From dedeb19c7fec13bad19410f969ea453547e9f1bf Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Mon, 3 Nov 2025 17:17:55 +0000 Subject: [PATCH 1/5] initial implementation --- .../metadata.json | 14 ++ .../query.rego | 102 ++++++++++++++ .../test/negative1.tf | 21 +++ .../test/positive1.tf | 53 +++++++ .../test/positive2.tf | 133 ++++++++++++++++++ .../test/positive3.tf | 34 +++++ .../test/positive4.tf | 40 ++++++ .../test/positive5.tf | 56 ++++++++ .../test/positive_expected_result.json | 86 +++++++++++ .../terraform_azure.yaml | 4 + 10 files changed, 543 insertions(+) create mode 100644 assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/metadata.json create mode 100644 assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/query.rego create mode 100644 assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/negative1.tf create mode 100644 assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive1.tf create mode 100644 assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive2.tf create mode 100644 assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive3.tf create mode 100644 assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive4.tf create mode 100644 assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive5.tf create mode 100644 assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive_expected_result.json diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/metadata.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/metadata.json new file mode 100644 index 00000000000..b79f1f6977a 
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/metadata.json
@@ -0,0 +1,14 @@
+{
+ "id": "b3b9ce2f-c229-4133-9a2b-4e649cf2347e",
+ "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule",
+ "severity": "MEDIUM",
+ "category": "Observability",
+ "descriptionText": "There should be a 'azurerm_monitor_activity_log_alert' resource configured to capture 'delete public ip address rule' events",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_activity_log_alert",
+ "platform": "Terraform",
+ "descriptionID": "b3b9ce2f",
+ "cloudProvider": "azure",
+ "cwe": "778",
+ "riskScore": "3.0",
+ "experimental": "true"
+}
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/query.rego b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/query.rego
new file mode 100644
index 00000000000..661190142ff
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/query.rego
@@ -0,0 +1,102 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+filter_fields := ["caller", "level", "levels", "status", "statuses", "sub_status", "sub_statuses"]
+
+CxPolicy[result] {
+ resources := {input.document[index].id : log_alerts |
+ log_alerts := input.document[index].resource.azurerm_monitor_activity_log_alert
+ }
+
+ value := at_least_one_valid_log_alert(resources)
+ value.result != "has_valid_log"
+
+ results := get_results(value)[_]
+
+ result := {
+ "documentId": results.doc_id,
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": tf_lib.get_resource_name(results.resource, results.name),
+ "searchKey": sprintf("azurerm_monitor_activity_log_alert[%s].criteria", [results.name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined",
+ "keyActualValue": results.keyActualValue,
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_monitor_activity_log_alert", results.name, "criteria"], [])
+ }
+}
+
+at_least_one_valid_log_alert(resources) = {"result" : "has_valid_log"} {
+ resources[doc_index][x].criteria.category == "Administrative"
+ resources[doc_index][x].criteria.operation_name == "Microsoft.Network/publicIPAddresses/delete"
+ not has_filter(resources[doc_index][x].criteria)
+ common_lib.valid_key(resources[doc_index][x].action, "action_group_id")
+
+} else = {"result" : "has_log_without_action", "logs": logs} {
+ logs := {doc_index: filtered |
+ resources[doc_index]
+ filtered := {key: resource |
+ resource := resources[doc_index][key]
+ resource.criteria.category == "Administrative"
+ resource.criteria.operation_name == "Microsoft.Network/publicIPAddresses/delete"
+ not has_filter(resource.criteria)}
+ }
+ logs[_] != {}
+
+} else = {"result" : "has_log_with_filter", "logs": logs} {
+ logs := {doc_index: filtered |
+ resources[doc_index]
+ filtered := {key: resource |
+ resource := resources[doc_index][key]
+ resource.criteria.category == "Administrative"
+ resource.criteria.operation_name == "Microsoft.Network/publicIPAddresses/delete"}
+ }
+ logs[_] != {}
+
+} else = {"result" : "has_invalid_logs_only", "logs": resources}
+
+get_results(value) = results { # Case of one or more resources failing due to not setting an "action.action_group_id" field
+ value.result == "has_log_without_action"
+
+ results := [z |
+ log := value.logs[doc_id][name]
+ z := {
+ "doc_id" : doc_id,
+ "resource" : log,
+ "name" : name,
+ "keyActualValue" : sprintf("The 'azurerm_monitor_activity_log_alert[%s]' resource monitors 'delete public ip address rule' events but is missing an 'action.action_group_id' field", [name])
+ }]
+
+} else = results { # Case of one or more resources failing due to setting filter(s)
+ value.result == "has_log_with_filter"
+
+ results := [z |
+ filters = get_filters(value.logs[doc_id][name].criteria)
+ z := {
+ "doc_id" : doc_id,
+ "resource" : value.logs[doc_id][name],
+ "name" : name,
+ "keyActualValue" : sprintf("The 'azurerm_monitor_activity_log_alert[%s]' resource monitors 'delete public ip address rule' events but sets %d filter(s): %s", [name, count(filters),concat(", ",filters)])
+ }]
+
+} else = results { # Case of all resources failing due to invalid category and/or operation_name
+ results := [z |
+ log := value.logs[doc_id][name]
+ z := {
+ "doc_id" : doc_id,
+ "resource" : log,
+ "name" : name,
+ "keyActualValue" : "None of the 'azurerm_monitor_activity_log_alert' resources monitor 'delete public ip address rule' events"
+ }]
+}
+
+has_filter(criteria) {
+ common_lib.valid_key(criteria, filter_fields[_])
+}
+
+get_filters(criteria) = [x |
+ y := filter_fields[_]
+ common_lib.valid_key(criteria, y)
+ x := y
+]
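Review bot: `filter_fields` treats `caller`, `level` and `status` as narrowing filters but leaves out the resource-scoping criteria, so an alert pinned to a single resource still counts as valid in `at_least_one_valid_log_alert`. The passing sample in test/negative1.tf shows this: its `criteria` sets `resource_id = azurerm_storage_account.to_monitor.id`, which would restrict a `Microsoft.Network/publicIPAddresses/delete` alert to a storage account, where that operation does not occur. I would extend the list, e.g. `filter_fields := ["caller", "level", "levels", "status", "statuses", "sub_status", "sub_statuses", "resource_id", "resource_group", "resource_type"]`, and drop `resource_id` from the negative fixture. Separately, when no document defines an `azurerm_monitor_activity_log_alert`, `resources` is empty, the last `else` returns an empty `logs` and `get_results` yields nothing, so a project with no alert at all appears to pass; if that is intended, a comment above `CxPolicy` saying so would help.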
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/negative1.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/negative1.tf
new file mode 100644
index 00000000000..e3e5597a3a9
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "azurerm_monitor_activity_log_alert" "negative1" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Negative sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Network/publicIPAddresses/delete"
+ category = "Administrative"
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+
+ webhook_properties = {
+ from = "terraform"
+ }
+ }
+}
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive1.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive1.tf
new file mode 100644
index 00000000000..222daf577da
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive1.tf
@@ -0,0 +1,53 @@ +resource "azurerm_monitor_activity_log_alert" "positive1_1" { + name = "example-activitylogalert" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + scopes = [azurerm_resource_group.example.id] + description = "Positive sample" + + criteria { + resource_id = azurerm_storage_account.to_monitor.id + operation_name = "Microsoft.Storage/storageAccounts/write" # wrong operation name + category = "Administrative" + } + + action { + action_group_id = azurerm_monitor_action_group.main.id + } +} + +resource "azurerm_monitor_activity_log_alert" "positive1_2" { + name = "example-activitylogalert" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + scopes = [azurerm_resource_group.example.id] + description = "Positive sample" + + criteria { + resource_id = azurerm_storage_account.to_monitor.id + operation_name = "Microsoft.Network/publicIPAddresses/delete" + category = "Policy" # wrong category + } + + action { + action_group_id = azurerm_monitor_action_group.main.id + } +} + +resource "azurerm_monitor_activity_log_alert" "positive1_3" { + name = "example-activitylogalert" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + scopes = [azurerm_resource_group.example.id] + description = "Positive sample" + + criteria { + resource_id = azurerm_storage_account.to_monitor.id + operation_name = "Microsoft.Storage/storageAccounts/write" # wrong operation name + category = "Policy" # wrong category + } + + action { + action_group_id = azurerm_monitor_action_group.main.id + } +} diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive2.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive2.tf new file mode 100644 index 00000000000..9a4e8673267 --- /dev/null 
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive2.tf 
@@ -0,0 +1,133 @@ +# Case of correct "operation_name" and "category" but a type of filter is set +resource "azurerm_monitor_activity_log_alert" "positive2_1" { + name = "example-activitylogalert" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + scopes = [azurerm_resource_group.example.id] + description = "Positive sample" + + criteria { + resource_id = azurerm_storage_account.to_monitor.id + operation_name = "Microsoft.Network/publicIPAddresses/delete" + category = "Administrative" + caller = "admin@contoso.com" # filters by caller + } + + action { + action_group_id = azurerm_monitor_action_group.main.id + } +} + +resource "azurerm_monitor_activity_log_alert" "positive2_2" { + name = "example-activitylogalert" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + scopes = [azurerm_resource_group.example.id] + description = "Positive sample" + + criteria { + resource_id = azurerm_storage_account.to_monitor.id + operation_name = "Microsoft.Network/publicIPAddresses/delete" + category = "Administrative" + level = "Informational" # filters by level + } + + action { + action_group_id = azurerm_monitor_action_group.main.id + } +} + +resource "azurerm_monitor_activity_log_alert" "positive2_3" { + name = "example-activitylogalert" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + scopes = [azurerm_resource_group.example.id] + description = "Positive sample" + + criteria { + resource_id = azurerm_storage_account.to_monitor.id + operation_name = "Microsoft.Network/publicIPAddresses/delete" + category = "Administrative" + levels = ["Informational", "Warning"] # filters by levels + } + + action { + action_group_id = azurerm_monitor_action_group.main.id + } +} + +resource "azurerm_monitor_activity_log_alert" "positive2_4" { + name = "example-activitylogalert" + resource_group_name = 
azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + scopes = [azurerm_resource_group.example.id] + description = "Positive sample" + + criteria { + resource_id = azurerm_storage_account.to_monitor.id + operation_name = "Microsoft.Network/publicIPAddresses/delete" + category = "Administrative" + status = "Succeeded" # filters by status + } + + action { + action_group_id = azurerm_monitor_action_group.main.id + } +} + +resource "azurerm_monitor_activity_log_alert" "positive2_5" { + name = "example-activitylogalert" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + scopes = [azurerm_resource_group.example.id] + description = "Positive sample" + + criteria { + resource_id = azurerm_storage_account.to_monitor.id + operation_name = "Microsoft.Network/publicIPAddresses/delete" + category = "Administrative" + statuses = ["Succeeded", "Failed"] # filters by statuses + } + + action { + action_group_id = azurerm_monitor_action_group.main.id + } +} + +resource "azurerm_monitor_activity_log_alert" "positive2_6" { + name = "example-activitylogalert" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + scopes = [azurerm_resource_group.example.id] + description = "Positive sample" + + criteria { + resource_id = azurerm_storage_account.to_monitor.id + operation_name = "Microsoft.Network/publicIPAddresses/delete" + category = "Administrative" + sub_status = "Accepted" # filters by sub_status + } + + action { + action_group_id = azurerm_monitor_action_group.main.id + } +} + +resource "azurerm_monitor_activity_log_alert" "positive2_7" { + name = "example-activitylogalert" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + scopes = [azurerm_resource_group.example.id] + description = "Positive sample" + + criteria { + resource_id = 
azurerm_storage_account.to_monitor.id + operation_name = "Microsoft.Network/publicIPAddresses/delete" + category = "Administrative" + sub_statuses = ["Accepted", "Conflict"] # filters by sub_statuses + } + + action { + action_group_id = azurerm_monitor_action_group.main.id + } +} diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive3.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive3.tf new file mode 100644 index 00000000000..62cff1f4479 --- /dev/null +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive3.tf @@ -0,0 +1,34 @@ +# Case of correct "operation_name" and "category" but the "action.action_group_id" field is missing +resource "azurerm_monitor_activity_log_alert" "positive3_1" { + name = "example-activitylogalert" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + scopes = [azurerm_resource_group.example.id] + description = "Positive sample" + + criteria { + resource_id = azurerm_storage_account.to_monitor.id + operation_name = "Microsoft.Network/publicIPAddresses/delete" + category = "Administrative" + } + + # Missing action +} + +resource "azurerm_monitor_activity_log_alert" "positive3_2" { + name = "example-activitylogalert" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + scopes = [azurerm_resource_group.example.id] + description = "Positive sample" + + criteria { + resource_id = azurerm_storage_account.to_monitor.id + operation_name = "Microsoft.Network/publicIPAddresses/delete" + category = "Administrative" + } + + action { + # Missing action_group_id + } +} 
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive4.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive4.tf new file mode 100644 index 00000000000..3e1b379f72b --- /dev/null +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive4.tf @@ -0,0 +1,40 @@ + +# Query prioritizes flagging the log alert(s) that is "correct" but has filter(s) over the ones with wrong "operation_name"/"category" +resource "azurerm_monitor_activity_log_alert" "positive4_1" { + name = "example-activitylogalert" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + scopes = [azurerm_resource_group.example.id] + description = "Positive sample" + + criteria { + resource_id = azurerm_storage_account.to_monitor.id + operation_name = "Microsoft.Network/publicIPAddresses/delete" + category = "Administrative" + caller = "admin@contoso.com" # filters by caller + level = "Informational" # filters by level + status = "Succeeded" # filters by status + } + + action { + action_group_id = azurerm_monitor_action_group.main.id + } +} + +resource "azurerm_monitor_activity_log_alert" "positive4_2" { + name = "example-activitylogalert" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + scopes = [azurerm_resource_group.example.id] + description = "Positive sample" + + criteria { + resource_id = azurerm_storage_account.to_monitor.id + operation_name = "Microsoft.Storage/storageAccounts/write" # wrong operation name + category = "Administrative" + } + + action { + action_group_id = azurerm_monitor_action_group.main.id + } +} 
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive5.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive5.tf new file mode 100644 index 00000000000..d85882ee825 --- /dev/null +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive5.tf 
@@ -0,0 +1,56 @@ + +# Query prioritizes flagging the log alert(s) that is "correct" but missing the "action_group_id" field over all others +resource "azurerm_monitor_activity_log_alert" "positive5_1" { + name = "example-activitylogalert" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + scopes = [azurerm_resource_group.example.id] + description = "Positive sample" + + criteria { + resource_id = azurerm_storage_account.to_monitor.id + operation_name = "Microsoft.Network/publicIPAddresses/delete" + category = "Administrative" + } + + # Missing action block +} + +resource "azurerm_monitor_activity_log_alert" "positive5_2" { + name = "example-activitylogalert" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + scopes = [azurerm_resource_group.example.id] + description = "Positive sample" + + criteria { + resource_id = azurerm_storage_account.to_monitor.id + operation_name = "Microsoft.Network/publicIPAddresses/delete" + category = "Administrative" + caller = "admin@contoso.com" # filters by caller + level = "Informational" # filters by level + status = "Succeeded" # filters by status + } + + action { + action_group_id = azurerm_monitor_action_group.main.id + } +} + +resource "azurerm_monitor_activity_log_alert" "positive5_3" { + name = "example-activitylogalert" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + scopes = [azurerm_resource_group.example.id] + description = "Positive sample" + + criteria { + resource_id = azurerm_storage_account.to_monitor.id + operation_name = "Microsoft.Storage/storageAccounts/write" # wrong operation name + category = "Administrative" + } + + action { + action_group_id = azurerm_monitor_action_group.main.id + } +} 
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive_expected_result.json new file mode 100644 index 00000000000..851a0be54c3 --- /dev/null +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive_expected_result.json 
@@ -0,0 +1,86 @@ +[ + { + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "severity": "MEDIUM", + "line": 8, + "fileName": "positive1.tf" + }, + { + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "severity": "MEDIUM", + "line": 26, + "fileName": "positive1.tf" + }, + { + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "severity": "MEDIUM", + "line": 44, + "fileName": "positive1.tf" + }, + { + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "severity": "MEDIUM", + "line": 9, + "fileName": "positive2.tf" + }, + { + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "severity": "MEDIUM", + "line": 28, + "fileName": "positive2.tf" + }, + { + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "severity": "MEDIUM", + "line": 47, + "fileName": "positive2.tf" + }, + { + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "severity": "MEDIUM", + "line": 66, + "fileName": "positive2.tf" + }, + { + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "severity": "MEDIUM", + "line": 85, + "fileName": "positive2.tf" + }, + { + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "severity": "MEDIUM", + "line": 104, + "fileName": "positive2.tf" + }, + { + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "severity": "MEDIUM", + "line": 123, + "fileName": "positive2.tf" + }, + { + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "severity": "MEDIUM", + "line": 9, + "fileName": "positive3.tf" + }, + { + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "severity": "MEDIUM", + "line": 25, + "fileName": "positive3.tf" + }, + { + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "severity": "MEDIUM", + "line": 10, + 
"fileName": "positive4.tf" + }, + { + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "severity": "MEDIUM", + "line": 10, + "fileName": "positive5.tf" + } +] diff --git a/assets/similarityID_transition/terraform_azure.yaml b/assets/similarityID_transition/terraform_azure.yaml index 407c810f4d1..370c401dfbf 100644 --- a/assets/similarityID_transition/terraform_azure.yaml +++ b/assets/similarityID_transition/terraform_azure.yaml @@ -3,3 +3,7 @@ similarityIDChangeList: queryName: Sensitive Port Is Exposed To Wide Private Network observations: "" change: 5 + - queryId: b3b9ce2f-c229-4133-9a2b-4e649cf2347e + queryName: Beta - Activity Log Alert For Delete Public IP Address Rule + observations: "" + change: 2 From c8bdb3f92095929a30ec5bb01dbb637557cc39ce Mon Sep 17 00:00:00 2001 
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 4 Nov 2025 12:28:34 +0000 Subject: [PATCH 2/5] adjusted tests for correct per project scope --- .../positive2_1.tf} | 57 ---------------- .../positive2_2.tf} | 20 +++--- .../positive2/positive_expected_result.json | 44 +++++++++++++ .../test/positive3/positive3_1.tf | 16 +++++ .../positive3_2.tf} | 16 ----- .../positive3/positive_expected_result.json | 14 ++++ .../test/positive4/positive4_1.tf | 21 ++++++ .../test/positive4/positive4_2.tf | 17 +++++ .../positive4/positive_expected_result.json | 8 +++ .../positive5_1.tf} | 19 +++--- .../test/positive5/positive5_2.tf | 17 +++++ .../positive5/positive_expected_result.json | 8 +++ .../test/positive_expected_result.json | 66 ------------------- 13 files changed, 163 insertions(+), 160 deletions(-) rename assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/{positive2.tf => positive2/positive2_1.tf} (57%) rename assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/{positive5.tf => positive2/positive2_2.tf} (66%) create mode 100644 assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive2/positive_expected_result.json create mode 100644 assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive3/positive3_1.tf rename assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/{positive3.tf => positive3/positive3_2.tf} (55%) create mode 100644 assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive3/positive_expected_result.json create mode 100644 assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive4/positive4_1.tf create mode 100644 assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive4/positive4_2.tf create mode 100644 
assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive4/positive_expected_result.json rename assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/{positive4.tf => positive5/positive5_1.tf} (78%) create mode 100644 assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive5/positive5_2.tf create mode 100644 assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive5/positive_expected_result.json diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive2.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive2/positive2_1.tf similarity index 57% rename from assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive2.tf rename to assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive2/positive2_1.tf index 9a4e8673267..b60e96ceb27 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive2.tf +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive2/positive2_1.tf 
@@ -74,60 +74,3 @@ resource "azurerm_monitor_activity_log_alert" "positive2_4" { action_group_id = azurerm_monitor_action_group.main.id } } - -resource "azurerm_monitor_activity_log_alert" "positive2_5" { - name = "example-activitylogalert" - resource_group_name = azurerm_resource_group.example.name - location = azurerm_resource_group.example.location - scopes = [azurerm_resource_group.example.id] - description = "Positive sample" - - criteria { - resource_id = azurerm_storage_account.to_monitor.id - operation_name = "Microsoft.Network/publicIPAddresses/delete" - category = "Administrative" - statuses = ["Succeeded", "Failed"] # filters by statuses - } - - action { - action_group_id = azurerm_monitor_action_group.main.id - } -} - -resource "azurerm_monitor_activity_log_alert" "positive2_6" { - name = "example-activitylogalert" - resource_group_name = azurerm_resource_group.example.name - location = azurerm_resource_group.example.location - scopes = [azurerm_resource_group.example.id] - description = "Positive sample" - - criteria { - resource_id = azurerm_storage_account.to_monitor.id - operation_name = "Microsoft.Network/publicIPAddresses/delete" - category = "Administrative" - sub_status = "Accepted" # filters by sub_status - } - - action { - action_group_id = azurerm_monitor_action_group.main.id - } -} - -resource "azurerm_monitor_activity_log_alert" "positive2_7" { - name = "example-activitylogalert" - resource_group_name = azurerm_resource_group.example.name - location = azurerm_resource_group.example.location - scopes = [azurerm_resource_group.example.id] - description = "Positive sample" - - criteria { - resource_id = azurerm_storage_account.to_monitor.id - operation_name = "Microsoft.Network/publicIPAddresses/delete" - category = "Administrative" - sub_statuses = ["Accepted", "Conflict"] # filters by sub_statuses - } - - action { - action_group_id = azurerm_monitor_action_group.main.id - } -} 
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive5.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive2/positive2_2.tf similarity index 66% rename from assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive5.tf rename to assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive2/positive2_2.tf index d85882ee825..6c1261e04ff 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive5.tf +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive2/positive2_2.tf @@ -1,6 +1,4 @@ - -# Query prioritizes flagging the log alert(s) that is "correct" but missing the "action_group_id" field over all others -resource "azurerm_monitor_activity_log_alert" "positive5_1" { +resource "azurerm_monitor_activity_log_alert" "positive2_5" { name = "example-activitylogalert" resource_group_name = azurerm_resource_group.example.name location = azurerm_resource_group.example.location @@ -11,12 +9,15 @@ resource "azurerm_monitor_activity_log_alert" "positive5_1" { resource_id = azurerm_storage_account.to_monitor.id operation_name = "Microsoft.Network/publicIPAddresses/delete" category = "Administrative" + statuses = ["Succeeded", "Failed"] # filters by statuses } - # Missing action block + action { + action_group_id = azurerm_monitor_action_group.main.id + } } -resource "azurerm_monitor_activity_log_alert" "positive5_2" { +resource "azurerm_monitor_activity_log_alert" "positive2_6" { name = "example-activitylogalert" resource_group_name = azurerm_resource_group.example.name location = azurerm_resource_group.example.location 
@@ -27,9 +28,7 @@ resource "azurerm_monitor_activity_log_alert" "positive5_2" { resource_id = azurerm_storage_account.to_monitor.id operation_name = "Microsoft.Network/publicIPAddresses/delete" category = "Administrative" - caller = "admin@contoso.com" # filters by caller - level = "Informational" # filters by level - status = "Succeeded" # filters by status + sub_status = "Accepted" # filters by sub_status } action { @@ -37,7 +36,7 @@ resource "azurerm_monitor_activity_log_alert" "positive5_2" { } } -resource "azurerm_monitor_activity_log_alert" "positive5_3" { +resource "azurerm_monitor_activity_log_alert" "positive2_7" { name = "example-activitylogalert" resource_group_name = azurerm_resource_group.example.name location = azurerm_resource_group.example.location @@ -46,8 +45,9 @@ resource "azurerm_monitor_activity_log_alert" "positive5_3" { criteria { resource_id = azurerm_storage_account.to_monitor.id - operation_name = "Microsoft.Storage/storageAccounts/write" # wrong operation name + operation_name = "Microsoft.Network/publicIPAddresses/delete" category = "Administrative" + sub_statuses = ["Accepted", "Conflict"] # filters by sub_statuses } action { diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive2/positive_expected_result.json new file mode 100644 index 00000000000..3055d42ebac --- /dev/null +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive2/positive_expected_result.json 
@@ -0,0 +1,44 @@ +[ + { + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "severity": "MEDIUM", + "line": 9, + "fileName": "positive2_1.tf" + }, + { + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "severity": "MEDIUM", + "line": 28, + "fileName": "positive2_1.tf" + }, + { + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "severity": "MEDIUM", + "line": 47, + "fileName": "positive2_1.tf" + }, + { + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "severity": "MEDIUM", + "line": 66, + "fileName": "positive2_1.tf" + }, + { + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "severity": "MEDIUM", + "line": 8, + "fileName": "positive2_2.tf" + }, + { + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "severity": "MEDIUM", + "line": 27, + "fileName": "positive2_2.tf" + }, + { + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "severity": "MEDIUM", + "line": 46, + "fileName": "positive2_2.tf" + } +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive3/positive3_1.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive3/positive3_1.tf new file mode 100644 index 00000000000..eba2aa792c3 --- /dev/null +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive3/positive3_1.tf 
@@ -0,0 +1,16 @@ +# Case of correct "operation_name" and "category" but the "action.action_group_id" field is missing +resource "azurerm_monitor_activity_log_alert" "positive3_1" { + name = "example-activitylogalert" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + scopes = [azurerm_resource_group.example.id] + description = "Positive sample" + + criteria { + resource_id = azurerm_storage_account.to_monitor.id + operation_name = "Microsoft.Network/publicIPAddresses/delete" + category = "Administrative" + } + + # Missing action +} diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive3.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive3/positive3_2.tf similarity index 55% rename from assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive3.tf rename to assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive3/positive3_2.tf index 62cff1f4479..5d7b96f1080 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive3.tf +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive3/positive3_2.tf 
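Review bot: The `criteria` block in positive3_1.tf sets `resource_id = azurerm_storage_account.to_monitor.id` next to `operation_name = "Microsoft.Network/publicIPAddresses/delete"`, so this alert is scoped to a storage account and would presumably never fire for a public IP deletion. The same `resource_id` line appears in the positive2_2.tf, positive4_1.tf, positive4_2.tf, positive5_1.tf and positive5_2.tf fixtures on this page. The filter list in query.rego is not visible here, so confirm whether `resource_id` is treated as a narrowing filter like `caller`, `level` and `status`; if it is not, a configuration like this could pass the query while the deletion stays unmonitored. Dropping the `resource_id` line from this fixture would leave `criteria` on line 9 and isolate the missing `action` case it is meant to test.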
@@ -1,20 +1,4 @@ # Case of correct "operation_name" and "category" but the "action.action_group_id" field is missing -resource "azurerm_monitor_activity_log_alert" "positive3_1" { - name = "example-activitylogalert" - resource_group_name = azurerm_resource_group.example.name - location = azurerm_resource_group.example.location - scopes = [azurerm_resource_group.example.id] - description = "Positive sample" - - criteria { - resource_id = azurerm_storage_account.to_monitor.id - operation_name = "Microsoft.Network/publicIPAddresses/delete" - category = "Administrative" - } - - # Missing action -} - resource "azurerm_monitor_activity_log_alert" "positive3_2" { name = "example-activitylogalert" resource_group_name = azurerm_resource_group.example.name diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive3/positive_expected_result.json new file mode 100644 index 00000000000..1da9a652604 --- /dev/null +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive3/positive_expected_result.json @@ -0,0 +1,14 @@ +[ + { + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "severity": "MEDIUM", + "line": 9, + "fileName": "positive3_1.tf" + }, + { + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "severity": "MEDIUM", + "line": 9, + "fileName": "positive3_2.tf" + } +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive4/positive4_1.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive4/positive4_1.tf new file mode 100644 index 00000000000..fe9dfecb09e --- /dev/null +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive4/positive4_1.tf 
@@ -0,0 +1,21 @@ +# Query prioritizes flagging the log alert(s) that is "correct" but has filter(s) over the ones with wrong "operation_name"/"category" +resource "azurerm_monitor_activity_log_alert" "positive4_1" { + name = "example-activitylogalert" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + scopes = [azurerm_resource_group.example.id] + description = "Positive sample" + + criteria { + resource_id = azurerm_storage_account.to_monitor.id + operation_name = "Microsoft.Network/publicIPAddresses/delete" + category = "Administrative" + caller = "admin@contoso.com" # filters by caller + level = "Informational" # filters by level + status = "Succeeded" # filters by status + } + + action { + action_group_id = azurerm_monitor_action_group.main.id + } +} diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive4/positive4_2.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive4/positive4_2.tf new file mode 100644 index 00000000000..fe894643730 --- /dev/null +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive4/positive4_2.tf @@ -0,0 +1,17 @@ +resource "azurerm_monitor_activity_log_alert" "positive4_2" { + name = "example-activitylogalert" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + scopes = [azurerm_resource_group.example.id] + description = "Positive sample" + + criteria { + resource_id = azurerm_storage_account.to_monitor.id + operation_name = "Microsoft.Storage/storageAccounts/write" # wrong operation name + category = "Administrative" + } + + action { + action_group_id = azurerm_monitor_action_group.main.id + } +} 
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive4/positive_expected_result.json new file mode 100644 index 00000000000..c9d18748502 --- /dev/null +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive4/positive_expected_result.json @@ -0,0 +1,8 @@ +[ + { + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "severity": "MEDIUM", + "line": 9, + "fileName": "positive4_1.tf" + } +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive4.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive5/positive5_1.tf similarity index 78% rename from assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive4.tf rename to assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive5/positive5_1.tf index 3e1b379f72b..f9328e9ce70 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive4.tf +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive5/positive5_1.tf @@ -1,6 +1,5 @@ - -# Query prioritizes flagging the log alert(s) that is "correct" but has filter(s) over the ones with wrong "operation_name"/"category" -resource "azurerm_monitor_activity_log_alert" "positive4_1" { +# Query prioritizes flagging the log alert(s) that is "correct" but missing the "action_group_id" field over all others +resource "azurerm_monitor_activity_log_alert" "positive5_1" { name = "example-activitylogalert" resource_group_name = azurerm_resource_group.example.name location = azurerm_resource_group.example.location 
@@ -11,17 +10,12 @@ resource "azurerm_monitor_activity_log_alert" "positive4_1" { resource_id = azurerm_storage_account.to_monitor.id operation_name = "Microsoft.Network/publicIPAddresses/delete" category = "Administrative" - caller = "admin@contoso.com" # filters by caller - level = "Informational" # filters by level - status = "Succeeded" # filters by status } - action { - action_group_id = azurerm_monitor_action_group.main.id - } + # Missing action block } -resource "azurerm_monitor_activity_log_alert" "positive4_2" { +resource "azurerm_monitor_activity_log_alert" "positive5_2" { name = "example-activitylogalert" resource_group_name = azurerm_resource_group.example.name location = azurerm_resource_group.example.location @@ -30,8 +24,11 @@ resource "azurerm_monitor_activity_log_alert" "positive4_2" { criteria { resource_id = azurerm_storage_account.to_monitor.id - operation_name = "Microsoft.Storage/storageAccounts/write" # wrong operation name + operation_name = "Microsoft.Network/publicIPAddresses/delete" category = "Administrative" + caller = "admin@contoso.com" # filters by caller + level = "Informational" # filters by level + status = "Succeeded" # filters by status } action { diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive5/positive5_2.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive5/positive5_2.tf new file mode 100644 index 00000000000..dfe8d9f3ce9 --- /dev/null +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive5/positive5_2.tf 
@@ -0,0 +1,17 @@ +resource "azurerm_monitor_activity_log_alert" "positive5_3" { + name = "example-activitylogalert" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + scopes = [azurerm_resource_group.example.id] + description = "Positive sample" + + criteria { + resource_id = azurerm_storage_account.to_monitor.id + operation_name = "Microsoft.Storage/storageAccounts/write" # wrong operation name + category = "Administrative" + } + + action { + action_group_id = azurerm_monitor_action_group.main.id + } +} diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive5/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive5/positive_expected_result.json new file mode 100644 index 00000000000..da9ecb0d7ab --- /dev/null +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive5/positive_expected_result.json @@ -0,0 +1,8 @@ +[ + { + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "severity": "MEDIUM", + "line": 9, + "fileName": "positive5_1.tf" + } +] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive_expected_result.json index 851a0be54c3..b3aa30a78c6 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive_expected_result.json 
@@ -16,71 +16,5 @@ "severity": "MEDIUM", "line": 44, "fileName": "positive1.tf" - }, - { - "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", - "severity": "MEDIUM", - "line": 9, - "fileName": "positive2.tf" - }, - { - "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", - "severity": "MEDIUM", - "line": 28, - "fileName": "positive2.tf" - }, - { - "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", - "severity": "MEDIUM", - "line": 47, - "fileName": "positive2.tf" - }, - { - "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", - "severity": "MEDIUM", - "line": 66, - "fileName": "positive2.tf" - }, - { - "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", - "severity": "MEDIUM", - "line": 85, - "fileName": "positive2.tf" - }, - { - "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", - "severity": "MEDIUM", - "line": 104, - "fileName": "positive2.tf" - }, - { - "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", - "severity": "MEDIUM", - "line": 123, - "fileName": "positive2.tf" - }, - { - "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", - "severity": "MEDIUM", - "line": 9, - "fileName": "positive3.tf" - }, - { - "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", - "severity": "MEDIUM", - "line": 25, - "fileName": "positive3.tf" - }, - { - "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", - "severity": "MEDIUM", - "line": 10, - "fileName": "positive4.tf" - }, - { - "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", - "severity": "MEDIUM", - "line": 10, - "fileName": "positive5.tf" } ] From 3b79ee25f3e423054025f31c58a72138f7b88440 Mon Sep 17 00:00:00 2001 
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Wed, 5 Nov 2025 15:17:46 +0000 Subject: [PATCH 3/5] issueType improvement --- .../query.rego | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/query.rego b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/query.rego index 661190142ff..a27ef3342ab 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/query.rego +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/query.rego @@ -20,7 +20,7 @@ CxPolicy[result] { "resourceType": "azurerm_monitor_activity_log_alert", "resourceName": tf_lib.get_resource_name(results.resource, results.name), "searchKey": sprintf("azurerm_monitor_activity_log_alert[%s].criteria", [results.name]), - "issueType": "IncorrectValue", + "issueType": results.issueType, "keyExpectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", "keyActualValue": results.keyActualValue, "searchLine": common_lib.build_search_line(["resource", "azurerm_monitor_activity_log_alert", results.name, "criteria"], []) @@ -64,6 +64,7 @@ get_results(value) = results { # Case of one or more resources failing due t z := { "doc_id" : doc_id, "resource" : log, + "issueType": "MissingAttribute", "name" : name, "keyActualValue" : sprintf("The 'azurerm_monitor_activity_log_alert[%s]' resource monitors 'delete public ip address rule' events but is missing an 'action.action_group_id' field", [name]) }] 
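Review bot: `"issueType": results.issueType` in `CxPolicy` makes the whole result object undefined if any entry returned by `get_results` lacks an `issueType` key, and Rego then drops the finding silently instead of raising an error. The three branches visible in the hunks at -64, -76 and -86 each set the key, but `get_results` and the `CxPolicy` body both extend outside these hunks, so confirm no other branch builds entries without it. The expected-result files on this page pin only `queryName`, `severity`, `line` and `fileName`, so neither a missing nor a wrong `issueType` would fail a fixture test. A comment above the field such as `# every get_results branch must set issueType, otherwise this rule yields no result` would record that contract.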
@@ -76,6 +77,7 @@ get_results(value) = results { # Case of one or more resources failing due t z := { "doc_id" : doc_id, "resource" : value.logs[doc_id][name], + "issueType": "IncorrectValue", "name" : name, "keyActualValue" : sprintf("The 'azurerm_monitor_activity_log_alert[%s]' resource monitors 'delete public ip address rule' events but sets %d filter(s): %s", [name, count(filters),concat(", ",filters)]) }] @@ -86,6 +88,7 @@ get_results(value) = results { # Case of one or more resources failing due t z := { "doc_id" : doc_id, "resource" : log, + "issueType": "IncorrectValue", "name" : name, "keyActualValue" : "None of the 'azurerm_monitor_activity_log_alert' resources monitor 'delete public ip address rule' events" }] From c7850d066b99c34391aa06993f482aafa4d97865 Mon Sep 17 00:00:00 2001 
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Thu, 6 Nov 2025 10:45:40 +0000 Subject: [PATCH 4/5] query renaming --- .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive2/positive2_1.tf | 0 .../test/positive2/positive2_2.tf | 0 .../test/positive2/positive_expected_result.json | 14 +++++++------- .../test/positive3/positive3_1.tf | 0 .../test/positive3/positive3_2.tf | 0 .../test/positive3/positive_expected_result.json | 4 ++-- .../test/positive4/positive4_1.tf | 0 .../test/positive4/positive4_2.tf | 0 .../test/positive4/positive_expected_result.json | 2 +- .../test/positive5/positive5_1.tf | 0 .../test/positive5/positive5_2.tf | 0 .../test/positive5/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 6 +++--- .../similarityID_transition/terraform_azure.yaml | 2 +- 18 files changed, 15 insertions(+), 15 deletions(-) rename assets/queries/terraform/azure/{activity_log_alert_for_delete_public_ip_address_rule => activity_log_alert_for_delete_public_ip_address_rule_not_configured}/metadata.json (100%) rename assets/queries/terraform/azure/{activity_log_alert_for_delete_public_ip_address_rule => activity_log_alert_for_delete_public_ip_address_rule_not_configured}/query.rego (100%) rename assets/queries/terraform/azure/{activity_log_alert_for_delete_public_ip_address_rule => activity_log_alert_for_delete_public_ip_address_rule_not_configured}/test/negative1.tf (100%) rename assets/queries/terraform/azure/{activity_log_alert_for_delete_public_ip_address_rule => activity_log_alert_for_delete_public_ip_address_rule_not_configured}/test/positive1.tf (100%) rename assets/queries/terraform/azure/{activity_log_alert_for_delete_public_ip_address_rule => activity_log_alert_for_delete_public_ip_address_rule_not_configured}/test/positive2/positive2_1.tf (100%) rename assets/queries/terraform/azure/{activity_log_alert_for_delete_public_ip_address_rule => 
activity_log_alert_for_delete_public_ip_address_rule_not_configured}/test/positive2/positive2_2.tf (100%) rename assets/queries/terraform/azure/{activity_log_alert_for_delete_public_ip_address_rule => activity_log_alert_for_delete_public_ip_address_rule_not_configured}/test/positive2/positive_expected_result.json (82%) rename assets/queries/terraform/azure/{activity_log_alert_for_delete_public_ip_address_rule => activity_log_alert_for_delete_public_ip_address_rule_not_configured}/test/positive3/positive3_1.tf (100%) rename assets/queries/terraform/azure/{activity_log_alert_for_delete_public_ip_address_rule => activity_log_alert_for_delete_public_ip_address_rule_not_configured}/test/positive3/positive3_2.tf (100%) rename assets/queries/terraform/azure/{activity_log_alert_for_delete_public_ip_address_rule => activity_log_alert_for_delete_public_ip_address_rule_not_configured}/test/positive3/positive_expected_result.json (82%) rename assets/queries/terraform/azure/{activity_log_alert_for_delete_public_ip_address_rule => activity_log_alert_for_delete_public_ip_address_rule_not_configured}/test/positive4/positive4_1.tf (100%) rename assets/queries/terraform/azure/{activity_log_alert_for_delete_public_ip_address_rule => activity_log_alert_for_delete_public_ip_address_rule_not_configured}/test/positive4/positive4_2.tf (100%) rename assets/queries/terraform/azure/{activity_log_alert_for_delete_public_ip_address_rule => activity_log_alert_for_delete_public_ip_address_rule_not_configured}/test/positive4/positive_expected_result.json (82%) rename assets/queries/terraform/azure/{activity_log_alert_for_delete_public_ip_address_rule => activity_log_alert_for_delete_public_ip_address_rule_not_configured}/test/positive5/positive5_1.tf (100%) rename assets/queries/terraform/azure/{activity_log_alert_for_delete_public_ip_address_rule => activity_log_alert_for_delete_public_ip_address_rule_not_configured}/test/positive5/positive5_2.tf (100%) rename 
assets/queries/terraform/azure/{activity_log_alert_for_delete_public_ip_address_rule => activity_log_alert_for_delete_public_ip_address_rule_not_configured}/test/positive5/positive_expected_result.json (82%) rename assets/queries/terraform/azure/{activity_log_alert_for_delete_public_ip_address_rule => activity_log_alert_for_delete_public_ip_address_rule_not_configured}/test/positive_expected_result.json (82%) diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/metadata.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/metadata.json similarity index 100% rename from assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/metadata.json rename to assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/metadata.json diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/query.rego b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/query.rego similarity index 100% rename from assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/query.rego rename to assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/query.rego diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/negative1.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/negative1.tf similarity index 100% rename from assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/negative1.tf rename to assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/negative1.tf 
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive1.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive1.tf similarity index 100% rename from assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive1.tf rename to assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive1.tf diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive2/positive2_1.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive2/positive2_1.tf similarity index 100% rename from assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive2/positive2_1.tf rename to assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive2/positive2_1.tf diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive2/positive2_2.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive2/positive2_2.tf similarity index 100% rename from assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive2/positive2_2.tf rename to assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive2/positive2_2.tf 
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json similarity index 82% rename from assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive2/positive_expected_result.json rename to assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json index 3055d42ebac..db0d5cb17e5 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json 
@@ -1,42 +1,42 @@ [ { - "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 9, "fileName": "positive2_1.tf" }, { - "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 28, "fileName": "positive2_1.tf" }, { - "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 47, "fileName": "positive2_1.tf" }, { - "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 66, "fileName": "positive2_1.tf" }, { - "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 8, "fileName": "positive2_2.tf" }, { - "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 27, "fileName": "positive2_2.tf" }, { - "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 46, "fileName": "positive2_2.tf" 
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive3/positive3_1.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive3/positive3_1.tf similarity index 100% rename from assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive3/positive3_1.tf rename to assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive3/positive3_1.tf diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive3/positive3_2.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive3/positive3_2.tf similarity index 100% rename from assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive3/positive3_2.tf rename to assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive3/positive3_2.tf diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json similarity index 82% rename from assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive3/positive_expected_result.json rename to assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json index 1da9a652604..8f5b85d8d7b 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive3/positive_expected_result.json 
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json @@ -1,12 +1,12 @@ [ { - "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 9, "fileName": "positive3_1.tf" }, { - "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 9, "fileName": "positive3_2.tf" diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive4/positive4_1.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive4/positive4_1.tf similarity index 100% rename from assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive4/positive4_1.tf rename to assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive4/positive4_1.tf diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive4/positive4_2.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive4/positive4_2.tf similarity index 100% rename from assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive4/positive4_2.tf rename to assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive4/positive4_2.tf 
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json similarity index 82% rename from assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive4/positive_expected_result.json rename to assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json index c9d18748502..9e174c03f4d 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json @@ -1,6 +1,6 @@ [ { - "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 9, "fileName": "positive4_1.tf" diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive5/positive5_1.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive5/positive5_1.tf similarity index 100% rename from assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive5/positive5_1.tf rename to assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive5/positive5_1.tf 
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive5/positive5_2.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive5/positive5_2.tf similarity index 100% rename from assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive5/positive5_2.tf rename to assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive5/positive5_2.tf diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive5/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive5/positive_expected_result.json similarity index 82% rename from assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive5/positive_expected_result.json rename to assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive5/positive_expected_result.json index da9ecb0d7ab..faf32d4be6b 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive5/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive5/positive_expected_result.json @@ -1,6 +1,6 @@ [ { - "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 9, "fileName": "positive5_1.tf" 
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive_expected_result.json similarity index 82% rename from assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive_expected_result.json rename to assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive_expected_result.json index b3aa30a78c6..a6ac2cb65b5 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive_expected_result.json @@ -1,18 +1,18 @@ [ { - "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 8, "fileName": "positive1.tf" }, { - "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 26, "fileName": "positive1.tf" }, { - "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 44, "fileName": "positive1.tf" diff --git a/assets/similarityID_transition/terraform_azure.yaml b/assets/similarityID_transition/terraform_azure.yaml index 370c401dfbf..a7b419996ec 100644 --- a/assets/similarityID_transition/terraform_azure.yaml +++ b/assets/similarityID_transition/terraform_azure.yaml 
@@ -4,6 +4,6 @@ similarityIDChangeList: observations: "" change: 5 - queryId: b3b9ce2f-c229-4133-9a2b-4e649cf2347e - queryName: Beta - Activity Log Alert For Delete Public IP Address Rule + queryName: Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured observations: "" change: 2 From b42ddc324b02a20cebd1550c95226288d6969c93 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Thu, 6 Nov 2025 11:03:24 +0000 Subject: [PATCH 5/5] metadata fix --- .../metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/metadata.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/metadata.json index b79f1f6977a..fc40fd72df1 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/metadata.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/metadata.json @@ -1,6 +1,6 @@ { "id": "b3b9ce2f-c229-4133-9a2b-4e649cf2347e", - "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule", + "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "category": "Observability", "descriptionText": "There should be a 'azurerm_monitor_activity_log_alert' resource configured to capture 'delete public ip address rule' events",