Policy as code basic implementation for demo with Checkov
Policy as code allow users to detect and implement base line security configuration and best practices, for example can for to implement encryption for VMS or remove public endpoint for resources.
# Sample Checkov rule describing how the check will look like.
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
class KeyVaultDisablesPublicNetworkAccess(BaseResourceValueCheck):
def __init__(self):
name = "Ensure that Azure Key Vault disables public network access"
id = "CKV_AZURE_189"
supported_resources = ('azurerm_key_vault',)
categories = (CheckCategories.NETWORKING,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def get_inspected_key(self):
return "public_network_access_enabled"
def get_expected_value(self):
return False
def scan_resource_conf(self, conf) -> CheckResult:
"""
KeyVaultDisablesPublicNetworkAccess unique logic.
public_network_access_enabled default value is True (when creating it)
If it False - check pass
Otherwise, we check that ip rules configured inside network_acls.
"""
conf_value = conf.get(self.get_inspected_key())
conf_value = conf_value[0] if isinstance(conf_value, list) else conf_value
if self.get_expected_value() == conf_value:
return CheckResult.PASSED
if conf.get("network_acls"):
network_acls = conf.get("network_acls")
if isinstance(network_acls, list):
for network_acl in network_acls:
if isinstance(network_acl, dict):
ip_rules = network_acl.get("ip_rules")
# Get first element in ip_rules (as parser wrap it with list).
ip_rules = ip_rules[0] if ip_rules and isinstance(ip_rules, list) else ip_rules
if ip_rules:
return CheckResult.PASSED
return CheckResult.FAILED
check = KeyVaultDisablesPublicNetworkAccess()
Definition of Done
[ ] Example in the /examples/quickstarts folder
[ ] Example documentation in README.md.tmpl
[ ] Updated auto-generated provider docs with make quickstarts
[ ] Confirmation that you have manually tested this
Contributions
Do you plan to raise a PR to address this issue? YES / NO?
See the contributing guide for more information about what's expected for contributions.
Description
Policy as code basic implementation for demo with Checkov Policy as code allow users to detect and implement base line security configuration and best practices, for example can for to implement encryption for VMS or remove public endpoint for resources.
Example: Check: CKV_AZURE_189: "Ensure that Azure Key Vault disables public network access" PASSED for resource: azurerm_key_vault.key_vault File: /tf.json:0-0 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/azr-networking-189
Possible tasks
Make run Checkov locally.
Create a custom rule with Python to check policy locally.
Example policy would be: “won't let you create an environment without a security group assigned”.
Create GitHub action for the demo.
Example Details
Potential Checkov Configuration example "KeyVaultDisablesPublicNetworkAccess".
https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultDisablesPublicNetworkAccess.py
Definition of Done
make quickstarts
Contributions
Do you plan to raise a PR to address this issue? YES / NO?
See the contributing guide for more information about what's expected for contributions.