fix(terraform): extend CKV2_AWS_5 to include aws_appstream_fleet (#5487…

…) (#5491) * Add aws_appstream_fleet as connected resource for CKV2_AWS_5
bridgecrewio · Aug 27, 2023 · ae073a1 · ae073a1
1 parent 4931dcd
commit ae073a1
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 2 deletions.
diff --git a/checkov/terraform/checks/graph_checks/aws/SGAttachedToResource.yaml b/checkov/terraform/checks/graph_checks/aws/SGAttachedToResource.yaml
@@ -14,6 +14,7 @@ definition:
       connected_resource_types:
         - aws_alb
         - aws_apprunner_vpc_connector
+        - aws_appstream_fleet
         - aws_batch_compute_environment
         - aws_cloudwatch_event_target
         - aws_codebuild_project
@@ -55,6 +56,6 @@ definition:
         - aws_transfer_server
         - aws_vpc_endpoint
         - aws_vpclattice_service_network_vpc_association
-      operator:  exists
+      operator: exists
       attribute: networking
       cond_type: connection
diff --git a/tests/terraform/graph/checks/resources/SGAttachedToResource/expected.yaml b/tests/terraform/graph/checks/resources/SGAttachedToResource/expected.yaml
@@ -1,6 +1,7 @@
 pass:
   - "aws_security_group.pass_alb"
   - "aws_security_group.pass_app_runner"
+  - "aws_security_group.pass_appstream_fleet"
   - "aws_security_group.pass_batch"
   - "aws_security_group.pass_cloudwatch_event"
   - "aws_security_group.pass_codebuild"

diff --git a/tests/terraform/graph/checks/resources/SGAttachedToResource/main.tf b/tests/terraform/graph/checks/resources/SGAttachedToResource/main.tf
@@ -18,6 +18,29 @@ resource "aws_apprunner_vpc_connector" "pass_app_runner" {
   security_groups    = [aws_security_group.pass_app_runner.id]
 }
 
+# App Stream Fleet
+
+resource "aws_security_group" "pass_appstream_fleet" {
+  ingress {
+    description = "TLS from VPC"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_appstream_fleet" "pass_appstream_fleet" {
+  name          = "name"
+  instance_type = "stream.standard.large"
+  compute_capacity {
+    desired_instances = 1
+  }
+  vpc_config {
+    security_groups_ids = [aws_security_group.pass_appstream_fleet.id]
+  }
+}
+
 # Batch
 
 resource "aws_security_group" "pass_batch" {
@@ -674,7 +697,7 @@ resource "aws_quicksight_vpc_connection" "pass_quicksight" {
   name               = "Example Connection"
   role_arn           = "aws_iam_role.vpc_connection_role.arn"
   security_group_ids = [aws_security_group.pass_quicksight.id]
-  subnet_ids = ["subnet-00000000000000000"]
+  subnet_ids         = ["subnet-00000000000000000"]
 }
 
 # RDS