fix: Update CKV_AZURE_167 to correct check on retention policy

bridgecrewio · Oct 8, 2024 · d003ade · d003ade
1 parent 51c5054
commit d003ade
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 19 deletions.
diff --git a/checkov/terraform/checks/resource/azure/ACREnableRetentionPolicy.py b/checkov/terraform/checks/resource/azure/ACREnableRetentionPolicy.py
@@ -1,5 +1,7 @@
 from checkov.common.models.enums import CheckCategories
 from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+from typing import Any
+from checkov.common.models.consts import ANY_VALUE
 
 
 class ACREnableRetentionPolicy(BaseResourceValueCheck):
@@ -10,8 +12,10 @@ def __init__(self) -> None:
         categories = (CheckCategories.GENERAL_SECURITY,)
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
-    def get_inspected_key(self) -> str:
-        return "retention_policy/enabled"
+    def get_inspected_key(self):
+        return "retention_policy_in_days"
 
+    def get_expected_value(self) -> Any:
+        return ANY_VALUE
 
 check = ACREnableRetentionPolicy()
diff --git a/tests/terraform/checks/resource/azure/example_ACREnableRetentionPolicy/main.tf b/tests/terraform/checks/resource/azure/example_ACREnableRetentionPolicy/main.tf
@@ -6,9 +6,7 @@ resource "azurerm_container_registry" "pass" {
   sku                       = "Premium"
   anonymous_pull_enabled    = false
   quarantine_policy_enabled = true
-  retention_policy {
-    enabled = true
-  }
+  retention_policy_in_days  = 7
 }
 
 
@@ -18,15 +16,3 @@ resource "azurerm_container_registry" "fail" {
   location            = azurerm_resource_group.rg.location
   sku                 = "Premium"
 }
-
-
-resource "azurerm_container_registry" "fail2" {
-  name                      = "containerRegistry1"
-  resource_group_name       = azurerm_resource_group.rg.name
-  location                  = azurerm_resource_group.rg.location
-  sku                       = "Standard"
-  quarantine_policy_enabled = false
-  retention_policy {
-    enabled = false
-  }
-}
diff --git a/tests/terraform/checks/resource/azure/test_ACREnableRetentionPolicy.py b/tests/terraform/checks/resource/azure/test_ACREnableRetentionPolicy.py
@@ -22,7 +22,6 @@ def test(self):
         }
         failing_resources = {
             'azurerm_container_registry.fail',
-            'azurerm_container_registry.fail2'
         }
         skipped_resources = {}
 
@@ -39,4 +38,4 @@ def test(self):
 
 
 if __name__ == '__main__':
-    unittest.main()
+    unittest.main()