feat(arm): AppServicePlanZoneRedundant (#6472)

initial commit Co-authored-by: ChanochShayner <[email protected]>
bridgecrewio · Jul 4, 2024 · f8793e8 · f8793e8
1 parent 3c46f43
commit f8793e8
Show file tree

Hide file tree

Showing 5 changed files with 128 additions and 0 deletions.
diff --git a/checkov/arm/checks/resource/AppServicePlanZoneRedundant.py b/checkov/arm/checks/resource/AppServicePlanZoneRedundant.py
@@ -0,0 +1,28 @@
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+
+
+class AppServicePlanZoneRedundant(BaseResourceValueCheck):
+    def __init__(self) -> None:
+        """
+        To enhance the resiliency and reliability of business-critical workloads,
+        it's recommended to deploy new App Service Plans with zone-redundancy.
+
+        There's no additional cost associated with enabling availability zones.
+        Pricing for a zone redundant App Service is the same as a single zone App Service.
+        """
+        name = "Ensure the App Service Plan is zone redundant"
+        id = "CKV_AZURE_225"
+        supported_resources = ["Microsoft.Web/serverfarms", ]
+        categories = [CheckCategories.BACKUP_AND_RECOVERY, ]
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
+                         missing_block_result=CheckResult.FAILED)
+
+    def get_inspected_key(self) -> str:
+        return "properties/zoneRedundant"
+
+    def get_expected_value(self) -> bool:
+        return True
+
+
+check = AppServicePlanZoneRedundant()
diff --git a/tests/arm/checks/resource/example_AppServicePlanZoneRedundant/fail.json b/tests/arm/checks/resource/example_AppServicePlanZoneRedundant/fail.json
@@ -0,0 +1,20 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "resources": [
+    {
+      "type": "Microsoft.Web/serverfarms",
+      "apiVersion": "2021-02-01",
+      "name": "fail",
+      "location": "[resourceGroup().location]",
+      "properties": {
+        "zoneRedundant": false,
+        "resourceGroupName": "[resourceGroup().name]",
+        "osType": "Linux",
+        "sku": {
+          "name": "P1v2"
+        }
+      }
+    }
+  ]
+}
diff --git a/tests/arm/checks/resource/example_AppServicePlanZoneRedundant/fail2.json b/tests/arm/checks/resource/example_AppServicePlanZoneRedundant/fail2.json
@@ -0,0 +1,19 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "resources": [
+    {
+      "type": "Microsoft.Web/serverfarms",
+      "apiVersion": "2021-02-01",
+      "name": "fail2",
+      "location": "[resourceGroup().location]",
+      "properties": {
+        "resourceGroupName": "[resourceGroup().name]",
+        "osType": "Linux",
+        "sku": {
+          "name": "P1v2"
+        }
+      }
+    }
+  ]
+}
diff --git a/tests/arm/checks/resource/example_AppServicePlanZoneRedundant/pass.json b/tests/arm/checks/resource/example_AppServicePlanZoneRedundant/pass.json
@@ -0,0 +1,20 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "resources": [
+    {
+      "type": "Microsoft.Web/serverfarms",
+      "apiVersion": "2021-02-01",
+      "name": "pass",
+      "location": "[resourceGroup().location]",
+      "properties": {
+        "zoneRedundant": true,
+        "resourceGroupName": "[resourceGroup().name]",
+        "osType": "Linux",
+        "sku": {
+          "name": "P1v2"
+        }
+      }
+    }
+  ]
+}
diff --git a/tests/arm/checks/resource/test_AppServicePlanZoneRedundant.py b/tests/arm/checks/resource/test_AppServicePlanZoneRedundant.py
@@ -0,0 +1,41 @@
+import unittest
+from pathlib import Path
+
+from checkov.arm.checks.resource.AppServicePlanZoneRedundant import check
+from checkov.arm.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestAppServicePlanZoneRedundant(unittest.TestCase):
+    def test_summary(self):
+        # given
+        test_files_dir = Path(__file__).parent / "example_AppServicePlanZoneRedundant"
+
+        # when
+        report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+        # then
+        summary = report.get_summary()
+
+        passing_resources = {
+            "Microsoft.Web/serverfarms.pass",
+        }
+        failing_resources = {
+            "Microsoft.Web/serverfarms.fail",
+            "Microsoft.Web/serverfarms.fail2",
+        }
+
+        passed_check_resources = {c.resource for c in report.passed_checks}
+        failed_check_resources = {c.resource for c in report.failed_checks}
+
+        self.assertEqual(summary["passed"], len(passing_resources))
+        self.assertEqual(summary["failed"], len(failing_resources))
+        self.assertEqual(summary["skipped"], 0)
+        self.assertEqual(summary["parsing_errors"], 0)
+
+        self.assertEqual(passing_resources, passed_check_resources)
+        self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+    unittest.main()