From 68b141be964175c8bbec2f13c251edfaf0359ee5 Mon Sep 17 00:00:00 2001
From: Taylor <28880387+tsmithv11@users.noreply.github.com>
Date: Thu, 21 Dec 2023 01:17:37 -0800
Subject: [PATCH] fix(terraform): Fix CKV_Azure_234 (#5886)
* Fix CKV_Azure_234
* typo
---
 .../azure/AzureDefenderDisabledForResManager.py | 6 +++---
 .../main.tf | 14 ++++++++++----
 .../test_AzureDefenderDisabledForResManager.py | 5 +++--
 3 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/checkov/terraform/checks/resource/azure/AzureDefenderDisabledForResManager.py b/checkov/terraform/checks/resource/azure/AzureDefenderDisabledForResManager.py
index 190c312c500..bd6ce09cfcc 100644
--- a/checkov/terraform/checks/resource/azure/AzureDefenderDisabledForResManager.py
+++ b/checkov/terraform/checks/resource/azure/AzureDefenderDisabledForResManager.py
@@ -16,9 +16,9 @@ def __init__(self) -> None:
 def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
 return (
- CheckResult.PASSED
- if conf.get("resource_type", [""])[0].lower() == "arm" and conf.get("tier", [""])[0].lower() == "standard"
- else CheckResult.FAILED
+ CheckResult.FAILED
+ if conf.get("resource_type", [""])[0].lower() == "arm" and conf.get("tier", [""])[0].lower() != "standard"
+ else CheckResult.PASSED
 )
 def get_evaluated_keys(self) -> list[str]:
diff --git a/tests/terraform/checks/resource/azure/example_AzureDefenderDisabledForResManager/main.tf b/tests/terraform/checks/resource/azure/example_AzureDefenderDisabledForResManager/main.tf
index 50766dacccd..3c3f3c111b0 100644
--- a/tests/terraform/checks/resource/azure/example_AzureDefenderDisabledForResManager/main.tf
+++ b/tests/terraform/checks/resource/azure/example_AzureDefenderDisabledForResManager/main.tf
@@ -1,7 +1,7 @@
 # Case 1: Pass: tier is Standard and resource_type is Arm
-resource "azurerm_security_center_subscription_pricing" "pass" {
+resource "azurerm_security_center_subscription_pricing" "pass_1" {
 tier = "Standard"
 resource_type = "Arm"
 }
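Review bot: The rewritten expression in `scan_resource_conf` now reads as a double negative — `FAILED if resource_type == "arm" and tier != "standard" else PASSED` — and the scoping decision it encodes is left undocumented: any block whose `resource_type` is not Arm, or that omits the attribute, passes unconditionally. A guard clause makes both rules explicit, e.g. `if conf.get("resource_type", [""])[0].lower() != "arm":` / `    return CheckResult.PASSED  # only the Resource Manager (Arm) plan is in scope` / `return CheckResult.PASSED if conf.get("tier", [""])[0].lower() == "standard" else CheckResult.FAILED`. A missing `tier` on an Arm block still fails because the `""` default is not `"standard"`, which is the right fail-closed default, but that deserves a one-line docstring so the next maintainer does not "fix" it away. The enclosing class and `get_evaluated_keys` continue outside the hunk.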
@@ -13,10 +13,16 @@ resource "azurerm_security_center_subscription_pricing" "fail_1" {
 resource_type = "arm"
 }
-# Case 3: Fails as "resource_type" should be "Arm"
+# Case 3: Pass as policy should only check if the resource_type is "Arm"
-resource "azurerm_security_center_subscription_pricing" "fail_2" {
- tier = "Standard"
+resource "azurerm_security_center_subscription_pricing" "pass_2" {
+ tier = "Free"
 resource_type = "Dns"
 }
+# Case 4: Pass as policy should only check if the resource_type is "Arm"
+
+resource "azurerm_security_center_subscription_pricing" "pass_3" {
+ tier = "Free"
+ resource_type = "VirtualMachine"
+}
\ No newline at end of file
diff --git a/tests/terraform/checks/resource/azure/test_AzureDefenderDisabledForResManager.py b/tests/terraform/checks/resource/azure/test_AzureDefenderDisabledForResManager.py
index 5bf608b2d8e..8f8a3619b15 100644
--- a/tests/terraform/checks/resource/azure/test_AzureDefenderDisabledForResManager.py
+++ b/tests/terraform/checks/resource/azure/test_AzureDefenderDisabledForResManager.py
@@ -17,11 +17,12 @@ def test(self):
 summary = report.get_summary()
 passing_resources = {
- 'azurerm_security_center_subscription_pricing.pass',
+ 'azurerm_security_center_subscription_pricing.pass_1',
+ 'azurerm_security_center_subscription_pricing.pass_2',
+ 'azurerm_security_center_subscription_pricing.pass_3',
 }
 failing_resources = {
 'azurerm_security_center_subscription_pricing.fail_1',
- 'azurerm_security_center_subscription_pricing.fail_2',
 }
 skipped_resources = {}
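Review bot: The added pass_2 and pass_3 cases both vary only `resource_type` away from Arm, so no fixture exercises an Arm block that omits `tier` or that spells it in a different case, which is exactly where the check's `[""]` default and `.lower()` handling matter. A fifth block such as `resource "azurerm_security_center_subscription_pricing" "fail_2" { resource_type = "Arm" }` (listed in `failing_resources`, since the empty default tier is not Standard) would pin the fail-closed path, and a `tier = "standard"` / `resource_type = "ARM"` block would pin case-insensitivity. The file also loses its trailing newline (`\ No newline at end of file`), which formatters will flag on the next touch.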