This repository has been archived by the owner on Feb 14, 2024. It is now read-only.

feat: checkov output pre commit #258

Merged
merged 32 commits into from
Jun 22, 2023
Commits
246013c
Fixed CKV_AZURE_1 - Linux VM password auth
horiagunica May 4, 2023
858dff7
Fixed CKV_AZURE_33 - added bucket logging
horiagunica May 4, 2023
3b88f6e
Fixed CKV_AZURE_149 + CKV_AZURE_49 for vmss module
horiagunica May 4, 2023
fcb50aa
Fixed CKV_AZURE_35 - added storage ACL and updated examples
horiagunica May 4, 2023
2753eb0
Skipped CKV_AZURE_43 - issued PR to bridgecrew/checkov to update the …
horiagunica May 4, 2023
6d3a37f
Fixed issue with dedicated example diable_password_authentication
horiagunica May 4, 2023
6c5b62d
Updated dedicated inbound example + documentation for bootstrap
horiagunica May 5, 2023
a9a17c3
Updated dedicated inbound example + documentation for bootstrap
horiagunica May 5, 2023
fdf16d3
Added support for auto-generated self public IP whitelisting using ht…
horiagunica May 5, 2023
3435491
Bumped checkov version + excluded CKV_AZURE_59,CKV_AZURE_35
horiagunica May 8, 2023
876b2c7
Fixed CKV_AZURE_59
horiagunica May 8, 2023
df320ca
Fixed CKV_AZURE_190
horiagunica May 8, 2023
4d698e6
Skipped CKV_AZURE_59,CKV_AZURE_190 after testing
horiagunica May 9, 2023
d8005b8
Soft fail CKV_AZURE_1
horiagunica May 9, 2023
5b6e0ea
Skipped CKV2_AZURE_33
horiagunica May 9, 2023
57a38ff
Soft fail CKV_AZURE_49 + Skip CKV_AZURE_179
horiagunica May 9, 2023
f438b88
Added lifecycle constraints to storage_account
horiagunica May 9, 2023
087896b
Update modules/bootstrap/variables.tf
horiagunica May 10, 2023
3c6da54
Update modules/bootstrap/variables.tf
horiagunica May 10, 2023
5f820ee
Update modules/bootstrap/variables.tf
horiagunica May 10, 2023
f8a386f
Update modules/bootstrap/variables.tf
horiagunica May 10, 2023
79deadb
Converted ssh_key variable to list for vmss
horiagunica May 10, 2023
6e304a7
Fixed ssh_keys input error for vmss
horiagunica May 10, 2023
1d5fe2e
Update examples/common_vmseries/variables.tf
horiagunica May 11, 2023
15476c4
Update examples/common_vmseries/main.tf
horiagunica May 11, 2023
57b88c6
Update examples/common_vmseries/variables.tf
horiagunica May 11, 2023
c284c69
Update examples/dedicated_vmseries/example.tfvars
horiagunica May 11, 2023
1cf26d3
Renamed storage_allow_vnet_subnet_ids to storage_allow_vnet_subnets i…
horiagunica May 11, 2023
11feaec
Renamed storage_allow_vnet_subnet_ids to storage_allow_vnet_subnets i…
horiagunica May 11, 2023
0c5cb8d
Added condition for http data source
horiagunica May 11, 2023
cdb1868
skipped SSH key requirement check
horiagunica May 18, 2023
142264d
Merge branch 'main' into 200-checkov-output-pre-commit
horiagunica Jun 21, 2023
8 changes: 6 additions & 2 deletions .pre-commit-config.yaml
Expand Up @@ -18,8 +18,12 @@ repos:
--args=--only=terraform_workspace_remote,
]
- repo: https://github.com/bridgecrewio/checkov.git
rev: '2.2.125'
rev: '2.3.227'
hooks:
- id: checkov
verbose: true
args: [--soft-fail]
args: [
--compact,
--quiet,
--skip-check, "CKV_AZURE_118,CKV_AZURE_119,CKV_AZURE_120,CKV2_AZURE_10,CKV2_AZURE_12,CKV_AZURE_35,CKV_AZURE_206,CKV_AZURE_93,CKV2_AZURE_1,CKV2_AZURE_18,CKV_AZURE_97,CKV_AZURE_59,CKV_AZURE_190,CKV2_AZURE_33,CKV_AZURE_179,CKV_AZURE_1,CKV_AZURE_49",
]
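Review bot: the `--skip-check` list on the `args` line suppresses findings the commit history describes three different ways (fixed, "soft fail" for `CKV_AZURE_1` and `CKV_AZURE_49`, and "skipped after testing") with no rationale recorded, and removing `--soft-fail` means every new finding now hard-fails the hook. Keep the soft-fail cases visible by moving them to `--soft-fail-on CKV_AZURE_1,CKV_AZURE_49` instead of skipping them, and move the remaining IDs, with a one-line reason each, into a `.checkov.yaml` config (or a YAML comment above the hook) so the suppressions can be reviewed and aged out rather than living in one opaque string.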
4 changes: 3 additions & 1 deletion examples/common_vmseries/README.md
Expand Up @@ -149,6 +149,7 @@ terraform destroy
| Name | Version |
|------|---------|
| <a name="provider_random"></a> [random](#provider\_random) | n/a |
| <a name="provider_http"></a> [http](#provider\_http) | n/a |
| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | n/a |
| <a name="provider_local"></a> [local](#provider\_local) | n/a |

Expand All @@ -174,6 +175,7 @@ terraform destroy
| [local_file.bootstrap_xml](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
| [random_password.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
| [azurerm_resource_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
| [http_http.this](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |

### Inputs

Expand All @@ -195,7 +197,7 @@ terraform destroy
| <a name="input_vmseries_password"></a> [vmseries\_password](#input\_vmseries\_password) | Initial administrative password to use for all systems. Set to null for an auto-generated password. | `string` | `null` | no |
| <a name="input_availability_set"></a> [availability\_set](#input\_availability\_set) | A map defining availability sets. Can be used to provide infrastructure high availability when zones cannot be used.<br><br>Following properties are supported:<br>- `name` - name of the Application Insights.<br>- `update_domain_count` - specifies the number of update domains that are used, defaults to 5 (Azure defaults).<br>- `fault_domain_count` - specifies the number of fault domains that are used, defaults to 3 (Azure defaults).<br><br>Please keep in mind that Azure defaults are not working for each region (especially the small ones, w/o any Availability Zones). Please verify how many update and fault domain are supported in a region before deploying this resource. | `any` | `{}` | no |
| <a name="input_application_insights"></a> [application\_insights](#input\_application\_insights) | A map defining Azure Application Insights. There are three ways to use this variable:<br><br>* when the value is set to `null` (default) no AI is created<br>* when the value is a map containing `name` key (other keys are optional) a single AI instance will be created under the name that is the value of the `name` key<br>* when the value is an empty map or a map w/o the `name` key, an AI instance per each VMSeries VM will be created. All instances will share the same configuration. All instances will have names corresponding to their VM name.<br><br>Names for all AI instances are prefixed with `var.name_prefix`.<br><br>Properties supported (for details on each property see [modules documentation](../modules/application\_insights/README.md)):<br><br>- `name` : (optional, string) a name of a single AI instance<br>- `workspace_mode` : (optional, bool) defaults to `true`, use AI Workspace mode instead of the Classical (deprecated)<br>- `workspace_name` : (optional, string) defaults to AI name suffixed with `-wrkspc`, name of the Log Analytics Workspace created when AI is deployed in Workspace mode<br>- `workspace_sku` : (optional, string) defaults to PerGB2018, SKU used by WAL, see module documentation for details<br>- `metrics_retention_in_days` : (optional, number) defaults to current Azure default value, see module documentation for details<br><br>Example of an AIs created per VM, in Workspace mode, with metrics retention set to 1 year:<pre>vmseries = {<br> 'vm-1' = {<br> ....<br> }<br> 'vm-2' = {<br> ....<br> }<br>}<br><br>application_insights = {<br> metrics_retention_in_days = 365<br>}</pre> | `map(string)` | `null` | no |
| <a name="input_bootstrap_storage"></a> [bootstrap\_storage](#input\_bootstrap\_storage) | A map defining Azure Storage Accounts used to host file shares for bootstrapping NGFWs. This variable defines only Storage Accounts, file shares are defined per each VM. See `vmseries` variable, `bootstrap_storage` property.<br><br>Following properties are supported (except for name, all are optional):<br><br>- `name` : name of the Storage Account. Please keep in mind that storage account name has to be globally unique. This name will not be prefixed with the value of `var.name_prefix`.<br>- `create_storage_account` : (defaults to `true`) create or source (when `false`) an existing Storage Account.<br>- `resource_group_name` : (defaults to `var.resource_group_name`) name of the Resource Group hosting the Storage Account (existing or newly created). The RG has to exist.<br><br>The properties below do not directly change anything in the Storage Account settings. They can be used to control common parts of the `DAY0` configuration (used only when full bootstrap is used). These properties can also be specified per firewall, but when specified here they tak higher precedence:<br>- `public_snet_key` : required, name of the key in `var.vnets` map defining a public subnet, required to calculate the Azure router IP for the public subnet.<br>- `private_snet_key` : required, name of the key in `var.vnets` map defining a private subnet, required to calculate the Azure router IP for the private subnet.<br>- `intranet_cidr` : optional, CIDR of the private networks required to build a general static route to resources protected by this firewall, when skipped the 1st CIDR from `vnet_name` address space will be used.<br>- `ai_update_interval` : if Application Insights are used this property can override the default metrics update interval (in minutes). | `any` | `{}` | no |
| <a name="input_bootstrap_storage"></a> [bootstrap\_storage](#input\_bootstrap\_storage) | A map defining Azure Storage Accounts used to host file shares for bootstrapping NGFWs. This variable defines only Storage Accounts, file shares are defined per each VM. See `vmseries` variable, `bootstrap_storage` property.<br><br>Following properties are supported (except for name, all are optional):<br><br>- `name` : name of the Storage Account. Please keep in mind that storage account name has to be globally unique. This name will not be prefixed with the value of `var.name_prefix`.<br>- `create_storage_account` : (defaults to `true`) create or source (when `false`) an existing Storage Account.<br>- `resource_group_name` : (defaults to `var.resource_group_name`) name of the Resource Group hosting the Storage Account (existing or newly created). The RG has to exist.<br>- `storage_acl` : (defaults to `false`) enables network ACLs on the Storage Account. If this is enabled - `storage_allow_vnet_subnets` and `storage_allow_inbound_public_ips` options become available. The ACL defaults to default `Deny`.<br>- `storage_allow_vnet_subnets` : (defaults to `[]`) whitelist containing the allowed vnet and associated subnets that are allowed to access the Storage Account. Note that the respective subnets require `enable_storage_service_endpoint` set to `true` to work properly.<br>- `storage_allow_inbound_public_ips` : (defaults to `[]`) whitelist containing the allowed public IP subnets that can access the Storage Account. Note that the code automatically tries to query [https://api.ipify.org](https://api.ipify.org) to obtain the public IP address of the machine executing the code so that the bootstrap files can be successfully uploaded to the Storage Account.<br><br>The properties below do not directly change anything in the Storage Account settings. They can be used to control common parts of the `DAY0` configuration (used only when full bootstrap is used). 
These properties can also be specified per firewall, but when specified here they tak higher precedence:<br>- `public_snet_key` : required, name of the key in `var.vnets` map defining a public subnet, required to calculate the Azure router IP for the public subnet.<br>- `private_snet_key` : required, name of the key in `var.vnets` map defining a private subnet, required to calculate the Azure router IP for the private subnet.<br>- `intranet_cidr` : optional, CIDR of the private networks required to build a general static route to resources protected by this firewall, when skipped the 1st CIDR from `vnet_name` address space will be used.<br>- `ai_update_interval` : if Application Insights are used this property can override the default metrics update interval (in minutes). | `any` | `{}` | no |
| <a name="input_vmseries"></a> [vmseries](#input\_vmseries) | Map of virtual machines to create to run VM-Series - inbound firewalls. Following properties are supported:<br><br>- `name` : name of the VMSeries virtual machine.<br>- `vm_size` : size of the VMSeries virtual machine, when specified overrides `var.vmseries_vm_size`.<br>- `version` : PanOS version, when specified overrides `var.vmseries_version`.<br>- `vnet_key` : a key of a VNET defined in the `var.vnets` map. This value will be used during network interfaces creation.<br>- `add_to_appgw_backend` : bool, `false` by default, set this to `true` to add this backend to an Application Gateway.<br>- `avzone`: the Azure Availability Zone identifier ("1", "2", "3"). Default is "1".<br>- `availability_set_name` : a name of an Availability Set as declared in `availability_set` property. Specify when HA is required but cannot go for zonal deployment.<br><br>- `bootstrap_options` : string, optional bootstrap options to pass to VM-Series instances, semicolon separated values. When defined this precedence over `bootstrap_storage`<br>- `bootstrap_storage` : a map containing definition of the bootstrap package content. When present triggers a creation of a File Share in an existing Storage Account, following properties supported:<br> - `name` : a name of a key in `var.bootstrap_storage` variable defining a Storage Account<br> - `static_files` : a map where key is a path to a file, value is the location of the file in the bootstrap package (file share). All files in this map are copied 1:1 to the bootstrap package<br> - `template_bootstrap_xml` : path to the `bootstrap.xml` template. When defined it will trigger creation of the `bootstrap.xml` file and the file will be uploaded to the storage account. This is a simple `day 0` configuration file that should set up only basic networking. Specifying this property forces additional properties that are required to properly template the file. 
They can be defined per each VM or globally for all VMs (in this case place them in the bootstrap storage definition). The properties are listed below.<br> - `public_snet_key` : required, name of the key in `var.vnets` map defining a public subnet, required to calculate the Azure router IP for the public subnet.<br> - `private_snet_key` : required, name of the key in `var.vnets` map defining a private subnet, required to calculate the Azure router IP for the private subnet.<br> - `intranet_cidr` : optional, CIDR of the private networks required to build a general static route to resources protected by this firewall, when skipped the 1st CIDR from `vnet_name` address space will be used.<br> - `ai_update_interval` : if Application Insights are used this property can override the default metrics update interval (in minutes).<br><br>- `interfaces` : configuration of all NICs assigned to a VM. A list of maps, each map is a NIC definition. Notice that the order DOES matter. NICs are attached to VMs in Azure in the order they are defined in this list, therefore the management interface has to be defined first. 
Following properties are available:<br> - `name`: string that will form the NIC name<br> - `subnet_key` : (string) a key of a subnet as defined in `var.vnets`<br> - `create_pip` : (boolean) flag to create Public IP for an interface, defaults to `false`<br> - `public_ip_name` : (string) when `create_pip` is set to `false` a name of a Public IP resource that should be associated with this Network Interface<br> - `public_ip_resource_group` : (string) when associating an existing Public IP resource, name of the Resource Group the IP is placed in, defaults to the `var.resource_group_name`<br> - `load_balancer_key` : (string) key of a Load Balancer defined in the `var.loadbalancers` variable, defaults to `null`<br> - `private_ip_address` : (string) a static IP address that should be assigned to an interface, defaults to `null` (in that case DHCP is used)<br><br>Example:<pre>{<br> "fw01" = {<br> name = "firewall01"<br> bootstrap_storage = {<br> name = "storageaccountname"<br> static_files = { "files/init-cfg.txt" = "config/init-cfg.txt" }<br> template_bootstrap_xml = "templates/bootstrap_common.tmpl"<br> public_snet_key = "public"<br> private_snet_key = "private"<br> }<br> avzone = 1<br> vnet_key = "trust"<br> interfaces = [<br> {<br> name = "mgmt"<br> subnet_key = "mgmt"<br> create_pip = true<br> private_ip_address = "10.0.0.1"<br> },<br> {<br> name = "trust"<br> subnet_key = "private"<br> private_ip_address = "10.0.1.1"<br> load_balancer_key = "private_lb"<br> },<br> {<br> name = "untrust"<br> subnet_key = "public"<br> private_ip_address = "10.0.2.1"<br> load_balancer_key = "public_lb"<br> public_ip_name = "existing_public_ip"<br> }<br> ]<br> }<br>}</pre> | `any` | n/a | yes |
| <a name="input_appgws"></a> [appgws](#input\_appgws) | A map defining all Application Gateways in the current deployment.<br><br>For detailed documentation on how to configure this resource, for available properties, especially for the defaults and the `rules` property refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-azurerm-vmseries-modules/blob/main/modules/appgw/README.md).<br><br>Following properties are supported:<br>- `name` : name of the Application Gateway.<br>- `vnet_key` : a key of a VNET defined in the `var.vnets` map.<br>- `subnet_key` : a key of a subnet as defined in `var.vnets`. This has to be a subnet dedicated to Application Gateways v2.<br>- `zones` : for zonal deployment this is a list of all zones in a region - this property is used by both: the Application Gateway and the Public IP created in front of the AppGW.<br>- `capacity` : (optional) number of Application Gateway instances, not used when autoscalling is enabled (see `capacity_min`)<br>- `capacity_min` : (optional) when set enables autoscaling and becomes the minimum capacity<br>- `capacity_max` : (optional) maximum capacity for autoscaling<br>- `enable_http2` : enable HTTP2 support on the Application Gateway<br>- `waf_enabled` : (optional) enables WAF Application Gateway, defining WAF rules is not supported, defaults to `false`<br>- `vmseries_public_nic_name` : name of the public VMSeries interface as defined in `interfaces` property.<br>- `managed_identities` : (optional) a list of existing User-Assigned Managed Identities, which Application Gateway uses to retrieve certificates from Key Vault<br>- `ssl_policy_type` : (optional) type of an SSL policy, defaults to `Predefined`<br>- `ssl_policy_name` : (optional) name of an SSL policy, for `ssl_policy_type` set to `Predefined`<br>- `ssl_policy_min_protocol_version` : (optional) minimum version of the TLS protocol for SSL Policy, for `ssl_policy_type` set to `Custom`<br>- `ssl_policy_cipher_suites` : 
(optional) a list of accepted cipher suites, for `ssl_policy_type` set to `Custom`<br>- `ssl_profiles` : (optional) a map of SSL profiles that can be later on referenced in HTTPS listeners by providing a name of the profile in the `ssl_profile_name` property | `map` | `{}` | no |
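Review bot: the `bootstrap_storage` row (both the removed and the added version) still reads "they tak higher precedence"; this table looks generated from the variable descriptions, so fix "take" in `examples/common_vmseries/variables.tf` and regenerate rather than hand-editing the table. The new `storage_allow_vnet_subnets` entry also only says "whitelist containing the allowed vnet and associated subnets", which does not tell a reader that each element is an object carrying `vnet_key` and `subnet_key`, the shape `main.tf` indexes `module.vnet` with.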

18 changes: 14 additions & 4 deletions examples/common_vmseries/main.tf
Expand Up @@ -14,6 +14,13 @@ locals {
vmseries_password = coalesce(var.vmseries_password, try(random_password.this[0].result, null))
}

# Obtain Public IP address of code deployment machine

data "http" "this" {
count = length(var.bootstrap_storage) > 0 && contains([for v in values(var.bootstrap_storage) : v.storage_acl], true) ? 1 : 0
url = "https://api.ipify.org"
}

# Create or source the Resource Group.
resource "azurerm_resource_group" "this" {
count = var.create_resource_group ? 1 : 0
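Review bot: the `count` expression on `data "http" "this"` evaluates `v.storage_acl` for every `bootstrap_storage` entry, so an entry that omits the key (which the documentation allows, since it defaults to `false`) fails the plan with an unsupported-attribute error; use `try(v.storage_acl, false)` as the `module "bootstrap"` block below already does. The lookup also trusts whatever https://api.ipify.org returns: a non-200 response or an HTML error page is passed downstream as if it were an address, and every plan now depends on a third-party service being reachable. Add a `lifecycle { postcondition }` on the data source that requires `self.status_code == 200` and that `self.response_body` parses as an address (for example `can(cidrhost("${self.response_body}/32", 0))`), so a bad response fails with a clear message instead of reaching the Storage Account rules.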
Expand Down Expand Up @@ -194,10 +201,13 @@ module "bootstrap" {

for_each = var.bootstrap_storage

create_storage_account = try(each.value.create_storage, true)
name = each.value.name
resource_group_name = try(each.value.resource_group_name, local.resource_group.name)
location = var.location
create_storage_account = try(each.value.create_storage, true)
name = each.value.name
resource_group_name = try(each.value.resource_group_name, local.resource_group.name)
location = var.location
storage_acl = try(each.value.storage_acl, false)
storage_allow_vnet_subnet_ids = try(flatten([for v in each.value.storage_allow_vnet_subnets : [module.vnet[v.vnet_key].subnet_ids[v.subnet_key]]]), [])
storage_allow_inbound_public_ips = concat(try(each.value.storage_allow_inbound_public_ips, []), try([data.http.this[0].response_body], []))

tags = var.tags
}
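Review bot: `try(each.value.create_storage, true)` reads a key named `create_storage`, while the variable description in `variables.tf` and the README document it as `create_storage_account`; a user following the docs sets the documented key, the `try` falls back to `true`, and a new Storage Account is created silently. Align the code or the docs. The new `storage_allow_inbound_public_ips = concat(..., try([data.http.this[0].response_body], []))` line also deserves a sentence in the docs: it bakes the deploying machine's egress address into the Storage Account network rules persistently, so every CI runner or laptop that ever ran an apply stays allow-listed until someone removes it by hand.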
3 changes: 3 additions & 0 deletions examples/common_vmseries/variables.tf
Expand Up @@ -272,6 +272,9 @@ variable "bootstrap_storage" {
- `name` : name of the Storage Account. Please keep in mind that storage account name has to be globally unique. This name will not be prefixed with the value of `var.name_prefix`.
- `create_storage_account` : (defaults to `true`) create or source (when `false`) an existing Storage Account.
- `resource_group_name` : (defaults to `var.resource_group_name`) name of the Resource Group hosting the Storage Account (existing or newly created). The RG has to exist.
- `storage_acl` : (defaults to `false`) enables network ACLs on the Storage Account. If this is enabled - `storage_allow_vnet_subnets` and `storage_allow_inbound_public_ips` options become available. The ACL defaults to default `Deny`.
- `storage_allow_vnet_subnets` : (defaults to `[]`) whitelist containing the allowed vnet and associated subnets that are allowed to access the Storage Account. Note that the respective subnets require `enable_storage_service_endpoint` set to `true` to work properly.
- `storage_allow_inbound_public_ips` : (defaults to `[]`) whitelist containing the allowed public IP subnets that can access the Storage Account. Note that the code automatically tries to query [https://api.ipify.org](https://api.ipify.org) to obtain the public IP address of the machine executing the code so that the bootstrap files can be successfully uploaded to the Storage Account.

The properties below do not directly change anything in the Storage Account settings. They can be used to control common parts of the `DAY0` configuration (used only when full bootstrap is used). These properties can also be specified per firewall, but when specified here they tak higher precedence:
- `public_snet_key` : required, name of the key in `var.vnets` map defining a public subnet, required to calculate the Azure router IP for the public subnet.
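Review bot: the new `storage_allow_vnet_subnets` bullet should state the element shape that `main.tf` consumes (a list of objects with `vnet_key` and `subnet_key`, both referring to keys in `var.vnets`), and the `storage_allow_inbound_public_ips` bullet should say whether entries are single addresses or CIDR ranges, since "public IP subnets" is ambiguous and the auto-detected value is a bare address. The api.ipify.org sentence should also say that there is no opt-out: any entry with `storage_acl = true` makes every plan perform an outbound HTTPS call to that service, which matters for pipelines behind a proxy or NAT whose egress address is not the one that should be allow-listed. The pre-existing "tak higher precedence" in the paragraph below should be "take".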
3 changes: 3 additions & 0 deletions examples/common_vmseries/versions.tf
Expand Up @@ -7,6 +7,9 @@ terraform {
random = {
source = "hashicorp/random"
}
http = {
source = "hashicorp/http"
}
}
}
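Review bot: the new `http` entry in `required_providers` carries no `version` constraint (matching the unconstrained `random` entry above it), which is why the README now lists the provider version as n/a. `data.http.this` in `main.tf` reads `response_body`, an attribute that only the newer, 3.x line of hashicorp/http exposes, so an unpinned install that resolves an older provider fails with an unsupported-attribute error; add a minimum version constraint for `http` (and ideally for `random`) so the example is reproducible.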
