add rule ckv_azure_5

policy/checkov/AKSRbacEnabled.azapi.mock.json

@@ -0,0 +1,50 @@
+{
+  "mock": {
+    "enabled": {
+      "resource_changes": [
+        {
+          "address": "azapi_resource.res",
+          "mode": "managed",
+          "name": "res",
+          "type": "azapi_resource",
+          "change": {
+            "actions": [
+              "create"
+            ],
+            "after": {
+              "body": {
+                "properties": {
+                  "enableRBAC": true
+                },
+                "type": "Microsoft.ContainerService/managedClusters@2024-05-01"
+              }
+            }
+          }
+        }
+      ]
+    },
+    "invalid_disabled": {
+      "resource_changes": [
+        {
+          "address": "azapi_resource.res",
+          "mode": "managed",
+          "name": "res",
+          "type": "azapi_resource",
+          "change": {
+            "actions": [
+              "create"
+            ],
+            "after": {
+              "body": {
+                "properties": {
+                  "enableRBAC": false
+                },
+                "type": "Microsoft.ContainerService/managedClusters@2024-05-01"
+              }
+            }
+          }
+        }
+      ]
+    },
+  }
+}

policy/checkov/AKSRbacEnabled.azapi.rego

@@ -0,0 +1,15 @@
+package checkov
+
+import rego.v1
+
+valid_azapi_kubernetes_cluster_rbac_enabled(resource) if {
+    resource.values.body.properties.enableRBAC == true
+}
+
+deny_CKV_AZURE_5 contains reason if {
+    resource := data.utils.resource(input, "azapi_resource")[_]
+    data.utils.is_azure_type(resource.values, "Microsoft.ContainerService/managedClusters")
+    not valid_azapi_kubernetes_cluster_rbac_enabled(resource)
+
+    reason := sprintf("checkov/CKV_AZURE_5: Ensure RBAC is enabled on AKS clusters %s https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSRbacEnabled.py", [resource.address])
+}

policy/checkov/AKSRbacEnabled.mock.json

@@ -0,0 +1,46 @@
+{
+  "mock": {
+    "enabled": {
+      "resource_changes": [
+        {
+          "address": "azurerm_kubernetes_cluster.example",
+          "mode": "managed",
+          "type": "azurerm_kubernetes_cluster",
+          "name": "example",
+          "provider_name": "registry.terraform.io/hashicorp/azurerm",
+          "change": {
+            "actions": [
+              "create"
+            ],
+            "before": null,
+            "after": {
+              "role_based_access_control_enabled": true
+            }
+          }
+        }
+      ]
+    },
+    "enabled_v2": {
+      "resource_changes": [
+        {
+          "address": "azurerm_kubernetes_cluster.example",
+          "mode": "managed",
+          "type": "azurerm_kubernetes_cluster",
+          "name": "example",
+          "provider_name": "registry.terraform.io/hashicorp/azurerm",
+          "change": {
+            "actions": [
+              "create"
+            ],
+            "before": null,
+            "after": {
+              "role_based_access_control": [{
+                "enabled": true
+              }]
+            }
+          }
+        }
+      ]
+    }
+  }
+}

policy/checkov/azurerm/AKSRbacEnabled.rego.bak → policy/checkov/AKSRbacEnabled.rego

@@ -14,7 +14,5 @@ deny_CKV_AZURE_5 contains reason if {
     resource := data.utils.resource(input, "azurerm_kubernetes_cluster")[_]
     not valid_azurerm_kubernetes_cluster_rbac_enabled(resource)
 
-    reason := sprintf("checkov/CKV_AZURE_5: Ensure RBAC is enabled on AKS clusters %s", [resource.address])
-
-    reason := sprintf("%s https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSRbacEnabled.py", [reason])
+    reason := sprintf("checkov/CKV_AZURE_5: Ensure RBAC is enabled on AKS clusters %s https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSRbacEnabled.py", [resource.address])
 }