feat(arm): add CKV_AZURE_174 to ensure that API management public acc…

…ess is disabled (#6480)

* added a new arm policy for resource: APIManagementPublicAccess

* update arm policy for resource: APIManagementPublicAccess

---------

Co-authored-by: ChanochShayner <[email protected]>

checkov/arm/checks/resource/APIManagementPublicAccess.py

@@ -0,0 +1,22 @@
+from typing import Any
+
+from checkov.common.models.enums import CheckCategories
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+
+
+class APIManagementPublicAccess(BaseResourceValueCheck):
+    def __init__(self) -> None:
+        name = "Ensure API management public access is disabled"
+        id = "CKV_AZURE_174"
+        supported_resources = ("Microsoft.ApiManagement/service",)
+        categories = (CheckCategories.NETWORKING,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self) -> str:
+        return "properties/publicNetworkAccess"
+
+    def get_expected_value(self) -> Any:
+        return "Disabled"
+
+
+check = APIManagementPublicAccess()

tests/arm/checks/resource/example_APIManagementPublicAccess/fail.json

@@ -0,0 +1,103 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "metadata": {
+    "_generator": {
+      "name": "bicep",
+      "version": "0.20.4.51522",
+      "templateHash": "6577944355650859703"
+    }
+  },
+  "parameters": {
+    "publisherEmail": {
+      "type": "string",
+      "minLength": 1,
+      "metadata": {
+        "description": "The email address of the owner of the service"
+      }
+    },
+    "publisherName": {
+      "type": "string",
+      "minLength": 1,
+      "metadata": {
+        "description": "The name of the owner of the service"
+      }
+    },
+    "sku": {
+      "type": "string",
+      "defaultValue": "Developer",
+      "allowedValues": [
+        "Basic",
+        "Consumption",
+        "Developer",
+        "Standard",
+        "Premium"
+      ],
+      "metadata": {
+        "description": "The pricing tier of this API Management service"
+      }
+    },
+    "skuCount": {
+      "type": "int",
+      "defaultValue": 1,
+      "metadata": {
+        "description": "The instance size of this API Management service."
+      }
+    },
+    "location": {
+      "type": "string",
+      "defaultValue": "[resourceGroup().location]",
+      "metadata": {
+        "description": "Location for all resources."
+      }
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.ApiManagement/service",
+      "apiVersion": "2021-08-01",
+      "name": "fail",
+      "location": "[parameters('location')]",
+      "sku": {
+        "name": "[parameters('sku')]",
+        "capacity": "[parameters('skuCount')]"
+      },
+      "properties": {
+        "administratorLogin": "jonasAdmin",
+        "version": "12.0",
+        "state": "Ready",
+        "fullyQualifiedDomainName": "jonas.database.windows.net",
+        "privateEndpointConnections": [],
+        "minimalTlsVersion": "None",
+        "restrictOutboundNetworkAccess": "Disabled"
+
+      },
+      "identity": {
+        "type": "SystemAssigned"
+      }
+    },
+    {
+      "type": "Microsoft.ApiManagement/service",
+      "apiVersion": "2021-08-01",
+      "name": "fail2",
+      "location": "[parameters('location')]",
+      "sku": {
+        "name": "[parameters('sku')]",
+        "capacity": "[parameters('skuCount')]"
+      },
+      "properties": {
+        "administratorLogin": "jonasAdmin",
+        "version": "12.0",
+        "state": "Ready",
+        "fullyQualifiedDomainName": "jonas.database.windows.net",
+        "privateEndpointConnections": [],
+        "minimalTlsVersion": "None",
+        "publicNetworkAccess": "Enabled",
+        "restrictOutboundNetworkAccess": "Disabled"
+      },
+      "identity": {
+        "type": "SystemAssigned"
+      }
+    }
+  ]
+}

tests/arm/checks/resource/example_APIManagementPublicAccess/pass.json

@@ -0,0 +1,81 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "metadata": {
+    "_generator": {
+      "name": "bicep",
+      "version": "0.20.4.51522",
+      "templateHash": "6577944355650859703"
+    }
+  },
+  "parameters": {
+    "publisherEmail": {
+      "type": "string",
+      "minLength": 1,
+      "metadata": {
+        "description": "The email address of the owner of the service"
+      }
+    },
+    "publisherName": {
+      "type": "string",
+      "minLength": 1,
+      "metadata": {
+        "description": "The name of the owner of the service"
+      }
+    },
+    "sku": {
+      "type": "string",
+      "defaultValue": "Developer",
+      "allowedValues": [
+        "Basic",
+        "Consumption",
+        "Developer",
+        "Standard",
+        "Premium"
+      ],
+      "metadata": {
+        "description": "The pricing tier of this API Management service"
+      }
+    },
+    "skuCount": {
+      "type": "int",
+      "defaultValue": 1,
+      "metadata": {
+        "description": "The instance size of this API Management service."
+      }
+    },
+    "location": {
+      "type": "string",
+      "defaultValue": "[resourceGroup().location]",
+      "metadata": {
+        "description": "Location for all resources."
+      }
+    }
+  },
+  "resources": [
+
+    {
+      "type": "Microsoft.ApiManagement/service",
+      "apiVersion": "2021-08-01",
+      "name": "pass",
+      "location": "[parameters('location')]",
+      "sku": {
+        "name": "[parameters('sku')]",
+        "capacity": "[parameters('skuCount')]"
+      },
+      "properties": {
+        "administratorLogin": "jonasAdmin",
+        "version": "12.0",
+        "state": "Ready",
+        "fullyQualifiedDomainName": "jonas.database.windows.net",
+        "privateEndpointConnections": [],
+        "minimalTlsVersion": "None",
+        "publicNetworkAccess": "Disabled",
+        "restrictOutboundNetworkAccess": "Disabled"
+      },
+      "identity": {
+        "type": "SystemAssigned"
+      }
+    }
+  ]
+}

tests/arm/checks/resource/test_APIManagementPublicAccess.py

@@ -0,0 +1,42 @@
+import unittest
+from pathlib import Path
+
+from checkov.runner_filter import RunnerFilter
+from checkov.arm.checks.resource.APIManagementPublicAccess import check
+from checkov.arm.runner import Runner
+
+
+class TestAPIManagementPublicAccess(unittest.TestCase):
+    def test(self):
+        # given
+        test_files_dir = Path(__file__).parent / "example_APIManagementPublicAccess"
+
+        # when
+        report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+        # then
+        summary = report.get_summary()
+
+        passing_resources = {
+            "Microsoft.ApiManagement/service.pass",
+        }
+
+        failing_resources = {
+            "Microsoft.ApiManagement/service.fail",
+            "Microsoft.ApiManagement/service.fail2",
+        }
+
+        passed_check_resources = {c.resource for c in report.passed_checks}
+        failed_check_resources = {c.resource for c in report.failed_checks}
+
+        self.assertEqual(summary["passed"], len(passing_resources))
+        self.assertEqual(summary["failed"], len(failing_resources))
+        self.assertEqual(summary["skipped"], 0)
+        self.assertEqual(summary["parsing_errors"], 0)
+
+        self.assertEqual(passing_resources, passed_check_resources)
+        self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+    unittest.main()