new rule for ckv_azure_139

policy/checkov/ActiveDirectoryUsedAuthenticationServiceFabric.azapi.mock.json

@@ -0,0 +1,71 @@
+{
+  "mock": {
+    "default": {
+      "resource_changes": [
+        {
+          "address": "azurerm_service_fabric_cluster.example",
+          "mode": "managed",
+          "type": "azapi_resource",
+          "change": {
+            "actions": [
+              "create"
+            ],
+            "after": {
+              "type": "Microsoft.ServiceFabric/clusters@2021-06-01",
+              "body": {
+                "properties": {
+                  "azureActiveDirectory": {
+                    "tenantId": "00000000-0000-0000-0000-000000000000"
+                  }
+                }
+              }
+            }
+          }
+        }
+      ]
+    },
+    "known_after_apply": {
+      "resource_changes": [
+        {
+          "address": "azurerm_service_fabric_cluster.example",
+          "mode": "managed",
+          "type": "azapi_resource",
+          "change": {
+            "actions": [
+              "create"
+            ],
+            "after": {
+              "type": "Microsoft.ServiceFabric/clusters@2021-06-01"
+            },
+            "after_unknown": {
+              "body": {
+                "properties": {
+                  "azureActiveDirectory": {
+                    "tenantId": true
+                  }
+                }
+              }
+            }
+          }
+        }
+      ]
+    },
+    "invalid_omitted": {
+      "resource_changes": [
+        {
+          "address": "azurerm_service_fabric_cluster.example",
+          "mode": "managed",
+          "type": "azapi_resource",
+          "change": {
+            "actions": [
+              "create"
+            ],
+            "after": {
+              "type": "Microsoft.ServiceFabric/clusters@2021-06-01"
+            }
+          }
+        }
+      ]
+    }
+  }
+}

policy/checkov/azurerm/ActiveDirectoryUsedAuthenticationServiceFabric.azapi.rego.bak → policy/checkov/ActiveDirectoryUsedAuthenticationServiceFabric.azapi.rego

@@ -3,12 +3,16 @@ package checkov
 import rego.v1
 
 valid_azapi_service_fabric_cluster_has_active_directory(resource) if {
-    resource.body.properties.azureActiveDirectory.tenantId != null
+    resource.values.body.properties.azureActiveDirectory.tenantId == resource.values.body.properties.azureActiveDirectory.tenantId
+}
+
+valid_azapi_service_fabric_cluster_has_active_directory(resource) if {
+    resource.after_unknown.body.properties.azureActiveDirectory.tenantId == resource.after_unknown.body.properties.azureActiveDirectory.tenantId
 }
 
 deny_CKV_AZURE_126_azapi contains reason if {
     resource := data.utils.resource(input, "azapi_resource")[_]
-    resource.type == "Microsoft.ServiceFabric/clusters/2021-06-01"
+    data.utils.is_azure_type(resource.values, "Microsoft.ServiceFabric/clusters")
     not valid_azapi_service_fabric_cluster_has_active_directory(resource)
 
     reason := sprintf("checkov/CKV_AZURE_126: Ensure that Active Directory is used for authentication for Service Fabric %s https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ActiveDirectoryUsedAuthenticationServiceFabric.py", [resource.address])

policy/checkov/ActiveDirectoryUsedAuthenticationServiceFabric.mock.json

@@ -0,0 +1,71 @@
+{
+  "mock": {
+    "default": {
+      "resource_changes": [
+        {
+          "address": "azurerm_service_fabric_cluster.example",
+          "mode": "managed",
+          "type": "azurerm_service_fabric_cluster",
+          "change": {
+            "actions": [
+              "create"
+            ],
+            "after": {
+              "name": "example-servicefabric",
+              "location": "westeurope",
+              "resource_group_name": "example-resources",
+              "azure_active_directory": [
+                {
+                  "tenant_id": "00000000-0000-0000-0000-000000000000"
+                }
+              ]
+            }
+          }
+        }
+      ]
+    },
+    "known_after_apply": {
+      "resource_changes": [
+        {
+          "address": "azurerm_service_fabric_cluster.example",
+          "mode": "managed",
+          "type": "azurerm_service_fabric_cluster",
+          "change": {
+            "actions": [
+              "create"
+            ],
+            "after": {
+            },
+            "after_unknown": {
+              "azure_active_directory": [
+                {
+                  "tenant_id": true
+                }
+              ]
+            }
+          }
+        }
+      ]
+    },
+    "invalid_omitted": {
+      "resource_changes": [
+        {
+          "address": "azurerm_service_fabric_cluster.example",
+          "mode": "managed",
+          "type": "azurerm_service_fabric_cluster",
+          "change": {
+            "actions": [
+              "create"
+            ],
+            "after": {
+              "azure_active_directory": [
+                {
+                }
+              ]
+            }
+          }
+        }
+      ]
+    }
+  }
+}

policy/checkov/azurerm/ActiveDirectoryUsedAuthenticationServiceFabric.rego.bak → policy/checkov/ActiveDirectoryUsedAuthenticationServiceFabric.rego

@@ -3,7 +3,11 @@ package checkov
 import rego.v1
 
 valid_azurerm_service_fabric_cluster_has_active_directory(resource) if {
-    resource.values.azure_active_directory[0].tenant_id != null
+    resource.values.azure_active_directory[0].tenant_id == resource.values.azure_active_directory[0].tenant_id
+}
+
+valid_azurerm_service_fabric_cluster_has_active_directory(resource) if {
+    resource.after_unknown.azure_active_directory[0].tenant_id == resource.after_unknown.azure_active_directory[0].tenant_id
 }
 
 deny_CKV_AZURE_126 contains reason if {