updated terraform

.github/workflows/checkov.yml

@@ -21,7 +21,7 @@ jobs:
         id: checkov
         uses: bridgecrewio/checkov-action@master
         with:
-          directory: .
+          directory: example
           #file: example/tfplan.json # optional: provide the path for resource to be scanned. This will override the directory if both are provided.
           #check: CKV_AWS_1 # optional: run only a specific check_id. can be comma separated list
           #skip_check: CKV_AWS_2 # optional: skip a specific check_id. can be comma separated list

.tfsec/custom_tfchecks.yaml

@@ -1,55 +1,66 @@
----
 checks:
-- code: rg-naming-pattern
-  description: Custom check to check resource group naming
-  impact: resource groups should be named consistently
-  resolution: use the pattern rg-app-env-region
-  requiredTypes:
-  - resource
-  requiredLabels:
-  - azurerm_resource_group
-  severity: HIGH
-  matchSpec:
-    name: name
-    action: regexMatches
-    value: "^rg-[a-zA-Z]+-[a-zA-Z]+-[a-zA-Z]+"
-  errorMessage: improperly named resource group
-  relatedLinks:
-  - https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming
-- code: tags-resources
-  description: Custom check to ensure the CostCenter tag is applied to Azure Resources
-  impact: By not having CostCenter we can't keep track of billing
-  resolution: Add the CostCenter tag
-  requiredTypes:
-  - resource
-  requiredLabels:
-  - azurerm_subscription
-  - azurerm_resource_group
-  - azurerm_linux_web_app
-  - azurerm_windows_web_app
-  - azurerm_storage_account
-  - azurerm_service_plan
-  - azurerm_app_service
-  severity: HIGH
-  matchSpec:
-    name: tags
-    action: contains
-    value: CostCenter
-  errorMessage: The required CostCenter tag was missing
-  relatedLinks:
-  - https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-tagging
-- code: app-service-deprecated
-  description: Custom check to warn on deprecated app service
-  impact: using deprecated app service resource instead of azurerm_linux_web_app or azurerm_windows_web_app
-  resolution: Use azurerm_linux_web_app or azurerm_windows_web_app
-  requiredTypes:
-  - resource
-  requiredLabels:
-  - azurerm_app_service
-  severity: HIGH
-  matchSpec:
-    name: azurerm_app_service
-    action: isPresent
-  errorMessage: Using a deprecated resource - azurerm_app_service
-  relatedLinks:
-  - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service
+  - {
+      code: rg-naming-pattern,
+      description: "Custom check to check resource group naming",
+      impact: "resource groups should be named consistently",
+      resolution: "use the pattern rg-app-env-region",
+      requiredTypes: [resource],
+      requiredLabels: [azurerm_resource_group],
+      severity: HIGH,
+      matchSpec:
+        {
+          action: not,
+          predicateMatchSpec:
+            [
+              {
+                name: name,
+                action: regexMatches,
+                value: "^rg-[a-zA-Z]+-[a-zA-Z]+-[a-zA-Z]+",
+              },
+            ],
+        },
+      errorMessage: "improperly named resource group",
+      relatedLinks:
+        [
+          "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming",
+        ],
+    }
+  - {
+      code: tags-resources,
+      description: "Custom check to ensure the CostCenter tag is applied to Azure Resources",
+      impact: "By not having CostCenter we can't keep track of billing",
+      resolution: "Add the CostCenter tag",
+      requiredTypes: [resource],
+      requiredLabels:
+        [
+          azurerm_subscription,
+          azurerm_resource_group,
+          azurerm_linux_web_app,
+          azurerm_windows_web_app,
+          azurerm_storage_account,
+          azurerm_service_plan,
+          azurerm_app_service,
+        ],
+      severity: HIGH,
+      matchSpec: { name: tags, action: contains, value: CostCenter },
+      errorMessage: "The required CostCenter tag was missing",
+      relatedLinks:
+        [
+          "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-tagging",
+        ],
+    }
+  - {
+      code: app-service-deprecated,
+      description: "Custom check to warn on deprecated app service",
+      impact: "using deprecated app service resource instead of azurerm_linux_web_app or azurerm_windows_web_app",
+      resolution: "Use azurerm_linux_web_app or azurerm_windows_web_app",
+      requiredTypes: [resource],
+      requiredLabels: [azurerm_app_service],
+      severity: HIGH,
+      matchSpec: { name: azurerm_app_service, action: isPresent },
+      errorMessage: "Using a deprecated resource - azurerm_app_service",
+      relatedLinks:
+        [
+          "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service",
+        ],
+    }

example/modules/vnet/main.tf

@@ -2,6 +2,12 @@ data "azurerm_resource_group" "rg" {
   name = var.rg_name
 }
 
+resource "azurerm_network_security_group" "nsg" {
+  name                = "${var.prefix}-nsg"
+  location            = azurerm_resource_group.rg.name
+  resource_group_name = azurerm_resource_group.rg.location
+}
+
 resource "azurerm_virtual_network" "vnet" {
   name                = "${var.prefix}-network"
   resource_group_name = azurerm_resource_group.rg.name
@@ -14,4 +20,9 @@ resource "azurerm_subnet" "snet" {
   virtual_network_name = azurerm_virtual_network.rg.name
   resource_group_name  = azurerm_resource_group.rg.name
   address_prefixes     = ["10.0.1.0/24"]
+}
+
+resource "azurerm_subnet_network_security_group_association" "example" {
+  subnet_id                 = azurerm_subnet.snet.id
+  network_security_group_id = azurerm_network_security_group.nsg.id
 }

example/prod/main.tf

@@ -19,6 +19,6 @@ resource "azurerm_resource_group" "rg" {
   name     = "rg-terraformdemo-${var.environment}-${var.location}"
   location = var.location
   tags = {
-    "CostCenter" = "it"
+    "CostCenter" = "ops"
   }
 }