feat(terraform): new checks on new resources

checkov/terraform/checks/resource/aws/DMSEndpointUsesCMK.py

@@ -0,0 +1,37 @@
+from __future__ import annotations
+
+from typing import Any
+
+from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceCheck
+from checkov.common.models.enums import CheckCategories, CheckResult
+
+
+class DMSEndpointUsesCMK(BaseResourceCheck):
+    def __init__(self) -> None:
+        name = "Ensure DMS endpoint uses Customer Managed Key (CMK)"
+        id = "CKV_AWS_296"
+        supported_resources = ("aws_dms_endpoint",)
+        categories = (CheckCategories.ENCRYPTION,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
+        engine_name = conf.get("engine_name")
+        if engine_name and isinstance(engine_name, list) and engine_name[0] == "s3":
+            self.evaluated_keys = ["s3_settings"]
+            s3_settings = conf.get("s3_settings")
+            if s3_settings and isinstance(s3_settings, list):
+                self.evaluated_keys = ["s3_settings/server_side_encryption_kms_key_id"]
+                settings = s3_settings[0]
+                if settings.get("server_side_encryption_kms_key_id"):
+                    return CheckResult.PASSED
+            return CheckResult.FAILED
+
+        self.evaluated_keys = ["kms_key_arn"]
+        kms_key = conf.get("kms_key_arn")
+        if kms_key and isinstance(kms_key, list) and kms_key[0]:
+            return CheckResult.PASSED
+
+        return CheckResult.FAILED
+
+
+check = DMSEndpointUsesCMK()

checkov/terraform/checks/resource/aws/DMSS3DefinesIntransitEncryption.py

@@ -0,0 +1,24 @@
+from __future__ import annotations
+
+from typing import Any
+
+from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+from checkov.common.models.enums import CheckCategories
+
+
+class DMSS3DefinesIntransitEncryption(BaseResourceValueCheck):
+    def __init__(self) -> None:
+        name = "Ensure DMS S3 defines in-transit encryption"
+        id = "CKV_AWS_299"
+        supported_resources = ("aws_dms_s3_endpoint",)
+        categories = (CheckCategories.ENCRYPTION,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self) -> str:
+        return 'ssl_mode'
+
+    def get_expected_values(self) -> list[Any]:
+        return ["require", "verify-ca", "verify-full"]
+
+
+check = DMSS3DefinesIntransitEncryption()

checkov/terraform/checks/resource/aws/DMSS3UsesCMK.py

@@ -0,0 +1,25 @@
+from __future__ import annotations
+
+from typing import Any
+
+from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+from checkov.common.models.enums import CheckCategories
+from checkov.common.models.consts import ANY_VALUE
+
+
+class DMSS3UsesCMK(BaseResourceValueCheck):
+    def __init__(self) -> None:
+        name = "Ensure DMS S3 uses Customer Managed Key (CMK)"
+        id = "CKV_AWS_298"
+        supported_resources = ("aws_dms_s3_endpoint",)
+        categories = (CheckCategories.ENCRYPTION,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self) -> str:
+        return "kms_key_arn"
+
+    def get_expected_value(self) -> Any:
+        return ANY_VALUE
+
+
+check = DMSS3UsesCMK()

checkov/terraform/checks/resource/aws/DatasyncLocationExposesSecrets.py

@@ -0,0 +1,25 @@
+from __future__ import annotations
+
+from typing import Any
+
+from checkov.common.models.consts import ANY_VALUE
+from checkov.common.models.enums import CheckCategories
+from checkov.terraform.checks.resource.base_resource_negative_value_check import BaseResourceNegativeValueCheck
+
+
+class DatasyncLocationExposesSecrets(BaseResourceNegativeValueCheck):
+    def __init__(self) -> None:
+        name = "Ensure DataSync Location Object Storage doesn't expose secrets"
+        id = "CKV_AWS_295"
+        supported_resources = ("aws_datasync_location_object_storage",)
+        categories = (CheckCategories.SECRETS,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self) -> str:
+        return "secret_key"
+
+    def get_forbidden_values(self) -> list[Any]:
+        return [ANY_VALUE]
+
+
+check = DatasyncLocationExposesSecrets()

