" + + disabled_alerts = [ + "Sql_Injection", + "Data_Exfiltration" + ] + retention_days = 20 +} + +resource "azurerm_synapse_workspace_vulnerability_assessment" "va_fail_1" { + workspace_security_alert_policy_id = var.default_var + storage_container_path = var.default_var + + recurring_scans { + enabled = true + } +} + +# Case 3: Fail: Connection exists but recurring_scans.*.enabled = false + +resource "azurerm_synapse_workspace" "synapse_ws_fail_2" { + name = "synapse_ws_fail_2" + resource_group_name = var.default_var + location = var.default_var + storage_data_lake_gen2_filesystem_id = var.default_var + sql_administrator_login = "pudsqladminuser" + sql_administrator_login_password = "P@ssw0rd@1" + + aad_admin { + login = "AzureAD Admin" + object_id = "00000000-0000-0000-0000-000000000000" + tenant_id = "00000000-0000-0000-0000-000000000000" + } + + identity { + type = "SystemAssigned" + } + + tags = { + Env = "production" + } +} + +resource "azurerm_synapse_workspace_security_alert_policy" "synapse_ws_policy_3" { + synapse_workspace_id = azurerm_synapse_workspace.synapse_ws_fail_2.id + policy_state = "Enabled" + + disabled_alerts = [ + "Sql_Injection", + "Data_Exfiltration" + ] + retention_days = 20 +} + +resource "azurerm_synapse_workspace_vulnerability_assessment" "va_fail_2" { + workspace_security_alert_policy_id = azurerm_synapse_workspace_security_alert_policy.synapse_ws_policy_3.id + storage_container_path = var.default_var + + recurring_scans { + enabled = false + } +} + + +# Case 4: Fail: 'azurerm_synapse_workspace_security_alert_policy' not connected to 'azurerm_synapse_workspace' but recurring_scans.*.enabled = true + +resource "azurerm_synapse_workspace" "synapse_ws_fail_3" { + name = "synapse_ws_fail_3" + resource_group_name = var.default_var + location = var.default_var + storage_data_lake_gen2_filesystem_id = var.default_var + sql_administrator_login = "pudsqladminuser" + 
sql_administrator_login_password = "P@ssw0rd@1" + + aad_admin { + login = "AzureAD Admin" + object_id = "00000000-0000-0000-0000-000000000000" + tenant_id = "00000000-0000-0000-0000-000000000000" + } + + identity { + type = "SystemAssigned" + } + + tags = { + Env = "production" + } +} + +resource "azurerm_synapse_workspace_security_alert_policy" "synapse_ws_policy_4" { + synapse_workspace_id = var.default_var + policy_state = "Enabled" + + disabled_alerts = [ + "Sql_Injection", + "Data_Exfiltration" + ] + retention_days = 20 +} + +resource "azurerm_synapse_workspace_vulnerability_assessment" "va_fail_3" { + workspace_security_alert_policy_id = azurerm_synapse_workspace_security_alert_policy.synapse_ws_policy_4.id + storage_container_path = var.default_var + + recurring_scans { + enabled = true + } +} \ No newline at end of file diff --git a/tests/terraform/graph/checks/resources/IBM_AppLBforVPCisPrivate/expected.yaml b/tests/terraform/graph/checks/resources/IBM_AppLBforVPCisPrivate/expected.yaml new file mode 100644 index 00000000000..d3e327af28d --- /dev/null +++ b/tests/terraform/graph/checks/resources/IBM_AppLBforVPCisPrivate/expected.yaml @@ -0,0 +1,5 @@ +pass: + - "ibm_is_lb.pass" +fail: + - "ibm_is_lb.fail_1" + - "ibm_is_lb.fail_2" \ No newline at end of file diff --git a/tests/terraform/graph/checks/resources/IBM_AppLBforVPCisPrivate/main.tf b/tests/terraform/graph/checks/resources/IBM_AppLBforVPCisPrivate/main.tf new file mode 100644 index 00000000000..3d793d24f8f --- /dev/null +++ b/tests/terraform/graph/checks/resources/IBM_AppLBforVPCisPrivate/main.tf 
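Review bot: The `# Case 2: Fail: Connection doesn't exist` comment is ambiguous, because `synapse_ws_policy_2` is still connected to its workspace; the link that is absent is the one from `va_fail_1` to a security alert policy. Suggest `# Case 2: Fail: vulnerability assessment is not connected to a security alert policy` so the four cases read as the four branches of the check. The same precision would help Case 4, which is the only case where the policy-to-workspace link is the one missing.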
@@ -0,0 +1,26 @@ +variable "pud-subnet" { + subnet = "192.168.20.0/24" +} + +# Case 1: Pass: type = "private" and profile does not exist + +resource "ibm_is_lb" "pass" { + name = "pud-load-balancer" + subnets = [var.pud-subnet] + type = "private" +} + +# Case 2: FAIL: profile = 'network-fixed' + +resource "ibm_is_lb" "fail_1" { + name = "pud-load-balancer" + subnets = [var.pud-subnet] + profile = "network-fixed" +} + +# Case 3: FAIL: 'type' does not exist. By default type = 'public' + +resource "ibm_is_lb" "fail_2" { + name = "pud-load-balancer" + subnets = [var.pud-subnet] +} \ No newline at end of file diff --git a/tests/terraform/graph/checks/resources/IBM_VPCclassicAccessIsDisabled/expected.yaml b/tests/terraform/graph/checks/resources/IBM_VPCclassicAccessIsDisabled/expected.yaml new file mode 100644 index 00000000000..45493f1e678 --- /dev/null +++ b/tests/terraform/graph/checks/resources/IBM_VPCclassicAccessIsDisabled/expected.yaml @@ -0,0 +1,5 @@ +pass: + - "ibm_is_vpc.pass_1" + - "ibm_is_vpc.pass_2" +fail: + - "ibm_is_vpc.fail" \ No newline at end of file diff --git a/tests/terraform/graph/checks/resources/IBM_VPCclassicAccessIsDisabled/main.tf b/tests/terraform/graph/checks/resources/IBM_VPCclassicAccessIsDisabled/main.tf new file mode 100644 index 00000000000..90e9d632b72 --- /dev/null +++ b/tests/terraform/graph/checks/resources/IBM_VPCclassicAccessIsDisabled/main.tf @@ -0,0 +1,19 @@ +# Case 1: Pass: Default value for 'classic_access' is false + +resource "ibm_is_vpc" "pass_1" { + name = "pud-vpc" +} + +# Case 2: Pass: 'classic_access' = 'false' +resource "ibm_is_vpc" "pass_2" { + name = "pud-vpc" + classic_access = false +} + +# Case 3: Fail: 'classic_access' = 'true' + +resource "ibm_is_vpc" "fail" { + name = "pud-vpc" + classic_access = true +} + From 5a5df74200b853a37379360288d5e5db53bb328b Mon Sep 17 00:00:00 2001 
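Review bot: `variable "pud-subnet" { subnet = "192.168.20.0/24" }` is not a valid variable block — `subnet` is not an argument of `variable`, so `terraform validate` rejects the file; the fixture wants `default = "192.168.20.0/24"`. The resources then pass a CIDR string where `subnets` expects subnet IDs, which is harmless for a graph check that only reads `type` and `profile`, but a short comment saying the subnet is a placeholder would stop someone "fixing" the check around it. The `# Case 3` comment should also say where the `public` default comes from, e.g. `# 'type' defaults to 'public' in the provider, so an omitted type must fail`.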
From: Praveen Date: Tue, 7 Nov 2023 12:20:06 +0530 Subject: [PATCH 2/7] Updated the 'test_yaml_policies.py' file with new policies --- .../graph/checks/test_yaml_policies.py | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/tests/terraform/graph/checks/test_yaml_policies.py b/tests/terraform/graph/checks/test_yaml_policies.py index 7e484093aeb..dbb3c24ad8e 100644 --- a/tests/terraform/graph/checks/test_yaml_policies.py +++ b/tests/terraform/graph/checks/test_yaml_policies.py @@ -427,6 +427,27 @@ def test_AzureStorageAccConfig_SAS_expirePolicy(self): def test_AzureVMconfigPublicIP_SerialConsoleAccess(self): self.go("AzureVMconfigPublicIP_SerialConsoleAccess") + def test_AzurePostgreSQLserverConfigPrivEndpt(self): + self.go("AzurePostgreSQLserverConfigPrivEndpt") + + def test_AzureMariaDBserverConfigPrivEndpt(self): + self.go("AzureMariaDBserverConfigPrivEndpt") + + def test_AzureMySQLserverConfigPrivEndpt(self): + self.go("AzureMySQLserverConfigPrivEndpt") + + def test_AzureMSSQLserverConfigPrivEndpt(self): + self.go("AzureMSSQLserverConfigPrivEndpt") + + def test_AzureSynapseWorkspaceVAisEnabled(self): + self.go("AzureSynapseWorkspaceVAisEnabled") + + def test_IBM_AppLBforVPCisPrivate(self): + self.go("IBM_AppLBforVPCisPrivate") + + def test_IBM_VPCclassicAccessIsDisabled(self): + self.go("IBM_VPCclassicAccessIsDisabled") + def test_registry_load(self): registry = Registry(parser=GraphCheckParser(), checks_dir=str( Path(__file__).parent.parent.parent.parent.parent / "checkov" / "terraform" / "checks" / "graph_checks")) From db4d0e53caac442f89657ed506c21bfd8b6edd0e Mon Sep 17 00:00:00 2001 
From: Praveen Date: Thu, 9 Nov 2023 11:55:22 +0530 Subject: [PATCH 3/7] Updated Terraform files with skip secrets comments --- .../checks/resources/AzureMSSQLserverConfigPrivEndpt/main.tf | 2 ++ .../resources/AzureMariaDBserverConfigPrivEndpt/main.tf | 2 ++ .../checks/resources/AzureMySQLserverConfigPrivEndpt/main.tf | 2 ++ .../resources/AzurePostgreSQLserverConfigPrivEndpt/main.tf | 2 ++ .../checks/resources/AzureSynapseWorkspaceVAisEnabled/main.tf | 4 ++++ 5 files changed, 12 insertions(+) diff --git a/tests/terraform/graph/checks/resources/AzureMSSQLserverConfigPrivEndpt/main.tf b/tests/terraform/graph/checks/resources/AzureMSSQLserverConfigPrivEndpt/main.tf index 03f42222724..fe86deb33a6 100644 --- a/tests/terraform/graph/checks/resources/AzureMSSQLserverConfigPrivEndpt/main.tf +++ b/tests/terraform/graph/checks/resources/AzureMSSQLserverConfigPrivEndpt/main.tf @@ -19,6 +19,7 @@ resource "azurerm_mssql_server" "pass" { resource_group_name = var.resource_group_name administrator_login = "pud" + # checkov:skip=CKV_SECRET_6 test secret administrator_login_password = "P@ssw0rd@1" sku_name = "GP_Gen5_4" @@ -57,6 +58,7 @@ resource "azurerm_mssql_server" "fail" { resource_group_name = var.resource_group_name administrator_login = "pud" + # checkov:skip=CKV_SECRET_6 test secret administrator_login_password = "P@ssw0rd@1" sku_name = "GP_Gen5_4" diff --git a/tests/terraform/graph/checks/resources/AzureMariaDBserverConfigPrivEndpt/main.tf b/tests/terraform/graph/checks/resources/AzureMariaDBserverConfigPrivEndpt/main.tf index a2fc4355c83..2301730a3ff 100644 --- a/tests/terraform/graph/checks/resources/AzureMariaDBserverConfigPrivEndpt/main.tf +++ b/tests/terraform/graph/checks/resources/AzureMariaDBserverConfigPrivEndpt/main.tf @@ -19,6 +19,7 @@ resource "azurerm_mariadb_server" "pass" { resource_group_name = var.resource_group_name administrator_login = "pud" + # checkov:skip=CKV_SECRET_6 test secret administrator_login_password = "P@ssw0rd@1" sku_name = "GP_Gen5_4" 
@@ -57,6 +58,7 @@ resource "azurerm_mariadb_server" "fail" { resource_group_name = var.resource_group_name administrator_login = "pud" + # checkov:skip=CKV_SECRET_6 test secret administrator_login_password = "P@ssw0rd@1" sku_name = "GP_Gen5_4" diff --git a/tests/terraform/graph/checks/resources/AzureMySQLserverConfigPrivEndpt/main.tf b/tests/terraform/graph/checks/resources/AzureMySQLserverConfigPrivEndpt/main.tf index 78ce0e2ef25..699a2582782 100644 --- a/tests/terraform/graph/checks/resources/AzureMySQLserverConfigPrivEndpt/main.tf +++ b/tests/terraform/graph/checks/resources/AzureMySQLserverConfigPrivEndpt/main.tf @@ -19,6 +19,7 @@ resource "azurerm_mysql_server" "pass" { resource_group_name = var.resource_group_name administrator_login = "pud" + # checkov:skip=CKV_SECRET_6 test secret administrator_login_password = "P@ssw0rd@1" sku_name = "GP_Gen5_4" @@ -57,6 +58,7 @@ resource "azurerm_mysql_server" "fail" { resource_group_name = var.resource_group_name administrator_login = "pud" + # checkov:skip=CKV_SECRET_6 test secret administrator_login_password = "P@ssw0rd@1" sku_name = "GP_Gen5_4" diff --git a/tests/terraform/graph/checks/resources/AzurePostgreSQLserverConfigPrivEndpt/main.tf b/tests/terraform/graph/checks/resources/AzurePostgreSQLserverConfigPrivEndpt/main.tf index ded871053fe..c4e82099860 100644 --- a/tests/terraform/graph/checks/resources/AzurePostgreSQLserverConfigPrivEndpt/main.tf +++ b/tests/terraform/graph/checks/resources/AzurePostgreSQLserverConfigPrivEndpt/main.tf @@ -19,6 +19,7 @@ resource "azurerm_postgresql_server" "pass" { resource_group_name = var.resource_group_name administrator_login = "pud" + # checkov:skip=CKV_SECRET_6 test secret administrator_login_password = "P@ssw0rd@1" sku_name = "GP_Gen5_4" 
@@ -57,6 +58,7 @@ resource "azurerm_postgresql_server" "fail" {
 resource_group_name = var.resource_group_name
 administrator_login = "pud"
+ # checkov:skip=CKV_SECRET_6 test secret
 administrator_login_password = "P@ssw0rd@1"
 sku_name = "GP_Gen5_4"
diff --git a/tests/terraform/graph/checks/resources/AzureSynapseWorkspaceVAisEnabled/main.tf b/tests/terraform/graph/checks/resources/AzureSynapseWorkspaceVAisEnabled/main.tf
index d4b0b2bd57b..9b4340f5ce3 100644
--- a/tests/terraform/graph/checks/resources/AzureSynapseWorkspaceVAisEnabled/main.tf
+++ b/tests/terraform/graph/checks/resources/AzureSynapseWorkspaceVAisEnabled/main.tf
@@ -10,6 +10,7 @@ resource "azurerm_synapse_workspace" "synapse_ws_pass_1" {
 location = var.default_var
 storage_data_lake_gen2_filesystem_id = var.default_var
 sql_administrator_login = "pudsqladminuser"
+ # checkov:skip=CKV_SECRET_6 test secret
 sql_administrator_login_password = "P@ssw0rd@1"
 aad_admin {
@@ -55,6 +56,7 @@ resource "azurerm_synapse_workspace" "synapse_ws_fail_1" {
 location = var.default_var
 storage_data_lake_gen2_filesystem_id = var.default_var
 sql_administrator_login = "pudsqladminuser"
+ # checkov:skip=CKV_SECRET_6 test secret
 sql_administrator_login_password = "P@ssw0rd@1"
 aad_admin {
@@ -100,6 +102,7 @@ resource "azurerm_synapse_workspace" "synapse_ws_fail_2" {
 location = var.default_var
 storage_data_lake_gen2_filesystem_id = var.default_var
 sql_administrator_login = "pudsqladminuser"
+ # checkov:skip=CKV_SECRET_6 test secret
 sql_administrator_login_password = "P@ssw0rd@1"
 aad_admin {
@@ -146,6 +149,7 @@ resource "azurerm_synapse_workspace" "synapse_ws_fail_3" {
 location = var.default_var
 storage_data_lake_gen2_filesystem_id = var.default_var
 sql_administrator_login = "pudsqladminuser"
+ # checkov:skip=CKV_SECRET_6 test secret
 sql_administrator_login_password = "P@ssw0rd@1"
 aad_admin {
From 38f99c48737856c73e5277769bca148c7c779026 Mon Sep 17 00:00:00 2001
From: Praveen
Date: Wed, 15 Nov 2023 18:30:41 +0530
Subject: [PATCH 4/7] Added comments to skip secrets validation
---
 .../AzureMSSQLserverConfigPrivEndpt/main.tf | 6 ++----
 .../AzureMariaDBserverConfigPrivEndpt/main.tf | 6 ++----
 .../AzureMySQLserverConfigPrivEndpt/main.tf | 6 ++----
 .../AzurePostgreSQLserverConfigPrivEndpt/main.tf | 6 ++----
 .../AzureSynapseWorkspaceVAisEnabled/main.tf | 12 ++++-------
 5 files changed, 12 insertions(+), 24 deletions(-)
diff --git a/tests/terraform/graph/checks/resources/AzureMSSQLserverConfigPrivEndpt/main.tf b/tests/terraform/graph/checks/resources/AzureMSSQLserverConfigPrivEndpt/main.tf
index fe86deb33a6..d293aa9c914 100644
--- a/tests/terraform/graph/checks/resources/AzureMSSQLserverConfigPrivEndpt/main.tf
+++ b/tests/terraform/graph/checks/resources/AzureMSSQLserverConfigPrivEndpt/main.tf
@@ -19,8 +19,7 @@ resource "azurerm_mssql_server" "pass" {
 resource_group_name = var.resource_group_name
 administrator_login = "pud"
- # checkov:skip=CKV_SECRET_6 test secret
- administrator_login_password = "P@ssw0rd@1"
+ administrator_login_password = "P@ssw0rd@1" # checkov:skip=CKV_SECRET_80 test secret
 sku_name = "GP_Gen5_4"
 version = "11"
@@ -58,8 +57,7 @@ resource "azurerm_mssql_server" "fail" {
 resource_group_name = var.resource_group_name
 administrator_login = "pud"
- # checkov:skip=CKV_SECRET_6 test secret
- administrator_login_password = "P@ssw0rd@1"
+ administrator_login_password = "P@ssw0rd@1" # checkov:skip=CKV_SECRET_80 test secret
 sku_name = "GP_Gen5_4"
 version = "11"
diff --git a/tests/terraform/graph/checks/resources/AzureMariaDBserverConfigPrivEndpt/main.tf b/tests/terraform/graph/checks/resources/AzureMariaDBserverConfigPrivEndpt/main.tf
index 2301730a3ff..e5b2abc4292 100644
--- a/tests/terraform/graph/checks/resources/AzureMariaDBserverConfigPrivEndpt/main.tf
+++ b/tests/terraform/graph/checks/resources/AzureMariaDBserverConfigPrivEndpt/main.tf
@@ -19,8 +19,7 @@ resource "azurerm_mariadb_server" "pass" {
 resource_group_name = var.resource_group_name
 administrator_login = "pud"
- # checkov:skip=CKV_SECRET_6 test secret
- administrator_login_password = "P@ssw0rd@1"
+ administrator_login_password = "P@ssw0rd@1" # checkov:skip=CKV_SECRET_80 test secret
 sku_name = "GP_Gen5_4"
 version = "11"
@@ -58,8 +57,7 @@ resource "azurerm_mariadb_server" "fail" {
 resource_group_name = var.resource_group_name
 administrator_login = "pud"
- # checkov:skip=CKV_SECRET_6 test secret
- administrator_login_password = "P@ssw0rd@1"
+ administrator_login_password = "P@ssw0rd@1" # checkov:skip=CKV_SECRET_80 test secret
 sku_name = "GP_Gen5_4"
 version = "11"
diff --git a/tests/terraform/graph/checks/resources/AzureMySQLserverConfigPrivEndpt/main.tf b/tests/terraform/graph/checks/resources/AzureMySQLserverConfigPrivEndpt/main.tf
index 699a2582782..e9107bd9324 100644
--- a/tests/terraform/graph/checks/resources/AzureMySQLserverConfigPrivEndpt/main.tf
+++ b/tests/terraform/graph/checks/resources/AzureMySQLserverConfigPrivEndpt/main.tf
@@ -19,8 +19,7 @@ resource "azurerm_mysql_server" "pass" {
 resource_group_name = var.resource_group_name
 administrator_login = "pud"
- # checkov:skip=CKV_SECRET_6 test secret
- administrator_login_password = "P@ssw0rd@1"
+ administrator_login_password = "P@ssw0rd@1" # checkov:skip=CKV_SECRET_80 test secret
 sku_name = "GP_Gen5_4"
 version = "11"
@@ -58,8 +57,7 @@ resource "azurerm_mysql_server" "fail" {
 resource_group_name = var.resource_group_name
 administrator_login = "pud"
- # checkov:skip=CKV_SECRET_6 test secret
- administrator_login_password = "P@ssw0rd@1"
+ administrator_login_password = "P@ssw0rd@1" # checkov:skip=CKV_SECRET_80 test secret
 sku_name = "GP_Gen5_4"
 version = "11"
diff --git a/tests/terraform/graph/checks/resources/AzurePostgreSQLserverConfigPrivEndpt/main.tf b/tests/terraform/graph/checks/resources/AzurePostgreSQLserverConfigPrivEndpt/main.tf
index c4e82099860..e6bf03057dd 100644
--- a/tests/terraform/graph/checks/resources/AzurePostgreSQLserverConfigPrivEndpt/main.tf
+++ b/tests/terraform/graph/checks/resources/AzurePostgreSQLserverConfigPrivEndpt/main.tf
@@ -19,8 +19,7 @@ resource "azurerm_postgresql_server" "pass" {
 resource_group_name = var.resource_group_name
 administrator_login = "pud"
- # checkov:skip=CKV_SECRET_6 test secret
- administrator_login_password = "P@ssw0rd@1"
+ administrator_login_password = "P@ssw0rd@1" # checkov:skip=CKV_SECRET_80 test secret
 sku_name = "GP_Gen5_4"
 version = "11"
@@ -58,8 +57,7 @@ resource "azurerm_postgresql_server" "fail" {
 resource_group_name = var.resource_group_name
 administrator_login = "pud"
- # checkov:skip=CKV_SECRET_6 test secret
- administrator_login_password = "P@ssw0rd@1"
+ administrator_login_password = "P@ssw0rd@1" # checkov:skip=CKV_SECRET_80 test secret
 sku_name = "GP_Gen5_4"
 version = "11"
diff --git a/tests/terraform/graph/checks/resources/AzureSynapseWorkspaceVAisEnabled/main.tf b/tests/terraform/graph/checks/resources/AzureSynapseWorkspaceVAisEnabled/main.tf
index 9b4340f5ce3..afcbda62001 100644
--- a/tests/terraform/graph/checks/resources/AzureSynapseWorkspaceVAisEnabled/main.tf
+++ b/tests/terraform/graph/checks/resources/AzureSynapseWorkspaceVAisEnabled/main.tf
@@ -10,8 +10,7 @@ resource "azurerm_synapse_workspace" "synapse_ws_pass_1" {
 location = var.default_var
 storage_data_lake_gen2_filesystem_id = var.default_var
 sql_administrator_login = "pudsqladminuser"
- # checkov:skip=CKV_SECRET_6 test secret
- sql_administrator_login_password = "P@ssw0rd@1"
+ sql_administrator_login_password = "P@ssw0rd@1" # checkov:skip=CKV_SECRET_80 test secret
 aad_admin {
 login = "AzureAD Admin"
@@ -56,8 +55,7 @@ resource "azurerm_synapse_workspace" "synapse_ws_fail_1" {
 location = var.default_var
 storage_data_lake_gen2_filesystem_id = var.default_var
 sql_administrator_login = "pudsqladminuser"
- # checkov:skip=CKV_SECRET_6 test secret
- sql_administrator_login_password = "P@ssw0rd@1"
+ sql_administrator_login_password = "P@ssw0rd@1" # checkov:skip=CKV_SECRET_80 test secret
 aad_admin {
 login = "AzureAD Admin"
@@ -102,8 +100,7 @@ resource "azurerm_synapse_workspace" "synapse_ws_fail_2" {
 location = var.default_var
 storage_data_lake_gen2_filesystem_id = var.default_var
 sql_administrator_login = "pudsqladminuser"
- # checkov:skip=CKV_SECRET_6 test secret
- sql_administrator_login_password = "P@ssw0rd@1"
+ sql_administrator_login_password = "P@ssw0rd@1" # checkov:skip=CKV_SECRET_80 test secret
 aad_admin {
 login = "AzureAD Admin"
@@ -149,8 +146,7 @@ resource "azurerm_synapse_workspace" "synapse_ws_fail_3" {
 location = var.default_var
 storage_data_lake_gen2_filesystem_id = var.default_var
 sql_administrator_login = "pudsqladminuser"
- # checkov:skip=CKV_SECRET_6 test secret
- sql_administrator_login_password = "P@ssw0rd@1"
+ sql_administrator_login_password = "P@ssw0rd@1" # checkov:skip=CKV_SECRET_80 test secret
 aad_admin {
 login = "AzureAD Admin"
From 280c0f0203711af6be8728a2eeb1ce68895ce25a Mon Sep 17 00:00:00 2001
From: Praveen
Date: Wed, 15 Nov 2023 18:39:17 +0530
Subject: [PATCH 5/7] Fixed expected.yaml of AzureSynapseWorkspaceVAisEnabled policy
---
 .../resources/AzureSynapseWorkspaceVAisEnabled/expected.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/terraform/graph/checks/resources/AzureSynapseWorkspaceVAisEnabled/expected.yaml b/tests/terraform/graph/checks/resources/AzureSynapseWorkspaceVAisEnabled/expected.yaml
index c84268410ce..d7f3a2ef109 100644
--- a/tests/terraform/graph/checks/resources/AzureSynapseWorkspaceVAisEnabled/expected.yaml
+++ b/tests/terraform/graph/checks/resources/AzureSynapseWorkspaceVAisEnabled/expected.yaml
@@ -1,5 +1,5 @@
 pass:
- - "resource: azurerm_synapse_workspace_vulnerability_assessment.va_pass"
+ - "azurerm_synapse_workspace_vulnerability_assessment.va_pass"
 fail:
 - "azurerm_synapse_workspace_vulnerability_assessment.va_fail_1"
From ffc0e19393cb7a86f4b2e53f15da9e0086f4f4fc Mon Sep 17 00:00:00 2001
From: Praveen
Date: Thu, 16 Nov 2023 08:50:20 +0530
Subject: [PATCH 6/7] Updated title for CKV2_IBM_1 and modified it to work for any type of load balancer
---
 .../ibm/IBM_AppLBforVPCisPrivate.yaml | 24 -----------------
 .../ibm/IBM_LoadBalancerforVPCisPrivate.yaml | 18 +++++++++++++
 .../IBM_AppLBforVPCisPrivate/expected.yaml | 5 ----
 .../IBM_AppLBforVPCisPrivate/main.tf | 26 -------------------
 .../expected.yaml | 4 +++
 .../IBM_LoadBalancerforVPCisPrivate/main.tf | 19 ++++++++++++++
 .../graph/checks/test_yaml_policies.py | 2 +-
 7 files changed, 42 insertions(+), 56 deletions(-)
 delete mode 100644 checkov/terraform/checks/graph_checks/ibm/IBM_AppLBforVPCisPrivate.yaml
 create mode 100644 checkov/terraform/checks/graph_checks/ibm/IBM_LoadBalancerforVPCisPrivate.yaml
 delete mode 100644 tests/terraform/graph/checks/resources/IBM_AppLBforVPCisPrivate/expected.yaml
 delete mode 100644 tests/terraform/graph/checks/resources/IBM_AppLBforVPCisPrivate/main.tf
 create mode 100644 tests/terraform/graph/checks/resources/IBM_LoadBalancerforVPCisPrivate/expected.yaml
 create mode 100644 tests/terraform/graph/checks/resources/IBM_LoadBalancerforVPCisPrivate/main.tf
diff --git a/checkov/terraform/checks/graph_checks/ibm/IBM_AppLBforVPCisPrivate.yaml b/checkov/terraform/checks/graph_checks/ibm/IBM_AppLBforVPCisPrivate.yaml
deleted file mode 100644
index e3d91f0faf2..00000000000
--- a/checkov/terraform/checks/graph_checks/ibm/IBM_AppLBforVPCisPrivate.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-metadata:
- id: "CKV2_IBM_1"
- name: "Ensure application load balancer for VPC is private (disable public access)"
- category: "GENERAL_SECURITY"
-
-definition:
- and:
- - cond_type: "attribute"
- resource_types: "ibm_is_lb"
- attribute: "profile"
- operator: "not_exists"
- # For Application Load Balancer, profile is not a required attribute.
- # Reference: https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_lb#profile
- - cond_type: "attribute"
- resource_types: "ibm_is_lb"
- attribute: "type"
- operator: "exists"
- - cond_type: "attribute"
- resource_types: "ibm_is_lb"
- attribute: "type"
- operator: "equals_ignore_case"
- value: "private"
\ No newline at end of file
diff --git a/checkov/terraform/checks/graph_checks/ibm/IBM_LoadBalancerforVPCisPrivate.yaml b/checkov/terraform/checks/graph_checks/ibm/IBM_LoadBalancerforVPCisPrivate.yaml
new file mode 100644
index 00000000000..ec78b31a900
--- /dev/null
+++ b/checkov/terraform/checks/graph_checks/ibm/IBM_LoadBalancerforVPCisPrivate.yaml
@@ -0,0 +1,18 @@
+metadata:
+ id: "CKV2_IBM_1"
+ name: "Ensure load balancer for VPC is private (disable public access)"
+ category: "GENERAL_SECURITY"
+
+definition:
+ and:
+
+ - cond_type: "attribute"
+ resource_types: "ibm_is_lb"
+ attribute: "type"
+ operator: "exists"
+
+ - cond_type: "attribute"
+ resource_types: "ibm_is_lb"
+ attribute: "type"
+ operator: "equals_ignore_case"
+ value: "private"
\ No newline at end of file
diff --git a/tests/terraform/graph/checks/resources/IBM_AppLBforVPCisPrivate/expected.yaml b/tests/terraform/graph/checks/resources/IBM_AppLBforVPCisPrivate/expected.yaml
deleted file mode 100644
index d3e327af28d..00000000000
--- a/tests/terraform/graph/checks/resources/IBM_AppLBforVPCisPrivate/expected.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-pass:
- - "ibm_is_lb.pass"
-fail:
- - "ibm_is_lb.fail_1"
- - "ibm_is_lb.fail_2"
\ No newline at end of file
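Review bot: The `exists` clause on `type` in the new IBM_LoadBalancerforVPCisPrivate.yaml is the part of the check that makes an `ibm_is_lb` with no `type` attribute fail, and since the companion fixture comment states that an omitted `type` defaults to public, that absent-attribute case is the one this policy most needs to catch; nothing in the yaml says so, whereas the deleted file documented the reasoning behind its `profile` condition. Add `# 'type' defaults to 'public' when omitted, so the attribute must be present and explicitly 'private'` above the first condition. If `equals_ignore_case` already fails on a missing attribute the `exists` clause is redundant, but I have not verified the solver's handling of absent attributes, so keeping both is the safer reading. The lone blank line added directly after `and:` is harmless but reads as a stray.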
diff --git a/tests/terraform/graph/checks/resources/IBM_AppLBforVPCisPrivate/main.tf b/tests/terraform/graph/checks/resources/IBM_AppLBforVPCisPrivate/main.tf
deleted file mode 100644
index 3d793d24f8f..00000000000
--- a/tests/terraform/graph/checks/resources/IBM_AppLBforVPCisPrivate/main.tf
+++ /dev/null
@@ -1,26 +0,0 @@
-variable "pud-subnet" {
- subnet = "192.168.20.0/24"
-}
-
-# Case 1: Pass: type = "private" and profile does not exist
-
-resource "ibm_is_lb" "pass" {
- name = "pud-load-balancer"
- subnets = [var.pud-subnet]
- type = "private"
-}
-
-# Case 2: FAIL: profile = 'network-fixed'
-
-resource "ibm_is_lb" "fail_1" {
- name = "pud-load-balancer"
- subnets = [var.pud-subnet]
- profile = "network-fixed"
-}
-
-# Case 3: FAIL: 'type' does not exist. By default type = 'public'
-
-resource "ibm_is_lb" "fail_2" {
- name = "pud-load-balancer"
- subnets = [var.pud-subnet]
-}
\ No newline at end of file
diff --git a/tests/terraform/graph/checks/resources/IBM_LoadBalancerforVPCisPrivate/expected.yaml b/tests/terraform/graph/checks/resources/IBM_LoadBalancerforVPCisPrivate/expected.yaml
new file mode 100644
index 00000000000..52a7855045d
--- /dev/null
+++ b/tests/terraform/graph/checks/resources/IBM_LoadBalancerforVPCisPrivate/expected.yaml
@@ -0,0 +1,4 @@
+pass:
+ - "ibm_is_lb.pass"
+fail:
+ - "ibm_is_lb.fail"
\ No newline at end of file
diff --git a/tests/terraform/graph/checks/resources/IBM_LoadBalancerforVPCisPrivate/main.tf b/tests/terraform/graph/checks/resources/IBM_LoadBalancerforVPCisPrivate/main.tf
new file mode 100644
index 00000000000..1acb004f103
--- /dev/null
+++ b/tests/terraform/graph/checks/resources/IBM_LoadBalancerforVPCisPrivate/main.tf
@@ -0,0 +1,19 @@
+variable "pud-subnet" {
+ subnet = "192.168.20.0/24"
+}
+
+# Case 1: Pass: type = "private"
+
+resource "ibm_is_lb" "pass" {
+ name = "pud-load-balancer"
+ subnets = [var.pud-subnet]
+ type = "private"
+}
+
+# Case 2: FAIL: 'type' does not exist. By default, type = 'public'
+
+resource "ibm_is_lb" "fail" {
+ name = "pud-load-balancer"
+ subnets = [var.pud-subnet]
+ profile = "network-fixed"
+}
diff --git a/tests/terraform/graph/checks/test_yaml_policies.py b/tests/terraform/graph/checks/test_yaml_policies.py
index dbb3c24ad8e..137b7691309 100644
--- a/tests/terraform/graph/checks/test_yaml_policies.py
+++ b/tests/terraform/graph/checks/test_yaml_policies.py
@@ -443,7 +443,7 @@ def test_AzureSynapseWorkspaceVAisEnabled(self):
 self.go("AzureSynapseWorkspaceVAisEnabled")
 def test_IBM_AppLBforVPCisPrivate(self):
- self.go("IBM_AppLBforVPCisPrivate")
+ self.go("IBM_LoadBalancerforVPCisPrivate")
 def test_IBM_VPCclassicAccessIsDisabled(self):
 self.go("IBM_VPCclassicAccessIsDisabled")
From 7f2404455d2c6eca893288e019048a6bc7b940cf Mon Sep 17 00:00:00 2001
From: Praveen
Date: Thu, 16 Nov 2023 08:54:04 +0530
Subject: [PATCH 7/7] Updated title of CKV2_AZURE_45 as per request
---
 .../graph_checks/azure/AzureMSSQLserverConfigPrivEndpt.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/checkov/terraform/checks/graph_checks/azure/AzureMSSQLserverConfigPrivEndpt.yaml b/checkov/terraform/checks/graph_checks/azure/AzureMSSQLserverConfigPrivEndpt.yaml
index 3c00cf9f1a1..3a113dfd511 100644
--- a/checkov/terraform/checks/graph_checks/azure/AzureMSSQLserverConfigPrivEndpt.yaml
+++ b/checkov/terraform/checks/graph_checks/azure/AzureMSSQLserverConfigPrivEndpt.yaml
@@ -1,6 +1,6 @@
 metadata:
 id: "CKV2_AZURE_45"
- name: "Ensure Azure SQL server is configured with private endpoint"
+ name: "Ensure Microsoft SQL server is configured with private endpoint"
 category: "GENERAL_SECURITY"
 definition:
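Review bot: The only fail fixture in the new IBM_LoadBalancerforVPCisPrivate/main.tf omits `type` entirely; an `ibm_is_lb` with an explicit `type = "public"` — the configuration the check title names — is never exercised, so a regression that made the policy pass on any present `type` value would go unnoticed. Add a third resource with `type = "public"` (below) and list `ibm_is_lb.fail_public` under `fail:` in the companion expected.yaml. Separately, `variable "pud-subnet" { subnet = "192.168.20.0/24" }` is not a valid Terraform variable block (`subnet` is not a variable argument; `default` is) — it was carried over from the deleted fixture and the test apparently loads today, but `default = "192.168.20.0/24"` would keep the fixture valid HCL for anyone running `terraform validate` on it.
```hcl
# … unchanged: variable block, Case 1 (pass) and Case 2 (fail, type omitted) …

# Case 3: FAIL: type = "public" set explicitly

resource "ibm_is_lb" "fail_public" {
  name    = "pud-load-balancer"
  subnets = [var.pud-subnet]
  type    = "public"
}
```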
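Review bot: `def test_IBM_AppLBforVPCisPrivate(self):` keeps the old policy name while the fixture directory it loads was renamed to IBM_LoadBalancerforVPCisPrivate in this same commit, so a failure in this test would point at a yaml file that no longer exists. Rename it to `def test_IBM_LoadBalancerforVPCisPrivate(self):` so the test name matches the policy file, as the neighbouring tests do. The enclosing test class starts outside the hunk.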