CKV_AZURE_131/132/133 (#169)

* implementation of CKV_AZURE_131

* implementation of CKV_AZURE_131 - CKV_AZURE_133

* fixed test class name

checkov/terraform/checks/resource/azure/MySQLServerPublicAccessDisabled.py

@@ -0,0 +1,23 @@
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+
+
+class MySQLServerHasPublicAccessDisabled(BaseResourceValueCheck):
+    def __init__(self):
+        name = "Ensure that MySQL server disables public network access"
+        id = "CKV_AZURE_132"
+        supported_resources = ['azurerm_mysql_server']
+        categories = [CheckCategories.NETWORKING]
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self):
+        return 'public_network_access_enabled'
+
+    def scan_resource_conf(self, conf):
+        public_access = conf.get('public_network_access_enabled', [True])
+        if public_access[0]:
+            return CheckResult.FAILED
+        return CheckResult.PASSED
+
+
+check = MySQLServerHasPublicAccessDisabled()

checkov/terraform/checks/resource/azure/PostgreSQLServerPublicAccessDisabled.py

@@ -0,0 +1,23 @@
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+
+
+class PostgreSQLServerHasPublicAccessDisabled(BaseResourceValueCheck):
+    def __init__(self):
+        name = "Ensure that PostgreSQL server disables public network access"
+        id = "CKV_AZURE_133"
+        supported_resources = ['azurerm_postgresql_server']
+        categories = [CheckCategories.NETWORKING]
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self):
+        return 'public_network_access_enabled'
+
+    def scan_resource_conf(self, conf):
+        public_access = conf.get('public_network_access_enabled', [True])
+        if public_access[0]:
+            return CheckResult.FAILED
+        return CheckResult.PASSED
+
+
+check = PostgreSQLServerHasPublicAccessDisabled()

checkov/terraform/checks/resource/azure/SQLServerPublicAccessDisabled.py

@@ -0,0 +1,23 @@
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+
+
+class SQLServerHasPublicAccessDisabled(BaseResourceValueCheck):
+    def __init__(self):
+        name = "Ensure that SQL server disables public network access"
+        id = "CKV_AZURE_131"
+        supported_resources = ['azurerm_mssql_server']
+        categories = [CheckCategories.NETWORKING]
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self):
+        return 'public_network_access_enabled'
+
+    def scan_resource_conf(self, conf):
+        public_access = conf.get('public_network_access_enabled', [True])
+        if public_access[0]:
+            return CheckResult.FAILED
+        return CheckResult.PASSED
+
+
+check = SQLServerHasPublicAccessDisabled()

