* feat(Arm) VnetLocalDNS * feat(Arm) VnetLocalDNS --------- Co-authored-by: Rachel <[email protected]>
1 parent
bb35e3f
commit 623394c
Showing
9 changed files
with
595 additions
and
0 deletions.
@@ -0,0 +1,48 @@ | ||
from ipaddress import ip_network, ip_address | ||
from typing import Any, List, Dict | ||
|
||
from checkov.arm.base_resource_check import BaseResourceCheck | ||
from checkov.common.models.enums import CheckCategories, CheckResult | ||
|
||
|
||
class VnetLocalDNS(BaseResourceCheck): | ||
def __init__(self) -> None: | ||
"""Avoid taking a dependency on external DNS servers | ||
for local communication such as those deployed on-premises. | ||
Where possible consider deploying Azure Private DNS Zones, | ||
a platform-as-a-service (PaaS) DNS service for VNETs""" | ||
|
||
name = "Ensure that VNET uses local DNS addresses" | ||
id = "CKV_AZURE_183" | ||
supported_resources = ("Microsoft.Network/virtualNetworks",) | ||
categories = [CheckCategories.NETWORKING, ] | ||
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) | ||
|
||
def scan_resource_conf(self, conf: Dict[str, Dict[str, Dict[str, List[Any]]]]) -> CheckResult: | ||
if "properties" in conf and "dhcpOptions" in conf["properties"]: | ||
if "dnsServers" in conf["properties"]["dhcpOptions"]: | ||
if isinstance(conf["properties"]["dhcpOptions"]["dnsServers"], list): | ||
dns_servers = conf["properties"]["dhcpOptions"]["dnsServers"] | ||
if dns_servers: | ||
for ip in dns_servers: | ||
if "addressSpace" in conf["properties"] and conf["properties"]["addressSpace"]: | ||
if "addressPrefixes" in conf["properties"]["addressSpace"]: | ||
if isinstance(conf["properties"]["addressSpace"]["addressPrefixes"], list): | ||
address_spaces = conf["properties"]["addressSpace"]["addressPrefixes"] | ||
if isinstance(address_spaces, list): | ||
for address_range in address_spaces: | ||
if not isinstance(address_range, str): | ||
continue | ||
try: | ||
net = ip_network(address_range) | ||
ip_add = ip_address(ip) if isinstance(ip, str) else None | ||
except ValueError: | ||
return CheckResult.UNKNOWN | ||
if isinstance(ip, str) and ip_add in net: | ||
return CheckResult.PASSED | ||
self.evaluated_keys = ["dnsServers"] | ||
return CheckResult.FAILED | ||
return CheckResult.PASSED | ||
|
||
|
||
check = VnetLocalDNS() |
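Review bot: The inner loop in scan_resource_conf returns PASSED on the first dnsServers entry that falls inside any addressPrefixes entry, so a list that mixes one in-VNet resolver with an external one (for example `["10.0.0.4", "8.8.8.8"]`) passes, although the docstring states the goal is to avoid any dependency on external DNS servers; I'd evaluate every entry and fail when any string entry is outside all prefixes, which keeps the four fixtures in this commit on the same results. While there, the second `if isinstance(address_spaces, list):` repeats the test on the line just above it and can go, and `ip_network(address_range, strict=False)` would still evaluate a prefix written with host bits set instead of turning the whole result into UNKNOWN via ValueError. Note also that a dnsServers value that is not a list (such as a template expression string) falls through to PASSED rather than UNKNOWN, which is a silent pass on an unevaluated shape. Indentation was lost in this rendering, so the nesting of the `self.evaluated_keys` assignment and the FAILED return is inferred from the fixtures, not visible.
```python
                if dns_servers:
                    address_space = conf["properties"].get("addressSpace")
                    prefixes = address_space.get("addressPrefixes") if isinstance(address_space, dict) else None
                    if not isinstance(prefixes, list):
                        prefixes = []
                    try:
                        networks = [ip_network(p, strict=False) for p in prefixes if isinstance(p, str)]
                        addresses = [ip_address(ip) for ip in dns_servers if isinstance(ip, str)]
                    except ValueError:
                        return CheckResult.UNKNOWN
                    # every configured resolver must sit inside one of the VNet's own prefixes
                    if addresses and all(any(a in n for n in networks) for a in addresses):
                        return CheckResult.PASSED
                    self.evaluated_keys = ["dnsServers"]
                    return CheckResult.FAILED
                # … unchanged: final `return CheckResult.PASSED` for resources without dhcpOptions …
```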
@@ -0,0 +1,73 @@ | ||
{ | ||
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", | ||
"contentVersion": "1.0.0.0", | ||
"parameters": { | ||
"location": { | ||
"type": "string", | ||
"metadata": { | ||
"Description": "The region to deploy the resources into" | ||
} | ||
}, | ||
"virtualNetworkName": { | ||
"type": "string", | ||
"metadata": { | ||
"Description": "The name of the Virtual Network" | ||
} | ||
}, | ||
"virtualNetworkAddressRange": { | ||
"type": "string", | ||
"metadata": { | ||
"Description": "The address range of the virtual network in CIDR format" | ||
}, | ||
"defaultValue": "10.0.0.0/16" | ||
}, | ||
"virtualNetworkSubnetaddress": { | ||
"type": "array", | ||
"metadata": { | ||
"Description": "The subnet definition for the virtual network" | ||
} | ||
}, | ||
"dnsAddress": { | ||
"type": "array", | ||
"metadata": { | ||
"Description": "The DNS address(es) of the DNS Server(s) used by the virtual network" | ||
} | ||
} | ||
}, | ||
"resources": [ | ||
{ | ||
"name": "fail", | ||
"type": "Microsoft.Network/virtualNetworks", | ||
"location": "[parameters('location')]", | ||
"apiVersion": "2018-02-01", | ||
"properties": { | ||
"addressSpace": { | ||
"addressPrefixes": [ | ||
"10.0.0.0/16" | ||
] | ||
}, | ||
"dhcpOptions": { | ||
"dnsServers": [ | ||
"8.8.8.8" | ||
] | ||
}, | ||
"subnets": [ | ||
{ | ||
"name": "subnet1", | ||
"properties": { | ||
"addressPrefix": "10.0.1.0/24" | ||
} | ||
}, | ||
{ | ||
"name": "subnet2", | ||
"properties": { | ||
"addressPrefix": "10.0.2.0/24" | ||
} | ||
} | ||
] | ||
} | ||
} | ||
], | ||
"outputs": {} | ||
} | ||
|
@@ -0,0 +1,73 @@ | ||
{ | ||
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", | ||
"contentVersion": "1.0.0.0", | ||
"parameters": { | ||
"location": { | ||
"type": "string", | ||
"metadata": { | ||
"Description": "The region to deploy the resources into" | ||
} | ||
}, | ||
"virtualNetworkName": { | ||
"type": "string", | ||
"metadata": { | ||
"Description": "The name of the Virtual Network" | ||
} | ||
}, | ||
"virtualNetworkAddressRange": { | ||
"type": "string", | ||
"metadata": { | ||
"Description": "The address range of the virtual network in CIDR format" | ||
}, | ||
"defaultValue": "10.0.0.0/16" | ||
}, | ||
"virtualNetworkSubnetaddress": { | ||
"type": "array", | ||
"metadata": { | ||
"Description": "The subnet definition for the virtual network" | ||
} | ||
}, | ||
"dnsAddress": { | ||
"type": "array", | ||
"metadata": { | ||
"Description": "The DNS address(es) of the DNS Server(s) used by the virtual network" | ||
} | ||
} | ||
}, | ||
"resources": [ | ||
{ | ||
"name": "fail2", | ||
"type": "Microsoft.Network/virtualNetworks", | ||
"location": "[parameters('location')]", | ||
"apiVersion": "2018-02-01", | ||
"properties": { | ||
"addressSpace": { | ||
"addressPrefixes": [ | ||
"10.0.0.0/16" | ||
] | ||
}, | ||
"dhcpOptions": { | ||
"dnsServers": [ | ||
[] | ||
] | ||
}, | ||
"subnets": [ | ||
{ | ||
"name": "subnet1", | ||
"properties": { | ||
"addressPrefix": "10.0.1.0/24" | ||
} | ||
}, | ||
{ | ||
"name": "subnet2", | ||
"properties": { | ||
"addressPrefix": "10.0.2.0/24" | ||
} | ||
} | ||
] | ||
} | ||
} | ||
], | ||
"outputs": {} | ||
} | ||
|
@@ -0,0 +1,71 @@ | ||
{ | ||
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", | ||
"contentVersion": "1.0.0.0", | ||
"parameters": { | ||
"location": { | ||
"type": "string", | ||
"metadata": { | ||
"Description": "The region to deploy the resources into" | ||
} | ||
}, | ||
"virtualNetworkName": { | ||
"type": "string", | ||
"metadata": { | ||
"Description": "The name of the Virtual Network" | ||
} | ||
}, | ||
"virtualNetworkAddressRange": { | ||
"type": "string", | ||
"metadata": { | ||
"Description": "The address range of the virtual network in CIDR format" | ||
}, | ||
"defaultValue": "10.0.0.0/16" | ||
}, | ||
"virtualNetworkSubnetaddress": { | ||
"type": "array", | ||
"metadata": { | ||
"Description": "The subnet definition for the virtual network" | ||
} | ||
}, | ||
"dnsAddress": { | ||
"type": "array", | ||
"metadata": { | ||
"Description": "The DNS address(es) of the DNS Server(s) used by the virtual network" | ||
} | ||
} | ||
}, | ||
"resources": [ | ||
{ | ||
"name": "fail3", | ||
"type": "Microsoft.Network/virtualNetworks", | ||
"location": "[parameters('location')]", | ||
"apiVersion": "2018-02-01", | ||
"properties": { | ||
"addressSpace": { | ||
"addressPrefixes": [] | ||
}, | ||
"dhcpOptions": { | ||
"dnsServers": [ | ||
"8.8.8.8" | ||
] | ||
}, | ||
"subnets": [ | ||
{ | ||
"name": "subnet1", | ||
"properties": { | ||
"addressPrefix": "10.0.1.0/24" | ||
} | ||
}, | ||
{ | ||
"name": "subnet2", | ||
"properties": { | ||
"addressPrefix": "10.0.2.0/24" | ||
} | ||
} | ||
] | ||
} | ||
} | ||
], | ||
"outputs": {} | ||
} | ||
|
@@ -0,0 +1,74 @@ | ||
{ | ||
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", | ||
"contentVersion": "1.0.0.0", | ||
"parameters": { | ||
"location": { | ||
"type": "string", | ||
"metadata": { | ||
"Description": "The region to deploy the resources into" | ||
} | ||
}, | ||
"virtualNetworkName": { | ||
"type": "string", | ||
"metadata": { | ||
"Description": "The name of the Virtual Network" | ||
} | ||
}, | ||
"virtualNetworkAddressRange": { | ||
"type": "string", | ||
"metadata": { | ||
"Description": "The address range of the virtual network in CIDR format" | ||
}, | ||
"defaultValue": "10.0.0.0/16" | ||
}, | ||
"virtualNetworkSubnetaddress": { | ||
"type": "array", | ||
"metadata": { | ||
"Description": "The subnet definition for the virtual network" | ||
} | ||
}, | ||
"dnsAddress": { | ||
"type": "array", | ||
"metadata": { | ||
"Description": "The DNS address(es) of the DNS Server(s) used by the virtual network" | ||
} | ||
} | ||
}, | ||
"resources": [ | ||
{ | ||
"name": "pass", | ||
"type": "Microsoft.Network/virtualNetworks", | ||
"location": "[parameters('location')]", | ||
"apiVersion": "2018-02-01", | ||
"properties": { | ||
"addressSpace": { | ||
"addressPrefixes": [ | ||
"10.0.0.0/16" | ||
] | ||
}, | ||
"dhcpOptions": { | ||
"dnsServers": [ | ||
"10.0.0.4", | ||
"10.0.0.5" | ||
] | ||
}, | ||
"subnets": [ | ||
{ | ||
"name": "subnet1", | ||
"properties": { | ||
"addressPrefix": "10.0.1.0/24" | ||
} | ||
}, | ||
{ | ||
"name": "subnet2", | ||
"properties": { | ||
"addressPrefix": "10.0.2.0/24" | ||
} | ||
} | ||
] | ||
} | ||
} | ||
], | ||
"outputs": {} | ||
} | ||
|