fix(terraform): Fix protocols for CKV2_AWS_74 and fix for CKV2_K8S_5 (#7134)

* fix protocols

* fix CKV2_K8S_5

Author: tsmithv11

checkov/kubernetes/checks/graph_checks/ReadAllSecrets.yaml

@@ -58,3 +58,9 @@ definition:
                 resource_types:
                   - ClusterRole
                   - Role
+              - cond_type: attribute
+                attribute: rules.resourceNames
+                operator: exists
+                resource_types:
+                  - ClusterRole
+                  - Role

checkov/terraform/checks/graph_checks/aws/LBWeakCiphers.yaml

@@ -3,26 +3,36 @@ metadata:
   name: "Ensure AWS Load Balancers use strong ciphers"
   category: "NETWORKING"
 definition:
-  and:
+  or:
     - cond_type: "attribute"
       resource_types:
         - "aws_alb_listener"
         - "aws_lb_listener"
-      attribute: "ssl_policy"
-      operator: "exists"  # The default is ELBSecurityPolicy-2016-08 which is weak
-    - cond_type: "attribute"
-      resource_types:
-      - "aws_alb_listener"
-      - "aws_lb_listener"
-      attribute: "ssl_policy"
+      attribute: "protocol"
       operator: "not_within"
       value:
-        - "ELBSecurityPolicy-2016-08"
-        - "ELBSecurityPolicy-2015-05"
-        - "ELBSecurityPolicy-TLS-1-0-2015-04"
-        - "ELBSecurityPolicy-TLS-1-1-2017-01"
-        - "ELBSecurityPolicy-2015-03"
-        - "ELBSecurityPolicy-2015-02"
-        - "ELBSecurityPolicy-2014-10"
-        - "ELBSecurityPolicy-Default"
-        - "ELBSecurityPolicy-2014-01"
+        - "HTTPS"
+        - "TLS"
+    - and:
+      - cond_type: "attribute"
+        resource_types:
+          - "aws_alb_listener"
+          - "aws_lb_listener"
+        attribute: "ssl_policy"
+        operator: "exists"  # The default is ELBSecurityPolicy-2016-08 which is weak
+      - cond_type: "attribute"
+        resource_types:
+        - "aws_alb_listener"
+        - "aws_lb_listener"
+        attribute: "ssl_policy"
+        operator: "not_within"
+        value:
+          - "ELBSecurityPolicy-2016-08"
+          - "ELBSecurityPolicy-2015-05"
+          - "ELBSecurityPolicy-TLS-1-0-2015-04"
+          - "ELBSecurityPolicy-TLS-1-1-2017-01"
+          - "ELBSecurityPolicy-2015-03"
+          - "ELBSecurityPolicy-2015-02"
+          - "ELBSecurityPolicy-2014-10"
+          - "ELBSecurityPolicy-Default"
+          - "ELBSecurityPolicy-2014-01"

tests/kubernetes/graph/checks/resources/ReadAllSecrets/Passing/RoleResourceName.yaml

@@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: "my-role"
+  namespace: my-namespace
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  resourceNames:
+    - "my-secret-resource"
+  verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: "my-role-binding"
+  namespace: my-namespace
+subjects:
+- kind: ServiceAccount
+  name: "my-service-account"
+roleRef:
+  kind: Role
+  name: "my-role"
+  apiGroup: rbac.authorization.k8s.io

tests/kubernetes/graph/checks/resources/ReadAllSecrets/expected.yaml

@@ -1,4 +1,5 @@
 pass:
   - "ClusterRoleBinding.default.read-pods-global"
+  - "RoleBinding.my-namespace.my-role-binding"
 fail:
   - "ClusterRoleBinding.default.read-secrets-global"

tests/terraform/graph/checks/resources/LBWeakCiphers/expected.yaml

@@ -5,3 +5,5 @@ fail:
 pass:
   - "aws_lb_listener.front_end_passing"
   - "aws_alb_listener.secure_listener"
+  - "aws_alb_listener.secure_listener2"
+  - "aws_lb_listener.tcp"

tests/terraform/graph/checks/resources/LBWeakCiphers/main.tf

@@ -78,4 +78,33 @@ resource "aws_alb_listener" "secure_listener" {
       status_code  = "200"
     }
   }
+}
+
+resource "aws_alb_listener" "secure_listener2" {
+  load_balancer_arn = aws_lb.secure_lb.arn
+  port              = "443"
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06"
+
+  certificate_arn = "arn:aws:acm:region:account:certificate/certificate-id"
+
+  default_action {
+    type             = "fixed-response"
+    fixed_response {
+      content_type = "text/plain"
+      message_body = "OK"
+      status_code  = "200"
+    }
+  }
+}
+
+resource "aws_lb_listener" "tcp" {
+  load_balancer_arn = aws_lb.external_lb.arn
+  port              = 443
+  protocol          = "TCP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.external_tg.arn
+  }
 }