From 984ef8d1b48ab7e72158a65b03cd0868fa767efc Mon Sep 17 00:00:00 2001
From: James Woolfenden
Date: Wed, 18 Oct 2023 15:10:04 +0100
Subject: [PATCH] feat(arm): implement CKV_AZURE_96 for ARM (#5506)

* feat(arm): implement CKV_AZURE_96 for ARM
* feat(arm): implement CKV_AZURE_96 for ARM
* use another var not type
* use another var not type
* straw cluthcing
* straw cluthcing
* adjust logic

---------
Co-authored-by: gruebel
---
 .../checks/resource/MySQLEncryptionEnabled.py | 32 +++
 ...ionEnaled.py => MySQLEncryptionEnabled.py} | 4 +-
 .../example_MySQLEncryptionEnabled/fail.json | 245 +++++++++++++++++
 .../example_MySQLEncryptionEnabled/pass.json | 250 ++++++++++++++++++
 .../unknown.json | 246 +++++++++++++++++
 .../resource/test_MySQLEncryptionEnabled.py | 41 +++
 6 files changed, 816 insertions(+), 2 deletions(-)
 create mode 100644 checkov/arm/checks/resource/MySQLEncryptionEnabled.py
 rename checkov/terraform/checks/resource/azure/{MySQLEncryptionEnaled.py => MySQLEncryptionEnabled.py} (86%)
 create mode 100644 tests/arm/checks/resource/example_MySQLEncryptionEnabled/fail.json
 create mode 100644 tests/arm/checks/resource/example_MySQLEncryptionEnabled/pass.json
 create mode 100644 tests/arm/checks/resource/example_MySQLEncryptionEnabled/unknown.json
 create mode 100644 tests/arm/checks/resource/test_MySQLEncryptionEnabled.py

diff --git a/checkov/arm/checks/resource/MySQLEncryptionEnabled.py b/checkov/arm/checks/resource/MySQLEncryptionEnabled.py
new file mode 100644
index 00000000000..9f86afdf572
--- /dev/null
+++ b/checkov/arm/checks/resource/MySQLEncryptionEnabled.py
@@ -0,0 +1,32 @@
+from __future__ import annotations
+
+from typing import Any
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.arm.base_resource_check import BaseResourceCheck
+
+
+class MySQLEncryptionEnabled(BaseResourceCheck):
+    def __init__(self) -> None:
+        name = "Ensure that MySQL server enables infrastructure encryption"
+        id = "CKV_AZURE_96"
+        supported_resources = ("Microsoft.DBforMySQL/flexibleServers",)
+        categories = (CheckCategories.ENCRYPTION,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def scan_resource_conf(self, conf: dict[str, Any], entity_type: str) -> CheckResult:
+        properties = conf.get("properties")
+        if properties and isinstance(properties, dict):
+            self.evaluated_keys = ["properties/dataencryption"]
+            data_encryption = properties.get("dataencryption")
+            if data_encryption and isinstance(data_encryption, dict):
+                if data_encryption is None:
+                    return CheckResult.FAILED
+                return CheckResult.PASSED
+            # unparsed
+            elif data_encryption and isinstance(data_encryption, str):
+                return CheckResult.UNKNOWN
+            return CheckResult.FAILED
+        return CheckResult.UNKNOWN
+
+
+check = MySQLEncryptionEnabled()
diff --git a/checkov/terraform/checks/resource/azure/MySQLEncryptionEnaled.py b/checkov/terraform/checks/resource/azure/MySQLEncryptionEnabled.py
similarity index 86%
rename from checkov/terraform/checks/resource/azure/MySQLEncryptionEnaled.py
rename to checkov/terraform/checks/resource/azure/MySQLEncryptionEnabled.py
index 46fbbeaf5b1..ddc8d461646 100644
--- a/checkov/terraform/checks/resource/azure/MySQLEncryptionEnaled.py
+++ b/checkov/terraform/checks/resource/azure/MySQLEncryptionEnabled.py
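Review bot: The nested `if data_encryption is None:` / `return CheckResult.FAILED` in scan_resource_conf is dead code, since the enclosing `if data_encryption and isinstance(data_encryption, dict):` already excludes None; drop those two lines and return `CheckResult.PASSED` directly from the dict branch. The lookup key `properties.get("dataencryption")` is all-lowercase while the canonical ARM spelling is `dataEncryption` (ARM treats property names case-insensitively at deployment time), so unless the ARM parser normalizes key case — which I cannot confirm from this hunk — a template written with the canonical spelling would fall through to FAILED, a false positive that matching both spellings or normalizing the key once would avoid. Any non-empty dict passes regardless of its `type` value, whereas the Terraform sibling renamed in this commit inspects `infrastructure_encryption_enabled`; if mere presence of a dataEncryption block is not the intended bar, the check should inspect `type`. A docstring on scan_resource_conf spelling out the four outcomes — dict → PASSED, unparsed string expression → UNKNOWN, absent or empty → FAILED, no `properties` → UNKNOWN — would document the contract.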
@@ -2,7 +2,7 @@
 from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
 
 
-class MySQLEncryptionEnaled(BaseResourceValueCheck):
+class MySQLEncryptionEnabled(BaseResourceValueCheck):
     def __init__(self):
         name = "Ensure that MySQL server enables infrastructure encryption"
         id = "CKV_AZURE_96"
@@ -14,4 +14,4 @@ def get_inspected_key(self):
         return 'infrastructure_encryption_enabled'
 
 
-check = MySQLEncryptionEnaled()
+check = MySQLEncryptionEnabled()
diff --git a/tests/arm/checks/resource/example_MySQLEncryptionEnabled/fail.json b/tests/arm/checks/resource/example_MySQLEncryptionEnabled/fail.json
new file mode 100644
index 00000000000..55da06c4cee
--- /dev/null
+++ b/tests/arm/checks/resource/example_MySQLEncryptionEnabled/fail.json
@@ -0,0 +1,245 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "apiVersion": { + "type": "string", + "defaultValue": "2021-05-01" + }, + "administratorLogin": { + "type": "string" + }, + "administratorLoginPassword": { + "type": "securestring" + }, + "location": { + "type": "string" + }, + "serverName": { + "type": "string" + }, + "serverEdition": { + "type": "string" + }, + "vCores": { + "type": "int", + "defaultValue": 4 + }, + "storageSizeGB": { + "type": "int" + }, + "haEnabled": { + "type": "string", + "defaultValue": "Disabled" + }, + "availabilityZone": { + "type": "string", + "defaultValue": "" + }, + "standbyAvailabilityZone": { + "type": "string" + }, + "version": { + "type": "string" + }, + "tags": { + "type": "object", + "defaultValue": {} + }, + "firewallRules": { + "type": "object", + "defaultValue": {} + }, + "backupRetentionDays": { + "type": "int" + }, + "geoRedundantBackup": { + "type": "string" + }, + "vmName": { + "type": "string", + "defaultValue": "Standard_B1ms" + }, + "storageIops": { + "type": "int" + }, + "storageAutogrow": { + "type": "string", + "defaultValue": "Enabled" + }, + "autoIoScaling": { + "type": "string", + "defaultValue": "Disabled" + }, + "identityData": { + "type": "object", + "defaultValue": {} + }, + "dataEncryptionData": { + "type": "object", + "defaultValue": {} + }, + "serverParameters": { + "type": "array", + "defaultValue": [] + }, + "aadEnabled": { + "type": "bool", + "defaultValue": false + }, + "aadData": { + "type": "object", + "defaultValue": {} + }, + "guid": { + "type": "string", + "defaultValue": "[newGuid()]" + }, + "network": { + "type": "object", + "defaultValue": {} + }, + "firewallRulesAPIVersion": { + "type": "string", + "defaultValue": "2022-01-01" + } + }, + "variables": { + "api": "[parameters('apiVersion')]", + "firewallRules": "[parameters('firewallRules').rules]", + "serverParameters": 
"[parameters('serverParameters')]" + }, + "resources": [ + { + "apiVersion": "[variables('api')]", + "location": "[parameters('location')]", + "name": "fail", + "identity": "[if(empty(parameters('identityData')), json('null'), parameters('identityData'))]", + "properties": { + "createMode": "Default", + "version": "[parameters('version')]", + "administratorLogin": "[parameters('administratorLogin')]", + "administratorLoginPassword": "[parameters('administratorLoginPassword')]", + "Network": "[if(empty(parameters('network')), json('null'), parameters('network'))]", + "Storage": { + "StorageSizeGB": "[parameters('storageSizeGB')]", + "Iops": "[parameters('storageIops')]", + "Autogrow": "[parameters('storageAutogrow')]", + "AutoIoScaling": "[parameters('autoIoScaling')]" + }, + "Backup": { + "backupRetentionDays": "[parameters('backupRetentionDays')]", + "geoRedundantBackup": "[parameters('geoRedundantBackup')]" + }, + "availabilityZone": "[parameters('availabilityZone')]", + "highAvailability": { + "mode": "[parameters('haEnabled')]", + "standbyAvailabilityZone": "[parameters('standbyAvailabilityZone')]" + } + }, + "sku": { + "name": "[parameters('vmName')]", + "tier": "[parameters('serverEdition')]", + "capacity": "[parameters('vCores')]" + }, + "tags": "[parameters('tags')]", + "type": "Microsoft.DBforMySQL/flexibleServers" + }, + { + "condition": "[greater(length(variables('firewallRules')), 0)]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-08-01", + "name": "[concat('firewallRules-', parameters('guid'), '-', copyIndex())]", + "copy": { + "count": "[if(greater(length(variables('firewallRules')), 0), length(variables('firewallRules')), 1)]", + "mode": "Serial", + "name": "firewallRulesIterator" + }, + "dependsOn": [ + "[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]", + "[concat('Microsoft.Resources/deployments/addAdmins-', parameters('guid'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + 
"$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.DBforMySQL/flexibleServers/firewallRules", + "name": "[concat(parameters('serverName'),'/',variables('firewallRules')[copyIndex()].name)]", + "apiVersion": "[parameters('firewallRulesAPIVersion')]", + "properties": { + "StartIpAddress": "[variables('firewallRules')[copyIndex()].startIPAddress]", + "EndIpAddress": "[variables('firewallRules')[copyIndex()].endIPAddress]" + } + } + ] + } + } + }, + { + "condition": "[parameters('aadEnabled')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-08-01", + "name": "[concat('addAdmins-', parameters('guid'))]", + "dependsOn": [ + "[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.DBforMySQL/flexibleServers/administrators", + "name": "[concat(parameters('serverName'),'/ActiveDirectory')]", + "apiVersion": "[variables('api')]", + "properties": { + "administratorType": "[parameters('aadData').administratorType]", + "identityResourceId": "[parameters('aadData').identityResourceId]", + "login": "[parameters('aadData').login]", + "sid": "[parameters('aadData').sid]", + "tenantId": "[parameters('aadData').tenantId]" + } + } + ] + } + } + }, + { + "condition": "[and(greater(length(variables('serverParameters')), 0), parameters('aadEnabled'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-08-01", + "copy": { + "count": "[if(greater(length(variables('serverParameters')), 0), length(variables('serverParameters')), 1)]", + "mode": "serial", + "name": "serverParametersIterator" + }, + "dependsOn": [ + "[concat('Microsoft.DBforMySQL/flexibleServers/', 
parameters('serverName'))]", + "[concat('Microsoft.Resources/deployments/addAdmins-', parameters('guid'))]" + ], + "name": "[concat('serverParameters-', copyIndex(), '-', parameters('guid'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.DBforMySQL/flexibleServers/configurations", + "name": "[concat(parameters('serverName'),'/',variables('serverParameters')[copyIndex()].name)]", + "apiVersion": "[variables('api')]", + "properties": { + "value": "[variables('serverParameters')[copyIndex()].value]", + "source": "[variables('serverParameters')[copyIndex()].source]" + } + } + ] + } + } + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_MySQLEncryptionEnabled/pass.json b/tests/arm/checks/resource/example_MySQLEncryptionEnabled/pass.json new file mode 100644 index 00000000000..a672a9b8359 --- /dev/null +++ b/tests/arm/checks/resource/example_MySQLEncryptionEnabled/pass.json 
@@ -0,0 +1,250 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "apiVersion": { + "type": "string", + "defaultValue": "2021-05-01" + }, + "administratorLogin": { + "type": "string" + }, + "administratorLoginPassword": { + "type": "securestring" + }, + "location": { + "type": "string" + }, + "serverName": { + "type": "string" + }, + "serverEdition": { + "type": "string" + }, + "vCores": { + "type": "int", + "defaultValue": 4 + }, + "storageSizeGB": { + "type": "int" + }, + "haEnabled": { + "type": "string", + "defaultValue": "Disabled" + }, + "availabilityZone": { + "type": "string", + "defaultValue": "" + }, + "standbyAvailabilityZone": { + "type": "string" + }, + "version": { + "type": "string" + }, + "tags": { + "type": "object", + "defaultValue": {} + }, + "firewallRules": { + "type": "object", + "defaultValue": {} + }, + "backupRetentionDays": { + "type": "int" + }, + "geoRedundantBackup": { + "type": "string" + }, + "vmName": { + "type": "string", + "defaultValue": "Standard_B1ms" + }, + "storageIops": { + "type": "int" + }, + "storageAutogrow": { + "type": "string", + "defaultValue": "Enabled" + }, + "autoIoScaling": { + "type": "string", + "defaultValue": "Disabled" + }, + "identityData": { + "type": "object", + "defaultValue": {} + }, + "dataEncryptionData": { + "type": "object", + "defaultValue": { + "type": "AzureKeyVault", + "primaryUserAssignedIdentityId": "/subscriptions/037ce662-dfc1-4b8b-a8a7-6c414b540ed6/resourceGroups/test/providers/Microsoft.ManagedIdentity/userAssignedIdentities/pike", + "primaryKeyURI": "https://pike3.vault.azure.net/keys/pike/ae9a3b26e89445c49fe2b92091017ba2" + } + }, + "serverParameters": { + "type": "array", + "defaultValue": [] + }, + "aadEnabled": { + "type": "bool", + "defaultValue": false + }, + "aadData": { + "type": "object", + "defaultValue": {} + }, + "guid": { + "type": "string", + "defaultValue": 
"[newGuid()]" + }, + "network": { + "type": "object", + "defaultValue": {} + }, + "firewallRulesAPIVersion": { + "type": "string", + "defaultValue": "2022-01-01" + } + }, + "variables": { + "api": "[parameters('apiVersion')]", + "firewallRules": "[parameters('firewallRules').rules]", + "serverParameters": "[parameters('serverParameters')]" + }, + "resources": [ + { + "apiVersion": "[variables('api')]", + "location": "[parameters('location')]", + "name": "pass", + "identity": "[if(empty(parameters('identityData')), json('null'), parameters('identityData'))]", + "properties": { + "createMode": "Default", + "version": "[parameters('version')]", + "administratorLogin": "[parameters('administratorLogin')]", + "administratorLoginPassword": "[parameters('administratorLoginPassword')]", + "Network": "[if(empty(parameters('network')), json('null'), parameters('network'))]", + "Storage": { + "StorageSizeGB": "[parameters('storageSizeGB')]", + "Iops": "[parameters('storageIops')]", + "Autogrow": "[parameters('storageAutogrow')]", + "AutoIoScaling": "[parameters('autoIoScaling')]" + }, + "Backup": { + "backupRetentionDays": "[parameters('backupRetentionDays')]", + "geoRedundantBackup": "[parameters('geoRedundantBackup')]" + }, + "availabilityZone": "[parameters('availabilityZone')]", + "highAvailability": { + "mode": "[parameters('haEnabled')]", + "standbyAvailabilityZone": "[parameters('standbyAvailabilityZone')]" + }, + "dataencryption": "[parameters('dataEncryptionData')]" + }, + "sku": { + "name": "[parameters('vmName')]", + "tier": "[parameters('serverEdition')]", + "capacity": "[parameters('vCores')]" + }, + "tags": "[parameters('tags')]", + "type": "Microsoft.DBforMySQL/flexibleServers" + }, + { + "condition": "[greater(length(variables('firewallRules')), 0)]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-08-01", + "name": "[concat('firewallRules-', parameters('guid'), '-', copyIndex())]", + "copy": { + "count": 
"[if(greater(length(variables('firewallRules')), 0), length(variables('firewallRules')), 1)]", + "mode": "Serial", + "name": "firewallRulesIterator" + }, + "dependsOn": [ + "[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]", + "[concat('Microsoft.Resources/deployments/addAdmins-', parameters('guid'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.DBforMySQL/flexibleServers/firewallRules", + "name": "[concat(parameters('serverName'),'/',variables('firewallRules')[copyIndex()].name)]", + "apiVersion": "[parameters('firewallRulesAPIVersion')]", + "properties": { + "StartIpAddress": "[variables('firewallRules')[copyIndex()].startIPAddress]", + "EndIpAddress": "[variables('firewallRules')[copyIndex()].endIPAddress]" + } + } + ] + } + } + }, + { + "condition": "[parameters('aadEnabled')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-08-01", + "name": "[concat('addAdmins-', parameters('guid'))]", + "dependsOn": [ + "[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.DBforMySQL/flexibleServers/administrators", + "name": "[concat(parameters('serverName'),'/ActiveDirectory')]", + "apiVersion": "[variables('api')]", + "properties": { + "administratorType": "[parameters('aadData').administratorType]", + "identityResourceId": "[parameters('aadData').identityResourceId]", + "login": "[parameters('aadData').login]", + "sid": "[parameters('aadData').sid]", + "tenantId": "[parameters('aadData').tenantId]" + } + } + ] + } + } + }, + { + "condition": 
"[and(greater(length(variables('serverParameters')), 0), parameters('aadEnabled'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-08-01", + "copy": { + "count": "[if(greater(length(variables('serverParameters')), 0), length(variables('serverParameters')), 1)]", + "mode": "serial", + "name": "serverParametersIterator" + }, + "dependsOn": [ + "[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]", + "[concat('Microsoft.Resources/deployments/addAdmins-', parameters('guid'))]" + ], + "name": "[concat('serverParameters-', copyIndex(), '-', parameters('guid'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.DBforMySQL/flexibleServers/configurations", + "name": "[concat(parameters('serverName'),'/',variables('serverParameters')[copyIndex()].name)]", + "apiVersion": "[variables('api')]", + "properties": { + "value": "[variables('serverParameters')[copyIndex()].value]", + "source": "[variables('serverParameters')[copyIndex()].source]" + } + } + ] + } + } + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_MySQLEncryptionEnabled/unknown.json b/tests/arm/checks/resource/example_MySQLEncryptionEnabled/unknown.json new file mode 100644 index 00000000000..8a3d643ac0e --- /dev/null +++ b/tests/arm/checks/resource/example_MySQLEncryptionEnabled/unknown.json 
@@ -0,0 +1,246 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "apiVersion": { + "type": "string", + "defaultValue": "2021-05-01" + }, + "administratorLogin": { + "type": "string" + }, + "administratorLoginPassword": { + "type": "securestring" + }, + "location": { + "type": "string" + }, + "serverName": { + "type": "string" + }, + "serverEdition": { + "type": "string" + }, + "vCores": { + "type": "int", + "defaultValue": 4 + }, + "storageSizeGB": { + "type": "int" + }, + "haEnabled": { + "type": "string", + "defaultValue": "Disabled" + }, + "availabilityZone": { + "type": "string", + "defaultValue": "" + }, + "standbyAvailabilityZone": { + "type": "string" + }, + "version": { + "type": "string" + }, + "tags": { + "type": "object", + "defaultValue": {} + }, + "firewallRules": { + "type": "object", + "defaultValue": {} + }, + "backupRetentionDays": { + "type": "int" + }, + "geoRedundantBackup": { + "type": "string" + }, + "vmName": { + "type": "string", + "defaultValue": "Standard_B1ms" + }, + "storageIops": { + "type": "int" + }, + "storageAutogrow": { + "type": "string", + "defaultValue": "Enabled" + }, + "autoIoScaling": { + "type": "string", + "defaultValue": "Disabled" + }, + "identityData": { + "type": "object", + "defaultValue": {} + }, + "dataEncryptionData": { + "type": "object", + "defaultValue": {} + }, + "serverParameters": { + "type": "array", + "defaultValue": [] + }, + "aadEnabled": { + "type": "bool", + "defaultValue": false + }, + "aadData": { + "type": "object", + "defaultValue": {} + }, + "guid": { + "type": "string", + "defaultValue": "[newGuid()]" + }, + "network": { + "type": "object", + "defaultValue": {} + }, + "firewallRulesAPIVersion": { + "type": "string", + "defaultValue": "2022-01-01" + } + }, + "variables": { + "api": "[parameters('apiVersion')]", + "firewallRules": "[parameters('firewallRules').rules]", + "serverParameters": 
"[parameters('serverParameters')]" + }, + "resources": [ + { + "apiVersion": "[variables('api')]", + "location": "[parameters('location')]", + "name": "unknown", + "identity": "[if(empty(parameters('identityData')), json('null'), parameters('identityData'))]", + "properties": { + "createMode": "Default", + "version": "[parameters('version')]", + "administratorLogin": "[parameters('administratorLogin')]", + "administratorLoginPassword": "[parameters('administratorLoginPassword')]", + "Network": "[if(empty(parameters('network')), json('null'), parameters('network'))]", + "Storage": { + "StorageSizeGB": "[parameters('storageSizeGB')]", + "Iops": "[parameters('storageIops')]", + "Autogrow": "[parameters('storageAutogrow')]", + "AutoIoScaling": "[parameters('autoIoScaling')]" + }, + "Backup": { + "backupRetentionDays": "[parameters('backupRetentionDays')]", + "geoRedundantBackup": "[parameters('geoRedundantBackup')]" + }, + "availabilityZone": "[parameters('availabilityZone')]", + "highAvailability": { + "mode": "[parameters('haEnabled')]", + "standbyAvailabilityZone": "[parameters('standbyAvailabilityZone')]" + }, + "dataencryption": "[if(empty(parameters('dataEncryptionData')), json('null'), parameters('dataEncryptionData'))]" + }, + "sku": { + "name": "[parameters('vmName')]", + "tier": "[parameters('serverEdition')]", + "capacity": "[parameters('vCores')]" + }, + "tags": "[parameters('tags')]", + "type": "Microsoft.DBforMySQL/flexibleServers" + }, + { + "condition": "[greater(length(variables('firewallRules')), 0)]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-08-01", + "name": "[concat('firewallRules-', parameters('guid'), '-', copyIndex())]", + "copy": { + "count": "[if(greater(length(variables('firewallRules')), 0), length(variables('firewallRules')), 1)]", + "mode": "Serial", + "name": "firewallRulesIterator" + }, + "dependsOn": [ + "[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]", + 
"[concat('Microsoft.Resources/deployments/addAdmins-', parameters('guid'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.DBforMySQL/flexibleServers/firewallRules", + "name": "[concat(parameters('serverName'),'/',variables('firewallRules')[copyIndex()].name)]", + "apiVersion": "[parameters('firewallRulesAPIVersion')]", + "properties": { + "StartIpAddress": "[variables('firewallRules')[copyIndex()].startIPAddress]", + "EndIpAddress": "[variables('firewallRules')[copyIndex()].endIPAddress]" + } + } + ] + } + } + }, + { + "condition": "[parameters('aadEnabled')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-08-01", + "name": "[concat('addAdmins-', parameters('guid'))]", + "dependsOn": [ + "[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.DBforMySQL/flexibleServers/administrators", + "name": "[concat(parameters('serverName'),'/ActiveDirectory')]", + "apiVersion": "[variables('api')]", + "properties": { + "administratorType": "[parameters('aadData').administratorType]", + "identityResourceId": "[parameters('aadData').identityResourceId]", + "login": "[parameters('aadData').login]", + "sid": "[parameters('aadData').sid]", + "tenantId": "[parameters('aadData').tenantId]" + } + } + ] + } + } + }, + { + "condition": "[and(greater(length(variables('serverParameters')), 0), parameters('aadEnabled'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-08-01", + "copy": { + "count": "[if(greater(length(variables('serverParameters')), 0), length(variables('serverParameters')), 1)]", + "mode": 
"serial", + "name": "serverParametersIterator" + }, + "dependsOn": [ + "[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]", + "[concat('Microsoft.Resources/deployments/addAdmins-', parameters('guid'))]" + ], + "name": "[concat('serverParameters-', copyIndex(), '-', parameters('guid'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.DBforMySQL/flexibleServers/configurations", + "name": "[concat(parameters('serverName'),'/',variables('serverParameters')[copyIndex()].name)]", + "apiVersion": "[variables('api')]", + "properties": { + "value": "[variables('serverParameters')[copyIndex()].value]", + "source": "[variables('serverParameters')[copyIndex()].source]" + } + } + ] + } + } + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/test_MySQLEncryptionEnabled.py b/tests/arm/checks/resource/test_MySQLEncryptionEnabled.py new file mode 100644 index 00000000000..5d9ffba527f --- /dev/null +++ b/tests/arm/checks/resource/test_MySQLEncryptionEnabled.py 
@@ -0,0 +1,41 @@
+import unittest
+from pathlib import Path
+
+from checkov.arm.checks.resource.MySQLEncryptionEnabled import check
+from checkov.arm.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestMySQLEncryptionEnabled(unittest.TestCase):
+    def test_summary(self):
+        # given
+        test_files_dir = Path(__file__).parent / "example_MySQLEncryptionEnabled"
+
+        # when
+        report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+        # then
+        summary = report.get_summary()
+
+        passing_resources = {
+            "Microsoft.DBforMySQL/flexibleServers.pass",
+        }
+
+        failing_resources = {
+            "Microsoft.DBforMySQL/flexibleServers.fail",
+        }
+
+        passed_check_resources = {c.resource for c in report.passed_checks}
+        failed_check_resources = {c.resource for c in report.failed_checks}
+
+        self.assertEqual(summary["passed"], len(passing_resources))
+        self.assertEqual(summary["failed"], len(failing_resources))
+        self.assertEqual(summary["skipped"], 0)
+        self.assertEqual(summary["parsing_errors"], 0)
+
+        self.assertSetEqual(passing_resources, passed_check_resources)
+        self.assertSetEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+    unittest.main()
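Review bot: The unknown fixture's expected outcome is only implied by the two assertSetEqual calls in test_summary (a resource that is in neither the passed nor the failed set), which a reader has to infer from the fixture directory; a comment beside the set definitions, e.g. `# unknown.json leaves dataencryption as an unresolved ARM expression string and must appear in neither set`, would make that explicit. If a named `unknown_resources = {"Microsoft.DBforMySQL/flexibleServers.unknown"}` is preferred, asserting it is disjoint from both `passed_check_resources` and `failed_check_resources` gives a clearer failure message than the count mismatch alone.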