-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
73b1615
commit b736fe4
Showing
10 changed files
with
250 additions
and
84 deletions.
There are no files selected for viewing
92 changes: 92 additions & 0 deletions
92
policy/checkov/AKSApiServerAuthorizedIpRanges.azapi.mock.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,92 @@ | ||
| { | ||
| "mock" : { | ||
| "default": { | ||
| "resource_changes": [{ | ||
| "address": "azurerm_kubernetes_cluster.example", | ||
| "mode": "managed", | ||
| "type": "azapi_resource", | ||
| "change": { | ||
| "actions": [ | ||
| "create" | ||
| ], | ||
| "after": { | ||
| "type": "Microsoft.ContainerService/managedClusters@2024-05-01", | ||
| "body": { | ||
| "properties": { | ||
| "apiServerAccessProfile": { | ||
| "authorizedIPRanges": [ | ||
| "10.0.0.0/24" | ||
| ], | ||
| "enablePrivateCluster": false | ||
| } | ||
| } | ||
| } | ||
| } | ||
| } | ||
| }] | ||
| }, | ||
| "private_cluster": { | ||
| "resource_changes": [{ | ||
| "address": "azurerm_kubernetes_cluster.example", | ||
| "mode": "managed", | ||
| "type": "azapi_resource", | ||
| "change": { | ||
| "actions": [ | ||
| "create" | ||
| ], | ||
| "after": { | ||
| "type": "Microsoft.ContainerService/managedClusters@2024-05-01", | ||
| "body": { | ||
| "properties": { | ||
| "apiServerAccessProfile": { | ||
| "enablePrivateCluster": true | ||
| } | ||
| } | ||
| } | ||
| } | ||
| } | ||
| }] | ||
| }, | ||
| "invalid_omitted": { | ||
| "resource_changes": [{ | ||
| "address": "azurerm_kubernetes_cluster.example", | ||
| "mode": "managed", | ||
| "type": "azapi_resource", | ||
| "change": { | ||
| "actions": [ | ||
| "create" | ||
| ], | ||
| "after": { | ||
| "type": "Microsoft.ContainerService/managedClusters@2024-05-01", | ||
| "body": { | ||
| "properties": { | ||
| "apiServerAccessProfile": { | ||
| "enablePrivateCluster": false | ||
| } | ||
| } | ||
| } | ||
| } | ||
| } | ||
| }] | ||
| }, | ||
| "invalid_omitted2": { | ||
| "resource_changes": [{ | ||
| "address": "azurerm_kubernetes_cluster.example", | ||
| "mode": "managed", | ||
| "type": "azapi_resource", | ||
| "change": { | ||
| "actions": [ | ||
| "create" | ||
| ], | ||
| "after": { | ||
| "type": "Microsoft.ContainerService/managedClusters@2024-05-01", | ||
| "body": { | ||
| "properties": { | ||
| } | ||
| } | ||
| } | ||
| } | ||
| }] | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| package checkov | ||
|
|
||
| import rego.v1 | ||
|
|
||
| valid_azapi_kubernetes_cluster_api_server_authorized_ip_ranges(resource) if { | ||
| resource.values.body.properties.apiServerAccessProfile.enablePrivateCluster == true | ||
| } | ||
|
|
||
| valid_azapi_kubernetes_cluster_api_server_authorized_ip_ranges(resource) if { | ||
| resource.values.body.properties.apiServerAccessProfile.authorizedIPRanges[_] | ||
| } | ||
|
|
||
| deny_CKV_AZURE_6 contains reason if { | ||
| resource := data.utils.resource(input, "azapi_resource")[_] | ||
| data.utils.is_azure_type(resource.values, "Microsoft.ContainerService/managedClusters") | ||
| not valid_azapi_kubernetes_cluster_api_server_authorized_ip_ranges(resource.changes.after) | ||
|
|
||
| reason := sprintf("checkov/CKV_AZURE_6: Ensure AKS has an API Server Authorized IP Ranges enabled %s: https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSApiServerAuthorizedIpRanges.py", [resource.address]) | ||
| } |
116 changes: 116 additions & 0 deletions
116
policy/checkov/AKSApiServerAuthorizedIpRanges.mock.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,116 @@ | ||
| { | ||
| "mock": { | ||
| "default": { | ||
| "resource_changes": [ | ||
| { | ||
| "address": "azurerm_kubernetes_cluster.example", | ||
| "mode": "managed", | ||
| "type": "azurerm_kubernetes_cluster", | ||
| "change": { | ||
| "actions": [ | ||
| "create" | ||
| ], | ||
