diff --git a/checkov/arm/checks/resource/PostgreSQLEncryptionEnabled.py b/checkov/arm/checks/resource/PostgreSQLEncryptionEnabled.py
new file mode 100644
index 00000000000..0486a77717c
--- /dev/null
+++ b/checkov/arm/checks/resource/PostgreSQLEncryptionEnabled.py
@@ -0,0 +1,20 @@
+from checkov.common.models.enums import CheckCategories
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+
+
+class PostgreSQLEncryptionEnabled(BaseResourceValueCheck):
+ def __init__(self) -> None:
+ name = "Ensure that PostgreSQL server enables infrastructure encryption"
+ id = "CKV_AZURE_130"
+ supported_resources = ["Microsoft.DBforPostgreSQL/servers"]
+ categories = [CheckCategories.ENCRYPTION]
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+ def get_inspected_key(self) -> str:
+ return "properties/infrastructureEncryption"
+
+ def get_expected_value(self) -> str:
+ return "Enabled"
+
+
+check = PostgreSQLEncryptionEnabled()
diff --git a/tests/arm/checks/resource/example_PostgreSQLEncryptionEnabled/fail.json b/tests/arm/checks/resource/example_PostgreSQLEncryptionEnabled/fail.json
new file mode 100644
index 00000000000..95d1d735ada
--- /dev/null
+++ b/tests/arm/checks/resource/example_PostgreSQLEncryptionEnabled/fail.json
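Review bot: The check never states what happens when `properties.infrastructureEncryption` is absent, which is the common case because Azure leaves it disabled unless the template sets it; the outcome then rests on the base class's `missing_block_result` default, which as far as I recall is FAILED in `BaseResourceValueCheck` but is not pinned anywhere in this hunk. I would make the secure default explicit by importing `CheckResult` next to `CheckCategories` and passing `missing_block_result=CheckResult.FAILED` in the `super().__init__(...)` call, so a later change to the base default cannot silently turn an omitted property into a pass. The resource type `Microsoft.DBforPostgreSQL/servers` is the Single Server offering, which Azure has retired, and `flexibleServers` is not covered; to my knowledge Flexible Server does not expose this property, so that scoping is probably right but deserves a class docstring such as `"""CKV_AZURE_130: fail a PostgreSQL Single Server unless properties.infrastructureEncryption is "Enabled" (flexibleServers has no equivalent property)."""`. A one-line comment on `get_expected_value` noting that the comparison is against the literal casing `Enabled` would also help readers who hit a template using a different case.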
@@ -0,0 +1,89 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "administratorLogin": {
+ "type": "string"
+ },
+ "administratorLoginPassword": {
+ "type": "securestring"
+ },
+ "location": {
+ "type": "string"
+ },
+ "serverName": {
+ "type": "string"
+ },
+ "skuCapacity": {
+ "type": "int"
+ },
+ "skuFamily": {
+ "type": "string"
+ },
+ "skuName": {
+ "type": "string"
+ },
+ "skuSizeMB": {
+ "type": "int"
+ },
+ "skuTier": {
+ "type": "string"
+ },
+ "version": {
+ "type": "string"
+ },
+ "backupRetentionDays": {
+ "type": "int"
+ },
+ "geoRedundantBackup": {
+ "type": "string"
+ },
+ "previewFeature": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "storageAutoGrow": {
+ "type": "string",
+ "defaultValue": "Disabled"
+ },
+ "infrastructureEncryption": {
+ "type": "string",
+ "defaultValue": "Disabled"
+ }
+ },
+ "resources": [
+ {
+ "apiVersion": "2017-12-01",
+ "kind": "",
+ "location": "[parameters('location')]",
+ "name": "fail",
+ "properties": {
+ "version": "[parameters('version')]",
+ "administratorLogin": "[parameters('administratorLogin')]",
+ "administratorLoginPassword": "[parameters('administratorLoginPassword')]",
+ "storageProfile": {
+ "storageMB": "[parameters('skuSizeMB')]",
+ "backupRetentionDays": "[parameters('backupRetentionDays')]",
+ "geoRedundantBackup": "[parameters('geoRedundantBackup')]",
+ "storageAutoGrow": "[parameters('storageAutoGrow')]"
+ },
+ "previewFeature": "[parameters('previewFeature')]",
+ "infrastructureEncryption": "[parameters('infrastructureEncryption')]"
+ },
+ "sku": {
+ "name": "[parameters('skuName')]",
+ "tier": "[parameters('skuTier')]",
+ "capacity": "[parameters('skuCapacity')]",
+ "size": "[parameters('skuSizeMB')]",
+ "family": "[parameters('skuFamily')]"
+ },
+ "tags": "[parameters('tags')]",
+ "type": "Microsoft.DBforPostgreSQL/servers"
+ }
+ ],
+ "variables": {}
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_PostgreSQLEncryptionEnabled/pass.json b/tests/arm/checks/resource/example_PostgreSQLEncryptionEnabled/pass.json
new file mode 100644
index 00000000000..dfead5b063c
--- /dev/null
+++ b/tests/arm/checks/resource/example_PostgreSQLEncryptionEnabled/pass.json
@@ -0,0 +1,89 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "administratorLogin": {
+ "type": "string"
+ },
+ "administratorLoginPassword": {
+ "type": "securestring"
+ },
+ "location": {
+ "type": "string"
+ },
+ "serverName": {
+ "type": "string"
+ },
+ "skuCapacity": {
+ "type": "int"
+ },
+ "skuFamily": {
+ "type": "string"
+ },
+ "skuName": {
+ "type": "string"
+ },
+ "skuSizeMB": {
+ "type": "int"
+ },
+ "skuTier": {
+ "type": "string"
+ },
+ "version": {
+ "type": "string"
+ },
+ "backupRetentionDays": {
+ "type": "int"
+ },
+ "geoRedundantBackup": {
+ "type": "string"
+ },
+ "previewFeature": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "storageAutoGrow": {
+ "type": "string",
+ "defaultValue": "Disabled"
+ },
+ "infrastructureEncryption": {
+ "type": "string",
+ "defaultValue": "Enabled"
+ }
+ },
+ "resources": [
+ {
+ "apiVersion": "2017-12-01",
+ "kind": "",
+ "location": "[parameters('location')]",
+ "name": "pass",
+ "properties": {
+ "version": "[parameters('version')]",
+ "administratorLogin": "[parameters('administratorLogin')]",
+ "administratorLoginPassword": "[parameters('administratorLoginPassword')]",
+ "storageProfile": {
+ "storageMB": "[parameters('skuSizeMB')]",
+ "backupRetentionDays": "[parameters('backupRetentionDays')]",
+ "geoRedundantBackup": "[parameters('geoRedundantBackup')]",
+ "storageAutoGrow": "[parameters('storageAutoGrow')]"
+ },
+ "previewFeature": "[parameters('previewFeature')]",
+ "infrastructureEncryption": "[parameters('infrastructureEncryption')]"
+ },
+ "sku": {
+ "name": "[parameters('skuName')]",
+ "tier": "[parameters('skuTier')]",
+ "capacity": "[parameters('skuCapacity')]",
+ "size": "[parameters('skuSizeMB')]",
+ "family": "[parameters('skuFamily')]"
+ },
+ "tags": "[parameters('tags')]",
+ "type": "Microsoft.DBforPostgreSQL/servers"
+ }
+ ],
+ "variables": {}
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/test_PostgreSQLEncryptionEnabled.py b/tests/arm/checks/resource/test_PostgreSQLEncryptionEnabled.py
new file mode 100644
index 00000000000..944b98e3c20
--- /dev/null
+++ b/tests/arm/checks/resource/test_PostgreSQLEncryptionEnabled.py
@@ -0,0 +1,40 @@
+import unittest
+from pathlib import Path
+
+from checkov.arm.checks.resource.PostgreSQLEncryptionEnabled import check
+from checkov.arm.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestPostgreSQLEncryptionEnabled(unittest.TestCase):
+ def test_summary(self):
+ # given
+ test_files_dir = Path(__file__).parent / "example_PostgreSQLEncryptionEnabled"
+
+ # when
+ report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+ # then
+ summary = report.get_summary()
+
+ passing_resources = {
+ "Microsoft.DBforPostgreSQL/servers.pass",
+ }
+ failing_resources = {
+ "Microsoft.DBforPostgreSQL/servers.fail",
+ }
+
+ passed_check_resources = {c.resource for c in report.passed_checks}
+ failed_check_resources = {c.resource for c in report.failed_checks}
+
+ self.assertEqual(summary["passed"], len(passing_resources))
+ self.assertEqual(summary["failed"], len(failing_resources))
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+ unittest.main()
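Review bot: `test_summary` only exercises values that reach the check through a parameter `defaultValue`, so it never pins the two cases most likely to regress: a server whose `properties` omits `infrastructureEncryption` entirely (Azure's default, which should be reported as failed) and a literal `"infrastructureEncryption": "Enabled"` that does not go through parameter resolution. A third fixture resource, say `fail_missing`, with no such property, plus `"Microsoft.DBforPostgreSQL/servers.fail_missing"` added to `failing_resources`, would lock in the missing-key outcome, which appears to rest on the base class default rather than on anything this commit adds. Because both fixtures set the property to `[parameters('infrastructureEncryption')]`, the pass result also depends on the runner substituting the default, so a deployment that overrides the parameter to `Disabled` would still pass the static scan; a short comment in the test such as `# the ARM runner resolves parameter defaults; overrides at deploy time are not visible to this check` would make that limitation explicit for maintainers.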