fix(terraform): Update CKV_AZURE_228 for automatic calculation (#6714)

* Update check * fix lint
bridgecrewio · Sep 12, 2024 · f26e570 · f26e570
1 parent 6aac833
commit f26e570
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 26 deletions.
diff --git a/checkov/terraform/checks/resource/azure/EventHubNamespaceZoneRedundant.py b/checkov/terraform/checks/resource/azure/EventHubNamespaceZoneRedundant.py
@@ -3,19 +3,25 @@
 from checkov.common.models.enums import CheckCategories
 from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
 
+LOCATIONS_W_REDUNDANCY = [
+    "Brazil South", "France Central", "Qatar Central", "South Africa North", "Australia East",
+    "Canada Central", "Italy North", "UAE North", "Central India",
+    "Central US", "Germany West Central", "Israel Central", "Japan East",
+    "East US", "Norway East", "Japan West",
+    "East US 2", "North Europe", "Southeast Asia",
+    "South Central US", "UK South", "East Asia",
+    "US Gov Virginia", "West Europe", "China North 3",
+    "West US 2", "Sweden Central", "Korea Central",
+    "West US 3", "Switzerland North", "New Zealand North",
+    "Mexico Central", "Poland Central",
+    "Spain Central"
+]
+
 
 class EventHubNamespaceZoneRedundant(BaseResourceValueCheck):
     def __init__(self) -> None:
         """
-        This is a best practice as the all-active Azure Event Hubs cluster model with availability zone support provides
-        resiliency against grave hardware failures and even catastrophic loss of entire datacenter facilities.
-        If an Event Hubs namespace is created in a region with availability zones,
-        the outage risk is further spread across three physically separated facilities, and the service has enough
-        capacity reserves to instantly cope up with the complete, catastrophic loss of the entire facility.
-
-        When a client application sends events to an Event Hubs without specifying a partition, events are automatically
-        distributed among partitions in the event hub. If a partition isn't available for some reason, events are
-        distributed among the remaining partitions. This behavior allows for the greatest amount of up time.
+        Zone Redundancy is now determined automatically based on region.
         """
         name = "Ensure the Azure Event Hub Namespace is zone redundant"
         id = "CKV_AZURE_228"
@@ -24,7 +30,10 @@ def __init__(self) -> None:
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
     def get_inspected_key(self) -> str:
-        return "zone_redundant"
+        return "location"
+
+    def get_expected_values(self):
+        return LOCATIONS_W_REDUNDANCY
 
 
 check = EventHubNamespaceZoneRedundant()
diff --git a/tests/terraform/checks/resource/azure/example_EventHubNamespaceZoneRedundant/main.tf b/tests/terraform/checks/resource/azure/example_EventHubNamespaceZoneRedundant/main.tf
@@ -1,29 +1,46 @@
+provider "azurerm" {
+  features {}
+}
+
+resource "azurerm_resource_group" "pass" {
+  name     = "pass-resources"
+  location = "West Europe"
+}
+
 resource "azurerm_eventhub_namespace" "pass" {
-  name                = "example-namespace"
-  location            = azurerm_resource_group.example.location
-  resource_group_name = azurerm_resource_group.example.name
+  name                = "pass-eventhubns"
+  location            = azurerm_resource_group.pass.location
+  resource_group_name = azurerm_resource_group.pass.name
   sku                 = "Standard"
   capacity            = 2
-  minimum_tls_version = 1.2
-  zone_redundant = true
-
   tags = {
     environment = "Production"
   }
 }
 
-resource "azurerm_eventhub_namespace" "fail2" {
-  name                = "eventhub-primary"
-  location            = azurerm_resource_group.example.location
-  resource_group_name = azurerm_resource_group.example.name
+resource "azurerm_eventhub_namespace" "unknown" {
+  name                = "unknown-eventhubns"
+  location            = azurerm_resource_group.foo.location
+  resource_group_name = azurerm_resource_group.foo.name
   sku                 = "Standard"
+  capacity            = 2
+  tags = {
+    environment = "Production"
+  }
+}
+
+resource "azurerm_resource_group" "fail" {
+  name     = "fail-resources"
+  location = "South Africa West"
 }
 
 resource "azurerm_eventhub_namespace" "fail" {
-  name                = "eventhub-primary"
-  location            = azurerm_resource_group.example.location
-  resource_group_name = azurerm_resource_group.example.name
+  name                = "fail-eventhubns"
+  location            = azurerm_resource_group.fail.location
+  resource_group_name = azurerm_resource_group.fail.name
   sku                 = "Standard"
-  minimum_tls_version = "1.1"
-  zone_redundant = false
+  capacity            = 2
+  tags = {
+    environment = "Production"
+  }
 }
diff --git a/tests/terraform/checks/resource/azure/test_EventHubNamespaceZoneRedundant.py b/tests/terraform/checks/resource/azure/test_EventHubNamespaceZoneRedundant.py
@@ -22,7 +22,6 @@ def test(self):
         }
         failing_resources = {
             'azurerm_eventhub_namespace.fail',
-            'azurerm_eventhub_namespace.fail2',
         }
         skipped_resources = {}