feat(misconf): Update Azure Container Schema (#9673)
@@ -33,6 +33,8 @@ func adaptCluster(resource *terraform.Block) container.KubernetesCluster {
|
||||
},
|
||||
EnablePrivateCluster: iacTypes.BoolDefault(false, resource.GetMetadata()),
|
||||
APIServerAuthorizedIPRanges: nil,
|
||||
AzurePolicyEnabled: iacTypes.BoolDefault(false, resource.GetMetadata()),
|
||||
DiskEncryptionSetID: iacTypes.StringDefault("", resource.GetMetadata()),
|
||||
RoleBasedAccessControl: container.RoleBasedAccessControl{
|
||||
Metadata: resource.GetMetadata(),
|
||||
Enabled: iacTypes.BoolDefault(false, resource.GetMetadata()),
|
||||
@@ -43,6 +45,10 @@ func adaptCluster(resource *terraform.Block) container.KubernetesCluster {
|
||||
Metadata: resource.GetMetadata(),
|
||||
Enabled: iacTypes.BoolDefault(false, resource.GetMetadata()),
|
||||
},
|
||||
AzurePolicy: container.AzurePolicy{
|
||||
Metadata: resource.GetMetadata(),
|
||||
Enabled: iacTypes.BoolDefault(false, resource.GetMetadata()),
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
@@ -70,6 +76,12 @@ func adaptCluster(resource *terraform.Block) container.KubernetesCluster {
|
||||
enabledAttr := omsAgentBlock.GetAttribute("enabled")
|
||||
cluster.AddonProfile.OMSAgent.Enabled = enabledAttr.AsBoolValueOrDefault(false, omsAgentBlock)
|
||||
}
|
||||
azurePolicyBlock := addonProfileBlock.GetBlock("azure_policy")
|
||||
if azurePolicyBlock.IsNotNil() {
|
||||
cluster.AddonProfile.AzurePolicy.Metadata = azurePolicyBlock.GetMetadata()
|
||||
enabledAttr := azurePolicyBlock.GetAttribute("enabled")
|
||||
cluster.AddonProfile.AzurePolicy.Enabled = enabledAttr.AsBoolValueOrDefault(false, azurePolicyBlock)
|
||||
}
|
||||
}
|
||||
|
||||
// >= azurerm 2.97.0
|
||||
@@ -101,5 +113,16 @@ func adaptCluster(resource *terraform.Block) container.KubernetesCluster {
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
// azurerm >= 3.0.0 - new syntax for azure policy
|
||||
if azurePolicyEnabledAttr := resource.GetAttribute("azure_policy_enabled"); azurePolicyEnabledAttr.IsNotNil() {
|
||||
cluster.AzurePolicyEnabled = azurePolicyEnabledAttr.AsBoolValueOrDefault(false, resource)
|
||||
}
|
||||
|
||||
// disk encryption set ID
|
||||
if diskEncryptionSetIDAttr := resource.GetAttribute("disk_encryption_set_id"); diskEncryptionSetIDAttr.IsNotNil() {
|
||||
cluster.DiskEncryptionSetID = diskEncryptionSetIDAttr.AsStringValueOrDefault("", resource)
|
||||
}
|
||||
|
||||
return cluster
|
||||
}
|
||||
|
||||
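Review bot: The legacy `addon_profile { azure_policy { enabled = true } }` path populates only `cluster.AddonProfile.AzurePolicy.Enabled`, while the new `azure_policy_enabled` attribute populates only `cluster.AzurePolicyEnabled`, so the same setting lands in different fields depending on provider version and a rule that reads `AzurePolicyEnabled` alone would report a legacy-syntax cluster as having Azure Policy disabled (the new test "azure policy with legacy syntax" pins exactly that outcome). The `oms_agent` handling appears to fold both syntaxes into the single `AddonProfile.OMSAgent.Enabled` field, so the consistent fix is to mirror the legacy value in the `azurePolicyBlock.IsNotNil()` branch, `cluster.AzurePolicyEnabled = cluster.AddonProfile.AzurePolicy.Enabled`, and let the later `azure_policy_enabled` branch override it when present. If keeping them separate is intentional, a comment on the `// azurerm >= 3.0.0` branch stating that checks must consult both fields would at least stop a one-sided rule from being written. `adaptCluster` begins outside the hunk, so I could not confirm whether anything earlier already reconciles the two.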
@@ -57,12 +57,18 @@ func Test_adaptCluster(t *testing.T) {
|
||||
APIServerAuthorizedIPRanges: []iacTypes.StringValue{
|
||||
iacTypes.String("1.2.3.4/32", iacTypes.NewTestMetadata()),
|
||||
},
|
||||
AzurePolicyEnabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
|
||||
DiskEncryptionSetID: iacTypes.String("", iacTypes.NewTestMetadata()),
|
||||
AddonProfile: container.AddonProfile{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
OMSAgent: container.OMSAgent{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
Enabled: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
|
||||
},
|
||||
AzurePolicy: container.AzurePolicy{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
|
||||
},
|
||||
},
|
||||
RoleBasedAccessControl: container.RoleBasedAccessControl{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
@@ -84,12 +90,18 @@ func Test_adaptCluster(t *testing.T) {
|
||||
NetworkPolicy: iacTypes.String("", iacTypes.NewTestMetadata()),
|
||||
},
|
||||
EnablePrivateCluster: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
|
||||
AzurePolicyEnabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
|
||||
DiskEncryptionSetID: iacTypes.String("", iacTypes.NewTestMetadata()),
|
||||
AddonProfile: container.AddonProfile{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
OMSAgent: container.OMSAgent{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
|
||||
},
|
||||
AzurePolicy: container.AzurePolicy{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
|
||||
},
|
||||
},
|
||||
RoleBasedAccessControl: container.RoleBasedAccessControl{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
@@ -110,12 +122,18 @@ func Test_adaptCluster(t *testing.T) {
|
||||
NetworkPolicy: iacTypes.String("", iacTypes.NewTestMetadata()),
|
||||
},
|
||||
EnablePrivateCluster: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
|
||||
AzurePolicyEnabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
|
||||
DiskEncryptionSetID: iacTypes.String("", iacTypes.NewTestMetadata()),
|
||||
AddonProfile: container.AddonProfile{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
OMSAgent: container.OMSAgent{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
|
||||
},
|
||||
AzurePolicy: container.AzurePolicy{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
|
||||
},
|
||||
},
|
||||
RoleBasedAccessControl: container.RoleBasedAccessControl{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
@@ -141,12 +159,18 @@ resource "azurerm_kubernetes_cluster" "misreporting_example" {
|
||||
NetworkPolicy: iacTypes.String("", iacTypes.NewTestMetadata()),
|
||||
},
|
||||
EnablePrivateCluster: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
|
||||
AzurePolicyEnabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
|
||||
DiskEncryptionSetID: iacTypes.String("", iacTypes.NewTestMetadata()),
|
||||
AddonProfile: container.AddonProfile{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
OMSAgent: container.OMSAgent{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
|
||||
},
|
||||
AzurePolicy: container.AzurePolicy{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
|
||||
},
|
||||
},
|
||||
RoleBasedAccessControl: container.RoleBasedAccessControl{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
@@ -154,6 +178,109 @@ resource "azurerm_kubernetes_cluster" "misreporting_example" {
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "azure policy with new syntax",
|
||||
terraform: `
|
||||
resource "azurerm_kubernetes_cluster" "example" {
|
||||
azure_policy_enabled = true
|
||||
}
|
||||
`,
|
||||
expected: container.KubernetesCluster{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
NetworkProfile: container.NetworkProfile{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
NetworkPolicy: iacTypes.String("", iacTypes.NewTestMetadata()),
|
||||
},
|
||||
EnablePrivateCluster: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
|
||||
AzurePolicyEnabled: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
|
||||
DiskEncryptionSetID: iacTypes.String("", iacTypes.NewTestMetadata()),
|
||||
AddonProfile: container.AddonProfile{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
OMSAgent: container.OMSAgent{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
|
||||
},
|
||||
AzurePolicy: container.AzurePolicy{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
|
||||
},
|
||||
},
|
||||
RoleBasedAccessControl: container.RoleBasedAccessControl{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "azure policy with legacy syntax",
|
||||
terraform: `
|
||||
resource "azurerm_kubernetes_cluster" "example" {
|
||||
addon_profile {
|
||||
azure_policy {
|
||||
enabled = true
|
||||
}
|
||||
}
|
||||
}
|
||||
`,
|
||||
expected: container.KubernetesCluster{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
NetworkProfile: container.NetworkProfile{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
NetworkPolicy: iacTypes.String("", iacTypes.NewTestMetadata()),
|
||||
},
|
||||
EnablePrivateCluster: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
|
||||
AzurePolicyEnabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
|
||||
DiskEncryptionSetID: iacTypes.String("", iacTypes.NewTestMetadata()),
|
||||
AddonProfile: container.AddonProfile{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
OMSAgent: container.OMSAgent{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
|
||||
},
|
||||
AzurePolicy: container.AzurePolicy{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
Enabled: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
|
||||
},
|
||||
},
|
||||
RoleBasedAccessControl: container.RoleBasedAccessControl{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "disk encryption set defined",
|
||||
terraform: `
|
||||
resource "azurerm_kubernetes_cluster" "example" {
|
||||
disk_encryption_set_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Compute/diskEncryptionSets/example-des"
|
||||
}
|
||||
`,
|
||||
expected: container.KubernetesCluster{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
NetworkProfile: container.NetworkProfile{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
NetworkPolicy: iacTypes.String("", iacTypes.NewTestMetadata()),
|
||||
},
|
||||
EnablePrivateCluster: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
|
||||
AzurePolicyEnabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
|
||||
DiskEncryptionSetID: iacTypes.String("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Compute/diskEncryptionSets/example-des", iacTypes.NewTestMetadata()),
|
||||
AddonProfile: container.AddonProfile{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
OMSAgent: container.OMSAgent{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
|
||||
},
|
||||
AzurePolicy: container.AzurePolicy{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
|
||||
},
|
||||
},
|
||||
RoleBasedAccessControl: container.RoleBasedAccessControl{
|
||||
Metadata: iacTypes.NewTestMetadata(),
|
||||
Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
for _, test := range tests {
|
||||
|
||||
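Review bot: The new "disk encryption set defined" case only covers a literal ID string; in practice `disk_encryption_set_id` is usually `azurerm_disk_encryption_set.<name>.id`, and nothing in this table pins how a reference to a resource that is not in the snippet is represented in `DiskEncryptionSetID` (resolved, unresolvable, or collapsed to the `""` default). A second case with `disk_encryption_set_id = azurerm_disk_encryption_set.example.id` would make that behaviour explicit for whichever rule will consume the field, since a check that treats `""` as "no encryption set" could otherwise misfire on the common reference form. I cannot tell from the hunk how `AsStringValueOrDefault` handles such a reference, so the expected value would need to be confirmed when the case is written.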
@@ -15,6 +15,8 @@ type KubernetesCluster struct {
|
||||
APIServerAuthorizedIPRanges []iacTypes.StringValue
|
||||
AddonProfile AddonProfile
|
||||
RoleBasedAccessControl RoleBasedAccessControl
|
||||
AzurePolicyEnabled iacTypes.BoolValue
|
||||
DiskEncryptionSetID iacTypes.StringValue
|
||||
}
|
||||
|
||||
type RoleBasedAccessControl struct {
|
||||
@@ -23,8 +25,9 @@ type RoleBasedAccessControl struct {
|
||||
}
|
||||
|
||||
type AddonProfile struct {
|
||||
Metadata iacTypes.Metadata
|
||||
OMSAgent OMSAgent
|
||||
Metadata iacTypes.Metadata
|
||||
OMSAgent OMSAgent
|
||||
AzurePolicy AzurePolicy
|
||||
}
|
||||
|
||||
type OMSAgent struct {
|
||||
@@ -32,6 +35,11 @@ type OMSAgent struct {
|
||||
Enabled iacTypes.BoolValue
|
||||
}
|
||||
|
||||
type AzurePolicy struct {
|
||||
Metadata iacTypes.Metadata
|
||||
Enabled iacTypes.BoolValue
|
||||
}
|
||||
|
||||
type NetworkProfile struct {
|
||||
Metadata iacTypes.Metadata
|
||||
NetworkPolicy iacTypes.StringValue // "", "calico", "azure"
|
||||
|
||||
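Review bot: The two new `KubernetesCluster` fields and the new `AzurePolicy` type carry no comments, and their relationship is not obvious from the types alone: `AzurePolicyEnabled` and `AddonProfile.AzurePolicy.Enabled` both describe the Azure Policy add-on but are filled from different Terraform syntaxes, so a rule author reading this file would not know to consult both. Following the inline style already used on `NetworkPolicy`, I would add `AzurePolicyEnabled iacTypes.BoolValue // azurerm >= 3.0.0 "azure_policy_enabled"; legacy configs populate AddonProfile.AzurePolicy.Enabled instead` and `DiskEncryptionSetID iacTypes.StringValue // disk_encryption_set_id; "" when not configured`, plus a one-line comment on `type AzurePolicy struct` noting that it mirrors the legacy `addon_profile { azure_policy {} }` block.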
@@ -4735,12 +4735,29 @@
|
||||
"type": "object",
|
||||
"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.Metadata"
|
||||
},
|
||||
"azurepolicy": {
|
||||
"type": "object",
|
||||
"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.providers.azure.container.AzurePolicy"
|
||||
},
|
||||
"omsagent": {
|
||||
"type": "object",
|
||||
"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.providers.azure.container.OMSAgent"
|
||||
}
|
||||
}
|
||||
},
|
||||
"github.com.aquasecurity.trivy.pkg.iac.providers.azure.container.AzurePolicy": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"__defsec_metadata": {
|
||||
"type": "object",
|
||||
"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.Metadata"
|
||||
},
|
||||
"enabled": {
|
||||
"type": "object",
|
||||
"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.BoolValue"
|
||||
}
|
||||
}
|
||||
},
|
||||
"github.com.aquasecurity.trivy.pkg.iac.providers.azure.container.Container": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
@@ -4771,6 +4788,14 @@
|
||||
"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"
|
||||
}
|
||||
},
|
||||
"azurepolicyenabled": {
|
||||
"type": "object",
|
||||
"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.BoolValue"
|
||||
},
|
||||
"diskencryptionsetid": {
|
||||
"type": "object",
|
||||
"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"
|
||||
},
|
||||
"enableprivatecluster": {
|
||||
"type": "object",
|
||||
"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.BoolValue"
|
||||
|
||||