From 385c56b4711dc5fdb8f864652550592c82275613 Mon Sep 17 00:00:00 2001
From: Zijie He
Date: Fri, 7 Mar 2025 11:29:15 +0800
Subject: [PATCH] add rule ckv_azure_5
---
policy/checkov/AKSRbacEnabled.azapi.mock.json | 50 +++++++++++++++++++
policy/checkov/AKSRbacEnabled.azapi.rego | 15 ++++++
policy/checkov/AKSRbacEnabled.mock.json | 46 +++++++++++++++++
...acEnabled.rego.bak => AKSRbacEnabled.rego} | 4 +-
policy/checkov/azurerm/AKSRbacEnabled.py.bak | 32 ------------
policy/checkov/azurerm/AKSRbacEnabled.tf.bak | 46 -----------------
6 files changed, 112 insertions(+), 81 deletions(-)
create mode 100644 policy/checkov/AKSRbacEnabled.azapi.mock.json
create mode 100644 policy/checkov/AKSRbacEnabled.azapi.rego
create mode 100644 policy/checkov/AKSRbacEnabled.mock.json
rename policy/checkov/{azurerm/AKSRbacEnabled.rego.bak => AKSRbacEnabled.rego} (73%)
delete mode 100644 policy/checkov/azurerm/AKSRbacEnabled.py.bak
delete mode 100644 policy/checkov/azurerm/AKSRbacEnabled.tf.bak
diff --git a/policy/checkov/AKSRbacEnabled.azapi.mock.json b/policy/checkov/AKSRbacEnabled.azapi.mock.json
new file mode 100644
index 0000000..2b16696
--- /dev/null
+++ b/policy/checkov/AKSRbacEnabled.azapi.mock.json
@@ -0,0 +1,50 @@
+{
+ "mock": {
+ "enabled": {
+ "resource_changes": [
+ {
+ "address": "azapi_resource.res",
+ "mode": "managed",
+ "name": "res",
+ "type": "azapi_resource",
+ "change": {
+ "actions": [
+ "create"
+ ],
+ "after": {
+ "body": {
+ "properties": {
+ "enableRBAC": true
+ },
+ "type": "Microsoft.ContainerService/managedClusters@2024-05-01"
+ }
+ }
+ }
+ }
+ ]
+ },
+ "invalid_disabled": {
+ "resource_changes": [
+ {
+ "address": "azapi_resource.res",
+ "mode": "managed",
+ "name": "res",
+ "type": "azapi_resource",
+ "change": {
+ "actions": [
+ "create"
+ ],
+ "after": {
+ "body": {
+ "properties": {
+ "enableRBAC": false
+ },
+ "type": "Microsoft.ContainerService/managedClusters@2024-05-01"
+ }
+ }
+ }
+ }
+ ]
+ },
+ }
+}
\ No newline at end of file
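Review bot: The fixture is not valid JSON: the `"invalid_disabled": { … },` object ends with a trailing comma right before the `}` that closes `"mock"`, so any strict parser (OPA's test loader, `json.load`) rejects the whole file and neither the `enabled` nor the `invalid_disabled` case ever runs; drop the comma so the file ends `}` `}` `}`. Separately, both cases place `"type"` inside `body` next to `"properties"`, whereas in a real `azapi_resource` plan the API `type` is a top-level attribute of `after` and `body` holds only the request payload; if `data.utils.is_azure_type(resource.values, …)` (defined outside this patch) reads `values.type`, this fixture never matches the rule and `invalid_disabled` would pass for the wrong reason. Moving `"type"` up one level, as a sibling of `"body"`, makes the fixture look like actual plan output and keeps the negative case meaningful.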
diff --git a/policy/checkov/AKSRbacEnabled.azapi.rego b/policy/checkov/AKSRbacEnabled.azapi.rego
new file mode 100644
index 0000000..4a69ae3
--- /dev/null
+++ b/policy/checkov/AKSRbacEnabled.azapi.rego
@@ -0,0 +1,15 @@
+package checkov
+
+import rego.v1
+
+valid_azapi_kubernetes_cluster_rbac_enabled(resource) if {
+ resource.values.body.properties.enableRBAC == true
+}
+
+deny_CKV_AZURE_5 contains reason if {
+ resource := data.utils.resource(input, "azapi_resource")[_]
+ data.utils.is_azure_type(resource.values, "Microsoft.ContainerService/managedClusters")
+ not valid_azapi_kubernetes_cluster_rbac_enabled(resource)
+
+ reason := sprintf("checkov/CKV_AZURE_5: Ensure RBAC is enabled on AKS clusters %s https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSRbacEnabled.py", [resource.address])
+}
diff --git a/policy/checkov/AKSRbacEnabled.mock.json b/policy/checkov/AKSRbacEnabled.mock.json
new file mode 100644
index 0000000..8a57cf9
--- /dev/null
+++ b/policy/checkov/AKSRbacEnabled.mock.json
@@ -0,0 +1,46 @@
+{
+ "mock": {
+ "enabled": {
+ "resource_changes": [
+ {
+ "address": "azurerm_kubernetes_cluster.example",
+ "mode": "managed",
+ "type": "azurerm_kubernetes_cluster",
+ "name": "example",
+ "provider_name": "registry.terraform.io/hashicorp/azurerm",
+ "change": {
+ "actions": [
+ "create"
+ ],
+ "before": null,
+ "after": {
+ "role_based_access_control_enabled": true
+ }
+ }
+ }
+ ]
+ },
+ "enabled_v2": {
+ "resource_changes": [
+ {
+ "address": "azurerm_kubernetes_cluster.example",
+ "mode": "managed",
+ "type": "azurerm_kubernetes_cluster",
+ "name": "example",
+ "provider_name": "registry.terraform.io/hashicorp/azurerm",
+ "change": {
+ "actions": [
+ "create"
+ ],
+ "before": null,
+ "after": {
+ "role_based_access_control": [{
+ "enabled": true
+ }]
+ }
+ }
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
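Review bot: `valid_azapi_kubernetes_cluster_rbac_enabled` holds only when `resource.values.body.properties.enableRBAC == true`, so a plan whose `body` omits `enableRBAC`, or where `body` is a JSON string rather than an object (presumably what older azapi provider versions emit), leaves the path undefined and every managed cluster is denied regardless of its actual RBAC setting. Fail-closed is the right direction for this control, but it differs from the Checkov check the message links to and is not stated anywhere, so the helper deserves a comment such as `# Fails closed: enableRBAC must be a literal true inside an object-typed body; an omitted key or a string body is reported as a finding.` If string bodies are meant to be supported, unmarshalling `resource.values.body` with `json.unmarshal` before reading `properties` is a small change. `data.utils.is_azure_type` and `data.utils.resource` are defined outside this patch, so whether the former reads `values.type` or `values.body.type` cannot be verified here, and the fixture in this commit only provides the latter.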
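Review bot: The azurerm fixture contains only passing cases (`enabled` and `enabled_v2`), so nothing here exercises the deny path of `deny_CKV_AZURE_5` in AKSRbacEnabled.rego; a rule that never fires would still pass this suite, whereas the sibling azapi fixture in the same commit does ship an `invalid_disabled` case. Add at least one negative case mirroring it, e.g. an `"invalid_disabled"` entry whose `after` is `{"role_based_access_control_enabled": false}`, and preferably an `"invalid_missing"` entry with an empty `after` `{}`, since what the rule does with an omitted attribute cannot be seen from this patch and a fixture is the cheapest way to pin it. The legacy block form deserves its own negative case too, `"role_based_access_control": [{"enabled": false}]`, so both attribute shapes are covered in both directions.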
diff --git a/policy/checkov/azurerm/AKSRbacEnabled.rego.bak b/policy/checkov/AKSRbacEnabled.rego similarity index 73% rename from policy/checkov/azurerm/AKSRbacEnabled.rego.bak rename to policy/checkov/AKSRbacEnabled.rego index 2ad8a98..6c1b10e 100644 --- a/policy/checkov/azurerm/AKSRbacEnabled.rego.bak +++ b/policy/checkov/AKSRbacEnabled.rego @@ -14,7 +14,5 @@ deny_CKV_AZURE_5 contains reason if { resource := data.utils.resource(input, "azurerm_kubernetes_cluster")[_] not valid_azurerm_kubernetes_cluster_rbac_enabled(resource) - reason := sprintf("checkov/CKV_AZURE_5: Ensure RBAC is enabled on AKS clusters %s", [resource.address]) - - reason := sprintf("%s https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSRbacEnabled.py", [reason]) + reason := sprintf("checkov/CKV_AZURE_5: Ensure RBAC is enabled on AKS clusters %s https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSRbacEnabled.py", [resource.address]) } diff --git a/policy/checkov/azurerm/AKSRbacEnabled.py.bak b/policy/checkov/azurerm/AKSRbacEnabled.py.bak deleted file mode 100644 index 25462fb..0000000 --- a/policy/checkov/azurerm/AKSRbacEnabled.py.bak +++ /dev/null 
@@ -1,32 +0,0 @@
-import dpath.util
-from checkov.common.models.enums import CheckCategories, CheckResult
-from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
-
-
-class AKSRbacEnabled(BaseResourceCheck):
- def __init__(self):
- name = "Ensure RBAC is enabled on AKS clusters"
- id = "CKV_AZURE_5"
- supported_resources = ["azurerm_kubernetes_cluster"]
- categories = [CheckCategories.KUBERNETES]
- super().__init__(
- name=name,
- id=id,
- categories=categories,
- supported_resources=supported_resources,
- )
-
- def scan_resource_conf(self, conf):
- self.evaluated_keys = [
- "role_based_access_control/[0]/enabled", # azurerm < 2.99.0
- "role_based_access_control_enabled", # azurerm >= 2.99.0
- ]
-
- for key in self.evaluated_keys:
- if dpath.search(conf, key) and dpath.get(conf, key)[0]:
- return CheckResult.PASSED
-
- return CheckResult.FAILED
-
-
-check = AKSRbacEnabled()
diff --git a/policy/checkov/azurerm/AKSRbacEnabled.tf.bak b/policy/checkov/azurerm/AKSRbacEnabled.tf.bak
deleted file mode 100644
index 28c85b4..0000000
--- a/policy/checkov/azurerm/AKSRbacEnabled.tf.bak
+++ /dev/null
@@ -1,46 +0,0 @@
-
-# This configuration has been generated by the Azure Terraform plugin which utilizes Generative AI which may result in unintended or inaccurate configuration code. A human must validate that this configuration accomplishes the desired goal before applying the configuration.
-
-provider "azurerm" {
- features {}
-}
-
-resource "azurerm_resource_group" "example" {
- name = "example-resources"
- location = "West Europe"
-}
-
-resource "azurerm_kubernetes_cluster" "example" {
- name = "example-aks"
- location = azurerm_resource_group.example.location
- resource_group_name = azurerm_resource_group.example.name
- dns_prefix = "exampleaks"
-
- default_node_pool {
- name = "default"
- node_count = 1
- vm_size = "Standard_DS2_v2"
- }
-
- identity {
- type = "SystemAssigned"
- }
-
- azure_active_directory_role_based_access_control {
- tenant_id = "" # Add your tenant ID here
- admin_group_object_ids = [""] # Add your admin group object ID here
- }
-
- tags = {
- Environment = "Production"
- }
-}
-
-terraform {
- required_providers {
- azurerm = {
- source = "hashicorp/azurerm"
- version = "4.20.0"
- }
- }
-}