fix(bicep): make ARM AKS checks compatible with Bicep (#3836)

* make ARM AKS checks compatible with Bicep

* fix linting

checkov/arm/base_resource_check.py

@@ -43,6 +43,7 @@ def scan_entity_conf(self, conf: dict[str, Any], entity_type: str) -> CheckResul
                 return CheckResult.UNKNOWN
 
             self.api_version = conf["api_version"]
+            conf["config"]["apiVersion"] = conf["api_version"]  # set for better reusability of existing ARM checks
 
             return self.scan_resource_conf(conf["config"], entity_type)
 

checkov/arm/checks/resource/AKSApiServerAuthorizedIpRanges.py

@@ -4,7 +4,6 @@
 
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.arm.base_resource_check import BaseResourceCheck
-from checkov.common.parsers.node import DictNode
 
 
 class AKSApiServerAuthorizedIpRanges(BaseResourceCheck):
@@ -32,7 +31,7 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
             else:
                 # ApiServerAuthorizedIpRanges fully supported in all future API versions
                 properties = conf.get('properties')
-                if not properties or not isinstance(properties, DictNode):
+                if not properties or not isinstance(properties, dict):
                     return CheckResult.FAILED
                 api_server_access_profile = properties.get('apiServerAccessProfile')
                 if not api_server_access_profile:

checkov/arm/checks/resource/AKSDashboardDisabled.py

@@ -4,7 +4,6 @@
 
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.arm.base_resource_check import BaseResourceCheck
-from checkov.common.parsers.node import DictNode
 
 
 class AKSDashboardDisabled(BaseResourceCheck):
@@ -23,13 +22,13 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
                 return CheckResult.FAILED
 
         properties = conf.get("properties")
-        if properties is None or not isinstance(properties, DictNode):
+        if properties is None or not isinstance(properties, dict):
             return CheckResult.FAILED
         addon_profiles = conf["properties"].get("addonProfiles")
-        if not isinstance(addon_profiles, DictNode):
+        if not isinstance(addon_profiles, dict):
             return CheckResult.FAILED
         kube_dashboard = addon_profiles.get("kubeDashboard")
-        if not isinstance(kube_dashboard, DictNode):
+        if not isinstance(kube_dashboard, dict):
             return CheckResult.FAILED
         enabled = kube_dashboard.get("enabled")
         if enabled is not None and str(enabled).lower() == "false":

checkov/arm/checks/resource/AKSNetworkPolicy.py

@@ -4,7 +4,6 @@
 
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.arm.base_resource_check import BaseResourceCheck
-from checkov.common.parsers.node import DictNode
 
 
 class AKSNetworkPolicy(BaseResourceCheck):
@@ -23,7 +22,7 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
                 return CheckResult.FAILED
 
         properties = conf.get('properties')
-        if not properties or not isinstance(properties, DictNode):
+        if not properties or not isinstance(properties, dict):
             return CheckResult.FAILED
         network_profile = properties.get('networkProfile')
         if not network_profile:

checkov/arm/checks/resource/AKSRbacEnabled.py

@@ -4,7 +4,6 @@
 
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.arm.base_resource_check import BaseResourceCheck
-from checkov.common.parsers.node import DictNode
 
 
 class AKSRbacEnabled(BaseResourceCheck):
@@ -23,7 +22,7 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
                 return CheckResult.FAILED
 
         properties = conf.get('properties')
-        if not properties or not isinstance(properties, DictNode):
+        if not properties or not isinstance(properties, dict):
             return CheckResult.FAILED
         enable_RBAC = properties.get('enableRBAC')
         if str(enable_RBAC).lower() == "true":

tests/bicep/checks/resource/azure/example_AKSApiServerAuthorizedIpRanges/main.bicep

@@ -0,0 +1,98 @@
+// pass
+
+resource enabled 'Microsoft.ContainerService/managedClusters@2022-08-03-preview' = {
+  name: 'string'
+  location: resourceGroup().location
+  identity: {
+    type: 'SystemAssigned'
+  }
+  properties: {
+    enableRBAC: true
+    agentPoolProfiles: [
+      {
+        name: 'agentpool'
+        osDiskSizeGB: osDiskSizeGB
+        osSKU: 'Ubuntu'
+        osType: 'Linux'
+      }
+    ]
+    addonProfiles: {
+      omsagent: {
+        config: {
+          logAnalyticsWorkspaceResourceID: logAnalyticsWorkspace.id
+        }
+        enabled: true
+      }
+      kubeDashboard: {
+        enabled: false
+      }
+    }
+    apiServerAccessProfile: {
+      authorizedIPRanges: [
+        '10.0.0.0/8'
+      ]
+    }
+    networkProfile: {
+      networkPlugin: 'azure'
+      networkPolicy: 'azure'
+    }
+    linuxProfile: {
+      adminUsername: linuxAdminUsername
+      ssh: {
+        publicKeys: [
+          {
+            keyData: sshRSAPublicKey
+          }
+        ]
+      }
+    }
+  }
+}
+
+// fail
+
+resource default 'Microsoft.ContainerService/managedClusters@2022-08-03-preview' = {
+  name: 'string'
+  location: resourceGroup().location
+  identity: {
+    type: 'SystemAssigned'
+  }
+  properties: {
+    agentPoolProfiles: [
+      {
+        name: 'agentpool'
+        osDiskSizeGB: osDiskSizeGB
+        osSKU: 'Ubuntu'
+        osType: 'Linux'
+      }
+    ]
+    addonProfiles: {
+      omsagent: {
+        config: {
+          logAnalyticsWorkspaceResourceID: logAnalyticsWorkspace.id
+        }
+        enabled: true
+      }
+      kubeDashboard: {
+        enabled: false
+      }
+    }
+    apiServerAccessProfile: {
+      disableRunCommand: true
+    }
+    networkProfile: {
+      networkPlugin: 'azure'
+      networkPolicy: 'azure'
+    }
+    linuxProfile: {
+      adminUsername: linuxAdminUsername
+      ssh: {
+        publicKeys: [
+          {
+            keyData: sshRSAPublicKey
+          }
+        ]
+      }
+    }
+  }
+}

