diff --git a/pkg/iac/adapters/terraform/azure/container/adapt.go b/pkg/iac/adapters/terraform/azure/container/adapt.go
index d3a8f6c216..a4e9f16dbe 100644
--- a/pkg/iac/adapters/terraform/azure/container/adapt.go
+++ b/pkg/iac/adapters/terraform/azure/container/adapt.go
@@ -35,6 +35,7 @@ func adaptCluster(resource *terraform.Block) container.KubernetesCluster {
 APIServerAuthorizedIPRanges: nil,
 AzurePolicyEnabled: iacTypes.BoolDefault(false, resource.GetMetadata()),
 DiskEncryptionSetID: iacTypes.StringDefault("", resource.GetMetadata()),
+ AgentPools: []container.AgentPool{},
 RoleBasedAccessControl: container.RoleBasedAccessControl{
 Metadata: resource.GetMetadata(),
 Enabled: iacTypes.BoolDefault(false, resource.GetMetadata()),
@@ -119,10 +120,29 @@ func adaptCluster(resource *terraform.Block) container.KubernetesCluster {
 cluster.AzurePolicyEnabled = azurePolicyEnabledAttr.AsBoolValueOrDefault(false, resource)
 }
- // disk encryption set ID
 if diskEncryptionSetIDAttr := resource.GetAttribute("disk_encryption_set_id"); diskEncryptionSetIDAttr.IsNotNil() {
 cluster.DiskEncryptionSetID = diskEncryptionSetIDAttr.AsStringValueOrDefault("", resource)
 }
+ cluster.AgentPools = adaptAgentPools(resource)
+
 return cluster
 }
+
+func adaptAgentPools(resource *terraform.Block) []container.AgentPool {
+ var pools []container.AgentPool
+
+ if defaultNodePoolBlock := resource.GetBlock("default_node_pool"); defaultNodePoolBlock.IsNotNil() {
+ pools = append(pools, adaptAgentPool(defaultNodePoolBlock))
+ }
+
+ return pools
+}
+
+func adaptAgentPool(block *terraform.Block) container.AgentPool {
+ return container.AgentPool{
+ Metadata: block.GetMetadata(),
+ DiskEncryptionSetID: block.GetAttribute("disk_encryption_set_id").AsStringValueOrDefault("", block),
+ NodeType: block.GetAttribute("type").AsStringValueOrDefault("VirtualMachineScaleSets", block),
+ }
+}
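Review bot: The `AgentPools: []container.AgentPool{}` initializer in the first hunk is dead code, because the second hunk of this file unconditionally assigns `cluster.AgentPools = adaptAgentPools(resource)`, and that function's `var pools []container.AgentPool` stays nil when no `default_node_pool` block exists. The two sides disagree on nil versus empty, which becomes visible once the struct is serialized as Rego input (a nil slice encodes as `null`, the literal as `[]`), and the existing test cases without a `default_node_pool` presumably expect the nil result. Either drop the initializer here, or start `adaptAgentPools` with `pools := []container.AgentPool{}` and update those expectations; the point is to choose one deliberately rather than leave both. adaptCluster begins and ends outside this hunk.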
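Review bot: `adaptAgentPools` collects only the `default_node_pool` block, so a cluster whose extra pools are declared with the separate `azurerm_kubernetes_cluster_node_pool` resource ends up with a single entry, and any check that iterates `AgentPools` (for example requiring a `disk_encryption_set_id` on every pool) can only report on the pools it never sees. If that scope is intentional for this change, record it on the function, e.g. `// adaptAgentPools returns only the cluster's default_node_pool; pools declared via azurerm_kubernetes_cluster_node_pool are not yet adapted.`, otherwise the adapter needs access to the module's other resources to resolve them. A smaller style point: `adaptAgentPool` calls `AsStringValueOrDefault` directly on the `GetAttribute` result, while adaptCluster a few lines above guards with `IsNotNil` first; that is fine if the method is nil-receiver safe (it presumably is), but one file should use one pattern. adaptCluster begins outside this hunk.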
diff --git a/pkg/iac/adapters/terraform/azure/container/adapt_test.go b/pkg/iac/adapters/terraform/azure/container/adapt_test.go
index 21a8663b59..0c001f57c0 100644
--- a/pkg/iac/adapters/terraform/azure/container/adapt_test.go
+++ b/pkg/iac/adapters/terraform/azure/container/adapt_test.go
@@ -281,6 +281,52 @@ resource "azurerm_kubernetes_cluster" "misreporting_example" {
 },
 },
 },
+ {
+ name: "with default_node_pool",
+ terraform: `
+ resource "azurerm_kubernetes_cluster" "example" {
+ default_node_pool {
+ name = "default"
+ node_count = 1
+ vm_size = "Standard_DS2_v2"
+ type = "VirtualMachineScaleSets"
+ disk_encryption_set_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Compute/diskEncryptionSets/node-pool-des"
+ }
+ }
+`,
+ expected: container.KubernetesCluster{
+ Metadata: iacTypes.NewTestMetadata(),
+ NetworkProfile: container.NetworkProfile{
+ Metadata: iacTypes.NewTestMetadata(),
+ NetworkPolicy: iacTypes.String("", iacTypes.NewTestMetadata()),
+ },
+ EnablePrivateCluster: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
+ AzurePolicyEnabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
+ DiskEncryptionSetID: iacTypes.String("", iacTypes.NewTestMetadata()),
+ AgentPools: []container.AgentPool{
+ {
+ Metadata: iacTypes.NewTestMetadata(),
+ DiskEncryptionSetID: iacTypes.String("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Compute/diskEncryptionSets/node-pool-des", iacTypes.NewTestMetadata()),
+ NodeType: iacTypes.String("VirtualMachineScaleSets", iacTypes.NewTestMetadata()),
+ },
+ },
+ AddonProfile: container.AddonProfile{
+ Metadata: iacTypes.NewTestMetadata(),
+ OMSAgent: container.OMSAgent{
+ Metadata: iacTypes.NewTestMetadata(),
+ Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
+ },
+ AzurePolicy: container.AzurePolicy{
+ Metadata: iacTypes.NewTestMetadata(),
+ Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
+ },
+ },
+ RoleBasedAccessControl: container.RoleBasedAccessControl{
+ Metadata: iacTypes.NewTestMetadata(),
+ Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
+ },
+ },
+ },
 }
 for _, test := range tests {
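Review bot: The new case sets both `type` and `disk_encryption_set_id` explicitly, so the defaults that `adaptAgentPool` applies (`""` for the encryption set, `"VirtualMachineScaleSets"` for the node type) are never exercised by any test. A second case with a bare `default_node_pool { name = "default" }` block asserting `DiskEncryptionSetID: iacTypes.String("", iacTypes.NewTestMetadata())` and `NodeType: iacTypes.String("VirtualMachineScaleSets", iacTypes.NewTestMetadata())` would pin that behaviour, and the missing-encryption-set input is the one a check will actually flag, so it is the more important one to cover. The table literal and the `for` loop continue outside this hunk.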
diff --git a/pkg/iac/providers/azure/container/container.go b/pkg/iac/providers/azure/container/container.go
index 32270a4ce6..b68be3d33e 100755
--- a/pkg/iac/providers/azure/container/container.go
+++ b/pkg/iac/providers/azure/container/container.go
@@ -17,6 +17,7 @@ type KubernetesCluster struct {
 RoleBasedAccessControl RoleBasedAccessControl
 AzurePolicyEnabled iacTypes.BoolValue
 DiskEncryptionSetID iacTypes.StringValue
+ AgentPools []AgentPool
 }
 type RoleBasedAccessControl struct {
@@ -44,3 +45,9 @@ type NetworkProfile struct {
 Metadata iacTypes.Metadata
 NetworkPolicy iacTypes.StringValue // "", "calico", "azure"
 }
+
+type AgentPool struct {
+ Metadata iacTypes.Metadata
+ DiskEncryptionSetID iacTypes.StringValue
+ NodeType iacTypes.StringValue // "VirtualMachineScaleSets" or others
+}
diff --git a/pkg/iac/rego/schemas/cloud.json b/pkg/iac/rego/schemas/cloud.json
index ec7a9e722c..7930d74fd7 100644
--- a/pkg/iac/rego/schemas/cloud.json
+++ b/pkg/iac/rego/schemas/cloud.json
@@ -4812,6 +4812,23 @@
 }
 }
 },
+ "github.com.aquasecurity.trivy.pkg.iac.providers.azure.container.AgentPool": {
+ "type": "object",
+ "properties": {
+ "__defsec_metadata": {
+ "type": "object",
+ "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.Metadata"
+ },
+ "diskencryptionsetid": {
+ "type": "object",
+ "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"
+ },
+ "nodetype": {
+ "type": "object",
+ "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"
+ }
+ }
+ },
 "github.com.aquasecurity.trivy.pkg.iac.providers.azure.container.AzurePolicy": {
 "type": "object",
 "properties": {
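Review bot: `AgentPool` is a new exported type with no doc comment, and the trailer on `NodeType`, `// "VirtualMachineScaleSets" or others`, names no alternative, so a check author cannot tell which values to compare against. Suggest `// AgentPool describes one node pool of an AKS cluster.` on the type and, following the style of the `NetworkPolicy` comment in `NetworkProfile`, an explicit enumeration on `NodeType` such as `// "VirtualMachineScaleSets" or "AvailabilitySet"` once the accepted provider values are confirmed against the azurerm documentation. The `AgentPools` field added to `KubernetesCluster` in the first hunk would benefit from the same one-line comment; and if cloud.json is generated from these types, the two schema hunks should come from a regeneration rather than a hand edit so the lower-cased property names stay in sync with the struct.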
@@ -4848,6 +4865,13 @@
 "type": "object",
 "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.providers.azure.container.AddonProfile"
 },
+ "agentpools": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.providers.azure.container.AgentPool"
+ }
+ },
 "apiserverauthorizedipranges": {
 "type": "array",
 "items": {