
feat(terraform): adding 3 policies & tests #7011

Open
wants to merge 12 commits into base: main

Conversation

@TomerSegev241 (Collaborator) commented Feb 12, 2025

User description

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.

Fixes # (issue)

New/Edited policies (Delete if not relevant)

Description

Include a description of what makes it a violation and any relevant external links.

Fix

How does someone fix the issue in code and/or in runtime?

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my feature, policy, or fix is effective and works
  • New and existing tests pass locally with my changes

Generated description

Below is a concise technical summary of the changes proposed in this PR:

Implements three new security policies for Terraform resources and adds corresponding tests. The policies address potential vulnerabilities in AWS AMI configuration, Azure Storage Sync Service and Managed Disk network access, and OCI Data Catalog public access. New classes are created to perform these checks, along with test files and example configurations to validate the policies.

Topic: New Security Policies
Details: Implements three new security policies for AWS, Azure, and OCI resources
Modified files (4)
  • checkov/terraform/checks/data/aws/WhoAMI.py
  • checkov/terraform/checks/resource/azure/VMDiskWithPublicAccess.py
  • checkov/terraform/checks/resource/oci/DataCatalogWithPublicAccess.py
  • checkov/terraform/checks/resource/azure/StorageSyncServicePermissiveAccess.py

Topic: Test Implementation
Details: Adds test files and example configurations for the new security policies
Modified files (8)
  • tests/terraform/checks/data/aws/test_WhoAMI.py
  • tests/terraform/checks/resource/azure/test_VMDiskWithPublicAccess.py
  • tests/terraform/checks/resource/oci/test_DataCatalogWithPublicAccess.py
  • tests/terraform/checks/resource/azure/test_StorageSyncServicePermissiveAccess.py
  • tests/terraform/checks/resource/oci/example_DataCatalogWithPublicAccess/main.tf
  • tests/terraform/checks/data/aws/example_WhoAMI/main.tf
  • tests/terraform/checks/resource/azure/example_StorageSyncServicePermissiveAccess/main.tf
  • tests/terraform/checks/resource/azure/example_VMDiskWithPublicAccess/main.tf

This pull request is reviewed by Baz.

@TomerSegev241 TomerSegev241 changed the title adding 3 policies + tests feat(terraform): adding 3 policies & tests Feb 13, 2025
@tsmithv11 (Collaborator) left a comment

Nice work! Added some suggested changes. Also, in the description for this PR, please add a map of the CKV ID to Prisma Policy ID if these are translated policies. For example, CKV_AZURE_250 translates to ddf89efb-979f-412d-8e62-5ffa8d388e2c

super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
if "image_owner_alias" in conf or 'owner_id' in conf:
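Review bot: the condition `"image_owner_alias" in conf or 'owner_id' in conf` only tests whether the key is present, so any value, including an empty string, would make the check pass; if the goal is to make sure the AMI lookup is pinned to a trusted publisher, verify that the `owners` argument of the `aws_ami` data source is set and non-empty (which means a data-source check rather than a resource check) instead of testing for keys a user cannot write. The line also mixes double and single quotes; use one style.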
Collaborator

These are Attribute Reference attributes, so they are not written by the user for the resource type.

Collaborator (Author)

Yet if they are specified (the actual value doesn't matter) it's a best practice to avoid the whoAMI attack. So if it is declared, that's enough to pass the policy. Does that make sense?

Collaborator

I'm saying that a user can't specify them in their Terraform code, so this would only apply to plan file scans. This check is effectively just looking for * in name and I don't think that is the intention.

categories = [CheckCategories.NETWORKING]
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
Collaborator

Nice work!

from typing import Dict, Any

from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
Collaborator

@TomerSegev241 users can't define owner in the resource type. I think you need a data type check instead.
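What the reviewer is asking for is a check on the aws_ami data source rather than on a resource. The following stand-alone Python is an added example, not code from this PR or from the Checkov project: it implements the owner-pinning logic over a conf dict in the list-wrapped shape Checkov's Terraform parser produces (an assumption, also stated in the code). The CheckResult enum is a placeholder stand-in for checkov.common.models.enums.CheckResult; in Checkov proper the body of ami_lookup_is_pinned would go into scan_data_conf of a checkov.terraform.checks.data.base_check.BaseDataCheck subclass with supported_data = ["aws_ami"]. The sample configurations and the owner id in them are constructed.

```python
# Added example (not code from PR #7011 or from Checkov): owner-pinning logic for a
# data "aws_ami" block as a plain function over a conf dict in the shape Checkov's
# Terraform parser is assumed to produce (every attribute value wrapped in a list,
# nested blocks as a list of such dicts). CheckResult below is a stand-in so the
# example runs without checkov installed.
from enum import Enum
from typing import Any, Dict


class CheckResult(Enum):  # stand-in for checkov.common.models.enums.CheckResult
    PASSED = "PASSED"
    FAILED = "FAILED"


# aws_ami filter names that restrict the lookup to a specific account or alias.
OWNER_FILTERS = {"owner-id", "owner-alias"}


def _first(value: Any) -> Any:
    """Unwrap the single-element list the parser puts around every attribute value."""
    if isinstance(value, list) and len(value) == 1:
        return value[0]
    return value


def _has_nonempty_entry(values: Any) -> bool:
    return isinstance(values, list) and any(str(v).strip() for v in values)


def ami_lookup_is_pinned(conf: Dict[str, Any]) -> CheckResult:
    """PASS when the data "aws_ami" block restricts which account may supply the image.

    A lookup that matches only on `name` (often with a wildcard) and `most_recent = true`
    will select whichever image matches, regardless of who published it, which is the
    whoAMI condition discussed in the thread. Pinning `owners`, or filtering on
    owner-id / owner-alias, removes that ambiguity.
    """
    if _has_nonempty_entry(_first(conf.get("owners", []))):
        return CheckResult.PASSED

    # Nested filter blocks: [{"name": ["owner-id"], "values": [["123..."]]}, ...]
    for block in conf.get("filter", []):
        if _first(block.get("name")) in OWNER_FILTERS and _has_nonempty_entry(
            _first(block.get("values", []))
        ):
            return CheckResult.PASSED
    return CheckResult.FAILED


# Constructed sample configurations in the parsed shape described above.
# Equivalent HCL for UNPINNED:
#   data "aws_ami" "app" { most_recent = true
#                          filter { name = "name"  values = ["app-image-*"] } }
UNPINNED = {
    "most_recent": [True],
    "filter": [{"name": ["name"], "values": [["app-image-*"]]}],
}
PINNED_BY_OWNERS = {
    "most_recent": [True],
    "owners": [["123456789012"]],  # placeholder account id, constructed
    "filter": [{"name": ["name"], "values": [["app-image-*"]]}],
}
PINNED_BY_FILTER = {
    "filter": [
        {"name": ["name"], "values": [["app-image-*"]]},
        {"name": ["owner-alias"], "values": [["amazon"]]},
    ],
}
EMPTY_OWNERS = {"owners": [[]], "filter": [{"name": ["name"], "values": [["*"]]}]}


if __name__ == "__main__":
    for label, conf in [
        ("unpinned", UNPINNED),
        ("owners set", PINNED_BY_OWNERS),
        ("owner-alias filter", PINNED_BY_FILTER),
        ("empty owners", EMPTY_OWNERS),
    ]:
        print(f"{label}: {ami_lookup_is_pinned(conf).value}")
```

The decision is made on the value, not on the key's presence, so an `owners = []` block fails just like a missing one; that is the difference from testing `"owner_id" in conf`, which would also accept attributes a user cannot set on the data source.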

@@ -0,0 +1,29 @@
# DataCatalogWithPublicAccess
Collaborator

I'd remove this comment

Comment on lines +20 to +21
else:
return CheckResult.FAILED
Collaborator

Not strictly necessary, but ok

2 participants