From 7e0d3739456cf13bfc28bb1a1056317de5125546 Mon Sep 17 00:00:00 2001
From: Tomer Aviassaf
Date: Mon, 8 Jul 2024 09:43:57 +0300
Subject: [PATCH 1/5] add basic checks

---
...rkspaceAdministratorLoginPasswordHidden.py | 35 ++++++
.../resource/SynapseWorkspaceCMKEncryption.py | 23 ++++
.../fail.json | 60 ++++++++++
.../pass.json | 51 +++++++++
.../fail.json | 68 ++++++++++++
.../pass.json | 103 ++++++++++++++++++
...rkspaceAdministratorLoginPasswordHidden.py | 26 +++++
.../test_SynapseWorkspaceCMKEncryption.py | 26 +++++
8 files changed, 392 insertions(+)
create mode 100644 checkov/arm/checks/resource/SynapseWorkspaceAdministratorLoginPasswordHidden.py
create mode 100644 checkov/arm/checks/resource/SynapseWorkspaceCMKEncryption.py
create mode 100644 tests/arm/checks/resource/example_SynapseWorkspaceAdministratorLoginPasswordHidden/fail.json
create mode 100644 tests/arm/checks/resource/example_SynapseWorkspaceAdministratorLoginPasswordHidden/pass.json
create mode 100644 tests/arm/checks/resource/example_SynapseWorkspaceCMKEncryption/fail.json
create mode 100644 tests/arm/checks/resource/example_SynapseWorkspaceCMKEncryption/pass.json
create mode 100644 tests/arm/checks/resource/test_SynapseWorkspaceAdministratorLoginPasswordHidden.py
create mode 100644 tests/arm/checks/resource/test_SynapseWorkspaceCMKEncryption.py
diff --git a/checkov/arm/checks/resource/SynapseWorkspaceAdministratorLoginPasswordHidden.py b/checkov/arm/checks/resource/SynapseWorkspaceAdministratorLoginPasswordHidden.py
new file mode 100644
index 00000000000..2d0f5dd8ac4
--- /dev/null
+++ b/checkov/arm/checks/resource/SynapseWorkspaceAdministratorLoginPasswordHidden.py
@@ -0,0 +1,35 @@ +from __future__ import annotations + +from typing import Any + +from checkov.common.models.enums import CheckResult, CheckCategories +from checkov.arm.base_resource_check import BaseResourceCheck + + +class SynapseWorkspaceAdministratorLoginPasswordHidden(BaseResourceCheck): + def __init__(self) -> None: + name = "Ensure Azure Synapse Workspace administrator login password is not exposed" + id = "CKV_AZURE_239" + supported_resources = ['Microsoft.Synapse/workspaces'] + categories = [CheckCategories.SECRETS] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + + def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: + # if "properties" in conf: + # if conf["properties"]: + # if 'encryption' in conf["properties"]: + # if 'encryption' in conf["properties"]: + # if 'cmk' in conf["properties"]['encryption']: + # return CheckResult.PASSED + # return CheckResult.FAILED + if "resources" in conf: + if conf["resources"]: + for resource in conf["resources"]: + if "parameters" in resource: + if ("sqlAdministratorLoginPassword" in resource["parameters"]): + return CheckResult.FAILED + return CheckResult.PASSED + + +check = SynapseWorkspaceAdministratorLoginPasswordHidden() \ No newline at end of file diff --git a/checkov/arm/checks/resource/SynapseWorkspaceCMKEncryption.py b/checkov/arm/checks/resource/SynapseWorkspaceCMKEncryption.py new file mode 100644 index 00000000000..48ed63b4cb5 --- /dev/null +++ b/checkov/arm/checks/resource/SynapseWorkspaceCMKEncryption.py 
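Review bot: scan_resource_conf looks for `sqlAdministratorLoginPassword` under `conf["resources"][*]["parameters"]`, but the fixture committed alongside it places the password at `properties.sqlAdministratorLoginPassword` of the workspace resource, so as written neither fixture appears to reach the FAILED branch and the check returns PASSED for everything. The condition also fails on mere presence of the key, which would flag the recommended pattern — a `[parameters('…')]` reference backed by a `securestring` — as an exposure; what is worth failing is a literal value, roughly `password = (conf.get("properties") or {}).get("sqlAdministratorLoginPassword")` followed by `return CheckResult.FAILED if isinstance(password, str) and not password.startswith("[") else CheckResult.PASSED`. `id = "CKV_AZURE_239"` is also assigned to SynapseWorkspaceCMKEncryption in this same commit, so one of the two needs a fresh number. The commented-out block copied from the CMK check should be removed, and a docstring stating which property path is inspected would help the next maintainer.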
@@ -0,0 +1,23 @@ +from checkov.arm.base_resource_check import BaseResourceCheck +from checkov.common.models.enums import CheckResult, CheckCategories + + +class SynapseWorkspaceCMKEncryption(BaseResourceCheck): + def __init__(self): + name = "Ensure Azure Synapse Workspace is encrypted with a CMK" + id = "CKV_AZURE_239" + supported_resources = ['Microsoft.Synapse/workspaces'] + categories = [CheckCategories.NETWORKING] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf) -> CheckResult: + if "properties" in conf: + if conf["properties"]: + if 'encryption' in conf["properties"]: + if 'encryption' in conf["properties"]: + if 'cmk' in conf["properties"]['encryption']: + return CheckResult.PASSED + return CheckResult.FAILED + + +check = SynapseWorkspaceCMKEncryption() \ No newline at end of file diff --git a/tests/arm/checks/resource/example_SynapseWorkspaceAdministratorLoginPasswordHidden/fail.json b/tests/arm/checks/resource/example_SynapseWorkspaceAdministratorLoginPasswordHidden/fail.json new file mode 100644 index 00000000000..43cc4ec43b4 --- /dev/null +++ b/tests/arm/checks/resource/example_SynapseWorkspaceAdministratorLoginPasswordHidden/fail.json 
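Review bot: The check passes as soon as an `encryption.cmk` key exists, so `"encryption": {"cmk": {}}` or a cmk block with no key reference is reported as CMK-encrypted; require the key itself, e.g. `cmk = (conf.get("properties") or {}).get("encryption", {}).get("cmk") or {}` and `return CheckResult.PASSED if cmk.get("key") else CheckResult.FAILED`. `id = "CKV_AZURE_239"` collides with the id given to SynapseWorkspaceAdministratorLoginPasswordHidden in the same commit. `CheckCategories.NETWORKING` is the wrong bucket for a customer-managed-key check — ENCRYPTION fits — and the nested `if 'encryption' in conf["properties"]` is written twice. The file also lacks the `from __future__ import annotations` and type hints its sibling check uses; a one-line docstring naming `properties.encryption.cmk.key` as the inspected path would be good.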
@@ -0,0 +1,60 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Synapse/workspaces", + "apiVersion": "2021-06-01", + "name": "[parameters('workspaceName')]", + "location": "[parameters('location')]", + "properties": { + "defaultDataLakeStorage": { + "accountUrl": "[parameters('storageAccountUrl')]", + "filesystem": "[parameters('filesystem')]" + }, + "sqlAdministratorLogin": "[parameters('sqlAdministratorLogin')]", + "sqlAdministratorLoginPassword": { + "value": "[parameters('sqlAdministratorLoginPassword')]" + } + } + } + ], + "parameters": { + "workspaceName": { + "type": "string", + "metadata": { + "description": "Name of the Synapse workspace" + } + }, + "location": { + "type": "string", + "metadata": { + "description": "Location for the Synapse workspace" + } + }, + "storageAccountUrl": { + "type": "string", + "metadata": { + "description": "URL of the default Data Lake Storage account" + } + }, + "filesystem": { + "type": "string", + "metadata": { + "description": "Filesystem name in the Data Lake Storage account" + } + }, + "sqlAdministratorLogin": { + "type": "string", + "metadata": { + "description": "SQL administrator login name" + } + }, + "sqlAdministratorLoginPassword": { + "type": "securestring", + "metadata": { + "description": "SQL administrator login password" + } + } + } +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_SynapseWorkspaceAdministratorLoginPasswordHidden/pass.json b/tests/arm/checks/resource/example_SynapseWorkspaceAdministratorLoginPasswordHidden/pass.json new file mode 100644 index 00000000000..821248ca556 --- /dev/null +++ b/tests/arm/checks/resource/example_SynapseWorkspaceAdministratorLoginPasswordHidden/pass.json 
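Review bot: This "fail" fixture supplies the password as `[parameters('sqlAdministratorLoginPassword')]` backed by a `securestring` parameter, which is exactly how an ARM template should pass a secret, so the test pins the check to flag the safe pattern rather than an exposed one. The fixture that ought to fail is one with a literal, e.g. `"sqlAdministratorLoginPassword": "P@ssw0rd123"`, and this securestring variant belongs next to pass.json as a second passing case. The value is also wrapped as `{"value": "[parameters(...)]"}`; the Synapse workspace schema takes `sqlAdministratorLoginPassword` as a plain string, so this shape likely does not deploy — worth confirming before relying on it as a fixture.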
@@ -0,0 +1,51 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Synapse/workspaces", + "apiVersion": "2021-06-01", + "name": "[parameters('workspaceName')]", + "location": "[parameters('location')]", + "properties": { + "defaultDataLakeStorage": { + "accountUrl": "[parameters('storageAccountUrl')]", + "filesystem": "[parameters('filesystem')]" + }, + "sqlAdministratorLogin": "[parameters('sqlAdministratorLogin')]" + } + } + ], + "parameters": { + "workspaceName": { + "type": "string", + "metadata": { + "description": "Name of the Synapse workspace" + } + }, + "location": { + "type": "string", + "metadata": { + "description": "Location for the Synapse workspace" + } + }, + "storageAccountUrl": { + "type": "string", + "metadata": { + "description": "URL of the default Data Lake Storage account" + } + }, + "filesystem": { + "type": "string", + "metadata": { + "description": "Filesystem name in the Data Lake Storage account" + } + }, + "sqlAdministratorLogin": { + "type": "string", + "metadata": { + "description": "SQL administrator login name" + } + } + } +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_SynapseWorkspaceCMKEncryption/fail.json b/tests/arm/checks/resource/example_SynapseWorkspaceCMKEncryption/fail.json new file mode 100644 index 00000000000..de321703226 --- /dev/null +++ b/tests/arm/checks/resource/example_SynapseWorkspaceCMKEncryption/fail.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Synapse/workspaces", + "apiVersion": "2021-06-01", + "name": "[parameters('workspaceName')]", + "location": "[parameters('location')]", + "properties": { + "defaultDataLakeStorage": { + "accountUrl": "[parameters('storageAccountUrl')]", + "filesystem": "[parameters('fileSystem')]" + }, + "sqlAdministratorLogin": "[parameters('sqlAdministratorLogin')]", + "sqlAdministratorLoginPassword": { + "value": "[parameters('sqlAdministratorLoginPassword')]" + }, + "managedVirtualNetwork": "[parameters('managedVirtualNetwork')]" + } + } + ], + "parameters": { + "workspaceName": { + "type": "string", + "metadata": { + "description": "Name of the Synapse workspace." + } + }, + "location": { + "type": "string", + "metadata": { + "description": "Location of the Synapse workspace." + } + }, + "storageAccountUrl": { + "type": "string", + "metadata": { + "description": "URL of the default Data Lake Storage account." + } + }, + "fileSystem": { + "type": "string", + "metadata": { + "description": "File system name of the default Data Lake Storage account." + } + }, + "sqlAdministratorLogin": { + "type": "string", + "metadata": { + "description": "SQL administrator login name." + } + }, + "sqlAdministratorLoginPassword": { + "type": "securestring", + "metadata": { + "description": "SQL administrator login password." + } + }, + "managedVirtualNetwork": { + "type": "string", + "defaultValue": "default", + "metadata": { + "description": "Managed Virtual Network name." + } + } + } +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_SynapseWorkspaceCMKEncryption/pass.json b/tests/arm/checks/resource/example_SynapseWorkspaceCMKEncryption/pass.json new file mode 100644 index 00000000000..0427c914271 --- /dev/null 
+++ b/tests/arm/checks/resource/example_SynapseWorkspaceCMKEncryption/pass.json 
@@ -0,0 +1,103 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Synapse/workspaces", + "apiVersion": "2021-06-01", + "name": "[parameters('workspaceName')]", + "location": "[parameters('location')]", + "properties": { + "defaultDataLakeStorage": { + "accountUrl": "[parameters('storageAccountUrl')]", + "filesystem": "[parameters('fileSystem')]" + }, + "sqlAdministratorLogin": "[parameters('sqlAdministratorLogin')]", + "sqlAdministratorLoginPassword": { + "value": "[parameters('sqlAdministratorLoginPassword')]" + }, + "managedVirtualNetwork": "[parameters('managedVirtualNetwork')]", + "encryption": { + "cmk": { + "key": { + "name": "[parameters('keyName')]", + "vaultBaseUrl": "[parameters('keyVaultUrl')]" + }, + "identity": { + "userAssignedIdentity": "[parameters('userAssignedIdentityResourceId')]" + } + } + } + }, + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + } + } + ], + "parameters": { + "workspaceName": { + "type": "string", + "metadata": { + "description": "Name of the Synapse workspace." + } + }, + "location": { + "type": "string", + "metadata": { + "description": "Location of the Synapse workspace." + } + }, + "storageAccountUrl": { + "type": "string", + "metadata": { + "description": "URL of the default Data Lake Storage account." + } + }, + "fileSystem": { + "type": "string", + "metadata": { + "description": "File system name of the default Data Lake Storage account." + } + }, + "sqlAdministratorLogin": { + "type": "string", + "metadata": { + "description": "SQL administrator login name." + } + }, + "sqlAdministratorLoginPassword": { + "type": "securestring", + "metadata": { + "description": "SQL administrator login password." 
+ } + }, + "managedVirtualNetwork": { + "type": "string", + "defaultValue": "default", + "metadata": { + "description": "Managed Virtual Network name." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "The name of the customer-managed key." + } + }, + "keyVaultUrl": { + "type": "string", + "metadata": { + "description": "The URL of the Key Vault containing the customer-managed key." + } + }, + "userAssignedIdentityResourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the user-assigned managed identity." + } + } + } +} \ No newline at end of file diff --git a/tests/arm/checks/resource/test_SynapseWorkspaceAdministratorLoginPasswordHidden.py b/tests/arm/checks/resource/test_SynapseWorkspaceAdministratorLoginPasswordHidden.py new file mode 100644 index 00000000000..d62352ea458 --- /dev/null +++ b/tests/arm/checks/resource/test_SynapseWorkspaceAdministratorLoginPasswordHidden.py @@ -0,0 +1,26 @@ +import os +import unittest + +from checkov.arm.checks.resource.SynapseWorkspaceAdministratorLoginPasswordHidden import check +from checkov.arm.runner import Runner +from checkov.runner_filter import RunnerFilter + + +class TestSynapseWorkspaceAdministratorLoginPasswordHidden(unittest.TestCase): + + def test_summary(self): + runner = Runner() + current_dir = os.path.dirname(os.path.realpath(__file__)) + + test_files_dir = current_dir + "/example_SynapseWorkspaceAdministratorLoginPasswordHidden" + report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id])) + summary = report.get_summary() + + self.assertEqual(summary['passed'], 1) + self.assertEqual(summary['failed'], 1) + self.assertEqual(summary['skipped'], 0) + self.assertEqual(summary['parsing_errors'], 0) + + +if __name__ == '__main__': + unittest.main() 
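Review bot: `RunnerFilter(checks=[check.id])` filters on `CKV_AZURE_239`, which this commit assigns to both SynapseWorkspaceAdministratorLoginPasswordHidden and SynapseWorkspaceCMKEncryption; if the registry accepts both registrations, the CMK check also runs against these fixtures, and pass.json (no `encryption` block) would add a failure that breaks `summary['failed'] == 1`. Giving the two checks distinct ids is the real fix. It would also be worth asserting which resource the failure is reported on (e.g. via `report.failed_checks`) so a miscount from another check cannot be masked, and `os.path.join(current_dir, "example_SynapseWorkspaceAdministratorLoginPasswordHidden")` is the portable form of the path concatenation.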
diff --git a/tests/arm/checks/resource/test_SynapseWorkspaceCMKEncryption.py b/tests/arm/checks/resource/test_SynapseWorkspaceCMKEncryption.py new file mode 100644 index 00000000000..129c5f1b53c --- /dev/null +++ b/tests/arm/checks/resource/test_SynapseWorkspaceCMKEncryption.py @@ -0,0 +1,26 @@ +import os +import unittest + +from checkov.arm.checks.resource.SynapseWorkspaceCMKEncryption import check +from checkov.arm.runner import Runner +from checkov.runner_filter import RunnerFilter + + +class TestSynapseWorkspaceCMKEncryption(unittest.TestCase): + + def test_summary(self): + runner = Runner() + current_dir = os.path.dirname(os.path.realpath(__file__)) + + test_files_dir = current_dir + "/example_SynapseWorkspaceCMKEncryption" + report = runner.run(root_folder=test_files_dir,runner_filter=RunnerFilter(checks=[check.id])) + summary = report.get_summary() + + self.assertEqual(summary['passed'], 1) + self.assertEqual(summary['failed'], 1) + self.assertEqual(summary['skipped'], 0) + self.assertEqual(summary['parsing_errors'], 0) + + +if __name__ == '__main__': + unittest.main() \ No newline at end of file From 5fc2fbc41df8953d9db02a90763e328d866642ac Mon Sep 17 00:00:00 2001 
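Review bot: Same id-collision caveat as the sibling test: with both new checks registered under `CKV_AZURE_239`, `RunnerFilter(checks=[check.id])` may run the password check here as well and perturb the 1 pass / 1 fail counts the assertions expect. Asserting on the resource of the reported failure rather than only on the summary counts would make the test robust to that, and `os.path.join` is preferable to `current_dir + "/example_…"`. The file is also missing its trailing newline.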
From: Tomer Aviassaf
Date: Mon, 8 Jul 2024 11:27:31 +0300
Subject: [PATCH 2/5] add graph checks

---
...SynapseLogMonitoringEnabledForSQLPool.yaml | 39 +++++
.../SynapseSQLPoolHasSecurityAlertPolicy.yaml | 24 +++
...apseSQLPoolHasVulnerabilityAssessment.yaml | 30 ++++
.../SynapseWorkspaceHasExtendedAuditLogs.yaml | 24 +++
.../expected.yaml | 7 +
.../fail.json | 80 +++++++++
.../pass.json | 80 +++++++++
.../expected.yaml | 7 +
.../fail.json | 57 +++++++
.../fail2.json | 39 +++++
.../pass.json | 62 +++++++
.../expected.yaml | 7 +
.../fail.json | 114 +++++++++++++
.../fail2.json | 156 ++++++++++++++++++
.../pass.json | 156 ++++++++++++++++++
.../expected.yaml | 7 +
.../fail.json | 14 ++
.../fail2.json | 54 ++++++
.../pass.json | 54 ++++++
.../checks/test_yaml_policies.py | 12 ++
20 files changed, 1023 insertions(+)
create mode 100644 checkov/arm/checks/graph_checks/SynapseLogMonitoringEnabledForSQLPool.yaml
create mode 100644 checkov/arm/checks/graph_checks/SynapseSQLPoolHasSecurityAlertPolicy.yaml
create mode 100644 checkov/arm/checks/graph_checks/SynapseSQLPoolHasVulnerabilityAssessment.yaml
create mode 100644 checkov/arm/checks/graph_checks/SynapseWorkspaceHasExtendedAuditLogs.yaml
create mode 100644 tests/arm/graph_builder/checks/resources/SynapseLogMonitoringEnabledForSQLPool/expected.yaml
create mode 100644 tests/arm/graph_builder/checks/resources/SynapseLogMonitoringEnabledForSQLPool/fail.json
create mode 100644 tests/arm/graph_builder/checks/resources/SynapseLogMonitoringEnabledForSQLPool/pass.json
create mode 100644 tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/expected.yaml
create mode 100644 tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/fail.json
create mode 100644 tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/fail2.json
create mode 100644 tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/pass.json
create mode 100644 tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/expected.yaml
create mode 100644 tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/fail.json
create mode 100644 tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/fail2.json
create mode 100644 tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/pass.json
create mode 100644 tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/expected.yaml
create mode 100644 tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/fail.json
create mode 100644 tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/fail2.json
create mode 100644 tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/pass.json
diff --git a/checkov/arm/checks/graph_checks/SynapseLogMonitoringEnabledForSQLPool.yaml b/checkov/arm/checks/graph_checks/SynapseLogMonitoringEnabledForSQLPool.yaml
new file mode 100644
index 00000000000..510aaab474b
--- /dev/null
+++ b/checkov/arm/checks/graph_checks/SynapseLogMonitoringEnabledForSQLPool.yaml
@@ -0,0 +1,39 @@ +metadata: + id: "CKV2_AZURE_54" + name: "Ensure log monitoring is enabled for Synapse SQL Pool" + category: "LOGGING" + +definition: + and: + - cond_type: connection + resource_types: + - Microsoft.Synapse/workspaces/sqlPools + connected_resource_types: + - Microsoft.Synapse/workspaces/sqlPools/auditingSettings + operator: exists + - cond_type: filter + attribute: resource_type + value: + - Microsoft.Synapse/workspaces/sqlPools + operator: within + + - or: + - and: + - cond_type: attribute + resource_types: + - Microsoft.Synapse/workspaces/sqlPools/auditingSettings + attribute: state + operator: exists + + - cond_type: attribute + resource_types: + - Microsoft.Synapse/workspaces/sqlPools/auditingSettings + attribute: state + operator: equals + value: Enabled + + - cond_type: attribute + resource_types: + - Microsoft.Synapse/workspaces/sqlPools/auditingSettings + attribute: state + operator: not_exists \ No newline at end of file diff --git a/checkov/arm/checks/graph_checks/SynapseSQLPoolHasSecurityAlertPolicy.yaml b/checkov/arm/checks/graph_checks/SynapseSQLPoolHasSecurityAlertPolicy.yaml new file mode 100644 index 00000000000..1763b01b9e8 --- /dev/null +++ b/checkov/arm/checks/graph_checks/SynapseSQLPoolHasSecurityAlertPolicy.yaml @@ -0,0 +1,24 @@ +metadata: + id: "CKV2_AZURE_51" + name: "Ensure Synapse SQL Pool has a security alert policy" + category: "GENERAL_SECURITY" + +definition: + and: + - cond_type: connection + resource_types: + - Microsoft.Synapse/workspaces/sqlPools + connected_resource_types: + - Microsoft.Sql/servers/securityAlertPolicies + operator: exists + - cond_type: attribute + resource_types: + - Microsoft.Sql/servers/securityAlertPolicies + attribute: 'state' + operator: equals + value: 'Enabled' + - cond_type: filter + attribute: resource_type + value: + - Microsoft.Synapse/workspaces/sqlPools + operator: within \ No newline at end of file 
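Review bot: The `or` arm `attribute: state / operator: not_exists` makes an auditingSettings resource that omits `state` pass, and the preceding `exists` condition is subsumed by `equals: Enabled`; unless a missing state is deliberately treated as enabled, drop the `not_exists` arm and keep only the `equals` condition. The fail.json committed for this policy differs from pass.json solely in `isAzureMonitorTargetEnabled` (false vs true), a property this definition never reads, while both set `state: Enabled`, so the fixture pair cannot currently distinguish the two outcomes. The copied expected.yaml addresses keys as `properties/publicNetworkAccess`, which suggests the ARM graph exposes resource properties under a `properties.` prefix; if so, `attribute: state` should be `attribute: properties.state` here and in the other three new policies — please confirm against an existing ARM graph check.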
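Review bot: The connection is drawn from `Microsoft.Synapse/workspaces/sqlPools` to `Microsoft.Sql/servers/securityAlertPolicies`, which is the Azure SQL *server* child type; a dedicated SQL pool's alert policy is the Synapse child type `Microsoft.Synapse/workspaces/sqlPools/securityAlertPolicies`, and the fixtures only tie the two together through a hand-written `dependsOn`. Use the Synapse type in both `connected_resource_types` and the attribute condition (or list both types if cross-provider coverage is intended). The same `properties.state` attribute-path caveat as in the auditing policy applies to `attribute: 'state'` here.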
diff --git a/checkov/arm/checks/graph_checks/SynapseSQLPoolHasVulnerabilityAssessment.yaml b/checkov/arm/checks/graph_checks/SynapseSQLPoolHasVulnerabilityAssessment.yaml new file mode 100644 index 00000000000..b4de946b5af --- /dev/null +++ b/checkov/arm/checks/graph_checks/SynapseSQLPoolHasVulnerabilityAssessment.yaml @@ -0,0 +1,30 @@ +metadata: + id: "CKV2_AZURE_52" + name: "Ensure Synapse SQL Pool has vulnerability assessment attached" + category: "GENERAL_SECURITY" + +definition: + and: + - resource_types: + - Microsoft.Synapse/workspaces/sqlPools + connected_resource_types: + - Microsoft.Sql/servers/securityAlertPolicies + operator: exists + cond_type: connection + - resource_types: + - Microsoft.Sql/servers/securityAlertPolicies + connected_resource_types: + - Microsoft.Sql/servers/vulnerabilityAssessments + operator: exists + cond_type: connection + - cond_type: attribute + resource_types: + - Microsoft.Sql/servers/vulnerabilityAssessments + attribute: 'recurring_scans.*.enabled' + operator: equals + value: true + - cond_type: filter + attribute: resource_type + value: + - Microsoft.Sql/servers/securityAlertPolicies + operator: within \ No newline at end of file diff --git a/checkov/arm/checks/graph_checks/SynapseWorkspaceHasExtendedAuditLogs.yaml b/checkov/arm/checks/graph_checks/SynapseWorkspaceHasExtendedAuditLogs.yaml new file mode 100644 index 00000000000..f58bae025a9 --- /dev/null +++ b/checkov/arm/checks/graph_checks/SynapseWorkspaceHasExtendedAuditLogs.yaml 
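Review bot: The final `filter` selects `Microsoft.Sql/servers/securityAlertPolicies`, so the policy is evaluated on alert-policy resources rather than on SQL pools; a pool with no alert policy at all (the fail2 fixture this commit adds) is never evaluated and cannot fail. The filter should be `Microsoft.Synapse/workspaces/sqlPools`, with the connected types pointing at the Synapse child resources (`…/sqlPools/securityAlertPolicies`, `…/sqlPools/vulnerabilityAssessments`) rather than the `Microsoft.Sql/servers/*` ones. `recurring_scans.*.enabled` is the Terraform attribute spelling; in an ARM template the property is `properties.recurringScans.isEnabled`, so the `equals: true` condition will not match a real vulnerabilityAssessments resource.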
@@ -0,0 +1,24 @@ +metadata: + id: "CKV2_AZURE_53" + name: "Ensure Azure Synapse Workspace has extended audit logs" + category: "LOGGING" + +definition: + and: + - cond_type: filter + attribute: resource_type + value: + - Microsoft.Synapse/workspaces + operator: within + - cond_type: connection + resource_types: + - Microsoft.Synapse/workspaces + connected_resource_types: + - Microsoft.Synapse/workspaces/extendedAuditingPolicies + operator: exists + - cond_type: attribute + resource_types: + - Microsoft.Synapse/workspaces/extendedAuditingPolicies + attribute: 'state' + operator: equals + value: 'Enabled' \ No newline at end of file diff --git a/tests/arm/graph_builder/checks/resources/SynapseLogMonitoringEnabledForSQLPool/expected.yaml b/tests/arm/graph_builder/checks/resources/SynapseLogMonitoringEnabledForSQLPool/expected.yaml new file mode 100644 index 00000000000..6cc0925b453 --- /dev/null +++ b/tests/arm/graph_builder/checks/resources/SynapseLogMonitoringEnabledForSQLPool/expected.yaml @@ -0,0 +1,7 @@ +pass: + - "Microsoft.MachineLearningServices/workspaces.pass" + - "Microsoft.MachineLearningServices/workspaces.pass2" +fail: + - "Microsoft.MachineLearningServices/workspaces.fail" +evaluated_keys: + - 'properties/publicNetworkAccess' diff --git a/tests/arm/graph_builder/checks/resources/SynapseLogMonitoringEnabledForSQLPool/fail.json b/tests/arm/graph_builder/checks/resources/SynapseLogMonitoringEnabledForSQLPool/fail.json new file mode 100644 index 00000000000..931ba95bb9f --- /dev/null +++ b/tests/arm/graph_builder/checks/resources/SynapseLogMonitoringEnabledForSQLPool/fail.json 
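Review bot: `Microsoft.Synapse/workspaces/extendedAuditingPolicies` mirrors the Terraform resource name (`azurerm_synapse_workspace_extended_auditing_policy`); the ARM child type is, as far as I can tell, `Microsoft.Synapse/workspaces/extendedAuditingSettings` (singleton named `default`), so the connection condition would never match a deployable template — please verify against the Synapse ARM schema before merging. As with the other new policies, `attribute: 'state'` is likely `properties.state` in the ARM graph, and a `connected_resource_types` entry without a `state` at all currently falls through to FAILED, which is the right default here.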
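Review bot: This expected.yaml is copied verbatim from a MachineLearningServices test: the pass/fail entries name `Microsoft.MachineLearningServices/workspaces.pass`, `.pass2` and `.fail`, and `evaluated_keys` is `properties/publicNetworkAccess`, none of which exist in the sibling fixtures, so the test harness cannot match any resource. The entries should name the SQL pool resources from pass.json/fail.json in whatever `<type>.<name>` form the ARM graph uses for ids, with `evaluated_keys` pointing at the auditing `state` path; there is also no second passing resource to justify a `pass2` entry.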
@@ -0,0 +1,80 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Synapse/workspaces/sqlPools", + "apiVersion": "2021-06-01", + "name": "[concat(parameters('workspaceName'), '/', parameters('sqlPoolName'))]", + "location": "[parameters('location')]", + "properties": { + "collation": "SQL_Latin1_General_CP1_CI_AS", + "maxSizeBytes": "2147483648", + "sku": { + "name": "DW100c", + "tier": "DataWarehouse" + } + } + }, + { + "type": "Microsoft.Synapse/workspaces/sqlPools/auditingSettings", + "apiVersion": "2021-06-01", + "name": "[concat(parameters('workspaceName'), '/', parameters('sqlPoolName'), '/default')]", + "dependsOn": [ + "[resourceId('Microsoft.Synapse/workspaces/sqlPools', parameters('workspaceName'), parameters('sqlPoolName'))]" + ], + "properties": { + "state": "Enabled", + "auditActionsAndGroups": [ + "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP", + "FAILED_DATABASE_AUTHENTICATION_GROUP", + "BATCH_COMPLETED_GROUP" + ], + "isAzureMonitorTargetEnabled": false, + "retentionDays": 90, + "storageAccountSubscriptionId": "[parameters('storageAccountSubscriptionId')]", + "storageAccountResourceGroupName": "[parameters('storageAccountResourceGroupName')]", + "storageAccountName": "[parameters('storageAccountName')]", + "isStorageSecondaryKeyInUse": false + } + } + ], + "parameters": { + "workspaceName": { + "type": "string", + "metadata": { + "description": "The name of the Synapse workspace." + } + }, + "sqlPoolName": { + "type": "string", + "metadata": { + "description": "The name of the SQL pool." + } + }, + "location": { + "type": "string", + "metadata": { + "description": "The location of the Synapse workspace." + } + }, + "storageAccountSubscriptionId": { + "type": "string", + "metadata": { + "description": "The subscription ID of the storage account for auditing logs." 
+ } + }, + "storageAccountResourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group name of the storage account for auditing logs." + } + }, + "storageAccountName": { + "type": "string", + "metadata": { + "description": "The name of the storage account for auditing logs." + } + } + } +} \ No newline at end of file diff --git a/tests/arm/graph_builder/checks/resources/SynapseLogMonitoringEnabledForSQLPool/pass.json b/tests/arm/graph_builder/checks/resources/SynapseLogMonitoringEnabledForSQLPool/pass.json new file mode 100644 index 00000000000..2c54d261560 --- /dev/null +++ b/tests/arm/graph_builder/checks/resources/SynapseLogMonitoringEnabledForSQLPool/pass.json 
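Review bot: fail.json is meant to fail CKV2_AZURE_54 but its auditingSettings resource carries `"state": "Enabled"`, the only property the policy reads; the sole difference from pass.json is `"isAzureMonitorTargetEnabled": false`, which the policy never inspects. Either set `"state": "Disabled"` here (and add a second fixture with no auditingSettings resource at all, which is the more common real-world omission) or extend the policy to require Azure Monitor as a target — as committed the pair cannot separate pass from fail.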
@@ -0,0 +1,80 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Synapse/workspaces/sqlPools", + "apiVersion": "2021-06-01", + "name": "[concat(parameters('workspaceName'), '/', parameters('sqlPoolName'))]", + "location": "[parameters('location')]", + "properties": { + "collation": "SQL_Latin1_General_CP1_CI_AS", + "maxSizeBytes": "2147483648", + "sku": { + "name": "DW100c", + "tier": "DataWarehouse" + } + } + }, + { + "type": "Microsoft.Synapse/workspaces/sqlPools/auditingSettings", + "apiVersion": "2021-06-01", + "name": "[concat(parameters('workspaceName'), '/', parameters('sqlPoolName'), '/default')]", + "dependsOn": [ + "[resourceId('Microsoft.Synapse/workspaces/sqlPools', parameters('workspaceName'), parameters('sqlPoolName'))]" + ], + "properties": { + "state": "Enabled", + "auditActionsAndGroups": [ + "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP", + "FAILED_DATABASE_AUTHENTICATION_GROUP", + "BATCH_COMPLETED_GROUP" + ], + "isAzureMonitorTargetEnabled": true, + "retentionDays": 90, + "storageAccountSubscriptionId": "[parameters('storageAccountSubscriptionId')]", + "storageAccountResourceGroupName": "[parameters('storageAccountResourceGroupName')]", + "storageAccountName": "[parameters('storageAccountName')]", + "isStorageSecondaryKeyInUse": false + } + } + ], + "parameters": { + "workspaceName": { + "type": "string", + "metadata": { + "description": "The name of the Synapse workspace." + } + }, + "sqlPoolName": { + "type": "string", + "metadata": { + "description": "The name of the SQL pool." + } + }, + "location": { + "type": "string", + "metadata": { + "description": "The location of the Synapse workspace." + } + }, + "storageAccountSubscriptionId": { + "type": "string", + "metadata": { + "description": "The subscription ID of the storage account for auditing logs." 
+ } + }, + "storageAccountResourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group name of the storage account for auditing logs." + } + }, + "storageAccountName": { + "type": "string", + "metadata": { + "description": "The name of the storage account for auditing logs." + } + } + } +} \ No newline at end of file diff --git a/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/expected.yaml b/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/expected.yaml new file mode 100644 index 00000000000..6cc0925b453 --- /dev/null +++ b/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/expected.yaml @@ -0,0 +1,7 @@ +pass: + - "Microsoft.MachineLearningServices/workspaces.pass" + - "Microsoft.MachineLearningServices/workspaces.pass2" +fail: + - "Microsoft.MachineLearningServices/workspaces.fail" +evaluated_keys: + - 'properties/publicNetworkAccess' diff --git a/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/fail.json b/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/fail.json new file mode 100644 index 00000000000..efba85f3252 --- /dev/null +++ b/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/fail.json 
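Review bot: This expected.yaml is the same MachineLearningServices copy-paste as the other three: `Microsoft.MachineLearningServices/workspaces.pass`/`.pass2`/`.fail` and `properties/publicNetworkAccess` do not correspond to anything in the SecurityAlertPolicy fixtures. It should list the `Microsoft.Synapse/workspaces/sqlPools` resource from pass.json under `pass` and the ones from fail.json and fail2.json under `fail`, with `evaluated_keys` naming the alert policy `state` path.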
@@ -0,0 +1,57 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Synapse/workspaces/sqlPools", + "apiVersion": "2021-06-01", + "name": "[concat(parameters('workspaceName'), '/', parameters('sqlPoolName'))]", + "location": "[parameters('location')]", + "properties": { + "sku": { + "name": "[parameters('skuName')]", + "tier": "[parameters('skuTier')]", + "capacity": "[parameters('skuCapacity')]" + } + } + }, + { + "type": "Microsoft.Sql/servers/securityAlertPolicies", + "apiVersion": "2021-11-01", + "name": "[concat(parameters('sqlServerName'), '/', 'Default')]", + "properties": { + "state": "Disabled", + "emailAccountAdmins": false, + "emailAddresses": [], + "disabledAlerts": [], + "retentionDays": 0 + }, + "dependsOn": [ + "[resourceId('Microsoft.Synapse/workspaces/sqlPools', parameters('workspaceName'), parameters('sqlPoolName'))]" + ] + } + ], + "parameters": { + "workspaceName": { + "type": "string" + }, + "sqlPoolName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "skuName": { + "type": "string" + }, + "skuTier": { + "type": "string" + }, + "skuCapacity": { + "type": "int" + }, + "sqlServerName": { + "type": "string" + } + } +} \ No newline at end of file diff --git a/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/fail2.json b/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/fail2.json new file mode 100644 index 00000000000..964f4bdb1f1 --- /dev/null +++ b/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/fail2.json 
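Review bot: The securityAlertPolicies resource is named from `sqlServerName` (`concat(parameters('sqlServerName'), '/', 'Default')`), i.e. a Microsoft.Sql server the template never declares, while `dependsOn` points at the Synapse SQL pool; the only link to the pool is that hand-written edge, so the fixture exercises the graph connection but not a template that would deploy. A Synapse alert policy would be `Microsoft.Synapse/workspaces/sqlPools/securityAlertPolicies` named `<workspace>/<pool>/Default`, which also removes the need for the unused `sqlServerName` parameter.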
@@ -0,0 +1,39 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Synapse/workspaces/sqlPools", + "apiVersion": "2021-06-01", + "name": "[concat(parameters('workspaceName'), '/', parameters('sqlPoolName'))]", + "location": "[parameters('location')]", + "properties": { + "sku": { + "name": "[parameters('skuName')]", + "tier": "[parameters('skuTier')]", + "capacity": "[parameters('skuCapacity')]" + } + } + } + ], + "parameters": { + "workspaceName": { + "type": "string" + }, + "sqlPoolName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "skuName": { + "type": "string" + }, + "skuTier": { + "type": "string" + }, + "skuCapacity": { + "type": "int" + } + } +} \ No newline at end of file diff --git a/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/pass.json b/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/pass.json new file mode 100644 index 00000000000..086ab8646ba --- /dev/null +++ b/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/pass.json 
@@ -0,0 +1,62 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Synapse/workspaces/sqlPools", + "apiVersion": "2021-06-01", + "name": "[concat(parameters('workspaceName'), '/', parameters('sqlPoolName'))]", + "location": "[parameters('location')]", + "properties": { + "sku": { + "name": "[parameters('skuName')]", + "tier": "[parameters('skuTier')]", + "capacity": "[parameters('skuCapacity')]" + } + } + }, + { + "type": "Microsoft.Sql/servers/securityAlertPolicies", + "apiVersion": "2021-11-01", + "name": "[concat(parameters('sqlServerName'), '/', 'Default')]", + "properties": { + "state": "Enabled", + "emailAccountAdmins": true, + "emailAddresses": [ + "[parameters('alertEmail')]" + ], + "disabledAlerts": [], + "retentionDays": 0 + }, + "dependsOn": [ + "[resourceId('Microsoft.Synapse/workspaces/sqlPools', parameters('workspaceName'), parameters('sqlPoolName'))]" + ] + } + ], + "parameters": { + "workspaceName": { + "type": "string" + }, + "sqlPoolName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "skuName": { + "type": "string" + }, + "skuTier": { + "type": "string" + }, + "skuCapacity": { + "type": "int" + }, + "sqlServerName": { + "type": "string" + }, + "alertEmail": { + "type": "string" + } + } +} \ No newline at end of file diff --git a/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/expected.yaml b/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/expected.yaml new file mode 100644 index 00000000000..6cc0925b453 --- /dev/null +++ b/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/expected.yaml 
@@ -0,0 +1,7 @@ +pass: + - "Microsoft.MachineLearningServices/workspaces.pass" + - "Microsoft.MachineLearningServices/workspaces.pass2" +fail: + - "Microsoft.MachineLearningServices/workspaces.fail" +evaluated_keys: + - 'properties/publicNetworkAccess' diff --git a/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/fail.json b/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/fail.json new file mode 100644 index 00000000000..a5349767975 --- /dev/null +++ b/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/fail.json 
@@ -0,0 +1,114 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Synapse/workspaces", + "apiVersion": "2021-06-01", + "name": "[parameters('workspaceName')]", + "location": "[parameters('location')]", + "properties": { + "defaultDataLakeStorage": { + "accountUrl": "[parameters('dataLakeStorageAccountUrl')]", + "filesystem": "[parameters('dataLakeStorageFileSystem')]" + }, + "sqlAdministratorLogin": "[parameters('sqlAdministratorLogin')]", + "sqlAdministratorLoginPassword": "[parameters('sqlAdministratorLoginPassword')]", + "managedVirtualNetwork": "[parameters('managedVirtualNetwork')]", + "managedResourceGroupName": "[parameters('managedResourceGroupName')]" + } + }, + { + "type": "Microsoft.Synapse/workspaces/sqlPools", + "apiVersion": "2021-06-01", + "name": "[concat(parameters('workspaceName'), '/', parameters('sqlPoolName'))]", + "location": "[parameters('location')]", + "properties": { + "sku": { + "name": "[parameters('skuName')]", + "tier": "[parameters('skuTier')]", + "capacity": "[parameters('skuCapacity')]" + }, + "collation": "SQL_Latin1_General_CP1_CI_AS", + "maxSizeBytes": "268435456000" + }, + "dependsOn": [ + "[resourceId('Microsoft.Synapse/workspaces', parameters('workspaceName'))]" + ] + } + ], + "parameters": { + "workspaceName": { + "type": "string", + "metadata": { + "description": "Name of the Synapse workspace" + } + }, + "location": { + "type": "string", + "metadata": { + "description": "Location for the Synapse workspace" + } + }, + "dataLakeStorageAccountUrl": { + "type": "string", + "metadata": { + "description": "URL of the Data Lake Storage account" + } + }, + "dataLakeStorageFileSystem": { + "type": "string", + "metadata": { + "description": "Name of the file system in the Data Lake Storage account" + } + }, + "sqlAdministratorLogin": { + "type": "string", + "metadata": { + "description": "SQL administrator 
login" + } + }, + "sqlAdministratorLoginPassword": { + "type": "securestring", + "metadata": { + "description": "SQL administrator login password" + } + }, + "managedVirtualNetwork": { + "type": "string", + "metadata": { + "description": "Managed virtual network" + } + }, + "managedResourceGroupName": { + "type": "string", + "metadata": { + "description": "Managed resource group name" + } + }, + "sqlPoolName": { + "type": "string", + "metadata": { + "description": "Name of the SQL pool" + } + }, + "skuName": { + "type": "string", + "metadata": { + "description": "SKU name for the SQL pool" + } + }, + "skuTier": { + "type": "string", + "metadata": { + "description": "SKU tier for the SQL pool" + } + }, + "skuCapacity": { + "type": "int", + "metadata": { + "description": "SKU capacity for the SQL pool" + } + } + } +} diff --git a/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/fail2.json b/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/fail2.json new file mode 100644 index 00000000000..ca2fee136fb --- /dev/null +++ b/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/fail2.json 
@@ -0,0 +1,156 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Synapse/workspaces", + "apiVersion": "2021-06-01", + "name": "[parameters('workspaceName')]", + "location": "[parameters('location')]", + "properties": { + "defaultDataLakeStorage": { + "accountUrl": "[parameters('dataLakeStorageAccountUrl')]", + "filesystem": "[parameters('dataLakeStorageFileSystem')]" + }, + "sqlAdministratorLogin": "[parameters('sqlAdministratorLogin')]", + "sqlAdministratorLoginPassword": "[parameters('sqlAdministratorLoginPassword')]", + "managedVirtualNetwork": "[parameters('managedVirtualNetwork')]", + "managedResourceGroupName": "[parameters('managedResourceGroupName')]" + } + }, + { + "type": "Microsoft.Synapse/workspaces/sqlPools", + "apiVersion": "2021-06-01", + "name": "[concat(parameters('workspaceName'), '/', parameters('sqlPoolName'))]", + "location": "[parameters('location')]", + "properties": { + "sku": { + "name": "[parameters('skuName')]", + "tier": "[parameters('skuTier')]", + "capacity": "[parameters('skuCapacity')]" + }, + "collation": "SQL_Latin1_General_CP1_CI_AS", + "maxSizeBytes": "268435456000" + }, + "dependsOn": [ + "[resourceId('Microsoft.Synapse/workspaces', parameters('workspaceName'))]" + ] + }, + { + "type": "Microsoft.Sql/servers/vulnerabilityAssessments", + "apiVersion": "2021-02-01-preview", + "name": "[concat(parameters('workspaceName'), '/', parameters('sqlPoolName'), '/default')]", + "properties": { + "storageContainerPath": "[concat('https://', parameters('storageAccountName'), '.blob.core.windows.net/', parameters('storageContainerName'))]", + "storageAccountAccessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2021-02-01').keys[0].value]", + "recurringScans": { + "isEnabled": false, + "emailSubscriptionAdmins": true + } + }, + "dependsOn": [ + 
"[resourceId('Microsoft.Synapse/workspaces/sqlPools', parameters('workspaceName'), parameters('sqlPoolName'))]" + ] + }, + { + "type": "Microsoft.Sql/servers/securityAlertPolicies", + "apiVersion": "2021-02-01-preview", + "name": "[concat(parameters('workspaceName'), '/', parameters('sqlPoolName'), '/default')]", + "properties": { + "state": "Enabled", + "emailAccountAdmins": true, + "storageEndpoint": "[concat('https://', parameters('storageAccountName'), '.blob.core.windows.net')]", + "storageAccountAccessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2021-02-01').keys[0].value]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Synapse/workspaces/sqlPools', parameters('workspaceName'), parameters('sqlPoolName'))]" + ] + } + ], + "parameters": { + "workspaceName": { + "type": "string", + "metadata": { + "description": "Name of the Synapse workspace" + } + }, + "location": { + "type": "string", + "metadata": { + "description": "Location for the Synapse workspace" + } + }, + "dataLakeStorageAccountUrl": { + "type": "string", + "metadata": { + "description": "URL of the Data Lake Storage account" + } + }, + "dataLakeStorageFileSystem": { + "type": "string", + "metadata": { + "description": "Name of the file system in the Data Lake Storage account" + } + }, + "sqlAdministratorLogin": { + "type": "string", + "metadata": { + "description": "SQL administrator login" + } + }, + "sqlAdministratorLoginPassword": { + "type": "securestring", + "metadata": { + "description": "SQL administrator login password" + } + }, + "managedVirtualNetwork": { + "type": "string", + "metadata": { + "description": "Managed virtual network" + } + }, + "managedResourceGroupName": { + "type": "string", + "metadata": { + "description": "Managed resource group name" + } + }, + "sqlPoolName": { + "type": "string", + "metadata": { + "description": "Name of the SQL pool" + } + }, + "skuName": { + "type": "string", + "metadata": { + "description": 
"SKU name for the SQL pool" + } + }, + "skuTier": { + "type": "string", + "metadata": { + "description": "SKU tier for the SQL pool" + } + }, + "skuCapacity": { + "type": "int", + "metadata": { + "description": "SKU capacity for the SQL pool" + } + }, + "storageAccountName": { + "type": "string", + "metadata": { + "description": "Name of the storage account for vulnerability assessment and security alert logs" + } + }, + "storageContainerName": { + "type": "string", + "metadata": { + "description": "Name of the storage container for vulnerability assessment logs" + } + } + } +} diff --git a/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/pass.json b/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/pass.json new file mode 100644 index 00000000000..363eff3174a --- /dev/null +++ b/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/pass.json 
@@ -0,0 +1,156 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Synapse/workspaces", + "apiVersion": "2021-06-01", + "name": "[parameters('workspaceName')]", + "location": "[parameters('location')]", + "properties": { + "defaultDataLakeStorage": { + "accountUrl": "[parameters('dataLakeStorageAccountUrl')]", + "filesystem": "[parameters('dataLakeStorageFileSystem')]" + }, + "sqlAdministratorLogin": "[parameters('sqlAdministratorLogin')]", + "sqlAdministratorLoginPassword": "[parameters('sqlAdministratorLoginPassword')]", + "managedVirtualNetwork": "[parameters('managedVirtualNetwork')]", + "managedResourceGroupName": "[parameters('managedResourceGroupName')]" + } + }, + { + "type": "Microsoft.Synapse/workspaces/sqlPools", + "apiVersion": "2021-06-01", + "name": "[concat(parameters('workspaceName'), '/', parameters('sqlPoolName'))]", + "location": "[parameters('location')]", + "properties": { + "sku": { + "name": "[parameters('skuName')]", + "tier": "[parameters('skuTier')]", + "capacity": "[parameters('skuCapacity')]" + }, + "collation": "SQL_Latin1_General_CP1_CI_AS", + "maxSizeBytes": "268435456000" + }, + "dependsOn": [ + "[resourceId('Microsoft.Synapse/workspaces', parameters('workspaceName'))]" + ] + }, + { + "type": "Microsoft.Sql/servers/vulnerabilityAssessments", + "apiVersion": "2021-02-01-preview", + "name": "[concat(parameters('workspaceName'), '/', parameters('sqlPoolName'), '/default')]", + "properties": { + "storageContainerPath": "[concat('https://', parameters('storageAccountName'), '.blob.core.windows.net/', parameters('storageContainerName'))]", + "storageAccountAccessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2021-02-01').keys[0].value]", + "recurringScans": { + "isEnabled": true, + "emailSubscriptionAdmins": true + } + }, + "dependsOn": [ + 
"[resourceId('Microsoft.Synapse/workspaces/sqlPools', parameters('workspaceName'), parameters('sqlPoolName'))]" + ] + }, + { + "type": "Microsoft.Sql/servers/securityAlertPolicies", + "apiVersion": "2021-02-01-preview", + "name": "[concat(parameters('workspaceName'), '/', parameters('sqlPoolName'), '/default')]", + "properties": { + "state": "Enabled", + "emailAccountAdmins": true, + "storageEndpoint": "[concat('https://', parameters('storageAccountName'), '.blob.core.windows.net')]", + "storageAccountAccessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2021-02-01').keys[0].value]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Synapse/workspaces/sqlPools', parameters('workspaceName'), parameters('sqlPoolName'))]" + ] + } + ], + "parameters": { + "workspaceName": { + "type": "string", + "metadata": { + "description": "Name of the Synapse workspace" + } + }, + "location": { + "type": "string", + "metadata": { + "description": "Location for the Synapse workspace" + } + }, + "dataLakeStorageAccountUrl": { + "type": "string", + "metadata": { + "description": "URL of the Data Lake Storage account" + } + }, + "dataLakeStorageFileSystem": { + "type": "string", + "metadata": { + "description": "Name of the file system in the Data Lake Storage account" + } + }, + "sqlAdministratorLogin": { + "type": "string", + "metadata": { + "description": "SQL administrator login" + } + }, + "sqlAdministratorLoginPassword": { + "type": "securestring", + "metadata": { + "description": "SQL administrator login password" + } + }, + "managedVirtualNetwork": { + "type": "string", + "metadata": { + "description": "Managed virtual network" + } + }, + "managedResourceGroupName": { + "type": "string", + "metadata": { + "description": "Managed resource group name" + } + }, + "sqlPoolName": { + "type": "string", + "metadata": { + "description": "Name of the SQL pool" + } + }, + "skuName": { + "type": "string", + "metadata": { + "description": 
"SKU name for the SQL pool" + } + }, + "skuTier": { + "type": "string", + "metadata": { + "description": "SKU tier for the SQL pool" + } + }, + "skuCapacity": { + "type": "int", + "metadata": { + "description": "SKU capacity for the SQL pool" + } + }, + "storageAccountName": { + "type": "string", + "metadata": { + "description": "Name of the storage account for vulnerability assessment and security alert logs" + } + }, + "storageContainerName": { + "type": "string", + "metadata": { + "description": "Name of the storage container for vulnerability assessment logs" + } + } + } +} diff --git a/tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/expected.yaml b/tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/expected.yaml new file mode 100644 index 00000000000..6cc0925b453 --- /dev/null +++ b/tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/expected.yaml @@ -0,0 +1,7 @@ +pass: + - "Microsoft.MachineLearningServices/workspaces.pass" + - "Microsoft.MachineLearningServices/workspaces.pass2" +fail: + - "Microsoft.MachineLearningServices/workspaces.fail" +evaluated_keys: + - 'properties/publicNetworkAccess' diff --git a/tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/fail.json b/tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/fail.json new file mode 100644 index 00000000000..e4a273c3416 --- /dev/null +++ b/tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/fail.json @@ -0,0 +1,14 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Synapse/workspaces", + "apiVersion": "2021-06-01-preview", + "name": "exampleSynapseWorkspace", + "location": "[resourceGroup().location]", + "properties": {}, + "resources": [] + } + ] +} 
diff --git a/tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/fail2.json b/tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/fail2.json new file mode 100644 index 00000000000..7e6784db947 --- /dev/null +++ b/tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/fail2.json @@ -0,0 +1,54 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspaceName": { + "type": "string", + "metadata": { + "description": "Name of the Azure Synapse Analytics workspace." + } + }, + "retentionDays": { + "type": "int", + "defaultValue": 90, + "metadata": { + "description": "Number of days to retain audit logs." + } + }, + "auditActionsAndGroups": { + "type": "array", + "defaultValue": [ + "DATA_READ", + "DATA_WRITE", + "DATA_DELETE" + ], + "metadata": { + "description": "Actions and groups to audit." + } + } + }, + "resources": [ + { + "type": "Microsoft.Synapse/workspaces", + "apiVersion": "2021-06-01-preview", + "name": "[parameters('workspaceName')]", + "location": "[resourceGroup().location]", + "properties": {}, + "resources": [ + { + "type": "Microsoft.Synapse/workspaces/extendedAuditingPolicies", + "apiVersion": "2021-06-01-preview", + "name": "[concat(parameters('workspaceName'), '/Default')]", + "dependsOn": [ + "[resourceId('Microsoft.Synapse/workspaces', parameters('workspaceName'))]" + ], + "properties": { + "state": "Disabled", + "retentionDays": "[parameters('retentionDays')]", + "auditActionsAndGroups": "[parameters('auditActionsAndGroups')]" + } + } + ] + } + ] +} diff --git a/tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/pass.json b/tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/pass.json new file mode 100644 index 00000000000..b20808b6d1a --- /dev/null 
+++ b/tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/pass.json @@ -0,0 +1,54 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspaceName": { + "type": "string", + "metadata": { + "description": "Name of the Azure Synapse Analytics workspace." + } + }, + "retentionDays": { + "type": "int", + "defaultValue": 90, + "metadata": { + "description": "Number of days to retain audit logs." + } + }, + "auditActionsAndGroups": { + "type": "array", + "defaultValue": [ + "DATA_READ", + "DATA_WRITE", + "DATA_DELETE" + ], + "metadata": { + "description": "Actions and groups to audit." + } + } + }, + "resources": [ + { + "type": "Microsoft.Synapse/workspaces", + "apiVersion": "2021-06-01-preview", + "name": "[parameters('workspaceName')]", + "location": "[resourceGroup().location]", + "properties": {}, + "resources": [ + { + "type": "Microsoft.Synapse/workspaces/extendedAuditingPolicies", + "apiVersion": "2021-06-01-preview", + "name": "[concat(parameters('workspaceName'), '/Default')]", + "dependsOn": [ + "[resourceId('Microsoft.Synapse/workspaces', parameters('workspaceName'))]" + ], + "properties": { + "state": "Enabled", + "retentionDays": "[parameters('retentionDays')]", + "auditActionsAndGroups": "[parameters('auditActionsAndGroups')]" + } + } + ] + } + ] +} diff --git a/tests/arm/graph_builder/checks/test_yaml_policies.py b/tests/arm/graph_builder/checks/test_yaml_policies.py index e7789d79b5e..18bc6e9d017 100644 --- a/tests/arm/graph_builder/checks/test_yaml_policies.py +++ b/tests/arm/graph_builder/checks/test_yaml_policies.py 
@@ -43,6 +43,18 @@ def test_AzureSpringCloudConfigWithVnet(self): def test_AzureMLWorkspacePublicNetwork(self): self.go("AzureMLWorkspacePublicNetwork") + def test_SynapseLogMonitoringEnabledForSQLPool(self): + self.go("SynapseLogMonitoringEnabledForSQLPool") + + def test_SynapseSQLPoolHasSecurityAlertPolicy(self): + self.go("SynapseSQLPoolHasSecurityAlertPolicy") + + def test_SynapseSQLPoolHasVulnerabilityAssessment(self): + self.go("SynapseSQLPoolHasVulnerabilityAssessment") + + def test_SynapseWorkspaceHasExtendedAuditLogs(self): + self.go("SynapseWorkspaceHasExtendedAuditLogs") + def test_registry_load(self): registry = self.get_checks_registry() self.assertGreater(len(registry.checks), 0) From c71d1c2388048f672ddb226e84bea8b7a1c319c4 Mon Sep 17 00:00:00 2001 From: Tomer Aviassaf Date: Mon, 8 Jul 2024 13:10:56 +0300 Subject: [PATCH 3/5] add teeraform check - Ensure Synapse SQL pools are encrypted --- .../azure/SynapseSQLPoolDataEncryption.py | 19 +++++++++ .../main.tf | 42 +++++++++++++++++++ .../test_SynapseSQLPoolDataEncryption.py | 41 ++++++++++++++++++ 3 files changed, 102 insertions(+) create mode 100644 checkov/terraform/checks/resource/azure/SynapseSQLPoolDataEncryption.py create mode 100644 tests/terraform/checks/resource/azure/example_SynapseSQLPoolDataEncryption/main.tf create mode 100644 tests/terraform/checks/resource/azure/test_SynapseSQLPoolDataEncryption.py diff --git a/checkov/terraform/checks/resource/azure/SynapseSQLPoolDataEncryption.py b/checkov/terraform/checks/resource/azure/SynapseSQLPoolDataEncryption.py new file mode 100644 index 00000000000..22aa6ca4c7d --- /dev/null +++ b/checkov/terraform/checks/resource/azure/SynapseSQLPoolDataEncryption.py 
@@ -0,0 +1,19 @@ +from checkov.common.models.enums import CheckResult, CheckCategories +from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck + + +class SynapseSQLPoolDataEncryption(BaseResourceCheck): + def __init__(self): + name = "Ensure Synapse SQL pools are encrypted" + id = "CKV_AZURE_241" + supported_resources = ['azurerm_synapse_sql_pool'] + categories = [CheckCategories.ENCRYPTION] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf): + if 'data_encrypted' in conf and conf['data_encrypted'][0] == True: + return CheckResult.PASSED + return CheckResult.FAILED + + +check = SynapseSQLPoolDataEncryption() \ No newline at end of file diff --git a/tests/terraform/checks/resource/azure/example_SynapseSQLPoolDataEncryption/main.tf b/tests/terraform/checks/resource/azure/example_SynapseSQLPoolDataEncryption/main.tf new file mode 100644 index 00000000000..103e03e2b1a --- /dev/null +++ b/tests/terraform/checks/resource/azure/example_SynapseSQLPoolDataEncryption/main.tf 
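Review bot: `scan_resource_conf` decides with `conf['data_encrypted'][0] == True`, which also accepts `1` and records no evaluated key, so the finding does not tell the user which attribute was inspected; this is exactly the shape checkov's `BaseResourceValueCheck` exists for. Deriving the class from `BaseResourceValueCheck` and replacing the method with `def get_inspected_key(self) -> str:` returning `"data_encrypted"` should give the same pass/fail outcome (expected value defaults to true and a missing attribute fails) while setting the evaluated key for free. If the class stays on `BaseResourceCheck`, at least set `self.evaluated_keys = ["data_encrypted"]`, compare with `is True`, and add annotations (`-> None`, `conf: dict[str, list[Any]]`, `-> CheckResult`). The file is also missing its trailing newline.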
@@ -0,0 +1,42 @@ +resource "azurerm_resource_group" "example" { + name = "example-resources" + location = "West Europe" +} + +resource "azurerm_synapse_workspace" "azurerm_synapse_workspace_example" { + name = "MyAzureSynapseWorkspace" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.example.id + sql_administrator_login = "sqladminuser" + + identity { + type = "SystemAssigned" + } +} + +resource "azurerm_synapse_sql_pool" "azurerm_synapse_sql_pool_pass" { + name = "examplesqlpool" + data_encrypted = true + synapse_workspace_id = azurerm_synapse_workspace.azurerm_synapse_workspace_example.id + sku_name = "DW100c" + create_mode = "Default" + storage_account_type = "GRS" +} + +resource "azurerm_synapse_sql_pool" "azurerm_synapse_sql_pool_fail_A" { + name = "examplesqlpool" + data_encrypted = false + synapse_workspace_id = azurerm_synapse_workspace.azurerm_synapse_workspace_example.id + sku_name = "DW100c" + create_mode = "Default" + storage_account_type = "GRS" +} + +resource "azurerm_synapse_sql_pool" "azurerm_synapse_sql_pool_fail_B" { + name = "examplesqlpool" + synapse_workspace_id = azurerm_synapse_workspace.azurerm_synapse_workspace_example.id + sku_name = "DW100c" + create_mode = "Default" + storage_account_type = "GRS" +} \ No newline at end of file diff --git a/tests/terraform/checks/resource/azure/test_SynapseSQLPoolDataEncryption.py b/tests/terraform/checks/resource/azure/test_SynapseSQLPoolDataEncryption.py new file mode 100644 index 00000000000..ae7414ff301 --- /dev/null +++ b/tests/terraform/checks/resource/azure/test_SynapseSQLPoolDataEncryption.py 
@@ -0,0 +1,41 @@ +import os +import unittest + +from checkov.runner_filter import RunnerFilter +from checkov.terraform.checks.resource.azure.SynapseSQLPoolDataEncryption import check +from checkov.terraform.runner import Runner + + +class TestSynapseSQLPoolDataEncryption(unittest.TestCase): + def test(self): + runner = Runner() + current_dir = os.path.dirname(os.path.realpath(__file__)) + + test_files_dir = current_dir + "/example_SynapseSQLPoolDataEncryption" + report = runner.run( + root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]) + ) + summary = report.get_summary() + + passing_resources = { + "azurerm_synapse_sql_pool.azurerm_synapse_sql_pool_pass", + } + failing_resources = { + "azurerm_synapse_sql_pool.azurerm_synapse_sql_pool_fail_A", + "azurerm_synapse_sql_pool.azurerm_synapse_sql_pool_fail_B", + } + + passed_check_resources = set([c.resource for c in report.passed_checks]) + failed_check_resources = set([c.resource for c in report.failed_checks]) + + self.assertEqual(summary["passed"], 1) + self.assertEqual(summary["failed"], 2) + self.assertEqual(summary["skipped"], 0) + self.assertEqual(summary["parsing_errors"], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == "__main__": + unittest.main() From 5140ca45c3c9dec31051e152e7ccff84194ac24a Mon Sep 17 00:00:00 2001 
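Review bot: `set([c.resource for c in report.passed_checks])` builds a throwaway list before the set; a set comprehension, `passed_check_resources = {c.resource for c in report.passed_checks}` (and the same for the failed set), is the idiomatic form. The fixture path is assembled with string concatenation, `current_dir + "/example_SynapseSQLPoolDataEncryption"`; `os.path.join(current_dir, "example_SynapseSQLPoolDataEncryption")` keeps it portable. Neither changes what the test asserts.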
From: Tomer Aviassaf Date: Mon, 8 Jul 2024 14:08:04 +0300 Subject: [PATCH 4/5] update graph checks expected files --- .../arm/checks/resource/SynapseWorkspaceCMKEncryption.py | 2 +- .../SynapseLogMonitoringEnabledForSQLPool/expected.yaml | 5 ++--- .../SynapseLogMonitoringEnabledForSQLPool/fail.json | 2 +- .../SynapseLogMonitoringEnabledForSQLPool/pass.json | 2 +- .../SynapseSQLPoolHasSecurityAlertPolicy/expected.yaml | 6 +++--- .../{fail.json => fail1.json} | 2 +- .../SynapseSQLPoolHasSecurityAlertPolicy/fail2.json | 2 +- .../SynapseSQLPoolHasSecurityAlertPolicy/pass.json | 2 +- .../SynapseSQLPoolHasVulnerabilityAssessment/expected.yaml | 6 +++--- .../SynapseSQLPoolHasVulnerabilityAssessment/fail.json | 2 +- .../SynapseSQLPoolHasVulnerabilityAssessment/fail2.json | 2 +- .../SynapseSQLPoolHasVulnerabilityAssessment/pass.json | 2 +- .../SynapseWorkspaceHasExtendedAuditLogs/expected.yaml | 6 +++--- .../{fail.json => fail1.json} | 2 +- .../SynapseWorkspaceHasExtendedAuditLogs/fail2.json | 2 +- .../SynapseWorkspaceHasExtendedAuditLogs/pass.json | 2 +- 16 files changed, 23 insertions(+), 24 deletions(-) rename tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/{fail.json => fail1.json} (94%) rename tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/{fail.json => fail1.json} (89%) diff --git a/checkov/arm/checks/resource/SynapseWorkspaceCMKEncryption.py b/checkov/arm/checks/resource/SynapseWorkspaceCMKEncryption.py index 48ed63b4cb5..b2187f63543 100644 --- a/checkov/arm/checks/resource/SynapseWorkspaceCMKEncryption.py +++ b/checkov/arm/checks/resource/SynapseWorkspaceCMKEncryption.py 
@@ -7,7 +7,7 @@ def __init__(self): name = "Ensure Azure Synapse Workspace is encrypted with a CMK" id = "CKV_AZURE_239" supported_resources = ['Microsoft.Synapse/workspaces'] - categories = [CheckCategories.NETWORKING] + categories = [CheckCategories.ENCRYPTION] super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) def scan_resource_conf(self, conf) -> CheckResult: diff --git a/tests/arm/graph_builder/checks/resources/SynapseLogMonitoringEnabledForSQLPool/expected.yaml b/tests/arm/graph_builder/checks/resources/SynapseLogMonitoringEnabledForSQLPool/expected.yaml index 6cc0925b453..5570e1eda9f 100644 --- a/tests/arm/graph_builder/checks/resources/SynapseLogMonitoringEnabledForSQLPool/expected.yaml +++ b/tests/arm/graph_builder/checks/resources/SynapseLogMonitoringEnabledForSQLPool/expected.yaml @@ -1,7 +1,6 @@ pass: - - "Microsoft.MachineLearningServices/workspaces.pass" - - "Microsoft.MachineLearningServices/workspaces.pass2" + - "Microsoft.Synapse/workspaces/sqlPools.pass" fail: - - "Microsoft.MachineLearningServices/workspaces.fail" + - "Microsoft.Synapse/workspaces/sqlPools.fail" evaluated_keys: - 'properties/publicNetworkAccess' diff --git a/tests/arm/graph_builder/checks/resources/SynapseLogMonitoringEnabledForSQLPool/fail.json b/tests/arm/graph_builder/checks/resources/SynapseLogMonitoringEnabledForSQLPool/fail.json index 931ba95bb9f..04ca5f8f0dc 100644 --- a/tests/arm/graph_builder/checks/resources/SynapseLogMonitoringEnabledForSQLPool/fail.json +++ b/tests/arm/graph_builder/checks/resources/SynapseLogMonitoringEnabledForSQLPool/fail.json @@ -5,7 +5,7 @@ { "type": "Microsoft.Synapse/workspaces/sqlPools", "apiVersion": "2021-06-01", - "name": "[concat(parameters('workspaceName'), '/', parameters('sqlPoolName'))]", + "name": "fail", "location": "[parameters('location')]", "properties": { "collation": "SQL_Latin1_General_CP1_CI_AS", 
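Review bot: The category fix leaves `id = "CKV_AZURE_239"` in the surrounding context untouched; since this series introduces several new Azure checks in one go, it is worth confirming that this id is not also assigned to another check added in the same PR, because the published check-ID table and suppression comments key on it. A collision would silently make one of the two checks unaddressable by `--check`/`--skip-check` and by `checkov:skip` annotations. The enclosing `__init__` starts outside the hunk.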
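Review bot: `evaluated_keys` still lists `'properties/publicNetworkAccess'`, the key from the template this expected.yaml was copied from, while the pass/fail entries are now `Microsoft.Synapse/workspaces/sqlPools` resources. If the yaml-policy harness asserts evaluated keys this will fail outright, and if it does not, the entry misdocuments what the SynapseLogMonitoringEnabledForSQLPool policy inspects. Replace it with the attribute path the policy actually evaluates, or drop the key if the harness ignores it. The same stale `evaluated_keys` entry remains in the expected.yaml hunks for SynapseSQLPoolHasSecurityAlertPolicy, SynapseSQLPoolHasVulnerabilityAssessment and SynapseWorkspaceHasExtendedAuditLogs in this commit.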
diff --git a/tests/arm/graph_builder/checks/resources/SynapseLogMonitoringEnabledForSQLPool/pass.json b/tests/arm/graph_builder/checks/resources/SynapseLogMonitoringEnabledForSQLPool/pass.json index 2c54d261560..ce35f6b02ed 100644 --- a/tests/arm/graph_builder/checks/resources/SynapseLogMonitoringEnabledForSQLPool/pass.json +++ b/tests/arm/graph_builder/checks/resources/SynapseLogMonitoringEnabledForSQLPool/pass.json @@ -5,7 +5,7 @@ { "type": "Microsoft.Synapse/workspaces/sqlPools", "apiVersion": "2021-06-01", - "name": "[concat(parameters('workspaceName'), '/', parameters('sqlPoolName'))]", + "name": "pass", "location": "[parameters('location')]", "properties": { "collation": "SQL_Latin1_General_CP1_CI_AS", diff --git a/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/expected.yaml b/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/expected.yaml index 6cc0925b453..6317086c1c3 100644 --- a/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/expected.yaml +++ b/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/expected.yaml @@ -1,7 +1,7 @@ pass: - - "Microsoft.MachineLearningServices/workspaces.pass" - - "Microsoft.MachineLearningServices/workspaces.pass2" + - "Microsoft.Synapse/workspaces/sqlPools.pass" fail: - - "Microsoft.MachineLearningServices/workspaces.fail" + - "Microsoft.Synapse/workspaces/sqlPools.fail1" + - "Microsoft.Synapse/workspaces/sqlPools.fail2" evaluated_keys: - 'properties/publicNetworkAccess' diff --git a/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/fail.json b/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/fail1.json similarity index 94% rename from tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/fail.json rename to tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/fail1.json index efba85f3252..9accc816915 100644 
--- a/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/fail.json +++ b/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/fail1.json @@ -5,7 +5,7 @@ { "type": "Microsoft.Synapse/workspaces/sqlPools", "apiVersion": "2021-06-01", - "name": "[concat(parameters('workspaceName'), '/', parameters('sqlPoolName'))]", + "name": "fail1", "location": "[parameters('location')]", "properties": { "sku": { diff --git a/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/fail2.json b/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/fail2.json index 964f4bdb1f1..b52a5e0c005 100644 --- a/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/fail2.json +++ b/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/fail2.json @@ -5,7 +5,7 @@ { "type": "Microsoft.Synapse/workspaces/sqlPools", "apiVersion": "2021-06-01", - "name": "[concat(parameters('workspaceName'), '/', parameters('sqlPoolName'))]", + "name": "fail2", "location": "[parameters('location')]", "properties": { "sku": { diff --git a/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/pass.json b/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/pass.json index 086ab8646ba..ea4360c2ec4 100644 --- a/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/pass.json +++ b/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/pass.json @@ -5,7 +5,7 @@ { "type": "Microsoft.Synapse/workspaces/sqlPools", "apiVersion": "2021-06-01", - "name": "[concat(parameters('workspaceName'), '/', parameters('sqlPoolName'))]", + "name": "pass", "location": "[parameters('location')]", "properties": { "sku": { 
diff --git a/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/expected.yaml b/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/expected.yaml index 6cc0925b453..6317086c1c3 100644 --- a/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/expected.yaml +++ b/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/expected.yaml @@ -1,7 +1,7 @@ pass: - - "Microsoft.MachineLearningServices/workspaces.pass" - - "Microsoft.MachineLearningServices/workspaces.pass2" + - "Microsoft.Synapse/workspaces/sqlPools.pass" fail: - - "Microsoft.MachineLearningServices/workspaces.fail" + - "Microsoft.Synapse/workspaces/sqlPools.fail1" + - "Microsoft.Synapse/workspaces/sqlPools.fail2" evaluated_keys: - 'properties/publicNetworkAccess' diff --git a/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/fail.json b/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/fail.json index a5349767975..077c946b1af 100644 --- a/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/fail.json +++ b/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/fail.json @@ -21,7 +21,7 @@ { "type": "Microsoft.Synapse/workspaces/sqlPools", "apiVersion": "2021-06-01", - "name": "[concat(parameters('workspaceName'), '/', parameters('sqlPoolName'))]", + "name": "fail1", "location": "[parameters('location')]", "properties": { "sku": { diff --git a/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/fail2.json b/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/fail2.json index ca2fee136fb..cce7b3ea427 100644 --- a/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/fail2.json +++ b/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/fail2.json 
@@ -21,7 +21,7 @@
 {
 "type": "Microsoft.Synapse/workspaces/sqlPools",
 "apiVersion": "2021-06-01",
- "name": "[concat(parameters('workspaceName'), '/', parameters('sqlPoolName'))]",
+ "name": "fail2",
 "location": "[parameters('location')]",
 "properties": {
 "sku": {
diff --git a/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/pass.json b/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/pass.json
index 363eff3174a..d188fd02918 100644
--- a/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/pass.json
+++ b/tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/pass.json
@@ -5,7 +5,7 @@
 {
 "type": "Microsoft.Synapse/workspaces",
 "apiVersion": "2021-06-01",
- "name": "[parameters('workspaceName')]",
+ "name": "pass",
 "location": "[parameters('location')]",
 "properties": {
 "defaultDataLakeStorage": {
diff --git a/tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/expected.yaml b/tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/expected.yaml
index 6cc0925b453..2fefa6e09e9 100644
--- a/tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/expected.yaml
+++ b/tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/expected.yaml
@@ -1,7 +1,7 @@
 pass:
- - "Microsoft.MachineLearningServices/workspaces.pass"
- - "Microsoft.MachineLearningServices/workspaces.pass2"
+ - "Microsoft.Synapse/workspaces.pass"
 fail:
- - "Microsoft.MachineLearningServices/workspaces.fail"
+ - "Microsoft.Synapse/workspaces.fail1"
+ - "Microsoft.Synapse/workspaces.fail2"
 evaluated_keys:
 - 'properties/publicNetworkAccess'
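Review bot: In SynapseSQLPoolHasVulnerabilityAssessment/pass.json the resource renamed to `"name": "pass"` is the `Microsoft.Synapse/workspaces` parent at line 5, whereas the expected.yaml for this check lists `Microsoft.Synapse/workspaces/sqlPools.pass`. The fail.json and fail2.json hunks for the same check rename the `Microsoft.Synapse/workspaces/sqlPools` resource itself, so this file is the odd one out. Unless a sqlPools resource elsewhere in pass.json already carries the name `pass` (not visible in this hunk), the graph will not yield that id and the pass expectation cannot be matched; renaming the sqlPools resource as in the fail fixtures would make the fixtures consistent.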
diff --git a/tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/fail.json b/tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/fail1.json
similarity index 89%
rename from tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/fail.json
rename to tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/fail1.json
index e4a273c3416..0629c5b3c86 100644
--- a/tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/fail.json
+++ b/tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/fail1.json
@@ -5,7 +5,7 @@
 {
 "type": "Microsoft.Synapse/workspaces",
 "apiVersion": "2021-06-01-preview",
- "name": "exampleSynapseWorkspace",
+ "name": "fail1",
 "location": "[resourceGroup().location]",
 "properties": {},
 "resources": []
diff --git a/tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/fail2.json b/tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/fail2.json
index 7e6784db947..d6fc02ff779 100644
--- a/tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/fail2.json
+++ b/tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/fail2.json
@@ -31,7 +31,7 @@
 {
 "type": "Microsoft.Synapse/workspaces",
 "apiVersion": "2021-06-01-preview",
- "name": "[parameters('workspaceName')]",
+ "name": "fail2",
 "location": "[resourceGroup().location]",
 "properties": {},
 "resources": [
diff --git a/tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/pass.json b/tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/pass.json
index b20808b6d1a..8f70c17bc8c 100644
--- a/tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/pass.json
+++ b/tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/pass.json
@@ -31,7 +31,7 @@
 {
 "type": "Microsoft.Synapse/workspaces",
 "apiVersion": "2021-06-01-preview",
- "name": "[parameters('workspaceName')]",
+ "name": "pass",
 "location": "[resourceGroup().location]",
 "properties": {},
 "resources": [
From c40ad5f298cb8fc3de114054913f0d436cf7d3f3 Mon Sep 17 00:00:00 2001
From: Tomer Aviassaf
Date: Mon, 8 Jul 2024 14:14:31 +0300
Subject: [PATCH 5/5] remove dummy
---
 .../SynapseWorkspaceAdministratorLoginPasswordHidden.py | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/checkov/arm/checks/resource/SynapseWorkspaceAdministratorLoginPasswordHidden.py b/checkov/arm/checks/resource/SynapseWorkspaceAdministratorLoginPasswordHidden.py
index 2d0f5dd8ac4..c45645d55f0 100644
--- a/checkov/arm/checks/resource/SynapseWorkspaceAdministratorLoginPasswordHidden.py
+++ b/checkov/arm/checks/resource/SynapseWorkspaceAdministratorLoginPasswordHidden.py
@@ -16,13 +16,6 @@ def __init__(self) -> None:


 def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
- # if "properties" in conf:
- # if conf["properties"]:
- # if 'encryption' in conf["properties"]:
- # if 'encryption' in conf["properties"]:
- # if 'cmk' in conf["properties"]['encryption']:
- # return CheckResult.PASSED
- # return CheckResult.FAILED
 if "resources" in conf:
 if conf["resources"]:
 for resource in conf["resources"]: