Checkmarx · joaoReigota1 · Feb 14, 2022 · Feb 7, 2022 · Feb 8, 2022 · Feb 8, 2022
@@ -39,9 +39,11 @@ FROM alpine:3.14.3
 RUN wget https://releases.hashicorp.com/terraform/1.1.3/terraform_1.1.3_linux_amd64.zip \
     && unzip terraform_1.1.3_linux_amd64.zip && rm terraform_1.1.3_linux_amd64.zip \
     && mv terraform /usr/bin/terraform \
+    && wget https://releases.hashicorp.com/terraform-provider-azurerm/2.95.0/terraform-provider-azurerm_2.95.0_linux_amd64.zip \
     && wget https://releases.hashicorp.com/terraform-provider-aws/3.72.0/terraform-provider-aws_3.72.0_linux_amd64.zip \
+    && unzip terraform-provider-azurerm_2.95.0_linux_amd64.zip && rm terraform-provider-azurerm_2.95.0_linux_amd64.zip\
     && unzip terraform-provider-aws_3.72.0_linux_amd64.zip && rm terraform-provider-aws_3.72.0_linux_amd64.zip \
-    && mkdir ~/.terraform.d && mkdir ~/.terraform.d/plugins && mkdir ~/.terraform.d/plugins/linux_amd64 && mv terraform-provider-aws_v3.72.0_x5 ~/.terraform.d/plugins/linux_amd64 \
+    && mkdir ~/.terraform.d && mkdir ~/.terraform.d/plugins && mkdir ~/.terraform.d/plugins/linux_amd64 && mv terraform-provider-aws_v3.72.0_x5 terraform-provider-azurerm_v2.95.0_x5 ~/.terraform.d/plugins/linux_amd64 \
     && apk add --no-cache \
     git=2.32.0-r0
 

@@ -38,9 +38,11 @@ RUN wget https://releases.hashicorp.com/terraform/1.1.3/terraform_1.1.3_linux_am
 RUN unzip terraform_1.1.3_linux_amd64.zip && rm terraform_1.1.3_linux_amd64.zip
 RUN mv terraform /usr/bin/terraform
 
+RUN wget https://releases.hashicorp.com/terraform-provider-azurerm/2.95.0/terraform-provider-azurerm_2.95.0_linux_amd64.zip
 RUN wget https://releases.hashicorp.com/terraform-provider-aws/3.72.0/terraform-provider-aws_3.72.0_linux_amd64.zip
+RUN unzip terraform-provider-azurerm_2.95.0_linux_amd64.zip && rm terraform-provider-azurerm_2.95.0_linux_amd64.zip
 RUN unzip terraform-provider-aws_3.72.0_linux_amd64.zip && rm terraform-provider-aws_3.72.0_linux_amd64.zip
-RUN mkdir ~/.terraform.d && mkdir ~/.terraform.d/plugins && mkdir ~/.terraform.d/plugins/linux_amd64 && mv terraform-provider-aws_v3.72.0_x5 ~/.terraform.d/plugins/linux_amd64
+RUN mkdir ~/.terraform.d && mkdir ~/.terraform.d/plugins && mkdir ~/.terraform.d/plugins/linux_amd64 && mv terraform-provider-aws_v3.72.0_x5 terraform-provider-azurerm_v2.95.0_x5 ~/.terraform.d/plugins/linux_amd64
 
 
 # Install Git

@@ -56,9 +56,11 @@ RUN wget https://releases.hashicorp.com/terraform/1.1.3/terraform_1.1.3_linux_am
 RUN unzip terraform_1.1.3_linux_amd64.zip && rm terraform_1.1.3_linux_amd64.zip
 RUN mv terraform /usr/bin/terraform
 
+RUN wget https://releases.hashicorp.com/terraform-provider-azurerm/2.95.0/terraform-provider-azurerm_2.95.0_linux_amd64.zip
 RUN wget https://releases.hashicorp.com/terraform-provider-aws/3.72.0/terraform-provider-aws_3.72.0_linux_amd64.zip
+RUN unzip terraform-provider-azurerm_2.95.0_linux_amd64.zip && rm terraform-provider-azurerm_2.95.0_linux_amd64.zip
 RUN unzip terraform-provider-aws_3.72.0_linux_amd64.zip && rm terraform-provider-aws_3.72.0_linux_amd64.zip
-RUN mkdir ~/.terraform.d && mkdir ~/.terraform.d/plugins && mkdir ~/.terraform.d/plugins/linux_amd64 && mv terraform-provider-aws_v3.72.0_x5 ~/.terraform.d/plugins/linux_amd64
+RUN mkdir ~/.terraform.d && mkdir ~/.terraform.d/plugins && mkdir ~/.terraform.d/plugins/linux_amd64 && mv terraform-provider-aws_v3.72.0_x5 terraform-provider-azurerm_v2.95.0_x5 ~/.terraform.d/plugins/linux_amd64
 
 
 COPY --from=build_env /app/bin/kics /app/bin/kics

@@ -57,9 +57,11 @@ RUN wget https://releases.hashicorp.com/terraform/1.1.3/terraform_1.1.3_linux_am
 RUN unzip terraform_1.1.3_linux_amd64.zip && rm terraform_1.1.3_linux_amd64.zip
 RUN mv terraform /usr/bin/terraform
 
+RUN wget https://releases.hashicorp.com/terraform-provider-azurerm/2.95.0/terraform-provider-azurerm_2.95.0_linux_amd64.zip
 RUN wget https://releases.hashicorp.com/terraform-provider-aws/3.72.0/terraform-provider-aws_3.72.0_linux_amd64.zip
+RUN unzip terraform-provider-azurerm_2.95.0_linux_amd64.zip && rm terraform-provider-azurerm_2.95.0_linux_amd64.zip
 RUN unzip terraform-provider-aws_3.72.0_linux_amd64.zip && rm terraform-provider-aws_3.72.0_linux_amd64.zip
-RUN mkdir ~/.terraform.d && mkdir ~/.terraform.d/plugins && mkdir ~/.terraform.d/plugins/linux_amd64 && mv terraform-provider-aws_v3.72.0_x5 ~/.terraform.d/plugins/linux_amd64
+RUN mkdir ~/.terraform.d && mkdir ~/.terraform.d/plugins && mkdir ~/.terraform.d/plugins/linux_amd64 && mv terraform-provider-aws_v3.72.0_x5 terraform-provider-azurerm_v2.95.0_x5 ~/.terraform.d/plugins/linux_amd64
 
 
 COPY --from=build_env /app/bin/kics /app/bin/kics

@@ -78,9 +78,11 @@ RUN wget https://releases.hashicorp.com/terraform/1.1.3/terraform_1.1.3_linux_am
 RUN unzip terraform_1.1.3_linux_amd64.zip && rm terraform_1.1.3_linux_amd64.zip
 RUN mv terraform /usr/bin/terraform
 
+RUN wget https://releases.hashicorp.com/terraform-provider-azurerm/2.95.0/terraform-provider-azurerm_2.95.0_linux_amd64.zip
 RUN wget https://releases.hashicorp.com/terraform-provider-aws/3.72.0/terraform-provider-aws_3.72.0_linux_amd64.zip
+RUN unzip terraform-provider-azurerm_2.95.0_linux_amd64.zip && rm terraform-provider-azurerm_2.95.0_linux_amd64.zip
 RUN unzip terraform-provider-aws_3.72.0_linux_amd64.zip && rm terraform-provider-aws_3.72.0_linux_amd64.zip
-RUN mkdir /app/bin/.terraform.d && mkdir /app/bin/.terraform.d/plugins && mkdir /app/bin/.terraform.d/plugins/linux_amd64 && mv terraform-provider-aws_v3.72.0_x5 /app/bin/.terraform.d/plugins/linux_amd64
+RUN mkdir ~/.terraform.d && mkdir ~/.terraform.d/plugins && mkdir ~/.terraform.d/plugins/linux_amd64 && mv terraform-provider-aws_v3.72.0_x5 terraform-provider-azurerm_v2.95.0_x5 ~/.terraform.d/plugins/linux_amd64
 
 USER ${KUSER}
 

@@ -4,6 +4,7 @@ From version 1.5, KICS integrates with Terraformer to scan resources deployed in
 
