Checkov attribute reference

Question

I am currently learning policy-as-code with the help of Checkov. In the process, I am also writing my own policies.

I would like to write a policy that checks the content inside "managed_rule_set". I know how to reference the attributes from the terraform-file correctly, but not how to do it in this particular case. I define the custom policies via a yaml-file and orient myself on the documentation of checkov.

Terraform-file: tf-file

    resource "azurerm_web_application_firewall_policy" "waf_network" {
  name                = "waf-${var.tag_project}-network-${var.tag_environment}"
  resource_group_name = azurerm_resource_group.rg_network.name
  location            = "azurerm_resource_group.rg_network.location"
  
  policy_settings {
    enabled = true
    mode    = "Prevention"
  }

  managed_rules {
    managed_rule_set {
      type    = "OWASP"
      version = "3.1"
    }
    managed_rule_set {
      type    = "Microsoft_BotManagerRuleSet"
      version = "0.1"
    }
  }

  tags = merge(local.common_tags, local.intrinsic_tags)
}

Has anyone an idea? Thanks!

Please post the code in the question and not using a screenshot. It's much easier for someone to try and reproduce problems that way. — Marko E, Jan 27 '22 at 14:51
Please provide enough code so others can better understand or reproduce the problem. — Community, Feb 09 '22 at 09:32

score 3 · Answer 1 · edited Jan 31 '22 at 17:51

3

depending on what you want to achieve you can use .*. to reference all the managed_rule_set blocks, like that

- cond_type: "attribute"
resource_types: 
    - "azurerm_web_application_firewall_policy"
    attribute: "managed_rules.managed_rule_set.*.type"
    operator: "contains"
    value: "OWASP"

edited Jan 31 '22 at 17:51

Tyler2P

2,324
26
22
31

answered Jan 31 '22 at 15:44

gruebel

31
1
1

Yes thank you. That's exactly what I've been looking for. – jk1234 Feb 10 '22 at 19:16
Ok so this worked. I can validate the value of "type" for managed_rule_set. Is their a way to proof the value of "version" in managed_rule_set? I have tried it with this attribute (not working): "managed_rules.managed_rule_set.*.version" – jk1234 Feb 11 '22 at 11:33
Have you seen the `Evaluating list attributes` section here: https://www.checkov.io/3.Custom%20Policies/YAML%20Custom%20Policies.html – Matt Sep 12 '22 at 13:03

Checkov attribute reference

1 Answers1