-
Notifications
You must be signed in to change notification settings - Fork 1.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(arm): implement CKV_AZURE_130 for arm (#5485)
feat(arm) implement CKV_AZURE_130 for arm
- Loading branch information
1 parent
8b23f1d
commit 2b47840
Showing
4 changed files
with
238 additions
and
0 deletions.
There are no files selected for viewing
20 changes: 20 additions & 0 deletions
20
checkov/arm/checks/resource/PostgreSQLEncryptionEnabled.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| from checkov.common.models.enums import CheckCategories | ||
| from checkov.arm.base_resource_value_check import BaseResourceValueCheck | ||
|
|
||
|
|
||
| class PostgreSQLEncryptionEnabled(BaseResourceValueCheck): | ||
| def __init__(self) -> None: | ||
| name = "Ensure that PostgreSQL server enables infrastructure encryption" | ||
| id = "CKV_AZURE_130" | ||
| supported_resources = ["Microsoft.DBforPostgreSQL/servers"] | ||
| categories = [CheckCategories.ENCRYPTION] | ||
| super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) | ||
|
|
||
| def get_inspected_key(self) -> str: | ||
| return "properties/infrastructureEncryption" | ||
|
|
||
| def get_expected_value(self) -> str: | ||
| return "Enabled" | ||
|
|
||
|
|
||
| check = PostgreSQLEncryptionEnabled() |
89 changes: 89 additions & 0 deletions
89
tests/arm/checks/resource/example_PostgreSQLEncryptionEnabled/fail.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,89 @@ | ||
| { | ||
| "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", | ||
| "contentVersion": "1.0.0.0", | ||
| "parameters": { | ||
| "administratorLogin": { | ||
| "type": "string" | ||
| }, | ||
| "administratorLoginPassword": { | ||
| "type": "securestring" | ||
| }, | ||
| "location": { | ||
| "type": "string" | ||
| }, | ||
| "serverName": { | ||
| "type": "string" | ||
| }, | ||
| "skuCapacity": { | ||
| "type": "int" | ||
| }, | ||
| "skuFamily": { | ||
| "type": "string" | ||
| }, | ||
| "skuName": { | ||
| "type": "string" | ||
| }, | ||
| "skuSizeMB": { | ||
| "type": "int" | ||
| }, | ||
| "skuTier": { | ||
| "type": "string" | ||
| }, | ||
| "version": { | ||
| "type": "string" | ||
| }, | ||
| "backupRetentionDays": { | ||
| "type": "int" | ||
| }, | ||
| "geoRedundantBackup": { | ||
| "type": "string" | ||
| }, | ||
| "previewFeature": { | ||
| "type": "string", | ||
| "defaultValue": "" | ||
| }, | ||
| "tags": { | ||
| "type": "object", | ||
| "defaultValue": {} | ||
| }, | ||
| "storageAutoGrow": { | ||
| "type": "string", | ||
| "defaultValue": "Disabled" | ||
| }, | ||
| "infrastructureEncryption": { | ||
| "type": "string", | ||
| "defaultValue": "Disabled" | ||
| } | ||
| }, | ||
| "resources": [ | ||
| { | ||
| "apiVersion": "2017-12-01", | ||
| "kind": "", | ||
| "location": "[parameters('location')]", | ||
| "name": "fail", | ||
| "properties": { | ||
| "version": "[parameters('version')]", | ||
| "administratorLogin": "[parameters('administratorLogin')]", | ||
| "administratorLoginPassword": "[parameters('administratorLoginPassword')]", | ||
| "storageProfile": { | ||
| "storageMB": "[parameters('skuSizeMB')]", | ||
| "backupRetentionDays": "[parameters('backupRetentionDays')]", | ||
| "geoRedundantBackup": "[parameters('geoRedundantBackup')]", | ||
| "storageAutoGrow": "[parameters('storageAutoGrow')]" | ||
| }, | ||
| "previewFeature": "[parameters('previewFeature')]", | ||
| "infrastructureEncryption": "[parameters('infrastructureEncryption')]" | ||
| }, | ||
| "sku": { | ||
| "name": "[parameters('skuName')]", | ||
| "tier": "[parameters('skuTier')]", | ||
| "capacity": "[parameters('skuCapacity')]", | ||
| "size": "[parameters('skuSizeMB')]", | ||
| "family": "[parameters('skuFamily')]" | ||
| }, | ||
| "tags": "[parameters('tags')]", | ||
| "type": "Microsoft.DBforPostgreSQL/servers" | ||
| } | ||
| ], | ||
| "variables": {} | ||
| } |
89 changes: 89 additions & 0 deletions
89
tests/arm/checks/resource/example_PostgreSQLEncryptionEnabled/pass.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,89 @@ | ||
