From 159e400176ebdde8dc3ee81ece5b4b5e387e2198 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Fri, 7 Nov 2025 15:58:37 +0000
Subject: [PATCH 1/2] initial implementation
---
 .../metadata.json | 14 +++++++++++++
 .../query.rego | 21 +++++++++++++++++++
 .../test/negative.tf | 21 +++++++++++++++++++
 .../test/positive.tf | 9 ++++++++
 .../test/positive_expected_result.json | 7 +++++++
 .../terraform_azure.yaml | 4 ++++
 6 files changed, 76 insertions(+)
 create mode 100644 assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/metadata.json
 create mode 100644 assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/query.rego
 create mode 100644 assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/test/negative.tf
 create mode 100644 assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/test/positive.tf
 create mode 100644 assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/test/positive_expected_result.json
diff --git a/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/metadata.json b/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/metadata.json
new file mode 100644
index 00000000000..24ba99a583b
--- /dev/null
+++ b/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/metadata.json
@@ -0,0 +1,14 @@
+{
+ "id": "50e0a9e3-7360-483c-9873-ba1ea1a7faf8",
+ "queryName": "Beta - Storage Account With Cross Tenant Replication Enabled",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "",
+ "descriptionUrl": "",
+ "platform": "Terraform",
+ "descriptionID": "50e0a9e3",
+ "cloudProvider": "azure",
+ "cwe": "281",
+ "riskScore": "3.0",
+ "experimental": "true"
+}
diff --git a/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/query.rego b/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/query.rego
new file mode 100644
index 00000000000..e3a9071effd
--- /dev/null
+++ b/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/query.rego
@@ -0,0 +1,21 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+ resource := input.document[i].resource.azurerm_storage_account[name]
+
+ resource.cross_tenant_replication_enabled == true
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "azurerm_storage_account",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey" : sprintf("azurerm_storage_account[%s].cross_tenant_replication_enabled", [name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("'azurerm_storage_account[%s].cross_tenant_replication_enabled' should be set to false", [name]),
+ "keyActualValue" : sprintf("'azurerm_storage_account[%s].cross_tenant_replication_enabled' is set to true", [name]),
+ "searchLine" : common_lib.build_search_line(["resource", "azurerm_storage_account", name, "cross_tenant_replication_enabled"], [])
+ }
+}
diff --git a/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/test/negative.tf b/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/test/negative.tf
new file mode 100644
index 00000000000..562ff3079a8
--- /dev/null
+++ b/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/test/negative.tf
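Review bot: The rule body at `resource.cross_tenant_replication_enabled == true` only matches when the attribute is written out, so whether an omitted attribute is a finding depends entirely on the provider default, and the comment in negative.tf, `# missing "cross_tenant_replication_enabled" - defaults to false`, is only true for one provider major version: as far as I recall the azurerm 3.x provider defaulted this attribute to true and 4.0 flipped it to false, so `negative1` would be a false negative for configurations still pinned to 3.x. I would at least record the assumption next to the condition, `# an absent attribute is accepted: azurerm >= 4.0 defaults it to false (3.x defaulted to true)`, or add a second rule body that reports the absent attribute as a `MissingAttribute` finding if that is the convention used by the other queries in this tree. Minor style point: `"searchKey" :`, `"keyActualValue" :` and `"searchLine" :` put a space before the colon while the other keys of `result` do not.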
@@ -0,0 +1,21 @@
+resource "azurerm_storage_account" "negative1" {
+ name = "negative1"
+ resource_group_name = "testRG"
+ location = "northeurope"
+ account_tier = "Premium"
+ account_replication_type = "LRS"
+ account_kind = "FileStorage"
+
+ # missing "cross_tenant_replication_enabled" - defaults to false
+}
+
+resource "azurerm_storage_account" "negative2" {
+ name = "negative2"
+ resource_group_name = "testRG"
+ location = "northeurope"
+ account_tier = "Premium"
+ account_replication_type = "LRS"
+ account_kind = "FileStorage"
+
+ cross_tenant_replication_enabled = false
+}
diff --git a/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/test/positive.tf b/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/test/positive.tf
new file mode 100644
index 00000000000..38d5f380761
--- /dev/null
+++ b/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/test/positive.tf
@@ -0,0 +1,9 @@
+resource "azurerm_storage_account" "positive1" {
+ name = "positive1"
+ resource_group_name = azurerm_resource_group.positive1.name
+ location = azurerm_resource_group.positive1.location
+ account_tier = "Standard"
+ account_replication_type = "GRS"
+
+ cross_tenant_replication_enabled = true
+}
diff --git a/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/test/positive_expected_result.json
new file mode 100644
index 00000000000..232f7ba3365
--- /dev/null
+++ b/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/test/positive_expected_result.json
@@ -0,0 +1,7 @@
+[
+ {
+ "queryName": "Beta - Storage Account With Cross Tenant Replication Enabled",
+ "severity": "MEDIUM",
+ "line": 8
+ }
+]
diff --git a/assets/similarityID_transition/terraform_azure.yaml b/assets/similarityID_transition/terraform_azure.yaml
index 407c810f4d1..26449371ad9 100644
--- a/assets/similarityID_transition/terraform_azure.yaml
+++ b/assets/similarityID_transition/terraform_azure.yaml
@@ -3,3 +3,7 @@ similarityIDChangeList:
 queryName: Sensitive Port Is Exposed To Wide Private Network
 observations: ""
 change: 5
+ - queryId: 50e0a9e3-7360-483c-9873-ba1ea1a7faf8
+ queryName: Beta - Storage Account With Cross Tenant Replication Enabled
+ observations: ""
+ change: 2
From 1f8376e9d624f5c5a56d16102baa60fc0c9f4149 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Fri, 7 Nov 2025 16:00:20 +0000
Subject: [PATCH 2/2] metadata
---
 .../metadata.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/metadata.json b/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/metadata.json
index 24ba99a583b..35448918baa 100644
--- a/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/metadata.json
+++ b/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/metadata.json
@@ -3,8 +3,8 @@
 "queryName": "Beta - Storage Account With Cross Tenant Replication Enabled",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "",
- "descriptionUrl": "",
+ "descriptionText": "No resource of type 'azurerm_storage_account' should set 'cross_tenant_replication_enabled' to true, this increases risk of unauthorized data access",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#cross_tenant_replication_enabled-1",
 "platform": "Terraform",
 "descriptionID": "50e0a9e3",
 "cloudProvider": "azure",
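Review bot: The new `descriptionText` in the second patch's metadata.json hunk is a comma splice and does not say why the setting is risky, which is what the user of a finding reads first; something like `"descriptionText": "No resource of type 'azurerm_storage_account' should set 'cross_tenant_replication_enabled' to true, as allowing replication to storage accounts in other tenants increases the risk of unauthorized data access"` states the reasoning the current text only implies. The `descriptionUrl` points at the `latest` provider docs, which is consistent with the query treating an absent attribute as false; if the rule is meant to cover older provider versions too, the description would be the place to say so. The terraform_azure.yaml hunk above is a routine similarityID transition entry and needs nothing.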