Open ocofaigh opened 7 months ago
Hi @ocofaigh, thanks for reaching out. That's a good catch. Do you wish to contribute the fix? That would be very helpful. Otherwise, we could wait for @praveen-panw to introduce the fix. This is the relevant file path - checkov/terraform/checks/graph_checks/ibm/IBM_DatabasesNWaccessRestrictedToSpecificIPrange.yaml
@Saarett What do you propose the fix would be here? CBR creation is handled as completely different terraform resources to ibm_database. You basically use ibm_cbr_zone to create a zone (such as IP address space), and then use ibm_cbr_rule to create the rule. So it won't be as simple as updating the current yaml logic.
Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com Thanks!
Still an issue, so leaving comment to prevent issue from being closed
@ocofaigh I apologize for the delayed response. What if we changed this policy from a YAML-based policy to a Python-based policy? Would that make it easier?
@Saarett regardless of whether you go with yaml or python, I guess a decision has to be made on what exactly you plan to check. All that I know is that the rule CKV2_IBM_6 is mandating a feature that is deprecated, so you either need to remove the rule, or update it. If you were to update it, I'm not actually sure what you replace it with since the suggestion is to use CBRs, and CBRs are account-level settings that are created separately to database instances.
Describe the issue
CKV2_IBM_6: "Ensure Databases network access is restricted to a specific IP range" currently fails if not using the allowlist option with the ibm_database resource. The problem however is that this feature has been deprecated by IBM Cloud in favour of CBRs (Context Based Restrictions). From the official docs:
So I do not think CKV2_IBM_6 should be mandating people to use a deprecated feature. Perhaps update the logic to check for CBRs? For example, our ICD redis module allows you to provision CBR rules to restrict network access -> https://github.com/terraform-ibm-modules/terraform-ibm-icd-redis/blob/bd9f6299366bf2f58a137e04500d4f2102e96cf4/main.tf#L143-L181
Examples Module -> https://github.com/terraform-ibm-modules/terraform-ibm-icd-redis
Failure:
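A sketch of the decision logic the thread is circling around (pass on the legacy allowlist, or on an enforced ibm_cbr_rule that targets the instance), as an added example that is not Checkov's code or the ICD module's: it runs over a constructed dict standing in for parsed Terraform, and the resource-model shape, the `${...}` reference form and the assumption that only an enforcement_mode of "enabled" counts as protection are mine.

```python
import re
from typing import Any

# Constructed sample shaped like HCL parsed into dicts (assumption, not
# Checkov's internal model): resource type -> resource name -> attributes.
# Cross-resource references survive as "${type.name.attr}" strings.
SAMPLE_RESOURCES: dict[str, dict[str, dict[str, Any]]] = {
    "ibm_database": {
        "legacy": {"service": "databases-for-redis",
                   "allowlist": [{"address": "10.0.0.0/24"}]},   # deprecated option
        "cbr_protected": {"service": "databases-for-redis"},     # covered by rule below
        "exposed": {"service": "databases-for-redis"},           # neither mechanism
    },
    "ibm_cbr_zone": {
        "office": {"addresses": [{"type": "ipRange", "value": "10.0.0.1-10.0.0.254"}]},
    },
    "ibm_cbr_rule": {
        "db_rule": {
            "enforcement_mode": "enabled",
            "contexts": [{"attributes": [
                {"name": "networkZoneId", "value": "${ibm_cbr_zone.office.id}"}]}],
            "resources": [{"attributes": [
                {"name": "serviceName", "value": "databases-for-redis"},
                {"name": "serviceInstance", "value": "${ibm_database.cbr_protected.guid}"},
            ]}],
        },
    },
}

# Matches a reference to an ibm_database resource and captures its name.
DB_REF = re.compile(r"\$\{ibm_database\.([A-Za-z0-9_-]+)\.")

def cbr_protected_databases(resources: dict) -> set[str]:
    """Names of ibm_database resources targeted by an *enforced* ibm_cbr_rule.
    Rules in 'report' or 'disabled' mode do not restrict traffic, so they are skipped."""
    protected: set[str] = set()
    for rule in resources.get("ibm_cbr_rule", {}).values():
        if rule.get("enforcement_mode", "enabled") != "enabled":
            continue
        for block in rule.get("resources", []):
            for attr in block.get("attributes", []):
                if attr.get("name") == "serviceInstance":
                    match = DB_REF.search(str(attr.get("value", "")))
                    if match:
                        protected.add(match.group(1))
    return protected

def evaluate(resources: dict) -> dict[str, str]:
    """Per ibm_database: PASSED if it has a legacy allowlist or an enforced CBR rule."""
    protected = cbr_protected_databases(resources)
    return {name: "PASSED" if attrs.get("allowlist") or name in protected else "FAILED"
            for name, attrs in resources.get("ibm_database", {}).items()}
```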