Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(terraform): add CKV_AWS_375, CKV_AWS_376, CKV_AWS_377 to add three new SageMaker checks #6732

Open
wants to merge 4 commits into
base: main
Choose a base branch
from

Conversation

braidoa
Copy link

@braidoa braidoa commented Sep 25, 2024

User description

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

I've added three checks for Amazon SageMaker attributes.

New/Edited policies (Delete if not relevant)

id = "CKV_AWS_375"
name = "Ensure Amazon SageMaker endpoint has a name specified"

id = "CKV_AWS_376"
name = "Ensure Amazon SageMaker endpoint configuration has at least one production variant specified"

id = "CKV_AWS_377"
name = "Ensure Amazon SageMaker notebook instances use lifecycle configurations"

Description

Violations in each rule will occur when a SageMaker resource is missing the respective attribute.

Fix

Someone can fix these issues by specifying the attributes.

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my feature, policy, or fix is effective and works
  • New and existing tests pass locally with my changes

Generated description

Below is a concise technical summary of the changes proposed in this PR:

Introduce three new checks for Amazon SageMaker resources in Terraform to ensure compliance with best practices. The SagemakerEndpointConfigurationEndpointNameSpecified class checks that SageMaker endpoints have a specified name, while the SagemakerEndpointConfigurationProductionVariantsSpecified class ensures that endpoint configurations have at least one production variant. Additionally, the SagemakerNotebookLifecycleConfigSpecified class verifies that SageMaker notebook instances utilize lifecycle configurations. These checks are implemented in the checkov library and are accompanied by corresponding test cases to validate their functionality.

TopicDetails
Test Cases Implement test cases to validate the new SageMaker checks for endpoint configurations and notebook instances.
Modified files (3)
  • tests/terraform/checks/resource/aws/example_SagemakerNotebookLifecycleConfigSpecified/main.tf
  • tests/terraform/checks/resource/aws/example_SagemakerEndpointConfigurationNameSpecified/main.tf
  • tests/terraform/checks/resource/aws/example_SagemakerEndpointConfigurationProductionVariantsSpecified/main.tf
Latest Contributors(0)
UserCommitDate
SageMaker Checks Add checks for SageMaker resources to ensure compliance with naming and configuration standards.
Modified files (3)
  • checkov/terraform/checks/resource/aws/SagemakerEndpointConfigurationProductionVariantsSpecified.py
  • checkov/terraform/checks/resource/aws/SagemakerNotebookLifecycleConfigSpecified.py
  • checkov/terraform/checks/resource/aws/SagemakerEndpointConfigurationNameSpecified.py
Latest Contributors(0)
UserCommitDate
This pull request is reviewed by Baz. Join @braidoa and the rest of your team on (Baz).

@braidoa
Copy link
Author

braidoa commented Oct 10, 2024

Hi folks. Is anyone available to review this?

Copy link
Collaborator

@tsmithv11 tsmithv11 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the contribution, @braidoa! My concern about these checks is that Checkov is meant to be a security tool and these don't appear to be security checks. Am I misunderstanding?

super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

def get_inspected_key(self):
return "name"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Requiring name isn't really a security check. You can also use name_prefix which would be valid but flagged by this check.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See comment below. 😄

if isinstance(production_variants, list):
return CheckResult.PASSED if production_variants else CheckResult.FAILED
elif isinstance(production_variants, dict):
return CheckResult.PASSED if 'variant_name' in production_variants and production_variants['variant_name'] else CheckResult.FAILED
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you explain the security concern of Terraform assigning a random name?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a GRC (specifically governance) concern. For example, my org requires specified SageMaker names and tags in spreadsheets, project management boards, planning docs, etc. A random, unspecific name could confuse users and result in downstream problems. So we prohibit random names in SageMaker endpoints for better governance.

@tsmithv11
Copy link
Collaborator

@braidoa we reviewed internally and the first 2 checks feel like ones you can use as custom for your organization. If you'd like to update the PR to just include the last one Ensure Amazon SageMaker notebook instances use lifecycle configurations, we'd gladly accept it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants