feat(misconf): add agentpools to azure container schema (#9714)
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> Co-authored-by: nikpivkin <nikita.pivkin@smartforce.io>
@@ -35,6 +35,7 @@ func adaptCluster(resource *terraform.Block) container.KubernetesCluster {
|
|||||||
APIServerAuthorizedIPRanges: nil,
|
APIServerAuthorizedIPRanges: nil,
|
||||||
AzurePolicyEnabled: iacTypes.BoolDefault(false, resource.GetMetadata()),
|
AzurePolicyEnabled: iacTypes.BoolDefault(false, resource.GetMetadata()),
|
||||||
DiskEncryptionSetID: iacTypes.StringDefault("", resource.GetMetadata()),
|
DiskEncryptionSetID: iacTypes.StringDefault("", resource.GetMetadata()),
|
||||||
|
AgentPools: []container.AgentPool{},
|
||||||
RoleBasedAccessControl: container.RoleBasedAccessControl{
|
RoleBasedAccessControl: container.RoleBasedAccessControl{
|
||||||
Metadata: resource.GetMetadata(),
|
Metadata: resource.GetMetadata(),
|
||||||
Enabled: iacTypes.BoolDefault(false, resource.GetMetadata()),
|
Enabled: iacTypes.BoolDefault(false, resource.GetMetadata()),
|
||||||
@@ -119,10 +120,29 @@ func adaptCluster(resource *terraform.Block) container.KubernetesCluster {
|
|||||||
cluster.AzurePolicyEnabled = azurePolicyEnabledAttr.AsBoolValueOrDefault(false, resource)
|
cluster.AzurePolicyEnabled = azurePolicyEnabledAttr.AsBoolValueOrDefault(false, resource)
|
||||||
}
|
}
|
||||||
|
|
||||||
// disk encryption set ID
|
|
||||||
if diskEncryptionSetIDAttr := resource.GetAttribute("disk_encryption_set_id"); diskEncryptionSetIDAttr.IsNotNil() {
|
if diskEncryptionSetIDAttr := resource.GetAttribute("disk_encryption_set_id"); diskEncryptionSetIDAttr.IsNotNil() {
|
||||||
cluster.DiskEncryptionSetID = diskEncryptionSetIDAttr.AsStringValueOrDefault("", resource)
|
cluster.DiskEncryptionSetID = diskEncryptionSetIDAttr.AsStringValueOrDefault("", resource)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
cluster.AgentPools = adaptAgentPools(resource)
|
||||||
|
|
||||||
return cluster
|
return cluster
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func adaptAgentPools(resource *terraform.Block) []container.AgentPool {
|
||||||
|
var pools []container.AgentPool
|
||||||
|
|
||||||
|
if defaultNodePoolBlock := resource.GetBlock("default_node_pool"); defaultNodePoolBlock.IsNotNil() {
|
||||||
|
pools = append(pools, adaptAgentPool(defaultNodePoolBlock))
|
||||||
|
}
|
||||||
|
|
||||||
|
return pools
|
||||||
|
}
|
||||||
|
|
||||||
|
func adaptAgentPool(block *terraform.Block) container.AgentPool {
|
||||||
|
return container.AgentPool{
|
||||||
|
Metadata: block.GetMetadata(),
|
||||||
|
DiskEncryptionSetID: block.GetAttribute("disk_encryption_set_id").AsStringValueOrDefault("", block),
|
||||||
|
NodeType: block.GetAttribute("type").AsStringValueOrDefault("VirtualMachineScaleSets", block),
|
||||||
|
}
|
||||||
|
}
|
||||||
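Review bot: `adaptAgentPools` returns a nil slice whenever `default_node_pool` is absent, because `var pools []container.AgentPool` is only ever appended to inside the `if`, while the initializer in the first hunk of this file sets `AgentPools: []container.AgentPool{}`; the assignment `cluster.AgentPools = adaptAgentPools(resource)` then replaces the non-nil empty slice with nil, which encodes as `null` rather than `[]` where the schema declares an array. Initialising the result as `pools := []container.AgentPool{}` keeps the two consistent. The function also collects only the default pool, so a doc comment such as `// adaptAgentPools returns the cluster's default_node_pool as the only agent pool; additional node pools are not adapted here.` would make the scope of the plural field explicit to consumers. `adaptCluster` starts outside the hunk.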
|
|||||||
@@ -281,6 +281,52 @@ resource "azurerm_kubernetes_cluster" "misreporting_example" {
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
name: "with default_node_pool",
|
||||||
|
terraform: `
|
||||||
|
resource "azurerm_kubernetes_cluster" "example" {
|
||||||
|
default_node_pool {
|
||||||
|
name = "default"
|
||||||
|
node_count = 1
|
||||||
|
vm_size = "Standard_DS2_v2"
|
||||||
|
type = "VirtualMachineScaleSets"
|
||||||
|
disk_encryption_set_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Compute/diskEncryptionSets/node-pool-des"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
`,
|
||||||
|
expected: container.KubernetesCluster{
|
||||||
|
Metadata: iacTypes.NewTestMetadata(),
|
||||||
|
NetworkProfile: container.NetworkProfile{
|
||||||
|
Metadata: iacTypes.NewTestMetadata(),
|
||||||
|
NetworkPolicy: iacTypes.String("", iacTypes.NewTestMetadata()),
|
||||||
|
},
|
||||||
|
EnablePrivateCluster: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
|
||||||
|
AzurePolicyEnabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
|
||||||
|
DiskEncryptionSetID: iacTypes.String("", iacTypes.NewTestMetadata()),
|
||||||
|
AgentPools: []container.AgentPool{
|
||||||
|
{
|
||||||
|
Metadata: iacTypes.NewTestMetadata(),
|
||||||
|
DiskEncryptionSetID: iacTypes.String("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Compute/diskEncryptionSets/node-pool-des", iacTypes.NewTestMetadata()),
|
||||||
|
NodeType: iacTypes.String("VirtualMachineScaleSets", iacTypes.NewTestMetadata()),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
AddonProfile: container.AddonProfile{
|
||||||
|
Metadata: iacTypes.NewTestMetadata(),
|
||||||
|
OMSAgent: container.OMSAgent{
|
||||||
|
Metadata: iacTypes.NewTestMetadata(),
|
||||||
|
Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
|
||||||
|
},
|
||||||
|
AzurePolicy: container.AzurePolicy{
|
||||||
|
Metadata: iacTypes.NewTestMetadata(),
|
||||||
|
Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
RoleBasedAccessControl: container.RoleBasedAccessControl{
|
||||||
|
Metadata: iacTypes.NewTestMetadata(),
|
||||||
|
Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, test := range tests {
|
for _, test := range tests {
|
||||||
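Review bot: The new case sets `type` explicitly and supplies `disk_encryption_set_id`, so the default branch of `adaptAgentPool` (`type` omitted → `"VirtualMachineScaleSets"`) and the empty-attribute branch for `disk_encryption_set_id` are not exercised. A second case with a bare `default_node_pool { name = "default" node_count = 1 vm_size = "Standard_DS2_v2" }` expecting `NodeType: iacTypes.String("VirtualMachineScaleSets", iacTypes.NewTestMetadata())` and `DiskEncryptionSetID: iacTypes.String("", iacTypes.NewTestMetadata())` would cover both. I could not confirm from this page that the azurerm `default_node_pool` block actually exposes `disk_encryption_set_id`; if it is cluster-level only, the pool-level value will never be populated from real configurations and this expectation only tests the attribute lookup. The `tests` slice and the loop that runs it start and end outside the hunk.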
|
|||||||
@@ -17,6 +17,7 @@ type KubernetesCluster struct {
|
|||||||
RoleBasedAccessControl RoleBasedAccessControl
|
RoleBasedAccessControl RoleBasedAccessControl
|
||||||
AzurePolicyEnabled iacTypes.BoolValue
|
AzurePolicyEnabled iacTypes.BoolValue
|
||||||
DiskEncryptionSetID iacTypes.StringValue
|
DiskEncryptionSetID iacTypes.StringValue
|
||||||
|
AgentPools []AgentPool
|
||||||
}
|
}
|
||||||
|
|
||||||
type RoleBasedAccessControl struct {
|
type RoleBasedAccessControl struct {
|
||||||
@@ -44,3 +45,9 @@ type NetworkProfile struct {
|
|||||||
Metadata iacTypes.Metadata
|
Metadata iacTypes.Metadata
|
||||||
NetworkPolicy iacTypes.StringValue // "", "calico", "azure"
|
NetworkPolicy iacTypes.StringValue // "", "calico", "azure"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type AgentPool struct {
|
||||||
|
Metadata iacTypes.Metadata
|
||||||
|
DiskEncryptionSetID iacTypes.StringValue
|
||||||
|
NodeType iacTypes.StringValue // "VirtualMachineScaleSets" or others
|
||||||
|
}
|
||||||
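Review bot: `AgentPool` and its three fields are added without doc comments, and `// "VirtualMachineScaleSets" or others` on `NodeType` says neither what the field holds nor where the default comes from. Suggested: `// AgentPool is a node pool of a KubernetesCluster, adapted from the Terraform default_node_pool block.` on the type and `// NodeType is the node pool's "type" attribute; the Terraform adapter defaults it to "VirtualMachineScaleSets" when unset.` on the field. The `AgentPools []AgentPool` field added in the earlier hunk of this file would likewise benefit from `// AgentPools lists the cluster's node pools; the Terraform adapter currently populates only the default node pool.`.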
|
|||||||
@@ -4812,6 +4812,23 @@
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"github.com.aquasecurity.trivy.pkg.iac.providers.azure.container.AgentPool": {
|
||||||
|
"type": "object",
|
||||||
|
"properties": {
|
||||||
|
"__defsec_metadata": {
|
||||||
|
"type": "object",
|
||||||
|
"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.Metadata"
|
||||||
|
},
|
||||||
|
"diskencryptionsetid": {
|
||||||
|
"type": "object",
|
||||||
|
"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"
|
||||||
|
},
|
||||||
|
"nodetype": {
|
||||||
|
"type": "object",
|
||||||
|
"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
"github.com.aquasecurity.trivy.pkg.iac.providers.azure.container.AzurePolicy": {
|
"github.com.aquasecurity.trivy.pkg.iac.providers.azure.container.AzurePolicy": {
|
||||||
"type": "object",
|
"type": "object",
|
||||||
"properties": {
|
"properties": {
|
||||||
@@ -4848,6 +4865,13 @@
|
|||||||
"type": "object",
|
"type": "object",
|
||||||
"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.providers.azure.container.AddonProfile"
|
"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.providers.azure.container.AddonProfile"
|
||||||
},
|
},
|
||||||
|
"agentpools": {
|
||||||
|
"type": "array",
|
||||||
|
"items": {
|
||||||
|
"type": "object",
|
||||||
|
"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.providers.azure.container.AgentPool"
|
||||||
|
}
|
||||||
|
},
|
||||||
"apiserverauthorizedipranges": {
|
"apiserverauthorizedipranges": {
|
||||||
"type": "array",
|
"type": "array",
|
||||||
"items": {
|
"items": {
|
||||||
|
|||||||