CKV_AZURE_189 is not being marked as passed in Bicep code #6429
Comments
|
Hey @mmassey1993 when using changing the value from "publicNetworkAccess: 'Disabled' to lowercase 'disabled' seems to have fixed this issue for me. Example of updated code: Seems to be the format that listed in the following documenatation: Other notes: |
|
@mannycepeda1989 Thank you that has worked. However i use the same Disabled value for other things and it works perfectly fine. Would be nice if there was consistency or if it just use a lower() function to ensure its always the lowercase if that is what's needed. |
|
The check also fails if the value is a parameter. Even if that parameters is "disabled" by default, it will still fail. Can checkov evaluate the parameter values? @description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set.') resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { |
Describe the issue
The checkov scan is failing on CKV_AZURE_189 (Ensure public network access for key vault is disabled) even though the correct property is in place
Examples
resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
name: keyVaultName
location: location
properties: {
sku: {
family: 'A'
name: 'standard'
}
tenantId: tenant().tenantId
enablePurgeProtection: true
enableSoftDelete: true
enabledForTemplateDeployment: true
enabledForDiskEncryption: true
enabledForDeployment: true
enableRbacAuthorization: true
publicNetworkAccess: 'Disabled'
}
}
I would expect this to work as public network access value is disabled
Additional context
I had an issue with a different checkov check, and the issue was because it was not checking for string values of "Enabled" or "Disabled" correctly in BICEP compared to terraform
The text was updated successfully, but these errors were encountered: