From 6b97a046434f6d89d3cc36e60fd767389c2d106c Mon Sep 17 00:00:00 2001
From: Fennerr <41741346+Fennerr@users.noreply.github.com>
Date: Fri, 22 Sep 2023 11:22:56 +0200
Subject: [PATCH] fix(eks_control_plane_endpoint_access_restricted): handle endpoint private access (#2824)

Co-authored-by: Pepe Fagoaga
---
 ...ontrol_plane_endpoint_access_restricted.py | 2 +-
 ...l_plane_endpoint_access_restricted_test.py | 46 ++++++++++++++++++-
 2 files changed, 45 insertions(+), 3 deletions(-)

diff --git a/prowler/providers/aws/services/eks/eks_control_plane_endpoint_access_restricted/eks_control_plane_endpoint_access_restricted.py b/prowler/providers/aws/services/eks/eks_control_plane_endpoint_access_restricted/eks_control_plane_endpoint_access_restricted.py
index d26456a7..49086b72 100644
--- a/prowler/providers/aws/services/eks/eks_control_plane_endpoint_access_restricted/eks_control_plane_endpoint_access_restricted.py
+++ b/prowler/providers/aws/services/eks/eks_control_plane_endpoint_access_restricted/eks_control_plane_endpoint_access_restricted.py
@@ -15,7 +15,7 @@ class eks_control_plane_endpoint_access_restricted(Check):
 report.status_extended = (
 f"Cluster endpoint access is private for EKS cluster {cluster.name}."
 )
- if cluster.endpoint_public_access and not cluster.endpoint_private_access:
+ if cluster.endpoint_public_access:
 if "0.0.0.0/0" in cluster.public_access_cidrs:
 report.status = "FAIL"
 report.status_extended = f"Cluster control plane access is not restricted for EKS cluster {cluster.name}."
diff --git a/tests/providers/aws/services/eks/eks_control_plane_endpoint_access_restricted/eks_control_plane_endpoint_access_restricted_test.py b/tests/providers/aws/services/eks/eks_control_plane_endpoint_access_restricted/eks_control_plane_endpoint_access_restricted_test.py
index e4392c4e..c6f4aa8d 100644
--- a/tests/providers/aws/services/eks/eks_control_plane_endpoint_access_restricted/eks_control_plane_endpoint_access_restricted_test.py
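Review bot: After the change, a cluster whose public endpoint is enabled but limited to specific CIDRs falls through the widened `if` with `status_extended` still holding the "Cluster endpoint access is private" text assigned just above it, unless a branch outside the hunk rewrites that message; if nothing does, the public-but-restricted case now reports misleading wording and needs its own `status_extended` inside the `if cluster.endpoint_public_access:` body. Dropping `not cluster.endpoint_private_access` is the right call (enabling the private endpoint does not narrow who can reach the public one) but is easy to reintroduce later, so a comment such as `# Private access does not restrict the public endpoint; evaluate the public CIDRs whenever it is enabled.` would preserve the reasoning. Separately, the inner test matches only the literal `"0.0.0.0/0"`, so a public endpoint opened to a very broad prefix that is not spelled exactly that way is still reported as restricted; a prefix-length threshold computed with `ipaddress.ip_network` would make the detection less brittle. The enclosing method begins before the hunk and continues after it.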
+++ b/tests/providers/aws/services/eks/eks_control_plane_endpoint_access_restricted/eks_control_plane_endpoint_access_restricted_test.py
@@ -26,7 +26,7 @@ class Test_eks_control_plane_endpoint_access_restricted:
 result = check.execute()
 assert len(result) == 0
 
- def test_control_plane_private(self):
+ def test_control_plane_access_private(self):
 eks_client = mock.MagicMock
 eks_client.clusters = []
 eks_client.clusters.append(
@@ -59,6 +59,8 @@ class Test_eks_control_plane_endpoint_access_restricted:
 )
 assert result[0].resource_id == cluster_name
 assert result[0].resource_arn == cluster_arn
+ assert result[0].resource_tags == []
+ assert result[0].region == AWS_REGION
 
 def test_control_plane_access_restricted(self):
 eks_client = mock.MagicMock
@@ -93,8 +95,10 @@ class Test_eks_control_plane_endpoint_access_restricted:
 )
 assert result[0].resource_id == cluster_name
 assert result[0].resource_arn == cluster_arn
+ assert result[0].resource_tags == []
+ assert result[0].region == AWS_REGION
 
- def test_control_plane_not_restricted(self):
+ def test_control_plane_public(self):
 eks_client = mock.MagicMock
 eks_client.clusters = []
 eks_client.clusters.append(
@@ -127,3 +131,41 @@ class Test_eks_control_plane_endpoint_access_restricted:
 )
 assert result[0].resource_id == cluster_name
 assert result[0].resource_arn == cluster_arn
+ assert result[0].resource_tags == []
+ assert result[0].region == AWS_REGION
+
+ def test_control_plane_public_and_private(self):
+ eks_client = mock.MagicMock
+ eks_client.clusters = []
+ eks_client.clusters.append(
+ EKSCluster(
+ name=cluster_name,
+ arn=cluster_arn,
+ region=AWS_REGION,
+ logging=None,
+ endpoint_public_access=True,
+ endpoint_private_access=True,
+ public_access_cidrs=["123.123.123.123/32", "0.0.0.0/0"],
+ )
+ )
+
+ with mock.patch(
+ "prowler.providers.aws.services.eks.eks_service.EKS",
+ eks_client,
+ ):
+ from prowler.providers.aws.services.eks.eks_control_plane_endpoint_access_restricted.eks_control_plane_endpoint_access_restricted import (
+ eks_control_plane_endpoint_access_restricted,
+ )
+
+ check = eks_control_plane_endpoint_access_restricted()
+ result = check.execute()
+ assert len(result) == 1
+ assert result[0].status == "FAIL"
+ assert search(
+ "Cluster control plane access is not restricted for EKS cluster",
+ result[0].status_extended,
+ )
+ assert result[0].resource_id == cluster_name
+ assert result[0].resource_arn == cluster_arn
+ assert result[0].resource_tags == []
+ assert result[0].region == AWS_REGION
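Review bot: `eks_client = mock.MagicMock` in the new test binds the `MagicMock` class itself, so `eks_client.clusters = []` assigns a class attribute that outlives the test rather than per-instance state; `eks_client = mock.MagicMock()` would keep the fixture isolated (the sibling tests in this file follow the same pattern, so fixing it consistently is a separate cleanup). The new test pins the regression the fix targets — public and private access both enabled with `0.0.0.0/0` present must FAIL — but the other combination the old guard skipped, both endpoints enabled with only `123.123.123.123/32` in `public_access_cidrs`, has no test, so its expected status and `status_extended` remain unasserted. A copy of this test with `public_access_cidrs=["123.123.123.123/32"]` and the expectations from `test_control_plane_access_restricted` would close that gap.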