fix(terraform): CKV2_IBM_1 - ignore case for load balancer of type private_path (#7010)

Aashiq-J · tsmithv11 · web-flow · commit f4566e9b239a · 2025-04-08T01:39:39.000-07:00
* fix: ignore case for load balancer of type private_path

* Fix and add test

---------

Co-authored-by: Taylor &lt;tsmith.v11@gmail.com&gt;
Co-authored-by: Taylor &lt;28880387+tsmithv11@users.noreply.github.com&gt;
diff --git a/checkov/terraform/checks/graph_checks/ibm/IBM_LoadBalancerforVPCisPrivate.yaml b/checkov/terraform/checks/graph_checks/ibm/IBM_LoadBalancerforVPCisPrivate.yaml
@@ -2,17 +2,20 @@ metadata:
   id: "CKV2_IBM_1"
   name: "Ensure load balancer for VPC is private (disable public access)"
   category: "GENERAL_SECURITY"
-
 definition:
   and:
-
     - cond_type: "attribute"
       resource_types: "ibm_is_lb"
       attribute: "type"
       operator: "exists"
-
-    - cond_type: "attribute"
-      resource_types: "ibm_is_lb"
-      attribute: "type"
-      operator: "equals_ignore_case"
-      value: "private"
+    - or:
+      - cond_type: "attribute"
+        resource_types: "ibm_is_lb"
+        attribute: "type"
+        operator: "equals_ignore_case"
+        value: "private"
+      - cond_type: "attribute"
+        resource_types: "ibm_is_lb"
+        attribute: "type"
+        operator: "equals_ignore_case"
+        value: "private_path"
diff --git a/tests/terraform/graph/checks/resources/IBM_LoadBalancerforVPCisPrivate/expected.yaml b/tests/terraform/graph/checks/resources/IBM_LoadBalancerforVPCisPrivate/expected.yaml
@@ -1,4 +1,5 @@
 pass:
   - "ibm_is_lb.pass"
+  - "ibm_is_lb.pass_private_path"
 fail:
   - "ibm_is_lb.fail"
diff --git a/tests/terraform/graph/checks/resources/IBM_LoadBalancerforVPCisPrivate/main.tf b/tests/terraform/graph/checks/resources/IBM_LoadBalancerforVPCisPrivate/main.tf
@@ -17,3 +17,11 @@ resource "ibm_is_lb" "fail" {
   subnets = [var.pud-subnet]
   profile = "network-fixed"
 }
+
+# Case 3: Pass: type = "private"
+
+resource "ibm_is_lb" "pass_private_path" {
+  name    = "pud-load-balancer"
+  subnets = [var.pud-subnet]
+  type = "private_path"
+}
diff --git a/tests/terraform/graph/checks/test_yaml_policies.py b/tests/terraform/graph/checks/test_yaml_policies.py
@@ -511,7 +511,7 @@ def test_AzureMSSQLserverConfigPrivEndpt(self):
     def test_AzureSynapseWorkspaceVAisEnabled(self):
         self.go("AzureSynapseWorkspaceVAisEnabled")
 
-    def test_IBM_AppLBforVPCisPrivate(self):
+    def test_IBM_LoadBalancerforVPCisPrivate(self):
         self.go("IBM_LoadBalancerforVPCisPrivate")
 
     def test_IBM_VPCclassicAccessIsDisabled(self):