| "after": { | ||
| "api_server_access_profile": [ | ||
| { | ||
| "authorized_ip_ranges": [ | ||
| "10.0.0.0/24" | ||
| ] | ||
| } | ||
| ], | ||
| "private_cluster_enabled": false | ||
| } | ||
| } | ||
| } | ||
| ] | ||
| }, | ||
| "default_v2": { | ||
| "resource_changes": [ | ||
| { | ||
| "address": "azurerm_kubernetes_cluster.example", | ||
| "mode": "managed", | ||
| "type": "azurerm_kubernetes_cluster", | ||
| "change": { | ||
| "actions": [ | ||
| "create" | ||
| ], | ||
| "after": { | ||
| "api_server_authorized_ip_ranges": [ | ||
| "10.0.0.0/24" | ||
| ], | ||
| "private_cluster_enabled": false | ||
| } | ||
| } | ||
| } | ||
| ] | ||
| }, | ||
| "private_cluster": { | ||
| "resource_changes": [ | ||
| { | ||
| "address": "azurerm_kubernetes_cluster.example", | ||
| "mode": "managed", | ||
| "type": "azurerm_kubernetes_cluster", | ||
| "change": { | ||
| "actions": [ | ||
| "create" | ||
| ], | ||
| "after": { | ||
| "private_cluster_enabled": true | ||
| } | ||
| } | ||
| } | ||
| ] | ||
| }, | ||
| "invalid_omitted": { | ||
| "resource_changes": [ | ||
| { | ||
| "address": "azurerm_kubernetes_cluster.example", | ||
| "mode": "managed", | ||
| "type": "azurerm_kubernetes_cluster", | ||
| "change": { | ||
| "actions": [ | ||
| "create" | ||
| ], | ||
| "after": {} | ||
| } | ||
| } | ||
| ] | ||
| }, | ||
| "invalid_empty": { | ||
| "resource_changes": [ | ||
| { | ||
| "address": "azurerm_kubernetes_cluster.example", | ||
| "mode": "managed", | ||
| "type": "azurerm_kubernetes_cluster", | ||
| "change": { | ||
| "actions": [ | ||
| "create" | ||
| ], | ||
| "after": { | ||
| "api_server_access_profile":{ | ||
| "authorized_ip_ranges": [] | ||
| } | ||
| } | ||
| } | ||
| } | ||
| ] | ||
| }, | ||
| "invalid_empty_v2": { | ||
| "resource_changes": [ | ||
| { | ||
| "address": "azurerm_kubernetes_cluster.example", | ||
| "mode": "managed", | ||
| "type": "azurerm_kubernetes_cluster", | ||
| "change": { | ||
| "actions": [ | ||
| "create" | ||
| ], | ||
| "after": { | ||
| "api_server_authorized_ip_ranges": [] | ||
| } | ||
| } | ||
| } | ||
| ] | ||
| } | ||
| } | ||
| } |
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| package checkov | ||
|
|
||
| import rego.v1 | ||
|
|
||
| valid_azurerm_kubernetes_cluster_api_server_authorized_ip_ranges(resource) if { | ||
| resource.values.private_cluster_enabled == true | ||
| } | ||
|
|
||
| valid_azurerm_kubernetes_cluster_api_server_authorized_ip_ranges(resource) if { | ||
| resource.values.api_server_authorized_ip_ranges[0] == resource.values.api_server_authorized_ip_ranges[0] | ||
| } | ||
|
|
||
| valid_azurerm_kubernetes_cluster_api_server_authorized_ip_ranges(resource) if { | ||
| resource.values.api_server_access_profile[0].authorized_ip_ranges[0] == resource.values.api_server_access_profile[0].authorized_ip_ranges[0] | ||
| } | ||
|
|
||
| deny_CKV_AZURE_6 contains reason if { | ||
| resource := data.utils.resource(input, "azurerm_kubernetes_cluster")[_] | ||
| not valid_azurerm_kubernetes_cluster_api_server_authorized_ip_ranges(resource) | ||
|
|
||
| reason := sprintf("checkov/CKV_AZURE_6: Ensure AKS has an API Server Authorized IP Ranges enabled %s: https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSApiServerAuthorizedIpRanges.py", [resource.address]) | ||
| } |
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
20 changes: 0 additions & 20 deletions
20
policy/checkov/azurerm/AKSApiServerAuthorizedIpRanges.azapi.rego.bak
This file was deleted.
Oops, something went wrong.
44 changes: 0 additions & 44 deletions
44
policy/checkov/azurerm/AKSApiServerAuthorizedIpRanges.mock.json.bak
This file was deleted.
Oops, something went wrong.
19 changes: 0 additions & 19 deletions
19
policy/checkov/azurerm/AKSApiServerAuthorizedIpRanges.rego.bak
This file was deleted.
Oops, something went wrong.