feat(terraform): add CKV NCP rules about access control group outbound rule.

.gitignore

@@ -172,4 +172,4 @@ tests/20*
 # vim 
 .vim/
 .vimspector.json
-!tests/terraform/graph/variable_rendering/test_resources/tfvar_module_variables/modules/instance
+!tests/terraform/graph/variable_rendering/test_resources/tfvar_module_variables/modules/instance

checkov/terraform/checks/resource/ncp/AccessControlGroupOutboundRule.py

@@ -0,0 +1,25 @@
+from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
+from checkov.common.models.enums import CheckResult, CheckCategories
+
+
+class AccessControlGroupOutboundRule(BaseResourceCheck):
+    def __init__(self):
+        name = "An outbound security group rule allows traffic to /0"
+        id = "CKV_NCP_3"
+        supported_resources = ['ncloud_access_control_group_rule']
+
+        categories = [CheckCategories.NETWORKING]
+        guideline = "You should restrict access to IP addresses or ranges that are explicitly required where possible."
+        super().__init__(name=name, id=id, categories=categories,
+                         supported_resources=supported_resources, guideline=guideline)
+
+    def scan_resource_conf(self, conf):
+        if 'outbound' in conf.keys():
+            for inbound in conf['outbound']:
+                ip = inbound.get('ip_block', '0.0.0.0/0')[0]
+                if ip == '0.0.0.0/0' or ip == '::/0':
+                    return CheckResult.FAILED
+        return CheckResult.PASSED
+
+
+check = AccessControlGroupOutboundRule()

checkov/terraform/checks/resource/ncp/AccessControlGroupRuleDescription.py

@@ -5,7 +5,7 @@
 class AccessControlGroupRuleDescription(BaseResourceCheck):
     def __init__(self):
         name = "Ensure every access control groups rule has a description"
-        id = "CKV_NCP_002"
+        id = "CKV_NCP_2"
         supported_resource = [
             'ncloud_access_control_group',
             'ncloud_access_control_group_rule',

tests/terraform/checks/resource/ncp/example_AccessControlGroupOutboundRule/main.tf

@@ -0,0 +1,53 @@
+resource "ncloud_access_control_group_rule" "pass" {
+  access_control_group_no = ncloud_access_control_group.acg.id
+
+  inbound {
+    protocol    = "TCP"
+    ip_block    = "0.0.0.0/0"
+    port_range  = "22"
+    description = "accept 22 port"
+  }
+
+  outbound {
+    protocol    = "TCP"
+    ip_block    = "10.0.3.0/16" 
+    port_range  = "1-65535"
+    description = "accept 1-65535 port"
+  }
+}
+
+resource "ncloud_access_control_group_rule" "fail" {
+  access_control_group_no = ncloud_access_control_group.acg.id
+
+  inbound {
+    protocol    = "TCP"
+    ip_block    = "10.0.3.0/16"
+    port_range  = "22"
+    description = "accept 22 port"
+  }
+
+  outbound {
+    protocol    = "TCP"
+    ip_block    = "0.0.0.0/0" 
+    port_range  = "1-65535"
+    description = "accept 1-65535 port"
+  }
+}
+
+resource "ncloud_access_control_group_rule" "fail1" {
+  access_control_group_no = ncloud_access_control_group.acg.id
+
+  inbound {
+    protocol    = "TCP"
+    ip_block    = "10.16.0.0/32" 
+    port_range  = "1-65535"
+    description = "accept 1-65535 port"
+  }
+
+  outbound {
+    protocol    = "TCP"
+    ip_block    = "::/0"
+    port_range  = "22"
+    description = "accept 22 port"
+  }
+}

tests/terraform/checks/resource/ncp/example_LBTargetGroupHTTPS/main.tf

@@ -0,0 +1,54 @@
+resource "ncloud_lb_target_group" "pass" {
+    name = "terra-tg"
+    vpc_no = data.ncloud_vpc.selected.id
+    protocol = "HTTPS"
+    target_type = "VSVR"
+    port = 443
+    description = "cand2_lb_group"
+    health_check {
+        protocol = "HTTPS"
+        http_method = "GET"
+        port = 443
+        url_path = "/"
+        cycle = 30
+        up_threshold = 2
+        down_threshold = 2
+    }
+    algorithm_type = "RR"
+}
+
+
+resource "ncloud_lb_listener" "pass" {
+    load_balancer_no = ncloud_lb.lb.id
+    protocol = "HTTPS"
+    port = 443
+    target_group_no = ncloud_lb_target_group.tg.id
+}
+
+
+resource "ncloud_lb_target_group" "fail" {
+    name = "terra-tg"
+    vpc_no = data.ncloud_vpc.selected.id
+    protocol = "HTTP"
+    target_type = "VSVR"
+    port = 80
+    description = "cand2_lb_group"
+    health_check {
+        protocol = "HTTP"
+        http_method = "GET"
+        port = 80
+        url_path = "/"
+        cycle = 30
+        up_threshold = 2
+        down_threshold = 2
+    }
+    algorithm_type = "RR"
+}
+
+
+resource "ncloud_lb_listener" "fail" {
+    load_balancer_no = ncloud_lb.lb.id
+    protocol = "HTTP"
+    port = 80
+    target_group_no = ncloud_lb_target_group.tg.id
+}

tests/terraform/checks/resource/ncp/test_AccessControlGroupOutboundRule.py

@@ -0,0 +1,41 @@
+import unittest
+from pathlib import Path
+
+from checkov.runner_filter import RunnerFilter
+from checkov.terraform.checks.resource.ncp.AccessControlGroupOutboundRule import check
+from checkov.terraform.runner import Runner
+
+
+class TestAccessControlGroupOutboundRule(unittest.TestCase):
+    def test(self):
+        # given
+        test_files_dir = Path(__file__).parent / "example_AccessControlGroupOutboundRule"
+
+        # when
+        report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+        # then
+        summary = report.get_summary()
+
+        passing_resources = {
+            "ncloud_access_control_group_rule.pass"
+        }
+        failing_resources = {
+            "ncloud_access_control_group_rule.fail",
+            "ncloud_access_control_group_rule.fail1"
+        }
+
+        passed_check_resources = {c.resource for c in report.passed_checks}
+        failed_check_resources = {c.resource for c in report.failed_checks}
+
+        self.assertEqual(summary["passed"], 1)
+        self.assertEqual(summary["failed"], 2)
+        self.assertEqual(summary["skipped"], 0)
+        self.assertEqual(summary["parsing_errors"], 0)
+
+        self.assertEqual(passing_resources, passed_check_resources)
+        self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+    unittest.main()