feat(terraform): Adding YAML based build time policies for correspond…

…ing PC runtime policies (#5637) * Added new Azure policy CKV_AZURE_228 * Added 2 new policies CKV_AZURE_229 & CKV_AZURE_230 * Updated test_yaml_policies.py * Modifications made as per mentioned * Optimised CKV2_AZURE_41 --------- Co-authored-by: Anton Grübel <[email protected]>
bridgecrewio · Nov 2, 2023 · 84206a3 · 84206a3
1 parent 09c060a
commit 84206a3
Show file tree

Hide file tree

Showing 10 changed files with 373 additions and 0 deletions.
diff --git a/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigSharedKeyAuth.yaml b/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigSharedKeyAuth.yaml
@@ -0,0 +1,17 @@
+metadata:
+  id: "CKV2_AZURE_40"
+  name: "Ensure storage account is not configured with Shared Key authorization"
+  category: "IAM"
+
+definition:
+  and:
+    - cond_type: "attribute"
+      resource_types: "azurerm_storage_account"
+      attribute: "shared_access_key_enabled"
+      operator: "exists"
+
+    - cond_type: "attribute"
+      resource_types: "azurerm_storage_account"
+      attribute: "shared_access_key_enabled"
+      operator: "equals_ignore_case"
+      value: "false"
diff --git a/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfig_SAS_expirePolicy.yaml b/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfig_SAS_expirePolicy.yaml
@@ -0,0 +1,38 @@
+metadata:
+  id: "CKV2_AZURE_41"
+  name: "Ensure storage account is configured with SAS expiration policy"
+  category: "IAM"
+
+definition:
+  or:
+
+    - cond_type: "attribute"
+      resource_types: "azurerm_storage_account"
+      attribute: "shared_access_key_enabled"
+      operator: "equals_ignore_case"
+      value: "false"
+
+    - and:
+        - cond_type: "attribute"
+          resource_types: "azurerm_storage_account"
+          attribute: "shared_access_key_enabled"
+          operator: "exists"
+
+        - cond_type: "attribute"
+          resource_types: "azurerm_storage_account"
+          attribute: "shared_access_key_enabled"
+          operator: "equals_ignore_case"
+          value: "true"
+
+        - cond_type: "attribute"
+          resource_types: "azurerm_storage_account"
+          attribute: "sas_policy"
+          operator: "exists"
+
+        - cond_type: "attribute"
+          resource_types: "azurerm_storage_account"
+          attribute: "sas_policy.expiration_period"
+          operator: "length_greater_than"
+          value: "0"
+
+
diff --git a/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml b/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml
@@ -0,0 +1,52 @@
+metadata:
+  id: "CKV2_AZURE_39"
+
+  name: "Ensure Azure VM is not configured with public IP and serial console access"
+  category: "NETWORKING"
+
+definition:
+  or:
+    - and:
+        - cond_type: filter
+          attribute: resource_type
+          value:
+            - azurerm_network_interface
+          operator: within
+
+        - resource_types:
+            - azurerm_network_interface
+          connected_resource_types:
+            - azurerm_linux_virtual_machine
+            - azurerm_windows_virtual_machine
+            - azurerm_virtual_machine
+          operator: exists
+          cond_type: connection
+
+        - cond_type: attribute
+          resource_types:
+             - azurerm_network_interface
+          attribute: ip_configuration.public_ip_address_id
+          operator: length_greater_than
+          value: 0
+
+        - cond_type: attribute
+          resource_types:
+            - azurerm_linux_virtual_machine
+            - azurerm_windows_virtual_machine
+            - azurerm_virtual_machine
+          attribute: boot_diagnostics
+          operator: not_exists
+
+    - cond_type: attribute
+      resource_types:
+        - azurerm_network_interface
+      attribute: ip_configuration.public_ip_address_id
+      operator: not_exists
+
+    - cond_type: attribute
+      resource_types:
+        - azurerm_network_interface
+      attribute: ip_configuration.public_ip_address_id
+      operator: length_less_than_or_equal
+      value: 0
+
diff --git a/tests/terraform/graph/checks/resources/AzureStorageAccConfigSharedKeyAuth/expected.yaml b/tests/terraform/graph/checks/resources/AzureStorageAccConfigSharedKeyAuth/expected.yaml
@@ -0,0 +1,5 @@
+pass:
+  - "azurerm_storage_account.pass"
+fail:
+  - "azurerm_storage_account.fail_1"
+  - "azurerm_storage_account.fail_2"
diff --git a/tests/terraform/graph/checks/resources/AzureStorageAccConfigSharedKeyAuth/main.tf b/tests/terraform/graph/checks/resources/AzureStorageAccConfigSharedKeyAuth/main.tf