| { | ||
| "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", | ||
| "contentVersion": "1.0.0.0", | ||
| "parameters": { | ||
| "administratorLogin": { | ||
| "type": "string" | ||
| }, | ||
| "administratorLoginPassword": { | ||
| "type": "securestring" | ||
| }, | ||
| "location": { | ||
| "type": "string" | ||
| }, | ||
| "serverName": { | ||
| "type": "string" | ||
| }, | ||
| "skuCapacity": { | ||
| "type": "int" | ||
| }, | ||
| "skuFamily": { | ||
| "type": "string" | ||
| }, | ||
| "skuName": { | ||
| "type": "string" | ||
| }, | ||
| "skuSizeMB": { | ||
| "type": "int" | ||
| }, | ||
| "skuTier": { | ||
| "type": "string" | ||
| }, | ||
| "version": { | ||
| "type": "string" | ||
| }, | ||
| "backupRetentionDays": { | ||
| "type": "int" | ||
| }, | ||
| "geoRedundantBackup": { | ||
| "type": "string" | ||
| }, | ||
| "previewFeature": { | ||
| "type": "string", | ||
| "defaultValue": "" | ||
| }, | ||
| "tags": { | ||
| "type": "object", | ||
| "defaultValue": {} | ||
| }, | ||
| "storageAutoGrow": { | ||
| "type": "string", | ||
| "defaultValue": "Disabled" | ||
| }, | ||
| "infrastructureEncryption": { | ||
| "type": "string", | ||
| "defaultValue": "Enabled" | ||
| } | ||
| }, | ||
| "resources": [ | ||
| { | ||
| "apiVersion": "2017-12-01", | ||
| "kind": "", | ||
| "location": "[parameters('location')]", | ||
| "name": "pass", | ||
| "properties": { | ||
| "version": "[parameters('version')]", | ||
| "administratorLogin": "[parameters('administratorLogin')]", | ||
| "administratorLoginPassword": "[parameters('administratorLoginPassword')]", | ||
| "storageProfile": { | ||
| "storageMB": "[parameters('skuSizeMB')]", | ||
| "backupRetentionDays": "[parameters('backupRetentionDays')]", | ||
| "geoRedundantBackup": "[parameters('geoRedundantBackup')]", | ||
| "storageAutoGrow": "[parameters('storageAutoGrow')]" | ||
| }, | ||
| "previewFeature": "[parameters('previewFeature')]", | ||
| "infrastructureEncryption": "[parameters('infrastructureEncryption')]" | ||
| }, | ||
| "sku": { | ||
| "name": "[parameters('skuName')]", | ||
| "tier": "[parameters('skuTier')]", | ||
| "capacity": "[parameters('skuCapacity')]", | ||
| "size": "[parameters('skuSizeMB')]", | ||
| "family": "[parameters('skuFamily')]" | ||
| }, | ||
| "tags": "[parameters('tags')]", | ||
| "type": "Microsoft.DBforPostgreSQL/servers" | ||
| } | ||
| ], | ||
| "variables": {} | ||
| } |
40 changes: 40 additions & 0 deletions
40
tests/arm/checks/resource/test_PostgreSQLEncryptionEnabled.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| import unittest | ||
| from pathlib import Path | ||
|
|
||
| from checkov.arm.checks.resource.PostgreSQLEncryptionEnabled import check | ||
| from checkov.arm.runner import Runner | ||
| from checkov.runner_filter import RunnerFilter | ||
|
|
||
|
|
||
| class TestPostgreSQLEncryptionEnabled(unittest.TestCase): | ||
| def test_summary(self): | ||
| # given | ||
| test_files_dir = Path(__file__).parent / "example_PostgreSQLEncryptionEnabled" | ||
|
|
||
| # when | ||
| report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id])) | ||
|
|
||
| # then | ||
| summary = report.get_summary() | ||
|
|
||
| passing_resources = { | ||
| "Microsoft.DBforPostgreSQL/servers.pass", | ||
| } | ||
| failing_resources = { | ||
| "Microsoft.DBforPostgreSQL/servers.fail", | ||
| } | ||
|
|
||
| passed_check_resources = {c.resource for c in report.passed_checks} | ||
| failed_check_resources = {c.resource for c in report.failed_checks} | ||
|
|
||
| self.assertEqual(summary["passed"], len(passing_resources)) | ||
| self.assertEqual(summary["failed"], len(failing_resources)) | ||
| self.assertEqual(summary["skipped"], 0) | ||
| self.assertEqual(summary["parsing_errors"], 0) | ||
|
|
||
| self.assertEqual(passing_resources, passed_check_resources) | ||
| self.assertEqual(failing_resources, failed_check_resources) | ||
|
|
||
|
|
||
| if __name__ == "__main__": | ||
| unittest.main() |