diff --git a/pkg/iac/adapters/terraform/azure/container/adapt.go b/pkg/iac/adapters/terraform/azure/container/adapt.go
index a4e9f16dbe..c19969c2db 100644
--- a/pkg/iac/adapters/terraform/azure/container/adapt.go
+++ b/pkg/iac/adapters/terraform/azure/container/adapt.go
@@ -33,7 +33,6 @@ func adaptCluster(resource *terraform.Block) container.KubernetesCluster {
 },
 EnablePrivateCluster: iacTypes.BoolDefault(false, resource.GetMetadata()),
 APIServerAuthorizedIPRanges: nil,
- AzurePolicyEnabled: iacTypes.BoolDefault(false, resource.GetMetadata()),
 DiskEncryptionSetID: iacTypes.StringDefault("", resource.GetMetadata()),
 AgentPools: []container.AgentPool{},
 RoleBasedAccessControl: container.RoleBasedAccessControl{
@@ -71,24 +70,35 @@ func adaptCluster(resource *terraform.Block) container.KubernetesCluster {
 addonProfileBlock := resource.GetBlock("addon_profile")
 if addonProfileBlock.IsNotNil() {
 cluster.AddonProfile.Metadata = addonProfileBlock.GetMetadata()
- omsAgentBlock := addonProfileBlock.GetBlock("oms_agent")
- if omsAgentBlock.IsNotNil() {
- cluster.AddonProfile.OMSAgent.Metadata = omsAgentBlock.GetMetadata()
- enabledAttr := omsAgentBlock.GetAttribute("enabled")
- cluster.AddonProfile.OMSAgent.Enabled = enabledAttr.AsBoolValueOrDefault(false, omsAgentBlock)
+ if block := addonProfileBlock.GetBlock("oms_agent"); block.IsNotNil() {
+ cluster.AddonProfile.OMSAgent = container.OMSAgent{
+ Metadata: block.GetMetadata(),
+ Enabled: block.GetAttribute("enabled").AsBoolValueOrDefault(false, block),
+ }
 }
- azurePolicyBlock := addonProfileBlock.GetBlock("azure_policy")
- if azurePolicyBlock.IsNotNil() {
- cluster.AddonProfile.AzurePolicy.Metadata = azurePolicyBlock.GetMetadata()
- enabledAttr := azurePolicyBlock.GetAttribute("enabled")
- cluster.AddonProfile.AzurePolicy.Enabled = enabledAttr.AsBoolValueOrDefault(false, azurePolicyBlock)
+
+ if block := addonProfileBlock.GetBlock("azure_policy"); block.IsNotNil() {
+ cluster.AddonProfile.AzurePolicy = container.AzurePolicy{
+ Metadata: block.GetMetadata(),
+ Enabled: block.GetAttribute("enabled").AsBoolValueOrDefault(false, block),
+ }
 }
 }
 
 // >= azurerm 2.97.0
- if omsAgentBlock := resource.GetBlock("oms_agent"); omsAgentBlock.IsNotNil() {
- cluster.AddonProfile.OMSAgent.Metadata = omsAgentBlock.GetMetadata()
- cluster.AddonProfile.OMSAgent.Enabled = iacTypes.Bool(true, omsAgentBlock.GetMetadata())
+ if block := resource.GetBlock("oms_agent"); block.IsNotNil() {
+ cluster.AddonProfile.OMSAgent = container.OMSAgent{
+ Metadata: block.GetMetadata(),
+ Enabled: iacTypes.Bool(true, block.GetMetadata()),
+ }
+ }
+
+ // azurerm >= 3.0.0 - new syntax for azure policy
+ if attr := resource.GetAttribute("azure_policy_enabled"); attr.IsNotNil() {
+ cluster.AddonProfile.AzurePolicy = container.AzurePolicy{
+ Metadata: attr.GetMetadata(),
+ Enabled: attr.AsBoolValueOrDefault(false, resource),
+ }
 }
 
 // azurerm < 2.99.0
@@ -112,12 +122,6 @@ func adaptCluster(resource *terraform.Block) container.KubernetesCluster {
 cluster.RoleBasedAccessControl.Enabled = enabledAttr.AsBoolValueOrDefault(false, block)
 }
 }
-
- }
-
- // azurerm >= 3.0.0 - new syntax for azure policy
- if azurePolicyEnabledAttr := resource.GetAttribute("azure_policy_enabled"); azurePolicyEnabledAttr.IsNotNil() {
- cluster.AzurePolicyEnabled = azurePolicyEnabledAttr.AsBoolValueOrDefault(false, resource)
 }
 
 if diskEncryptionSetIDAttr := resource.GetAttribute("disk_encryption_set_id"); diskEncryptionSetIDAttr.IsNotNil() {
diff --git a/pkg/iac/adapters/terraform/azure/container/adapt_test.go b/pkg/iac/adapters/terraform/azure/container/adapt_test.go
index 0c001f57c0..b4f68e052f 100644
--- a/pkg/iac/adapters/terraform/azure/container/adapt_test.go
+++ b/pkg/iac/adapters/terraform/azure/container/adapt_test.go
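Review bot: In the new `azure_policy_enabled` branch at the end of the hunk, `cluster.AddonProfile.AzurePolicy` is populated but `cluster.AddonProfile.Metadata` is only assigned inside the `addon_profile` branch above, so a cluster that uses only the azurerm >= 3.0.0 attribute (or only the top-level `oms_agent` block) carries a zero-value profile metadata; unless `adaptCluster` defaults it elsewhere (its start is outside the hunk), `cluster.AddonProfile.Metadata = resource.GetMetadata()` before the `addonProfileBlock` lookup would give anything that reports on the profile a usable range. The attribute form is evaluated after the block form, so when both are present it silently wins; a line such as `// the azurerm >= 3.0.0 attribute takes precedence over the deprecated addon_profile block` above that `if` would make the order intentional rather than incidental. Note also that the next hunk, together with the container.go and cloud.json hunks, removes `AzurePolicyEnabled`/`azurepolicyenabled` from the model; any Rego check still reading that field would evaluate to undefined and simply stop firing instead of erroring, so the checks that consume it presumably need to move to `addonprofile.azurepolicy.enabled` in the same change, and the commit message should call out the schema field removal.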
@@ -48,31 +48,20 @@ func Test_adaptCluster(t *testing.T) {
 }
 `,
 expected: container.KubernetesCluster{
- Metadata: iacTypes.NewTestMetadata(),
 NetworkProfile: container.NetworkProfile{
- Metadata: iacTypes.NewTestMetadata(),
- NetworkPolicy: iacTypes.String("calico", iacTypes.NewTestMetadata()),
+ NetworkPolicy: iacTypes.StringTest("calico"),
 },
- EnablePrivateCluster: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
+ EnablePrivateCluster: iacTypes.BoolTest(true),
 APIServerAuthorizedIPRanges: []iacTypes.StringValue{
- iacTypes.String("1.2.3.4/32", iacTypes.NewTestMetadata()),
+ iacTypes.StringTest("1.2.3.4/32"),
 },
- AzurePolicyEnabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
- DiskEncryptionSetID: iacTypes.String("", iacTypes.NewTestMetadata()),
 AddonProfile: container.AddonProfile{
- Metadata: iacTypes.NewTestMetadata(),
 OMSAgent: container.OMSAgent{
- Metadata: iacTypes.NewTestMetadata(),
- Enabled: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
- },
- AzurePolicy: container.AzurePolicy{
- Metadata: iacTypes.NewTestMetadata(),
- Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
+ Enabled: iacTypes.BoolTest(true),
 },
 },
 RoleBasedAccessControl: container.RoleBasedAccessControl{
- Metadata: iacTypes.NewTestMetadata(),
- Enabled: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
+ Enabled: iacTypes.BoolTest(true),
 },
 },
 },
@@ -84,28 +73,9 @@ func Test_adaptCluster(t *testing.T) {
 }
 `,
 expected: container.KubernetesCluster{
- Metadata: iacTypes.NewTestMetadata(),
- NetworkProfile: container.NetworkProfile{
- Metadata: iacTypes.NewTestMetadata(),
- NetworkPolicy: iacTypes.String("", iacTypes.NewTestMetadata()),
- },
- EnablePrivateCluster: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
- AzurePolicyEnabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
- DiskEncryptionSetID: iacTypes.String("", iacTypes.NewTestMetadata()),
- AddonProfile: container.AddonProfile{
- Metadata: iacTypes.NewTestMetadata(),
- OMSAgent: container.OMSAgent{
- Metadata: iacTypes.NewTestMetadata(),
- Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
- },
- AzurePolicy: container.AzurePolicy{
- Metadata: iacTypes.NewTestMetadata(),
- Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
- },
- },
+ AddonProfile: container.AddonProfile{},
 RoleBasedAccessControl: container.RoleBasedAccessControl{
- Metadata: iacTypes.NewTestMetadata(),
- Enabled: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
+ Enabled: iacTypes.BoolTest(true),
 },
 },
 },
@@ -115,31 +85,7 @@ func Test_adaptCluster(t *testing.T) {
 resource "azurerm_kubernetes_cluster" "example" {
 }
 `,
- expected: container.KubernetesCluster{
- Metadata: iacTypes.NewTestMetadata(),
- NetworkProfile: container.NetworkProfile{
- Metadata: iacTypes.NewTestMetadata(),
- NetworkPolicy: iacTypes.String("", iacTypes.NewTestMetadata()),
- },
- EnablePrivateCluster: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
- AzurePolicyEnabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
- DiskEncryptionSetID: iacTypes.String("", iacTypes.NewTestMetadata()),
- AddonProfile: container.AddonProfile{
- Metadata: iacTypes.NewTestMetadata(),
- OMSAgent: container.OMSAgent{
- Metadata: iacTypes.NewTestMetadata(),
- Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
- },
- AzurePolicy: container.AzurePolicy{
- Metadata: iacTypes.NewTestMetadata(),
- Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
- },
- },
- RoleBasedAccessControl: container.RoleBasedAccessControl{
- Metadata: iacTypes.NewTestMetadata(),
- Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
- },
- },
+ expected: container.KubernetesCluster{},
 },
 {
 name: "rbac off with k8s rbac on",
@@ -153,28 +99,8 @@ resource "azurerm_kubernetes_cluster" "misreporting_example" {
 }
 `,
 expected: container.KubernetesCluster{
- Metadata: iacTypes.NewTestMetadata(),
- NetworkProfile: container.NetworkProfile{
- Metadata: iacTypes.NewTestMetadata(),
- NetworkPolicy: iacTypes.String("", iacTypes.NewTestMetadata()),
- },
- EnablePrivateCluster: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
- AzurePolicyEnabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
- DiskEncryptionSetID: iacTypes.String("", iacTypes.NewTestMetadata()),
- AddonProfile: container.AddonProfile{
- Metadata: iacTypes.NewTestMetadata(),
- OMSAgent: container.OMSAgent{
- Metadata: iacTypes.NewTestMetadata(),
- Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
- },
- AzurePolicy: container.AzurePolicy{
- Metadata: iacTypes.NewTestMetadata(),
- Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
- },
- },
 RoleBasedAccessControl: container.RoleBasedAccessControl{
- Metadata: iacTypes.NewTestMetadata(),
- Enabled: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
+ Enabled: iacTypes.BoolTest(true),
 },
 },
 },
@@ -186,29 +112,11 @@ resource "azurerm_kubernetes_cluster" "misreporting_example" {
 }
 `,
 expected: container.KubernetesCluster{
- Metadata: iacTypes.NewTestMetadata(),
- NetworkProfile: container.NetworkProfile{
- Metadata: iacTypes.NewTestMetadata(),
- NetworkPolicy: iacTypes.String("", iacTypes.NewTestMetadata()),
- },
- EnablePrivateCluster: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
- AzurePolicyEnabled: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
- DiskEncryptionSetID: iacTypes.String("", iacTypes.NewTestMetadata()),
 AddonProfile: container.AddonProfile{
- Metadata: iacTypes.NewTestMetadata(),
- OMSAgent: container.OMSAgent{
- Metadata: iacTypes.NewTestMetadata(),
- Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
- },
 AzurePolicy: container.AzurePolicy{
- Metadata: iacTypes.NewTestMetadata(),
- Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
+ Enabled: iacTypes.BoolTest(true),
 },
 },
- RoleBasedAccessControl: container.RoleBasedAccessControl{
- Metadata: iacTypes.NewTestMetadata(),
- Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
- },
 },
 },
 {
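Review bot: This case's expectation moves from `AzurePolicyEnabled: true` with `AzurePolicy.Enabled: false` to `AzurePolicy.Enabled: true`, which pins the attribute-to-profile mapping, but no case in the file exercises the two syntaxes together, so the adapter's "last writer wins" ordering between `addon_profile { azure_policy { enabled = ... } }` and `azure_policy_enabled` is untested; a case with both present and conflicting values would lock that precedence in. The terraform input for this case sits above the hunk, so the inference that this is the `azure_policy_enabled = true` case comes from the removed expected values. The trimmed expectations here and in the other hunks (for example `expected: container.KubernetesCluster{}` in the empty-resource case) appear to rely on the comparison helper ignoring metadata and treating defaulted values as equal to zero values; that helper is outside the diff, so it is worth confirming it does not also mask a missing `AddonProfile` or `RoleBasedAccessControl` value.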
@@ -223,62 +131,22 @@ resource "azurerm_kubernetes_cluster" "misreporting_example" {
 }
 `,
 expected: container.KubernetesCluster{
- Metadata: iacTypes.NewTestMetadata(),
- NetworkProfile: container.NetworkProfile{
- Metadata: iacTypes.NewTestMetadata(),
- NetworkPolicy: iacTypes.String("", iacTypes.NewTestMetadata()),
- },
- EnablePrivateCluster: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
- AzurePolicyEnabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
- DiskEncryptionSetID: iacTypes.String("", iacTypes.NewTestMetadata()),
 AddonProfile: container.AddonProfile{
- Metadata: iacTypes.NewTestMetadata(),
- OMSAgent: container.OMSAgent{
- Metadata: iacTypes.NewTestMetadata(),
- Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
- },
 AzurePolicy: container.AzurePolicy{
- Metadata: iacTypes.NewTestMetadata(),
- Enabled: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
+ Enabled: iacTypes.BoolTest(true),
 },
 },
- RoleBasedAccessControl: container.RoleBasedAccessControl{
- Metadata: iacTypes.NewTestMetadata(),
- Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
- },
 },
 },
 {
 name: "disk encryption set defined",
 terraform: `
 resource "azurerm_kubernetes_cluster" "example" {
- disk_encryption_set_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Compute/diskEncryptionSets/example-des"
+ disk_encryption_set_id = "test-id"
 }
 `,
 expected: container.KubernetesCluster{
- Metadata: iacTypes.NewTestMetadata(),
- NetworkProfile: container.NetworkProfile{
- Metadata: iacTypes.NewTestMetadata(),
- NetworkPolicy: iacTypes.String("", iacTypes.NewTestMetadata()),
- },
- EnablePrivateCluster: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
- AzurePolicyEnabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
- DiskEncryptionSetID: iacTypes.String("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Compute/diskEncryptionSets/example-des", iacTypes.NewTestMetadata()),
- AddonProfile: container.AddonProfile{
- Metadata: iacTypes.NewTestMetadata(),
- OMSAgent: container.OMSAgent{
- Metadata: iacTypes.NewTestMetadata(),
- Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
- },
- AzurePolicy: container.AzurePolicy{
- Metadata: iacTypes.NewTestMetadata(),
- Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
- },
- },
- RoleBasedAccessControl: container.RoleBasedAccessControl{
- Metadata: iacTypes.NewTestMetadata(),
- Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
- },
+ DiskEncryptionSetID: iacTypes.StringTest("test-id"),
 },
 },
 {
@@ -290,41 +158,17 @@ resource "azurerm_kubernetes_cluster" "misreporting_example" {
 node_count = 1
 vm_size = "Standard_DS2_v2"
 type = "VirtualMachineScaleSets"
- disk_encryption_set_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Compute/diskEncryptionSets/node-pool-des"
+ disk_encryption_set_id = "test-id"
 }
 }
 `,
 expected: container.KubernetesCluster{
- Metadata: iacTypes.NewTestMetadata(),
- NetworkProfile: container.NetworkProfile{
- Metadata: iacTypes.NewTestMetadata(),
- NetworkPolicy: iacTypes.String("", iacTypes.NewTestMetadata()),
- },
- EnablePrivateCluster: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
- AzurePolicyEnabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
- DiskEncryptionSetID: iacTypes.String("", iacTypes.NewTestMetadata()),
 AgentPools: []container.AgentPool{
 {
- Metadata: iacTypes.NewTestMetadata(),
- DiskEncryptionSetID: iacTypes.String("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Compute/diskEncryptionSets/node-pool-des", iacTypes.NewTestMetadata()),
- NodeType: iacTypes.String("VirtualMachineScaleSets", iacTypes.NewTestMetadata()),
+ DiskEncryptionSetID: iacTypes.StringTest("test-id"),
+ NodeType: iacTypes.StringTest("VirtualMachineScaleSets"),
 },
 },
- AddonProfile: container.AddonProfile{
- Metadata: iacTypes.NewTestMetadata(),
- OMSAgent: container.OMSAgent{
- Metadata: iacTypes.NewTestMetadata(),
- Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
- },
- AzurePolicy: container.AzurePolicy{
- Metadata: iacTypes.NewTestMetadata(),
- Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
- },
- },
- RoleBasedAccessControl: container.RoleBasedAccessControl{
- Metadata: iacTypes.NewTestMetadata(),
- Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
- },
 },
 },
 }
diff --git a/pkg/iac/providers/azure/container/container.go b/pkg/iac/providers/azure/container/container.go
index b68be3d33e..21a35e29df 100755
--- a/pkg/iac/providers/azure/container/container.go
+++ b/pkg/iac/providers/azure/container/container.go
@@ -15,7 +15,6 @@ type KubernetesCluster struct {
 APIServerAuthorizedIPRanges []iacTypes.StringValue
 AddonProfile AddonProfile
 RoleBasedAccessControl RoleBasedAccessControl
- AzurePolicyEnabled iacTypes.BoolValue
 DiskEncryptionSetID iacTypes.StringValue
 AgentPools []AgentPool
 }
diff --git a/pkg/iac/rego/schemas/cloud.json b/pkg/iac/rego/schemas/cloud.json
index 45b59c11c3..ff484adcf0 100644
--- a/pkg/iac/rego/schemas/cloud.json
+++ b/pkg/iac/rego/schemas/cloud.json
@@ -4500,6 +4500,19 @@
 }
 }
 },
+ "github.com.aquasecurity.trivy.pkg.iac.providers.azure.appservice.Authentication": {
+ "type": "object",
+ "properties": {
+ "__defsec_metadata": {
+ "type": "object",
+ "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.Metadata"
+ },
+ "enabled": {
+ "type": "object",
+ "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.BoolValue"
+ }
+ }
+ },
 "github.com.aquasecurity.trivy.pkg.iac.providers.azure.appservice.FunctionApp": {
 "type": "object",
 "properties": {
@@ -4513,6 +4526,19 @@
 }
 }
 },
+ "github.com.aquasecurity.trivy.pkg.iac.providers.azure.appservice.Identity": {
+ "type": "object",
+ "properties": {
+ "__defsec_metadata": {
+ "type": "object",
+ "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.Metadata"
+ },
+ "type": {
+ "type": "object",
+ "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"
+ }
+ }
+ },
 "github.com.aquasecurity.trivy.pkg.iac.providers.azure.appservice.Service": {
 "type": "object",
 "properties": {
@@ -4522,7 +4548,7 @@
 },
 "authentication": {
 "type": "object",
- "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.providers.azure.appservice.Service.Authentication"
+ "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.providers.azure.appservice.Authentication"
 },
 "enableclientcert": {
 "type": "object",
@@ -4534,7 +4560,7 @@
 },
 "identity": {
 "type": "object",
- "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.providers.azure.appservice.Service.Identity"
+ "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.providers.azure.appservice.Identity"
 },
 "site": {
 "type": "object",
@@ -4542,27 +4568,13 @@
 }
 }
 },
- "github.com.aquasecurity.trivy.pkg.iac.providers.azure.appservice.Service.Authentication": {
- "type": "object",
- "properties": {
- "enabled": {
- "type": "object",
- "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.BoolValue"
- }
- }
- },
- "github.com.aquasecurity.trivy.pkg.iac.providers.azure.appservice.Service.Identity": {
- "type": "object",
- "properties": {
- "type": {
- "type": "object",
- "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"
- }
- }
- },
 "github.com.aquasecurity.trivy.pkg.iac.providers.azure.appservice.Site": {
 "type": "object",
 "properties": {
+ "__defsec_metadata": {
+ "type": "object",
+ "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.Metadata"
+ },
 "enablehttp2": {
 "type": "object",
 "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.BoolValue"
@@ -4867,10 +4879,6 @@
 "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"
 }
 },
- "azurepolicyenabled": {
- "type": "object",
- "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.BoolValue"
- },
 "diskencryptionsetid": {
 "type": "object",
 "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"
@@ -5333,6 +5341,31 @@
 }
 }
 },
+ "github.com.aquasecurity.trivy.pkg.iac.providers.azure.network.IPConfiguration": {
+ "type": "object",
+ "properties": {
+ "__defsec_metadata": {
+ "type": "object",
+ "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.Metadata"
+ },
+ "haspublicip": {
+ "type": "object",
+ "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.BoolValue"
+ },
+ "primary": {
+ "type": "object",
+ "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.BoolValue"
+ },
+ "publicipaddress": {
+ "type": "object",
+ "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"
+ },
+ "subnetid": {
+ "type": "object",
+ "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"
+ }
+ }
+ },
 "github.com.aquasecurity.trivy.pkg.iac.providers.azure.network.Network": {
 "type": "object",
 "properties": {
@@ -5374,6 +5407,13 @@
 "type": "object",
 "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.BoolValue"
 },
+ "ipconfigurations": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.providers.azure.network.IPConfiguration"
+ }
+ },
 "publicipaddress": {
 "type": "object",
 "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"