From 1d712e34663afd1c2cb601ff61cc38f2963c6843 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Thu, 6 Nov 2025 15:20:04 +0000
Subject: [PATCH] initial implementation

---
 .../metadata.json | 14 ++++
 .../query.rego | 67 ++++++++++++++++
 .../test/negative.tf | 14 ++++
 .../test/positive.tf | 78 +++++++++++++++++++
 .../test/positive_expected_result.json | 32 ++++++++
 .../terraform_azure.yaml | 4 +
 6 files changed, 209 insertions(+)
 create mode 100644 assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/metadata.json
 create mode 100644 assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/query.rego
 create mode 100644 assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test/negative.tf
 create mode 100644 assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test/positive.tf
 create mode 100644 assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test/positive_expected_result.json

diff --git a/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/metadata.json b/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/metadata.json
new file mode 100644
index 00000000000..e97ed711f77
--- /dev/null
+++ b/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/metadata.json
@@ -0,0 +1,14 @@
+{
+ "id": "621fc7c5-c342-4223-b3dd-d1530acb43ae",
+ "queryName": "Beta - Storage Account Not Using Latest SMB Protocol Version",
+ "severity": "HIGH",
+ "category": "Insecure Configurations",
+ "descriptionText": "All 'azurerm_storage_account' resources should use the latest SMB protocol version to prevent exploitation of known vulnerabilities",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#smb-2",
+ "platform": "Terraform",
+ "descriptionID": "621fc7c5",
+ "cloudProvider": "azure",
+ "cwe": "327",
+ "riskScore": "6.0",
+ "experimental": "true"
+}
diff --git a/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/query.rego b/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/query.rego
new file mode 100644
index 00000000000..306e9e4b312
--- /dev/null
+++ b/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/query.rego
@@ -0,0 +1,67 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+ resource := input.document[i].resource.azurerm_storage_account[name]
+
+ results := get_results(resource, name)
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "azurerm_storage_account",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": results.searchKey,
+ "issueType": results.issueType,
+ "keyExpectedValue": sprintf("'azurerm_storage_account[%s].share_properties.smb.versions' should be defined and exclusively include 'SMB3.1.1'", [name]),
+ "keyActualValue": results.keyActualValue,
+ "searchLine": results.searchLine
+ }
+}
+
+get_results(resource, name) = results {
+ not common_lib.valid_key(resource, "share_properties")
+ results := {
+ "searchKey" : sprintf("azurerm_storage_account[%s]", [name]),
+ "issueType": "MissingAttribute",
+ "keyActualValue" : sprintf("'azurerm_storage_account[%s].share_properties' is undefined or null", [name]),
+ "searchLine" : common_lib.build_search_line(["resource", "azurerm_storage_account", name], [])
+ }
+} else = results {
+ not common_lib.valid_key(resource.share_properties, "smb")
+ results := {
+ "searchKey" : sprintf("azurerm_storage_account[%s].share_properties", [name]),
+ "issueType": "MissingAttribute",
+ "keyActualValue" : sprintf("'azurerm_storage_account[%s].share_properties.smb' is undefined or null", [name]),
+ "searchLine" : common_lib.build_search_line(["resource", "azurerm_storage_account", name, "share_properties"], [])
+ }
+} else = results {
+ not common_lib.valid_key(resource.share_properties.smb, "versions")
+
+ results := {
+ "searchKey" : sprintf("azurerm_storage_account[%s].share_properties.smb", [name]),
+ "issueType": "MissingAttribute",
+ "keyActualValue" : sprintf("'azurerm_storage_account[%s].share_properties.smb.versions' is undefined or null", [name]),
+ "searchLine" : common_lib.build_search_line(["resource", "azurerm_storage_account", name, "share_properties", "smb"], [])
+ }
+} else = results {
+ resource.share_properties.smb.versions != ["SMB3.1.1"]
+
+ results := {
+ "searchKey" : sprintf("azurerm_storage_account[%s].share_properties.smb.versions", [name]),
+ "issueType": "IncorrectValue",
+ "keyActualValue" : get_actual_value(resource.share_properties.smb.versions, name),
+ "searchLine" : common_lib.build_search_line(["resource", "azurerm_storage_account", name, "share_properties", "smb", "versions"], [])
+ }
+}
+
+get_actual_value(versions, name) = str {
+ versions == []
+ str := sprintf("'azurerm_storage_account[%s].share_properties.smb.versions' is empty or null", [name])
+} else = str {
+ not common_lib.inArray(versions, "SMB3.1.1")
+ str := sprintf("'azurerm_storage_account[%s].share_properties.smb.versions' does not include 'SMB3.1.1' and instead includes %d outdated version(s)", [name, count(versions)])
+} else = str {
+ str := sprintf("'azurerm_storage_account[%s].share_properties.smb.versions' includes 'SMB3.1.1' but also includes %d outdated version(s)", [name, count(versions)-1])
+}
diff --git a/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test/negative.tf b/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test/negative.tf
new file mode 100644
index 00000000000..00571529103
--- /dev/null
+++ b/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test/negative.tf
@@ -0,0 +1,14 @@
+resource "azurerm_storage_account" "negative1" {
+ name = "negative1"
+ resource_group_name = "testRG"
+ location = "northeurope"
+ account_tier = "Premium"
+ account_replication_type = "LRS"
+ account_kind = "FileStorage"
+
+ share_properties {
+ smb {
+ versions = ["SMB3.1.1"]
+ }
+ }
+}
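Review bot: The first `get_results` branch reports MissingAttribute for every `azurerm_storage_account` that lacks `share_properties`, regardless of `account_kind`, so accounts that do not serve SMB file shares (for example BlockBlobStorage, which to my knowledge the azurerm provider does not allow to configure `share_properties` at all) would be flagged for a setting they cannot apply. Consider gating the rule on an `account_kind` that supports file shares, or at least documenting the assumption above the branch with `# share_properties is only meaningful for account kinds that expose file shares; other kinds are still reported here as missing the block`. None of the positive tests set `account_kind`, so this case is not exercised either way. Separately, the last `get_actual_value` branch reports `count(versions)-1` "outdated" entries, which over-counts when `versions` lists `SMB3.1.1` more than once; `count([v | v := versions[_]; v != "SMB3.1.1"])` would count only the non-3.1.1 entries.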
diff --git a/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test/positive.tf b/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test/positive.tf
new file mode 100644
index 00000000000..890024438ff
--- /dev/null
+++ b/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test/positive.tf
@@ -0,0 +1,78 @@
+resource "azurerm_storage_account" "positive1" {
+ name = "positive1"
+ resource_group_name = azurerm_resource_group.positive1.name
+ location = azurerm_resource_group.positive1.location
+ account_tier = "Standard"
+ account_replication_type = "GRS"
+
+ # missing "share_properties" (allows all SMB protocols)
+}
+
+resource "azurerm_storage_account" "positive2" {
+ name = "positive2"
+ resource_group_name = azurerm_resource_group.positive2.name
+ location = azurerm_resource_group.positive2.location
+ account_tier = "Standard"
+ account_replication_type = "GRS"
+
+ share_properties {
+ # missing "smb" (allows all SMB protocols)
+ }
+}
+
+
+resource "azurerm_storage_account" "positive3" {
+ name = "positive3"
+ resource_group_name = azurerm_resource_group.positive3.name
+ location = azurerm_resource_group.positive3.location
+ account_tier = "Standard"
+ account_replication_type = "GRS"
+
+ share_properties {
+ smb {
+ # missing "versions" (allows all SMB protocols)
+ }
+ }
+}
+
+resource "azurerm_storage_account" "positive4" {
+ name = "positive4"
+ resource_group_name = azurerm_resource_group.positive4.name
+ location = azurerm_resource_group.positive4.location
+ account_tier = "Standard"
+ account_replication_type = "GRS"
+
+ share_properties {
+ smb {
+ versions = [] # no SMB protocols allowed
+ }
+ }
+}
+
+resource "azurerm_storage_account" "positive5" {
+ name = "positive5"
+ resource_group_name = azurerm_resource_group.positive5.name
+ location = azurerm_resource_group.positive5.location
+ account_tier = "Standard"
+ account_replication_type = "GRS"
+
+ share_properties {
+ smb {
+ versions = ["SMB2.1", "SMB3.0"] # missing "SMB3.1.1"
+ }
+ }
+}
+
+resource "azurerm_storage_account" "positive6" {
+ name = "positive6"
+ resource_group_name = azurerm_resource_group.positive6.name
+ location = azurerm_resource_group.positive6.location
+ account_tier = "Standard"
+ account_replication_type = "GRS"
+
+ share_properties {
+ smb {
+ versions = ["SMB3.1.1", "SMB2.1"] # allows outdated version
+ }
+ }
+}
diff --git a/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test/positive_expected_result.json
new file mode 100644
index 00000000000..13b4ae0d843
--- /dev/null
+++ b/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test/positive_expected_result.json
@@ -0,0 +1,32 @@
+[
+ {
+ "queryName": "Beta - Storage Account Not Using Latest SMB Protocol Version",
+ "severity": "HIGH",
+ "line": 1
+ },
+ {
+ "queryName": "Beta - Storage Account Not Using Latest SMB Protocol Version",
+ "severity": "HIGH",
+ "line": 18
+ },
+ {
+ "queryName": "Beta - Storage Account Not Using Latest SMB Protocol Version",
+ "severity": "HIGH",
+ "line": 32
+ },
+ {
+ "queryName": "Beta - Storage Account Not Using Latest SMB Protocol Version",
+ "severity": "HIGH",
+ "line": 47
+ },
+ {
+ "queryName": "Beta - Storage Account Not Using Latest SMB Protocol Version",
+ "severity": "HIGH",
+ "line": 61
+ },
+ {
+ "queryName": "Beta - Storage Account Not Using Latest SMB Protocol Version",
+ "severity": "HIGH",
+ "line": 75
+ }
+]
diff --git a/assets/similarityID_transition/terraform_azure.yaml b/assets/similarityID_transition/terraform_azure.yaml
index 407c810f4d1..cda5f637875 100644
--- a/assets/similarityID_transition/terraform_azure.yaml
+++ b/assets/similarityID_transition/terraform_azure.yaml
@@ -3,3 +3,7 @@ similarityIDChangeList:
 queryName: Sensitive Port Is Exposed To Wide Private Network
 observations: ""
 change: 5
+ - queryId: 621fc7c5-c342-4223-b3dd-d1530acb43ae
+ queryName: Beta - Storage Account Not Using Latest SMB Protocol Version
+ observations: ""
+ change: 2