feat(terraform): add CKV NCP rules about LBTargetGroupUsingHTTPS (#3797)

* [22.10.27][add]LBListenerUsesSecureProtocols

* [22.11.05][add]NCP_LBTargetGroupUsingHTTPS

* [22.11.05][delete]ncp_13_rule

* Update checkov/terraform/checks/resource/ncp/LBTargetGroupUsingHTTPS.py

Co-authored-by: Anton Grübel <[email protected]>

* Update checkov/terraform/checks/resource/ncp/LBTargetGroupUsingHTTPS.py

Co-authored-by: Anton Grübel <[email protected]>

Co-authored-by: Kuemjong Jeong <[email protected]>
Co-authored-by: Anton Grübel <[email protected]>

checkov/terraform/checks/resource/ncp/LBTargetGroupUsingHTTPS.py

@@ -0,0 +1,23 @@
+from __future__ import annotations
+
+from checkov.common.models.enums import CheckResult, CheckCategories
+from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
+
+
+class LBTargetGroupUsingHTTPS(BaseResourceCheck):
+
+    def __init__(self):
+        name = "Ensure Load Balancer Target Group is not using HTTP"
+        id = "CKV_NCP_15"
+        supported_resources = ("ncloud_lb_target_group",)
+        categories = (CheckCategories.GENERAL_SECURITY,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def scan_resource_conf(self, conf):
+        if "protocol" in conf.keys():
+            if conf.get("protocol") != ['HTTP']:
+                return CheckResult.PASSED
+        return CheckResult.FAILED
+
+
+check = LBTargetGroupUsingHTTPS()

tests/terraform/checks/resource/ncp/example_LBTargetGroupUsingHTTPS/main.tf

@@ -0,0 +1,34 @@
+resource "ncloud_lb_target_group" "pass" {
+  vpc_no   = ncloud_vpc.test.vpc_no
+  protocol = "HTTPS"
+  target_type = "VSVR"
+  port        = 8080
+  description = "for test"
+  health_check {
+    protocol = "HTTP"
+    http_method = "GET"
+    port           = 8080
+    url_path       = "/monitor/l7check"
+    cycle          = 30
+    up_threshold   = 2
+    down_threshold = 2
+  }
+  algorithm_type = "RR"
+}
+resource "ncloud_lb_target_group" "fail" {
+  vpc_no   = ncloud_vpc.test.vpc_no
+  protocol = "HTTP"
+  target_type = "VSVR"
+  port        = 8080
+  description = "for test"
+  health_check {
+    protocol = "HTTP"
+    http_method = "GET"
+    port           = 8080
+    url_path       = "/monitor/l7check"
+    cycle          = 30
+    up_threshold   = 2
+    down_threshold = 2
+  }
+  algorithm_type = "RR"
+}

tests/terraform/checks/resource/ncp/test_LBTargetGroupUsingHTTPS.py

@@ -0,0 +1,40 @@
+import unittest
+from pathlib import Path
+
+from checkov.runner_filter import RunnerFilter
+from checkov.terraform.checks.resource.ncp.LBTargetGroupUsingHTTPS import check
+from checkov.terraform.runner import Runner
+
+
+class TestLBTargetGroupUsingHTTPS(unittest.TestCase):
+    def test(self):
+        # given
+        test_files_dir = Path(__file__).parent / "example_LBTargetGroupUsingHTTPS"
+
+        # when
+        report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+        # then
+        summary = report.get_summary()
+
+        passing_resources = {
+            "ncloud_lb_target_group.pass",
+        }
+        failing_resources = {
+            "ncloud_lb_target_group.fail",
+        }
+
+        passed_check_resources = {c.resource for c in report.passed_checks}
+        failed_check_resources = {c.resource for c in report.failed_checks}
+
+        self.assertEqual(summary["passed"], 1)
+        self.assertEqual(summary["failed"], 1)
+        self.assertEqual(summary["skipped"], 0)
+        self.assertEqual(summary["parsing_errors"], 0)
+
+        self.assertEqual(passing_resources, passed_check_resources)
+        self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+    unittest.main()