tests/bicep/checks/resource/azure/example_AKSDashboardDisabled/main.bicep

@@ -0,0 +1,95 @@
+// pass
+
+resource enabled 'Microsoft.ContainerService/managedClusters@2022-08-03-preview' = {
+  name: 'string'
+  location: resourceGroup().location
+  identity: {
+    type: 'SystemAssigned'
+  }
+  properties: {
+    enableRBAC: true
+    agentPoolProfiles: [
+      {
+        name: 'agentpool'
+        osDiskSizeGB: osDiskSizeGB
+        osSKU: 'Ubuntu'
+        osType: 'Linux'
+      }
+    ]
+    addonProfiles: {
+      omsagent: {
+        config: {
+          logAnalyticsWorkspaceResourceID: logAnalyticsWorkspace.id
+        }
+        enabled: true
+      }
+      kubeDashboard: {
+        enabled: false
+      }
+    }
+    apiServerAccessProfile: {
+      authorizedIPRanges: [
+        '10.0.0.0/8'
+      ]
+    }
+    networkProfile: {
+      networkPlugin: 'azure'
+      networkPolicy: 'azure'
+    }
+    linuxProfile: {
+      adminUsername: linuxAdminUsername
+      ssh: {
+        publicKeys: [
+          {
+            keyData: sshRSAPublicKey
+          }
+        ]
+      }
+    }
+  }
+}
+
+// fail
+
+resource default 'Microsoft.ContainerService/managedClusters@2022-08-03-preview' = {
+  name: 'string'
+  location: resourceGroup().location
+  identity: {
+    type: 'SystemAssigned'
+  }
+  properties: {
+    agentPoolProfiles: [
+      {
+        name: 'agentpool'
+        osDiskSizeGB: osDiskSizeGB
+        osSKU: 'Ubuntu'
+        osType: 'Linux'
+      }
+    ]
+    addonProfiles: {
+      omsagent: {
+        config: {
+          logAnalyticsWorkspaceResourceID: logAnalyticsWorkspace.id
+        }
+        enabled: true
+      }
+    }
+    apiServerAccessProfile: {
+      disableRunCommand: true
+    }
+    networkProfile: {
+      networkPlugin: 'azure'
+      networkPolicy: 'azure'
+    }
+    linuxProfile: {
+      adminUsername: linuxAdminUsername
+      ssh: {
+        publicKeys: [
+          {
+            keyData: sshRSAPublicKey
+          }
+        ]
+      }
+    }
+  }
+}

tests/bicep/checks/resource/azure/example_AKSLoggingEnabled/main.bicep

@@ -0,0 +1,92 @@
+// pass
+
+resource enabled 'Microsoft.ContainerService/managedClusters@2022-08-03-preview' = {
+  name: 'string'
+  location: resourceGroup().location
+  identity: {
+    type: 'SystemAssigned'
+  }
+  properties: {
+    enableRBAC: true
+    agentPoolProfiles: [
+      {
+        name: 'agentpool'
+        osDiskSizeGB: osDiskSizeGB
+        osSKU: 'Ubuntu'
+        osType: 'Linux'
+      }
+    ]
+    addonProfiles: {
+      omsagent: {
+        config: {
+          logAnalyticsWorkspaceResourceID: logAnalyticsWorkspace.id
+        }
+        enabled: true
+      }
+      kubeDashboard: {
+        enabled: false
+      }
+    }
+    apiServerAccessProfile: {
+      authorizedIPRanges: [
+        '10.0.0.0/8'
+      ]
+    }
+    networkProfile: {
+      networkPlugin: 'azure'
+      networkPolicy: 'azure'
+    }
+    linuxProfile: {
+      adminUsername: linuxAdminUsername
+      ssh: {
+        publicKeys: [
+          {
+            keyData: sshRSAPublicKey
+          }
+        ]
+      }
+    }
+  }
+}
+
+// fail
+
+resource default 'Microsoft.ContainerService/managedClusters@2022-08-03-preview' = {
+  name: 'string'
+  location: resourceGroup().location
+  identity: {
+    type: 'SystemAssigned'
+  }
+  properties: {
+    agentPoolProfiles: [
+      {
+        name: 'agentpool'
+        osDiskSizeGB: osDiskSizeGB
+        osSKU: 'Ubuntu'
+        osType: 'Linux'
+      }
+    ]
+    addonProfiles: {
+      kubeDashboard: {
+        enabled: false
+      }
+    }
+    apiServerAccessProfile: {
+      disableRunCommand: true
+    }
+    networkProfile: {
+      networkPlugin: 'azure'
+      networkPolicy: 'azure'
+    }
+    linuxProfile: {
+      adminUsername: linuxAdminUsername
+      ssh: {
+        publicKeys: [
+          {
+            keyData: sshRSAPublicKey
+          }
+        ]
+      }
+    }
+  }
+}