fix(terraform): fix CKV_AZURE_136 for replicas (#6895)

* fix check * fix type * Change unknown to passed
bridgecrewio · Dec 9, 2024 · fac2c72 · fac2c72
1 parent a94c168
commit fac2c72
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 4 deletions.
diff --git a/checkov/terraform/checks/resource/azure/PostgreSQLFlexiServerGeoBackupEnabled.py b/checkov/terraform/checks/resource/azure/PostgreSQLFlexiServerGeoBackupEnabled.py
@@ -1,16 +1,24 @@
-from checkov.common.models.enums import CheckCategories
+from typing import Any, Dict, List
+
+from checkov.common.models.enums import CheckCategories, CheckResult
 from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
 
 
 class PostgreSQLFlexiServerGeoBackupEnabled(BaseResourceValueCheck):
-    def __init__(self):
+    def __init__(self) -> None:
         name = "Ensure that PostgreSQL Flexible server enables geo-redundant backups"
         id = "CKV_AZURE_136"
         supported_resources = ['azurerm_postgresql_flexible_server']
         categories = [CheckCategories.BACKUP_AND_RECOVERY]
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
-    def get_inspected_key(self):
+    def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:
+        # Replicas can't have geo-redundant backups
+        if conf.get('create_mode') and conf.get('create_mode')[0] == 'Replica':
+            return CheckResult.PASSED
+        return super().scan_resource_conf(conf)
+
+    def get_inspected_key(self) -> str:
         return 'geo_redundant_backup_enabled'
 
 

diff --git a/tests/terraform/checks/resource/azure/example_PostgreSQLFlexiServerGeoBackupEnabled/main.tf b/tests/terraform/checks/resource/azure/example_PostgreSQLFlexiServerGeoBackupEnabled/main.tf
@@ -58,4 +58,34 @@ resource "azurerm_postgresql_flexible_server" "fail2" {
 
 }
 
+# unknown: replica
+resource "azurerm_postgresql_flexible_server" "replica" {
+  count               = var.replica_count
+  name                = "${local.database_name}-replica-${count.index}"
+  resource_group_name = var.resource_group.name
+  location            = var.resource_group.location
+  delegated_subnet_id = var.shared.subnet_id
+  private_dns_zone_id = var.shared.dns_zone.id
+  sku_name            = var.sku_name
+  storage_mb          = var.storage_mb
+  version             = var.postgresql_version
+
+  # replication
+  create_mode      = "Replica"  # <-- This makes the server a replica.
+  source_server_id = azurerm_postgresql_flexible_server.primary.id
+
+  tags = local.standard_tags
+  lifecycle {
+    precondition {
+      condition     = !startswith(var.sku_name, "B_")
+      error_message = "Replicas are not supported for burstable SKUs."
+    }
+    ignore_changes = [
+      zone,
+      high_availability.0.standby_availability_zone,
+      tags
+    ]
+  }
+}
+
 
diff --git a/tests/terraform/checks/resource/azure/test_PostgreSQLFlexiServerGeoBackupEnabled.py b/tests/terraform/checks/resource/azure/test_PostgreSQLFlexiServerGeoBackupEnabled.py
@@ -20,6 +20,7 @@ def test(self):
 
         passing_resources = {
             "azurerm_postgresql_flexible_server.pass",
+            "azurerm_postgresql_flexible_server.replica"
         }
         failing_resources = {
             "azurerm_postgresql_flexible_server.fail1",
@@ -30,7 +31,7 @@ def test(self):
         passed_check_resources = {c.resource for c in report.passed_checks}
         failed_check_resources = {c.resource for c in report.failed_checks}
 
-        self.assertEqual(summary["passed"], 1)
+        self.assertEqual(summary["passed"], 2)
         self.assertEqual(summary["failed"], 2)
         self.assertEqual(summary["skipped"], 0)
         self.assertEqual(summary["parsing_errors"], 0)