From 2a0a9578569d0b25d31d5085ffc3207fec0bfcde Mon Sep 17 00:00:00 2001
From: Barak Fatal
Date: Tue, 22 Nov 2022 15:56:06 +0200
Subject: [PATCH] Added CKV_AWS_282 check for setting inside terraform
---
 .../aws/RedshiftServerlessNamespaceKMSKey.py | 21 ++++++++++
 .../main.tf | 8 ++++
 .../test_RedshiftServerlessNamespaceKMSKey.py | 40 +++++++++++++++++++
 3 files changed, 69 insertions(+)
 create mode 100644 checkov/terraform/checks/resource/aws/RedshiftServerlessNamespaceKMSKey.py
 create mode 100644 tests/terraform/checks/resource/aws/example_RedshiftServerlessNamespaceKMSKey/main.tf
 create mode 100644 tests/terraform/checks/resource/aws/test_RedshiftServerlessNamespaceKMSKey.py
diff --git a/checkov/terraform/checks/resource/aws/RedshiftServerlessNamespaceKMSKey.py b/checkov/terraform/checks/resource/aws/RedshiftServerlessNamespaceKMSKey.py
new file mode 100644
index 00000000000..fad39c8de5d
--- /dev/null
+++ b/checkov/terraform/checks/resource/aws/RedshiftServerlessNamespaceKMSKey.py
@@ -0,0 +1,21 @@
+from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+from checkov.common.models.enums import CheckCategories
+from checkov.common.models.consts import ANY_VALUE
+
+
+class RedshiftServerlessNamespaceKMSKey(BaseResourceValueCheck):
+ def __init__(self) -> None:
+ name = "Ensure that Redshift serverless namespace is encrypted by KMS"
+ id = "CKV_AWS_282"
+ supported_resources = ['aws_redshiftserverless_namespace']
+ categories = [CheckCategories.ENCRYPTION]
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+ def get_inspected_key(self) -> str:
+ return "kms_key_id"
+
+ def get_expected_value(self) -> str:
+ return ANY_VALUE
+
+
+check = RedshiftServerlessNamespaceKMSKey()
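Review bot: The check reports PASSED as soon as `kms_key_id` carries any value (`get_expected_value` returns `ANY_VALUE`), so the name "is encrypted by KMS" overstates what is verified — presumably the namespace is encrypted at rest regardless, and the property actually enforced is that a caller-specified KMS key is configured; confirm against the resource documentation before the name is published. Whether an explicitly empty `kms_key_id = ""` or an unresolved reference also passes depends on how `BaseResourceValueCheck` handles `ANY_VALUE`, which lies outside this hunk and is worth stating. A one-line class docstring would pin the contract, e.g. `"""Flags aws_redshiftserverless_namespace resources that do not set kms_key_id; any non-empty value passes."""`. As a point of style, the local `id` shadows the builtin, though this presumably mirrors the pattern used by sibling checks.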
diff --git a/tests/terraform/checks/resource/aws/example_RedshiftServerlessNamespaceKMSKey/main.tf b/tests/terraform/checks/resource/aws/example_RedshiftServerlessNamespaceKMSKey/main.tf
new file mode 100644
index 00000000000..3ec7e9a37cc
--- /dev/null
+++ b/tests/terraform/checks/resource/aws/example_RedshiftServerlessNamespaceKMSKey/main.tf
@@ -0,0 +1,8 @@
+resource "aws_redshiftserverless_namespace" "fail" {
+ namespace_name = "test-fail-namespace"
+}
+
+resource "aws_redshiftserverless_namespace" "pass" {
+ namespace_name = "test-pass-namespace"
+ kms_key_id = aws_kms_key.example.arn
+}
diff --git a/tests/terraform/checks/resource/aws/test_RedshiftServerlessNamespaceKMSKey.py b/tests/terraform/checks/resource/aws/test_RedshiftServerlessNamespaceKMSKey.py
new file mode 100644
index 00000000000..4f061f65afe
--- /dev/null
+++ b/tests/terraform/checks/resource/aws/test_RedshiftServerlessNamespaceKMSKey.py
@@ -0,0 +1,40 @@
+import os
+import unittest
+
+from checkov.runner_filter import RunnerFilter
+from checkov.terraform.checks.resource.aws.RedshiftServerlessNamespaceKMSKey import check
+from checkov.terraform.runner import Runner
+
+
+class TestRedshiftServerlessNamespaceKMSKey(unittest.TestCase):
+ def test(self) -> None:
+ runner = Runner()
+ current_dir = os.path.dirname(os.path.realpath(__file__))
+
+ test_files_dir = current_dir + "/example_RedshiftServerlessNamespaceKMSKey"
+ report = runner.run(
+ root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id])
+ )
+ summary = report.get_summary()
+
+ passing_resources = {
+ "aws_redshiftserverless_namespace.pass",
+ }
+ failing_resources = {
+ "aws_redshiftserverless_namespace.fail",
+ }
+
+ passed_check_resources = {c.resource for c in report.passed_checks}
+ failed_check_resources = {c.resource for c in report.failed_checks}
+
+ self.assertEqual(summary["passed"], 1)
+ self.assertEqual(summary["failed"], 1)
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+ unittest.main()
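Review bot: The fixture only exercises a namespace with `kms_key_id` set to a resource reference and one with the attribute absent, so the test does not pin how the check treats an explicitly empty `kms_key_id = ""` — the case an operator is most likely to write by accident; a third resource in main.tf with its outcome asserted here (and the `passed`/`failed` counts adjusted) would document that boundary. As a point of style, `test_files_dir = current_dir + "/example_RedshiftServerlessNamespaceKMSKey"` builds the path by string concatenation although `os` is already imported; `test_files_dir = os.path.join(current_dir, "example_RedshiftServerlessNamespaceKMSKey")` is the idiomatic form. A short docstring on `test` naming the two expected outcomes would help readers who do not open the fixture, e.g. `"""pass: kms_key_id set; fail: kms_key_id absent."""`.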