tests/terraform/checks/resource/azure/test_MySQLServerPublicAccessDisabled.py

@@ -0,0 +1,93 @@
+import unittest
+
+import hcl2
+
+from checkov.terraform.checks.resource.azure.MySQLServerPublicAccessDisabled import check
+from checkov.common.models.enums import CheckResult
+
+
+class TestMysqlSQLServerPublicAccessDisabled(unittest.TestCase):
+
+    def test_failure_1(self):
+        hcl_res = hcl2.loads("""
+            resource "azurerm_mysql_server" "example" {
+              name                = "example-mysqlserver"
+              location            = azurerm_resource_group.example.location
+              resource_group_name = azurerm_resource_group.example.name
+            
+              administrator_login          = "mysqladminun"
+              administrator_login_password = "H@Sh1CoR3!"
+            
+              sku_name   = "B_Gen5_2"
+              storage_mb = 5120
+              version    = "5.7"
+            
+              auto_grow_enabled                 = true
+              backup_retention_days             = 7
+              geo_redundant_backup_enabled      = false
+              infrastructure_encryption_enabled = false
+              public_network_access_enabled     = true
+              ssl_enforcement_enabled           = true
+              ssl_minimal_tls_version_enforced  = "TLS1_2"
+            }
+                """)
+        resource_conf = hcl_res['resource'][0]['azurerm_mysql_server']['example']
+        scan_result = check.scan_resource_conf(conf=resource_conf)
+        self.assertEqual(CheckResult.FAILED, scan_result)
+
+    def test_failure_2(self):
+        hcl_res = hcl2.loads("""
+            resource "azurerm_mysql_server" "example" {
+              name                = "example-mysqlserver"
+              location            = azurerm_resource_group.example.location
+              resource_group_name = azurerm_resource_group.example.name
+            
+              administrator_login          = "mysqladminun"
+              administrator_login_password = "H@Sh1CoR3!"
+            
+              sku_name   = "B_Gen5_2"
+              storage_mb = 5120
+              version    = "5.7"
+            
+              auto_grow_enabled                 = true
+              backup_retention_days             = 7
+              geo_redundant_backup_enabled      = false
+              infrastructure_encryption_enabled = false
+              ssl_enforcement_enabled           = true
+              ssl_minimal_tls_version_enforced  = "TLS1_2"
+            }
+                """)
+        resource_conf = hcl_res['resource'][0]['azurerm_mysql_server']['example']
+        scan_result = check.scan_resource_conf(conf=resource_conf)
+        self.assertEqual(CheckResult.FAILED, scan_result)
+
+    def test_success(self):
+        hcl_res = hcl2.loads("""
+            resource "azurerm_mysql_server" "example" {
+              name                = "example-mysqlserver"
+              location            = azurerm_resource_group.example.location
+              resource_group_name = azurerm_resource_group.example.name
+            
+              administrator_login          = "mysqladminun"
+              administrator_login_password = "H@Sh1CoR3!"
+            
+              sku_name   = "B_Gen5_2"
+              storage_mb = 5120
+              version    = "5.7"
+            
+              auto_grow_enabled                 = true
+              backup_retention_days             = 7
+              geo_redundant_backup_enabled      = false
+              infrastructure_encryption_enabled = false
+              public_network_access_enabled     = false
+              ssl_enforcement_enabled           = true
+              ssl_minimal_tls_version_enforced  = "TLS1_2"
+            }
+                """)
+        resource_conf = hcl_res['resource'][0]['azurerm_mysql_server']['example']
+        scan_result = check.scan_resource_conf(conf=resource_conf)
+        self.assertEqual(CheckResult.PASSED, scan_result)
+
+
+if __name__ == '__main__':
+    unittest.main()

tests/terraform/checks/resource/azure/test_PostgreSQLServerPublicAccessDisabled.py

@@ -0,0 +1,92 @@
+import unittest
+
+import hcl2
+
+from checkov.terraform.checks.resource.azure.PostgreSQLServerPublicAccessDisabled import check
+from checkov.common.models.enums import CheckResult
+
+
+class TestPostgreSQLServerPublicAccessDisabled(unittest.TestCase):
+
+    def test_failure_1(self):
+        hcl_res = hcl2.loads("""
+            resource "azurerm_postgresql_server" "example" {
+              name                = "example-psqlserver"
+              location            = azurerm_resource_group.example.location
+              resource_group_name = azurerm_resource_group.example.name
+            
+              administrator_login          = "psqladminun"
+              administrator_login_password = "H@Sh1CoR3!"
+            
+              sku_name   = "GP_Gen5_4"
+              version    = "9.6"
+              storage_mb = 640000
+            
+              backup_retention_days        = 7
+              geo_redundant_backup_enabled = true
+              auto_grow_enabled            = true
+
+              public_network_access_enabled    = true
+              ssl_enforcement_enabled          = true
+              ssl_minimal_tls_version_enforced = "TLS1_2"
+            }
+        """)
+        resource_conf = hcl_res['resource'][0]['azurerm_postgresql_server']['example']
+        scan_result = check.scan_resource_conf(conf=resource_conf)
+        self.assertEqual(CheckResult.FAILED, scan_result)
+
+    def test_failure_2(self):
+        hcl_res = hcl2.loads("""
+            resource "azurerm_postgresql_server" "example" {
+              name                = "example-psqlserver"
+              location            = azurerm_resource_group.example.location
+              resource_group_name = azurerm_resource_group.example.name
+
+              administrator_login          = "psqladminun"
+              administrator_login_password = "H@Sh1CoR3!"
+
+              sku_name   = "GP_Gen5_4"
+              version    = "9.6"
+              storage_mb = 640000
+
+              backup_retention_days        = 7
+              geo_redundant_backup_enabled = true
+              auto_grow_enabled            = true
+              ssl_enforcement_enabled          = true
+              ssl_minimal_tls_version_enforced = "TLS1_2"
+            }
+                """)
+        resource_conf = hcl_res['resource'][0]['azurerm_postgresql_server']['example']
+        scan_result = check.scan_resource_conf(conf=resource_conf)
+        self.assertEqual(CheckResult.FAILED, scan_result)
+
+    def test_success(self):
+        hcl_res = hcl2.loads("""
+            resource "azurerm_postgresql_server" "example" {
+              name                = "example-psqlserver"
+              location            = azurerm_resource_group.example.location
+              resource_group_name = azurerm_resource_group.example.name
+
+              administrator_login          = "psqladminun"
+              administrator_login_password = "H@Sh1CoR3!"
+
+              sku_name   = "GP_Gen5_4"
+              version    = "9.6"
+              storage_mb = 640000
+
+              backup_retention_days        = 7
+              geo_redundant_backup_enabled = true
+              auto_grow_enabled            = true
+
+              public_network_access_enabled    = false
+              ssl_enforcement_enabled          = true
+              ssl_minimal_tls_version_enforced = "TLS1_2"
+            }
+                """)
+        resource_conf = hcl_res['resource'][0]['azurerm_postgresql_server']['example']
+        scan_result = check.scan_resource_conf(conf=resource_conf)
+        self.assertEqual(CheckResult.PASSED, scan_result)
+
+
+if __name__ == '__main__':
+    unittest.main()

