From 112e558040fe333b51c86785fd9a90f0ddb71dff Mon Sep 17 00:00:00 2001
From: Omry Mendelovich <16597193+omryMen@users.noreply.github.com>
Date: Sun, 10 Sep 2023 18:56:17 +0300
Subject: [PATCH] feat(terraform): add check for Neptune DB clusters IAM database auth enabled (#5545)

* add check for Neptune DB clusters should have IAM database authentication enabled
* another test
* another test
* update ckv num
---
 ...lustersIAMDatabaseAuthenticationEnabled.py | 17 ++++++++
 ...lustersIAMDatabaseAuthenticationEnabled.tf | 20 +++++++++
 ...lustersIAMDatabaseAuthenticationEnabled.py | 42 +++++++++++++++++++
 3 files changed, 79 insertions(+)
 create mode 100644 checkov/terraform/checks/resource/aws/NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py
 create mode 100644 tests/terraform/checks/resource/aws/example_NeptuneDBClustersIAMDatabaseAuthenticationEnabled/NeptuneDBClustersIAMDatabaseAuthenticationEnabled.tf
 create mode 100644 tests/terraform/checks/resource/aws/test_NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py

diff --git a/checkov/terraform/checks/resource/aws/NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py b/checkov/terraform/checks/resource/aws/NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py
new file mode 100644
index 00000000000..ddda691fe41
--- /dev/null
+++ b/checkov/terraform/checks/resource/aws/NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py
@@ -0,0 +1,17 @@
+from checkov.common.models.enums import CheckCategories
+from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+
+
+class NeptuneDBClustersIAMDatabaseAuthenticationEnabled(BaseResourceValueCheck):
+    def __init__(self):
+        description = "Neptune DB clusters should have IAM database authentication enabled"
+        id = "CKV_AWS_359"
+        supported_resources = ['aws_neptune_cluster']
+        categories = [CheckCategories.IAM]
+        super().__init__(name=description, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self):
+        return "iam_database_authentication_enabled"
+
+
+check = NeptuneDBClustersIAMDatabaseAuthenticationEnabled()
diff --git a/tests/terraform/checks/resource/aws/example_NeptuneDBClustersIAMDatabaseAuthenticationEnabled/NeptuneDBClustersIAMDatabaseAuthenticationEnabled.tf b/tests/terraform/checks/resource/aws/example_NeptuneDBClustersIAMDatabaseAuthenticationEnabled/NeptuneDBClustersIAMDatabaseAuthenticationEnabled.tf
new file mode 100644
index 00000000000..16f21de1a0f
--- /dev/null
+++ b/tests/terraform/checks/resource/aws/example_NeptuneDBClustersIAMDatabaseAuthenticationEnabled/NeptuneDBClustersIAMDatabaseAuthenticationEnabled.tf
@@ -0,0 +1,20 @@
+## SHOULD PASS: iam_database_authentication_enabled set to true
+resource "aws_neptune_cluster" "ckv_unittest_pass" {
+  ## Your test here
+  cluster_identifier = "bla"
+  iam_database_authentication_enabled = true
+}
+
+## SHOULD FAIL: iam_database_authentication_enabled set to false
+resource "aws_neptune_cluster" "ckv_unittest_fail" {
+  ## Your test here
+  cluster_identifier = "bla_fail"
+  iam_database_authentication_enabled = false
+}
+
+
+## SHOULD FAIL: iam_database_authentication_enabled doesn't exist
+resource "aws_neptune_cluster" "ckv_unittest2_fail" {
+  ## Your test here
+  cluster_identifier = "bla_fail"
+}
\ No newline at end of file
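Review bot: The new check class carries no docstring and neither method is annotated, so a reader has to infer from the inspected key what the rule enforces; a class docstring such as `"""Fails aws_neptune_cluster resources unless iam_database_authentication_enabled is true, so cluster access is governed by IAM identities and policies rather than left to the provider default."""` plus `def __init__(self) -> None:` and `def get_inspected_key(self) -> str:` would bring it in line with the typed checks elsewhere in this tree. It is worth stating in that docstring that an absent attribute is reported as a failure (the fixture's third case relies on this base-class behaviour), which is presumably correct because the provider defaults the attribute to false. The local `id = "CKV_AWS_359"` shadows the builtin `id` inside `__init__`; it is only passed through to `super().__init__`, so this is harmless, but a name like `check_id` would avoid the shadowing.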
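Review bot: The `## Your test here` comment in each of the three resource blocks is leftover scaffolding from the check template and should be dropped; the `## SHOULD PASS` / `## SHOULD FAIL` headers already document each case. The file also ends without a trailing newline (`\ No newline at end of file`), which the repository's other fixtures avoid.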
diff --git a/tests/terraform/checks/resource/aws/test_NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py b/tests/terraform/checks/resource/aws/test_NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py
new file mode 100644
index 00000000000..c8d67a82f5d
--- /dev/null
+++ b/tests/terraform/checks/resource/aws/test_NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py
@@ -0,0 +1,42 @@
+import os
+import unittest
+
+from checkov.runner_filter import RunnerFilter
+from checkov.terraform.runner import Runner
+from checkov.terraform.checks.resource.aws.NeptuneDBClustersIAMDatabaseAuthenticationEnabled import check
+
+
+class TestNeptuneDBClustersIAMDatabaseAuthenticationEnabled(unittest.TestCase):
+
+    def test(self):
+        runner = Runner()
+        current_dir = os.path.dirname(os.path.realpath(__file__))
+
+        test_files_dir = os.path.join(current_dir, "example_NeptuneDBClustersIAMDatabaseAuthenticationEnabled")
+        report = runner.run(root_folder=test_files_dir,
+                            runner_filter=RunnerFilter(checks=[check.id]))
+        summary = report.get_summary()
+
+        passing_resources = {
+            'aws_neptune_cluster.ckv_unittest_pass'
+        }
+        failing_resources = {
+            'aws_neptune_cluster.ckv_unittest_fail',
+            'aws_neptune_cluster.ckv_unittest2_fail',
+        }
+        skipped_resources = {}
+
+        passed_check_resources = set([c.resource for c in report.passed_checks])
+        failed_check_resources = set([c.resource for c in report.failed_checks])
+
+        self.assertEqual(summary['passed'], len(passing_resources))
+        self.assertEqual(summary['failed'], len(failing_resources))
+        self.assertEqual(summary['skipped'], len(skipped_resources))
+        self.assertEqual(summary['parsing_errors'], 0)
+
+        self.assertEqual(passing_resources, passed_check_resources)
+        self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == '__main__':
+    unittest.main()
\ No newline at end of file
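Review bot: `skipped_resources = {}` is an empty dict literal, not a set like `passing_resources` and `failing_resources` just above it; `len({})` is 0 so the assertion still holds, but `skipped_resources = set()` says what is meant and keeps the three collections the same type. The two `set([c.resource for c in ...])` lines build a throwaway list first; set comprehensions `{c.resource for c in report.passed_checks}` and `{c.resource for c in report.failed_checks}` are the idiomatic form. The test method would also benefit from a one-line docstring naming which fixture cases are expected to pass and fail, since that mapping otherwise lives only in the .tf file's comments.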