CKV_AZURE_226: error in check and testcase

[tberreis]

Describe the issue
CKV_AZURE_226 checks for ephemeral disks within the "main resource" azurerm_kubernetes_cluster but the cluster itself doesn't have any argument called os_disk_type. The argument os_disk_type is part of the node pool.
The testcase here is misleading and the check itself here too.

In my opinion this must be something like

    def get_inspected_key(self) -> str:
        return "default_node_pool/[0]/os_disk_type"

otherwise it won't work?

Same for CKV_AZURE_227.

Examples

[root] # head -30 aks.tf
resource "azurerm_kubernetes_cluster" "this" {
  name                = local.name_prefix
  location            = var.resource_group.location
  resource_group_name = var.resource_group.name
  node_resource_group = "${local.name_prefix}-node-pool"
  dns_prefix          = local.name_prefix
  kubernetes_version  = local.kubernetes_version
  sku_tier            = var.sku_tier

  api_server_access_profile {
    authorized_ip_ranges = var.api_server_authorized_ip_ranges
  }

  default_node_pool {
    name = "default"

    enable_host_encryption       = true
    vm_size                      = "Standard_E4ads_v5"
    os_disk_type                 = "Ephemeral"
    zones                        = [1, 2, 3]
    only_critical_addons_enabled = true

    type                 = "VirtualMachineScaleSets"
    vnet_subnet_id       = var.subnet_id
    enable_auto_scaling  = true
    max_count            = 6
    min_count            = 2
    orchestrator_version = local.kubernetes_version

    upgrade_settings {

results in

[root] # checkov --skip-framework kubernetes --skip-framework helm --quiet --compact -o junitxml -o cli --directory .
2023-10-02 11:58:47,399 [MainThread  ] [WARNI]  The framework "sca_image" is part of the "SCA" module, which is not enabled in the platform
2023-10-02 11:58:47,399 [MainThread  ] [WARNI]  The framework "sca_package" is part of the "SCA" module, which is not enabled in the platform
terraform scan results:

Passed checks: 6, Failed checks: 11, Skipped checks: 0

[...]
Check: CKV_AZURE_226: "Ensure ephemeral disks are used for OS disks"
        FAILED for resource: azurerm_kubernetes_cluster.this
        File: /aks.tf:1-64
Check: CKV_AZURE_227: "Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources"
        FAILED for resource: azurerm_kubernetes_cluster.this
        File: /aks.tf:1-64
[...]

Please also see https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster for code example.

Version (please complete the following information):

• Checkov Version 2.4.58

Additional context
This is related to #5584 and #5588.

[gruebel]

hey @tberreis thanks for reaching out.

Nice catch, are you interested in contributing the needed change and adjusting the test cases?