checkov/terraform/checks/resource/aws/SchedulerScheduleUsesCMK.py

@@ -0,0 +1,23 @@
+from typing import Any
+
+from checkov.common.models.consts import ANY_VALUE
+from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+from checkov.common.models.enums import CheckCategories
+
+
+class SchedulerScheduleUsesCMK(BaseResourceValueCheck):
+    def __init__(self) -> None:
+        name = "Ensure EventBridge Scheduler Schedule uses Customer Managed Key (CMK)"
+        id = "CKV_AWS_297"
+        supported_resources = ("aws_scheduler_schedule",)
+        categories = (CheckCategories.ENCRYPTION,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self) -> str:
+        return "kms_key_arn"
+
+    def get_expected_value(self) -> Any:
+        return ANY_VALUE
+
+
+check = SchedulerScheduleUsesCMK()

tests/terraform/checks/resource/aws/example_DMSEndpointUsesCMK/main.tf

@@ -0,0 +1,142 @@
+
+resource "aws_dms_endpoint" "pass" {
+  certificate_arn             = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
+  database_name               = "test"
+  endpoint_id                 = "test-dms-endpoint-tf"
+  endpoint_type               = "source"
+  engine_name                 = "aurora"
+  extra_connection_attributes = ""
+  kms_key_arn                 = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
+  password                    = "test"
+  port                        = 3306
+  server_name                 = "test"
+  ssl_mode                    = "none"
+
+  tags = {
+    Name = "test"
+  }
+
+  username = "test"
+}
+
+resource "aws_dms_endpoint" "pass2" {
+  certificate_arn             = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
+  database_name               = "test"
+  endpoint_id                 = "test-dms-endpoint-tf"
+  endpoint_type               = "source"
+  engine_name                 = "aurora"
+  extra_connection_attributes = ""
+  kms_key_arn                 = aws_kms_key.pike.arn
+  password                    = "test"
+  port                        = 3306
+  server_name                 = "test"
+  ssl_mode                    = "none"
+
+  tags = {
+    Name = "test"
+  }
+
+  username = "test"
+}
+
+resource "aws_dms_endpoint" "fail" {
+  certificate_arn             = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
+  database_name               = "test"
+  endpoint_id                 = "test-dms-endpoint-tf"
+  endpoint_type               = "source"
+  engine_name                 = "aurora"
+  extra_connection_attributes = ""
+  kms_key_arn                 = ""
+  password                    = "test"
+  port                        = 3306
+  server_name                 = "test"
+  ssl_mode                    = "none"
+
+  tags = {
+    Name = "test"
+  }
+
+  username = "test"
+}
+
+resource "aws_dms_endpoint" "fail2" {
+  certificate_arn             = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
+  database_name               = "test"
+  endpoint_id                 = "test-dms-endpoint-tf"
+  endpoint_type               = "source"
+  engine_name                 = "aurora"
+  extra_connection_attributes = ""
+  password                    = "test"
+  port                        = 3306
+  server_name                 = "test"
+  ssl_mode                    = "none"
+
+  tags = {
+    Name = "test"
+  }
+
+  username = "test"
+}
+
+
+
+resource "aws_dms_endpoint" "fail3" {
+  certificate_arn             = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
+  database_name               = "test"
+  endpoint_id                 = "test-dms-endpoint-tf"
+  endpoint_type               = "source"
+  engine_name                 = "s3"
+  extra_connection_attributes = ""
+  password                    = "test"
+  port                        = 3306
+  server_name                 = "test"
+  ssl_mode                    = "none"
+
+  tags = {
+    Name = "test"
+  }
+
+  username = "test"
+}
+
+resource "aws_dms_endpoint" "pass3" {
+  certificate_arn             = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
+  database_name               = "test"
+  endpoint_id                 = "test-dms-endpoint-tf"
+  endpoint_type               = "source"
+  engine_name                 = "s3"
+  extra_connection_attributes = ""
+  password                    = "test"
+  port                        = 3306
+  server_name                 = "test"
+  ssl_mode                    = "none"
+
+  tags = {
+    Name = "test"
+  }
+
+  s3_settings {
+    server_side_encryption_kms_key_id = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
+  }
+  username = "test"
+}
+
+resource "aws_dms_endpoint" "pass4" {
+  certificate_arn             = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
+  database_name               = "test"
+  endpoint_id                 = "test-dms-endpoint-tf"
+  endpoint_type               = "source"
+  engine_name                 = "mongod"
+  extra_connection_attributes = ""
+  kms_key_arn                 = aws_kms_key.pike.arn
+  password                    = "test"
+  port                        = 3306
+  server_name                 = "test"
+  ssl_mode                    = "none"
+
+  tags = {
+    Name = "test"
+  }
+
+  username = "test"
+}

