fix(terraform): extend CKV2_AWS_5 to include DMS Serverless (#6628) (#…

…6630) Co-authored-by: mannai_syncron <[email protected]> Co-authored-by: itai1357 <[email protected]>
bridgecrewio · Sep 19, 2024 · 5f7a3ec · 5f7a3ec
1 parent 45164cd
commit 5f7a3ec
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 0 deletions.
diff --git a/checkov/terraform/checks/graph_checks/aws/SGAttachedToResource.yaml b/checkov/terraform/checks/graph_checks/aws/SGAttachedToResource.yaml
@@ -22,6 +22,7 @@ definition:
         - aws_dax_cluster
         - aws_db_instance
         - aws_dms_replication_instance
+        - aws_dms_replication_config
         - aws_docdb_cluster
         - aws_ec2_client_vpn_endpoint
         - aws_ec2_client_vpn_network_association

diff --git a/tests/terraform/graph/checks/resources/SGAttachedToResource/expected.yaml b/tests/terraform/graph/checks/resources/SGAttachedToResource/expected.yaml
@@ -8,6 +8,7 @@ pass:
   - "aws_security_group.pass_codestar"
   - "aws_security_group.pass_dax_cluster"
   - "aws_security_group.pass_dms"
+  - "aws_security_group.pass_dms_serverless"
   - "aws_security_group.pass_docdb"
   - "aws_security_group.pass_ec2"
   - "aws_security_group.pass_ec2_client_vpn"

diff --git a/tests/terraform/graph/checks/resources/SGAttachedToResource/main.tf b/tests/terraform/graph/checks/resources/SGAttachedToResource/main.tf
@@ -141,6 +141,36 @@ resource "aws_dms_replication_instance" "pass_dms" {
   vpc_security_group_ids     = [aws_security_group.pass_dms.id]
 }
 
+#DMS Serverless
+
+resource "aws_security_group" "pass_dms_serverless" {
+  ingress {
+    description = "TLS from VPC"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_dms_replication_config" "pass_dms_serverless" {
+  replication_config_identifier = "dms"
+  resource_identifier           = "dms"
+  replication_type              = "cdc"
+  source_endpoint_arn           = "aws_dms_endpoint.source.endpoint_arn"
+  target_endpoint_arn           = "aws_dms_endpoint.target.endpoint_arn"
+  table_mappings                = <<EOF
+  {
+    "rules":[{"rule-type":"selection","rule-id":"1","rule-name":"1","rule-action":"include","object-locator":{"schema-name":"%%","table-name":"%%"}}]
+  }
+EOF
+
+  compute_config {
+    max_capacity_units           = "1"
+    vpc_security_group_ids       = [aws_security_group.pass_dms_serverless.id]
+  }
+}
+
 # DocDB
 
 resource "aws_security_group" "pass_docdb" {