feat(arm): add CKV_AZURE_174 to ensure that API management public acc…
…ess is disabled (#6480) * added a new arm policy for resource: APIManagementPublicAccess * update arm policy for resource: APIManagementPublicAccess --------- Co-authored-by: ChanochShayner <[email protected]>
1 parent
bfb3c7d
commit 0a013f5
Showing
4 changed files
with
248 additions
and
0 deletions.
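--- /dev/null
+++ b/checkov/arm/checks/resource/APIManagementPublicAccess.py
@@ -0,0 +1,22 @@
+from typing import Any
+
+from checkov.common.models.enums import CheckCategories
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+
+
+class APIManagementPublicAccess(BaseResourceValueCheck):
+    def __init__(self) -> None:
+        name = "Ensure API management public access is disabled"
+        id = "CKV_AZURE_174"
+        supported_resources = ("Microsoft.ApiManagement/service",)
+        categories = (CheckCategories.NETWORKING,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self) -> str:
+        return "properties/publicNetworkAccess"
+
+    def get_expected_value(self) -> Any:
+        return "Disabled"
+
+
+check = APIManagementPublicAccess()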
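Review bot: The class has no docstring, so nothing in this file says that a service which omits `properties/publicNetworkAccess` altogether is reported as failed — the `fail` fixture depends on that, presumably through the base class's missing-key default — or that the value is compared against the exact string `Disabled`, so a casing variant would also be flagged. I would add under the `class` line: `"""Flag Microsoft.ApiManagement/service resources whose properties/publicNetworkAccess is not exactly "Disabled"; an absent key is treated as a failure as well (confirm this matches the platform default before relying on it)."""`. Two style observations that follow the base-class convention and need no change: `get_expected_value` could be typed `-> str` since it only ever returns a string literal, and the local `id` shadows the builtin.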
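--- /dev/null
+++ b/tests/arm/checks/resource/example_APIManagementPublicAccess/fail.json
@@ -0,0 +1,103 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "metadata": {
+    "_generator": {
+      "name": "bicep",
+      "version": "0.20.4.51522",
+      "templateHash": "6577944355650859703"
+    }
+  },
+  "parameters": {
+    "publisherEmail": {
+      "type": "string",
+      "minLength": 1,
+      "metadata": {
+        "description": "The email address of the owner of the service"
+      }
+    },
+    "publisherName": {
+      "type": "string",
+      "minLength": 1,
+      "metadata": {
+        "description": "The name of the owner of the service"
+      }
+    },
+    "sku": {
+      "type": "string",
+      "defaultValue": "Developer",
+      "allowedValues": [
+        "Basic",
+        "Consumption",
+        "Developer",
+        "Standard",
+        "Premium"
+      ],
+      "metadata": {
+        "description": "The pricing tier of this API Management service"
+      }
+    },
+    "skuCount": {
+      "type": "int",
+      "defaultValue": 1,
+      "metadata": {
+        "description": "The instance size of this API Management service."
+      }
+    },
+    "location": {
+      "type": "string",
+      "defaultValue": "[resourceGroup().location]",
+      "metadata": {
+        "description": "Location for all resources."
+      }
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.ApiManagement/service",
+      "apiVersion": "2021-08-01",
+      "name": "fail",
+      "location": "[parameters('location')]",
+      "sku": {
+        "name": "[parameters('sku')]",
+        "capacity": "[parameters('skuCount')]"
+      },
+      "properties": {
+        "administratorLogin": "jonasAdmin",
+        "version": "12.0",
+        "state": "Ready",
+        "fullyQualifiedDomainName": "jonas.database.windows.net",
+        "privateEndpointConnections": [],
+        "minimalTlsVersion": "None",
+        "restrictOutboundNetworkAccess": "Disabled"
+
+      },
+      "identity": {
+        "type": "SystemAssigned"
+      }
+    },
+    {
+      "type": "Microsoft.ApiManagement/service",
+      "apiVersion": "2021-08-01",
+      "name": "fail2",
+      "location": "[parameters('location')]",
+      "sku": {
+        "name": "[parameters('sku')]",
+        "capacity": "[parameters('skuCount')]"
+      },
+      "properties": {
+        "administratorLogin": "jonasAdmin",
+        "version": "12.0",
+        "state": "Ready",
+        "fullyQualifiedDomainName": "jonas.database.windows.net",
+        "privateEndpointConnections": [],
+        "minimalTlsVersion": "None",
+        "publicNetworkAccess": "Enabled",
+        "restrictOutboundNetworkAccess": "Disabled"
+      },
+      "identity": {
+        "type": "SystemAssigned"
+      }
+    }
+  ]
+}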
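Review bot: The `properties` blocks of `fail` and `fail2` look copied from a SQL-server template rather than written for API Management: `administratorLogin`, `fullyQualifiedDomainName` pointing at a `database.windows.net` host, `minimalTlsVersion` and `restrictOutboundNetworkAccess` do not read like API Management service properties, while the `publisherEmail` and `publisherName` parameters the template declares are never referenced. The check only reads `publicNetworkAccess`, so the verdicts are unaffected, but the fixture is not a realistic template and will mislead anyone who copies it as an example. Replacing the copied fields with `"publisherEmail": "[parameters('publisherEmail')]"` and `"publisherName": "[parameters('publisherName')]"` would keep the expected results while making the fixture honest; the stray blank line after `restrictOutboundNetworkAccess` in `fail` can go at the same time.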
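--- /dev/null
+++ b/tests/arm/checks/resource/example_APIManagementPublicAccess/pass.json
@@ -0,0 +1,81 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "metadata": {
+    "_generator": {
+      "name": "bicep",
+      "version": "0.20.4.51522",
+      "templateHash": "6577944355650859703"
+    }
+  },
+  "parameters": {
+    "publisherEmail": {
+      "type": "string",
+      "minLength": 1,
+      "metadata": {
+        "description": "The email address of the owner of the service"
+      }
+    },
+    "publisherName": {
+      "type": "string",
+      "minLength": 1,
+      "metadata": {
+        "description": "The name of the owner of the service"
+      }
+    },
+    "sku": {
+      "type": "string",
+      "defaultValue": "Developer",
+      "allowedValues": [
+        "Basic",
+        "Consumption",
+        "Developer",
+        "Standard",
+        "Premium"
+      ],
+      "metadata": {
+        "description": "The pricing tier of this API Management service"
+      }
+    },
+    "skuCount": {
+      "type": "int",
+      "defaultValue": 1,
+      "metadata": {
+        "description": "The instance size of this API Management service."
+      }
+    },
+    "location": {
+      "type": "string",
+      "defaultValue": "[resourceGroup().location]",
+      "metadata": {
+        "description": "Location for all resources."
+      }
+    }
+  },
+  "resources": [
+
+    {
+      "type": "Microsoft.ApiManagement/service",
+      "apiVersion": "2021-08-01",
+      "name": "pass",
+      "location": "[parameters('location')]",
+      "sku": {
+        "name": "[parameters('sku')]",
+        "capacity": "[parameters('skuCount')]"
+      },
+      "properties": {
+        "administratorLogin": "jonasAdmin",
+        "version": "12.0",
+        "state": "Ready",
+        "fullyQualifiedDomainName": "jonas.database.windows.net",
+        "privateEndpointConnections": [],
+        "minimalTlsVersion": "None",
+        "publicNetworkAccess": "Disabled",
+        "restrictOutboundNetworkAccess": "Disabled"
+      },
+      "identity": {
+        "type": "SystemAssigned"
+      }
+    }
+  ]
+}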
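Review bot: The single `pass` resource only exercises the literal `"Disabled"`, so the fixtures never show whether a casing variant such as `"disabled"` is accepted or rejected; adding one resource with that value to whichever fixture matches the intended verdict would pin the behaviour down and document it. The `properties` block here has the same copied-looking SQL-server fields (`administratorLogin`, a `database.windows.net` `fullyQualifiedDomainName`) and leaves the declared `publisherEmail`/`publisherName` parameters unreferenced, as in fail.json; the same `"publisherEmail": "[parameters('publisherEmail')]"` and `"publisherName": "[parameters('publisherName')]"` lines would make it a realistic template without changing the expected result.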
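--- /dev/null
+++ b/tests/arm/checks/resource/test_APIManagementPublicAccess.py
@@ -0,0 +1,42 @@
+import unittest
+from pathlib import Path
+
+from checkov.runner_filter import RunnerFilter
+from checkov.arm.checks.resource.APIManagementPublicAccess import check
+from checkov.arm.runner import Runner
+
+
+class TestAPIManagementPublicAccess(unittest.TestCase):
+    def test(self):
+        # given
+        test_files_dir = Path(__file__).parent / "example_APIManagementPublicAccess"
+
+        # when
+        report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+        # then
+        summary = report.get_summary()
+
+        passing_resources = {
+            "Microsoft.ApiManagement/service.pass",
+        }
+
+        failing_resources = {
+            "Microsoft.ApiManagement/service.fail",
+            "Microsoft.ApiManagement/service.fail2",
+        }
+
+        passed_check_resources = {c.resource for c in report.passed_checks}
+        failed_check_resources = {c.resource for c in report.failed_checks}
+
+        self.assertEqual(summary["passed"], len(passing_resources))
+        self.assertEqual(summary["failed"], len(failing_resources))
+        self.assertEqual(summary["skipped"], 0)
+        self.assertEqual(summary["parsing_errors"], 0)
+
+        self.assertEqual(passing_resources, passed_check_resources)
+        self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+    unittest.main()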
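Review bot: The test method does not say which scenario each fixture resource covers, so a reader has to open both JSON files to learn that `fail` omits `publicNetworkAccess`, `fail2` sets it to `Enabled` and `pass` sets it to `Disabled`. A one-line docstring directly under `def test(self):`, `"""fail: key absent; fail2: publicNetworkAccess=Enabled; pass: publicNetworkAccess=Disabled."""`, would make the coverage visible next to the expected-set assertions. The assertions themselves are sound: checking the summary counts and the exact resource sets together catches both a missing and an unexpected extra verdict.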