diff --git a/.github/workflows/checkov.yml b/.github/workflows/checkov.yml
index 44477b6..c3f6c4a 100644
--- a/.github/workflows/checkov.yml
+++ b/.github/workflows/checkov.yml
@@ -21,7 +21,7 @@ jobs:
 id: checkov
 uses: bridgecrewio/checkov-action@master
 with:
- directory: .
+ directory: example
 #file: example/tfplan.json # optional: provide the path for resource to be scanned. This will override the directory if both are provided.
 #check: CKV_AWS_1 # optional: run only a specific check_id. can be comma separated list
 #skip_check: CKV_AWS_2 # optional: skip a specific check_id. can be comma separated list
diff --git a/.tfsec/custom_tfchecks.yaml b/.tfsec/custom_tfchecks.yaml
index 16d976d..97e450a 100644
--- a/.tfsec/custom_tfchecks.yaml
+++ b/.tfsec/custom_tfchecks.yaml
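Review bot: Narrowing `directory` from `.` to `example` drops everything outside `example/` from the Checkov run, including this workflow directory (Checkov also scans GitHub Actions workflows) and any IaC later added at the repository root, so scan coverage shrinks without anything in the workflow saying so. If the goal is to stop scanning one particular path rather than to restrict the scan to the demo module, `skip_path` on the same action is the narrower change; otherwise a comment recording the intent, such as `# only the demo module is scanned; workflows and other root-level IaC are out of scope`, would prevent the narrowing from being read as an oversight. The surrounding context line still points `uses:` at `bridgecrewio/checkov-action@master`, so pinning to a release tag or commit SHA would make the scanner version reproducible and reviewable. The job that holds this step begins outside the hunk.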
@@ -1,55 +1,66 @@
----
 checks:
-- code: rg-naming-pattern
- description: Custom check to check resource group naming
- impact: resource groups should be named consistently
- resolution: use the pattern rg-app-env-region
- requiredTypes:
- - resource
- requiredLabels:
- - azurerm_resource_group
- severity: HIGH
- matchSpec:
- name: name
- action: regexMatches
- value: "^rg-[a-zA-Z]+-[a-zA-Z]+-[a-zA-Z]+"
- errorMessage: improperly named resource group
- relatedLinks:
- - https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming
-- code: tags-resources
- description: Custom check to ensure the CostCenter tag is applied to Azure Resources
- impact: By not having CostCenter we can't keep track of billing
- resolution: Add the CostCenter tag
- requiredTypes:
- - resource
- requiredLabels:
- - azurerm_subscription
- - azurerm_resource_group
- - azurerm_linux_web_app
- - azurerm_windows_web_app
- - azurerm_storage_account
- - azurerm_service_plan
- - azurerm_app_service
- severity: HIGH
- matchSpec:
- name: tags
- action: contains
- value: CostCenter
- errorMessage: The required CostCenter tag was missing
- relatedLinks:
- - https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-tagging
-- code: app-service-deprecated
- description: Custom check to warn on deprecated app service
- impact: using deprecated app service resource instead of azurerm_linux_web_app or azurerm_windows_web_app
- resolution: Use azurerm_linux_web_app or azurerm_windows_web_app
- requiredTypes:
- - resource
- requiredLabels:
- - azurerm_app_service
- severity: HIGH
- matchSpec:
- name: azurerm_app_service
- action: isPresent
- errorMessage: Using a deprecated resource - azurerm_app_service
- relatedLinks:
- - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service
+ - {
+ code: rg-naming-pattern,
+ description: "Custom check to check resource group naming",
+ impact: "resource groups should be named consistently",
+ resolution: "use the pattern rg-app-env-region",
+ requiredTypes: [resource],
+ requiredLabels: [azurerm_resource_group],
+ severity: HIGH,
+ matchSpec:
+ {
+ action: not,
+ predicateMatchSpec:
+ [
+ {
+ name: name,
+ action: regexMatches,
+ value: "^rg-[a-zA-Z]+-[a-zA-Z]+-[a-zA-Z]+",
+ },
+ ],
+ },
+ errorMessage: "improperly named resource group",
+ relatedLinks:
+ [
+ "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming",
+ ],
+ }
+ - {
+ code: tags-resources,
+ description: "Custom check to ensure the CostCenter tag is applied to Azure Resources",
+ impact: "By not having CostCenter we can't keep track of billing",
+ resolution: "Add the CostCenter tag",
+ requiredTypes: [resource],
+ requiredLabels:
+ [
+ azurerm_subscription,
+ azurerm_resource_group,
+ azurerm_linux_web_app,
+ azurerm_windows_web_app,
+ azurerm_storage_account,
+ azurerm_service_plan,
+ azurerm_app_service,
+ ],
+ severity: HIGH,
+ matchSpec: { name: tags, action: contains, value: CostCenter },
+ errorMessage: "The required CostCenter tag was missing",
+ relatedLinks:
+ [
+ "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-tagging",
+ ],
+ }
+ - {
+ code: app-service-deprecated,
+ description: "Custom check to warn on deprecated app service",
+ impact: "using deprecated app service resource instead of azurerm_linux_web_app or azurerm_windows_web_app",
+ resolution: "Use azurerm_linux_web_app or azurerm_windows_web_app",
+ requiredTypes: [resource],
+ requiredLabels: [azurerm_app_service],
+ severity: HIGH,
+ matchSpec: { name: azurerm_app_service, action: isPresent },
+ errorMessage: "Using a deprecated resource - azurerm_app_service",
+ relatedLinks:
+ [
+ "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service",
+ ],
+ }
diff --git a/example/modules/vnet/main.tf b/example/modules/vnet/main.tf
index 12f7b63..7a22481 100644
--- a/example/modules/vnet/main.tf
+++ b/example/modules/vnet/main.tf
@@ -2,6 +2,12 @@ data "azurerm_resource_group" "rg" {
 name = var.rg_name
 }
 
+resource "azurerm_network_security_group" "nsg" {
+ name = "${var.prefix}-nsg"
+ location = azurerm_resource_group.rg.name
+ resource_group_name = azurerm_resource_group.rg.location
+}
+
 resource "azurerm_virtual_network" "vnet" {
 name = "${var.prefix}-network"
 resource_group_name = azurerm_resource_group.rg.name
@@ -14,4 +20,9 @@ resource "azurerm_subnet" "snet" {
 virtual_network_name = azurerm_virtual_network.rg.name
 resource_group_name = azurerm_resource_group.rg.name
 address_prefixes = ["10.0.1.0/24"]
+}
+
+resource "azurerm_subnet_network_security_group_association" "example" {
+ subnet_id = azurerm_subnet.snet.id
+ network_security_group_id = azurerm_network_security_group.nsg.id
 }
\ No newline at end of file
diff --git a/example/prod/main.tf b/example/prod/main.tf
index e8f82fd..9eed721 100644
--- a/example/prod/main.tf
+++ b/example/prod/main.tf
@@ -19,6 +19,6 @@ resource "azurerm_resource_group" "rg" {
 name = "rg-terraformdemo-${var.environment}-${var.location}"
 location = var.location
 tags = {
- "CostCenter" = "it"
+ "CostCenter" = "ops"
 }
 }
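Review bot: In the new `azurerm_network_security_group.nsg` block the two placement attributes are crossed: `location` is fed the resource group's name and `resource_group_name` its location, so the NSG cannot be placed where the rest of the module lives. It should read `location = azurerm_resource_group.rg.location` and `resource_group_name = azurerm_resource_group.rg.name`. The hunk header shows `rg` declared as `data "azurerm_resource_group"`, so unless a managed `azurerm_resource_group.rg` exists elsewhere in the module these references (like the pre-existing ones in the `vnet` block) need the `data.` prefix. The block also declares no `security_rule`, which means the association in the second hunk applies only Azure's default rules to the subnet; if that baseline is the intent, a one-line comment such as `# intentionally no custom rules: default Azure NSG rules only` would keep the next reader from assuming rules were forgotten.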
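Review bot: The new association is labelled `example`, while every other resource in this module carries a short role name (`nsg`, `vnet`, `snet`); `resource "azurerm_subnet_network_security_group_association" "snet_nsg" {` would keep the convention and make state and plan output self-explanatory. The unchanged context line above it sets `virtual_network_name = azurerm_virtual_network.rg.name`, yet the virtual network in the first hunk is labelled `vnet`, so that reference looks like it would not resolve; worth confirming with `terraform validate` in the same change since the NSG attachment depends on this subnet existing. The file also still ends without a trailing newline.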