feat(misconf): add agentpools to azure container schema (#9714)

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
Co-authored-by: nikpivkin <nikita.pivkin@smartforce.io>
This commit is contained in:
yagreut
2025-11-05 16:27:18 +02:00
committed by GitHub
parent 6fb3fde916
commit 69f400c183
4 changed files with 98 additions and 1 deletions


@@ -35,6 +35,7 @@ func adaptCluster(resource *terraform.Block) container.KubernetesCluster {
APIServerAuthorizedIPRanges: nil,
AzurePolicyEnabled: iacTypes.BoolDefault(false, resource.GetMetadata()),
DiskEncryptionSetID: iacTypes.StringDefault("", resource.GetMetadata()),
AgentPools: []container.AgentPool{},
RoleBasedAccessControl: container.RoleBasedAccessControl{
Metadata: resource.GetMetadata(),
Enabled: iacTypes.BoolDefault(false, resource.GetMetadata()),
@@ -119,10 +120,29 @@ func adaptCluster(resource *terraform.Block) container.KubernetesCluster {
cluster.AzurePolicyEnabled = azurePolicyEnabledAttr.AsBoolValueOrDefault(false, resource)
}
// disk encryption set ID
if diskEncryptionSetIDAttr := resource.GetAttribute("disk_encryption_set_id"); diskEncryptionSetIDAttr.IsNotNil() {
cluster.DiskEncryptionSetID = diskEncryptionSetIDAttr.AsStringValueOrDefault("", resource)
}
cluster.AgentPools = adaptAgentPools(resource)
return cluster
}
func adaptAgentPools(resource *terraform.Block) []container.AgentPool {
var pools []container.AgentPool
if defaultNodePoolBlock := resource.GetBlock("default_node_pool"); defaultNodePoolBlock.IsNotNil() {
pools = append(pools, adaptAgentPool(defaultNodePoolBlock))
}
return pools
}
func adaptAgentPool(block *terraform.Block) container.AgentPool {
return container.AgentPool{
Metadata: block.GetMetadata(),
DiskEncryptionSetID: block.GetAttribute("disk_encryption_set_id").AsStringValueOrDefault("", block),
NodeType: block.GetAttribute("type").AsStringValueOrDefault("VirtualMachineScaleSets", block),
}
}
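Review bot: `adaptAgentPool` reads `disk_encryption_set_id` from the `default_node_pool` block, but as far as I can tell the azurerm provider defines that argument only on the `azurerm_kubernetes_cluster` resource itself (already adapted a few lines above as `cluster.DiskEncryptionSetID`), not on the node-pool block; if that is right, `AgentPool.DiskEncryptionSetID` will always be the `""` default and any rule keyed on it would flag every pool. Worth confirming against the provider schema before rules are written on top of this field. Separately, `adaptAgentPools` only picks up `default_node_pool`; additional pools declared as `azurerm_kubernetes_cluster_node_pool` resources are not collected, so a rule iterating `AgentPools` sees a partial view of the cluster. A comment on `adaptAgentPools` stating that limitation, e.g. `// adaptAgentPools collects only the default_node_pool block; pools declared via azurerm_kubernetes_cluster_node_pool are not resolved here.`, would keep it visible to rule authors. `adaptCluster` begins outside the hunk.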


@@ -281,6 +281,52 @@ resource "azurerm_kubernetes_cluster" "misreporting_example" {
},
},
},
{
name: "with default_node_pool",
terraform: `
resource "azurerm_kubernetes_cluster" "example" {
default_node_pool {
name = "default"
node_count = 1
vm_size = "Standard_DS2_v2"
type = "VirtualMachineScaleSets"
disk_encryption_set_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Compute/diskEncryptionSets/node-pool-des"
}
}
`,
expected: container.KubernetesCluster{
Metadata: iacTypes.NewTestMetadata(),
NetworkProfile: container.NetworkProfile{
Metadata: iacTypes.NewTestMetadata(),
NetworkPolicy: iacTypes.String("", iacTypes.NewTestMetadata()),
},
EnablePrivateCluster: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
AzurePolicyEnabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
DiskEncryptionSetID: iacTypes.String("", iacTypes.NewTestMetadata()),
AgentPools: []container.AgentPool{
{
Metadata: iacTypes.NewTestMetadata(),
DiskEncryptionSetID: iacTypes.String("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Compute/diskEncryptionSets/node-pool-des", iacTypes.NewTestMetadata()),
NodeType: iacTypes.String("VirtualMachineScaleSets", iacTypes.NewTestMetadata()),
},
},
AddonProfile: container.AddonProfile{
Metadata: iacTypes.NewTestMetadata(),
OMSAgent: container.OMSAgent{
Metadata: iacTypes.NewTestMetadata(),
Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
},
AzurePolicy: container.AzurePolicy{
Metadata: iacTypes.NewTestMetadata(),
Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
},
},
RoleBasedAccessControl: container.RoleBasedAccessControl{
Metadata: iacTypes.NewTestMetadata(),
Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
},
},
},
}
for _, test := range tests {
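Review bot: The new case only exercises a `default_node_pool` where both `type` and `disk_encryption_set_id` are set, so the fallback values the adapter applies when they are omitted (`""` and `"VirtualMachineScaleSets"`) are not pinned by any test. A second case with a bare `default_node_pool { name = "default" vm_size = "Standard_DS2_v2" node_count = 1 }` expecting those defaults in `AgentPools` would catch a regression in the default handling. The test table starts outside the hunk.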


@@ -17,6 +17,7 @@ type KubernetesCluster struct {
RoleBasedAccessControl RoleBasedAccessControl
AzurePolicyEnabled iacTypes.BoolValue
DiskEncryptionSetID iacTypes.StringValue
AgentPools []AgentPool
}
type RoleBasedAccessControl struct {
@@ -44,3 +45,9 @@ type NetworkProfile struct {
Metadata iacTypes.Metadata
NetworkPolicy iacTypes.StringValue // "", "calico", "azure"
}
type AgentPool struct {
Metadata iacTypes.Metadata
DiskEncryptionSetID iacTypes.StringValue
NodeType iacTypes.StringValue // "VirtualMachineScaleSets" or others
}
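Review bot: The trailing comment on `NodeType`, `// "VirtualMachineScaleSets" or others`, does not tell a rule author what the other values are or which one the adapter falls back to. Suggest `// NodeType is the pool's "type" argument: "VirtualMachineScaleSets" (the adapter's default) or "AvailabilitySet".`. The exported `AgentPool` type also has no doc comment; `// AgentPool describes a node pool of a KubernetesCluster.` would do. The enclosing file continues outside the hunk, so I cannot see whether the sibling types carry doc comments.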


@@ -4812,6 +4812,23 @@
}
}
},
"github.com.aquasecurity.trivy.pkg.iac.providers.azure.container.AgentPool": {
"type": "object",
"properties": {
"__defsec_metadata": {
"type": "object",
"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.Metadata"
},
"diskencryptionsetid": {
"type": "object",
"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"
},
"nodetype": {
"type": "object",
"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"
}
}
},
"github.com.aquasecurity.trivy.pkg.iac.providers.azure.container.AzurePolicy": {
"type": "object",
"properties": {
@@ -4848,6 +4865,13 @@
"type": "object",
"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.providers.azure.container.AddonProfile"
},
"agentpools": {
"type": "array",
"items": {
"type": "object",
"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.providers.azure.container.AgentPool"
}
},
"apiserverauthorizedipranges": {
"type": "array",
"items": {