Policy as code basic implementation for demo with Checkov

[eduardodfmex]

Description

Policy as code basic implementation for demo with Checkov Policy as code allow users to detect and implement base line security configuration and best practices, for example can for to implement encryption for VMS or remove public endpoint for resources.

Example: Check: CKV_AZURE_189: "Ensure that Azure Key Vault disables public network access" PASSED for resource: azurerm_key_vault.key_vault File: /tf.json:0-0 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/azr-networking-189

Possible tasks

• Make run Checkov locally.

• Create a custom rule with Python to check policy locally.

• Example policy would be: “won't let you create an environment without a security group assigned”.

• Create GitHub action for the demo.

Example Details

• Proposed Name: (e.g. 101-my-example)
• Supporting documentation:
• Estimated complexity/effort:
• Related resources/data sources:

Potential Checkov Configuration example "KeyVaultDisablesPublicNetworkAccess".

https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultDisablesPublicNetworkAccess.py

# Sample Checkov rule describing how the check will look like.

from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck

class KeyVaultDisablesPublicNetworkAccess(BaseResourceValueCheck):
    def __init__(self):
        name = "Ensure that Azure Key Vault disables public network access"
        id = "CKV_AZURE_189"
        supported_resources = ('azurerm_key_vault',)
        categories = (CheckCategories.NETWORKING,)
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

    def get_inspected_key(self):
        return "public_network_access_enabled"

    def get_expected_value(self):
        return False

    def scan_resource_conf(self, conf) -> CheckResult:
        """
        KeyVaultDisablesPublicNetworkAccess unique logic.
        public_network_access_enabled default value is True (when creating it)
        If it False - check pass
        Otherwise, we check that ip rules configured inside network_acls.

        """
        conf_value = conf.get(self.get_inspected_key())
        conf_value = conf_value[0] if isinstance(conf_value, list) else conf_value
        if self.get_expected_value() == conf_value:
            return CheckResult.PASSED
        if conf.get("network_acls"):
            network_acls = conf.get("network_acls")
            if isinstance(network_acls, list):
                for network_acl in network_acls:
                    if isinstance(network_acl, dict):
                        ip_rules = network_acl.get("ip_rules")
                        # Get first element in ip_rules (as parser wrap it with list).
                        ip_rules = ip_rules[0] if ip_rules and isinstance(ip_rules, list) else ip_rules
                        if ip_rules:
                            return CheckResult.PASSED

        return CheckResult.FAILED

check = KeyVaultDisablesPublicNetworkAccess()

Definition of Done

• [ ] Example in the /examples/quickstarts folder
• [ ] Example documentation in README.md.tmpl
• [ ] Updated auto-generated provider docs with make quickstarts
• [ ] Confirmation that you have manually tested this

Contributions

Do you plan to raise a PR to address this issue? YES / NO?

See the contributing guide for more information about what's expected for contributions.

[eduardodfmex]

Closing this because we already implement this quickstart : https://github.com/microsoft/power-platform-terraform-quickstarts/blob/main/quickstarts/300-pac-checkov/README.md