feat(arm): implement CKV_AZURE_96 for ARM (#5506)
* feat(arm): implement CKV_AZURE_96 for ARM

* feat(arm): implement CKV_AZURE_96 for ARM

* use another var not type

* use another var not type

* straw clutching

* straw clutching

* adjust logic

---------

Co-authored-by: gruebel <[email protected]>
JamesWoolfenden and gruebel committed Oct 18, 2023
1 parent 02528c3 commit 984ef8d
Showing 6 changed files with 816 additions and 2 deletions.
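--- a/checkov/arm/checks/resource/MySQLEncryptionEnabled.py
+++ b/checkov/arm/checks/resource/MySQLEncryptionEnabled.py
@@ -0,0 +1,32 @@
+from __future__ import annotations
+
+from typing import Any
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.arm.base_resource_check import BaseResourceCheck
+
+
+class MySQLEncryptionEnabled(BaseResourceCheck):
+    def __init__(self) -> None:
+        name = "Ensure that MySQL server enables infrastructure encryption"
+        id = "CKV_AZURE_96"
+        supported_resources = ("Microsoft.DBforMySQL/flexibleServers",)
+        categories = (CheckCategories.ENCRYPTION,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def scan_resource_conf(self, conf: dict[str, Any], entity_type: str) -> CheckResult:
+        properties = conf.get("properties")
+        if properties and isinstance(properties, dict):
+            self.evaluated_keys = ["properties/dataencryption"]
+            data_encryption = properties.get("dataencryption")
+            if data_encryption and isinstance(data_encryption, dict):
+                if data_encryption is None:
+                    return CheckResult.FAILED
+                return CheckResult.PASSED
+            # unparsed
+            elif data_encryption and isinstance(data_encryption, str):
+                return CheckResult.UNKNOWN
+            return CheckResult.FAILED
+        return CheckResult.UNKNOWN
+
+
+check = MySQLEncryptionEnabled()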
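Review bot: The `if data_encryption is None: return CheckResult.FAILED` branch in scan_resource_conf is unreachable, because it sits inside `if data_encryption and isinstance(data_encryption, dict):`, where data_encryption is already a non-empty dict; those two lines can be dropped so the dict branch is just `return CheckResult.PASSED`. The lookups `properties.get("dataencryption")` and the evaluated key `properties/dataencryption` are spelled in lowercase while ARM templates write the property as `dataEncryption`; unless the ARM parser normalises key casing (not visible here), a correctly configured server would never reach PASSED, and the pass fixture that would confirm this is not in view. A non-empty dataEncryption object also passes regardless of its contents, so the check only asserts that the block exists rather than that a stronger-than-default key setting is configured; if that is the intent, state it in a docstring such as `"""Passes when a non-empty dataEncryption block is present; its contents are not validated."""`, otherwise the check should inspect the block's fields.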
Expand Up @@ -2,7 +2,7 @@
from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck


class MySQLEncryptionEnaled(BaseResourceValueCheck):
class MySQLEncryptionEnabled(BaseResourceValueCheck):
def __init__(self):
name = "Ensure that MySQL server enables infrastructure encryption"
id = "CKV_AZURE_96"
Expand All @@ -14,4 +14,4 @@ def get_inspected_key(self):
return 'infrastructure_encryption_enabled'


check = MySQLEncryptionEnaled()
check = MySQLEncryptionEnabled()
245 changes: 245 additions & 0 deletions tests/arm/checks/resource/example_MySQLEncryptionEnabled/fail.json
@@ -0,0 +1,245 @@
{
"$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"apiVersion": {
"type": "string",
"defaultValue": "2021-05-01"
},
"administratorLogin": {
"type": "string"
},
"administratorLoginPassword": {
"type": "securestring"
},
"location": {
"type": "string"
},
"serverName": {
"type": "string"
},
"serverEdition": {
"type": "string"
},
"vCores": {
"type": "int",
"defaultValue": 4
},
"storageSizeGB": {
"type": "int"
},
"haEnabled": {
"type": "string",
"defaultValue": "Disabled"
},
"availabilityZone": {
"type": "string",
"defaultValue": ""
},
"standbyAvailabilityZone": {
"type": "string"
},
"version": {
"type": "string"
},
"tags": {
"type": "object",
"defaultValue": {}
},
"firewallRules": {
"type": "object",
"defaultValue": {}
},
"backupRetentionDays": {
"type": "int"
},
"geoRedundantBackup": {
"type": "string"
},
"vmName": {
"type": "string",
"defaultValue": "Standard_B1ms"
},
"storageIops": {
"type": "int"
},
"storageAutogrow": {
"type": "string",
"defaultValue": "Enabled"
},
"autoIoScaling": {
"type": "string",
"defaultValue": "Disabled"
},
"identityData": {
"type": "object",
"defaultValue": {}
},
"dataEncryptionData": {
"type": "object",
"defaultValue": {}
},
"serverParameters": {
"type": "array",
"defaultValue": []
},
"aadEnabled": {
"type": "bool",
"defaultValue": false
},
"aadData": {
"type": "object",
"defaultValue": {}
},
"guid": {
"type": "string",
"defaultValue": "[newGuid()]"
},
"network": {
"type": "object",
"defaultValue": {}
},
"firewallRulesAPIVersion": {
"type": "string",
"defaultValue": "2022-01-01"
}
},
"variables": {
"api": "[parameters('apiVersion')]",
"firewallRules": "[parameters('firewallRules').rules]",
"serverParameters": "[parameters('serverParameters')]"
},
"resources": [
{
"apiVersion": "[variables('api')]",
"location": "[parameters('location')]",
"name": "fail",
"identity": "[if(empty(parameters('identityData')), json('null'), parameters('identityData'))]",
"properties": {
"createMode": "Default",
"version": "[parameters('version')]",
"administratorLogin": "[parameters('administratorLogin')]",
"administratorLoginPassword": "[parameters('administratorLoginPassword')]",
"Network": "[if(empty(parameters('network')), json('null'), parameters('network'))]",
"Storage": {
"StorageSizeGB": "[parameters('storageSizeGB')]",
"Iops": "[parameters('storageIops')]",
"Autogrow": "[parameters('storageAutogrow')]",
"AutoIoScaling": "[parameters('autoIoScaling')]"
},
"Backup": {
"backupRetentionDays": "[parameters('backupRetentionDays')]",
"geoRedundantBackup": "[parameters('geoRedundantBackup')]"
},
"availabilityZone": "[parameters('availabilityZone')]",
"highAvailability": {
"mode": "[parameters('haEnabled')]",
"standbyAvailabilityZone": "[parameters('standbyAvailabilityZone')]"
}
},
"sku": {
"name": "[parameters('vmName')]",
"tier": "[parameters('serverEdition')]",
"capacity": "[parameters('vCores')]"
},
"tags": "[parameters('tags')]",
"type": "Microsoft.DBforMySQL/flexibleServers"
},
{
"condition": "[greater(length(variables('firewallRules')), 0)]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-08-01",
"name": "[concat('firewallRules-', parameters('guid'), '-', copyIndex())]",
"copy": {
"count": "[if(greater(length(variables('firewallRules')), 0), length(variables('firewallRules')), 1)]",
"mode": "Serial",
"name": "firewallRulesIterator"
},
"dependsOn": [
"[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]",
"[concat('Microsoft.Resources/deployments/addAdmins-', parameters('guid'))]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.DBforMySQL/flexibleServers/firewallRules",
"name": "[concat(parameters('serverName'),'/',variables('firewallRules')[copyIndex()].name)]",
"apiVersion": "[parameters('firewallRulesAPIVersion')]",
"properties": {
"StartIpAddress": "[variables('firewallRules')[copyIndex()].startIPAddress]",
"EndIpAddress": "[variables('firewallRules')[copyIndex()].endIPAddress]"
}
}
]
}
}
},
{
"condition": "[parameters('aadEnabled')]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-08-01",
"name": "[concat('addAdmins-', parameters('guid'))]",
"dependsOn": [
"[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.DBforMySQL/flexibleServers/administrators",
"name": "[concat(parameters('serverName'),'/ActiveDirectory')]",
"apiVersion": "[variables('api')]",
"properties": {
"administratorType": "[parameters('aadData').administratorType]",
"identityResourceId": "[parameters('aadData').identityResourceId]",
"login": "[parameters('aadData').login]",
"sid": "[parameters('aadData').sid]",
"tenantId": "[parameters('aadData').tenantId]"
}
}
]
}
}
},
{
"condition": "[and(greater(length(variables('serverParameters')), 0), parameters('aadEnabled'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-08-01",
"copy": {
"count": "[if(greater(length(variables('serverParameters')), 0), length(variables('serverParameters')), 1)]",
"mode": "serial",
"name": "serverParametersIterator"
},
"dependsOn": [
"[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]",
"[concat('Microsoft.Resources/deployments/addAdmins-', parameters('guid'))]"
],
"name": "[concat('serverParameters-', copyIndex(), '-', parameters('guid'))]",
"properties": {
"mode": "Incremental",
"template": {
"$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.DBforMySQL/flexibleServers/configurations",
"name": "[concat(parameters('serverName'),'/',variables('serverParameters')[copyIndex()].name)]",
"apiVersion": "[variables('api')]",
"properties": {
"value": "[variables('serverParameters')[copyIndex()].value]",
"source": "[variables('serverParameters')[copyIndex()].source]"
}
}
]
}
}
}
]
}