-
Notifications
You must be signed in to change notification settings - Fork 1.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(arm): Implement CKV_AZURE_111 in ARM (#5528)
- Loading branch information
1 parent
6e87aa2
commit 83743df
Showing
6 changed files
with
521 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
from checkov.arm.base_resource_value_check import BaseResourceValueCheck | ||
from checkov.common.models.enums import CheckCategories | ||
from checkov.common.models.enums import CheckResult | ||
|
||
|
||
class KeyVaultEnablesSoftDelete(BaseResourceValueCheck): | ||
def __init__(self) -> None: | ||
name = "Ensure that key vault enables soft delete" | ||
id = "CKV_AZURE_111" | ||
supported_resources = ['Microsoft.KeyVault/vaults'] | ||
categories = [CheckCategories.LOGGING] | ||
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources, | ||
missing_block_result=CheckResult.PASSED) | ||
|
||
def get_inspected_key(self) -> str: | ||
return "properties/enableSoftDelete" | ||
|
||
|
||
check = KeyVaultEnablesSoftDelete() |
155 changes: 155 additions & 0 deletions
155
tests/arm/checks/resource/example_KeyVaultEnablesSoftDelete/fail.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,155 @@ | ||
{ | ||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", | ||
"contentVersion": "1.0.0.0", | ||
"parameters": { | ||
"keyVaultName": { | ||
"type": "string", | ||
"metadata": { | ||
"description": "Specifies the name of the key vault." | ||
} | ||
}, | ||
"location": { | ||
"type": "string", | ||
"defaultValue": "[resourceGroup().location]", | ||
"metadata": { | ||
"description": "Specifies the Azure location where the key vault should be created." | ||
} | ||
}, | ||
"enabledForDeployment": { | ||
"type": "bool", | ||
"defaultValue": false, | ||
"allowedValues": [ | ||
true, | ||
false | ||
], | ||
"metadata": { | ||
"description": "Specifies whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault." | ||
} | ||
}, | ||
"enableSoftDelete": { | ||
"type": "bool", | ||
"defaultValue": false | ||
}, | ||
"enabledForDiskEncryption": { | ||
"type": "bool", | ||
"defaultValue": false, | ||
"allowedValues": [ | ||
true, | ||
false | ||
], | ||
"metadata": { | ||
"description": "Specifies whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys." | ||
} | ||
}, | ||
"enabledForTemplateDeployment": { | ||
"type": "bool", | ||
"defaultValue": false, | ||
"allowedValues": [ | ||
true, | ||
false | ||
], | ||
"metadata": { | ||
"description": "Specifies whether Azure Resource Manager is permitted to retrieve secrets from the key vault." | ||
} | ||
}, | ||
"tenantId": { | ||
"type": "string", | ||
"defaultValue": "[subscription().tenantId]", | ||
"metadata": { | ||
"description": "Specifies the Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Get it by using Get-AzSubscription cmdlet." | ||
} | ||
}, | ||
"objectId": { | ||
"type": "string", | ||
"metadata": { | ||
"description": "Specifies the object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Get it by using Get-AzADUser or Get-AzADServicePrincipal cmdlets." | ||
} | ||
}, | ||
"keysPermissions": { | ||
"type": "array", | ||
"defaultValue": [ | ||
"list" | ||
], | ||
"metadata": { | ||
"description": "Specifies the permissions to keys in the vault. Valid values are: all, encrypt, decrypt, wrapKey, unwrapKey, sign, verify, get, list, create, update, import, delete, backup, restore, recover, and purge." | ||
} | ||
}, | ||
"secretsPermissions": { | ||
"type": "array", | ||
"defaultValue": [ | ||
"list" | ||
], | ||
"metadata": { | ||
"description": "Specifies the permissions to secrets in the vault. Valid values are: all, get, list, set, delete, backup, restore, recover, and purge." | ||
} | ||
}, | ||
"skuName": { | ||
"type": "string", | ||
"defaultValue": "Standard", | ||
"allowedValues": [ | ||
"Standard", | ||
"Premium" | ||
], | ||
"metadata": { | ||
"description": "Specifies whether the key vault is a standard vault or a premium vault." | ||
} | ||
}, | ||
"secretName": { | ||
"type": "string", | ||
"metadata": { | ||
"description": "Specifies the name of the secret that you want to create." | ||
} | ||
}, | ||
"secretValue": { | ||
"type": "securestring", | ||
"metadata": { | ||
"description": "Specifies the value of the secret that you want to create." | ||
} | ||
} | ||
}, | ||
"resources": [ | ||
{ | ||
"type": "Microsoft.KeyVault/vaults", | ||
"name": "fail", | ||
"apiVersion": "2018-02-14", | ||
"location": "[parameters('location')]", | ||
"properties": { | ||
"enabledForDeployment": "[parameters('enabledForDeployment')]", | ||
"enableSoftDelete": false, | ||
"enabledForDiskEncryption": "[parameters('enabledForDiskEncryption')]", | ||
"enabledForTemplateDeployment": "[parameters('enabledForTemplateDeployment')]", | ||
"tenantId": "[parameters('tenantId')]", | ||
"accessPolicies": [ | ||
{ | ||
"objectId": "[parameters('objectId')]", | ||
"tenantId": "[parameters('tenantId')]", | ||
"permissions": { | ||
"keys": "[parameters('keysPermissions')]", | ||
"secrets": "[parameters('secretsPermissions')]" | ||
} | ||
} | ||
], | ||
"sku": { | ||
"name": "[parameters('skuName')]", | ||
"family": "A" | ||
}, | ||
