feat(arm): implement CKV_AZURE_96 for ARM (#5506)
* feat(arm): implement CKV_AZURE_96 for ARM * feat(arm): implement CKV_AZURE_96 for ARM * use another var not type * use another var not type * straw clutching * straw clutching * adjust logic --------- Co-authored-by: gruebel <[email protected]>
1 parent
02528c3
commit 984ef8d
Showing
6 changed files
with
816 additions
and
2 deletions.
@@ -0,0 +1,32 @@ | ||
from __future__ import annotations | ||
|
||
from typing import Any | ||
from checkov.common.models.enums import CheckCategories, CheckResult | ||
from checkov.arm.base_resource_check import BaseResourceCheck | ||
|
||
|
||
class MySQLEncryptionEnabled(BaseResourceCheck): | ||
def __init__(self) -> None: | ||
name = "Ensure that MySQL server enables infrastructure encryption" | ||
id = "CKV_AZURE_96" | ||
supported_resources = ("Microsoft.DBforMySQL/flexibleServers",) | ||
categories = (CheckCategories.ENCRYPTION,) | ||
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) | ||
|
||
def scan_resource_conf(self, conf: dict[str, Any], entity_type: str) -> CheckResult: | ||
properties = conf.get("properties") | ||
if properties and isinstance(properties, dict): | ||
self.evaluated_keys = ["properties/dataencryption"] | ||
data_encryption = properties.get("dataencryption") | ||
if data_encryption and isinstance(data_encryption, dict): | ||
if data_encryption is None: | ||
return CheckResult.FAILED | ||
return CheckResult.PASSED | ||
# unparsed | ||
elif data_encryption and isinstance(data_encryption, str): | ||
return CheckResult.UNKNOWN | ||
return CheckResult.FAILED | ||
return CheckResult.UNKNOWN | ||
|
||
|
||
check = MySQLEncryptionEnabled() |
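Review bot: `properties.get("dataencryption")` on the `data_encryption = ...` line looks up an all-lowercase key, while the Azure property and every key in the accompanying fixture are camelCase, so unless the ARM parser normalises key case — which I cannot confirm from this page — a server that does configure `dataEncryption` would still be reported FAILED, and the `evaluated_keys` path carries the same spelling. The `if data_encryption is None: return CheckResult.FAILED` branch sits inside `if data_encryption and isinstance(data_encryption, dict)` and can never execute, so it should be dropped. Note also that any non-empty `dataEncryption` dict passes regardless of its contents, which is worth stating in a comment such as `# a non-empty dataEncryption block passes; its type/keys are not inspected` until the intended value check is settled. I would change the two lookups to `self.evaluated_keys = ["properties/dataEncryption"]` and `data_encryption = properties.get("dataEncryption")`.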
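--- a/tests/arm/checks/resource/example_MySQLEncryptionEnabled/fail.json
+++ b/tests/arm/checks/resource/example_MySQLEncryptionEnabled/fail.json
@@ -0,0 +1,245 @@
+{
+"$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"apiVersion": {
+"type": "string",
+"defaultValue": "2021-05-01"
+},
+"administratorLogin": {
+"type": "string"
+},
+"administratorLoginPassword": {
+"type": "securestring"
+},
+"location": {
+"type": "string"
+},
+"serverName": {
+"type": "string"
+},
+"serverEdition": {
+"type": "string"
+},
+"vCores": {
+"type": "int",
+"defaultValue": 4
+},
+"storageSizeGB": {
+"type": "int"
+},
+"haEnabled": {
+"type": "string",
+"defaultValue": "Disabled"
+},
+"availabilityZone": {
+"type": "string",
+"defaultValue": ""
+},
+"standbyAvailabilityZone": {
+"type": "string"
+},
+"version": {
+"type": "string"
+},
+"tags": {
+"type": "object",
+"defaultValue": {}
+},
+"firewallRules": {
+"type": "object",
+"defaultValue": {}
+},
+"backupRetentionDays": {
+"type": "int"
+},
+"geoRedundantBackup": {
+"type": "string"
+},
+"vmName": {
+"type": "string",
+"defaultValue": "Standard_B1ms"
+},
+"storageIops": {
+"type": "int"
+},
+"storageAutogrow": {
+"type": "string",
+"defaultValue": "Enabled"
+},
+"autoIoScaling": {
+"type": "string",
+"defaultValue": "Disabled"
+},
+"identityData": {
+"type": "object",
+"defaultValue": {}
+},
+"dataEncryptionData": {
+"type": "object",
+"defaultValue": {}
+},
+"serverParameters": {
+"type": "array",
+"defaultValue": []
+},
+"aadEnabled": {
+"type": "bool",
+"defaultValue": false
+},
+"aadData": {
+"type": "object",
+"defaultValue": {}
+},
+"guid": {
+"type": "string",
+"defaultValue": "[newGuid()]"
+},
+"network": {
+"type": "object",
+"defaultValue": {}
+},
+"firewallRulesAPIVersion": {
+"type": "string",
+"defaultValue": "2022-01-01"
+}
+},
+"variables": {
+"api": "[parameters('apiVersion')]",
+"firewallRules": "[parameters('firewallRules').rules]",
+"serverParameters": "[parameters('serverParameters')]"
+},
+"resources": [
+{
+"apiVersion": "[variables('api')]",
+"location": "[parameters('location')]",
+"name": "fail",
+"identity": "[if(empty(parameters('identityData')), json('null'), parameters('identityData'))]",
+"properties": {
+"createMode": "Default",
+"version": "[parameters('version')]",
+"administratorLogin": "[parameters('administratorLogin')]",
+"administratorLoginPassword": "[parameters('administratorLoginPassword')]",
+"Network": "[if(empty(parameters('network')), json('null'), parameters('network'))]",
+"Storage": {
+"StorageSizeGB": "[parameters('storageSizeGB')]",
+"Iops": "[parameters('storageIops')]",
+"Autogrow": "[parameters('storageAutogrow')]",
+"AutoIoScaling": "[parameters('autoIoScaling')]"
+},
+"Backup": {
+"backupRetentionDays": "[parameters('backupRetentionDays')]",
+"geoRedundantBackup": "[parameters('geoRedundantBackup')]"
+},
+"availabilityZone": "[parameters('availabilityZone')]",
+"highAvailability": {
+"mode": "[parameters('haEnabled')]",
+"standbyAvailabilityZone": "[parameters('standbyAvailabilityZone')]"
+}
+},
+"sku": {
+"name": "[parameters('vmName')]",
+"tier": "[parameters('serverEdition')]",
+"capacity": "[parameters('vCores')]"
+},
+"tags": "[parameters('tags')]",
+"type": "Microsoft.DBforMySQL/flexibleServers"
+},
+{
+"condition": "[greater(length(variables('firewallRules')), 0)]",
+"type": "Microsoft.Resources/deployments",
+"apiVersion": "2019-08-01",
+"name": "[concat('firewallRules-', parameters('guid'), '-', copyIndex())]",
+"copy": {
+"count": "[if(greater(length(variables('firewallRules')), 0), length(variables('firewallRules')), 1)]",
+"mode": "Serial",
+"name": "firewallRulesIterator"
+},
+"dependsOn": [
+"[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]",
+"[concat('Microsoft.Resources/deployments/addAdmins-', parameters('guid'))]"
+],
+"properties": {
+"mode": "Incremental",
+"template": {
+"$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"resources": [
+{
+"type": "Microsoft.DBforMySQL/flexibleServers/firewallRules",
+"name": "[concat(parameters('serverName'),'/',variables('firewallRules')[copyIndex()].name)]",
+"apiVersion": "[parameters('firewallRulesAPIVersion')]",
+"properties": {
+"StartIpAddress": "[variables('firewallRules')[copyIndex()].startIPAddress]",
+"EndIpAddress": "[variables('firewallRules')[copyIndex()].endIPAddress]"
+}
+}
+]
+}
+}
+},
+{
+"condition": "[parameters('aadEnabled')]",
+"type": "Microsoft.Resources/deployments",
+"apiVersion": "2019-08-01",
+"name": "[concat('addAdmins-', parameters('guid'))]",
+"dependsOn": [
+"[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]"
+],
+"properties": {
+"mode": "Incremental",
+"template": {
+"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"resources": [
+{
+"type": "Microsoft.DBforMySQL/flexibleServers/administrators",
+"name": "[concat(parameters('serverName'),'/ActiveDirectory')]",
+"apiVersion": "[variables('api')]",
+"properties": {
+"administratorType": "[parameters('aadData').administratorType]",
+"identityResourceId": "[parameters('aadData').identityResourceId]",
+"login": "[parameters('aadData').login]",
+"sid": "[parameters('aadData').sid]",
+"tenantId": "[parameters('aadData').tenantId]"
+}
+}
+]
+}
+}
+},
+{
+"condition": "[and(greater(length(variables('serverParameters')), 0), parameters('aadEnabled'))]",
+"type": "Microsoft.Resources/deployments",
+"apiVersion": "2019-08-01",
+"copy": {
+"count": "[if(greater(length(variables('serverParameters')), 0), length(variables('serverParameters')), 1)]",
+"mode": "serial",
+"name": "serverParametersIterator"
+},
+"dependsOn": [
+"[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]",
+"[concat('Microsoft.Resources/deployments/addAdmins-', parameters('guid'))]"
+],
+"name": "[concat('serverParameters-', copyIndex(), '-', parameters('guid'))]",
+"properties": {
+"mode": "Incremental",
+"template": {
+"$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"resources": [
+{
+"type": "Microsoft.DBforMySQL/flexibleServers/configurations",
+"name": "[concat(parameters('serverName'),'/',variables('serverParameters')[copyIndex()].name)]",
+"apiVersion": "[variables('api')]",
+"properties": {
+"value": "[variables('serverParameters')[copyIndex()].value]",
+"source": "[variables('serverParameters')[copyIndex()].source]"
+}
+}
+]
+}
+}
+}
+]
+}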