Merge pull request #33 from using-system/features/fix-checkov-issues

using-system · web-flow · commit f4d0bc301512 · 2023-12-02T17:51:20.000+01:00
Features/fix checkov issues
diff --git a/github/actions/checkov/entrypoint.sh b/github/actions/checkov/entrypoint.sh
@@ -4,4 +4,4 @@ if [ ! -f $1/checkov.yml ]; then
   cp /config_empty.yml $1/checkov.yml
 fi
 
-checkov -d $1 --config-file $1/checkov.yml
+checkov -d $1 --config-file $1/checkov.yml -o github_failed_only
diff --git a/terraform/modules/az-aca/README.md b/terraform/modules/az-aca/README.md
@@ -7,7 +7,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.78.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.82.0 |
 
 ## Modules
 
diff --git a/terraform/modules/az-acae-storage/README.md b/terraform/modules/az-acae-storage/README.md
@@ -7,7 +7,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.78.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.82.0 |
 
 ## Modules
 
diff --git a/terraform/modules/az-acae/README.md b/terraform/modules/az-acae/README.md
@@ -7,7 +7,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.78.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.82.0 |
 
 ## Modules
 
diff --git a/terraform/modules/az-acr/README.md b/terraform/modules/az-acr/README.md
@@ -7,7 +7,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.78.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.82.0 |
 
 ## Modules
 
@@ -40,6 +40,7 @@ No modules.
 | <a name="input_sku"></a> [sku](#input\_sku) | The SKU name of the container registry. | `string` | `"Premium"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to associate with resources. | `map(string)` | n/a | yes |
 | <a name="input_trust_policy_enabled"></a> [trust\_policy\_enabled](#input\_trust\_policy\_enabled) | Determines if the trust policy is enabled | `bool` | `true` | no |
+| <a name="input_zone_redundancy_enabled"></a> [zone\_redundancy\_enabled](#input\_zone\_redundancy\_enabled) | Determines if the zone redundancy is enabled | `bool` | `true` | no |
 
 ## Outputs
 
diff --git a/terraform/modules/az-acr/main.tf b/terraform/modules/az-acr/main.tf
@@ -21,10 +21,13 @@ resource "azurerm_container_registry" "acr" {
     for_each = var.georeplication_locations
 
     content {
-      location = georeplications.value
+      location                = georeplications.value
+      zone_redundancy_enabled = true
     }
   }
 
+  zone_redundancy_enabled = var.zone_redundancy_enabled
+
   identity {
     type         = var.identity_type
     identity_ids = var.identity_ids
diff --git a/terraform/modules/az-acr/tests/acr_not_secure.tftest.hcl b/terraform/modules/az-acr/tests/acr_not_secure.tftest.hcl
@@ -25,6 +25,7 @@ run "plan" {
     trust_policy_enabled            = false
     retention_policy_enabled        = false
     enable_lock_on_acr              = false
+    zone_redundancy_enabled         = false
     network_rule_bypass_option      = "AzureServices"
 
     tags                        = { Environment = "Test" }
@@ -105,6 +106,11 @@ run "plan" {
     error_message  = "acr georeplications must be empty"
   }
 
+  assert {
+    condition       = azurerm_container_registry.acr.zone_redundancy_enabled == false
+    error_message  = "acr zone_redundancy_enabled must be set to true"
+  }
+
   assert {
     condition       = length(azurerm_container_registry.acr.tags) == 1
     error_message  = "acr tags must contains one element"
@@ -133,6 +139,7 @@ run "apply" {
       trust_policy_enabled            = false
       retention_policy_enabled        = false
       enable_lock_on_acr              = false
+      zone_redundancy_enabled         = false
       network_rule_bypass_option      = "AzureServices"
 
       tags                        = { Environment = "Test" }
diff --git a/terraform/modules/az-acr/tests/acr_secure.tftest.hcl b/terraform/modules/az-acr/tests/acr_secure.tftest.hcl
@@ -101,6 +101,11 @@ run "plan" {
     error_message  = "acr georeplications must be empty"
   }
 
+  assert {
+    condition       = azurerm_container_registry.acr.zone_redundancy_enabled == true
+    error_message  = "acr zone_redundancy_enabled must be set to true"
+  }
+
   assert {
     condition       = length(azurerm_container_registry.acr.tags) == 1
     error_message  = "acr tags must contains one element"
diff --git a/terraform/modules/az-acr/variables.tf b/terraform/modules/az-acr/variables.tf
@@ -69,6 +69,12 @@ variable "trust_policy_enabled" {
   default     = true
 }
 
