add rule ckv_azure_143
lonegunmanb committed Mar 7, 2025
1 parent eb2a7c3 commit 260db8c
Showing 6 changed files with 219 additions and 74 deletions.
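--- a/policy/checkov/AKSNodePublicIpDisabled.azapi.mock.json
+++ b/policy/checkov/AKSNodePublicIpDisabled.azapi.mock.json
@@ -0,0 +1,84 @@
+{
+"mock": {
+"disabled": {
+"resource_changes": [
+{
+"address": "azurerm_kubernetes_cluster.example",
+"mode": "managed",
+"name": "res",
+"type": "azapi_resource",
+"changes": {
+"actions": [
+"create"
+],
+"after": {
+"body": {
+"properties": {
+"agentPoolProfiles": [
+{
+"enableNodePublicIP": false
+}
+]
+}
+},
+"type": "Microsoft.ContainerService/managedClusters/2024-05-01"
+}
+}
+}
+]
+},
+"omitted": {
+"resource_changes": [
+{
+"address": "azurerm_kubernetes_cluster.example",
+"mode": "managed",
+"name": "res",
+"type": "azapi_resource",
+"changes": {
+"actions": [
+"create"
+],
+"after": {
+"body": {
+"properties": {
+"agentPoolProfiles": [
+{
+}
+]
+}
+},
+"type": "Microsoft.ContainerService/managedClusters/2024-05-01"
+}
+}
+}
+]
+},
+"invalid_enabled": {
+"resource_changes": [
+{
+"address": "azurerm_kubernetes_cluster.example",
+"mode": "managed",
+"name": "res",
+"type": "azapi_resource",
+"changes": {
+"actions": [
+"create"
+],
+"after": {
+"body": {
+"properties": {
+"agentPoolProfiles": [
+{
+"enableNodePublicIP": true
+}
+]
+}
+},
+"type": "Microsoft.ContainerService/managedClusters/2024-05-01"
+}
+}
+}
+]
+}
+}
+}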
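Review bot: Each of the three cases nests the planned values under `"changes"` (the key right after `"type": "azapi_resource"`), while the azurerm fixture added in this same commit and Terraform's plan JSON use `"change"`; if `data.utils.resource` reads `change.after`, every azapi case resolves to empty values and the fixture can no longer tell `disabled` from `invalid_enabled`. Renaming the key to `"change"` in all three cases would align it with the other mock. The `type` value `Microsoft.ContainerService/managedClusters/2024-05-01` also departs from the `<type>@<apiVersion>` form the azapi provider emits; whether `data.utils.is_azure_type` tolerates the slash form is not visible here, so it is worth confirming against a real plan. The `address` `azurerm_kubernetes_cluster.example` on an `azapi_resource` is cosmetic, but it is what the deny message reports.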
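--- a/policy/checkov/AKSNodePublicIpDisabled.azapi.rego
+++ b/policy/checkov/AKSNodePublicIpDisabled.azapi.rego
@@ -0,0 +1,15 @@
+package checkov
+
+import rego.v1
+
+valid_azapi_kubernetes_cluster_node_public_ip_disabled(resource) if {
+resource.values.body.properties.agentPoolProfiles.enableNodePublicIP != true
+}
+
+deny_CKV_AZURE_143 contains reason if {
+resource := data.utils.resource(input, "azapi_resource")[_]
+data.utils.is_azure_type(resource.values, "Microsoft.ContainerService/managedClusters")
+not valid_azapi_kubernetes_cluster_node_public_ip_disabled(resource)
+
+reason := sprintf("checkov/CKV_AZURE_143: Ensure AKS cluster nodes do not have public IP addresses %s: https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSNodePublicIpDisabled.py", [resource.address])
+}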
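Review bot: `agentPoolProfiles` is a list in the managedClusters body (the fixture in AKSNodePublicIpDisabled.azapi.mock.json writes it as `[ { "enableNodePublicIP": ... } ]`), so `resource.values.body.properties.agentPoolProfiles.enableNodePublicIP` in `valid_azapi_kubernetes_cluster_node_public_ip_disabled` is undefined for every cluster; the comparison never evaluates, the helper never holds, and `deny_CKV_AZURE_143` fires even for the `disabled` fixture. Indexing `[0]` would only fix the first pool, and a cluster body can carry several agent pools, so the rule should iterate them and deny when any pool sets `enableNodePublicIP` to true; a pool that omits the field then stays valid because `not` of an undefined helper is true. The rewrite below keeps the function name and the deny rule unchanged.
```rego
valid_azapi_kubernetes_cluster_node_public_ip_disabled(resource) if {
	not azapi_node_public_ip_enabled(resource)
}

# Holds when any agent pool profile in the cluster body asks for a node public IP.
azapi_node_public_ip_enabled(resource) if {
	some profile in resource.values.body.properties.agentPoolProfiles
	profile.enableNodePublicIP == true
}

# … unchanged: deny_CKV_AZURE_143 …
```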
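--- a/policy/checkov/AKSNodePublicIpDisabled.mock.json
+++ b/policy/checkov/AKSNodePublicIpDisabled.mock.json
@@ -0,0 +1,118 @@
+{
+"mock": {
+"disabled": {
+"resource_changes": [
+{
+"address": "azurerm_kubernetes_cluster.example",
+"mode": "managed",
+"type": "azurerm_kubernetes_cluster",
+"name": "example",
+"provider_name": "registry.terraform.io/hashicorp/azurerm",
+"change": {
+"actions": [
+"create"
+],
+"after": {
+"default_node_pool": [
+{
+"node_public_ip_enabled": false
+}
+]
+}
+}
+}
+]
+},
+"disabled_v3": {
+"resource_changes": [
+{
+"address": "azurerm_kubernetes_cluster.example",
+"mode": "managed",
+"type": "azurerm_kubernetes_cluster",
+"name": "example",
+"provider_name": "registry.terraform.io/hashicorp/azurerm",
+"change": {
+"actions": [
+"create"
+],
+"after": {
+"default_node_pool": [
+{
+"enable_node_public_ip": false
+}
+]
+}
+}
+}
+]
+},
+"omitted": {
+"resource_changes": [
+{
+"address": "azurerm_kubernetes_cluster.example",
+"mode": "managed",
+"type": "azurerm_kubernetes_cluster",
+"name": "example",
+"provider_name": "registry.terraform.io/hashicorp/azurerm",
+"change": {
+"actions": [
+"create"
+],
+"after": {
+"default_node_pool": [
+{
+}
+]
+}
+}
+}
+]
+},
+"invalid_enabled": {
+"resource_changes": [
+{
+"address": "azurerm_kubernetes_cluster.example",
+"mode": "managed",
+"type": "azurerm_kubernetes_cluster",
+"name": "example",
+"provider_name": "registry.terraform.io/hashicorp/azurerm",
+"change": {
+"actions": [
+"create"
+],
+"after": {
+"default_node_pool": [
+{
+"node_public_ip_enabled": true
+}
+]
+}
+}
+}
+]
+},
+"invalid_enabled_v3": {
+"resource_changes": [
+{
+"address": "azurerm_kubernetes_cluster.example",
+"mode": "managed",
+"type": "azurerm_kubernetes_cluster",
+"name": "example",
+"provider_name": "registry.terraform.io/hashicorp/azurerm",
+"change": {
+"actions": [
+"create"
+],
+"after": {
+"default_node_pool": [
+{
+"enable_node_public_ip": true
+}
+]
+}
+}
+}
+]
+}
+}
+}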
Expand Up @@ -3,12 +3,12 @@ package checkov
import rego.v1

valid_azurerm_kubernetes_cluster_node_public_ip_disabled(resource) if {
not resource.values.default_node_pool[0].enable_node_public_ip
resource.values.default_node_pool[0].enable_node_public_ip != true
}

deny_CKV_AZURE_143 contains reason if {
resource := data.utils.resource(input, "azurerm_kubernetes_cluster")[_]
not valid_azurerm_kubernetes_cluster_node_public_ip_disabled(resource)

reason := sprintf("checkov/CKV_AZURE_143: Ensure AKS cluster nodes do not have public IP addresses %s", ["https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSNodePublicIpDisabled.py"])
reason := sprintf("checkov/CKV_AZURE_143: Ensure AKS cluster nodes do not have public IP addresses %s: https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSNodePublicIpDisabled.py", [resource.address])
}
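Review bot: Replacing `not resource.values.default_node_pool[0].enable_node_public_ip` with `... != true` changes how a missing attribute is treated: a Rego comparison with an undefined operand is itself undefined, so a pool that omits the field leaves `valid_azurerm_kubernetes_cluster_node_public_ip_disabled` undefined and `deny_CKV_AZURE_143` fires, whereas the old `not` form treated absence as disabled. Unless `data.utils.resource` fills in defaults, the `omitted` and `disabled` cases in AKSNodePublicIpDisabled.mock.json would both be reported, and the rule never reads the v4 attribute name `node_public_ip_enabled` that fixture also exercises, so `invalid_enabled` only fails by accident. A form that handles both names and absence is `pool := resource.values.default_node_pool[0]`, `object.get(pool, "enable_node_public_ip", false) != true`, `object.get(pool, "node_public_ip_enabled", false) != true`. The path of this file is not shown on the page, and the hunk's first line also contains an "Expand Up" control.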
21 changes: 0 additions & 21 deletions policy/checkov/azurerm/AKSNodePublicIpDisabled.py.bak

This file was deleted.

51 changes: 0 additions & 51 deletions policy/checkov/azurerm/AKSNodePublicIpDisabled.tf.bak

This file was deleted.
