feat(misconf): add agentpools to azure container schema (#9714)

Signed-off-by: nikpivkin <[email protected]>
Co-authored-by: nikpivkin <[email protected]>

Author: yagreut

pkg/iac/adapters/terraform/azure/container/adapt.go

@@ -35,6 +35,7 @@ func adaptCluster(resource *terraform.Block) container.KubernetesCluster {
 		APIServerAuthorizedIPRanges: nil,
 		AzurePolicyEnabled:          iacTypes.BoolDefault(false, resource.GetMetadata()),
 		DiskEncryptionSetID:         iacTypes.StringDefault("", resource.GetMetadata()),
+		AgentPools:                  []container.AgentPool{},
 		RoleBasedAccessControl: container.RoleBasedAccessControl{
 			Metadata: resource.GetMetadata(),
 			Enabled:  iacTypes.BoolDefault(false, resource.GetMetadata()),
@@ -119,10 +120,29 @@ func adaptCluster(resource *terraform.Block) container.KubernetesCluster {
 		cluster.AzurePolicyEnabled = azurePolicyEnabledAttr.AsBoolValueOrDefault(false, resource)
 	}
 
-	// disk encryption set ID
 	if diskEncryptionSetIDAttr := resource.GetAttribute("disk_encryption_set_id"); diskEncryptionSetIDAttr.IsNotNil() {
 		cluster.DiskEncryptionSetID = diskEncryptionSetIDAttr.AsStringValueOrDefault("", resource)
 	}
 
+	cluster.AgentPools = adaptAgentPools(resource)
+
 	return cluster
 }
+
+func adaptAgentPools(resource *terraform.Block) []container.AgentPool {
+	var pools []container.AgentPool
+
+	if defaultNodePoolBlock := resource.GetBlock("default_node_pool"); defaultNodePoolBlock.IsNotNil() {
+		pools = append(pools, adaptAgentPool(defaultNodePoolBlock))
+	}
+
+	return pools
+}
+
+func adaptAgentPool(block *terraform.Block) container.AgentPool {
+	return container.AgentPool{
+		Metadata:            block.GetMetadata(),
+		DiskEncryptionSetID: block.GetAttribute("disk_encryption_set_id").AsStringValueOrDefault("", block),
+		NodeType:            block.GetAttribute("type").AsStringValueOrDefault("VirtualMachineScaleSets", block),
+	}
+}

pkg/iac/adapters/terraform/azure/container/adapt_test.go

@@ -281,6 +281,52 @@ resource "azurerm_kubernetes_cluster" "misreporting_example" {
 				},
 			},
 		},
+		{
+			name: "with default_node_pool",
+			terraform: `
+			resource "azurerm_kubernetes_cluster" "example" {
+				default_node_pool {
+					name = "default"
+					node_count = 1
+					vm_size = "Standard_DS2_v2"
+					type = "VirtualMachineScaleSets"
+					disk_encryption_set_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Compute/diskEncryptionSets/node-pool-des"
+				}
+			}
+`,
+			expected: container.KubernetesCluster{
+				Metadata: iacTypes.NewTestMetadata(),
+				NetworkProfile: container.NetworkProfile{
+					Metadata:      iacTypes.NewTestMetadata(),
+					NetworkPolicy: iacTypes.String("", iacTypes.NewTestMetadata()),
+				},
+				EnablePrivateCluster: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
+				AzurePolicyEnabled:   iacTypes.Bool(false, iacTypes.NewTestMetadata()),
+				DiskEncryptionSetID:  iacTypes.String("", iacTypes.NewTestMetadata()),
+				AgentPools: []container.AgentPool{
+					{
+						Metadata:            iacTypes.NewTestMetadata(),
+						DiskEncryptionSetID: iacTypes.String("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Compute/diskEncryptionSets/node-pool-des", iacTypes.NewTestMetadata()),
+						NodeType:            iacTypes.String("VirtualMachineScaleSets", iacTypes.NewTestMetadata()),
+					},
+				},
+				AddonProfile: container.AddonProfile{
+					Metadata: iacTypes.NewTestMetadata(),
+					OMSAgent: container.OMSAgent{
+						Metadata: iacTypes.NewTestMetadata(),
+						Enabled:  iacTypes.Bool(false, iacTypes.NewTestMetadata()),
+					},
+					AzurePolicy: container.AzurePolicy{
+						Metadata: iacTypes.NewTestMetadata(),
+						Enabled:  iacTypes.Bool(false, iacTypes.NewTestMetadata()),
+					},
+				},
+				RoleBasedAccessControl: container.RoleBasedAccessControl{
+					Metadata: iacTypes.NewTestMetadata(),
+					Enabled:  iacTypes.Bool(false, iacTypes.NewTestMetadata()),
+				},
+			},
+		},
 	}
 
 	for _, test := range tests {

pkg/iac/providers/azure/container/container.go

@@ -17,6 +17,7 @@ type KubernetesCluster struct {
 	RoleBasedAccessControl      RoleBasedAccessControl
 	AzurePolicyEnabled          iacTypes.BoolValue
 	DiskEncryptionSetID         iacTypes.StringValue
+	AgentPools                  []AgentPool
 }
 
 type RoleBasedAccessControl struct {
@@ -44,3 +45,9 @@ type NetworkProfile struct {
 	Metadata      iacTypes.Metadata
 	NetworkPolicy iacTypes.StringValue // "", "calico", "azure"
 }
+
+type AgentPool struct {
+	Metadata            iacTypes.Metadata
+	DiskEncryptionSetID iacTypes.StringValue
+	NodeType            iacTypes.StringValue // "VirtualMachineScaleSets" or others
+}

pkg/iac/rego/schemas/cloud.json

@@ -4812,6 +4812,23 @@
         }
       }
     },
+    "fd.axjsq.dpdns.org.aquasecurity.trivy.pkg.iac.providers.azure.container.AgentPool": {
+      "type": "object",
+      "properties": {
+        "__defsec_metadata": {
+          "type": "object",
+          "$ref": "#/definitions/fd.axjsq.dpdns.org.aquasecurity.trivy.pkg.iac.types.Metadata"
+        },
+        "diskencryptionsetid": {
+          "type": "object",
+          "$ref": "#/definitions/fd.axjsq.dpdns.org.aquasecurity.trivy.pkg.iac.types.StringValue"
+        },
+        "nodetype": {
+          "type": "object",
+          "$ref": "#/definitions/fd.axjsq.dpdns.org.aquasecurity.trivy.pkg.iac.types.StringValue"
+        }
+      }
+    },
     "fd.axjsq.dpdns.org.aquasecurity.trivy.pkg.iac.providers.azure.container.AzurePolicy": {
       "type": "object",
       "properties": {
@@ -4848,6 +4865,13 @@
           "type": "object",
           "$ref": "#/definitions/fd.axjsq.dpdns.org.aquasecurity.trivy.pkg.iac.providers.azure.container.AddonProfile"
         },
+        "agentpools": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "$ref": "#/definitions/fd.axjsq.dpdns.org.aquasecurity.trivy.pkg.iac.providers.azure.container.AgentPool"
+          }
+        },
         "apiserverauthorizedipranges": {
           "type": "array",
           "items": {