fix(terraform): Fix CKV_Azure_234 (#5886)

* Fix CKV_Azure_234 * typo
bridgecrewio · Dec 21, 2023 · 68b141b · 68b141b
1 parent 748f4b7
commit 68b141b
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 9 deletions.
diff --git a/checkov/terraform/checks/resource/azure/AzureDefenderDisabledForResManager.py b/checkov/terraform/checks/resource/azure/AzureDefenderDisabledForResManager.py
@@ -16,9 +16,9 @@ def __init__(self) -> None:
 
     def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
         return (
-            CheckResult.PASSED
-            if conf.get("resource_type", [""])[0].lower() == "arm" and conf.get("tier", [""])[0].lower() == "standard"
-            else CheckResult.FAILED
+            CheckResult.FAILED
+            if conf.get("resource_type", [""])[0].lower() == "arm" and conf.get("tier", [""])[0].lower() != "standard"
+            else CheckResult.PASSED
         )
 
     def get_evaluated_keys(self) -> list[str]:

diff --git a/tests/terraform/checks/resource/azure/example_AzureDefenderDisabledForResManager/main.tf b/tests/terraform/checks/resource/azure/example_AzureDefenderDisabledForResManager/main.tf
@@ -1,7 +1,7 @@
 
 # Case 1: Pass: tier is Standard and resource_type is Arm
 
-resource "azurerm_security_center_subscription_pricing" "pass" {
+resource "azurerm_security_center_subscription_pricing" "pass_1" {
   tier          = "Standard"
   resource_type = "Arm"
 }
@@ -13,10 +13,16 @@ resource "azurerm_security_center_subscription_pricing" "fail_1" {
   resource_type = "arm"
 }
 
-# Case 3: Fails as "resource_type" should be "Arm"
+# Case 3: Pass as policy should only check if the resource_type is "Arm"
 
-resource "azurerm_security_center_subscription_pricing" "fail_2" {
-  tier          = "Standard"
+resource "azurerm_security_center_subscription_pricing" "pass_2" {
+  tier          = "Free"
   resource_type = "Dns"
 }
 
+# Case 4: Pass as policy should only check if the resource_type is "Arm"
+
+resource "azurerm_security_center_subscription_pricing" "pass_3" {
+  tier          = "Free"
+  resource_type = "VirtualMachine"
+}
diff --git a/tests/terraform/checks/resource/azure/test_AzureDefenderDisabledForResManager.py b/tests/terraform/checks/resource/azure/test_AzureDefenderDisabledForResManager.py
@@ -17,11 +17,12 @@ def test(self):
         summary = report.get_summary()
 
         passing_resources = {
-            'azurerm_security_center_subscription_pricing.pass',
+            'azurerm_security_center_subscription_pricing.pass_1',
+            'azurerm_security_center_subscription_pricing.pass_2',
+            'azurerm_security_center_subscription_pricing.pass_3',
         }
         failing_resources = {
             'azurerm_security_center_subscription_pricing.fail_1',
-            'azurerm_security_center_subscription_pricing.fail_2',
         }
         skipped_resources = {}