
feat(terraform): add CKV_AWS_375, CKV_AWS_376, CKV_AWS_377 to add three new SageMaker checks #6732

Open · wants to merge 3 commits into base: main

Conversation

@braidoa braidoa commented Sep 25, 2024

User description

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

I've added three checks for Amazon SageMaker attributes.

New/Edited policies

id = "CKV_AWS_375"
name = "Ensure Amazon SageMaker endpoint has a name specified"

id = "CKV_AWS_376"
name = "Ensure Amazon SageMaker endpoint configuration has at least one production variant specified"

id = "CKV_AWS_377"
name = "Ensure Amazon SageMaker notebook instances use lifecycle configurations"

Description

Violations in each rule will occur when a SageMaker resource is missing the respective attribute.

Fix

Someone can fix these issues by specifying the attributes.

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my feature, policy, or fix is effective and works
  • New and existing tests pass locally with my changes

Generated description

Below is a concise technical summary of the changes proposed in this PR:

Introduce three new checks for Amazon SageMaker resources in Terraform. The SagemakerEndpointConfigurationEndpointNameSpecified class ensures that SageMaker endpoints have a name specified, while the SagemakerEndpointConfigurationProductionVariantsSpecified class checks for at least one production variant in endpoint configurations. Additionally, the SagemakerNotebookLifecycleConfigSpecified class verifies that SageMaker notebook instances use lifecycle configurations. These checks enhance the validation of SageMaker resources by ensuring essential attributes are present.

Topic: Endpoint Name Check. Details: Ensure that SageMaker endpoints have a name specified to comply with naming conventions.
Modified files (2):
  • checkov/terraform/checks/resource/aws/SagemakerEndpointConfigurationNameSpecified.py
  • tests/terraform/checks/resource/aws/example_SagemakerEndpointConfigurationNameSpecified/main.tf

Topic: Production Variants Check. Details: Verify that SageMaker endpoint configurations include at least one production variant to ensure proper deployment.
Modified files (2):
  • checkov/terraform/checks/resource/aws/SagemakerEndpointConfigurationProductionVariantsSpecified.py
  • tests/terraform/checks/resource/aws/example_SagemakerEndpointConfigurationProductionVariantsSpecified/main.tf

Topic: Lifecycle Config Check. Details: Ensure that SageMaker notebook instances utilize lifecycle configurations for better management.
Modified files (2):
  • checkov/terraform/checks/resource/aws/SagemakerNotebookLifecycleConfigSpecified.py
  • tests/terraform/checks/resource/aws/example_SagemakerNotebookLifecycleConfigSpecified/main.tf

@braidoa (Author) commented Oct 10, 2024

Hi folks. Is anyone available to review this?

@tsmithv11 (Collaborator) left a comment


Thanks for the contribution, @braidoa! My concern about these checks is that Checkov is meant to be a security tool and these don't appear to be security checks. Am I misunderstanding?

```python
        # Diff context quoted from the PR's endpoint-name check: it inspects only the "name" attribute
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

    def get_inspected_key(self):
        return "name"
```
@tsmithv11 (Collaborator):

Requiring name isn't really a security check. You can also use name_prefix which would be valid but flagged by this check.

@braidoa (Author):

See comment below. 😄

```python
        # Diff context quoted from the PR's production-variants check: a list passes when non-empty,
        # a single block passes when it carries a non-empty variant_name
        if isinstance(production_variants, list):
            return CheckResult.PASSED if production_variants else CheckResult.FAILED
        elif isinstance(production_variants, dict):
            return CheckResult.PASSED if 'variant_name' in production_variants and production_variants['variant_name'] else CheckResult.FAILED
```
@tsmithv11 (Collaborator):

Can you explain the security concern of Terraform assigning a random name?

@braidoa (Author):

It's a GRC (specifically governance) concern. For example, my org requires specified SageMaker names and tags in spreadsheets, project management boards, planning docs, etc. A random, unspecific name could confuse users and result in downstream problems. So we prohibit random names in SageMaker endpoints for better governance.
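As an added example (not code from this PR or from Checkov itself): a plain-Python model of the two checks discussed in this review, with the reviewer's `name_prefix` point folded in so a resource that sets either `name` or `name_prefix` passes and only a provider-generated random name fails. It assumes Checkov's parsed-Terraform shape (each attribute value wrapped in a one-element list, nested blocks as lists of dicts); that shape, the `CheckResult` stand-in and the sample resources are assumptions constructed for the example.

```python
from enum import Enum
from typing import Any, Dict

class CheckResult(Enum):
    """Stand-in for checkov's CheckResult (constructed for this example)."""
    PASSED = "PASSED"
    FAILED = "FAILED"

def _first(conf: Dict[str, Any], key: str) -> Any:
    """Unwrap the one-element list the parser (assumed) puts around a value."""
    value = conf.get(key)
    if isinstance(value, list):
        return value[0] if value else None
    return value

def _nonempty_str(value: Any) -> bool:
    return isinstance(value, str) and bool(value.strip())

def endpoint_name_specified(conf: Dict[str, Any]) -> CheckResult:
    """aws_sagemaker_endpoint: pass when name OR name_prefix is set,
    so the provider-generated random name is the only case that fails."""
    if any(_nonempty_str(_first(conf, k)) for k in ("name", "name_prefix")):
        return CheckResult.PASSED
    return CheckResult.FAILED

def production_variant_specified(conf: Dict[str, Any]) -> CheckResult:
    """aws_sagemaker_endpoint_configuration: pass when at least one
    production_variants block carries a non-empty variant_name."""
    variants = conf.get("production_variants")
    if isinstance(variants, dict):  # tolerate a single unwrapped block
        variants = [variants]
    if not isinstance(variants, list):
        return CheckResult.FAILED
    for block in variants:
        if isinstance(block, dict) and _nonempty_str(_first(block, "variant_name")):
            return CheckResult.PASSED
    return CheckResult.FAILED

# Constructed sample resources in the assumed parsed form (not from the PR).
SAMPLES = {
    "random_name": {"tags": [{"team": "ml"}]},
    "prefixed": {"name_prefix": ["ml-endpoint-"]},
    "explicit": {"name": ["fraud-scoring"]},
    "no_variants": {"production_variants": []},
    "one_variant": {"production_variants": [{"variant_name": ["primary"], "model_name": ["m1"]}]},
}
```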
