feat(terraform): NSGRulePortAccessRestricted - Remove the condition f…

…or dynamic blocks (#3862) Remove the condition for dynamic blocks
bridgecrewio · Nov 13, 2022 · 9052caa · 9052caa
1 parent f0031f7
commit 9052caa
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 5 deletions.
diff --git a/checkov/terraform/checks/resource/azure/NSGRulePortAccessRestricted.py b/checkov/terraform/checks/resource/azure/NSGRulePortAccessRestricted.py
@@ -28,10 +28,6 @@ def is_port_in_range(self, ports: Union[int, str, List[Union[int, str]]]) -> boo
         return False
 
     def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:
-        if "dynamic" in conf:
-            self.evaluated_keys = ["dynamic"]
-            return CheckResult.UNKNOWN
-
         rule_confs = [conf]
         evaluated_key_prefix = ""
         if "security_rule" in conf:

diff --git a/tests/terraform/checks/resource/azure/example_NSGRuleRDPAccessRestricted/main.tf b/tests/terraform/checks/resource/azure/example_NSGRuleRDPAccessRestricted/main.tf
@@ -165,3 +165,39 @@ resource "azurerm_network_security_rule" "range_prefix_lower_case" {
   destination_port_range = "3000-4000"
   source_address_prefix  = "internet"
 }
+
+resource "azurerm_network_security_group" "snet_nsgs" {
+  count               = "${length(local.subnets)}"
+  name                = "${local.root}-snet-${lookup(local.subnets[count.index], "name")}-nsg"
+  location            = "${azurerm_resource_group.net_rg.location}"
+  resource_group_name = "${azurerm_resource_group.net_rg.name}"
+  tags                = "${local.tags}"
+
+
+  dynamic "security_rule" {
+    for_each = [for s in local.subnets[count.index].nsg_rules : {
+      name                       = s.name
+      priority                   = s.priority
+      direction                  = s.direction
+      access                     = s.access
+      protocol                   = s.protocol
+      source_port_range          = s.source_port_range
+      destination_port_range     = s.destination_port_range
+      source_address_prefix      = s.source_address_prefix
+      destination_address_prefix = s.destination_address_prefix
+      description                = s.description
+    }]
+    content {
+      name                       = security_rule.value.name
+      priority                   = security_rule.value.priority
+      direction                  = security_rule.value.direction
+      access                     = security_rule.value.access
+      protocol                   = security_rule.value.protocol
+      source_port_range          = security_rule.value.source_port_range
+      destination_port_range     = security_rule.value.destination_port_range
+      source_address_prefix      = security_rule.value.source_address_prefix
+      destination_address_prefix = security_rule.value.destination_address_prefix
+      description                = security_rule.value.description
+    }
+  }
+}
diff --git a/tests/terraform/checks/resource/azure/test_NSGRuleRDPAccessRestricted.py b/tests/terraform/checks/resource/azure/test_NSGRuleRDPAccessRestricted.py
@@ -21,6 +21,7 @@ def test(self):
             "azurerm_network_security_rule.https",
             "azurerm_network_security_rule.rdp_restricted_prefixes",
             "azurerm_network_security_group.rdp_restricted",
+            "azurerm_network_security_group.snet_nsgs"
         }
         failing_resources = {
             "azurerm_network_security_rule.all",
@@ -35,7 +36,7 @@ def test(self):
         passed_check_resources = {c.resource for c in report.passed_checks}
         failed_check_resources = {c.resource for c in report.failed_checks}
 
-        self.assertEqual(summary["passed"], 3)
+        self.assertEqual(summary["passed"], 4)
         self.assertEqual(summary["failed"], 7)
         self.assertEqual(summary["skipped"], 0)
         self.assertEqual(summary["parsing_errors"], 0)