@@ -0,0 +1,52 @@
+variable "rg-name" {
+  default = "pud-bc-rg"
+}
+
+variable "location" {
+  default = "northeurope"
+}
+
+# Case 1: Pass: shared_access_key_enabled = False
+
+resource "azurerm_storage_account" "pass" {
+  name                     = "pud-storage2023abc1"
+  resource_group_name      = var.rg-name
+  location                 = var.location
+  account_tier             = "Standard"
+  account_replication_type = "GRS"
+  shared_access_key_enabled = false
+
+  tags = {
+    bc_status = "pass"
+  }
+}
+
+# Case 2: Fail: shared_access_key_enabled does NOT exist
+
+resource "azurerm_storage_account" "fail_1" {
+  name                     = "pud-storage2023abc2"
+  resource_group_name      = var.rg-name
+  location                 = var.location
+  account_tier             = "Standard"
+  account_replication_type = "GRS"
+
+  tags = {
+    bc_status = "fail_1"
+  }
+}
+
+# Case 3: Fail: shared_access_key_enabled = True
+
+resource "azurerm_storage_account" "fail_2" {
+  name                     = "pud-storage2023abc3"
+  resource_group_name      = var.rg-name
+  location                 = var.location
+  account_tier             = "Standard"
+  account_replication_type = "GRS"
+  shared_access_key_enabled = true
+
+
+  tags = {
+    bc_status = "fail_2"
+  }
+}
diff --git a/tests/terraform/graph/checks/resources/AzureStorageAccConfig_SAS_expirePolicy/expected.yaml b/tests/terraform/graph/checks/resources/AzureStorageAccConfig_SAS_expirePolicy/expected.yaml
@@ -0,0 +1,7 @@
+pass:
+  - "azurerm_storage_account.pass_1"
+  - "azurerm_storage_account.pass_2"
+  - "azurerm_storage_account.pass_3"
+fail:
+  - "azurerm_storage_account.fail_1"
+  - "azurerm_storage_account.fail_2"
diff --git a/tests/terraform/graph/checks/resources/AzureStorageAccConfig_SAS_expirePolicy/main.tf b/tests/terraform/graph/checks/resources/AzureStorageAccConfig_SAS_expirePolicy/main.tf
@@ -0,0 +1,87 @@
+variable "rg-name" {
+  default = "pud-bc-rg"
+}
+
+variable "location" {
+  default = "northeurope"
+}
+
+# Case 1: Pass: shared_access_key_enabled = false doesn't matter if sas_policy exists or not
+
+resource "azurerm_storage_account" "pass_1" {
+  name                     = "pud-storage2023abc1"
+  resource_group_name      = var.rg-name
+  location                 = var.location
+  account_tier             = "Standard"
+  account_replication_type = "GRS"
+  shared_access_key_enabled = false
+
+  sas_policy {
+    expiration_period = "90.00:00:00"
+    expiration_action = "Log"
+  }
+
+  tags = {
+    bc_status = "pass"
+  }
+}
+
+# Case 2: Pass: shared_access_key_enabled is False and it's okay if sas_policy.expiration_period is empty
+
+resource "azurerm_storage_account" "pass_2" {
+  name                     = "pud-storage2023abc4"
+  resource_group_name      = var.rg-name
+  location                 = var.location
+  account_tier             = "Standard"
+  account_replication_type = "GRS"
+  shared_access_key_enabled = false
+
+  sas_policy {
+    expiration_period = ""
+  }
+
+}
+
+# Case 3: Pass: shared_access_key_enabled is True but expiration_period is configured.
+
+resource "azurerm_storage_account" "pass_3" {
+  name                     = "pud-storage2023abc4"
+  resource_group_name      = var.rg-name
+  location                 = var.location
+  account_tier             = "Standard"
+  account_replication_type = "GRS"
+  shared_access_key_enabled = true
+
+  sas_policy {
+    expiration_period = "90.00:00:00"
+  }
+
+}
+
+# Case 4: Fail: None of the arguments exist, so by default "sas_policy.expiration_period" is true
+
+resource "azurerm_storage_account" "fail_1" {
+  name                     = "pud-storage2023abc2"
+  resource_group_name      = var.rg-name
+  location                 = var.location
+  account_tier             = "Standard"
+  account_replication_type = "GRS"
+}
+
+# Case 5: FAIL: shared_access_key_enabled is True and "sas_policy.expiration_period" is NOT configured
+
+resource "azurerm_storage_account" "fail_2" {
+  name                     = "pud-storage2023abc3"
+  resource_group_name      = var.rg-name
+  location                 = var.location
+  account_tier             = "Standard"
+  account_replication_type = "GRS"
+  shared_access_key_enabled = true
+
+  sas_policy {
+    expiration_period = ""
+
+  }
+
+}
+
diff --git a/.../terraform/graph/checks/resources/AzureVMconfigPublicIP_SerialConsoleAccess/expected.yaml b/.../terraform/graph/checks/resources/AzureVMconfigPublicIP_SerialConsoleAccess/expected.yaml
@@ -0,0 +1,5 @@
+pass:
+  - "azurerm_network_interface.pass_int_1"
