From d003adebf4f1c19c911560b9a7553e07af1fedc6 Mon Sep 17 00:00:00 2001
From: paddymorgan84
Date: Tue, 8 Oct 2024 14:27:10 +0000
Subject: [PATCH] fix: Update CKV_AZURE_167 to correct check on retention policy

---
 .../resource/azure/ACREnableRetentionPolicy.py | 8 ++++++--
 .../example_ACREnableRetentionPolicy/main.tf | 16 +--------------
 .../azure/test_ACREnableRetentionPolicy.py | 3 +-
 3 files changed, 8 insertions(+), 19 deletions(-)

diff --git a/checkov/terraform/checks/resource/azure/ACREnableRetentionPolicy.py b/checkov/terraform/checks/resource/azure/ACREnableRetentionPolicy.py
index bb1a62af838..a1df9447687 100644
--- a/checkov/terraform/checks/resource/azure/ACREnableRetentionPolicy.py
+++ b/checkov/terraform/checks/resource/azure/ACREnableRetentionPolicy.py
@@ -1,5 +1,7 @@
 from checkov.common.models.enums import CheckCategories
 from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+from typing import Any
+from checkov.common.models.consts import ANY_VALUE
 
 
 class ACREnableRetentionPolicy(BaseResourceValueCheck):
@@ -10,8 +12,10 @@ def __init__(self) -> None:
 categories = (CheckCategories.GENERAL_SECURITY,)
 super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
- def get_inspected_key(self) -> str:
- return "retention_policy/enabled"
+ def get_inspected_key(self):
+ return "retention_policy_in_days"
 
+ def get_expected_value(self) -> Any:
+ return ANY_VALUE
 
 check = ACREnableRetentionPolicy()
diff --git a/tests/terraform/checks/resource/azure/example_ACREnableRetentionPolicy/main.tf b/tests/terraform/checks/resource/azure/example_ACREnableRetentionPolicy/main.tf
index 7120aaefd5d..e7b38a2b09b 100644
--- a/tests/terraform/checks/resource/azure/example_ACREnableRetentionPolicy/main.tf
+++ b/tests/terraform/checks/resource/azure/example_ACREnableRetentionPolicy/main.tf
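Review bot: `from typing import Any` is inserted below the two `from checkov...` imports, which places a standard-library import after project imports. The conventional grouping, and what an import sorter would emit, is `from typing import Any` on its own group above the checkov imports with a blank line between the groups. Minor, but it keeps the module consistent with the rest of the repository's sorted imports, which appears to be the norm here.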
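Review bot: Returning ANY_VALUE from get_expected_value turns CKV_AZURE_167 into a presence check: a resource with `retention_policy_in_days = 0` passes, and if the azurerm v4 provider maps 0 to a disabled retention policy — worth confirming against the provider docs — that is the very misconfiguration this check exists to flag. The old key `retention_policy/enabled` is also dropped outright, so a configuration still written in the v3 block form `retention_policy { enabled = true }` will now fail instead of pass; handling both shapes in a `scan_resource_conf` override keeps the check meaningful across provider versions and makes the ANY_VALUE override unnecessary. The rewritten get_inspected_key additionally loses the `-> str` return annotation the old definition carried; keep it, since the rest of the class is annotated. A sketch of the override follows, with `CheckResult` coming from `checkov.common.models.enums` alongside `CheckCategories`.
```python
    # … unchanged: __init__ …

    def get_inspected_key(self) -> str:
        return "retention_policy_in_days"

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        # v4 attribute form: a positive day count means the policy is active.
        # 0 is treated as "disabled" here — confirm against the provider docs.
        days = conf.get("retention_policy_in_days")
        if days and isinstance(days[0], int) and days[0] > 0:
            return CheckResult.PASSED
        # v3 block form, so configurations on the older provider are not flagged
        # merely because the attribute name changed.
        policy = conf.get("retention_policy")
        if policy and isinstance(policy[0], dict) and policy[0].get("enabled") == [True]:
            return CheckResult.PASSED
        return CheckResult.FAILED
```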
@@ -6,9 +6,7 @@ resource "azurerm_container_registry" "pass" {
 sku = "Premium"
 anonymous_pull_enabled = false
 quarantine_policy_enabled = true
- retention_policy {
- enabled = true
- }
+ retention_policy_in_days = 7
 }
 
 
@@ -18,15 +16,3 @@ resource "azurerm_container_registry" "fail" {
 location = azurerm_resource_group.rg.location
 sku = "Premium"
 }
-
-
-resource "azurerm_container_registry" "fail2" {
- name = "containerRegistry1"
- resource_group_name = azurerm_resource_group.rg.name
- location = azurerm_resource_group.rg.location
- sku = "Standard"
- quarantine_policy_enabled = false
- retention_policy {
- enabled = false
- }
-}
diff --git a/tests/terraform/checks/resource/azure/test_ACREnableRetentionPolicy.py b/tests/terraform/checks/resource/azure/test_ACREnableRetentionPolicy.py
index 19f36d0d9b8..3a5b54a6f51 100644
--- a/tests/terraform/checks/resource/azure/test_ACREnableRetentionPolicy.py
+++ b/tests/terraform/checks/resource/azure/test_ACREnableRetentionPolicy.py
@@ -22,7 +22,6 @@ def test(self):
 }
 failing_resources = {
 'azurerm_container_registry.fail',
- 'azurerm_container_registry.fail2'
 }
 skipped_resources = {}
 
@@ -39,4 +38,4 @@ def test(self):
 
 
 if __name__ == '__main__':
- unittest.main()
\ No newline at end of file
+ unittest.main()
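Review bot: The fixture now only distinguishes presence from absence of `retention_policy_in_days`: `pass` sets it to 7 and `fail` omits it, while the deleted `fail2` (the second hunk of this file, and its removal from failing_resources in test_ACREnableRetentionPolicy.py) was the only case with an explicitly disabled policy. If the provider treats 0 as "retention disabled", keep a negative case such as `retention_policy_in_days = 0` in a `fail2` resource and leave it in failing_resources, so the test pins the check on the value rather than on the attribute merely being set. Without it, a check that accepts any value cannot be told apart from one that requires a positive retention period.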