handle python cdk

bridgecrewio · Feb 7, 2025 · cc2b79b · cc2b79b
1 parent 8c93704
commit cc2b79b
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 28 deletions.
diff --git a/cdk_integration_tests/src/python/ECSClusterContainerInsights/fail__1__.py b/cdk_integration_tests/src/python/ECSClusterContainerInsights/fail__1__.py
@@ -1,20 +1,19 @@
-from aws_cdk import core
+import aws_cdk as core
+from constructs import Construct
 from aws_cdk import aws_ecs as ecs
+from aws_cdk import aws_ec2 as ec2
 
 class MyECSClusterStack(core.Stack):
     def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
         super().__init__(scope, id, **kwargs)
 
-        # Define ECS Cluster with Cluster Settings
-        cluster = ecs.CfnCluster(
-            self, 'MyECSCluster',
-            cluster_name='my-ecs-cluster',
-            cluster_settings=[{
-                'name': 'containerInsights',
-                'value': 'disabled'
-            }]
-            # Other properties for your ECS Cluster
-        )
+        vpc = ec2.Vpc(self, "Vpc",
+                      ip_protocol=ec2.IpProtocol.DUAL_STACK
+                      )
+
+        cluster = ecs.Cluster(self, "EcsCluster", vpc=vpc, container_insights=False)
+        cluster2 = ecs.Cluster(self, "EcsCluster", vpc=vpc)
+        cluster3 = ecs.Cluster(self, "EcsCluster", vpc=vpc, container_insights_v2=ecs.ContainerInsights.DISABLED)
 
 app = core.App()
 MyECSClusterStack(app, "MyECSClusterStack")

diff --git a/cdk_integration_tests/src/python/ECSClusterContainerInsights/pass.py b/cdk_integration_tests/src/python/ECSClusterContainerInsights/pass.py
@@ -1,21 +1,20 @@
-from aws_cdk import core
+import aws_cdk as core
+from constructs import Construct
 from aws_cdk import aws_ecs as ecs
+from aws_cdk import aws_ec2 as ec2
 
 class MyECSClusterStack(core.Stack):
-    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+    def __init__(self, scope: Construct, id: str, **kwargs) -> None:
         super().__init__(scope, id, **kwargs)
 
-        # Define ECS Cluster with Cluster Settings
-        cluster = ecs.CfnCluster(
-            self, 'MyECSCluster',
-            cluster_name='my-ecs-cluster',
-            cluster_settings=[{
-                'name': 'containerInsights',
-                'value': 'enabled'
-            }]
-            # Other properties for your ECS Cluster
+        vpc = ec2.Vpc(self, "Vpc",
+            ip_protocol=ec2.IpProtocol.DUAL_STACK
         )
 
+        cluster = ecs.Cluster(self, "EcsCluster", vpc=vpc, container_insights=True)
+        cluster2 = ecs.Cluster(self, "EcsCluster2", vpc=vpc, container_insights_v2=ecs.ContainerInsights.ENHANCED)
+        cluster3 = ecs.Cluster(self, "EcsCluster3", vpc=vpc, container_insights_v2=ecs.ContainerInsights.ENABLED)
+
 app = core.App()
 MyECSClusterStack(app, "MyECSClusterStack")
 app.synth()
diff --git a/checkov/cdk/checks/python/ECSClusterContainerInsights.yaml b/checkov/cdk/checks/python/ECSClusterContainerInsights.yaml
@@ -9,9 +9,23 @@ scope:
   languages:
     - python
 definition:
-  pattern: aws_cdk.aws_ecs.CfnCluster(<ANY>)
-  conditions:
-    - not_pattern: |
-        aws_cdk.aws_ecs.CfnCluster(<ANY>, cluster_settings=[<ANY>, {'name': 'containerInsights', 'value': 'enabled'} ,<ANY>], <ANY>)
-    - not_pattern: |
-        aws_cdk.aws_ecs.CfnCluster(<ANY>, cluster_settings=[<ANY>, {'value': 'enabled', 'name': 'containerInsights'} ,<ANY>], <ANY>)
+  patterns:
+    or:
+      - pattern: aws_cdk.aws_ecs.CfnCluster(<ANY>)
+        conditions:
+          - not_pattern: |
+              aws_cdk.aws_ecs.CfnCluster(<ANY>, cluster_settings=[<ANY>, {'name': 'containerInsights', 'value': 'enabled'} ,<ANY>], <ANY>)
+          - not_pattern: |
+              aws_cdk.aws_ecs.CfnCluster(<ANY>, cluster_settings=[<ANY>, {'value': 'enabled', 'name': 'containerInsights'} ,<ANY>], <ANY>)
+          - not_pattern: |
+              aws_cdk.aws_ecs.CfnCluster(<ANY>, cluster_settings=[<ANY>, {'name': 'containerInsights', 'value': 'enhanced'} ,<ANY>], <ANY>)
+          - not_pattern: |
+              aws_cdk.aws_ecs.CfnCluster(<ANY>, cluster_settings=[<ANY>, {'value': 'enhanced', 'name': 'containerInsights'} ,<ANY>], <ANY>)
+      - pattern: aws_cdk.aws_ecs.Cluster(<ANY>)
+        conditions:
+          - not_pattern: |
+              aws_cdk.aws_ecs.Cluster(<ANY>, container_insights=True, <ANY>)
+          - not_pattern: |
+              aws_cdk.aws_ecs.Cluster(<ANY>, container_insights_v2=aws_ecs.ContainerInsights.ENABLED, <ANY>)
+          - not_pattern: |
+              aws_cdk.aws_ecs.Cluster(<ANY>, container_insights_v2=aws_ecs.ContainerInsights.ENHANCED, <ANY>)