fix(terraform): CKV_AZURE_144 passes on defaults (#3938)

fail test if property is not set
bridgecrewio · Nov 24, 2022 · f955cef · f955cef
1 parent 098e4b8
commit f955cef
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 23 deletions.
diff --git a/checkov/terraform/checks/resource/azure/MLPublicAccess.py b/checkov/terraform/checks/resource/azure/MLPublicAccess.py
@@ -2,7 +2,7 @@
 
 from typing import Any
 
-from checkov.common.models.enums import CheckCategories
+from checkov.common.models.enums import CheckCategories, CheckResult
 from checkov.terraform.checks.resource.base_resource_negative_value_check import BaseResourceNegativeValueCheck
 
 
@@ -19,7 +19,8 @@ def __init__(self) -> None:
 
         # Valid CheckCategories are defined in checkov/common/models/enums.py
         categories = (CheckCategories.NETWORKING,)
-        super().__init__(name=description, id=id, categories=categories, supported_resources=supported_resources)
+        super().__init__(name=description, id=id, categories=categories,
+                         supported_resources=supported_resources, missing_attribute_result=CheckResult.FAILED)
 
     def get_inspected_key(self) -> str:
         return "public_network_access_enabled"

diff --git a/tests/terraform/checks/resource/azure/example_MLPublicAccess/MLPublicAccess.tf b/tests/terraform/checks/resource/azure/example_MLPublicAccess/MLPublicAccess.tf
@@ -18,14 +18,16 @@ resource "azurerm_machine_learning_workspace" "ckv_unittest_pass" {
   }
 }
 
-## SHOULD PASS: Parameter public_network_access_enabled defaults to false
-resource "azurerm_machine_learning_workspace" "ckv_unittest_pass_2" {
-  name                    = "example-workspace"
-  location                = azurerm_resource_group.example.location
-  resource_group_name     = azurerm_resource_group.example.name
-  application_insights_id = azurerm_application_insights.example.id
-  key_vault_id            = azurerm_key_vault.example.id
-  storage_account_id      = azurerm_storage_account.example.id
+
+## SHOULD FAIL: Explicitly define parameter public_network_access_enabled to true
+resource "azurerm_machine_learning_workspace" "ckv_unittest_fail" {
+  name                          = "example-workspace"
+  location                      = azurerm_resource_group.example.location
+  resource_group_name           = azurerm_resource_group.example.name
+  application_insights_id       = azurerm_application_insights.example.id
+  key_vault_id                  = azurerm_key_vault.example.id
+  storage_account_id            = azurerm_storage_account.example.id
+  public_network_access_enabled = true
 
   identity {
     type = "SystemAssigned"
@@ -37,15 +39,14 @@ resource "azurerm_machine_learning_workspace" "ckv_unittest_pass_2" {
   }
 }
 
-## SHOULD FAIL: Explicitly define parameter public_network_access_enabled to true
-resource "azurerm_machine_learning_workspace" "ckv_unittest_fail" {
-  name                          = "example-workspace"
-  location                      = azurerm_resource_group.example.location
-  resource_group_name           = azurerm_resource_group.example.name
-  application_insights_id       = azurerm_application_insights.example.id
-  key_vault_id                  = azurerm_key_vault.example.id
-  storage_account_id            = azurerm_storage_account.example.id
-  public_network_access_enabled = true
+## SHOULD FAIL: Parameter public_network_access_enabled defaults to true
+resource "azurerm_machine_learning_workspace" "ckv_unittest_fail_2" {
+  name                    = "example-workspace"
+  location                = azurerm_resource_group.example.location
+  resource_group_name     = azurerm_resource_group.example.name
+  application_insights_id = azurerm_application_insights.example.id
+  key_vault_id            = azurerm_key_vault.example.id
+  storage_account_id      = azurerm_storage_account.example.id
 
   identity {
     type = "SystemAssigned"
@@ -55,4 +56,4 @@ resource "azurerm_machine_learning_workspace" "ckv_unittest_fail" {
     key_vault_id = azurerm_key_vault.example.id
     key_id       = azurerm_key_vault_key.example.id
   }
-}
+}
diff --git a/tests/terraform/checks/resource/azure/test_MLPublicAccess.py b/tests/terraform/checks/resource/azure/test_MLPublicAccess.py
@@ -18,11 +18,11 @@ def test(self):
         summary = report.get_summary()
 
         passing_resources = {
-            'azurerm_machine_learning_workspace.ckv_unittest_pass',
-            'azurerm_machine_learning_workspace.ckv_unittest_pass_2'
+            'azurerm_machine_learning_workspace.ckv_unittest_pass'
         }
         failing_resources = {
             'azurerm_machine_learning_workspace.ckv_unittest_fail',
+            'azurerm_machine_learning_workspace.ckv_unittest_fail_2'
         }
         skipped_resources = {}
 
@@ -39,4 +39,4 @@ def test(self):
 
 
 if __name__ == '__main__':
-    unittest.main()
+    unittest.main()