feat(terraform): Ensure that the SQL database is zone-redundant (brid…

…gecrewio#5540)

* Added the check

* Removed useless space

* Fixed flake8 findings

* adjust check ID

---------

Co-authored-by: Thomas Defise <[email protected]>
Co-authored-by: Anton Grübel <[email protected]>

checkov/terraform/checks/resource/azure/SQLDatabaseZoneRedundant.py

@@ -0,0 +1,43 @@
+from __future__ import annotations
+
+from checkov.common.models.enums import CheckCategories
+from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+
+
+class SQLDatabaseZoneRedundant(BaseResourceValueCheck):
+    def __init__(self) -> None:
+        """
+        This is a best practise which helps to:
+        - Improved High Availability: Zone redundancy ensures that your database is replicated
+          across Availability Zones within an Azure region. If one Availability Zone experiences an outage,
+          your database continues to operate from the other zones, minimizing downtime.
+        - Reduced Maintenance Downtime: Zone-redundant configurations often require
+          less planned maintenance downtime because updates and patches can be applied to
+          one zone at a time while the other zones continue to serve traffic.
+        - Improved Scalability: Zone-redundant configurations are designed to scale with your workload.
+          You can take advantage of features like Hyperscale to dynamically adjust resources based on
+          your database's performance needs.
+        - Improved SLA: Azure SQL Database zone-redundant configurations typically offer
+          a higher service-level agreement (SLA) for availability compared to non-zone-redundant configurations.
+
+        However, it's critical to note that:
+        Note that:
+        - Zone-redundant availability is available to databases in the
+          General Purpose, Premium, Business Critical and Hyperscale service tiers of the vCore purchasing model,
+          and not the Basic and Standard service tiers of the DTU-based purchasing model.
+        - This may not be required for:
+           - Databases that supports applications which doesn't a high maturity in terms of "High Availability"
+           - Databases that are very sensitive to network latency that may increase the transaction commit time,
+             and thus impact the performance of some OLTP workloads.
+        """
+        name = "Ensure the Azure SQL Database Namespace is zone redundant"
+        id = "CKV_AZURE_229"
+        supported_resources = ("azurerm_mssql_database",)
+        categories = (CheckCategories.BACKUP_AND_RECOVERY,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self) -> str:
+        return "zone_redundant"
+
+
+check = SQLDatabaseZoneRedundant()

tests/terraform/checks/resource/azure/example_SQLDatabaseZoneRedundant/main.tf

@@ -0,0 +1,44 @@
+resource "azurerm_mssql_database" "pass" {
+  name           = "example-database"
+  server_id      = azurerm_mssql_server.example.id
+  collation      = "SQL_Latin1_General_CP1_CI_AS"
+  license_type   = "LicenseIncluded"
+  max_size_gb    = 4
+  read_scale     = true
+  sku_name       = "S0"
+  zone_redundant = true
+
+  tags = {
+    environment = "Production"
+  }
+}
+
+resource "azurerm_mssql_database" "fail2" {
+    name           = "example-database"
+    server_id      = azurerm_mssql_server.example.id
+    collation      = "SQL_Latin1_General_CP1_CI_AS"
+    license_type   = "LicenseIncluded"
+    max_size_gb    = 4
+    read_scale     = true
+    sku_name       = "S0"
+    zone_redundant = false
+
+    tags = {
+        environment = "Production"
+    }
+}
+
+resource "azurerm_mssql_database" "fail" {
+    name           = "example-database"
+    server_id      = azurerm_mssql_server.example.id
+    collation      = "SQL_Latin1_General_CP1_CI_AS"
+    license_type   = "LicenseIncluded"
+    max_size_gb    = 4
+    read_scale     = true
+    sku_name       = "S0"
+
+    tags = {
+        environment = "Production"
+    }
+
+}

tests/terraform/checks/resource/azure/test_SQLDatabaseZoneRedundant.py

@@ -0,0 +1,42 @@
+import os
+import unittest
+
+from checkov.runner_filter import RunnerFilter
+from checkov.terraform.runner import Runner
+from checkov.terraform.checks.resource.azure.SQLDatabaseZoneRedundant import check
+
+
+class TestSQLDatabaseZoneRedundant (unittest.TestCase):
+
+    def test(self):
+        runner = Runner()
+        current_dir = os.path.dirname(os.path.realpath(__file__))
+
+        test_files_dir = os.path.join(current_dir, "example_SQLDatabaseZoneRedundant")
+        report = runner.run(root_folder=test_files_dir,
+                            runner_filter=RunnerFilter(checks=[check.id]))
+        summary = report.get_summary()
+
+        passing_resources = {
+            'azurerm_mssql_database.pass',
+        }
+        failing_resources = {
+            'azurerm_mssql_database.fail',
+            'azurerm_mssql_database.fail2',
+        }
+        skipped_resources = {}
+
+        passed_check_resources = set([c.resource for c in report.passed_checks])
+        failed_check_resources = set([c.resource for c in report.failed_checks])
+
+        self.assertEqual(summary['passed'], len(passing_resources))
+        self.assertEqual(summary['failed'], len(failing_resources))
+        self.assertEqual(summary['skipped'], len(skipped_resources))
+        self.assertEqual(summary['parsing_errors'], 0)
+
+        self.assertEqual(passing_resources, passed_check_resources)
+        self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == '__main__':
+    unittest.main()