Open mmassey1993 opened 2 weeks ago
Hey @mmassey1993, changing the value from `publicNetworkAccess: 'Disabled'` to lowercase `'disabled'` seems to have fixed this issue for me.
Example of updated code:

```bicep
resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'standard'
    }
    tenantId: tenant().tenantId
    enablePurgeProtection: true
    enableSoftDelete: true
    enabledForTemplateDeployment: true
    enabledForDiskEncryption: true
    enabledForDeployment: true
    enableRbacAuthorization: true
    publicNetworkAccess: 'disabled'
  }
}
```

This seems to be the format listed in the following documentation: https://learn.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults?pivots=deployment-language-bicep#resource-format:~:text=RegisteringDns%27%0A%27Succeeded%27-,publicNetworkAccess,the%20firewall%20rules%20are%20present%20we%20will%20not%20honor%20the%20rules.,-string
Other notes: Checkov version 3.2.133
@mannycepeda1989 Thank you, that has worked. However, I use the same Disabled value for other things and it works perfectly fine. It would be nice if there was consistency, or if it just used a lower() function to ensure it's always lowercase, if that is what's needed.
The check also fails if the value is a parameter. Even if that parameter is "disabled" by default, it will still fail. Can Checkov evaluate the parameter values?

```bicep
@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set.')
@allowed([
  'enabled'
  'disabled'
])
param publicNetworkAccess string = 'disabled'

resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
  name: name
  location: location
  tags: tags
  properties: {
    enabledForDeployment: true
    enabledForTemplateDeployment: true
    enabledForDiskEncryption: true
    enableSoftDelete: true
    softDeleteRetentionInDays: softDeleteRetentionInDays
    enableRbacAuthorization: true
    enablePurgeProtection: true
    tenantId: subscription().tenantId
    accessPolicies: formattedAccessPolicies
    sku: {
      name: vaultSku
      family: 'A'
    }
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
    }
    publicNetworkAccess: publicNetworkAccess
  }
}
```
**Describe the issue**
The Checkov scan is failing on CKV_AZURE_189 (Ensure public network access for key vault is disabled) even though the correct property is in place.

**Examples**

```bicep
resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'standard'
    }
    tenantId: tenant().tenantId
    enablePurgeProtection: true
    enableSoftDelete: true
    enabledForTemplateDeployment: true
    enabledForDiskEncryption: true
    enabledForDeployment: true
    enableRbacAuthorization: true
    publicNetworkAccess: 'Disabled'
  }
}
```

I would expect this to work, as the public network access value is disabled.

**Additional context**
I had an issue with a different Checkov check, and the issue was because it was not checking for string values of "Enabled" or "Disabled" correctly in Bicep compared to Terraform.
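As an added illustration, not Checkov's own code and not how CKV_AZURE_189 is actually implemented, here is a small Python model of the two behaviours the thread asks for: a case-insensitive comparison of `publicNetworkAccess`, and static resolution of a value that is a Bicep parameter reference to that parameter's declared default. The dict shape of the parsed template, the convention that a bare identifier naming a declared parameter is a reference, the treatment of an unset property as a failure, and the `UNKNOWN` verdict for a parameter with no default are all assumptions made for this example.

```python
"""Illustrative policy check for publicNetworkAccess on Key Vault resources.

Added example: this is not Checkov's implementation of CKV_AZURE_189. It shows
how a check can (1) compare the value case-insensitively, so 'Disabled' and
'disabled' both pass, and (2) resolve a Bicep parameter reference to the
parameter's default value instead of failing on the unresolved identifier.
"""
import re
from typing import Any, Dict, Mapping

# Constructed sample of a parsed Bicep file, shaped as plain dicts. The shape
# is an assumption for this example, not Checkov's internal model. Parameter
# references are stored as the bare identifier, as they appear in Bicep source
# (e.g. `publicNetworkAccess: publicNetworkAccess`); quoted literals are stored
# without their quotes.
SAMPLE_TEMPLATE: Dict[str, Any] = {
    "parameters": {
        "publicNetworkAccess": {
            "type": "string",
            "allowed": ["enabled", "disabled"],
            "default": "disabled",
        },
        "pnaNoDefault": {"type": "string"},  # value only known at deploy time
    },
    "resources": {
        "kvMixedCase": {"type": "Microsoft.KeyVault/vaults",
                        "properties": {"publicNetworkAccess": "Disabled"}},
        "kvLower": {"type": "Microsoft.KeyVault/vaults",
                    "properties": {"publicNetworkAccess": "disabled"}},
        "kvParamWithDefault": {"type": "Microsoft.KeyVault/vaults",
                               "properties": {"publicNetworkAccess": "publicNetworkAccess"}},
        "kvParamNoDefault": {"type": "Microsoft.KeyVault/vaults",
                             "properties": {"publicNetworkAccess": "pnaNoDefault"}},
        "kvEnabled": {"type": "Microsoft.KeyVault/vaults",
                      "properties": {"publicNetworkAccess": "Enabled"}},
        "kvUnset": {"type": "Microsoft.KeyVault/vaults", "properties": {}},
        # Not a Key Vault: the check must skip it even though the value is Enabled.
        "storageUnrelated": {"type": "Microsoft.Storage/storageAccounts",
                             "properties": {"publicNetworkAccess": "Enabled"}},
    },
}

IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def resolve_value(raw: Any, parameters: Mapping[str, Mapping[str, Any]]) -> Any:
    """Statically resolve a property value.

    A bare identifier that names a declared parameter resolves to that
    parameter's default, or to None when it has no default (unknowable before
    deployment). Anything else is treated as a literal and returned unchanged.
    """
    if isinstance(raw, str) and IDENTIFIER.match(raw) and raw in parameters:
        return parameters[raw].get("default")
    return raw


def check_public_network_access(resource: Mapping[str, Any],
                                parameters: Mapping[str, Mapping[str, Any]]) -> str:
    """Return 'PASSED', 'FAILED' or 'UNKNOWN' for one Key Vault resource.

    Comparison is case-insensitive after trimming whitespace. An unset property
    is reported as FAILED here (assumption: the platform default is not
    guaranteed to be disabled, so the check does not give it the benefit of
    the doubt).
    """
    props = resource.get("properties") or {}
    if "publicNetworkAccess" not in props:
        return "FAILED"
    value = resolve_value(props["publicNetworkAccess"], parameters)
    if value is None:
        return "UNKNOWN"
    return "PASSED" if str(value).strip().lower() == "disabled" else "FAILED"


def scan(template: Mapping[str, Any]) -> Dict[str, str]:
    """Run the check over every Key Vault resource in a parsed template."""
    parameters = template.get("parameters", {})
    results: Dict[str, str] = {}
    for name, resource in template.get("resources", {}).items():
        if resource.get("type", "").lower() != "microsoft.keyvault/vaults":
            continue
        results[name] = check_public_network_access(resource, parameters)
    return results


if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_TEMPLATE).items():
        print(f"{verdict:8} {name}")
```

Run as a script it prints one verdict per Key Vault resource in the constructed template: both spellings of `disabled` pass, the parameter with a `'disabled'` default passes, the parameter without a default is reported as `UNKNOWN` rather than silently failed, and the unset and `Enabled` cases fail.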