fix(terraform): add null as allowed value, when checking for presence…

… of public IP in CKV2_AZURE_39 (#6094) * add null as allowed value for public-ips * add tests for empty/null list in AzureVMconfigPublicIP_SerialConsoleAccess * correct type of "ip_configuration.public_ip_address_id" to string --------- Co-authored-by: Taylor <[email protected]>
bridgecrewio · Aug 12, 2024 · 99730d1 · 99730d1
1 parent 0f9bc58
commit 99730d1
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 0 deletions.
diff --git a/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml b/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml
@@ -50,3 +50,10 @@ definition:
       operator: length_less_than_or_equal
       value: 0
 
+    - cond_type: attribute
+      resource_types:
+        - azurerm_network_interface
+      attribute: ip_configuration.public_ip_address_id
+      operator: equals
+      value: null
+
diff --git a/.../terraform/graph/checks/resources/AzureVMconfigPublicIP_SerialConsoleAccess/expected.yaml b/.../terraform/graph/checks/resources/AzureVMconfigPublicIP_SerialConsoleAccess/expected.yaml
@@ -1,5 +1,7 @@
 pass:
   - "azurerm_network_interface.pass_int_1"
   - "azurerm_network_interface.pass_int_2"
+  - "azurerm_network_interface.pass_int_3"
+  - "azurerm_network_interface.pass_int_4"
 fail:
   - "azurerm_network_interface.fail_int"
diff --git a/tests/terraform/graph/checks/resources/AzureVMconfigPublicIP_SerialConsoleAccess/main.tf b/tests/terraform/graph/checks/resources/AzureVMconfigPublicIP_SerialConsoleAccess/main.tf
@@ -98,4 +98,56 @@ resource "azurerm_virtual_machine" "pass_vm" {
 #    enabled             = true
 #    storage_uri         = ""
 #  }
+}
+
+# Case 4: Pass case: "ip_configuration.public_ip_address_id" does exist but is empty
+
+resource "azurerm_network_interface" "pass_int_3" {
+  name                = "pass-nic"
+  location            = azurerm_resource_group.pud-rg.location
+  resource_group_name = azurerm_resource_group.pud-rg.name
+
+  ip_configuration {
+    name                          = "internal"
+    subnet_id                     = var.prefix
+    private_ip_address_allocation = "Dynamic"
+    public_ip_address_id          = ""
+  }
+}
+
+resource "azurerm_linux_virtual_machine" "pass_vm_3" {
+  name                = "pud-linux-vm"
+  resource_group_name = azurerm_resource_group.pud-rg.name
+  location            = azurerm_resource_group.pud-rg.location
+  size                = "Standard_F2"
+  admin_username      = "pud-admin"
+  network_interface_ids = [
+    azurerm_network_interface.pass_int_3.id,
+  ]
+}
+
+# Case 5: Pass case: "ip_configuration.public_ip_address_id" does exist but is null
+
+resource "azurerm_network_interface" "pass_int_4" {
+  name                = "pass-nic"
+  location            = azurerm_resource_group.pud-rg.location
+  resource_group_name = azurerm_resource_group.pud-rg.name
+
+  ip_configuration {
+    name                          = "internal"
+    subnet_id                     = var.prefix
+    private_ip_address_allocation = "Dynamic"
+    public_ip_address_id          = null
+  }
+}
+
+resource "azurerm_linux_virtual_machine" "pass_vm_4" {
+  name                = "pud-linux-vm"
+  resource_group_name = azurerm_resource_group.pud-rg.name
+  location            = azurerm_resource_group.pud-rg.location
+  size                = "Standard_F2"
+  admin_username      = "pud-admin"
+  network_interface_ids = [
+    azurerm_network_interface.pass_int_4.id,
+  ]
 }