add rule ckv_azure_4
lonegunmanb committed Mar 7, 2025
1 parent d1650f1 commit b1cfcd4
Showing 9 changed files with 275 additions and 167 deletions.
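--- a/policy/checkov/AKSLoggingEnabled.azapi.mock.json
+++ b/policy/checkov/AKSLoggingEnabled.azapi.mock.json
@@ -0,0 +1,86 @@
+{
+"mock": {
+"default": {
+"resource_changes": [
+{
+"address": "azurerm_kubernetes_cluster.example",
+"mode": "managed",
+"type": "azapi_resource",
+"change": {
+"actions": [
+"create"
+],
+"after": {
+"type": "Microsoft.ContainerService/managedClusters@2024-05-01",
+"body": {
+"properties": {
+"addonProfiles": {
+"omsagent": {
+"config": {
+"logAnalyticsWorkspaceResourceID": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.OperationalInsights/workspaces/workspace1"
+}
+}
+}
+}
+}
+}
+}
+}
+]
+},
+"known_after_apply": {
+"resource_changes": [
+{
+"address": "azurerm_kubernetes_cluster.example",
+"mode": "managed",
+"type": "azapi_resource",
+"change": {
+"actions": [
+"create"
+],
+"after_unknown": {
+"body": {
+"properties": {
+"addonProfiles": {
+"omsagent": {
+"config": {
+"logAnalyticsWorkspaceResourceID": true
+}
+}
+}
+}
+}
+}
+}
+}
+]
+},
+"invalid_omitted": {
+"resource_changes": [
+{
+"address": "azurerm_kubernetes_cluster.example",
+"mode": "managed",
+"type": "azapi_resource",
+"change": {
+"actions": [
+"create"
+],
+"after": {
+"type": "Microsoft.ContainerService/managedClusters@2024-05-01",
+"body": {
+"properties": {
+"addonProfiles": {
+"omsagent": {
+"config": {
+}
+}
+}
+}
+}
+}
+}
+}
+]
+}
+}
+}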
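--- a/policy/checkov/AKSLoggingEnabled.azapi.rego
+++ b/policy/checkov/AKSLoggingEnabled.azapi.rego
@@ -0,0 +1,19 @@
+package checkov
+
+import rego.v1
+
+valid_azapi_kubernetes_cluster_logging_enabled(resource) if {
+resource.values.properties.addonProfiles.omsagent.config.logAnalyticsWorkspaceResourceID == resource.values.properties.addonProfiles.omsagent.config.logAnalyticsWorkspaceResourceID
+}
+
+valid_azapi_kubernetes_cluster_logging_enabled(resource) if {
+resource.after_unknown.properties.addonProfiles.omsagent.config.logAnalyticsWorkspaceResourceID == resource.after_unknown.properties.addonProfiles.omsagent.config.logAnalyticsWorkspaceResourceID
+}
+
+deny_CKV_AZURE_4 contains reason if {
+resource := data.utils.resource(input, "azapi_resource")[_]
+data.utils.is_azure_type(resource.values, "Microsoft.ContainerService/managedClusters")
+not valid_azapi_kubernetes_cluster_logging_enabled(resource)
+
+reason := sprintf("checkov/CKV_AZURE_4: Ensure AKS logging to Azure Monitoring is Configured %s: https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSLoggingEnabled.py", [resource.address])
+}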
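Review bot: The first `valid_azapi_kubernetes_cluster_logging_enabled` rule passes as soon as the `logAnalyticsWorkspaceResourceID` key exists, so an addon profile with `enabled: false` but a leftover `config` block, or an empty-string ID, is reported as compliant although no logs are shipped. The ARM `addonProfiles.<name>` object carries an `enabled` boolean, so the rule should require it together with a non-empty ID: `resource.values.properties.addonProfiles.omsagent.enabled == true` and `resource.values.properties.addonProfiles.omsagent.config.logAnalyticsWorkspaceResourceID != ""`. The mock file added in this commit has no disabled case, so an `invalid_disabled` fixture with `enabled: false` would pin that behaviour. Both rules read `resource.values.properties` while the mock nests the body under `after.body.properties`; this presumably relies on `data.utils.resource` unwrapping `body`, which deserves a one-line comment above the first rule such as `# values is the azapi body (properties.*), as flattened by data.utils.resource`. The message on the last line also lacks the period after "Configured" that the azurerm variant of this rule uses.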
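--- a/policy/checkov/AKSLoggingEnabled.mock.json
+++ b/policy/checkov/AKSLoggingEnabled.mock.json
@@ -0,0 +1,148 @@
+{
+"mock": {
+"default_enabled": {
+"resource_changes": [
+{
+"address": "azurerm_kubernetes_cluster.example",
+"mode": "managed",
+"type": "azurerm_kubernetes_cluster",
+"change": {
+"actions": [
+"create"
+],
+"after": {
+"oms_agent": [
+{
+"log_analytics_workspace_id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.OperationalInsights/workspaces/workspace1"
+}
+]
+}
+}
+}
+]
+},
+"default_enabled_v2": {
+"resource_changes": [
+{
+"address": "azurerm_kubernetes_cluster.example",
+"mode": "managed",
+"type": "azurerm_kubernetes_cluster",
+"change": {
+"actions": [
+"create"
+],
+"after": {
+"addon_profile": [
+{
+"oms_agent": [
+{
+"enabled": true
+}
+]
+}
+]
+}
+}
+}
+]
+},
+"default_known_after_apply": {
+"resource_changes": [
+{
+"address": "azurerm_kubernetes_cluster.example",
+"mode": "managed",
+"type": "azurerm_kubernetes_cluster",
+"change": {
+"actions": [
+"create"
+],
+"after": {},
+"after_unknown": {
+"oms_agent": [
+{
+"log_analytics_workspace_id": true
+}
+]
+}
+}
+}
+]
+},
+"invalid_omitted": {
+"resource_changes": [
+{
+"address": "azurerm_kubernetes_cluster.example",
+"mode": "managed",
+"type": "azurerm_kubernetes_cluster",
+"change": {
+"actions": [
+"create"
+],
+"after": {}
+}
+}
+]
+},
+"invalid_omitted2": {
+"resource_changes": [
+{
+"address": "azurerm_kubernetes_cluster.example",
+"mode": "managed",
+"type": "azurerm_kubernetes_cluster",
+"change": {
+"actions": [
+"create"
+],
+"after": {
+"oms_agent": []
+}
+}
+}
+]
+},
+"invalid_omitted3": {
+"resource_changes": [
+{
+"address": "azurerm_kubernetes_cluster.example",
+"mode": "managed",
+"type": "azurerm_kubernetes_cluster",
+"change": {
+"actions": [
+"create"
+],
+"after": {
+"oms_agent": [{
+
+}]
+}
+}
+}
+]
+},
+"invalid_disabled_v2": {
+"resource_changes": [
+{
+"address": "azurerm_kubernetes_cluster.example",
+"mode": "managed",
+"type": "azurerm_kubernetes_cluster",
+"change": {
+"actions": [
+"create"
+],
+"after": {
+"addon_profile": [
+{
+"oms_agent": [
+{
+"enabled": false
+}
+]
+}
+]
+}
+}
+}
+]
+}
+}
+}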
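--- a/policy/checkov/AKSLoggingEnabled.rego
+++ b/policy/checkov/AKSLoggingEnabled.rego
@@ -0,0 +1,22 @@
+package checkov
+
+import rego.v1
+
+valid_azurerm_kubernetes_cluster_logging_enabled(_input) if {
+_input.values.addon_profile[0].oms_agent[0].enabled == true
+}
+
+valid_azurerm_kubernetes_cluster_logging_enabled(_input) if {
+_input.values.oms_agent[0].log_analytics_workspace_id == _input.values.oms_agent[0].log_analytics_workspace_id
+}
+
+valid_azurerm_kubernetes_cluster_logging_enabled(_input) if {
+_input.after_unknown.oms_agent[0].log_analytics_workspace_id == _input.after_unknown.oms_agent[0].log_analytics_workspace_id
+}
+
+deny_CKV_AZURE_4 contains reason if {
+resource := data.utils.resource(input, "azurerm_kubernetes_cluster")[_]
+not valid_azurerm_kubernetes_cluster_logging_enabled(resource)
+
+reason := sprintf("checkov/CKV_AZURE_4: Ensure AKS logging to Azure Monitoring is Configured. %s: https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSLoggingEnabled.py", [resource.address])
+}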
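Review bot: The second `valid_azurerm_kubernetes_cluster_logging_enabled` rule only tests that `log_analytics_workspace_id` exists, so a plan with `log_analytics_workspace_id = ""` is reported as compliant although no workspace is attached. Comparing against the empty string, `_input.values.oms_agent[0].log_analytics_workspace_id != ""`, keeps the existence semantics of the self-comparison (undefined when the path is missing) while rejecting that value, and an `invalid_empty_id` case in the mock file would pin it. The `_input` parameter name departs from the `resource` name used by the azapi variant of this rule; a common name plus a one-line comment per rule naming the provider schema it targets (legacy `addon_profile` block vs. top-level `oms_agent` block vs. `after_unknown`) would help the next reader. The `after_unknown` rule covers only the case where the inner attribute is unknown; if the whole `oms_agent` block is computed the plan may represent it differently, which the `default_known_after_apply` mock does not exercise and is worth confirming against a real plan.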
27 changes: 0 additions & 27 deletions policy/checkov/azurerm/AKSLoggingEnabled.azapi.rego.bak

This file was deleted.

41 changes: 0 additions & 41 deletions policy/checkov/azurerm/AKSLoggingEnabled.mock.json.bak

This file was deleted.

31 changes: 0 additions & 31 deletions policy/checkov/azurerm/AKSLoggingEnabled.py.bak

This file was deleted.

