bridgecrewio · quixoticmonk · Aug 9, 2024 · Aug 12, 2024 · Sep 2, 2024 · Sep 8, 2024
diff --git a/checkov/terraform/checks/provider/__init__.py b/checkov/terraform/checks/provider/__init__.py
@@ -1,6 +1,7 @@
 from checkov.terraform.checks.provider.aws import *  # noqa
-from checkov.terraform.checks.provider.linode import *  # noqa
+from checkov.terraform.checks.provider.awscc import *  # noqa
 from checkov.terraform.checks.provider.bridgecrew import *  # noqa
+from checkov.terraform.checks.provider.linode import *  # noqa
 from checkov.terraform.checks.provider.oci import *  # noqa
 from checkov.terraform.checks.provider.openstack import *  # noqa
 from checkov.terraform.checks.provider.panos import *  # noqa
diff --git a/checkov/terraform/checks/provider/awscc/__init__.py b/checkov/terraform/checks/provider/awscc/__init__.py
@@ -0,0 +1,5 @@
+from os.path import dirname, basename, isfile, join
+import glob
+
+modules = glob.glob(join(dirname(__file__), "*.py"))
+__all__ = [basename(f)[:-3] for f in modules if isfile(f) and not f.endswith("__init__.py")]
diff --git a/checkov/terraform/checks/provider/awscc/credentials.py b/checkov/terraform/checks/provider/awscc/credentials.py
@@ -0,0 +1,37 @@
+import re
+from typing import Any, Dict, List
+
+from checkov.common.models.consts import access_key_pattern, secret_key_pattern
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.terraform.checks.provider.base_check import BaseProviderCheck
+
+
+class AWSCCCredentials(BaseProviderCheck):
+    def __init__(self) -> None:
+        name = "Ensure no hard coded AWS access key and secret key exists in provider"
+        id = "CKV_AWSCC_41"
+        supported_provider = ["awscc"]
+        categories = [CheckCategories.SECRETS]
+        super().__init__(name=name, id=id, categories=categories, supported_provider=supported_provider)
+
+    def scan_provider_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:
+        """
+        see: https://registry.terraform.io/providers/hashicorp/awscc/latest/docs#authentication
+        """
+        result = CheckResult.PASSED
+        if self.secret_found(conf, "access_key", access_key_pattern):
+            result = CheckResult.FAILED
+        if self.secret_found(conf, "secret_key", secret_key_pattern):
+            result = CheckResult.FAILED
+        return result
+
+    def secret_found(self, conf: Dict[str, List[Any]], field: str, pattern: str) -> bool:
+        if field in conf.keys():
+            value = conf[field][0]
+            if isinstance(value, str) and re.match(pattern, value) is not None:
+                conf[f'{self.id}_secret_{field}'] = value
+                return True
+        return False
+
+
+check = AWSCCCredentials()
diff --git a/tests/terraform/checks/provider/awscc/__init__.py b/tests/terraform/checks/provider/awscc/__init__.py
diff --git a/tests/terraform/checks/provider/awscc/test_credentials.py b/tests/terraform/checks/provider/awscc/test_credentials.py
@@ -0,0 +1,74 @@
+import unittest
+
+import hcl2
+
+from checkov.terraform.checks.provider.awscc.credentials import check
+from checkov.common.models.enums import CheckResult
+
+
+class TestCredentials(unittest.TestCase):
+    def test_success_empty(self):
+        hcl_res = hcl2.loads(
+            """
+            provider "awscc" {}
+            """
+        )
+        provider_conf = hcl_res["provider"][0]["awscc"]
+        scan_result = check.scan_provider_conf(conf=provider_conf)
+        self.assertEqual(CheckResult.PASSED, scan_result)
+
+    def test_success_region(self):
+        hcl_res = hcl2.loads(
+            """
+            provider "awscc" {
+                region = "us-west-2"
+            }
+            """
+        )
+        provider_conf = hcl_res["provider"][0]["awscc"]
+        scan_result = check.scan_provider_conf(conf=provider_conf)
+        self.assertEqual(CheckResult.PASSED, scan_result)
+
+    def test_failure_both_keys(self):
+        hcl_res = hcl2.loads(
+            """
+            provider "awscc" {
+                region     = "us-west-2"
+                access_key = "AKIAIOSFODNN7EXAMPLE"
+                secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+            }
+            """
+        )
+        provider_conf = hcl_res["provider"][0]["awscc"]
+        scan_result = check.scan_provider_conf(conf=provider_conf)
+        self.assertEqual(CheckResult.FAILED, scan_result)
+
+    def test_failure_access_key(self):
+        hcl_res = hcl2.loads(
+            """
+            provider "awscc" {
+                region     = "us-west-2"
+                access_key = "AKIAIOSFODNN7EXAMPLE"
+            }
+            """
+        )
+        provider_conf = hcl_res["provider"][0]["awscc"]
+        scan_result = check.scan_provider_conf(conf=provider_conf)
+        self.assertEqual(CheckResult.FAILED, scan_result)
+
+    def test_failure_secret_key(self):
+        hcl_res = hcl2.loads(
+            """
+            provider "awscc" {
+                region     = "us-west-2"
+                secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+            }
+            """
+        )
+        provider_conf = hcl_res["provider"][0]["awscc"]
+        scan_result = check.scan_provider_conf(conf=provider_conf)
+        self.assertEqual(CheckResult.FAILED, scan_result)
+
+
+if __name__ == "__main__":
+    unittest.main()