tests/terraform/checks/resource/aws/example_DMSS3DefinesIntransitEncryption/main.tf

@@ -0,0 +1,28 @@
+resource "aws_dms_s3_endpoint" "fail" {
+  endpoint_id             = "donnedtipi"
+  endpoint_type           = "target"
+  bucket_name             = "beckut_name"
+  service_access_role_arn = aws_iam_role.example.arn
+  depends_on = [aws_iam_role_policy.example]
+}
+
+resource "aws_dms_s3_endpoint" "fail2" {
+  endpoint_id             = "donnedtipi"
+  endpoint_type           = "target"
+  bucket_name             = "beckut_name"
+  service_access_role_arn = aws_iam_role.example.arn
+  ssl_mode="none"
+  kms_key_arn=""
+  depends_on = [aws_iam_role_policy.example]
+}
+
+resource "aws_dms_s3_endpoint" "pass" {
+  endpoint_id             = "donnedtipi"
+  endpoint_type           = "target"
+  bucket_name             = "beckut_name"
+  service_access_role_arn = aws_iam_role.example.arn
+  ssl_mode="require"
+  kms_key_arn="arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
+  depends_on = [aws_iam_role_policy.example]
+}
+

tests/terraform/checks/resource/aws/example_DMSS3UsesCMK/main.tf

@@ -0,0 +1,38 @@
+resource "aws_dms_s3_endpoint" "fail" {
+  endpoint_id             = "donnedtipi"
+  endpoint_type           = "target"
+  bucket_name             = "beckut_name"
+  service_access_role_arn = aws_iam_role.example.arn
+
+  depends_on = [aws_iam_role_policy.example]
+}
+
+resource "aws_dms_s3_endpoint" "fail2" {
+  endpoint_id             = "donnedtipi"
+  endpoint_type           = "target"
+  bucket_name             = "beckut_name"
+  service_access_role_arn = aws_iam_role.example.arn
+
+  kms_key_arn=""
+  depends_on = [aws_iam_role_policy.example]
+}
+
+resource "aws_dms_s3_endpoint" "pass" {
+  endpoint_id             = "donnedtipi"
+  endpoint_type           = "target"
+  bucket_name             = "beckut_name"
+  service_access_role_arn = aws_iam_role.example.arn
+
+  kms_key_arn="arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
+  depends_on = [aws_iam_role_policy.example]
+}
+
+resource "aws_dms_s3_endpoint" "pass2" {
+  endpoint_id             = "donnedtipi"
+  endpoint_type           = "target"
+  bucket_name             = "beckut_name"
+  service_access_role_arn = aws_iam_role.example.arn
+
+  kms_key_arn=aws-kms_key.pike.arn
+  depends_on = [aws_iam_role_policy.example]
+}

tests/terraform/checks/resource/aws/example_DatasyncLocationExposesSecrets/main.tf

@@ -0,0 +1,12 @@
+resource "aws_datasync_location_object_storage" "pass" {
+  agent_arns      = [aws_datasync_agent.example.arn]
+  server_hostname = "example"
+  bucket_name     = "example"
+}
+
+resource "aws_datasync_location_object_storage" "fail" {
+  agent_arns      = [aws_datasync_agent.example.arn]
+  server_hostname = "example"
+  bucket_name     = "example"
+  secret_key="OWTHATSBLOWNIT"
+}