+  - "azurerm_network_interface.pass_int_2"
+fail:
+  - "azurerm_network_interface.fail_int"
diff --git a/tests/terraform/graph/checks/resources/AzureVMconfigPublicIP_SerialConsoleAccess/main.tf b/tests/terraform/graph/checks/resources/AzureVMconfigPublicIP_SerialConsoleAccess/main.tf
@@ -0,0 +1,101 @@
+variable "prefix" {
+  default = "pud_bc"
+}
+
+variable "pub-ip-id" {
+  default = "/subscriptions/61pudrpd-6234-7856-a98e-09pu7dep65h2/resourceGroups/pud-rg/providers/Microsoft.Network/publicIPAddresses/pud-bc-checkov-ip"
+}
+
+data "azurerm_network_interface" "pud-id" {
+  name                 = "existing"
+  resource_group_name  = "pud-rg"
+}
+
+resource "azurerm_resource_group" "pud-rg" {
+  name     = "${var.prefix}-rg"
+  location = "West Europe"
+}
+
+# Case 1: FAIL case: "ip_configuration.public_ip_address_id" exists and boot_diagnostics also exists
+
+resource "azurerm_network_interface" "fail_int" {
+  name                = "pass-nic"
+  location            = azurerm_resource_group.pud-rg.location
+  resource_group_name = azurerm_resource_group.pud-rg.name
+
+  ip_configuration {
+    name                          = "internal"
+    subnet_id                     = var.prefix
+    private_ip_address_allocation = "Dynamic"
+    public_ip_address_id = var.pub-ip-id
+  }
+}
+
+resource "azurerm_virtual_machine" "pass_vm" {
+  name                  = "${var.prefix}-vm"
+  location              = azurerm_resource_group.pud-rg.location
+  resource_group_name   = azurerm_resource_group.pud-rg.name
+  network_interface_ids = [azurerm_network_interface.fail_int.id]
+  vm_size               = "Standard_DS1_v2"
+
+  boot_diagnostics {
+    storage_account_uri = null # null enables managed storage account for boot diagnostics
+    enabled             = true
+    storage_uri         = ""
+  }
+}
+
+# Case 2: Pass case: "ip_configuration.public_ip_address_id" does NOT exist
+
+resource "azurerm_network_interface" "pass_int_1" {
+  name                = "pass-nic"
+  location            = azurerm_resource_group.pud-rg.location
+  resource_group_name = azurerm_resource_group.pud-rg.name
+
+  ip_configuration {
+    name                          = "internal"
+    subnet_id                     = var.prefix
+    private_ip_address_allocation = "Dynamic"
+  }
+}
+
+resource "azurerm_linux_virtual_machine" "pud-linux-vm" {
+  name                = "pud-linux-vm"
+  resource_group_name = azurerm_resource_group.pud-rg.name
+  location            = azurerm_resource_group.pud-rg.location
+  size                = "Standard_F2"
+  admin_username      = "pud-admin"
+  network_interface_ids = [
+    azurerm_network_interface.pass_int_1.id,
+  ]
+
+}
+
+# Case 3: Pass case: "ip_configuration.public_ip_address_id" exists but boot_diagnostics does not exist
+
+resource "azurerm_network_interface" "pass_int_2" {
+  name                = "pass-nic"
+  location            = azurerm_resource_group.pud-rg.location
+  resource_group_name = azurerm_resource_group.pud-rg.name
+
+  ip_configuration {
+    name                          = "internal"
+    subnet_id                     = var.prefix
+    private_ip_address_allocation = "Dynamic"
+    public_ip_address_id = var.pub-ip-id
+  }
+}
+
+resource "azurerm_virtual_machine" "pass_vm" {
+  name                  = "${var.prefix}-vm"
+  location              = azurerm_resource_group.pud-rg.location
+  resource_group_name   = azurerm_resource_group.pud-rg.name
+  network_interface_ids = [azurerm_network_interface.pass_int_2.id]
+  vm_size               = "Standard_DS1_v2"
+
+#  boot_diagnostics {
+#    storage_account_uri = null # null enables managed storage account for boot diagnostics
+#    enabled             = true
+#    storage_uri         = ""
+#  }
+}
diff --git a/tests/terraform/graph/checks/test_yaml_policies.py b/tests/terraform/graph/checks/test_yaml_policies.py
@@ -418,6 +418,15 @@ def test_AWSdisableS3ACL(self):
     def test_AWS_private_MWAA_environment(self):
         self.go("AWS_private_MWAA_environment")
 
+    def test_AzureStorageAccConfigSharedKeyAuth(self):
+        self.go("AzureStorageAccConfigSharedKeyAuth")
+
+    def test_AzureStorageAccConfig_SAS_expirePolicy(self):
+        self.go("AzureStorageAccConfig_SAS_expirePolicy")
+
+    def test_AzureVMconfigPublicIP_SerialConsoleAccess(self):
+        self.go("AzureVMconfigPublicIP_SerialConsoleAccess")
+
     def test_registry_load(self):
         registry = Registry(parser=GraphCheckParser(), checks_dir=str(
             Path(__file__).parent.parent.parent.parent.parent / "checkov" / "terraform" / "checks" / "graph_checks"))