
feat(arm): add CKV_AZURE_177 to ensure that Windows VM enables automa…
…tic updates (#6484)

* added a new arm policy for resource: WinVMAutomaticUpdates

* update arm policy for resource: WinVMAutomaticUpdates

* update arm policy for resource: WinVMAutomaticUpdates

---------

Co-authored-by: AdamDev <AdamVarsan@gmail.com>
tehila86127 and AdamDev committed Jul 14, 2024
1 parent 72bf890 commit 5eaaed6
Showing 4 changed files with 458 additions and 0 deletions.
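--- a/checkov/arm/checks/resource/WinVMAutomaticUpdates.py
+++ b/checkov/arm/checks/resource/WinVMAutomaticUpdates.py
@@ -0,0 +1,20 @@
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+
+
+class WinVMAutomaticUpdates(BaseResourceValueCheck):
+def __init__(self) -> None:
+name = "Ensure Windows VM enables automatic updates"
+id = "CKV_AZURE_177"
+supported_resources = ("Microsoft.Compute/virtualMachines", "Microsoft.Compute/virtualMachineScaleSets")
+categories = (CheckCategories.GENERAL_SECURITY,)
+super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
+missing_block_result=CheckResult.PASSED,)
+
+def get_inspected_key(self) -> str:
+if self.entity_type == "Microsoft.Compute/virtualMachineScaleSets":
+return "properties/virtualMachineProfile/osProfile/windowsConfiguration/enableAutomaticUpdates"
+return "properties/osProfile/windowsConfiguration/enableAutomaticUpdates"
+
+
+check = WinVMAutomaticUpdates()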
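Review bot: `missing_block_result=CheckResult.PASSED` on the `super().__init__` call needs a comment, because a check that passes when the inspected block is absent reads as a blind spot at first glance. The reason, as far as I can infer, is that `osProfile/windowsConfiguration` only exists for Windows guests, so Linux VMs and scale sets must not be flagged, and a Windows resource that omits `enableAutomaticUpdates` falls back to the platform default — confirm that default against the ARM schema before stating it in the comment. I would add `# windowsConfiguration is absent on Linux guests; an absent block is not a finding` above the call and give `get_inspected_key` a docstring such as `"""Path of enableAutomaticUpdates; scale sets nest osProfile under virtualMachineProfile."""`. Note that a template setting the flag from a parameter expression yields a string rather than a boolean at this key; whether the base class resolves that is outside this hunk. Minor style: `id` shadows the builtin (possibly following the project's pattern) and the trailing `,)` on the continuation line is unusual formatting.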
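--- a/tests/arm/checks/resource/example_WinVMAutomaticUpdates/fail.json
+++ b/tests/arm/checks/resource/example_WinVMAutomaticUpdates/fail.json
@@ -0,0 +1,165 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"vmSku": {
+"type": "string",
+"defaultValue": "Standard_D2s_v3",
+"metadata": {
+"description": "Size of VMs in the VM Scale Set."
+}
+},
+"vmssName": {
+"type": "string",
+"metadata": {
+"description": "Unique name for the scale set. Must be 3-61 characters in length and unique across the VNet."
+},
+"maxLength": 61
+},
+"instanceCount": {
+"type": "int",
+"metadata": {
+"description": "Number of VM instances (100 or less)."
+},
+"defaultValue": 2
+},
+"adminUsername": {
+"type": "string",
+"metadata": {
+"description": "Admin username on all VMs."
+}
+},
+"adminPassword": {
+"type": "securestring",
+"metadata": {
+"description": "Admin password on all VMs."
+}
+},
+"existingVnetName": {
+"type": "string",
+"metadata": {
+"description": "Name of the existing virtual network to deploy the scale set into."
+}
+},
+"location": {
+"type": "string",
+"defaultValue": "[resourceGroup().location]",
+"metadata": {
+"description": "Location parameter"
+}
+},
+"existingSubnetName": {
+"type": "string",
+"metadata": {
+"description": "Name of the existing subnet to deploy the scale set into."
+}
+}
+},
+"variables": {
+},
+"resources": [
+{
+"type": "Microsoft.Compute/virtualMachineScaleSets",
+"name": "fail",
+"location": "[parameters('location')]",
+"apiVersion": "2020-12-01",
+"sku": {
+"name": "[parameters('vmSku')]",
+"capacity": "[parameters('instanceCount')]"
+},
+"properties": {
+"overprovision": false,
+"upgradePolicy": {
+"mode": "Manual"
+},
+"virtualMachineProfile": {
+"storageProfile": {
+"osDisk": {
+"createOption": "FromImage",
+"caching": "ReadWrite"
+},
+"imageReference": {
+"publisher": "MicrosoftWindowsServer",
+"offer": "WindowsServer",
+"sku": "2016-Datacenter",
+"version": "latest"
+}
+},
+"osProfile": {
+"computerNamePrefix": "[parameters('vmssName')]",
+"adminUsername": "[parameters('adminUsername')]",
+"adminPassword": "[parameters('adminPassword')]",
+"windowsConfiguration": {
+"enableAutomaticUpdates": false,
+"provisionVmAgent": true
+}
+},
+"networkProfile": {
+"networkInterfaceConfigurations": [
+{
+"name": "nic",
+"properties": {
+"primary": true,
+"ipConfigurations": [
+{
+"name": "ipconfig",
+"properties": {
+"subnet": {
+"id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVnetName'), parameters('existingSubnetName'))]"
+}
+}
+}
+]
+}
+}
+]
+}
+}
+}
+},
+{
+"name": "fail",
+"type": "Microsoft.Compute/virtualMachines",
+"apiVersion": "2019-12-01",
+"location": "[parameters('location')]",
+"dependsOn": [
+"[resourceId('Microsoft.Network/networkInterfaces/', variables('networkInterfaceName'))]"
+],
+"properties": {
+"hardwareProfile": {
+"vmSize": "[parameters('vmSize')]"
+},
+"storageProfile": {
+"osDisk": {
+"createOption": "fromImage",
+"managedDisk": {
+"storageAccountType": "[variables('osDiskType')]"
+}
+},
+"imageReference": {
+"publisher": "MicrosoftVisualStudio",
+"offer": "visualstudio2019latest",
+"sku": "vs-2019-comm-latest-ws2019",
+"version": "latest"
+}
+},
+"networkProfile": {
+"networkInterfaces": [
+{
+"id": "[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]"
+}
+]
+},
+"osProfile": {
+"computerName": "[parameters('vmName')]",
+"adminUsername": "[parameters('adminUsername')]",
+"adminPassword": "[parameters('adminPassword')]",
+"windowsConfiguration": {
+"enableAutomaticUpdates": false,
+"provisionVmAgent": true
+}
+}
+}
+}
+]
+}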
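Review bot: The `Microsoft.Compute/virtualMachines` resource references `parameters('vmSize')`, `parameters('vmName')`, `variables('networkInterfaceName')` and `variables('osDiskType')`, none of which the template declares — the `parameters` block ends at `existingSubnetName` and `variables` is empty — so the fixture is not a deployable template. The check only reads the inspected `enableAutomaticUpdates` key, so the test presumably still fails the resource as intended, but a self-consistent fixture is more useful as a reference example and avoids confusion if the ARM parser ever starts resolving expressions. Adding `vmSize` and `vmName` to `parameters` and `networkInterfaceName` and `osDiskType` to `variables` would close the gap.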