+variable "zone_redundancy_enabled" {
+  description = "Determines if the zone redundancy is enabled"
+  type        = bool
+  default     = true
+}
+
 variable "identity_type" {
   description = "The type of identity used for the acr."
   type        = string
diff --git a/terraform/modules/az-ad-security-group-members/README.md b/terraform/modules/az-ad-security-group-members/README.md
@@ -7,7 +7,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azuread"></a> [azuread](#provider\_azuread) | 2.45.0 |
+| <a name="provider_azuread"></a> [azuread](#provider\_azuread) | 2.46.0 |
 
 ## Modules
 
diff --git a/terraform/modules/az-ad-security-group/README.md b/terraform/modules/az-ad-security-group/README.md
@@ -7,7 +7,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azuread"></a> [azuread](#provider\_azuread) | 2.45.0 |
+| <a name="provider_azuread"></a> [azuread](#provider\_azuread) | 2.46.0 |
 
 ## Modules
 
diff --git a/terraform/modules/az-aks/README.md b/terraform/modules/az-aks/README.md
@@ -7,7 +7,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.78.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.82.0 |
 | <a name="provider_tls"></a> [tls](#provider\_tls) | 4.0.4 |
 
 ## Modules
@@ -25,7 +25,7 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_configuration"></a> [configuration](#input\_configuration) | AKS configuration | <pre>object({<br>    version                      = string<br>    sku                          = string<br>    private_cluster              = bool<br>    user_assigned_identity_id    = string<br>    admin_username               = optional(string)<br>    local_account_disabled       = optional(bool, true)<br>    disk_encryption_set_id       = optional(string)<br>    public_ssh_key               = optional(string)<br>    automatic_channel_upgrade    = optional(string)<br>    kv_key_management_service_id = optional(string)<br>    node_pool = object({<br>      type                        = string<br>      count                       = number<br>      vm_size                     = string<br>      availability_zones          = list(number)<br>      os_disk_size                = number,<br>      max_pods                    = optional(number, 110)<br>      temporary_name_for_rotation = optional(string)<br>    })<br>    rbac = object({<br>      enabled                = bool<br>      admin_group_object_ids = optional(list(string), [])<br>      tenant_id              = string<br>    })<br>    addon = object({<br>      enable_open_service_mesh = bool<br>      enable_azure_policy      = bool<br>    })<br>    network_profile = object({<br>      network_plugin    = optional(string, "azure"),<br>      network_policy    = optional(string, "azure"),<br>      load_balancer_sku = optional(string, "standard"),<br>      outbound_type     = optional(string, "userDefinedRouting"),<br>    })<br><br>  })</pre> | n/a | yes |
+| <a name="input_configuration"></a> [configuration](#input\_configuration) | AKS configuration | <pre>object({<br>    version                      = string<br>    sku                          = string<br>    private_cluster              = bool<br>    user_assigned_identity_id    = string<br>    admin_username               = optional(string)<br>    local_account_disabled       = optional(bool, true)<br>    disk_encryption_set_id       = optional(string)<br>    public_ssh_key               = optional(string)<br>    automatic_channel_upgrade    = optional(string)<br>    kv_key_management_service_id = optional(string)<br>    node_pool = object({<br>      type                         = string<br>      count                        = number<br>      vm_size                      = string<br>      availability_zones           = list(number)<br>      os_disk_size                 = number,<br>      max_pods                     = optional(number, 110)<br>      temporary_name_for_rotation  = optional(string)<br>      only_critical_addons_enabled = optional(bool, true)<br>    })<br>    rbac = object({<br>      enabled                = bool<br>      admin_group_object_ids = optional(list(string), [])<br>      tenant_id              = string<br>    })<br>    addon = object({<br>      enable_open_service_mesh = bool<br>      enable_azure_policy      = bool<br>    })<br>    network_profile = object({<br>      network_plugin    = optional(string, "azure"),<br>      network_policy    = optional(string, "azure"),<br>      load_balancer_sku = optional(string, "standard"),<br>      outbound_type     = optional(string, "userDefinedRouting"),<br>    })<br><br>  })</pre> | n/a | yes |
 | <a name="input_location"></a> [location](#input\_location) | Azure Region Location | `any` | n/a | yes |
 | <a name="input_log_analytics_id"></a> [log\_analytics\_id](#input\_log\_analytics\_id) | Log analytics identifier | `any` | n/a | yes |
 | <a name="input_name"></a> [name](#input\_name) | Naming of the aks | `any` | n/a | yes |
diff --git a/terraform/modules/az-aks/main.tf b/terraform/modules/az-aks/main.tf
@@ -21,17 +21,18 @@ resource "azurerm_kubernetes_cluster" "aks" {
   automatic_channel_upgrade = var.configuration.automatic_channel_upgrade
 
