diff --git a/checkov/terraform/checks/resource/azure/NSGRuleAllAccessRestricted.py b/checkov/terraform/checks/resource/azure/NSGRuleAllAccessRestricted.py
new file mode 100644
index 00000000000..703b06674a8
--- /dev/null
+++ b/checkov/terraform/checks/resource/azure/NSGRuleAllAccessRestricted.py
@@ -0,0 +1,13 @@
+from checkov.terraform.checks.resource.azure.NSGRulePortAccessRestricted import NSGRulePortAccessRestricted
+
+
+class NSGRuleSSHAccessRestricted(NSGRulePortAccessRestricted):
+    def __init__(self) -> None:
+        super().__init__(
+            name="Ensure that * port access is restricted from the internet",
+            check_id="CKV_AZURE_246",
+            port="*",
+        )
+
+
+check = NSGRuleSSHAccessRestricted()
diff --git a/tests/terraform/checks/resource/azure/example_NSGRuleAllAccessRestricted/main.tf b/tests/terraform/checks/resource/azure/example_NSGRuleAllAccessRestricted/main.tf
new file mode 100644
index 00000000000..4eb82a9e8db
--- /dev/null
+++ b/tests/terraform/checks/resource/azure/example_NSGRuleAllAccessRestricted/main.tf
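Review bot: The class introduced on the fourth hunk line is named `NSGRuleSSHAccessRestricted`, while the file name, the check id CKV_AZURE_246 and `port="*"` all describe the wildcard-port check; the name looks carried over from the SSH check and will mislead anyone searching for the SSH rule or reading a traceback. Rename it in both places it appears: `class NSGRuleAllAccessRestricted(NSGRulePortAccessRestricted):` and `check = NSGRuleAllAccessRestricted()`. The check name string `"Ensure that * port access is restricted from the internet"` is what reports and the policy index will show, and a bare `*` reads as a typo there; something like `name="Ensure that access to all ports (destination port range '*') is restricted from the internet"` says the same thing clearly. A one-line class docstring noting that the class only binds the wildcard port onto NSGRulePortAccessRestricted would spare readers a trip to the parent.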
@@ -0,0 +1,132 @@
+
+resource "azurerm_network_security_rule" "pass_https" {
+  name = "example"
+  access = "Allow"
+  direction = "Inbound"
+  network_security_group_name = "azurerm_network_security_group.example.name"
+  priority = 100
+  protocol = "Tcp"
+  resource_group_name = "azurerm_resource_group.example.name"
+
+  destination_port_range = 443
+  source_address_prefix = "Internet"
+}
+
+resource "azurerm_network_security_rule" "star_restricted_prefixes" {
+  name = "example"
+  access = "Allow"
+  direction = "Inbound"
+  network_security_group_name = "azurerm_network_security_group.example.name"
+  priority = 100
+  protocol = "Tcp"
+  resource_group_name = "azurerm_resource_group.example.name"
+
+  destination_port_range = "*"
+  source_address_prefixes = [
+    "123.123.123.123/32",
+    "10.0.0.0/16"
+  ]
+}
+
+resource "azurerm_network_security_group" "star_restricted" {
+  name = "example"
+  location = "azurerm_resource_group.example.location"
+  resource_group_name = "azurerm_resource_group.example.name"
+
+  security_rule {
+    name = "example"
+    access = "Allow"
+    direction = "Inbound"
+    priority = 100
+    protocol = "Tcp"
+
+    destination_port_range = "*"
+    source_address_prefix = "10.0.0.0/16"
+  }
+}
+
+# fail
+
+resource "azurerm_network_security_rule" "star" {
+  name = "example"
+  access = "Allow"
+  direction = "Inbound"
+  network_security_group_name = "azurerm_network_security_group.example.name"
+  priority = 100
+  protocol = "Tcp"
+  resource_group_name = "azurerm_resource_group.example.name"
+
+  destination_port_range = "*"
+  source_address_prefix = "*"
+  destination_port_ranges = null
+  source_address_prefixes = null
+}
+
+resource "azurerm_network_security_rule" "all" {
+  name = "example"
+  access = "Allow"
+  direction = "Inbound"
+  network_security_group_name = "azurerm_network_security_group.example.name"
+  priority = 100
+  protocol = "Tcp"
+  resource_group_name = "azurerm_resource_group.example.name"
+
+  destination_port_range = "*"
+  source_address_prefix = "Internet"
+}
+
+resource "azurerm_network_security_rule" "ranges_prefixes" {
+  name = "example"
+  access = "Allow"
+  direction = "Inbound"
+  network_security_group_name = "azurerm_network_security_group.example.name"
+  priority = 100
+  protocol = "Tcp"
+  resource_group_name = "azurerm_resource_group.example.name"
+
+  destination_port_range = null
+  source_address_prefix = null
+  destination_port_ranges = [
+    22,
+    "*"
+  ]
+  source_address_prefixes = [
+    "Internet",
+    "10.0.0.0/16"
+  ]
+}
+
+resource "azurerm_network_security_group" "ranges" {
+  name = "example"
+  location = "azurerm_resource_group.example.location"
+  resource_group_name = "azurerm_resource_group.example.name"
+
+  security_rule {
+    name = "example"
+    access = "Allow"
+    direction = "Inbound"
+    priority = 100
+    protocol = "Tcp"
+
+    destination_port_ranges = [
+      "*",
+      "8000-9000"
+    ]
+    source_address_prefix = "*"
+  }
+}
+
+resource "azurerm_network_security_group" "star_unrestricted" {
+  name = "example"
+  location = "azurerm_resource_group.example.location"
+  resource_group_name = "azurerm_resource_group.example.name"
+
+  security_rule {
+    name = "example"
+    access = "Allow"
+    direction = "Inbound"
+    protocol = "Tcp"
+    source_address_prefix = "Internet"
+    destination_port_range = "*"
+  }
+}
\ No newline at end of file
diff --git a/tests/terraform/checks/resource/azure/test_NSGRuleAllAccessRestricted.py b/tests/terraform/checks/resource/azure/test_NSGRuleAllAccessRestricted.py
new file mode 100644
index 00000000000..e0175cc1ca0
--- /dev/null
+++ b/tests/terraform/checks/resource/azure/test_NSGRuleAllAccessRestricted.py
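Review bot: Every rule in this fixture uses `access = "Allow"`, so the suite never shows that a `Deny` rule with `destination_port_range = "*"` and `source_address_prefix = "*"` is left alone; if the inherited NSGRulePortAccessRestricted check takes the access value into account (not visible in this diff), a Deny variant belongs in the passing group so a false positive on explicit deny rules would be caught. The passing resources at the top of the file have no section header mirroring the `# fail` marker before `star`; add `# pass` above `pass_https` so the split is obvious to the next person editing the fixture. The `security_rule` block in `star_unrestricted` omits `priority`, which the other blocks set and which the azurerm provider appears to require; the parser does not care, but a fixture that would not plan is harder to reuse. The unittest that consumes this file is in the next hunk.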
@@ -0,0 +1,46 @@
+import unittest
+from pathlib import Path
+
+from checkov.runner_filter import RunnerFilter
+from checkov.terraform.checks.resource.azure.NSGRuleAllAccessRestricted import check
+from checkov.terraform.runner import Runner
+
+
+class TestNSGRuleAllAccessRestricted(unittest.TestCase):
+    def test(self):
+        # given
+        test_files_dir = Path(__file__).parent / "example_NSGRuleAllAccessRestricted"
+
+        # when
+        report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+        # then
+        summary = report.get_summary()
+
+        passing_resources = {
+            "azurerm_network_security_rule.pass_https",
+            "azurerm_network_security_rule.star_restricted_prefixes",
+            "azurerm_network_security_group.star_restricted",
+        }
+        failing_resources = {
+            "azurerm_network_security_rule.all",
+            "azurerm_network_security_rule.ranges_prefixes",
+            "azurerm_network_security_rule.star",
+            "azurerm_network_security_group.ranges",
+            "azurerm_network_security_group.star_unrestricted",
+        }
+
+        passed_check_resources = {c.resource for c in report.passed_checks}
+        failed_check_resources = {c.resource for c in report.failed_checks}
+
+        self.assertEqual(summary["passed"], 3)
+        self.assertEqual(summary["failed"], 5)
+        self.assertEqual(summary["skipped"], 0)
+        self.assertEqual(summary["parsing_errors"], 0)
+
+        self.assertEqual(passing_resources, passed_check_resources)
+        self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+    unittest.main()