From 594a4e716905f27da7762f20c8f1bec12fdb8de1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Anton=20Gr=C3=BCbel?= Date: Thu, 10 Nov 2022 11:21:52 +0100 Subject: [PATCH] fix(bicep): make ARM AKS checks compatible with Bicep (#3836) * make ARM AKS checks compatible with Bicep * fix linting --- checkov/arm/base_resource_check.py | 1 + .../AKSApiServerAuthorizedIpRanges.py | 3 +- .../checks/resource/AKSDashboardDisabled.py | 7 +- .../arm/checks/resource/AKSNetworkPolicy.py | 3 +- checkov/arm/checks/resource/AKSRbacEnabled.py | 3 +- .../main.bicep | 98 ++++++++++++ .../example_AKSDashboardDisabled/main.bicep | 95 +++++++++++ .../example_AKSLoggingEnabled/main.bicep | 92 +++++++++++ .../azure/example_AKSNetworkPolicy/main.bicep | 97 ++++++++++++ .../azure/example_AKSRbacEnabled/main.bicep | 149 ++++++++++++++++++ .../test_AKSApiServerAuthorizedIpRanges.py | 35 ++++ .../azure/test_AKSDashboardDisabled.py | 35 ++++ .../resource/azure/test_AKSLoggingEnabled.py | 35 ++++ .../resource/azure/test_AKSNetworkPolicy.py | 35 ++++ .../resource/azure/test_AKSRbacEnabled.py | 36 +++++ 15 files changed, 714 insertions(+), 10 deletions(-) create mode 100644 tests/bicep/checks/resource/azure/example_AKSApiServerAuthorizedIpRanges/main.bicep create mode 100644 tests/bicep/checks/resource/azure/example_AKSDashboardDisabled/main.bicep create mode 100644 tests/bicep/checks/resource/azure/example_AKSLoggingEnabled/main.bicep create mode 100644 tests/bicep/checks/resource/azure/example_AKSNetworkPolicy/main.bicep create mode 100644 tests/bicep/checks/resource/azure/example_AKSRbacEnabled/main.bicep create mode 100644 tests/bicep/checks/resource/azure/test_AKSApiServerAuthorizedIpRanges.py create mode 100644 tests/bicep/checks/resource/azure/test_AKSDashboardDisabled.py create mode 100644 tests/bicep/checks/resource/azure/test_AKSLoggingEnabled.py create mode 100644 tests/bicep/checks/resource/azure/test_AKSNetworkPolicy.py create mode 100644 tests/bicep/checks/resource/azure/test_AKSRbacEnabled.py 
diff --git a/checkov/arm/base_resource_check.py b/checkov/arm/base_resource_check.py
index 6a2f3f8216a..ad71465f2eb 100644
--- a/checkov/arm/base_resource_check.py
+++ b/checkov/arm/base_resource_check.py
@@ -43,6 +43,7 @@ def scan_entity_conf(self, conf: dict[str, Any], entity_type: str) -> CheckResul
 return CheckResult.UNKNOWN
 self.api_version = conf["api_version"]
+ conf["config"]["apiVersion"] = conf["api_version"] # set for better reusability of existing ARM checks
 return self.scan_resource_conf(conf["config"], entity_type)
diff --git a/checkov/arm/checks/resource/AKSApiServerAuthorizedIpRanges.py b/checkov/arm/checks/resource/AKSApiServerAuthorizedIpRanges.py
index 74691aa91cf..1bdcaa45fcb 100644
--- a/checkov/arm/checks/resource/AKSApiServerAuthorizedIpRanges.py
+++ b/checkov/arm/checks/resource/AKSApiServerAuthorizedIpRanges.py
@@ -4,7 +4,6 @@
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.arm.base_resource_check import BaseResourceCheck
-from checkov.common.parsers.node import DictNode
 class AKSApiServerAuthorizedIpRanges(BaseResourceCheck):
@@ -32,7 +31,7 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
 else: # ApiServerAuthorizedIpRanges fully supported in all future API versions
 properties = conf.get('properties')
- if not properties or not isinstance(properties, DictNode):
+ if not properties or not isinstance(properties, dict):
 return CheckResult.FAILED
 api_server_access_profile = properties.get('apiServerAccessProfile')
 if not api_server_access_profile:
diff --git a/checkov/arm/checks/resource/AKSDashboardDisabled.py b/checkov/arm/checks/resource/AKSDashboardDisabled.py
index 9238747febf..d684ec23b2f 100644
--- a/checkov/arm/checks/resource/AKSDashboardDisabled.py
+++ b/checkov/arm/checks/resource/AKSDashboardDisabled.py
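Review bot: The added line writes `apiVersion` into the caller-supplied `conf["config"]` mapping rather than into a copy, so the synthesized key becomes visible to every later consumer of that resource config (other checks, the evaluated config in the report) and it silently overwrites an `apiVersion` an ARM template already carried. If the key only needs to exist when missing, `conf["config"].setdefault("apiVersion", conf["api_version"])` keeps an existing value and still covers the Bicep case; if other consumers should not see it, pass `{**conf["config"], "apiVersion": conf["api_version"]}` to `scan_resource_conf` instead. The line also assumes `conf["config"]` is a mutable mapping; whether the guard above the hunk establishes that cannot be seen here. scan_entity_conf starts outside the hunk.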
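Review bot: The `else:` branch shown as context at the top of this hunk is reached only after a version comparison above it, and for Bicep that comparison now sees an `apiVersion` the base class injects into the resource config (the `conf["config"]["apiVersion"]` line in the preceding base_resource_check.py hunk) rather than one the template carried; that coupling is invisible in this file. A one-line comment where `apiVersion` is read, e.g. `# apiVersion is injected by BaseResourceCheck.scan_entity_conf for Bicep resources`, would make the dependency explicit. The new fixture declares `@2022-08-03-preview`, so the version parsing above should be confirmed to accept a `-preview` suffix; the test passing suggests it does, but the comparison itself is outside the hunk. scan_resource_conf starts outside the hunk.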
@@ -4,7 +4,6 @@
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.arm.base_resource_check import BaseResourceCheck
-from checkov.common.parsers.node import DictNode
 class AKSDashboardDisabled(BaseResourceCheck):
@@ -23,13 +22,13 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
 return CheckResult.FAILED
 properties = conf.get("properties")
- if properties is None or not isinstance(properties, DictNode):
+ if properties is None or not isinstance(properties, dict):
 return CheckResult.FAILED
 addon_profiles = conf["properties"].get("addonProfiles")
- if not isinstance(addon_profiles, DictNode):
+ if not isinstance(addon_profiles, dict):
 return CheckResult.FAILED
 kube_dashboard = addon_profiles.get("kubeDashboard")
- if not isinstance(kube_dashboard, DictNode):
+ if not isinstance(kube_dashboard, dict):
 return CheckResult.FAILED
 enabled = kube_dashboard.get("enabled")
 if enabled is not None and str(enabled).lower() == "false":
diff --git a/checkov/arm/checks/resource/AKSNetworkPolicy.py b/checkov/arm/checks/resource/AKSNetworkPolicy.py
index 2ff540be530..e9ed0dc2226 100644
--- a/checkov/arm/checks/resource/AKSNetworkPolicy.py
+++ b/checkov/arm/checks/resource/AKSNetworkPolicy.py
@@ -4,7 +4,6 @@
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.arm.base_resource_check import BaseResourceCheck
-from checkov.common.parsers.node import DictNode
 class AKSNetworkPolicy(BaseResourceCheck):
@@ -23,7 +22,7 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
 return CheckResult.FAILED
 properties = conf.get('properties')
- if not properties or not isinstance(properties, DictNode):
+ if not properties or not isinstance(properties, dict):
 return CheckResult.FAILED
 network_profile = properties.get('networkProfile')
 if not network_profile:
diff --git a/checkov/arm/checks/resource/AKSRbacEnabled.py b/checkov/arm/checks/resource/AKSRbacEnabled.py
index cd977c745c5..54b874720a3 100644
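Review bot: After the `DictNode` → `dict` change, a cluster whose `addonProfiles` has no `kubeDashboard` entry still falls through to `return CheckResult.FAILED` on the context line after `if not isinstance(kube_dashboard, dict):`, so absence is treated as the dashboard being enabled; the new Bicep fixture's `default` resource omits the add-on and the test pins that as a failure. If that fail-closed reading is intended, a comment on that line would spare the next reader the question, e.g. `# no kubeDashboard entry: treat the add-on as enabled (fail closed)`. The same absence-fails behaviour is pinned for `enableRBAC` in the AKSRbacEnabled hunk and its `default` fixture. Minor: the context line `addon_profiles = conf["properties"].get("addonProfiles")` re-indexes `conf` instead of using the already-validated `properties`. scan_resource_conf starts outside the hunk.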
--- a/checkov/arm/checks/resource/AKSRbacEnabled.py
+++ b/checkov/arm/checks/resource/AKSRbacEnabled.py
@@ -4,7 +4,6 @@
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.arm.base_resource_check import BaseResourceCheck
-from checkov.common.parsers.node import DictNode
 class AKSRbacEnabled(BaseResourceCheck):
@@ -23,7 +22,7 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
 return CheckResult.FAILED
 properties = conf.get('properties')
- if not properties or not isinstance(properties, DictNode):
+ if not properties or not isinstance(properties, dict):
 return CheckResult.FAILED
 enable_RBAC = properties.get('enableRBAC')
 if str(enable_RBAC).lower() == "true":
diff --git a/tests/bicep/checks/resource/azure/example_AKSApiServerAuthorizedIpRanges/main.bicep b/tests/bicep/checks/resource/azure/example_AKSApiServerAuthorizedIpRanges/main.bicep
new file mode 100644
index 00000000000..321a00525a8
--- /dev/null
+++ b/tests/bicep/checks/resource/azure/example_AKSApiServerAuthorizedIpRanges/main.bicep
@@ -0,0 +1,98 @@
+// pass
+
+resource enabled 'Microsoft.ContainerService/managedClusters@2022-08-03-preview' = {
+ name: 'string'
+ location: resourceGroup().location
+ identity: {
+ type: 'SystemAssigned'
+ }
+ properties: {
+ enableRBAC: true
+ agentPoolProfiles: [
+ {
+ name: 'agentpool'
+ osDiskSizeGB: osDiskSizeGB
+ osSKU: 'Ubuntu'
+ osType: 'Linux'
+ }
+ ]
+ addonProfiles: {
+ omsagent: {
+ config: {
+ logAnalyticsWorkspaceResourceID: logAnalyticsWorkspace.id
+ }
+ enabled: true
+ }
+ kubeDashboard: {
+ enabled: false
+ }
+ }
+ apiServerAccessProfile: {
+ authorizedIPRanges: [
+ '10.0.0.0/8'
+ ]
+ }
+ networkProfile: {
+ networkPlugin: 'azure'
+ networkPolicy: 'azure'
+ }
+ linuxProfile: {
+ adminUsername: linuxAdminUsername
+ ssh: {
+ publicKeys: [
+ {
+ keyData: sshRSAPublicKey
+ }
+ ]
+ }
+ }
+ }
+}
+
+// fail
+
+resource default 'Microsoft.ContainerService/managedClusters@2022-08-03-preview' = {
+ name: 'string'
+ location: resourceGroup().location
+ identity: {
+ type: 'SystemAssigned'
+ }
+ properties: {
+ agentPoolProfiles: [
+ {
+ name: 'agentpool'
+ osDiskSizeGB: osDiskSizeGB
+ osSKU: 'Ubuntu'
+ osType: 'Linux'
+ }
+ ]
+ addonProfiles: {
+ omsagent: {
+ config: {
+ logAnalyticsWorkspaceResourceID: logAnalyticsWorkspace.id
+ }
+ enabled: true
+ }
+ kubeDashboard: {
+ enabled: false
+ }
+ }
+ apiServerAccessProfile: {
+ disableRunCommand: true
+ }
+ networkProfile: {
+ networkPlugin: 'azure'
+ networkPolicy: 'azure'
+ }
+ linuxProfile: {
+ adminUsername: linuxAdminUsername
+ ssh: {
+ publicKeys: [
+ {
+ keyData: sshRSAPublicKey
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/tests/bicep/checks/resource/azure/example_AKSDashboardDisabled/main.bicep b/tests/bicep/checks/resource/azure/example_AKSDashboardDisabled/main.bicep
new file mode 100644
index 00000000000..fa09cdaca1c
--- /dev/null
+++ b/tests/bicep/checks/resource/azure/example_AKSDashboardDisabled/main.bicep
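Review bot: The fixture references `osDiskSizeGB`, `logAnalyticsWorkspace`, `linuxAdminUsername` and `sshRSAPublicKey` without declaring them, so it is not a deployable Bicep file; the same holds for the fixtures in the next four hunks (example_AKSDashboardDisabled, example_AKSLoggingEnabled, example_AKSNetworkPolicy, example_AKSRbacEnabled). The accompanying tests assert `parsing_errors == 0`, so the Bicep parser evidently tolerates unresolved identifiers, but adding `param osDiskSizeGB int`, `param linuxAdminUsername string`, `param sshRSAPublicKey string` and an `existing` reference for `logAnalyticsWorkspace` would keep the fixtures valid templates and guard against the parser tightening later. The `// pass` and `// fail` markers would also read better if each named the property the check keys on, e.g. `// fail: apiServerAccessProfile without authorizedIPRanges`.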
@@ -0,0 +1,95 @@
+// pass
+
+resource enabled 'Microsoft.ContainerService/managedClusters@2022-08-03-preview' = {
+ name: 'string'
+ location: resourceGroup().location
+ identity: {
+ type: 'SystemAssigned'
+ }
+ properties: {
+ enableRBAC: true
+ agentPoolProfiles: [
+ {
+ name: 'agentpool'
+ osDiskSizeGB: osDiskSizeGB
+ osSKU: 'Ubuntu'
+ osType: 'Linux'
+ }
+ ]
+ addonProfiles: {
+ omsagent: {
+ config: {
+ logAnalyticsWorkspaceResourceID: logAnalyticsWorkspace.id
+ }
+ enabled: true
+ }
+ kubeDashboard: {
+ enabled: false
+ }
+ }
+ apiServerAccessProfile: {
+ authorizedIPRanges: [
+ '10.0.0.0/8'
+ ]
+ }
+ networkProfile: {
+ networkPlugin: 'azure'
+ networkPolicy: 'azure'
+ }
+ linuxProfile: {
+ adminUsername: linuxAdminUsername
+ ssh: {
+ publicKeys: [
+ {
+ keyData: sshRSAPublicKey
+ }
+ ]
+ }
+ }
+ }
+}
+
+// fail
+
+resource default 'Microsoft.ContainerService/managedClusters@2022-08-03-preview' = {
+ name: 'string'
+ location: resourceGroup().location
+ identity: {
+ type: 'SystemAssigned'
+ }
+ properties: {
+ agentPoolProfiles: [
+ {
+ name: 'agentpool'
+ osDiskSizeGB: osDiskSizeGB
+ osSKU: 'Ubuntu'
+ osType: 'Linux'
+ }
+ ]
+ addonProfiles: {
+ omsagent: {
+ config: {
+ logAnalyticsWorkspaceResourceID: logAnalyticsWorkspace.id
+ }
+ enabled: true
+ }
+ }
+ apiServerAccessProfile: {
+ disableRunCommand: true
+ }
+ networkProfile: {
+ networkPlugin: 'azure'
+ networkPolicy: 'azure'
+ }
+ linuxProfile: {
+ adminUsername: linuxAdminUsername
+ ssh: {
+ publicKeys: [
+ {
+ keyData: sshRSAPublicKey
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/tests/bicep/checks/resource/azure/example_AKSLoggingEnabled/main.bicep b/tests/bicep/checks/resource/azure/example_AKSLoggingEnabled/main.bicep
new file mode 100644
index 00000000000..23f8c39867d
--- /dev/null
+++ b/tests/bicep/checks/resource/azure/example_AKSLoggingEnabled/main.bicep
@@ -0,0 +1,92 @@
+// pass
+
+resource enabled 'Microsoft.ContainerService/managedClusters@2022-08-03-preview' = {
+ name: 'string'
+ location: resourceGroup().location
+ identity: {
+ type: 'SystemAssigned'
+ }
+ properties: {
+ enableRBAC: true
+ agentPoolProfiles: [
+ {
+ name: 'agentpool'
+ osDiskSizeGB: osDiskSizeGB
+ osSKU: 'Ubuntu'
+ osType: 'Linux'
+ }
+ ]
+ addonProfiles: {
+ omsagent: {
+ config: {
+ logAnalyticsWorkspaceResourceID: logAnalyticsWorkspace.id
+ }
+ enabled: true
+ }
+ kubeDashboard: {
+ enabled: false
+ }
+ }
+ apiServerAccessProfile: {
+ authorizedIPRanges: [
+ '10.0.0.0/8'
+ ]
+ }
+ networkProfile: {
+ networkPlugin: 'azure'
+ networkPolicy: 'azure'
+ }
+ linuxProfile: {
+ adminUsername: linuxAdminUsername
+ ssh: {
+ publicKeys: [
+ {
+ keyData: sshRSAPublicKey
+ }
+ ]
+ }
+ }
+ }
+}
+
+// fail
+
+resource default 'Microsoft.ContainerService/managedClusters@2022-08-03-preview' = {
+ name: 'string'
+ location: resourceGroup().location
+ identity: {
+ type: 'SystemAssigned'
+ }
+ properties: {
+ agentPoolProfiles: [
+ {
+ name: 'agentpool'
+ osDiskSizeGB: osDiskSizeGB
+ osSKU: 'Ubuntu'
+ osType: 'Linux'
+ }
+ ]
+ addonProfiles: {
+ kubeDashboard: {
+ enabled: false
+ }
+ }
+ apiServerAccessProfile: {
+ disableRunCommand: true
+ }
+ networkProfile: {
+ networkPlugin: 'azure'
+ networkPolicy: 'azure'
+ }
+ linuxProfile: {
+ adminUsername: linuxAdminUsername
+ ssh: {
+ publicKeys: [
+ {
+ keyData: sshRSAPublicKey
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/tests/bicep/checks/resource/azure/example_AKSNetworkPolicy/main.bicep b/tests/bicep/checks/resource/azure/example_AKSNetworkPolicy/main.bicep
new file mode 100644
index 00000000000..aa8ae30c1f9
--- /dev/null
+++ b/tests/bicep/checks/resource/azure/example_AKSNetworkPolicy/main.bicep
@@ -0,0 +1,97 @@
+// pass
+
+resource enabled 'Microsoft.ContainerService/managedClusters@2022-08-03-preview' = {
+ name: 'string'
+ location: resourceGroup().location
+ identity: {
+ type: 'SystemAssigned'
+ }
+ properties: {
+ enableRBAC: true
+ agentPoolProfiles: [
+ {
+ name: 'agentpool'
+ osDiskSizeGB: osDiskSizeGB
+ osSKU: 'Ubuntu'
+ osType: 'Linux'
+ }
+ ]
+ addonProfiles: {
+ omsagent: {
+ config: {
+ logAnalyticsWorkspaceResourceID: logAnalyticsWorkspace.id
+ }
+ enabled: true
+ }
+ kubeDashboard: {
+ enabled: false
+ }
+ }
+ apiServerAccessProfile: {
+ authorizedIPRanges: [
+ '10.0.0.0/8'
+ ]
+ }
+ networkProfile: {
+ networkPlugin: 'azure'
+ networkPolicy: 'azure'
+ }
+ linuxProfile: {
+ adminUsername: linuxAdminUsername
+ ssh: {
+ publicKeys: [
+ {
+ keyData: sshRSAPublicKey
+ }
+ ]
+ }
+ }
+ }
+}
+
+// fail
+
+resource default 'Microsoft.ContainerService/managedClusters@2022-08-03-preview' = {
+ name: 'string'
+ location: resourceGroup().location
+ identity: {
+ type: 'SystemAssigned'
+ }
+ properties: {
+ agentPoolProfiles: [
+ {
+ name: 'agentpool'
+ osDiskSizeGB: osDiskSizeGB
+ osSKU: 'Ubuntu'
+ osType: 'Linux'
+ }
+ ]
+ addonProfiles: {
+ omsagent: {
+ config: {
+ logAnalyticsWorkspaceResourceID: logAnalyticsWorkspace.id
+ }
+ enabled: true
+ }
+ kubeDashboard: {
+ enabled: false
+ }
+ }
+ apiServerAccessProfile: {
+ disableRunCommand: true
+ }
+ networkProfile: {
+ networkPlugin: 'azure'
+ }
+ linuxProfile: {
+ adminUsername: linuxAdminUsername
+ ssh: {
+ publicKeys: [
+ {
+ keyData: sshRSAPublicKey
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/tests/bicep/checks/resource/azure/example_AKSRbacEnabled/main.bicep b/tests/bicep/checks/resource/azure/example_AKSRbacEnabled/main.bicep
new file mode 100644
index 00000000000..1e127531033
--- /dev/null
+++ b/tests/bicep/checks/resource/azure/example_AKSRbacEnabled/main.bicep
@@ -0,0 +1,149 @@
+// pass
+
+resource enabled 'Microsoft.ContainerService/managedClusters@2022-08-03-preview' = {
+ name: 'string'
+ location: resourceGroup().location
+ identity: {
+ type: 'SystemAssigned'
+ }
+ properties: {
+ enableRBAC: true
+ agentPoolProfiles: [
+ {
+ name: 'agentpool'
+ osDiskSizeGB: osDiskSizeGB
+ osSKU: 'Ubuntu'
+ osType: 'Linux'
+ }
+ ]
+ addonProfiles: {
+ omsagent: {
+ config: {
+ logAnalyticsWorkspaceResourceID: logAnalyticsWorkspace.id
+ }
+ enabled: true
+ }
+ kubeDashboard: {
+ enabled: false
+ }
+ }
+ apiServerAccessProfile: {
+ authorizedIPRanges: [
+ '10.0.0.0/8'
+ ]
+ }
+ networkProfile: {
+ networkPlugin: 'azure'
+ networkPolicy: 'azure'
+ }
+ linuxProfile: {
+ adminUsername: linuxAdminUsername
+ ssh: {
+ publicKeys: [
+ {
+ keyData: sshRSAPublicKey
+ }
+ ]
+ }
+ }
+ }
+}
+
+// fail
+
+resource disabled 'Microsoft.ContainerService/managedClusters@2022-08-03-preview' = {
+ name: 'string'
+ location: resourceGroup().location
+ identity: {
+ type: 'SystemAssigned'
+ }
+ properties: {
+ enableRBAC: false
+ agentPoolProfiles: [
+ {
+ name: 'agentpool'
+ osDiskSizeGB: osDiskSizeGB
+ osSKU: 'Ubuntu'
+ osType: 'Linux'
+ }
+ ]
+ addonProfiles: {
+ omsagent: {
+ config: {
+ logAnalyticsWorkspaceResourceID: logAnalyticsWorkspace.id
+ }
+ enabled: true
+ }
+ kubeDashboard: {
+ enabled: false
+ }
+ }
+ apiServerAccessProfile: {
+ authorizedIPRanges: [
+ '10.0.0.0/8'
+ ]
+ }
+ networkProfile: {
+ networkPlugin: 'azure'
+ networkPolicy: 'azure'
+ }
+ linuxProfile: {
+ adminUsername: linuxAdminUsername
+ ssh: {
+ publicKeys: [
+ {
+ keyData: sshRSAPublicKey
+ }
+ ]
+ }
+ }
+ }
+}
+
+resource default 'Microsoft.ContainerService/managedClusters@2022-08-03-preview' = {
+ name: 'string'
+ location: resourceGroup().location
+ identity: {
+ type: 'SystemAssigned'
+ }
+ properties: {
+ agentPoolProfiles: [
+ {
+ name: 'agentpool'
+ osDiskSizeGB: osDiskSizeGB
+ osSKU: 'Ubuntu'
+ osType: 'Linux'
+ }
+ ]
+ addonProfiles: {
+ omsagent: {
+ config: {
+ logAnalyticsWorkspaceResourceID: logAnalyticsWorkspace.id
+ }
+ enabled: true
+ }
+ kubeDashboard: {
+ enabled: false
+ }
+ }
+ apiServerAccessProfile: {
+ authorizedIPRanges: [
+ '10.0.0.0/8'
+ ]
+ }
+ networkProfile: {
+ networkPlugin: 'azure'
+ networkPolicy: 'azure'
+ }
+ linuxProfile: {
+ adminUsername: linuxAdminUsername
+ ssh: {
+ publicKeys: [
+ {
+ keyData: sshRSAPublicKey
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/tests/bicep/checks/resource/azure/test_AKSApiServerAuthorizedIpRanges.py b/tests/bicep/checks/resource/azure/test_AKSApiServerAuthorizedIpRanges.py
new file mode 100644
index 00000000000..658c80db36e
--- /dev/null
+++ b/tests/bicep/checks/resource/azure/test_AKSApiServerAuthorizedIpRanges.py
@@ -0,0 +1,35 @@
+from pathlib import Path
+
+from checkov.bicep.runner import Runner
+from checkov.arm.checks.resource.AKSApiServerAuthorizedIpRanges import check
+from checkov.runner_filter import RunnerFilter
+
+
+def test_examples():
+ # given
+ test_files_dir = Path(__file__).parent / "example_AKSApiServerAuthorizedIpRanges"
+
+ # when
+ report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+ # then
+ summary = report.get_summary()
+
+ passing_resources = {
+ "Microsoft.ContainerService/managedClusters.enabled",
+ }
+
+ failing_resources = {
+ "Microsoft.ContainerService/managedClusters.default",
+ }
+
+ passed_check_resources = {c.resource for c in report.passed_checks}
+ failed_check_resources = {c.resource for c in report.failed_checks}
+
+ assert summary["passed"] == len(passing_resources)
+ assert summary["failed"] == len(failing_resources)
+ assert summary["skipped"] == 0
+ assert summary["parsing_errors"] == 0
+
+ assert passed_check_resources == passing_resources
+ assert failed_check_resources == failing_resources
diff --git a/tests/bicep/checks/resource/azure/test_AKSDashboardDisabled.py b/tests/bicep/checks/resource/azure/test_AKSDashboardDisabled.py
new file mode 100644
index 00000000000..17c24204b9d
--- /dev/null
+++ b/tests/bicep/checks/resource/azure/test_AKSDashboardDisabled.py
@@ -0,0 +1,35 @@
+from pathlib import Path
+
+from checkov.bicep.runner import Runner
+from checkov.arm.checks.resource.AKSDashboardDisabled import check
+from checkov.runner_filter import RunnerFilter
+
+
+def test_examples():
+ # given
+ test_files_dir = Path(__file__).parent / "example_AKSDashboardDisabled"
+
+ # when
+ report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+ # then
+ summary = report.get_summary()
+
+ passing_resources = {
+ "Microsoft.ContainerService/managedClusters.enabled",
+ }
+
+ failing_resources = {
+ "Microsoft.ContainerService/managedClusters.default",
+ }
+
+ passed_check_resources = {c.resource for c in report.passed_checks}
+ failed_check_resources = {c.resource for c in report.failed_checks}
+
+ assert summary["passed"] == len(passing_resources)
+ assert summary["failed"] == len(failing_resources)
+ assert summary["skipped"] == 0
+ assert summary["parsing_errors"] == 0
+
+ assert passed_check_resources == passing_resources
+ assert failed_check_resources == failing_resources
diff --git a/tests/bicep/checks/resource/azure/test_AKSLoggingEnabled.py b/tests/bicep/checks/resource/azure/test_AKSLoggingEnabled.py
new file mode 100644
index 00000000000..1c8b3a1f1ed
--- /dev/null
+++ b/tests/bicep/checks/resource/azure/test_AKSLoggingEnabled.py
@@ -0,0 +1,35 @@
+from pathlib import Path
+
+from checkov.bicep.runner import Runner
+from checkov.arm.checks.resource.AKSLoggingEnabled import check
+from checkov.runner_filter import RunnerFilter
+
+
+def test_examples():
+ # given
+ test_files_dir = Path(__file__).parent / "example_AKSLoggingEnabled"
+
+ # when
+ report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+ # then
+ summary = report.get_summary()
+
+ passing_resources = {
+ "Microsoft.ContainerService/managedClusters.enabled",
+ }
+
+ failing_resources = {
+ "Microsoft.ContainerService/managedClusters.default",
+ }
+
+ passed_check_resources = {c.resource for c in report.passed_checks}
+ failed_check_resources = {c.resource for c in report.failed_checks}
+
+ assert summary["passed"] == len(passing_resources)
+ assert summary["failed"] == len(failing_resources)
+ assert summary["skipped"] == 0
+ assert summary["parsing_errors"] == 0
+
+ assert passed_check_resources == passing_resources
+ assert failed_check_resources == failing_resources
diff --git a/tests/bicep/checks/resource/azure/test_AKSNetworkPolicy.py b/tests/bicep/checks/resource/azure/test_AKSNetworkPolicy.py
new file mode 100644
index 00000000000..7911d117ed0
--- /dev/null
+++ b/tests/bicep/checks/resource/azure/test_AKSNetworkPolicy.py
@@ -0,0 +1,35 @@
+from pathlib import Path
+
+from checkov.bicep.runner import Runner
+from checkov.arm.checks.resource.AKSNetworkPolicy import check
+from checkov.runner_filter import RunnerFilter
+
+
+def test_examples():
+ # given
+ test_files_dir = Path(__file__).parent / "example_AKSNetworkPolicy"
+
+ # when
+ report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+ # then
+ summary = report.get_summary()
+
+ passing_resources = {
+ "Microsoft.ContainerService/managedClusters.enabled",
+ }
+
+ failing_resources = {
+ "Microsoft.ContainerService/managedClusters.default",
+ }
+
+ passed_check_resources = {c.resource for c in report.passed_checks}
+ failed_check_resources = {c.resource for c in report.failed_checks}
+
+ assert summary["passed"] == len(passing_resources)
+ assert summary["failed"] == len(failing_resources)
+ assert summary["skipped"] == 0
+ assert summary["parsing_errors"] == 0
+
+ assert passed_check_resources == passing_resources
+ assert failed_check_resources == failing_resources
diff --git a/tests/bicep/checks/resource/azure/test_AKSRbacEnabled.py b/tests/bicep/checks/resource/azure/test_AKSRbacEnabled.py
new file mode 100644
index 00000000000..54e8467122a
--- /dev/null
+++ b/tests/bicep/checks/resource/azure/test_AKSRbacEnabled.py
@@ -0,0 +1,36 @@
+from pathlib import Path
+
+from checkov.bicep.runner import Runner
+from checkov.arm.checks.resource.AKSRbacEnabled import check
+from checkov.runner_filter import RunnerFilter
+
+
+def test_examples():
+ # given
+ test_files_dir = Path(__file__).parent / "example_AKSRbacEnabled"
+
+ # when
+ report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+ # then
+ summary = report.get_summary()
+
+ passing_resources = {
+ "Microsoft.ContainerService/managedClusters.enabled",
+ }
+
+ failing_resources = {
+ "Microsoft.ContainerService/managedClusters.default",
+ "Microsoft.ContainerService/managedClusters.disabled",
+ }
+
+ passed_check_resources = {c.resource for c in report.passed_checks}
+ failed_check_resources = {c.resource for c in report.failed_checks}
+
+ assert summary["passed"] == len(passing_resources)
+ assert summary["failed"] == len(failing_resources)
+ assert summary["skipped"] == 0
+ assert summary["parsing_errors"] == 0
+
+ assert passed_check_resources == passing_resources
+ assert failed_check_resources == failing_resources