CKV_AZURE_189 is not being marked as passed in Bicep code #6429
Comments
Hey @mmassey1993, changing the value from `publicNetworkAccess: 'Disabled'` to lowercase `'disabled'` seems to have fixed this issue for me. Example of updated code: Seems to be the format listed in the following documentation: Other notes:

@mannycepeda1989 Thank you, that has worked. However, I use the same `Disabled` value for other things and it works perfectly fine. Would be nice if there was consistency, or if it just used a `lower()` function to ensure it's always lowercase, if that is what's needed.

The check also fails if the value is a parameter. Even if that parameter is "disabled" by default, it will still fail. Can checkov evaluate the parameter values?

```bicep
@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set.')
resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
```
Describe the issue
The checkov scan is failing on CKV_AZURE_189 (Ensure public network access for key vault is disabled) even though the correct property is in place.
Examples
```bicep
resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'standard'
    }
    tenantId: tenant().tenantId
    enablePurgeProtection: true
    enableSoftDelete: true
    enabledForTemplateDeployment: true
    enabledForDiskEncryption: true
    enabledForDeployment: true
    enableRbacAuthorization: true
    publicNetworkAccess: 'Disabled'
  }
}
```
I would expect this to pass, as the public network access value is disabled.
Additional context
I had an issue with a different checkov check, and the cause was that it was not checking for the string values "Enabled" or "Disabled" correctly in Bicep compared to Terraform.
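To show why an exact-match comparison reports `'Disabled'` as a failure, and how a check that lowercases the value and resolves a parameter's default would treat both cases in this thread, here is an added Python model of the check logic. It is not checkov's own code; the dict layout, the `${name}` parameter-reference notation and the parameter name are assumptions made for the example.

```python
"""Added example (not checkov's code): a simplified model of how a policy check
like CKV_AZURE_189 might evaluate publicNetworkAccess on a KeyVault resource,
contrasting an exact-match comparison with a case-insensitive one that also
resolves a parameter's default value."""
from typing import Any

# Constructed, simplified view of a parsed Bicep file. The "${name}" notation
# for a parameter reference and the parameter name are assumptions for this
# example only, not checkov's internal representation.
SAMPLE_TEMPLATE: dict = {
    "parameters": {
        "publicNetworkAccess": {"type": "string", "default": "disabled"},
    },
    "resources": {
        "keyVault": {
            "type": "Microsoft.KeyVault/vaults@2022-07-01",
            "properties": {"publicNetworkAccess": "Disabled"},
        },
        "keyVaultFromParam": {
            "type": "Microsoft.KeyVault/vaults@2022-07-01",
            "properties": {"publicNetworkAccess": "${publicNetworkAccess}"},
        },
    },
}


def resolve(value: Any, parameters: dict) -> Any:
    """Replace a "${name}" reference with that parameter's default, if any."""
    if isinstance(value, str) and value.startswith("${") and value.endswith("}"):
        return parameters.get(value[2:-1], {}).get("default")
    return value


def strict_check(resource: dict) -> str:
    """Exact-match comparison: reproduces the behaviour the issue reports."""
    value = resource.get("properties", {}).get("publicNetworkAccess")
    return "PASSED" if value == "disabled" else "FAILED"


def hardened_check(resource: dict, parameters: dict) -> str:
    """Resolve parameter defaults first, then compare case-insensitively."""
    raw = resource.get("properties", {}).get("publicNetworkAccess")
    value = resolve(raw, parameters)
    if isinstance(value, str) and value.strip().lower() == "disabled":
        return "PASSED"
    # Missing property, unresolved parameter, or any other value stays FAILED.
    return "FAILED"
```

An unresolvable parameter (no default) still fails under the hardened check, which is the safe direction for a policy that should only pass on evidence.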