feat(terraform): add CKV_AZURE_248 - Azure batch account network access restriction #6928
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
emaohi
changed the title
emaohi
changed the title
OfekShimko
approved these changes
Jan 2, 2025
tsmithv11
requested changes
Jan 2, 2025
There was a problem hiding this comment.
Nice work! A few notes:
- I believe you need to adjust the checks for the default value of one of the fields (the other is accurately good when missing).
- In the description, can you mention that this is aligned to the run policy ID
ea27ffec-c8ba-4dbb-95e4-159b5350c94ffor when we platformize it? - Make sure to add the
evaluated_keysas @bo156 mentioned.
Comment on lines
21
to
23
| public_network_access = conf.get('public_network_access_enabled', [None])[0] | ||
| if not public_network_access: | ||
| return CheckResult.PASSED |
There was a problem hiding this comment.
The default for public_network_access_enabled is true which is bad. If this field is missing you need to check the default_action before passing/failing.
Looks like you'll need to adjust the ARM one as well for this.
There was a problem hiding this comment.
correct, updated the logic accordingly
| FORBIDDEN_NETWORK_ACCESS_DEFAULT_ACTION = "allow" | ||
|
|
||
| def __init__(self) -> None: | ||
| name = "Ensure that Azure Batch account public network access is 'enabled' account access default action is 'ignore'" |
There was a problem hiding this comment.
Suggested change
| name = "Ensure that Azure Batch account public network access is 'enabled' account access default action is 'ignore'" | |
| name = "Ensure that Azure Batch account public network access is disabled and account access default action is deny" |
| class AzureBatchAccountEndpointAccessDefaultAction(BaseResourceCheck): | ||
|
|
||
| def __init__(self) -> None: | ||
| name = "Ensure that Azure Batch account public network access is 'enabled' account access default action is 'ignore'" |
There was a problem hiding this comment.
Suggested change
| name = "Ensure that Azure Batch account public network access is 'enabled' account access default action is 'ignore'" | |
| name = "Ensure that Azure Batch account public network access is disabled and account access default action is deny" |
| default_action = "allow" | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
Suggested change
| } | |
| } | |
| resource "azurerm_batch_account" "fail_bad_default_action_no_public_network" { | |
| name = "testbatchaccount" | |
| resource_group_name = "group" | |
| location = "azurerm_resource_group.example.location" | |
| pool_allocation_mode = "BatchService" | |
| network_profile { | |
| account_access { | |
| default_action = "allow" | |
| } | |
| } | |
| } |
I suggest adding this scenario and adding it to the test cases for both Terraform and ARM.
There was a problem hiding this comment.
added + in arm test
…mon checks assertions function
bo156
approved these changes
Jan 6, 2025
Saarett
pushed a commit
that referenced
this pull request
Jan 7, 2025
…ss restriction (#6928) * add azure batch account network access validation - arm * add azure batch account network access validation - terraform
Saarett
pushed a commit
that referenced
this pull request
Jan 7, 2025
…ss restriction (#6928) * add azure batch account network access validation - arm * add azure batch account network access validation - terraform
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
User description
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
New/Edited policies (Delete if not relevant)
Description
CKV_AZURE_248 to arm, tf - when
publicNetworkAccessis enabled, check for thenetworkProfile. accountAccess.defaultActionattribute, fail if "allow".This check aligns to the run policy ID
ea27ffec-c8ba-4dbb-95e4-159b5350c94fFix
either disable
publicNetworkAccessor movenetworkProfile. accountAccess.defaultActionto "deny"Checklist:
Generated description
Below is a concise technical summary of the changes proposed in this PR:
Implements a new security check (CKV_AZURE_248) for Azure Batch accounts in both ARM and Terraform. The check ensures that when public network access is enabled, the account access default action is set to 'deny'. Adds implementation files for both ARM and Terraform, along with corresponding test files and examples. Updates the common test assertion utility to support more detailed validations.
Modified files (1)
Latest Contributors(0)
Modified files (2)
Latest Contributors(0)
Modified files (5)
Latest Contributors(0)