From e024cff983b9977abd3808dbec5415b8d66596c0 Mon Sep 17 00:00:00 2001
From: Anders Nordby
Date: Thu, 21 Dec 2023 11:57:02 +0100
Subject: [PATCH] feat(terraform): add CKV2_AZURE_47, ensure storage account is configured without blob anonymous access (#5888)
Add CKV2_AZURE_47, ensure storage account is configured without blob anonymous access.
---
 ...geAccConfigWithoutBlobAnonymousAccess.yaml | 17 ++++++
 .../expected.yaml | 5 ++
 .../main.tf | 52 +++++++++++++++++++
 3 files changed, 74 insertions(+)
 create mode 100644 checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigWithoutBlobAnonymousAccess.yaml
 create mode 100644 tests/terraform/graph/checks/resources/AzureStorageAccConfigWithoutBlobAnonymousAccess/expected.yaml
 create mode 100644 tests/terraform/graph/checks/resources/AzureStorageAccConfigWithoutBlobAnonymousAccess/main.tf
diff --git a/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigWithoutBlobAnonymousAccess.yaml b/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigWithoutBlobAnonymousAccess.yaml
new file mode 100644
index 00000000000..af8a4fe84e6
--- /dev/null
+++ b/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigWithoutBlobAnonymousAccess.yaml
@@ -0,0 +1,17 @@
+metadata:
+ id: "CKV2_AZURE_47"
+ name: "Ensure storage account is configured without blob anonymous access"
+ category: "IAM"
+
+definition:
+ and:
+ - cond_type: "attribute"
+ resource_types: "azurerm_storage_account"
+ attribute: "allow_nested_items_to_be_public"
+ operator: "exists"
+
+ - cond_type: "attribute"
+ resource_types: "azurerm_storage_account"
+ attribute: "allow_nested_items_to_be_public"
+ operator: "equals_ignore_case"
+ value: "false"
diff --git a/tests/terraform/graph/checks/resources/AzureStorageAccConfigWithoutBlobAnonymousAccess/expected.yaml b/tests/terraform/graph/checks/resources/AzureStorageAccConfigWithoutBlobAnonymousAccess/expected.yaml
new file mode 100644
index 00000000000..087d028a4f3
--- /dev/null
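Review bot: The `and` of an `exists` condition and an `equals_ignore_case` condition on `allow_nested_items_to_be_public` only makes sense because the azurerm provider defaults that attribute to `true`, so an unset attribute must be treated as a failure, yet nothing in the YAML records that rationale; a comment above the first condition, `# azurerm defaults allow_nested_items_to_be_public to true, so an unset attribute must fail`, would stop a later maintainer from dropping the exists branch as redundant. It also appears the check does not account for the provider 2.x attribute name `allow_blob_public_access`, so a configuration that disables anonymous access through that older attribute would be reported as failing; if 2.x configurations are still in scope for this check, either an alternative branch or a note in the check's name/guideline stating that only the 3.x attribute is evaluated would make the result less surprising.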
+++ b/tests/terraform/graph/checks/resources/AzureStorageAccConfigWithoutBlobAnonymousAccess/expected.yaml
@@ -0,0 +1,5 @@
+pass:
+ - "azurerm_storage_account.pass"
+fail:
+ - "azurerm_storage_account.fail_1"
+ - "azurerm_storage_account.fail_2"
\ No newline at end of file
diff --git a/tests/terraform/graph/checks/resources/AzureStorageAccConfigWithoutBlobAnonymousAccess/main.tf b/tests/terraform/graph/checks/resources/AzureStorageAccConfigWithoutBlobAnonymousAccess/main.tf
new file mode 100644
index 00000000000..92483a9d00d
--- /dev/null
+++ b/tests/terraform/graph/checks/resources/AzureStorageAccConfigWithoutBlobAnonymousAccess/main.tf
@@ -0,0 +1,52 @@
+variable "rg-name" {
+ default = "pud-bc-rg"
+}
+
+variable "location" {
+ default = "northeurope"
+}
+
+# Case 1: Pass: allow_nested_items_to_be_public = False
+
+resource "azurerm_storage_account" "pass" {
+ name = "pud-storage2023abc1"
+ resource_group_name = var.rg-name
+ location = var.location
+ account_tier = "Standard"
+ account_replication_type = "GRS"
+ allow_nested_items_to_be_public = false
+
+ tags = {
+ bc_status = "pass"
+ }
+}
+
+# Case 2: Fail: allow_nested_items_to_be_public does NOT exist
+
+resource "azurerm_storage_account" "fail_1" {
+ name = "pud-storage2023abc2"
+ resource_group_name = var.rg-name
+ location = var.location
+ account_tier = "Standard"
+ account_replication_type = "GRS"
+
+ tags = {
+ bc_status = "fail_1"
+ }
+}
+
+# Case 3: Fail: allow_nested_items_to_be_public = True
+
+resource "azurerm_storage_account" "fail_2" {
+ name = "pud-storage2023abc3"
+ resource_group_name = var.rg-name
+ location = var.location
+ account_tier = "Standard"
+ account_replication_type = "GRS"
+ allow_nested_items_to_be_public = true
+
+
+ tags = {
+ bc_status = "fail_2"
+ }
+}
\ No newline at end of file
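Review bot: The `fail_2` resource has two consecutive blank lines between `allow_nested_items_to_be_public = true` and `tags`, and main.tf ends without a trailing newline (`\ No newline at end of file`), while the `pass` and `fail_1` resources use a single blank line; dropping the extra line and adding the final newline keeps the fixture consistent with its siblings. Coverage-wise, all three cases set the attribute with a literal boolean or omit it; a fourth case that sets `allow_nested_items_to_be_public` from a variable whose default is `false` would confirm that the check's `equals_ignore_case` comparison also passes on variable-resolved values, assuming the graph evaluator resolves them as it does for `var.rg-name` and `var.location` here.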