Check which version of TLS is enforced (#2484)

* Check which version of TFL is enforced * I see typos
bridgecrewio · Feb 18, 2022 · 9ac786c · 9ac786c
1 parent 5d081f7
commit 9ac786c
Show file tree

Hide file tree

Showing 6 changed files with 92 additions and 7 deletions.
diff --git a/...urce/azure/PostgersSQLEncryptionEnaled.py → ...urce/azure/PostgreSQLEncryptionEnabled.py b/...urce/azure/PostgersSQLEncryptionEnaled.py → ...urce/azure/PostgreSQLEncryptionEnabled.py
@@ -2,7 +2,7 @@
 from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
 
 
-class PostgersSQLEncryptionEnaled(BaseResourceValueCheck):
+class PostgreSQLEncryptionEnabled(BaseResourceValueCheck):
     def __init__(self):
         name = "Ensure that PostgreSQL server enables infrastructure encryption"
         id = "CKV_AZURE_130"
@@ -14,5 +14,4 @@ def get_inspected_key(self):
         return 'infrastructure_encryption_enabled'
 
 
-
-check = PostgersSQLEncryptionEnaled()
+check = PostgreSQLEncryptionEnabled()
diff --git a/checkov/terraform/checks/resource/azure/PostgreSQLMinTLSVersion.py b/checkov/terraform/checks/resource/azure/PostgreSQLMinTLSVersion.py
@@ -0,0 +1,21 @@
+from checkov.common.models.enums import CheckResult, CheckCategories
+from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+
+
+class PostgreSQLMinTLSVersion(BaseResourceValueCheck):
+    def __init__(self):
+        name = "Ensure PostgreSQL is using the latest version of TLS encryption"
+        id = "CKV_AZURE_147"
+        supported_resources = ['azurerm_postgresql_server']
+        categories = [CheckCategories.NETWORKING]
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
+                         missing_block_result=CheckResult.FAILED)
+
+    def get_inspected_key(self):
+        return "ssl_minimal_tls_version_enforced"
+
+    def get_expected_value(self):
+        return 'TLS1_2'
+
+
+check = PostgreSQLMinTLSVersion()
diff --git a/tests/terraform/checks/resource/azure/example_PostgreSQLMinTLSVersion/main.tf b/tests/terraform/checks/resource/azure/example_PostgreSQLMinTLSVersion/main.tf
@@ -0,0 +1,23 @@
+resource "azurerm_postgresql_server" "fail" {
+  name = "fail"
+
+  public_network_access_enabled    = true
+  ssl_enforcement_enabled          = true
+  ssl_minimal_tls_version_enforced = "TLS1_1"
+}
+
+
+resource "azurerm_postgresql_server" "pass" {
+  name = "fail"
+
+  public_network_access_enabled    = true
+  ssl_enforcement_enabled          = true
+  ssl_minimal_tls_version_enforced = "TLS1_2"
+}
+
+resource "azurerm_postgresql_server" "fail2" {
+  name = "fail"
+
+  public_network_access_enabled    = true
+  ssl_enforcement_enabled          = true
+}
diff --git a/...ource/azure/test_MySQLEncryptionEnaled.py → ...urce/azure/test_MySQLEncryptionEnabled.py b/...ource/azure/test_MySQLEncryptionEnaled.py → ...urce/azure/test_MySQLEncryptionEnabled.py
@@ -2,11 +2,11 @@
 
 import hcl2
 
-from checkov.terraform.checks.resource.azure.PostgersSQLEncryptionEnaled import check
+from checkov.terraform.checks.resource.azure.PostgreSQLEncryptionEnabled import check
 from checkov.common.models.enums import CheckResult
 
 
-class TestMySQLEncryptionEnaled(unittest.TestCase):
+class TestMySQLEncryptionEnabled(unittest.TestCase):
 
     def test_failure_1(self):
         hcl_res = hcl2.loads("""

diff --git a/...azure/test_PostgersSQLEncryptionEnaled.py → ...azure/test_PostgreSQLEncryptionEnabled.py b/...azure/test_PostgersSQLEncryptionEnaled.py → ...azure/test_PostgreSQLEncryptionEnabled.py
@@ -2,11 +2,11 @@
 
 import hcl2
 
-from checkov.terraform.checks.resource.azure.PostgersSQLEncryptionEnaled import check
+from checkov.terraform.checks.resource.azure.PostgreSQLEncryptionEnabled import check
 from checkov.common.models.enums import CheckResult
 
 
-class TestPostgersSQLEncryptionEnaled(unittest.TestCase):
+class TestPostgreSQLEncryptionEnabled(unittest.TestCase):
 
     def test_failure_1(self):
         hcl_res = hcl2.loads("""

diff --git a/tests/terraform/checks/resource/azure/test_PostgreSQLMinTLSVersion.py b/tests/terraform/checks/resource/azure/test_PostgreSQLMinTLSVersion.py
@@ -0,0 +1,42 @@
+import unittest
+from pathlib import Path
+
+from checkov.runner_filter import RunnerFilter
+from checkov.terraform.checks.resource.azure.PostgreSQLMinTLSVersion import check
+from checkov.terraform.runner import Runner
+
+
+class TestPostgreSQLMinTLSVersion(unittest.TestCase):
+
+    def test(self):
+        # given
+        test_files_dir = Path(__file__).parent / "example_PostgreSQLMinTLSVersion"
+
+        # when
+        report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+        # then
+        summary = report.get_summary()
+
+        passing_resources = {
+            "azurerm_postgresql_server.pass",
+        }
+        failing_resources = {
+            "azurerm_postgresql_server.fail",
+            "azurerm_postgresql_server.fail2",
+        }
+
+        passed_check_resources = {c.resource for c in report.passed_checks}
+        failed_check_resources = {c.resource for c in report.failed_checks}
+
+        self.assertEqual(summary["passed"], 1)
+        self.assertEqual(summary["failed"], 2)
+        self.assertEqual(summary["skipped"], 0)
+        self.assertEqual(summary["parsing_errors"], 0)
+
+        self.assertEqual(passing_resources, passed_check_resources)
+        self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == '__main__':
+    unittest.main()