feat(terraform): Adding YAML based build time policies for corresponding PC runtime policies

checkov/terraform/checks/graph_checks/azure/AzureMSSQLserverConfigPrivEndpt.yaml

@@ -0,0 +1,19 @@
+metadata:
+  id: "CKV2_AZURE_45"
+  name: "Ensure Azure SQL server is configured with private endpoint"
+  category: "GENERAL_SECURITY"
+
+definition:
+  and:
+    - cond_type: "filter"
+      attribute: "resource_type"
+      operator: "within"
+      value:
+        - "azurerm_mssql_server"
+
+    - cond_type: "connection"
+      resource_types:
+        - "azurerm_mssql_server"
+      connected_resource_types:
+        - "azurerm_private_endpoint"
+      operator: "exists"

checkov/terraform/checks/graph_checks/azure/AzureMariaDBserverConfigPrivEndpt.yaml

@@ -0,0 +1,19 @@
+metadata:
+  id: "CKV2_AZURE_43"
+  name: "Ensure Azure MariaDB server is configured with private endpoint"
+  category: "GENERAL_SECURITY"
+
+definition:
+  and:
+    - cond_type: "filter"
+      attribute: "resource_type"
+      operator: "within"
+      value:
+        - "azurerm_mariadb_server"
+
+    - cond_type: "connection"
+      resource_types:
+        - "azurerm_mariadb_server"
+      connected_resource_types:
+        - "azurerm_private_endpoint"
+      operator: "exists"

checkov/terraform/checks/graph_checks/azure/AzureMySQLserverConfigPrivEndpt.yaml

@@ -0,0 +1,19 @@
+metadata:
+  id: "CKV2_AZURE_44"
+  name: "Ensure Azure MySQL server is configured with private endpoint"
+  category: "GENERAL_SECURITY"
+
+definition:
+  and:
+    - cond_type: "filter"
+      attribute: "resource_type"
+      operator: "within"
+      value:
+        - "azurerm_mysql_server"
+
+    - cond_type: "connection"
+      resource_types:
+        - "azurerm_mysql_server"
+      connected_resource_types:
+        - "azurerm_private_endpoint"
+      operator: "exists"

checkov/terraform/checks/graph_checks/azure/AzurePostgreSQLserverConfigPrivEndpt.yaml

@@ -0,0 +1,19 @@
+metadata:
+  id: "CKV2_AZURE_42"
+  name: "Ensure Azure PostgreSQL server is configured with private endpoint"
+  category: "GENERAL_SECURITY"
+
+definition:
+  and:
+    - cond_type: "filter"
+      attribute: "resource_type"
+      operator: "within"
+      value:
+        - "azurerm_postgresql_server"
+
+    - cond_type: "connection"
+      resource_types:
+        - "azurerm_postgresql_server"
+      connected_resource_types:
+        - "azurerm_private_endpoint"
+      operator: "exists"

checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspaceVAisEnabled.yaml

@@ -0,0 +1,33 @@
+metadata:
+  id: "CKV2_AZURE_46"
+  name: "Ensure that Azure Synapse Workspace vulnerability assessment is enabled"
+  category: "GENERAL_SECURITY"
+definition:
+    and:
+      - resource_types:
+          - azurerm_synapse_workspace_security_alert_policy
+        connected_resource_types:
+          - azurerm_synapse_workspace
+        operator: exists
+        cond_type: connection
+
+      - resource_types:
+          - azurerm_synapse_workspace_vulnerability_assessment
+        connected_resource_types:
+          - azurerm_synapse_workspace_security_alert_policy
+        operator: exists
+        cond_type: connection
+
+      - cond_type: attribute
+        resource_types:
+          - azurerm_synapse_workspace_vulnerability_assessment
+        attribute: 'recurring_scans.*.enabled'
+        operator: equals
+        value: true
+
+      - cond_type: filter
+        attribute: resource_type
+        value:
+          - azurerm_synapse_workspace_vulnerability_assessment
+        operator: within
+

checkov/terraform/checks/graph_checks/ibm/IBM_AppLBforVPCisPrivate.yaml

@@ -0,0 +1,24 @@
+metadata:
+  id: "CKV2_IBM_1"
+  name: "Ensure application load balancer for VPC is private (disable public access)"
+  category: "GENERAL_SECURITY"
+
+definition:
+  and:
+    - cond_type: "attribute"
+      resource_types: "ibm_is_lb"
+      attribute: "profile"
+      operator: "not_exists"
+      # For Application Load Balancer, profile is not a required attribute.
+      # Reference: https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_lb#profile
+
+    - cond_type: "attribute"
+      resource_types: "ibm_is_lb"
+      attribute: "type"
+      operator: "exists"
+
+    - cond_type: "attribute"
+      resource_types: "ibm_is_lb"
+      attribute: "type"
+      operator: "equals_ignore_case"
+      value: "private"

checkov/terraform/checks/graph_checks/ibm/IBM_VPCclassicAccessIsDisabled.yaml

@@ -0,0 +1,24 @@
+metadata:
+  id: "CKV2_IBM_2"
+  name: "Ensure VPC classic access is disabled"
+  category: "GENERAL_SECURITY"
+
+definition:
+  or:
+    - cond_type: "attribute"
+      resource_types: "ibm_is_vpc"
+      attribute: "classic_access"
+      operator: "not_exists"
+
+    - and:
+
+        - cond_type: "attribute"
+          resource_types: "ibm_is_vpc"
+          attribute: "classic_access"
+          operator: "exists"
+
+        - cond_type: "attribute"
+          resource_types: "ibm_is_vpc"
+          attribute: "classic_access"
+          operator: "equals_ignore_case"
+          value: "false"

tests/terraform/graph/checks/resources/AzureMSSQLserverConfigPrivEndpt/expected.yaml