"networkAcls": { | ||
"defaultAction": "Allow", | ||
"bypass": "AzureServices" | ||
} | ||
} | ||
}, | ||
{ | ||
"type": "Microsoft.KeyVault/vaults/secrets", | ||
"name": "[concat(parameters('keyVaultName'), '/', parameters('secretName'))]", | ||
"apiVersion": "2018-02-14", | ||
"location": "[parameters('location')]", | ||
"dependsOn": [ | ||
"[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]" | ||
], | ||
"properties": { | ||
"value": "[parameters('secretValue')]" | ||
} | ||
} | ||
] | ||
} |
155 changes: 155 additions & 0 deletions
155
tests/arm/checks/resource/example_KeyVaultEnablesSoftDelete/pass.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,155 @@ | ||
{ | ||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", | ||
"contentVersion": "1.0.0.0", | ||
"parameters": { | ||
"keyVaultName": { | ||
"type": "string", | ||
"metadata": { | ||
"description": "Specifies the name of the key vault." | ||
} | ||
}, | ||
"location": { | ||
"type": "string", | ||
"defaultValue": "[resourceGroup().location]", | ||
"metadata": { | ||
"description": "Specifies the Azure location where the key vault should be created." | ||
} | ||
}, | ||
"enabledForDeployment": { | ||
"type": "bool", | ||
"defaultValue": false, | ||
"allowedValues": [ | ||
true, | ||
false | ||
], | ||
"metadata": { | ||
"description": "Specifies whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault." | ||
} | ||
}, | ||
"enableSoftDelete": { | ||
"type": "bool", | ||
"defaultValue": true | ||
}, | ||
"enabledForDiskEncryption": { | ||
"type": "bool", | ||
"defaultValue": false, | ||
"allowedValues": [ | ||
true, | ||
false | ||
], | ||
"metadata": { | ||
"description": "Specifies whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys." | ||
} | ||
}, | ||
"enabledForTemplateDeployment": { | ||
"type": "bool", | ||
"defaultValue": false, | ||
"allowedValues": [ | ||
true, | ||
false | ||
], | ||
"metadata": { | ||
"description": "Specifies whether Azure Resource Manager is permitted to retrieve secrets from the key vault." | ||
} | ||
}, | ||
"tenantId": { | ||
"type": "string", | ||
"defaultValue": "[subscription().tenantId]", | ||
"metadata": { | ||
"description": "Specifies the Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Get it by using Get-AzSubscription cmdlet." | ||
} | ||
}, | ||
"objectId": { | ||
"type": "string", | ||
"metadata": { | ||
"description": "Specifies the object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Get it by using Get-AzADUser or Get-AzADServicePrincipal cmdlets." | ||
} | ||
}, | ||
"keysPermissions": { | ||
"type": "array", | ||
"defaultValue": [ | ||
"list" | ||
], | ||
"metadata": { | ||
"description": "Specifies the permissions to keys in the vault. Valid values are: all, encrypt, decrypt, wrapKey, unwrapKey, sign, verify, get, list, create, update, import, delete, backup, restore, recover, and purge." | ||
} | ||
}, | ||
"secretsPermissions": { | ||
"type": "array", | ||
"defaultValue": [ | ||
"list" | ||
], | ||
"metadata": { | ||
"description": "Specifies the permissions to secrets in the vault. Valid values are: all, get, list, set, delete, backup, restore, recover, and purge." | ||
} | ||
}, | ||
"skuName": { | ||
"type": "string", | ||
"defaultValue": "Standard", | ||
"allowedValues": [ | ||
"Standard", | ||
"Premium" | ||
], | ||
"metadata": { | ||
"description": "Specifies whether the key vault is a standard vault or a premium vault." | ||
} | ||
}, | ||
"secretName": { | ||
"type": "string", | ||
"metadata": { | ||
"description": "Specifies the name of the secret that you want to create." | ||
} | ||
}, | ||
"secretValue": { | ||
"type": "securestring", | ||
"metadata": { | ||
"description": "Specifies the value of the secret that you want to create." | ||
} | ||
} | ||
}, | ||
"resources": [ | ||
{ | ||
"type": "Microsoft.KeyVault/vaults", | ||
"name": "pass", | ||
"apiVersion": "2018-02-14", | ||
"location": "[parameters('location')]", | ||
"properties": { | ||
"enabledForDeployment": "[parameters('enabledForDeployment')]", | ||
"enableSoftDelete": "[parameters('enableSoftDelete')]", | ||
"enabledForDiskEncryption": "[parameters('enabledForDiskEncryption')]", | ||
"enabledForTemplateDeployment": "[parameters('enabledForTemplateDeployment')]", | ||
"tenantId": "[parameters('tenantId')]", | ||
"accessPolicies": [ | ||
{ | ||
"objectId": "[parameters('objectId')]", | ||
"tenantId": "[parameters('tenantId')]", | ||
"permissions": { | ||
"keys": "[parameters('keysPermissions')]", | ||
"secrets": "[parameters('secretsPermissions')]" | ||
} | ||
} | ||
], | ||
"sku": { | ||
"name": "[parameters('skuName')]", | ||
"family": "A" | ||
}, | ||
"networkAcls": { | ||
"defaultAction": "Allow", | ||
"bypass": "AzureServices" | ||
} | ||
} | ||
}, | ||
{ | ||
"type": "Microsoft.KeyVault/vaults/secrets", | ||
"name": "[concat(parameters('keyVaultName'), '/', parameters('secretName'))]", | ||
"apiVersion": "2018-02-14", | ||
"location": "[parameters('location')]", | ||
"dependsOn": [ | ||
"[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]" | ||
], | ||
"properties": { | ||
"value": "[parameters('secretValue')]" | ||
} | ||
} | ||
] | ||
} |
Oops, something went wrong.