From d36358b5216f3b81d0a2ca0f7b765aa81105a056 Mon Sep 17 00:00:00 2001
From: Chris Ayers
Date: Sat, 25 Mar 2023 13:44:01 +0000
Subject: [PATCH 1/8] updated costcenter

---
 example/prod/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/example/prod/main.tf b/example/prod/main.tf
index e8f82fd..9eed721 100644
--- a/example/prod/main.tf
+++ b/example/prod/main.tf
@@ -19,6 +19,6 @@ resource "azurerm_resource_group" "rg" {
 name = "rg-terraformdemo-${var.environment}-${var.location}"
 location = var.location
 tags = {
- "CostCenter" = "it"
+ "CostCenter" = "ops"
 }
 }

From 4337749213dc8f5052d38134dc096847435f47d8 Mon Sep 17 00:00:00 2001
From: Chris Ayers
Date: Sat, 25 Mar 2023 14:09:57 +0000
Subject: [PATCH 2/8] updated regex match

---
 .tfsec/custom_tfchecks.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.tfsec/custom_tfchecks.yaml b/.tfsec/custom_tfchecks.yaml
index 16d976d..600f800 100644
--- a/.tfsec/custom_tfchecks.yaml
+++ b/.tfsec/custom_tfchecks.yaml
@@ -12,7 +12,8 @@ checks:
 matchSpec:
 name: name
 action: regexMatches
- value: "^rg-[a-zA-Z]+-[a-zA-Z]+-[a-zA-Z]+"
+ value:
+ value: "^(?!rg-[a-zA-Z]+-[a-zA-Z]+-[a-zA-Z]+).*$"
 errorMessage: improperly named resource group
 relatedLinks:
 - https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming

From 9d98e2e37077db6d48740b577248da56df57e95b Mon Sep 17 00:00:00 2001
From: Chris Ayers
Date: Sat, 25 Mar 2023 14:42:37 +0000
Subject: [PATCH 3/8] updated custom checks

---
 .tfsec/custom_tfchecks.yaml | 120 +++++++++++++++++++-----------------
 1 file changed, 65 insertions(+), 55 deletions(-)

diff --git a/.tfsec/custom_tfchecks.yaml b/.tfsec/custom_tfchecks.yaml
index 600f800..97e450a 100644
--- a/.tfsec/custom_tfchecks.yaml
+++ b/.tfsec/custom_tfchecks.yaml
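Review bot: The new pattern `^(?!rg-[a-zA-Z]+-[a-zA-Z]+-[a-zA-Z]+).*$` in patch 2 relies on a negative lookahead, which the RE2-style regexp engine of Go (the language tfsec is written in) does not support, so the check would fail to compile rather than flag badly named groups; in addition the added bare `value:` line followed by a second, more-indented `value:` turns the field into a one-key mapping instead of the string a `regexMatches` action expects. Inverting a match belongs in a wrapping `action: not` with a `predicateMatchSpec` list, which is what patch 3 of this series switches to, so this intermediate state could be squashed out of the history rather than kept. The `matchSpec` mapping and the check entry it belongs to begin above the hunk.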
@@ -1,56 +1,66 @@
----
 checks:
-- code: rg-naming-pattern
- description: Custom check to check resource group naming
- impact: resource groups should be named consistently
- resolution: use the pattern rg-app-env-region
- requiredTypes:
- - resource
- requiredLabels:
- - azurerm_resource_group
- severity: HIGH
- matchSpec:
- name: name
- action: regexMatches
- value:
- value: "^(?!rg-[a-zA-Z]+-[a-zA-Z]+-[a-zA-Z]+).*$"
- errorMessage: improperly named resource group
- relatedLinks:
- - https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming
-- code: tags-resources
- description: Custom check to ensure the CostCenter tag is applied to Azure Resources
- impact: By not having CostCenter we can't keep track of billing
- resolution: Add the CostCenter tag
- requiredTypes:
- - resource
- requiredLabels:
- - azurerm_subscription
- - azurerm_resource_group
- - azurerm_linux_web_app
- - azurerm_windows_web_app
- - azurerm_storage_account
- - azurerm_service_plan
- - azurerm_app_service
- severity: HIGH
- matchSpec:
- name: tags
- action: contains
- value: CostCenter
- errorMessage: The required CostCenter tag was missing
- relatedLinks:
- - https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-tagging
-- code: app-service-deprecated
- description: Custom check to warn on deprecated app service
- impact: using deprecated app service resource instead of azurerm_linux_web_app or azurerm_windows_web_app
- resolution: Use azurerm_linux_web_app or azurerm_windows_web_app
- requiredTypes:
- - resource
- requiredLabels:
- - azurerm_app_service
- severity: HIGH
- matchSpec:
- name: azurerm_app_service
- action: isPresent
- errorMessage: Using a deprecated resource - azurerm_app_service
- relatedLinks:
- - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service
+ - {
+ code: rg-naming-pattern,
+ description: "Custom check to check resource group naming",
+ impact: "resource groups should be named consistently",
+ resolution: "use the pattern rg-app-env-region",
+ requiredTypes: [resource],
+ requiredLabels: [azurerm_resource_group],
+ severity: HIGH,
+ matchSpec:
+ {
+ action: not,
+ predicateMatchSpec:
+ [
+ {
+ name: name,
+ action: regexMatches,
+ value: "^rg-[a-zA-Z]+-[a-zA-Z]+-[a-zA-Z]+",
+ },
+ ],
+ },
+ errorMessage: "improperly named resource group",
+ relatedLinks:
+ [
+ "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming",
+ ],
+ }
+ - {
+ code: tags-resources,
+ description: "Custom check to ensure the CostCenter tag is applied to Azure Resources",
+ impact: "By not having CostCenter we can't keep track of billing",
+ resolution: "Add the CostCenter tag",
+ requiredTypes: [resource],
+ requiredLabels:
+ [
+ azurerm_subscription,
+ azurerm_resource_group,
+ azurerm_linux_web_app,
+ azurerm_windows_web_app,
+ azurerm_storage_account,
+ azurerm_service_plan,
+ azurerm_app_service,
+ ],
+ severity: HIGH,
+ matchSpec: { name: tags, action: contains, value: CostCenter },
+ errorMessage: "The required CostCenter tag was missing",
+ relatedLinks:
+ [
+ "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-tagging",
+ ],
+ }
+ - {
+ code: app-service-deprecated,
+ description: "Custom check to warn on deprecated app service",
+ impact: "using deprecated app service resource instead of azurerm_linux_web_app or azurerm_windows_web_app",
+ resolution: "Use azurerm_linux_web_app or azurerm_windows_web_app",
+ requiredTypes: [resource],
+ requiredLabels: [azurerm_app_service],
+ severity: HIGH,
+ matchSpec: { name: azurerm_app_service, action: isPresent },
+ errorMessage: "Using a deprecated resource - azurerm_app_service",
+ relatedLinks:
+ [
+ "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service",
+ ],
+ }
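Review bot: The naming regex `^rg-[a-zA-Z]+-[a-zA-Z]+-[a-zA-Z]+` inside the new `predicateMatchSpec` is anchored only at the start, so names such as `rg-app-env-region-extra` or `rg-app-env-regionX1` still satisfy the check; `value: "^rg-[a-zA-Z]+-[a-zA-Z]+-[a-zA-Z]+$",` pins the whole name to the `rg-app-env-region` shape the `resolution` text promises. On style, every check is now a multi-line flow mapping with nested flow lists, which diffs and reviews worse than the block form it replaces and sits oddly under the block-style `checks:` key kept as context; the `---` document-start line is dropped as well. The same `action: not` / `predicateMatchSpec` structure can be written in block style with no change in meaning.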
From a53eb389a536e85404d8ad7b09cdf306c71efe2d Mon Sep 17 00:00:00 2001
From: Chris Ayers
Date: Sat, 25 Mar 2023 14:50:56 +0000
Subject: [PATCH 4/8] updated sample path

---
 .github/workflows/checkov.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/checkov.yml b/.github/workflows/checkov.yml
index 44477b6..c3f6c4a 100644
--- a/.github/workflows/checkov.yml
+++ b/.github/workflows/checkov.yml
@@ -21,7 +21,7 @@ jobs:
 id: checkov
 uses: bridgecrewio/checkov-action@master
 with:
- directory: .
+ directory: example
 #file: example/tfplan.json # optional: provide the path for resource to be scanned. This will override the directory if both are provided.
 #check: CKV_AWS_1 # optional: run only a specific check_id. can be comma separated list
 #skip_check: CKV_AWS_2 # optional: skip a specific check_id. can be comma separated list

From eac31a28eccffa1bd5fbc678676b26640009ce36 Mon Sep 17 00:00:00 2001
From: Chris Ayers
Date: Sat, 25 Mar 2023 16:26:43 +0000
Subject: [PATCH 5/8] added nsg

---
 example/modules/vnet/main.tf | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/example/modules/vnet/main.tf b/example/modules/vnet/main.tf
index 12f7b63..6ca5f1b 100644
--- a/example/modules/vnet/main.tf
+++ b/example/modules/vnet/main.tf
@@ -2,11 +2,18 @@ data "azurerm_resource_group" "rg" {
 name = var.rg_name
 }
 
+resource "azurerm_network_security_group" "nsg" {
+ name = "${var.prefix}-nsg"
+ location = azurerm_resource_group.rg.name
+ resource_group_name = azurerm_resource_group.rg.location
+}
+
 resource "azurerm_virtual_network" "vnet" {
 name = "${var.prefix}-network"
 resource_group_name = azurerm_resource_group.rg.name
 location = azurerm_resource_group.rg.location
 address_space = ["10.0.0.0/16"]
+ security_group_id = azurerm_network_security_group.nsg.id
 }
 
 resource "azurerm_subnet" "snet" {
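Review bot: Pointing `directory` at `example` takes the repository root out of checkov's scope, so the workflow files under `.github/workflows` — which checkov can also scan under its github_actions framework — and anything else outside `example` are no longer checked; if that narrowing is intended, a comment such as `directory: example  # demo Terraform only; workflow YAML is not scanned` records the decision. The `uses: bridgecrewio/checkov-action@master` line it sits under is pre-existing, but it floats on a branch rather than a tag or commit SHA, so the scanner that gates this repository is itself unpinned. The `steps` entry this hunk edits starts above the hunk.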
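Review bot: The new `azurerm_network_security_group.nsg` block has its two placement arguments crossed — `location` is fed `azurerm_resource_group.rg.name` and `resource_group_name` is fed `azurerm_resource_group.rg.location` — so they should read `location            = azurerm_resource_group.rg.location` and `resource_group_name = azurerm_resource_group.rg.name`. The only `rg` declared in this file is the `data "azurerm_resource_group" "rg"` block whose opening line is above the hunk, so these references (like the pre-existing ones on the vnet) probably need the `data.` prefix to resolve. The `security_group_id` argument added to `azurerm_virtual_network` is not, as far as I know, an argument that resource accepts; an NSG is bound to a subnet through `azurerm_subnet_network_security_group_association`, which patch 6 of this series adds while removing this line again.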
@@ -14,4 +21,4 @@ resource "azurerm_subnet" "snet" {
 virtual_network_name = azurerm_virtual_network.rg.name
 resource_group_name = azurerm_resource_group.rg.name
 address_prefixes = ["10.0.1.0/24"]
-}
\ No newline at end of file
+}

From 6c9bf428759e00a03753af902eb5ad0a73f6715d Mon Sep 17 00:00:00 2001
From: Chris Ayers
Date: Sat, 25 Mar 2023 16:29:09 +0000
Subject: [PATCH 6/8] added subnet nsg

---
 example/modules/vnet/main.tf | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/example/modules/vnet/main.tf b/example/modules/vnet/main.tf
index 6ca5f1b..236ec5f 100644
--- a/example/modules/vnet/main.tf
+++ b/example/modules/vnet/main.tf
@@ -13,7 +13,6 @@ resource "azurerm_virtual_network" "vnet" {
 resource_group_name = azurerm_resource_group.rg.name
 location = azurerm_resource_group.rg.location
 address_space = ["10.0.0.0/16"]
- security_group_id = azurerm_network_security_group.nsg.id
 }
 
 resource "azurerm_subnet" "snet" {
@@ -22,3 +21,9 @@ resource "azurerm_subnet" "snet" {
 resource_group_name = azurerm_resource_group.rg.name
 address_prefixes = ["10.0.1.0/24"]
 }
+
+
+resource "azurerm_subnet_network_security_group_association" "example" {
+ subnet_id = azurerm_subnet.snet.id
+ network_security_group_id = azurerm_network_security_group.nsg.id
+}
\ No newline at end of file

From cc7961ca22bec2762902e53c6984a7a83cea7ac7 Mon Sep 17 00:00:00 2001
From: Chris Ayers
Date: Sat, 25 Mar 2023 16:30:36 +0000
Subject: [PATCH 7/8] demo change

---
 example/modules/vnet/main.tf | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/example/modules/vnet/main.tf b/example/modules/vnet/main.tf
index 236ec5f..e130396 100644
--- a/example/modules/vnet/main.tf
+++ b/example/modules/vnet/main.tf
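Review bot: The association added in patch 6 is labelled `"example"` while the other resources in this file carry descriptive labels (`nsg`, `vnet`, `snet`); `resource "azurerm_subnet_network_security_group_association" "snet_nsg" {` keeps the naming consistent, and the two blank lines inserted above it are one more than the file uses between blocks. The new side also ends with `\ No newline at end of file`, undoing the trailing newline patch 5 had just added. The association is the right binding mechanism; the `nsg` it attaches is declared above the hunk with no `security_rule` entries and with its `location`/`resource_group_name` still swapped from patch 5, so until that block is fixed the subnet only gets the platform default rules, if the plan applies at all.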
@@ -22,8 +22,7 @@ resource "azurerm_subnet" "snet" {
 address_prefixes = ["10.0.1.0/24"]
 }
 
-
-resource "azurerm_subnet_network_security_group_association" "example" {
- subnet_id = azurerm_subnet.snet.id
- network_security_group_id = azurerm_network_security_group.nsg.id
-}
\ No newline at end of file
+# resource "azurerm_subnet_network_security_group_association" "example" {
+# subnet_id = azurerm_subnet.snet.id
+# network_security_group_id = azurerm_network_security_group.nsg.id
+# }
\ No newline at end of file

From d6e92b4d1ba32e7abfbb7addd96733d64c125616 Mon Sep 17 00:00:00 2001
From: Chris Ayers
Date: Sat, 25 Mar 2023 17:52:31 +0000
Subject: [PATCH 8/8] added nsg

---
 example/modules/vnet/main.tf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/example/modules/vnet/main.tf b/example/modules/vnet/main.tf
index e130396..7a22481 100644
--- a/example/modules/vnet/main.tf
+++ b/example/modules/vnet/main.tf
@@ -22,7 +22,7 @@ resource "azurerm_subnet" "snet" {
 address_prefixes = ["10.0.1.0/24"]
 }
 
-# resource "azurerm_subnet_network_security_group_association" "example" {
-# subnet_id = azurerm_subnet.snet.id
-# network_security_group_id = azurerm_network_security_group.nsg.id
-# }
\ No newline at end of file
+resource "azurerm_subnet_network_security_group_association" "example" {
+ subnet_id = azurerm_subnet.snet.id
+ network_security_group_id = azurerm_network_security_group.nsg.id
+}
\ No newline at end of file
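Review bot: Commenting out the association in patch 7 detaches the NSG from `azurerm_subnet.snet` while leaving the `nsg` resource declared, which is the kind of regression the tfsec and checkov workflows in this repository exist to catch, yet the subject `demo change` does not say whether a scanner finding is the intended outcome. If the commit exists to demonstrate a finding, stating that in the message and pairing it with its revert keeps the history readable; otherwise deleting the block beats keeping a commented-out copy of it. The `snet` block this hunk trails starts above the hunk.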
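Review bot: Patch 8 reverts patch 7 line for line but is titled `added nsg`, the same subject as patch 5, so the log reads as the NSG being added twice; `Revert "demo change": restore subnet NSG association` would describe what it does. Squashing patches 7 and 8 together would also avoid leaving a commit in the history in which the subnet has no NSG attached. The new side still ends with `\ No newline at end of file`, as patches 6 and 7 left it.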