Add new NSG check
tsmithv11 committed Nov 23, 2024
1 parent c42fcd4 commit 1be3da1
Showing 3 changed files with 191 additions and 0 deletions.
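--- /dev/null
+++ b/NEW_FILE_1_PATH_NOT_ON_PAGE
@@ -0,0 +1,13 @@
+from checkov.terraform.checks.resource.azure.NSGRulePortAccessRestricted import NSGRulePortAccessRestricted
+
+
+class NSGRuleSSHAccessRestricted(NSGRulePortAccessRestricted):
+def __init__(self) -> None:
+super().__init__(
+name="Ensure that * port access is restricted from the internet",
+check_id="CKV_AZURE_246",
+port="*",
+)
+
+
+check = NSGRuleSSHAccessRestricted()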
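Review bot: The class name `NSGRuleSSHAccessRestricted` does not describe this check — it is constructed with `port="*"`, and the test file in this commit imports its module as `NSGRuleAllAccessRestricted` — so the class should be renamed `NSGRuleAllAccessRestricted` to match both the module and the semantics. The user-facing `name` reads awkwardly; something like `name="Ensure that NSG rules allowing all ports (*) are restricted from the internet"` states what is actually flagged. Whether `port="*"` also matches an equivalent explicit range such as `0-65535` depends on how `NSGRulePortAccessRestricted` compares ports, which is not visible in this commit; worth confirming, and recording the answer in a short class docstring so the gap (if any) is documented rather than discovered later.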
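--- /dev/null
+++ b/NEW_FILE_2_PATH_NOT_ON_PAGE
@@ -0,0 +1,132 @@
+
+resource "azurerm_network_security_rule" "pass_https" {
+name = "example"
+access = "Allow"
+direction = "Inbound"
+network_security_group_name = "azurerm_network_security_group.example.name"
+priority = 100
+protocol = "Tcp"
+resource_group_name = "azurerm_resource_group.example.name"
+
+destination_port_range = 443
+source_address_prefix = "Internet"
+}
+
+resource "azurerm_network_security_rule" "star_restricted_prefixes" {
+name = "example"
+access = "Allow"
+direction = "Inbound"
+network_security_group_name = "azurerm_network_security_group.example.name"
+priority = 100
+protocol = "Tcp"
+resource_group_name = "azurerm_resource_group.example.name"
+
+destination_port_range = "*"
+source_address_prefixes = [
+"123.123.123.123/32",
+"10.0.0.0/16"
+]
+}
+
+resource "azurerm_network_security_group" "star_restricted" {
+name = "example"
+location = "azurerm_resource_group.example.location"
+resource_group_name = "azurerm_resource_group.example.name"
+
+security_rule {
+name = "example"
+access = "Allow"
+direction = "Inbound"
+priority = 100
+protocol = "Tcp"
+
+destination_port_range = "*"
+source_address_prefix = "10.0.0.0/16"
+}
+}
+
+# fail
+
+resource "azurerm_network_security_rule" "star" {
+name = "example"
+access = "Allow"
+direction = "Inbound"
+network_security_group_name = "azurerm_network_security_group.example.name"
+priority = 100
+protocol = "Tcp"
+resource_group_name = "azurerm_resource_group.example.name"
+
+destination_port_range = "*"
+source_address_prefix = "*"
+destination_port_ranges = null
+source_address_prefixes = null
+}
+
+resource "azurerm_network_security_rule" "all" {
+name = "example"
+access = "Allow"
+direction = "Inbound"
+network_security_group_name = "azurerm_network_security_group.example.name"
+priority = 100
+protocol = "Tcp"
+resource_group_name = "azurerm_resource_group.example.name"
+
+destination_port_range = "*"
+source_address_prefix = "Internet"
+}
+
+resource "azurerm_network_security_rule" "ranges_prefixes" {
+name = "example"
+access = "Allow"
+direction = "Inbound"
+network_security_group_name = "azurerm_network_security_group.example.name"
+priority = 100
+protocol = "Tcp"
+resource_group_name = "azurerm_resource_group.example.name"
+
+destination_port_range = null
+source_address_prefix = null
+destination_port_ranges = [
+22,
+"*"
+]
+source_address_prefixes = [
+"Internet",
+"10.0.0.0/16"
+]
+}
+
+resource "azurerm_network_security_group" "ranges" {
+name = "example"
+location = "azurerm_resource_group.example.location"
+resource_group_name = "azurerm_resource_group.example.name"
+
+security_rule {
+name = "example"
+access = "Allow"
+direction = "Inbound"
+priority = 100
+protocol = "Tcp"
+
+destination_port_ranges = [
+"*",
+"8000-9000"
+]
+source_address_prefix = "*"
+}
+}
+
+resource "azurerm_network_security_group" "star_unrestricted" {
+name = "example"
+location = "azurerm_resource_group.example.location"
+resource_group_name = "azurerm_resource_group.example.name"
+
+security_rule {
+name = "example"
+access = "Allow"
+direction = "Inbound"
+protocol = "Tcp"
+source_address_prefix = "Internet"
+destination_port_range = "*"
+}
+}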
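Review bot: The fixture marks the failing cases with `# fail` just before the `star` rule, but the passing resources above it carry no header, so which resources are expected to pass is only discoverable from the test's expected sets; add `# pass` before `resource "azurerm_network_security_rule" "pass_https"` so the file documents itself. Every rule here is `access = "Allow"` with `direction = "Inbound"`, so the fixture cannot show whether a `Deny` rule or an `Outbound` rule with `destination_port_range = "*"` is correctly left alone; whether the inherited check filters on access and direction is not visible in this commit, and one fixture of each in the passing set would pin the intended behaviour.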
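--- /dev/null
+++ b/NEW_FILE_3_PATH_NOT_ON_PAGE
@@ -0,0 +1,46 @@
+import unittest
+from pathlib import Path
+
+from checkov.runner_filter import RunnerFilter
+from checkov.terraform.checks.resource.azure.NSGRuleAllAccessRestricted import check
+from checkov.terraform.runner import Runner
+
+
+class TestNSGRuleAllAccessRestricted(unittest.TestCase):
+def test(self):
+# given
+test_files_dir = Path(__file__).parent / "example_NSGRuleAllAccessRestricted"
+
+# when
+report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+# then
+summary = report.get_summary()
+
+passing_resources = {
+"azurerm_network_security_rule.pass_https",
+"azurerm_network_security_rule.star_restricted_prefixes",
+"azurerm_network_security_group.star_restricted",
+}
+failing_resources = {
+"azurerm_network_security_rule.all",
+"azurerm_network_security_rule.ranges_prefixes",
+"azurerm_network_security_rule.star",
+"azurerm_network_security_group.ranges",
+"azurerm_network_security_group.star_unrestricted",
+}
+
+passed_check_resources = {c.resource for c in report.passed_checks}
+failed_check_resources = {c.resource for c in report.failed_checks}
+
+self.assertEqual(summary["passed"], 3)
+self.assertEqual(summary["failed"], 5)
+self.assertEqual(summary["skipped"], 0)
+self.assertEqual(summary["parsing_errors"], 0)
+
+self.assertEqual(passing_resources, passed_check_resources)
+self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+unittest.main()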
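Review bot: The hard-coded `summary["passed"], 3` and `summary["failed"], 5` duplicate the set-equality assertions that follow them and will drift as soon as a fixture is added; `self.assertEqual(summary["passed"], len(passing_resources))` and `self.assertEqual(summary["failed"], len(failing_resources))` keep the two in step while still catching a resource that is reported twice. The expected sets only exercise inbound Allow rules, so a regression that flagged every `"*"` rule regardless of `access` or `direction` would still pass; if the inherited check is meant to ignore Deny and Outbound rules (not visible here), add one of each to the fixture directory and to `passing_resources`. A one-line docstring on `test` naming the check id under test, `"""CKV_AZURE_246: NSG rules opening all ports ("*") to the internet are reported."""`, would also make the intent readable without opening the fixture.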
