feat(terraform): add CKV NCP rules about NASEncrytionEnabled (#3796)

* [22.10.27][add]LBListenerUsesSecureProtocols * [22.11.05][fix]fix Co-authored-by: Kuemjong Jeong <[email protected]>
bridgecrewio · Nov 8, 2022 · eb01b2f · eb01b2f
1 parent 4245295
commit eb01b2f
Show file tree

Hide file tree

Showing 3 changed files with 77 additions and 0 deletions.
diff --git a/checkov/terraform/checks/resource/ncp/NASEncryptionEnabled.py b/checkov/terraform/checks/resource/ncp/NASEncryptionEnabled.py
@@ -0,0 +1,17 @@
+from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+from checkov.common.models.enums import CheckCategories
+
+
+class EFSEncryptionEnabled(BaseResourceValueCheck):
+    def __init__(self):
+        name = "Ensure NAS is securely encrypted"
+        id = "CKV_NCP_14"
+        supported_resources = ('ncloud_nas_volume',)
+        categories = (CheckCategories.ENCRYPTION,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self):
+        return "is_encrypted_volume"
+
+
+check = EFSEncryptionEnabled()
diff --git a/tests/terraform/checks/resource/ncp/example_NASEncryptionEnabled/main.tf b/tests/terraform/checks/resource/ncp/example_NASEncryptionEnabled/main.tf
@@ -0,0 +1,19 @@
+resource "ncloud_nas_volume" "pass" {
+    volume_name_postfix = "vol"
+    volume_size = "600"
+    volume_allotment_protocol_type = "NFS"
+    is_encrypted_volume = true
+}
+
+resource "ncloud_nas_volume" "fail" {
+    volume_name_postfix = "vol"
+    volume_size = "600"
+    volume_allotment_protocol_type = "NFS"
+}
+
+resource "ncloud_nas_volume" "fail2" {
+    volume_name_postfix = "vol"
+    volume_size = "600"
+    volume_allotment_protocol_type = "NFS"
+    is_encrypted_volume = false
+}
diff --git a/tests/terraform/checks/resource/ncp/test_NASEncryptionEnabled.py b/tests/terraform/checks/resource/ncp/test_NASEncryptionEnabled.py
@@ -0,0 +1,41 @@
+import unittest
+from pathlib import Path
+
+from checkov.runner_filter import RunnerFilter
+from checkov.terraform.checks.resource.ncp.NASEncryptionEnabled import check
+from checkov.terraform.runner import Runner
+
+
+class TestNASEncryptionEnabled(unittest.TestCase):
+    def test(self):
+        # given
+        test_files_dir = Path(__file__).parent / "example_NASEncryptionEnabled"
+
+        # when
+        report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+        # then
+        summary = report.get_summary()
+
+        passing_resources = {
+            "ncloud_nas_volume.pass",
+        }
+        failing_resources = {
+            "ncloud_nas_volume.fail",
+            "ncloud_nas_volume.fail2",
+        }
+
+        passed_check_resources = {c.resource for c in report.passed_checks}
+        failed_check_resources = {c.resource for c in report.failed_checks}
+
+        self.assertEqual(summary["passed"], 1)
+        self.assertEqual(summary["failed"], 2)
+        self.assertEqual(summary["skipped"], 0)
+        self.assertEqual(summary["parsing_errors"], 0)
+
+        self.assertEqual(passing_resources, passed_check_resources)
+        self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+    unittest.main()