feat(arm): add CKV_AZURE_54 to ensure Enforce a minimal Tls version f…
…or the server (#6270) * update new arm policy for resource: MySQLServerMinTLSVersion * update new arm policy for resource: MySQLServerMinTLSVersion * update new arm policy for resource: MySQLServerMinTLSVersion --------- Co-authored-by: ChanochShayner <[email protected]>
1 parent
348a39b
commit 1357f38
Showing
4 changed files
with
581 additions
and
0 deletions.
@@ -0,0 +1,23 @@ | ||
from checkov.common.models.enums import CheckCategories | ||
from checkov.arm.base_resource_value_check import BaseResourceValueCheck | ||
|
||
|
||
class MySQLServerMinTLSVersion(BaseResourceValueCheck): | ||
def __init__(self) -> None: | ||
name = "Ensure MySQL is using the latest version of TLS encryption" | ||
id = "CKV_AZURE_54" | ||
supported_resources = ("Microsoft.DBforMySQL/servers",) | ||
categories = (CheckCategories.NETWORKING,) | ||
super().__init__(name=name, | ||
id=id, | ||
categories=categories, | ||
supported_resources=supported_resources, ) | ||
|
||
def get_inspected_key(self) -> str: | ||
return "properties/minimalTlsVersion" | ||
|
||
def get_expected_value(self) -> str: | ||
return "TLS1_2" | ||
|
||
|
||
check = MySQLServerMinTLSVersion() |
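Review bot: `MySQLServerMinTLSVersion` has no docstring, and the text on the `name =` line ("latest version of TLS encryption") does not state what the check actually enforces; a class docstring such as `"""Passes a Microsoft.DBforMySQL/servers resource only when properties/minimalTlsVersion is TLS1_2."""` would make the contract explicit for the next maintainer. Because `get_expected_value` is an exact string match, a template that omits `minimalTlsVersion` entirely (leaving the service to apply its own default) is not represented by the `fail.json` fixture in this commit, and the outcome depends on the base class's missing-key behaviour, which is outside this hunk — worth confirming with a fixture that leaves the property out and asserting it fails. Minor style on the `super().__init__` call: `supported_resources=supported_resources, )` carries a stray space before the closing parenthesis.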
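--- a/tests/arm/checks/resource/example_MySQLServerMinTLSVersion/fail.json
+++ b/tests/arm/checks/resource/example_MySQLServerMinTLSVersion/fail.json
@@ -0,0 +1,257 @@
+
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"metadata": {
+"_generator": {
+"name": "bicep",
+"version": "0.26.54.24096",
+"templateHash": "1923296876861958074"
+}
+},
+"parameters": {
+"serverName": {
+"type": "string",
+"metadata": {
+"description": "Server Name for Azure database for MySQL"
+}
+},
+"administratorLogin": {
+"type": "string",
+"minLength": 1,
+"metadata": {
+"description": "Database administrator login name"
+}
+},
+"administratorLoginPassword": {
+"type": "securestring",
+"minLength": 8,
+"metadata": {
+"description": "Database administrator password"
+}
+},
+"skuCapacity": {
+"type": "int",
+"defaultValue": 2,
+"metadata": {
+"description": "Azure database for MySQL compute capacity in vCores (2,4,8,16,32)"
+}
+},
+"skuName": {
+"type": "string",
+"defaultValue": "GP_Gen5_2",
+"metadata": {
+"description": "Azure database for MySQL sku name "
+}
+},
+"SkuSizeMB": {
+"type": "int",
+"defaultValue": 5120,
+"metadata": {
+"description": "Azure database for MySQL Sku Size "
+}
+},
+"SkuTier": {
+"type": "string",
+"defaultValue": "GeneralPurpose",
+"allowedValues": [
+"Basic",
+"GeneralPurpose",
+"MemoryOptimized"
+],
+"metadata": {
+"description": "Azure database for MySQL pricing tier"
+}
+},
+"skuFamily": {
+"type": "string",
+"defaultValue": "Gen5",
+"metadata": {
+"description": "Azure database for MySQL sku family"
+}
+},
+"mysqlVersion": {
+"type": "string",
+"defaultValue": "8.0",
+"allowedValues": [
+"5.6",
+"5.7",
+"8.0"
+],
+"metadata": {
+"description": "MySQL version"
+}
+},
+"location": {
+"type": "string",
+"defaultValue": "[resourceGroup().location]",
+"metadata": {
+"description": "Location for all resources."
+}
+},
+"backupRetentionDays": {
+"type": "int",
+"defaultValue": 7,
+"metadata": {
+"description": "MySQL Server backup retention days"
+}
+},
+"geoRedundantBackup": {
+"type": "string",
+"defaultValue": "Disabled",
+"metadata": {
+"description": "Geo-Redundant Backup setting"
+}
+},
+"virtualNetworkName": {
+"type": "string",
+"defaultValue": "azure_mysql_vnet",
+"metadata": {
+"description": "Virtual Network Name"
+}
+},
+"subnetName": {
+"type": "string",
+"defaultValue": "azure_mysql_subnet",
+"metadata": {
+"description": "Subnet Name"
+}
+},
+"virtualNetworkRuleName": {
+"type": "string",
+"defaultValue": "AllowSubnet",
+"metadata": {
+"description": "Virtual Network RuleName"
+}
+},
+"vnetAddressPrefix": {
+"type": "string",
+"defaultValue": "10.0.0.0/16",
+"metadata": {
+"description": "Virtual Network Address Prefix"
+}
+},
+"subnetPrefix": {
+"type": "string",
+"defaultValue": "10.0.0.0/16",
+"metadata": {
+"description": "Subnet Address Prefix"
+}
+}
+},
+"variables": {
+"firewallrules": [
+{
+"Name": "rule1",
+"StartIpAddress": "0.0.0.0",
+"EndIpAddress": "255.255.255.255"
+},
+{
+"Name": "rule2",
+"StartIpAddress": "0.0.0.0",
+"EndIpAddress": "255.255.255.255"
+}
+]
+},
+"resources": [
+{
+"type": "Microsoft.DBforMySQL/servers/virtualNetworkRules",
+"apiVersion": "2017-12-01",
+"name": "[format('{0}/{1}', parameters('serverName'), parameters('virtualNetworkRuleName'))]",
+"properties": {
+"virtualNetworkSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnetName'))]",
+"ignoreMissingVnetServiceEndpoint": true
+},
+"dependsOn": [
+"[resourceId('Microsoft.DBforMySQL/servers', parameters('serverName'))]",
+"[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnetName'))]"
+]
+},
+{
+"type": "Microsoft.Network/virtualNetworks",
+"apiVersion": "2023-09-01",
+"name": "[parameters('virtualNetworkName')]",
+"location": "[parameters('location')]",
+"properties": {
+"addressSpace": {
+"addressPrefixes": [
+"[parameters('vnetAddressPrefix')]"
+]
+}
+}
+},
+{
+"type": "Microsoft.Network/virtualNetworks/subnets",
+"apiVersion": "2023-09-01",
+"name": "[format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName'))]",
+"properties": {
+"addressPrefix": "[parameters('subnetPrefix')]"
+},
+"dependsOn": [
+"[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]"
+]
+},
+{
+"type": "Microsoft.DBforMySQL/servers",
+"apiVersion": "2017-12-01",
+"name": "fail",
+"location": "[parameters('location')]",
+"sku": {
+"name": "[parameters('skuName')]",
+"tier": "[parameters('SkuTier')]",
+"capacity": "[parameters('skuCapacity')]",
+"size": "[format('{0}', parameters('SkuSizeMB'))]",
+"family": "[parameters('skuFamily')]"
+},
+"properties": {
+"createMode": "Default",
+"version": "[parameters('mysqlVersion')]",
+"administratorLogin": "[parameters('administratorLogin')]",
+"administratorLoginPassword": "[parameters('administratorLoginPassword')]",
+"storageProfile": {
+"storageMB": "[parameters('SkuSizeMB')]",
+"backupRetentionDays": "[parameters('backupRetentionDays')]",
+"geoRedundantBackup": "[parameters('geoRedundantBackup')]"
+},
+"minimalTlsVersion": "TLS1_1",
+"sslEnforcement": "Enabled"
+}
+},
+{
+"copy": {
+"name": "firewallRules",
+"count": "[length(variables('firewallrules'))]",
+"mode": "serial",
+"batchSize": 1
+},
+"type": "Microsoft.DBforMySQL/servers/firewallRules",
+"apiVersion": "2017-12-01",
+"name": "[format('{0}/{1}', parameters('serverName'), variables('firewallrules')[copyIndex()].Name)]",
+"properties": {
+"startIpAddress": "[variables('firewallrules')[copyIndex()].StartIpAddress]",
+"endIpAddress": "[variables('firewallrules')[copyIndex()].EndIpAddress]"
+},
+"dependsOn": [
+"[resourceId('Microsoft.DBforMySQL/servers', parameters('serverName'))]"
+]
+}
+],
+"outputs": {
+"location": {
+"type": "string",
+"value": "[parameters('location')]"
+},
+"name": {
+"type": "string",
+"value": "[parameters('serverName')]"
+},
+"resourceGroupName": {
+"type": "string",
+"value": "[resourceGroup().name]"
+},
+"resourceId": {
+"type": "string",
+"value": "[resourceId('Microsoft.DBforMySQL/servers', parameters('serverName'))]"
+}
+}
+}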