   default_node_pool {
-    name                        = "defaultpool"
-    node_count                  = var.configuration.node_pool.count
-    vm_size                     = var.configuration.node_pool.vm_size
-    zones                       = var.configuration.node_pool.availability_zones
-    os_disk_type                = "Ephemeral"
-    os_disk_size_gb             = var.configuration.node_pool.os_disk_size
-    type                        = var.configuration.node_pool.type
-    vnet_subnet_id              = var.subnet_id
-    max_pods                    = var.configuration.node_pool.max_pods
-    temporary_name_for_rotation = var.configuration.node_pool.temporary_name_for_rotation
-    enable_host_encryption      = true
+    name                         = "defaultpool"
+    node_count                   = var.configuration.node_pool.count
+    vm_size                      = var.configuration.node_pool.vm_size
+    zones                        = var.configuration.node_pool.availability_zones
+    os_disk_type                 = "Ephemeral"
+    os_disk_size_gb              = var.configuration.node_pool.os_disk_size
+    type                         = var.configuration.node_pool.type
+    vnet_subnet_id               = var.subnet_id
+    max_pods                     = var.configuration.node_pool.max_pods
+    temporary_name_for_rotation  = var.configuration.node_pool.temporary_name_for_rotation
+    enable_host_encryption       = true
+    only_critical_addons_enabled = var.configuration.node_pool.only_critical_addons_enabled
   }
 
   identity {
diff --git a/terraform/modules/az-aks/variables.tf b/terraform/modules/az-aks/variables.tf
@@ -24,13 +24,14 @@ variable "configuration" {
     automatic_channel_upgrade    = optional(string)
     kv_key_management_service_id = optional(string)
     node_pool = object({
-      type                        = string
-      count                       = number
-      vm_size                     = string
-      availability_zones          = list(number)
-      os_disk_size                = number,
-      max_pods                    = optional(number, 110)
-      temporary_name_for_rotation = optional(string)
+      type                         = string
+      count                        = number
+      vm_size                      = string
+      availability_zones           = list(number)
+      os_disk_size                 = number,
+      max_pods                     = optional(number, 110)
+      temporary_name_for_rotation  = optional(string)
+      only_critical_addons_enabled = optional(bool, true)
     })
     rbac = object({
       enabled                = bool
diff --git a/terraform/modules/az-analytics/README.md b/terraform/modules/az-analytics/README.md
@@ -7,7 +7,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.78.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.82.0 |
 
 ## Modules
 
diff --git a/terraform/modules/az-assigned-identity/README.md b/terraform/modules/az-assigned-identity/README.md
@@ -7,7 +7,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.78.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.82.0 |
 
 ## Modules
 
diff --git a/terraform/modules/az-bastion/README.md b/terraform/modules/az-bastion/README.md
@@ -7,7 +7,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.78.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.82.0 |
 
 ## Modules
 
diff --git a/terraform/modules/az-des/README.md b/terraform/modules/az-des/README.md
@@ -7,7 +7,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.78.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.82.0 |
 
 ## Modules
 
diff --git a/terraform/modules/az-dns-zone-vnet-link/README.md b/terraform/modules/az-dns-zone-vnet-link/README.md
@@ -7,7 +7,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.78.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.82.0 |
 
 ## Modules
 
diff --git a/terraform/modules/az-dns-zone/README.md b/terraform/modules/az-dns-zone/README.md
@@ -7,7 +7,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.78.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.82.0 |
 
 ## Modules
 
diff --git a/terraform/modules/az-iam/README.md b/terraform/modules/az-iam/README.md
@@ -7,7 +7,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.78.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.82.0 |
 
 ## Modules
 
diff --git a/terraform/modules/az-kv-key/README.md b/terraform/modules/az-kv-key/README.md
@@ -7,7 +7,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.78.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.82.0 |
 
 ## Modules
 
diff --git a/terraform/modules/az-kv-secret/README.md b/terraform/modules/az-kv-secret/README.md
@@ -7,7 +7,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.78.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.82.0 |
 
 ## Modules
 
diff --git a/terraform/modules/az-kv/README.md b/terraform/modules/az-kv/README.md
@@ -7,7 +7,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.78.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.82.0 |
 
