feat(arm): implement CKV_AZURE_97 for ARM (#5515)
* feat(arm): implement CKV_AZURE_97 for ARM * fix json * fix json * adjust logic --------- Co-authored-by: gruebel <[email protected]>
1 parent
984ef8d
commit e732e21
Showing
9 changed files
with
1,316 additions
and
2 deletions.
@@ -0,0 +1,37 @@ | ||
from __future__ import annotations | ||
|
||
from checkov.common.models.enums import CheckCategories, CheckResult | ||
from checkov.arm.base_resource_check import BaseResourceCheck | ||
|
||
from typing import Any | ||
|
||
from checkov.common.util.data_structures_utils import find_in_dict | ||
|
||
|
||
class VMEncryptionAtHostEnabled(BaseResourceCheck): | ||
def __init__(self) -> None: | ||
name = "Ensure that Virtual machine scale sets have encryption at host enabled" | ||
id = "CKV_AZURE_97" | ||
supported_resources = ("Microsoft.Compute/virtualMachineScaleSets", "Microsoft.Compute/virtualMachines") | ||
categories = (CheckCategories.ENCRYPTION,) | ||
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) | ||
|
||
def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: | ||
encryption = "" | ||
|
||
if self.entity_type == "Microsoft.Compute/virtualMachines": | ||
self.evaluated_keys = ["properties/securityProfile/encryptionAtHost"] | ||
encryption = find_in_dict(input_dict=conf, key_path="properties/securityProfile/encryptionAtHost") | ||
elif self.entity_type == "Microsoft.Compute/virtualMachineScaleSets": | ||
self.evaluated_keys = ["properties/virtualMachineProfile/securityProfile/encryptionAtHost"] | ||
encryption = find_in_dict( | ||
input_dict=conf, key_path="properties/virtualMachineProfile/securityProfile/encryptionAtHost" | ||
) | ||
|
||
if encryption == "true": | ||
return CheckResult.PASSED | ||
|
||
return CheckResult.FAILED | ||
|
||
|
||
check = VMEncryptionAtHostEnabled() |
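Review bot: The comparison `if encryption == "true":` accepts only the lowercase string form, while `encryptionAtHost` in an ARM template is ordinarily a JSON boolean; unless the ARM parser stringifies booleans (not visible in this hunk), a template with `"encryptionAtHost": true` would be reported FAILED, and the fixture added in this commit uses the quoted string `"false"`, so the boolean form is never exercised by the tests. A tolerant form is `if encryption is True or (isinstance(encryption, str) and encryption.lower() == "true"):`. The `name` set in `__init__` mentions only scale sets although `supported_resources` also lists `Microsoft.Compute/virtualMachines`; a class docstring such as `"""Pass when a VM or VM scale set sets securityProfile.encryptionAtHost to true; the key path differs per resource type."""` would make the dual coverage explicit.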
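--- a/tests/arm/checks/resource/example_VMEncryptionAtHostEnabled/scaleset-fail.json
+++ b/tests/arm/checks/resource/example_VMEncryptionAtHostEnabled/scaleset-fail.json
@@ -0,0 +1,252 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"vmSize": {
+"type": "string",
+"defaultValue": "Standard_DS3_V2",
+"metadata": {
+"description": "Size of VMs in the VM Scale Set."
+}
+},
+"windowsOSVersion": {
+"type": "string",
+"defaultValue": "2012-R2-Datacenter",
+"allowedValues": [
+"2008-R2-SP1",
+"2012-Datacenter",
+"2012-R2-Datacenter"
+],
+"metadata": {
+"description": "The Windows version for the VM. This will pick a fully patched image of this given Windows version. Allowed values: 2008-R2-SP1, 2012-Datacenter, 2012-R2-Datacenter."
+}
+},
+"vmssName": {
+"type": "string",
+"maxLength": 9
+},
+"instanceCount": {
+"type": "int",
+"defaultValue": 2,
+"metadata": {
+"description": "Number of VM instances (100 or less)."
+},
+"maxValue": 100
+},
+"adminUsername": {
+"type": "string",
+"defaultValue": "adminUserIsTest",
+"metadata": {
+"description": "Admin username on all VMs."
+}
+},
+"adminPassword": {
+"type": "securestring",
+"metadata": {
+"description": "Admin password on all VMs."
+}
+}
+,
+"diskEncryptionSetId": {
+"type": "string",
+"defaultValue": ""
+},
+"region": {
+"type": "string",
+"defaultValue": "CentralUSEUAP"
+}
+},
+"variables": {
+"namingInfix": "[toLower(parameters('vmssName'))]",
+"addressPrefix": "10.0.0.0/16",
+"subnetPrefix": "10.0.0.0/24",
+"virtualNetworkName": "[concat(variables('namingInfix'), 'vnet')]",
+"publicIPAddressName": "[concat(variables('namingInfix'), 'pip')]",
+"subnetName": "[concat(variables('namingInfix'), 'subnet')]",
+"loadBalancerName": "[concat(variables('namingInfix'), 'lb')]",
+"publicIPAddressID": "[resourceId('Microsoft.Network/publicIPAddresses',variables('publicIPAddressName'))]",
+"lbID": "[resourceId('Microsoft.Network/loadBalancers',variables('loadBalancerName'))]",
+"natPoolName": "[concat(variables('namingInfix'), 'natpool')]",
+"bePoolName": "[concat(variables('namingInfix'), 'bepool')]",
+"natStartPort": 50000,
+"natEndPort": 50119,
+"natBackendPort": 3389,
+"nicName": "[concat(variables('namingInfix'), 'nic')]",
+"ipConfigName": "[concat(variables('namingInfix'), 'ipconfig')]",
+"frontEndIPConfigID": "[concat(variables('lbID'),'/frontendIPConfigurations/loadBalancerFrontEnd')]",
+"osType": {
+"publisher": "MicrosoftWindowsServer",
+"offer": "WindowsServer",
+"sku": "[parameters('windowsOSVersion')]",
+"version": "latest"
+},
+"imageReference": "[variables('osType')]"
+},
+"resources": [
+{
+"type": "Microsoft.Network/virtualNetworks",
+"name": "[variables('virtualNetworkName')]",
+"location": "[parameters('region')]",
+"apiVersion": "2019-06-01",
+"properties": {
+"addressSpace": {
+"addressPrefixes": [
+"[variables('addressPrefix')]"
+]
+},
+"subnets": [
+{
+"name": "[variables('subnetName')]",
+"properties": {
+"addressPrefix": "[variables('subnetPrefix')]"
+}
+}
+]
+}
+},
+{
+"type": "Microsoft.Network/publicIPAddresses",
+"name": "[variables('publicIPAddressName')]",
+"location": "[parameters('region')]",
+"apiVersion": "2019-06-01",
+"sku": {
+"name": "Basic",
+"tier": "Regional"
+},
+"properties": {
+"publicIPAllocationMethod": "Dynamic",
+"dnsSettings": {
+"domainNameLabel": "[variables('namingInfix')]"
+}
+}
+},
+{
+"type": "Microsoft.Network/loadBalancers",
+"name": "[variables('loadBalancerName')]",
+"location": "[parameters('region')]",
+"apiVersion": "2020-03-01",
+"dependsOn": [
+"[concat('Microsoft.Network/publicIPAddresses/', variables('publicIPAddressName'))]"
+],
+"properties": {
+"frontendIPConfigurations": [
+{
+"name": "LoadBalancerFrontEnd",
+"properties": {
+"publicIPAddress": {
+"id": "[variables('publicIPAddressID')]"
+}
+}
+}
+],
+"backendAddressPools": [
+{
+"name": "[variables('bePoolName')]"
+}
+],
+"inboundNatPools": [
+{
+"name": "[variables('natPoolName')]",
+"properties": {
+"frontendIPConfiguration": {
+"id": "[variables('frontEndIPConfigID')]"
+},
+"protocol": "Tcp",
+"frontendPortRangeStart": "[variables('natStartPort')]",
+"frontendPortRangeEnd": "[variables('natEndPort')]",
+"backendPort": "[variables('natBackendPort')]"
+}
+}
+]
+}
+},
+{
+"type": "Microsoft.Compute/virtualMachineScaleSets",
+"name": "fail",
+"location": "[parameters('region')]",
+"apiVersion": "2020-06-01",
+"dependsOn": [
+"[concat('Microsoft.Network/loadBalancers/', variables('loadBalancerName'))]",
+"[concat('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]"
+],
+"sku": {
+"name": "[parameters('vmSize')]",
+"tier": "Standard",
+"capacity": "[parameters('instanceCount')]"
+},
+"properties": {
+"overprovision": "true",
+"upgradePolicy": {
+"mode": "Manual"
+},
+"virtualMachineProfile": {
+"storageProfile": {
+"osDisk": {
+"createOption": "FromImage",
+"caching": "ReadWrite",
+"managedDisk": {
+"diskEncryptionSet": {
+"id": "[parameters('diskEncryptionSetId')]"
+},
+"storageAccountType": "Premium_LRS"
+}
+},
+"dataDisks": [
+{
+"lun": 0,
+"createOption": "Empty",
+"caching": "None",
+"managedDisk": {
+"diskEncryptionSet": {
+"id": "[parameters('diskEncryptionSetId')]"
+},
+"storageAccountType": "Premium_LRS"
+},
+"diskSizeGB": 64
+}
+],
+"imageReference": "[variables('imageReference')]"
+},
+"securityProfile":{
+"encryptionAtHost": "false"
+},
+"osProfile": {
+"computerNamePrefix": "[variables('namingInfix')]",
+"adminUsername": "[parameters('adminUsername')]",
+"adminPassword": "[parameters('adminPassword')]"
+},
+"networkProfile": {
+"networkInterfaceConfigurations": [
+{
+"name": "[variables('nicName')]",
+"properties": {
+"primary": true,
+"ipConfigurations": [
+{
+"name": "[variables('ipConfigName')]",
+"properties": {
+"subnet": {
+"id": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'), '/subnets/', variables('subnetName'))]"
+},
+"loadBalancerBackendAddressPools": [
+{
+"id": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Network/loadBalancers/', variables('loadBalancerName'), '/backendAddressPools/', variables('bePoolName'))]"
+}
+],
+"loadBalancerInboundNatPools": [
+{
+"id": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Network/loadBalancers/', variables('loadBalancerName'), '/inboundNatPools/', variables('natPoolName'))]"
+}
+]
+}
+}
+]
+}
+}
+]
+}
+}
+}
+}
+]
+}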