[22.11.12][fix]CKV_NCP_16

bridgecrewio · Nov 12, 2022 · 74715cb · 74715cb
1 parent ec25900
commit 74715cb
Show file tree

Hide file tree

Showing 3 changed files with 84 additions and 0 deletions.
diff --git a/checkov/terraform/checks/resource/ncp/LBNetworkPrivate.py b/checkov/terraform/checks/resource/ncp/LBNetworkPrivate.py
@@ -0,0 +1,25 @@
+from __future__ import annotations
+
+from typing import Any, List
+
+from checkov.common.models.enums import CheckCategories
+from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+
+
+class LBNetworkPrivate(BaseResourceValueCheck):
+
+    def __init__(self):
+        name = "Ensure LB isn't exposed to the internet"
+        id = "CKV_NCP_16"
+        supported_resources = ("ncloud_lb",)
+        categories = (CheckCategories.NETWORKING,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self) -> str:
+        return "network_type"
+
+    def get_expected_values(self) -> List[Any]:
+        return ["PRIVATE"]
+
+
+check = LBNetworkPrivate()
diff --git a/tests/terraform/checks/resource/ncp/example_LBNetworkPrivate/main.tf b/tests/terraform/checks/resource/ncp/example_LBNetworkPrivate/main.tf
@@ -0,0 +1,18 @@
+resource "ncloud_lb" "pass" {
+  name = "tf-lb-test"
+  network_type = "PRIVATE"
+  type = "APPLICATION"
+  subnet_no_list = [ ncloud_subnet.test.subnet_no ]
+}
+
+resource "ncloud_lb" "fail" {
+  name = "tf-lb-test"
+  network_type = "PUBLIC"
+  type = "APPLICATION"
+  subnet_no_list = [ ncloud_subnet.test.subnet_no ]
+}
+resource "ncloud_lb" "fail2" {
+  name = "tf-lb-test"
+  type = "APPLICATION"
+  subnet_no_list = [ ncloud_subnet.test.subnet_no ]
+}
diff --git a/tests/terraform/checks/resource/ncp/test_LBNetworkPrivate.py b/tests/terraform/checks/resource/ncp/test_LBNetworkPrivate.py
@@ -0,0 +1,41 @@
+import unittest
+from pathlib import Path
+
+from checkov.runner_filter import RunnerFilter
+from checkov.terraform.checks.resource.ncp.LBNetworkPrivate import check
+from checkov.terraform.runner import Runner
+
+
+class TestLBNetworkPrivate(unittest.TestCase):
+    def test(self):
+        # given
+        test_files_dir = Path(__file__).parent / "example_LBNetworkPrivate"
+
+        # when
+        report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+        # then
+        summary = report.get_summary()
+
+        passing_resources = {
+            "ncloud_lb.pass",
+        }
+        failing_resources = {
+            "ncloud_lb.fail",
+            "ncloud_lb.fail2"
+        }
+
+        passed_check_resources = {c.resource for c in report.passed_checks}
+        failed_check_resources = {c.resource for c in report.failed_checks}
+
+        self.assertEqual(summary["passed"], 1)
+        self.assertEqual(summary["failed"], 2)
+        self.assertEqual(summary["skipped"], 0)
+        self.assertEqual(summary["parsing_errors"], 0)
+
+        self.assertEqual(passing_resources, passed_check_resources)
+        self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+    unittest.main()