tests/terraform/checks/resource/azure/test_SQLServerPublicAccessDisabled.py

@@ -0,0 +1,75 @@
+import unittest
+
+import hcl2
+
+from checkov.terraform.checks.resource.azure.SQLServerPublicAccessDisabled import check
+from checkov.common.models.enums import CheckResult
+
+
+class TestSQLServerPublicAccessDisabled(unittest.TestCase):
+
+    def test_failure_1(self):
+        hcl_res = hcl2.loads("""
+            resource "azurerm_mssql_server" "example" {
+              name                         = "mssqlserver"
+              resource_group_name          = azurerm_resource_group.example.name
+              location                     = azurerm_resource_group.example.location
+              version                      = "12.0"
+              administrator_login          = "missadministrator"
+              administrator_login_password = "thisIsKat11"
+              minimum_tls_version          = "1.2"
+              public_network_access_enabled = true
+              azuread_administrator {
+                login_username = "AzureAD Admin"
+                object_id      = "00000000-0000-0000-0000-000000000000"
+              }
+            }
+                """)
+        resource_conf = hcl_res['resource'][0]['azurerm_mssql_server']['example']
+        scan_result = check.scan_resource_conf(conf=resource_conf)
+        self.assertEqual(CheckResult.FAILED, scan_result)
+
+    def test_failure_2(self):
+        hcl_res = hcl2.loads("""
+            resource "azurerm_mssql_server" "example" {
+              name                         = "mssqlserver"
+              resource_group_name          = azurerm_resource_group.example.name
+              location                     = azurerm_resource_group.example.location
+              version                      = "12.0"
+              administrator_login          = "missadministrator"
+              administrator_login_password = "thisIsKat11"
+              minimum_tls_version          = "1.2"
+              azuread_administrator {
+                login_username = "AzureAD Admin"
+                object_id      = "00000000-0000-0000-0000-000000000000"
+              }
+            }
+                """)
+        resource_conf = hcl_res['resource'][0]['azurerm_mssql_server']['example']
+        scan_result = check.scan_resource_conf(conf=resource_conf)
+        self.assertEqual(CheckResult.FAILED, scan_result)
+
+    def test_success(self):
+        hcl_res = hcl2.loads("""
+            resource "azurerm_mssql_server" "example" {
+              name                         = "mssqlserver"
+              resource_group_name          = azurerm_resource_group.example.name
+              location                     = azurerm_resource_group.example.location
+              version                      = "12.0"
+              administrator_login          = "missadministrator"
+              administrator_login_password = "thisIsKat11"
+              minimum_tls_version          = "1.2"
+              public_network_access_enabled = false
+              azuread_administrator {
+                login_username = "AzureAD Admin"
+                object_id      = "00000000-0000-0000-0000-000000000000"
+              }
+            }
+                """)
+        resource_conf = hcl_res['resource'][0]['azurerm_mssql_server']['example']
+        scan_result = check.scan_resource_conf(conf=resource_conf)
+        self.assertEqual(CheckResult.PASSED, scan_result)
+
+
+if __name__ == '__main__':
+    unittest.main()