feat(arm): ARM VnetLocalDNS (#6424)
* feat(Arm) VnetLocalDNS

* feat(Arm) VnetLocalDNS

---------

Co-authored-by: Rachel <[email protected]>
RachelBorzi and MaliUser1 authored Jun 27, 2024
1 parent bb35e3f commit 623394c
Showing 9 changed files with 595 additions and 0 deletions.
48 changes: 48 additions & 0 deletions checkov/arm/checks/resource/VnetLocalDNS.py
@@ -0,0 +1,48 @@
from ipaddress import ip_network, ip_address
from typing import Any, List, Dict

from checkov.arm.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckCategories, CheckResult


class VnetLocalDNS(BaseResourceCheck):
def __init__(self) -> None:
"""Avoid taking a dependency on external DNS servers
for local communication such as those deployed on-premises.
Where possible consider deploying Azure Private DNS Zones,
a platform-as-a-service (PaaS) DNS service for VNETs"""

name = "Ensure that VNET uses local DNS addresses"
id = "CKV_AZURE_183"
supported_resources = ("Microsoft.Network/virtualNetworks",)
categories = [CheckCategories.NETWORKING, ]
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

def scan_resource_conf(self, conf: Dict[str, Dict[str, Dict[str, List[Any]]]]) -> CheckResult:
if "properties" in conf and "dhcpOptions" in conf["properties"]:
if "dnsServers" in conf["properties"]["dhcpOptions"]:
if isinstance(conf["properties"]["dhcpOptions"]["dnsServers"], list):
dns_servers = conf["properties"]["dhcpOptions"]["dnsServers"]
if dns_servers:
for ip in dns_servers:
if "addressSpace" in conf["properties"] and conf["properties"]["addressSpace"]:
if "addressPrefixes" in conf["properties"]["addressSpace"]:
if isinstance(conf["properties"]["addressSpace"]["addressPrefixes"], list):
address_spaces = conf["properties"]["addressSpace"]["addressPrefixes"]
if isinstance(address_spaces, list):
for address_range in address_spaces:
if not isinstance(address_range, str):
continue
try:
net = ip_network(address_range)
ip_add = ip_address(ip) if isinstance(ip, str) else None
except ValueError:
return CheckResult.UNKNOWN
if isinstance(ip, str) and ip_add in net:
return CheckResult.PASSED
self.evaluated_keys = ["dnsServers"]
return CheckResult.FAILED
return CheckResult.PASSED


check = VnetLocalDNS()
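Review bot: The early `return CheckResult.PASSED` at `if isinstance(ip, str) and ip_add in net:` passes the resource as soon as one DNS server falls inside one address prefix, so a mixed list such as `["10.0.0.4", "8.8.8.8"]` (constructed example) is reported as using local DNS; if the intent of CKV_AZURE_183 is that every configured resolver be VNET-local, the loop should require all entries to match, which the sketch below does. The same `try` also returns UNKNOWN on the first prefix `ip_network` cannot parse (for example an ARM expression in place of a CIDR literal), even when a later, valid prefix would contain the server, and the deep nesting repeats the `isinstance(address_spaces, list)` and `isinstance(ip, str)` checks it has already made. The sketch parses the prefixes once, sets `self.evaluated_keys` before the verdict so it is reported on PASSED as well as FAILED, and only downgrades a non-matching server to UNKNOWN when an unparseable prefix was present. Separately, the check's docstring sits inside `__init__`; placing it in the class body makes it visible on `VnetLocalDNS.__doc__` and in generated docs.
```python
    def scan_resource_conf(self, conf: Dict[str, Dict[str, Dict[str, List[Any]]]]) -> CheckResult:
        # assumes "properties"/"dhcpOptions"/"addressSpace" are dicts when present,
        # as the current code does — TODO confirm against the ARM parser output
        properties = conf.get("properties") or {}
        dns_servers = (properties.get("dhcpOptions") or {}).get("dnsServers")
        if not isinstance(dns_servers, list) or not dns_servers:
            # No custom resolvers listed: nothing to evaluate (same verdict as today).
            return CheckResult.PASSED
        self.evaluated_keys = ["dnsServers"]

        prefixes = (properties.get("addressSpace") or {}).get("addressPrefixes")
        networks = []
        unresolved_prefix = False  # a prefix that is not a CIDR literal
        for prefix in prefixes if isinstance(prefixes, list) else []:
            if not isinstance(prefix, str):
                continue
            try:
                networks.append(ip_network(prefix))
            except ValueError:
                unresolved_prefix = True

        for ip in dns_servers:
            if not isinstance(ip, str):
                return CheckResult.FAILED
            try:
                addr = ip_address(ip)
            except ValueError:
                return CheckResult.UNKNOWN
            if not any(addr in net for net in networks):
                # The server may still sit in a prefix we could not parse,
                # so only fail outright when every prefix was a literal.
                return CheckResult.UNKNOWN if unresolved_prefix else CheckResult.FAILED
        return CheckResult.PASSED
```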
73 changes: 73 additions & 0 deletions tests/arm/checks/resource/example_VnetLocalDNS/fail.json
@@ -0,0 +1,73 @@
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string",
"metadata": {
"Description": "The region to deploy the resources into"
}
},
"virtualNetworkName": {
"type": "string",
"metadata": {
"Description": "The name of the Virtual Network"
}
},
"virtualNetworkAddressRange": {
"type": "string",
"metadata": {
"Description": "The address range of the virtual network in CIDR format"
},
"defaultValue": "10.0.0.0/16"
},
"virtualNetworkSubnetaddress": {
"type": "array",
"metadata": {
"Description": "The subnet definition for the virtual network"
}
},
"dnsAddress": {
"type": "array",
"metadata": {
"Description": "The DNS address(es) of the DNS Server(s) used by the virtual network"
}
}
},
"resources": [
{
"name": "fail",
"type": "Microsoft.Network/virtualNetworks",
"location": "[parameters('location')]",
"apiVersion": "2018-02-01",
"properties": {
"addressSpace": {
"addressPrefixes": [
"10.0.0.0/16"
]
},
"dhcpOptions": {
"dnsServers": [
"8.8.8.8"
]
},
"subnets": [
{
"name": "subnet1",
"properties": {
"addressPrefix": "10.0.1.0/24"
}
},
{
"name": "subnet2",
"properties": {
"addressPrefix": "10.0.2.0/24"
}
}
]
}
}
],
"outputs": {}
}

73 changes: 73 additions & 0 deletions tests/arm/checks/resource/example_VnetLocalDNS/fail2.json
@@ -0,0 +1,73 @@
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string",
"metadata": {
"Description": "The region to deploy the resources into"
}
},
"virtualNetworkName": {
"type": "string",
"metadata": {
"Description": "The name of the Virtual Network"
}
},
"virtualNetworkAddressRange": {
"type": "string",
"metadata": {
"Description": "The address range of the virtual network in CIDR format"
},
"defaultValue": "10.0.0.0/16"
},
"virtualNetworkSubnetaddress": {
"type": "array",
"metadata": {
"Description": "The subnet definition for the virtual network"
}
},
"dnsAddress": {
"type": "array",
"metadata": {
"Description": "The DNS address(es) of the DNS Server(s) used by the virtual network"
}
}
},
"resources": [
{
"name": "fail2",
"type": "Microsoft.Network/virtualNetworks",
"location": "[parameters('location')]",
"apiVersion": "2018-02-01",
"properties": {
"addressSpace": {
"addressPrefixes": [
"10.0.0.0/16"
]
},
"dhcpOptions": {
"dnsServers": [
[]
]
},
"subnets": [
{
"name": "subnet1",
"properties": {
"addressPrefix": "10.0.1.0/24"
}
},
{
"name": "subnet2",
"properties": {
"addressPrefix": "10.0.2.0/24"
}
}
]
}
}
],
"outputs": {}
}

71 changes: 71 additions & 0 deletions tests/arm/checks/resource/example_VnetLocalDNS/fail3.json
@@ -0,0 +1,71 @@
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string",
"metadata": {
"Description": "The region to deploy the resources into"
}
},
"virtualNetworkName": {
"type": "string",
"metadata": {
"Description": "The name of the Virtual Network"
}
},
"virtualNetworkAddressRange": {
"type": "string",
"metadata": {
"Description": "The address range of the virtual network in CIDR format"
},
"defaultValue": "10.0.0.0/16"
},
"virtualNetworkSubnetaddress": {
"type": "array",
"metadata": {
"Description": "The subnet definition for the virtual network"
}
},
"dnsAddress": {
"type": "array",
"metadata": {
"Description": "The DNS address(es) of the DNS Server(s) used by the virtual network"
}
}
},
"resources": [
{
"name": "fail3",
"type": "Microsoft.Network/virtualNetworks",
"location": "[parameters('location')]",
"apiVersion": "2018-02-01",
"properties": {
"addressSpace": {
"addressPrefixes": []
},
"dhcpOptions": {
"dnsServers": [
"8.8.8.8"
]
},
"subnets": [
{
"name": "subnet1",
"properties": {
"addressPrefix": "10.0.1.0/24"
}
},
{
"name": "subnet2",
"properties": {
"addressPrefix": "10.0.2.0/24"
}
}
]
}
}
],
"outputs": {}
}

74 changes: 74 additions & 0 deletions tests/arm/checks/resource/example_VnetLocalDNS/pass.json
@@ -0,0 +1,74 @@
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string",
"metadata": {
"Description": "The region to deploy the resources into"
}
},
"virtualNetworkName": {
"type": "string",
"metadata": {
"Description": "The name of the Virtual Network"
}
},
"virtualNetworkAddressRange": {
"type": "string",
"metadata": {
"Description": "The address range of the virtual network in CIDR format"
},
"defaultValue": "10.0.0.0/16"
},
"virtualNetworkSubnetaddress": {
"type": "array",
"metadata": {
"Description": "The subnet definition for the virtual network"
}
},
"dnsAddress": {
"type": "array",
"metadata": {
"Description": "The DNS address(es) of the DNS Server(s) used by the virtual network"
}
}
},
"resources": [
{
"name": "pass",
"type": "Microsoft.Network/virtualNetworks",
"location": "[parameters('location')]",
"apiVersion": "2018-02-01",
"properties": {
"addressSpace": {
"addressPrefixes": [
"10.0.0.0/16"
]
},
"dhcpOptions": {
"dnsServers": [
"10.0.0.4",
"10.0.0.5"
]
},
"subnets": [
{
"name": "subnet1",
"properties": {
"addressPrefix": "10.0.1.0/24"
}
},
{
"name": "subnet2",
"properties": {
"addressPrefix": "10.0.2.0/24"
}
}
]
}
}
],
"outputs": {}
}