@@ -0,0 +1,4 @@
+pass:
+  - "azurerm_mssql_server.pass"
+fail:
+  - "azurerm_mssql_server.fail"

tests/terraform/graph/checks/resources/AzureMSSQLserverConfigPrivEndpt/main.tf

@@ -0,0 +1,73 @@
+
+variable "resource_group_name" {
+  default = "pud_mssql_rg"
+}
+
+variable "location" {
+  default = "East US 2"
+}
+
+variable "subnet_id" {
+  default = "pud-az-subnet"
+}
+
+# case 1: PASS: azurerm_private_endpoint exists and is connected
+
+resource "azurerm_mssql_server" "pass" {
+  name                = "pass_mssql_server"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+
+  administrator_login          = "pud"
+  administrator_login_password = "P@ssw0rd@1" # checkov:skip=CKV_SECRET_80 test secret
+
+  sku_name   = "GP_Gen5_4"
+  version    = "11"
+  storage_mb = 5120
+
+  backup_retention_days        = 7
+  geo_redundant_backup_enabled = true
+  auto_grow_enabled            = false
+
+  public_network_access_enabled    = false
+  ssl_enforcement_enabled          = true
+  ssl_minimal_tls_version_enforced = "TLS1_2"
+}
+
+resource "azurerm_private_endpoint" "pass_priendpt" {
+  name                = "pass_priendpt"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  subnet_id           = var.subnet_id
+
+  private_service_connection {
+    name                           = "dep-privservcon"
+    private_connection_resource_id = azurerm_mssql_server.pass.id
+    subresource_names              = ["sqlServer"]
+    is_manual_connection           = false
+  }
+}
+
+
+# case 2: FAIL: azurerm_private_endpoint does not exist
+
+resource "azurerm_mssql_server" "fail" {
+  name                = "fail_mssql_server"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+
+  administrator_login          = "pud"
+  administrator_login_password = "P@ssw0rd@1" # checkov:skip=CKV_SECRET_80 test secret
+
+  sku_name   = "GP_Gen5_4"
+  version    = "11"
+  storage_mb = 5120
+
+  backup_retention_days        = 7
+  geo_redundant_backup_enabled = true
+  auto_grow_enabled            = false
+
+  public_network_access_enabled    = false
+  ssl_enforcement_enabled          = true
+  ssl_minimal_tls_version_enforced = "TLS1_2"
+}

tests/terraform/graph/checks/resources/AzureMariaDBserverConfigPrivEndpt/expected.yaml

@@ -0,0 +1,4 @@
+pass:
+  - "azurerm_mariadb_server.pass"
+fail:
+  - "azurerm_mariadb_server.fail"

tests/terraform/graph/checks/resources/AzureMariaDBserverConfigPrivEndpt/main.tf

@@ -0,0 +1,73 @@
+
+variable "resource_group_name" {
+  default = "pud_maria_rg"
+}
+
+variable "location" {
+  default = "East US 2"
+}
+
+variable "subnet_id" {
+  default = "pud-az-subnet"
+}
+
+# case 1: PASS: azurerm_private_endpoint exists and is connected
+
+resource "azurerm_mariadb_server" "pass" {
+  name                = "pass_mariadb_server"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+
+  administrator_login          = "pud"
+  administrator_login_password = "P@ssw0rd@1" # checkov:skip=CKV_SECRET_80 test secret
+
+  sku_name   = "GP_Gen5_4"
+  version    = "11"
+  storage_mb = 5120
+
+  backup_retention_days        = 7
+  geo_redundant_backup_enabled = true
+  auto_grow_enabled            = false
+
+  public_network_access_enabled    = false
+  ssl_enforcement_enabled          = true
+  ssl_minimal_tls_version_enforced = "TLS1_2"
+}
+
+resource "azurerm_private_endpoint" "pass_priendpt" {
+  name                = "pass_priendpt"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  subnet_id           = var.subnet_id
+
+  private_service_connection {
+    name                           = "dep-privservcon"
+    private_connection_resource_id = azurerm_mariadb_server.pass.id
+    subresource_names              = ["mariadbServer"]
+    is_manual_connection           = false
+  }
+}
+
+
+# case 2: FAIL: azurerm_private_endpoint does not exist
+
+resource "azurerm_mariadb_server" "fail" {
+  name                = "fail_mariadb_server"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+
+  administrator_login          = "pud"
+  administrator_login_password = "P@ssw0rd@1" # checkov:skip=CKV_SECRET_80 test secret
+
+  sku_name   = "GP_Gen5_4"
+  version    = "11"
+  storage_mb = 5120
+
+  backup_retention_days        = 7
+  geo_redundant_backup_enabled = true
+  auto_grow_enabled            = false
+
+  public_network_access_enabled    = false
+  ssl_enforcement_enabled          = true
+  ssl_minimal_tls_version_enforced = "TLS1_2"
+}

tests/terraform/graph/checks/resources/AzureMySQLserverConfigPrivEndpt/expected.yaml

@@ -0,0 +1,4 @@
+pass:
+  - "azurerm_mysql_server.pass"
+fail:
+  - "azurerm_mysql_server.fail"