
feat(arm): add CKV_AZURE_54 to ensure a minimal TLS version is enforced for the server (#6270)

* update new arm policy for resource: MySQLServerMinTLSVersion

* update new arm policy for resource: MySQLServerMinTLSVersion

* update new arm policy for resource: MySQLServerMinTLSVersion

---------

Co-authored-by: ChanochShayner <[email protected]>
tehila86127 and ChanochShayner committed May 22, 2024
1 parent 348a39b commit 1357f38
Showing 4 changed files with 581 additions and 0 deletions.
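--- a/checkov/arm/checks/resource/MySQLServerMinTLSVersion.py
+++ b/checkov/arm/checks/resource/MySQLServerMinTLSVersion.py
@@ -0,0 +1,23 @@
+from checkov.common.models.enums import CheckCategories
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+
+
+class MySQLServerMinTLSVersion(BaseResourceValueCheck):
+def __init__(self) -> None:
+name = "Ensure MySQL is using the latest version of TLS encryption"
+id = "CKV_AZURE_54"
+supported_resources = ("Microsoft.DBforMySQL/servers",)
+categories = (CheckCategories.NETWORKING,)
+super().__init__(name=name,
+id=id,
+categories=categories,
+supported_resources=supported_resources, )
+
+def get_inspected_key(self) -> str:
+return "properties/minimalTlsVersion"
+
+def get_expected_value(self) -> str:
+return "TLS1_2"
+
+
+check = MySQLServerMinTLSVersion()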
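Review bot: `get_expected_value` pins the accepted value to exactly `"TLS1_2"` while the check name promises "the latest version of TLS encryption"; should Azure ever accept a stricter value for `Microsoft.DBforMySQL/servers`, a template using it would be reported as failing, so either the name should read "at least TLS 1.2" or the comparison should accept newer values (via a `get_expected_values` override returning the accepted list, if the ARM base class supports that the way the Terraform one does). The constructor also leaves the base class's missing-key handling at its default, so what the check reports when `properties/minimalTlsVersion` is absent is not visible in this file; that is a plausible real-world shape of the weak configuration and is worth pinning explicitly rather than inheriting. The class has no docstring; I would add `"""Checks that Microsoft.DBforMySQL/servers sets properties/minimalTlsVersion to TLS1_2."""` directly under the class line. Style: the trailing `, )` in the `super().__init__` call reads as a leftover; `supported_resources=supported_resources)` is the usual form.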
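--- a/tests/arm/checks/resource/example_MySQLServerMinTLSVersion/fail.json
+++ b/tests/arm/checks/resource/example_MySQLServerMinTLSVersion/fail.json
@@ -0,0 +1,257 @@
+
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"metadata": {
+"_generator": {
+"name": "bicep",
+"version": "0.26.54.24096",
+"templateHash": "1923296876861958074"
+}
+},
+"parameters": {
+"serverName": {
+"type": "string",
+"metadata": {
+"description": "Server Name for Azure database for MySQL"
+}
+},
+"administratorLogin": {
+"type": "string",
+"minLength": 1,
+"metadata": {
+"description": "Database administrator login name"
+}
+},
+"administratorLoginPassword": {
+"type": "securestring",
+"minLength": 8,
+"metadata": {
+"description": "Database administrator password"
+}
+},
+"skuCapacity": {
+"type": "int",
+"defaultValue": 2,
+"metadata": {
+"description": "Azure database for MySQL compute capacity in vCores (2,4,8,16,32)"
+}
+},
+"skuName": {
+"type": "string",
+"defaultValue": "GP_Gen5_2",
+"metadata": {
+"description": "Azure database for MySQL sku name "
+}
+},
+"SkuSizeMB": {
+"type": "int",
+"defaultValue": 5120,
+"metadata": {
+"description": "Azure database for MySQL Sku Size "
+}
+},
+"SkuTier": {
+"type": "string",
+"defaultValue": "GeneralPurpose",
+"allowedValues": [
+"Basic",
+"GeneralPurpose",
+"MemoryOptimized"
+],
+"metadata": {
+"description": "Azure database for MySQL pricing tier"
+}
+},
+"skuFamily": {
+"type": "string",
+"defaultValue": "Gen5",
+"metadata": {
+"description": "Azure database for MySQL sku family"
+}
+},
+"mysqlVersion": {
+"type": "string",
+"defaultValue": "8.0",
+"allowedValues": [
+"5.6",
+"5.7",
+"8.0"
+],
+"metadata": {
+"description": "MySQL version"
+}
+},
+"location": {
+"type": "string",
+"defaultValue": "[resourceGroup().location]",
+"metadata": {
+"description": "Location for all resources."
+}
+},
+"backupRetentionDays": {
+"type": "int",
+"defaultValue": 7,
+"metadata": {
+"description": "MySQL Server backup retention days"
+}
+},
+"geoRedundantBackup": {
+"type": "string",
+"defaultValue": "Disabled",
+"metadata": {
+"description": "Geo-Redundant Backup setting"
+}
+},
+"virtualNetworkName": {
+"type": "string",
+"defaultValue": "azure_mysql_vnet",
+"metadata": {
+"description": "Virtual Network Name"
+}
+},
+"subnetName": {
+"type": "string",
+"defaultValue": "azure_mysql_subnet",
+"metadata": {
+"description": "Subnet Name"
+}
+},
+"virtualNetworkRuleName": {
+"type": "string",
+"defaultValue": "AllowSubnet",
+"metadata": {
+"description": "Virtual Network RuleName"
+}
+},
+"vnetAddressPrefix": {
+"type": "string",
+"defaultValue": "10.0.0.0/16",
+"metadata": {
+"description": "Virtual Network Address Prefix"
+}
+},
+"subnetPrefix": {
+"type": "string",
+"defaultValue": "10.0.0.0/16",
+"metadata": {
+"description": "Subnet Address Prefix"
+}
+}
+},
+"variables": {
+"firewallrules": [
+{
+"Name": "rule1",
+"StartIpAddress": "0.0.0.0",
+"EndIpAddress": "255.255.255.255"
+},
+{
+"Name": "rule2",
+"StartIpAddress": "0.0.0.0",
+"EndIpAddress": "255.255.255.255"
+}
+]
+},
+"resources": [
+{
+"type": "Microsoft.DBforMySQL/servers/virtualNetworkRules",
+"apiVersion": "2017-12-01",
+"name": "[format('{0}/{1}', parameters('serverName'), parameters('virtualNetworkRuleName'))]",
+"properties": {
+"virtualNetworkSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnetName'))]",
+"ignoreMissingVnetServiceEndpoint": true
+},
+"dependsOn": [
+"[resourceId('Microsoft.DBforMySQL/servers', parameters('serverName'))]",
+"[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnetName'))]"
+]
+},
+{
+"type": "Microsoft.Network/virtualNetworks",
+"apiVersion": "2023-09-01",
+"name": "[parameters('virtualNetworkName')]",
+"location": "[parameters('location')]",
+"properties": {
+"addressSpace": {
+"addressPrefixes": [
+"[parameters('vnetAddressPrefix')]"
+]
+}
+}
+},
+{
+"type": "Microsoft.Network/virtualNetworks/subnets",
+"apiVersion": "2023-09-01",
+"name": "[format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName'))]",
+"properties": {
+"addressPrefix": "[parameters('subnetPrefix')]"
+},
+"dependsOn": [
+"[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]"
+]
+},
+{
+"type": "Microsoft.DBforMySQL/servers",
+"apiVersion": "2017-12-01",
+"name": "fail",
+"location": "[parameters('location')]",
+"sku": {
+"name": "[parameters('skuName')]",
+"tier": "[parameters('SkuTier')]",
+"capacity": "[parameters('skuCapacity')]",
+"size": "[format('{0}', parameters('SkuSizeMB'))]",
+"family": "[parameters('skuFamily')]"
+},
+"properties": {
+"createMode": "Default",
+"version": "[parameters('mysqlVersion')]",
+"administratorLogin": "[parameters('administratorLogin')]",
+"administratorLoginPassword": "[parameters('administratorLoginPassword')]",
+"storageProfile": {
+"storageMB": "[parameters('SkuSizeMB')]",
+"backupRetentionDays": "[parameters('backupRetentionDays')]",
+"geoRedundantBackup": "[parameters('geoRedundantBackup')]"
+},
+"minimalTlsVersion": "TLS1_1",
+"sslEnforcement": "Enabled"
+}
+},
+{
+"copy": {
+"name": "firewallRules",
+"count": "[length(variables('firewallrules'))]",
+"mode": "serial",
+"batchSize": 1
+},
+"type": "Microsoft.DBforMySQL/servers/firewallRules",
+"apiVersion": "2017-12-01",
+"name": "[format('{0}/{1}', parameters('serverName'), variables('firewallrules')[copyIndex()].Name)]",
+"properties": {
+"startIpAddress": "[variables('firewallrules')[copyIndex()].StartIpAddress]",
+"endIpAddress": "[variables('firewallrules')[copyIndex()].EndIpAddress]"
+},
+"dependsOn": [
+"[resourceId('Microsoft.DBforMySQL/servers', parameters('serverName'))]"
+]
+}
+],
+"outputs": {
+"location": {
+"type": "string",
+"value": "[parameters('location')]"
+},
+"name": {
+"type": "string",
+"value": "[parameters('serverName')]"
+},
+"resourceGroupName": {
+"type": "string",
+"value": "[resourceGroup().name]"
+},
+"resourceId": {
+"type": "string",
+"value": "[resourceId('Microsoft.DBforMySQL/servers', parameters('serverName'))]"
+}
+}
+}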
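Review bot: The fixture exercises only the explicit downgrade (`"minimalTlsVersion": "TLS1_1"` on the server resource named `fail`); a second `Microsoft.DBforMySQL/servers` resource that omits the `minimalTlsVersion` property altogether would also pin how the check handles the absent key, which this commit otherwise leaves to the base class default. The fixture's `firewallrules` span `0.0.0.0`–`255.255.255.255` and `subnetPrefix` equals `vnetAddressPrefix`; both are irrelevant to this check, but a one-line `"description"`-style note in the template metadata saying the fixture targets only the TLS property would stop a later reader from assuming those settings are part of the expected failure.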
