feat(terraform): add CKV_AWS_375, CKV_AWS_376, CKV_AWS_377 to add three new SageMaker checks

[braidoa]

User description

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

I've added three checks for Amazon SageMaker attributes.

New/Edited policies (Delete if not relevant)

id = "CKV_AWS_375"
name = "Ensure Amazon SageMaker endpoint has a name specified"

• checks for the "name" attribute
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sagemaker_model

id = "CKV_AWS_376"
name = "Ensure Amazon SageMaker endpoint configuration has at least one production variant specified"

• checks for at least 1 "production_variants" attribute
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sagemaker_endpoint_configuration

id = "CKV_AWS_377"
name = "Ensure Amazon SageMaker notebook instances use lifecycle configurations"

• checks for the "lifecycle_config_name" attribute
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sagemaker_notebook_instance

Description

Violations in each rule will occur when a SageMaker resource is missing the respective attribute.

Fix

Someone can fix these issues by specifying the attributes.

Checklist:

• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have added tests that prove my feature, policy, or fix is effective and works
• New and existing tests pass locally with my changes

---

Generated description

Below is a concise technical summary of the changes proposed in this PR:

Introduce three new checks for Amazon SageMaker resources in Terraform. The SagemakerEndpointConfigurationEndpointNameSpecified class ensures that SageMaker endpoints have a name specified, while the SagemakerEndpointConfigurationProductionVariantsSpecified class checks for at least one production variant in endpoint configurations. Additionally, the SagemakerNotebookLifecycleConfigSpecified class verifies that SageMaker notebook instances use lifecycle configurations. These checks enhance the validation of SageMaker resources by ensuring essential attributes are present.

Topic	Details
Endpoint Name Check	Ensure that SageMaker endpoints have a name specified to comply with naming conventions. Modified files (2) checkov/terraform/checks/resource/aws/SagemakerEndpointConfigurationNameSpecified.py tests/terraform/checks/resource/aws/example_SagemakerEndpointConfigurationNameSpecified/main.tf Latest Contributors(0) User Commit Date
Production Variants Check	Verify that SageMaker endpoint configurations include at least one production variant to ensure proper deployment. Modified files (2) checkov/terraform/checks/resource/aws/SagemakerEndpointConfigurationProductionVariantsSpecified.py tests/terraform/checks/resource/aws/example_SagemakerEndpointConfigurationProductionVariantsSpecified/main.tf Latest Contributors(0) User Commit Date
Lifecycle Config Check	Ensure that SageMaker notebook instances utilize lifecycle configurations for better management. Modified files (2) checkov/terraform/checks/resource/aws/SagemakerNotebookLifecycleConfigSpecified.py tests/terraform/checks/resource/aws/example_SagemakerNotebookLifecycleConfigSpecified/main.tf Latest Contributors(0) User Commit Date

This pull request is reviewed by Baz. Join @braidoa and the rest of your team on (Baz).

[braidoa]

Hi folks. Is anyone available to review this?

[tsmithv11]

Thanks for the contribution, @braidoa! My concern about these checks is that Checkov is meant to be a security tool and these don't appear to be security checks. Am I misunderstanding?

[tsmithv11]

Requiring name isn't really a security check. You can also use name_prefix which would be valid but flagged by this check.

[tsmithv11]

Can you explain the security concern of Terraform assigning a random name?