From 5ccbfa38f0f5504aa0c02c97d897d1214a0abd4f Mon Sep 17 00:00:00 2001
From: BhEaN <6599289+bhean@users.noreply.github.com>
Date: Thu, 19 Sep 2024 10:52:03 +0200
Subject: [PATCH] fix(terraform): Security group attached to an Elastic DocumentDB cluster is not recognized by check CKV2_AWS_5 (#6687)

* fix(terraform): include aws_docdbelastic_cluster in the CKV2_AWS_5 check
* tests(terraform): add Terraform test for the CKV2_AWS_5 check
* fix(terraform): include aws_docdbelastic_cluster in the CKV2_AWS_5 check
* tests(terraform): add Terraform test for the CKV2_AWS_5 check
* fix(terraform): remove duplicated line
---
 .../aws/SGAttachedToResource.yaml | 1 +
 .../SGAttachedToResource/expected.yaml | 1 +
 .../resources/SGAttachedToResource/main.tf | 25 +++++++++++++++++++
 3 files changed, 27 insertions(+)

diff --git a/checkov/terraform/checks/graph_checks/aws/SGAttachedToResource.yaml b/checkov/terraform/checks/graph_checks/aws/SGAttachedToResource.yaml
index 09d778708d8..a2ba34363d6 100644
--- a/checkov/terraform/checks/graph_checks/aws/SGAttachedToResource.yaml
+++ b/checkov/terraform/checks/graph_checks/aws/SGAttachedToResource.yaml
@@ -24,6 +24,7 @@ definition:
 - aws_dms_replication_instance
 - aws_dms_replication_config
 - aws_docdb_cluster
+ - aws_docdbelastic_cluster
 - aws_ec2_client_vpn_endpoint
 - aws_ec2_client_vpn_network_association
 - aws_ec2_spot_fleet_request
diff --git a/tests/terraform/graph/checks/resources/SGAttachedToResource/expected.yaml b/tests/terraform/graph/checks/resources/SGAttachedToResource/expected.yaml
index c24d6f77f3c..d3c33dc1bbe 100644
--- a/tests/terraform/graph/checks/resources/SGAttachedToResource/expected.yaml
+++ b/tests/terraform/graph/checks/resources/SGAttachedToResource/expected.yaml
@@ -10,6 +10,7 @@ pass: - "aws_security_group.pass_dms" - "aws_security_group.pass_dms_serverless" - "aws_security_group.pass_docdb" + - "aws_security_group.pass_docdbelastic" - "aws_security_group.pass_ec2" - "aws_security_group.pass_ec2_client_vpn" - "aws_security_group.pass_ec2_client_vpn_endpoint" diff --git a/tests/terraform/graph/checks/resources/SGAttachedToResource/main.tf b/tests/terraform/graph/checks/resources/SGAttachedToResource/main.tf index 7e1ff6a9499..3b1fbe791df 100644 --- a/tests/terraform/graph/checks/resources/SGAttachedToResource/main.tf +++ b/tests/terraform/graph/checks/resources/SGAttachedToResource/main.tf @@ -187,6 +187,31 @@ resource "aws_docdb_cluster" "pass_docdb" { vpc_security_group_ids = [aws_security_group.pass_docdb.id] } +# DocDB Elastic + +resource "aws_security_group" "pass_docdbelastic" { + ingress { + description = "TLS from VPC" + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } +} + +resource "aws_docdbelastic_cluster" "pass_docdbelastic" { + name = "docdbelastic_cluster" + + admin_user_name = "admin" + admin_user_password = "4dm1np4ssw0rd" + + auth_type = "PLAIN_TEXT" + shard_capacity = 2 + shard_count = 1 + + vpc_security_group_ids = [aws_security_group.pass_docdbelastic.id] +} + # EC2 resource "aws_security_group" "pass_ec2" {
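Review bot: The new fixture `aws_docdbelastic_cluster.pass_docdbelastic` commits a literal admin credential (`admin_user_password = "4dm1np4ssw0rd"` together with `auth_type = "PLAIN_TEXT"`), and the security group it attaches to opens port 443 to `cidr_blocks = ["0.0.0.0/0"]` while its own description reads "TLS from VPC". Neither detail matters to CKV2_AWS_5, which only needs the security group to be referenced by a supported resource type, but a realistic-looking password in a checked-in .tf file is exactly what secret scanners (including checkov's own secrets framework) may flag, and the world-open rule contradicts its description and would presumably fail any open-ingress check if this fixture directory were ever scanned more broadly. I would keep the fixture obviously synthetic: use a clearly placeholder value for `admin_user_password` (or `var.docdb_admin_password` if this fixture set already declares variables) and `cidr_blocks = ["10.0.0.0/16"]` so the rule matches its "from VPC" description. The trailing context line `resource "aws_security_group" "pass_ec2" {` belongs to a block that continues outside the hunk.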