 **Cloud providers supported:**
 - AWS
+- AZURE
 
 ## Configure AWS Credentials
 
@@ -35,6 +36,67 @@ $Env:AWS_SESSION_TOKEN="<AWS_SESSION_TOKEN>"
 ```
 
 
+## Configure AZURE Credentials
+KICS provides two possibilities to use Terraformer with AZURE. Each one requires AZURE account credentials that you need to set as environment variables.
+
+#### Using Service Principal with Client Certificate
+
+MacOS and Linux:
+```sh
+export ARM_SUBSCRIPTION_ID="<ARM_SUBSCRIPTION_ID>"
+export ARM_CLIENT_ID="<ARM_CLIENT_ID>"
+export ARM_CLIENT_CERTIFICATE_PATH="<ARM_CLIENT_CERTIFICATE_PATH>"
+export ARM_CLIENT_CERTIFICATE_PASSWORD="<ARM_CLIENT_CERTIFICATE_PASSWORD>"
+export ARM_TENANT_ID="<ARM_TENANT_ID>"
+```
+
+Windows:
+
+```sh
+SET ARM_SUBSCRIPTION_ID=<ARM_SUBSCRIPTION_ID>
+SET ARM_CLIENT_ID="<ARM_CLIENT_ID>"
+SET ARM_CLIENT_CERTIFICATE_PATH="<ARM_CLIENT_CERTIFICATE_PATH>"
+SET ARM_CLIENT_CERTIFICATE_PASSWORD="<ARM_CLIENT_CERTIFICATE_PASSWORD>"
+SET ARM_TENANT_ID="<ARM_TENANT_ID>"
+```
+
+Powershell:
+
+```sh
+$Env:ARM_SUBSCRIPTION_ID="<ARM_SUBSCRIPTION_ID>"
+$Env:ARM_CLIENT_ID="<ARM_CLIENT_ID>"
+$Env:ARM_CLIENT_CERTIFICATE_PATH="<ARM_CLIENT_CERTIFICATE_PATH>"
+$Env:ARM_CLIENT_CERTIFICATE_PASSWORD="<ARM_CLIENT_CERTIFICATE_PASSWORD>"
+$Env:ARM_TENANT_ID="<ARM_TENANT_ID>"
+```
+
+#### Service Principal with Client Secret
+
+MacOS and Linux:
+```sh
+export ARM_SUBSCRIPTION_ID="<ARM_SUBSCRIPTION_ID>"
+export ARM_CLIENT_ID="<ARM_CLIENT_ID>"
+export ARM_CLIENT_SECRET="<ARM_CLIENT_SECRET>"
+export ARM_TENANT_ID="<ARM_TENANT_ID>"
+```
+
+Windows:
+
+```sh
+SET ARM_SUBSCRIPTION_ID=<ARM_SUBSCRIPTION_ID>
+SET ARM_CLIENT_ID="<ARM_CLIENT_ID>"
+SET ARM_CLIENT_SECRET="<ARM_CLIENT_SECRET>"
+SET ARM_TENANT_ID="<ARM_TENANT_ID>"
+```
+
+Powershell:
+
+```sh
+$Env:ARM_SUBSCRIPTION_ID="<ARM_SUBSCRIPTION_ID>"
+$Env:ARM_CLIENT_ID="<ARM_CLIENT_ID>"
+$Env:ARM_CLIENT_SECRET="<ARM_CLIENT_SECRET>"
+$Env:ARM_TENANT_ID="<ARM_TENANT_ID>"
+```
 
 ## KICS Terraformer Path Syntax
 
@@ -46,10 +108,12 @@ terraformer::{CloudProvider}:{Resources}:{Regions}
 
 Possible values:
 - `aws`
+- `azure`
 
 **Resources:** A slash-separated list of the resources intended to be imported and scanned.
-
-You can find a complete list of possible values [here](https://github.com/GoogleCloudPlatform/terraformer/blob/master/docs/aws.md#supported-services)
+You can find a complete list of possible values in the links below:
+- [aws](https://github.com/GoogleCloudPlatform/terraformer/blob/master/docs/aws.md#supported-services)
+- [azure](https://github.com/GoogleCloudPlatform/terraformer/blob/master/docs/azure.md#list-of-supported-azure-resources)
 
 To import all resources please use: `*`
 
@@ -74,7 +138,7 @@ If the flag `-o, --output-path` is passed the folder `kics-extract-terraformer`
             variables.tf
 ```
 
-### Docker
+### [AWS] Run KICS Terraformer integration with Docker
 
 To run KICS Terraformer integration with Docker simply pass the AWS Credentials that were set as environment variables to the `docker run` command and use the terraformer path syntax
 
