feat(terraform): add CKV NCP rules about Network ACL. (#3668)

* [22.09.27][추가] CKV_NCP_1 * [22.09.27][추가] CKV_NCP_2 * Apply suggestions from code review Co-authored-by: Anton Grübel <[email protected]> * Apply suggestions from code review Co-authored-by: Anton Grübel <[email protected]> * Apply suggestions from code review Co-authored-by: Anton Grübel <[email protected]> * Create main.yml * [22.09.28][수정] Lint test * Delete main.yml * [22.09.29][수정]testcode 수정 * [22.09.29][수정] 테스트 코드 수정 * [22.09.29][수정] 테스트코드 수정 * [22.09.29][수정] add test resource for 'ncloud_access_control_group_rule' * [22.10.03][add]CKV_AWS_3 RULE * [22.10.04][add]CKV_NCP_4, CKV_NCP_5 RULE * [22.10.04][add] NCP ACG Inbound for port 22, 3389 * [22.10.04][add] NCP NACL for port 20, 21, 22, 3389 * [22.10.05][modify] LBSecureProtocols.py * [22.10.05][add] NCP ACGIngress & Egress Check * [22.10.06][add] NCP rules about ACG, LB, NACL, Encrpytion * [22.10.06][refactor] rename rules * [22.10.07][add] NCP NACLPortCheck * [22.10.08][refactor] modify rule id 77 to 14 * [22.10.14][add] add NCP rule about Network ACL * [22.10.03][add]CKV_AWS_3 RULE * [22.10.18][test] commit test * [22.10.19][refactor] adjust ncp rule 12 * [22.10.25][fix] delete guideline Co-authored-by: pj991207 <[email protected]> Co-authored-by: Anton Grübel <[email protected]> Co-authored-by: taeng0204 <[email protected]> Co-authored-by: yudam <[email protected]>
bridgecrewio · Oct 27, 2022 · 4daa0d1 · 4daa0d1
1 parent 248b644
commit 4daa0d1
Show file tree

Hide file tree

Showing 3 changed files with 112 additions and 0 deletions.
diff --git a/checkov/terraform/checks/resource/ncp/NACLPortCheck.py b/checkov/terraform/checks/resource/ncp/NACLPortCheck.py
@@ -0,0 +1,24 @@
+from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
+from checkov.common.models.enums import CheckResult, CheckCategories
+
+
+class NACLPortCheck(BaseResourceCheck):
+    def __init__(self):
+        name = "An inbound Network ACL rule should not allow ALL ports."
+        id = "CKV_NCP_12"
+        supported_resources = ('ncloud_network_acl_rule',)
+        categories = (CheckCategories.NETWORKING,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def scan_resource_conf(self, conf):
+        if 'inbound' in conf.keys():
+            for inbound in conf['inbound']:
+                if 'port_range' in inbound.keys():
+                    for port_range in inbound['port_range']:
+                        if port_range == "1-65535":
+                            return CheckResult.FAILED
+                    return CheckResult.PASSED
+        return CheckResult.FAILED
+
+
+check = NACLPortCheck()
diff --git a/tests/terraform/checks/resource/ncp/example_NACLPortCheck/main.tf b/tests/terraform/checks/resource/ncp/example_NACLPortCheck/main.tf
@@ -0,0 +1,46 @@
+resource "ncloud_network_acl_rule" "pass" {
+  network_acl_no    = ncloud_network_acl.nacl.id
+
+  inbound {
+    priority    = 110
+    protocol    = "TCP"
+    rule_action = "ALLOW"
+    deny_allow_group_no = ncloud_network_acl_deny_allow_group.deny_allow_group.id
+    port_range  = "22"
+  }
+}
+
+resource "ncloud_network_acl_rule" "pass1" {
+  network_acl_no    = ncloud_network_acl.nacl.id
+
+  inbound {
+    priority    = 110
+    protocol    = "TCP"
+    rule_action = "ALLOW"
+    deny_allow_group_no = ncloud_network_acl_deny_allow_group.deny_allow_group.id
+    port_range  = "1-43"
+  }
+}
+
+resource "ncloud_network_acl_rule" "fail" {
+  network_acl_no    = ncloud_network_acl.nacl.id
+
+  inbound {
+    priority    = 110
+    protocol    = "TCP"
+    rule_action = "ALLOW"
+    deny_allow_group_no = ncloud_network_acl_deny_allow_group.deny_allow_group.id
+  }
+}
+
+resource "ncloud_network_acl_rule" "fail1" {
+  network_acl_no    = ncloud_network_acl.nacl.id
+
+  inbound {
+    priority    = 110
+    protocol    = "TCP"
+    rule_action = "ALLOW"
+    deny_allow_group_no = ncloud_network_acl_deny_allow_group.deny_allow_group.id
+    port_range  = "1-65535"
+  }
+}
diff --git a/tests/terraform/checks/resource/ncp/test_NACLPortCheck.py b/tests/terraform/checks/resource/ncp/test_NACLPortCheck.py
@@ -0,0 +1,42 @@
+import unittest
+from pathlib import Path
+
+from checkov.runner_filter import RunnerFilter
+from checkov.terraform.checks.resource.ncp.NACLPortCheck import check
+from checkov.terraform.runner import Runner
+
+
+class TestNACLPortCheck(unittest.TestCase):
+    def test(self):
+        # given
+        test_files_dir = Path(__file__).parent / "example_NACLPortCheck"
+
+        # when
+        report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+        # then
+        summary = report.get_summary()
+
+        passing_resources = {
+            "ncloud_network_acl_rule.pass",
+            "ncloud_network_acl_rule.pass1"
+        }
+        failing_resources = {
+            "ncloud_network_acl_rule.fail",
+            "ncloud_network_acl_rule.fail1"
+        }
+
+        passed_check_resources = {c.resource for c in report.passed_checks}
+        failed_check_resources = {c.resource for c in report.failed_checks}
+
+        self.assertEqual(summary["passed"], 2)
+        self.assertEqual(summary["failed"], 2)
+        self.assertEqual(summary["skipped"], 0)
+        self.assertEqual(summary["parsing_errors"], 0)
+
+        self.assertEqual(passing_resources, passed_check_resources)
+        self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+    unittest.main()