forked from bridgecrewio/checkov
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
3 changed files
with
110 additions
and
0 deletions.
There are no files selected for viewing
22 changes: 22 additions & 0 deletions
22
checkov/terraform/checks/resource/ncp/RouteTableNATGatewayDefault.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| from checkov.common.models.enums import CheckResult, CheckCategories | ||
| from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceCheck | ||
|
|
||
|
|
||
| class RouteTableNATGatewayDefault(BaseResourceCheck): | ||
| def __init__(self): | ||
| name = "Ensure Routing Table associated with Web tier subnet have the default route (0.0.0.0/0) defined to " \ | ||
| "allow connectivity " | ||
| id = "CKV_NCP_32" | ||
| supported_resources = ('ncloud_route',) | ||
| categories = (CheckCategories.KUBERNETES,) | ||
| super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) | ||
|
|
||
| def scan_resource_conf(self, conf): | ||
| if "destination_cidr_block" in conf.keys() and "target_type" in conf.keys(): | ||
| if conf.get("destination_cidr_block") in (["0.0.0.0/0"],) \ | ||
| and conf.get("target_type") in (["NATGW"],): | ||
| return CheckResult.PASSED | ||
| return CheckResult.FAILED | ||
|
|
||
|
|
||
| check = RouteTableNATGatewayDefault() |
46 changes: 46 additions & 0 deletions
46
tests/terraform/checks/resource/ncp/example_RouteTableNATGatewayDefault/main.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| resource "ncloud_vpc" "vpc" { | ||
| name = "vpc" | ||
| ipv4_cidr_block = "10.0.0.0/16" | ||
| } | ||
|
|
||
| resource "ncloud_route_table" "route_table" { | ||
| vpc_no = ncloud_vpc.vpc.id | ||
| supported_subnet_type = "PUBLIC" | ||
| } | ||
|
|
||
| resource "ncloud_nat_gateway" "nat_gateway" { | ||
| vpc_no = ncloud_vpc.vpc.id | ||
| zone = "KR-2" | ||
| } | ||
|
|
||
| resource "ncloud_route" "pass" { | ||
| route_table_no = ncloud_route_table.route_table.id | ||
| destination_cidr_block = "0.0.0.0/0" | ||
| target_type = "NATGW" // NATGW (NAT Gateway) | VPCPEERING (VPC Peering) | VGW (Virtual Private Gateway). | ||
| target_name = ncloud_nat_gateway.nat_gateway.name | ||
| target_no = ncloud_nat_gateway.nat_gateway.id | ||
| } | ||
|
|
||
| resource "ncloud_route" "fail" { | ||
| route_table_no = ncloud_route_table.route_table.id | ||
| destination_cidr_block = "0.0.0.0/0" | ||
| target_type = "VPCPEERING" // NATGW (NAT Gateway) | VPCPEERING (VPC Peering) | VGW (Virtual Private Gateway). | ||
| target_name = ncloud_nat_gateway.nat_gateway.name | ||
| target_no = ncloud_nat_gateway.nat_gateway.id | ||
| } | ||
|
|
||
| resource "ncloud_route" "fail2" { | ||
| route_table_no = ncloud_route_table.route_table.id | ||
| destination_cidr_block = "0.0.0.0/0" | ||
| target_type = "VGW" // NATGW (NAT Gateway) | VPCPEERING (VPC Peering) | VGW (Virtual Private Gateway). | ||
| target_name = ncloud_nat_gateway.nat_gateway.name | ||
| target_no = ncloud_nat_gateway.nat_gateway.id | ||
| } | ||
|
|
||
| resource "ncloud_route" "fail3" { | ||
| route_table_no = ncloud_route_table.route_table.id | ||
| destination_cidr_block = "0.0.0.1/0" | ||
| target_type = "NATGW" // NATGW (NAT Gateway) | VPCPEERING (VPC Peering) | VGW (Virtual Private Gateway). | ||
| target_name = ncloud_nat_gateway.nat_gateway.name | ||
| target_no = ncloud_nat_gateway.nat_gateway.id | ||
| } |
42 changes: 42 additions & 0 deletions
42
tests/terraform/checks/resource/ncp/test_RouteTableNATGatewayDefault.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| import unittest | ||
| from pathlib import Path | ||
|
|
||
| from checkov.runner_filter import RunnerFilter | ||
| from checkov.terraform.checks.resource.ncp.RouteTableNATGatewayDefault import check | ||
| from checkov.terraform.runner import Runner | ||
|
|
||
|
|
||
| class TestRouteTableNATGatewayDefault(unittest.TestCase): | ||
| def test(self): | ||
| # given | ||
| test_files_dir = Path(__file__).parent / "example_RouteTableNATGatewayDefault" | ||
|
|
||
| # when | ||
| report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id])) | ||
|
|
||
| # then | ||
| summary = report.get_summary() | ||
|
|
||
| passing_resources = { | ||
| "ncloud_route.pass", | ||
| } | ||
| failing_resources = { | ||
| "ncloud_route.fail", | ||
| "ncloud_route.fail2", | ||
| "ncloud_route.fail3", | ||
| } | ||
|
|
||
| passed_check_resources = {c.resource for c in report.passed_checks} | ||
| failed_check_resources = {c.resource for c in report.failed_checks} | ||
|
|
||
| self.assertEqual(summary["passed"], 1) | ||
| self.assertEqual(summary["failed"], 3) | ||
| self.assertEqual(summary["skipped"], 0) | ||
| self.assertEqual(summary["parsing_errors"], 0) | ||
|
|
||
| self.assertEqual(passing_resources, passed_check_resources) | ||
| self.assertEqual(failing_resources, failed_check_resources) | ||
|
|
||
|
|
||
| if __name__ == "__main__": | ||
| unittest.main() |