@@ -87,92 +151,37 @@ docker run -e AWS_SECRET_ACCESS_KEY -e AWS_ACCESS_KEY_ID -e AWS_SESSION_TOKEN ch
 docker run -e AWS_SECRET_ACCESS_KEY -e AWS_ACCESS_KEY_ID -e AWS_SESSION_TOKEN -v ${PWD}:/path/ checkmarx/kics:latest scan -p "terraformer::aws:vpc:eu-west-2" -v --no-progress -o /path/results
 ```
 
-
-
 <img src="./img/docker_terraformer.gif" />
 
-### Executable
-
-
-### **Disclaimer:** In order to run terraformer with KICS executable please follow these prerequisites:
-
-### Install Terraform
-
-Follow the steps described in Hashicorp documentation https://learn.hashicorp.com/tutorials/terraform/install-cli#install-terraform to install terraform.
 
-### Install AWS Provider Plugin
+### [AZURE] Run KICS Terraformer integration with Docker
+To run KICS Terraformer integration with Docker simply pass the AZURE Credentials that were set as environment variables to the docker run command and use the terraformer path syntax. Choose one of the following options:
 
-It is required that the AWS Provider plugin for terraform to be present.
-
-To install AWS Provider plugin:
-- Download the plugin from [Terraform Providers](https://releases.hashicorp.com/terraform-provider-aws/3.72.0/) according to your architecture.
-- Unzip the file to:
-
-### Linux:
-```
-$HOME/.terraform.d/plugins/linux_{arch}/
-
-Example:
-~/.terraform.d/plugins/linux_amd64/terraform-provider-aws_v3.71.0_x5
-```
-
-### MacOS
+#### Using Service Principal with Client Certificate
+Note that you should fill the `<certificate_path>` with the path that points to the directory where your certificate is located, and the `<certificate-name>` should point to the certificate name located in `<certificate_path>`.
 
+```sh
+docker run -v <certificate_path>:/certificate -e ARM_CLIENT_CERTIFICATE_PATH=/certificate/<certificate_name>.pfx -e ARM_CLIENT_CERTIFICATE_PASSWORD -e ARM_TENANT_ID -e ARM_CLIENT_ID -e ARM_SUBSCRIPTION_ID checkmarx/kics:latest scan -p "terraformer::azure:storage_account:eastus" -v --no-progress
 ```
-$HOME/.terraform.d/plugins/darwin_{arch}
-
-Example:
-$HOME/.terraform.d/plugins/darwin_amd64/terraform-provider-aws_3.72.0_darwin_amd64
+```sh
+docker run -v <certificate_path>:/certificate -v ${PWD}:/path/ -e ARM_CLIENT_CERTIFICATE_PATH=/certificate/<certificate_name>.pfx -e ARM_CLIENT_CERTIFICATE_PASSWORD -e ARM_TENANT_ID -e ARM_CLIENT_ID -e ARM_SUBSCRIPTION_ID checkmarx/kics:latest scan -p "terraformer::azure:storage_account:eastus" -v --no-progress -o /path/results
 ```
 
-### Windows:
-
-For Windows a little more work is required, since you can't globally install the AWS Provider plugin, you need to have it present in every directory you wish to import the resources to.
-
-Please follow these steps:
-
-- Create a versions.tf file in the folder you wish to run KICS and import the resources to.
-
-- Paste the code found under `USE PROVIDER` from terraform AWS Provider [Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) in the versions.tf file you just created.
-
-- run the command `terraform init` on the directory containing `versions.tf`. A new folder named `.terraform` should have been created containing the plugin. This folder must be present in every directory you wish to run KICS on using terraformer.
+![client_certificate_terraformer_azure](https://user-images.githubusercontent.com/74001161/152843317-7e83b70c-2a44-4f22-8a5e-fa9434950269.gif)
 
-**NOTE:** `.terraform.hcl.lock` can be deleted
 
-Example tf file:
-
-```hcl
-terraform {
-  required_providers {
-    aws = {
-      source = "hashicorp/aws"
-      version = "3.72.0"
-    }
-  }
-}
-
-provider "aws" {
-  # Configuration options
-}
+#### Service Principal with Client Secret
+```sh
+docker run -e ARM_SUBSCRIPTION_ID -e ARM_CLIENT_ID -e ARM_CLIENT_SECRET -e ARM_TENANT_ID checkmarx/kics:latest scan -p "terraformer::azure:storage_account:eastus" -v --no-progress
 ```
-
-## Examples:
-
-Example path:
-
 ```sh
-kics scan -p 'terraformer::aws:vpc/subnet:eu-west-2/eu-west-1'
+docker run -e ARM_SUBSCRIPTION_ID -e ARM_CLIENT_ID -e ARM_CLIENT_SECRET -e ARM_TENANT_ID -v ${PWD}:/path/ checkmarx/kics:latest scan -p "terraformer::azure:storage_account:eastus" -v --no-progress -o /path/results
 ```
 