 ## Modules
 
diff --git a/terraform/modules/az-kv/tests/setup_with_vnet/main.tf b/terraform/modules/az-kv/tests/setup_with_vnet/main.tf
@@ -8,23 +8,18 @@ resource "azurerm_virtual_network" "test" {
   resource_group_name = data.azurerm_resource_group.test.name
   address_space       = ["10.0.0.0/16"]
 
-  subnet {
-    name           = "Subnet1"
-    address_prefix = "10.0.0.0/23"
-  }
-
   tags = {
     environment = "Test"
   }
 }
 
-data "azurerm_subnet" "test" {
-
-  depends_on = [azurerm_virtual_network.test]
-
+resource "azurerm_subnet" "test" {
   name                 = "Subnet1"
-  virtual_network_name = azurerm_virtual_network.test.name
   resource_group_name  = data.azurerm_resource_group.test.name
+  virtual_network_name = azurerm_virtual_network.test.name
+  address_prefixes     = ["10.0.0.0/23"]
+
+  service_endpoints = ["Microsoft.KeyVault"]
 }
 
 output "resource_group_name" {
@@ -36,5 +31,5 @@ output "resource_group_location" {
 }
 
 output "subnet_id" {
-  value = data.azurerm_subnet.test.id
+  value = azurerm_subnet.test.id
 }
diff --git a/terraform/modules/az-nat-gtw-subnet-assoc/README.md b/terraform/modules/az-nat-gtw-subnet-assoc/README.md
@@ -7,7 +7,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.78.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.82.0 |
 
 ## Modules
 
diff --git a/terraform/modules/az-nat-gtw/README.md b/terraform/modules/az-nat-gtw/README.md
@@ -7,7 +7,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.78.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.82.0 |
 
 ## Modules
 
diff --git a/terraform/modules/az-nsg/README.md b/terraform/modules/az-nsg/README.md
@@ -7,7 +7,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.78.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.82.0 |
 
 ## Modules
 
diff --git a/terraform/modules/az-pep/README.md b/terraform/modules/az-pep/README.md
@@ -7,7 +7,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.78.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.82.0 |
 
 ## Modules
 
diff --git a/terraform/modules/az-rg/README.md b/terraform/modules/az-rg/README.md
@@ -7,7 +7,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.78.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.82.0 |
 
 ## Modules
 
diff --git a/terraform/modules/az-routetable/README.md b/terraform/modules/az-routetable/README.md
@@ -7,7 +7,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.78.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.82.0 |
 
 ## Modules
 
diff --git a/terraform/modules/az-storage-share/README.md b/terraform/modules/az-storage-share/README.md
@@ -7,7 +7,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.78.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.82.0 |
 
 ## Modules
 
diff --git a/terraform/modules/az-storage/README.md b/terraform/modules/az-storage/README.md
diff --git a/terraform/modules/az-storage/tests/storage_without_cmk.tftest.hcl b/terraform/modules/az-storage/tests/storage_without_cmk.tftest.hcl
diff --git a/terraform/modules/az-storage/variables.tf b/terraform/modules/az-storage/variables.tf
diff --git a/terraform/modules/az-vm-attach-disk/README.md b/terraform/modules/az-vm-attach-disk/README.md
diff --git a/terraform/modules/az-vm-linux/README.md b/terraform/modules/az-vm-linux/README.md
diff --git a/terraform/modules/az-vm-shutdown/README.md b/terraform/modules/az-vm-shutdown/README.md
diff --git a/terraform/modules/az-vnet-peering/README.md b/terraform/modules/az-vnet-peering/README.md
diff --git a/terraform/modules/az-vnet/README.md b/terraform/modules/az-vnet/README.md

Original file line number	Diff line number	Diff line change
`@@ -21,10 +21,13 @@ resource "azurerm_container_registry" "acr" {`
`21`	`21`	`for_each = var.georeplication_locations`
`22`	`22`
`23`	`23`	`content {`
`24`		`- location = georeplications.value`
	`24`	`+ location = georeplications.value`
	`25`	`+ zone_redundancy_enabled = true`
`25`	`26`	`}`
`26`	`27`	`}`
`27`	`28`
	`29`	`+ zone_redundancy_enabled = var.zone_redundancy_enabled`
	`30`	`+`
`28`	`31`	`identity {`
`29`	`32`	`type = var.identity_type`
`30`	`33`	`identity_ids = var.identity_ids`