-These examples showcase KICS integration with terraformer for importing and scanning our VPCs in region `eu-west-2`.
-
-### Linux
+![client_secret_terraformer_azure](https://user-images.githubusercontent.com/74001161/152833926-68b7cc56-23c0-4297-b308-56f4c6746e09.gif)
 
-<img src="./img/linux_terraformer.gif" />
 
-### Windows
 
-<img src="./img/windows_terraformer.gif" />
 
 ## **NOTES**
 

@@ -0,0 +1,51 @@
+//go:build !dev
+// +build !dev
+
+package azure
+
+import (
+	"context"
+	"errors"
+	"sync"
+	"time"
+
+	importer "github.com/GoogleCloudPlatform/terraformer/cmd"
+	azureterraformer "github.com/GoogleCloudPlatform/terraformer/providers/azure"
+	"github.com/GoogleCloudPlatform/terraformer/terraformutils"
+)
+
+var terraformerTimeout = time.Minute * 3
+
+// ImporterFunc is the function kics uses to import resources (for testing porpuses)
+var ImporterFunc func(provider terraformutils.ProviderGenerator, options importer.ImportOptions, args []string) error = importer.Import
+
+// CloudProvider is the AZURE Cloud Provider
+type CloudProvider struct{}
+
+var provider = &azureterraformer.AzureProvider{}
+
+// Import imports the terraformer resources into the destination using terraformer
+func (a CloudProvider) Import(ctx context.Context, options *importer.ImportOptions, destination string) error {
+	ctxT, cancel := context.WithTimeout(ctx, terraformerTimeout)
+	defer cancel()
+	wg := sync.WaitGroup{}
+	done := make(chan error, 1)
+
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		done <- ImporterFunc(provider, *options, []string{options.ResourceGroup})
+	}()
+
+	go func() {
+		defer close(done)
+		wg.Wait()
+	}()
+
+	select {
+	case err := <-done:
+		return err
+	case <-ctxT.Done():
+		return errors.New("terraformer import execution timeout")
+	}
+}
@@ -0,0 +1,72 @@
+//go:build !dev
+// +build !dev
+
+package azure
+
+import (
+	"context"
+	"testing"
+
+	importer "github.com/GoogleCloudPlatform/terraformer/cmd"
+	"github.com/GoogleCloudPlatform/terraformer/terraformutils"
+)
+
+var mockOptions = &importer.ImportOptions{
+	Resources:     []string{"storage_account"},
+	Excludes:      []string{""},
+	PathPattern:   "destination",
+	PathOutput:    "generated",
+	State:         "local",
+	Bucket:        "",
+	Profile:       "",
+	Verbose:       false,
+	Zone:          "",
+	Regions:       []string{"eastus"},
+	Projects:      []string{""},
+	ResourceGroup: "",
+	Connect:       true,
+	Compact:       false,
+	Filter:        []string{},
+	Plan:          false,
+	Output:        "hcl",
+	RetryCount:    5,
+	RetrySleepMs:  300,
+}
+
+func TestCloudProvider_Import(t *testing.T) {
+	type args struct {
+		ctx         context.Context
+		options     *importer.ImportOptions
+		destination string
+	}
+	tests := []struct {
+		name    string
+		a       CloudProvider
+		args    args
+		wantErr bool
+	}{
+		{
+			name: "test import",
+			a:    CloudProvider{},
+			args: args{
+				ctx:         context.Background(),
+				options:     mockOptions,
+				destination: "destination",
+			},
+			wantErr: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			a := CloudProvider{}
+			ImporterFunc = mockImporter
+			if err := a.Import(tt.args.ctx, tt.args.options, tt.args.destination); (err != nil) != tt.wantErr {
+				t.Errorf("CloudProvider.Import() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
+
+var mockImporter = func(provider terraformutils.ProviderGenerator, options importer.ImportOptions, args []string) error {
+	return nil
+}