From d569559d56d684ee4a2f2cae48904ba59d4dfac1 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Mon, 10 Nov 2025 11:11:43 +0000
Subject: [PATCH 1/3] initial implementation
---
 .../azure/query_template/metadata.json | 14 ++
 .../terraform/azure/query_template/query.rego | 28 +++
 .../azure/query_template/test/negative1.tf | 172 ++++++++++++++++++
 .../azure/query_template/test/negative2.tf | 27 +++
 .../azure/query_template/test/positive1.tf | 101 ++++++++++
 .../azure/query_template/test/positive2.tf | 15 ++
 .../test/positive_expected_result.json | 86 +++++++++
 .../terraform_azure.yaml | 4 +
 8 files changed, 447 insertions(+)
 create mode 100644 assets/queries/terraform/azure/query_template/metadata.json
 create mode 100644 assets/queries/terraform/azure/query_template/query.rego
 create mode 100644 assets/queries/terraform/azure/query_template/test/negative1.tf
 create mode 100644 assets/queries/terraform/azure/query_template/test/negative2.tf
 create mode 100644 assets/queries/terraform/azure/query_template/test/positive1.tf
 create mode 100644 assets/queries/terraform/azure/query_template/test/positive2.tf
 create mode 100644 assets/queries/terraform/azure/query_template/test/positive_expected_result.json
diff --git a/assets/queries/terraform/azure/query_template/metadata.json b/assets/queries/terraform/azure/query_template/metadata.json
new file mode 100644
index 00000000000..936e906b76e
--- /dev/null
+++ b/assets/queries/terraform/azure/query_template/metadata.json
@@ -0,0 +1,14 @@
+{
+ "id": "8a0628ed-6256-4a24-a1ab-54696fb69197",
+ "queryName": "Beta - Service Without Resource Logging",
+ "severity": "MEDIUM",
+ "category": "Observability",
+ "descriptionText": "",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting",
+ "platform": "Terraform",
+ "descriptionID": "8a0628ed",
+ "cloudProvider": "azure",
+ "cwe": "778",
+ "riskScore": "3.0",
+ "experimental": "true"
+}
diff --git a/assets/queries/terraform/azure/query_template/query.rego b/assets/queries/terraform/azure/query_template/query.rego
new file mode 100644
index 00000000000..05022de2319
--- /dev/null
+++ b/assets/queries/terraform/azure/query_template/query.rego
@@ -0,0 +1,28 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+resources := {"azurerm_app_service","azurerm_windows_web_app","azurerm_linux_web_app","azurerm_batch_account","azurerm_eventhub","azurerm_iothub","azurerm_storage_account"
+ ,"azurerm_logic_app_standard","azurerm_search_service","azurerm_servicebus_namespace","azurerm_stream_analytics_job","azurerm_application_gateway",
+ "azurerm_data_lake_store","azurerm_data_lake_analytics_account"} # legacy
+
+CxPolicy[result] {
+ resource := input.document[i].resource[resources[r]][name]
+
+ count({x |
+ diagnosticResource := input.document[x].resource.azurerm_monitor_diagnostic_setting[_]
+ contains(diagnosticResource.target_resource_id, concat(".", [resources[r], name, "id"]))
+ }) == 0
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resources[r],
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("%s[%s]", [resources[r], name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": sprintf("'%s' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", [resources[r]]),
+ "keyActualValue": sprintf("'%s' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", [resources[r]]),
+ "searchLine": common_lib.build_search_line(["resource", resources[r], name], [])
+ }
+}
diff --git a/assets/queries/terraform/azure/query_template/test/negative1.tf b/assets/queries/terraform/azure/query_template/test/negative1.tf
new file mode 100644
index 00000000000..1f7475bbc85
--- /dev/null
+++ b/assets/queries/terraform/azure/query_template/test/negative1.tf
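Review bot: The comprehension in CxPolicy recognises a diagnostic setting only when its `target_resource_id` literally contains `<type>.<name>.id`, so a reference written through `count`/`for_each` indexing (`azurerm_app_service.web[0].id`), a `local`, a variable or a module output is not found and the resource is reported although it is logged; that assumption deserves a comment above the `count({x | ... }) == 0` block, e.g. `# matches only direct <type>.<name>.id references; indexed or indirect references are treated as missing`. The check also stops at association: a setting that targets the resource but enables no `enabled_log`/`log` category still satisfies it, which is worth stating in the metadata description or in a comment so the finding is not read as "logging is enabled". A smaller point: the `# legacy` comment sits on the closing line of the whole `resources` set, so it reads as applying to every entry rather than to the two data-lake types it presumably refers to.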
@@ -0,0 +1,172 @@
+resource "azurerm_app_service" "negative1_1" {
+ name = "negative1_1-app-service"
+ location = azurerm_resource_group.negative1_1.location
+ resource_group_name = azurerm_resource_group.negative1_1.name
+ app_service_plan_id = azurerm_app_service_plan.negative1_1.id
+}
+
+resource "azurerm_monitor_diagnostic_setting" "negative1_1" {
+ name = "negative1_1"
+ target_resource_id = azurerm_app_service.negative1_1.id
+ storage_account_id = azurerm_storage_account.negative1_1.id
+}
+
+resource "azurerm_windows_web_app" "negative1_2" {
+ name = "negative1_2"
+ resource_group_name = azurerm_resource_group.negative1_2.name
+ location = azurerm_service_plan.negative1_2.location
+ service_plan_id = azurerm_service_plan.negative1_2.id
+
+ site_config {}
+}
+
+resource "azurerm_monitor_diagnostic_setting" "negative1_2" {
+ name = "negative1_2"
+ target_resource_id = azurerm_windows_web_app.negative1_2.id
+ storage_account_id = azurerm_storage_account.negative1_2.id
+}
+
+resource "azurerm_linux_web_app" "negative1_3" {
+ name = "negative1_3"
+ resource_group_name = azurerm_resource_group.negative1_3.name
+ location = azurerm_service_plan.negative1_3.location
+ service_plan_id = azurerm_service_plan.negative1_3.id
+
+ site_config {}
+}
+
+resource "azurerm_monitor_diagnostic_setting" "negative1_3" {
+ name = "negative1_3"
+ target_resource_id = azurerm_linux_web_app.negative1_3.id
+ storage_account_id = azurerm_storage_account.negative1_3.id
+}
+
+resource "azurerm_batch_account" "negative1_4" {
+ name = "testbatchaccount"
+ resource_group_name = azurerm_resource_group.negative1_4.name
+ location = azurerm_resource_group.negative1_4.location
+ pool_allocation_mode = "BatchService"
+ storage_account_id = azurerm_storage_account.negative1_4.id
+ storage_account_authentication_mode = "StorageKeys"
+}
+
+resource "azurerm_monitor_diagnostic_setting" "negative1_4" {
+ name = "negative1_4"
+ target_resource_id = azurerm_batch_account.negative1_4.id
+ storage_account_id = azurerm_storage_account.negative1_4.id
+}
+
+resource "azurerm_eventhub" "negative1_5" {
+ name = "acceptanceTestEventHub"
+ namespace_id = azurerm_eventhub_namespace.negative1_5.id
+ partition_count = 2
+ message_retention = 1
+}
+
+resource "azurerm_monitor_diagnostic_setting" "negative1_5" {
+ name = "negative1_5"
+ target_resource_id = azurerm_eventhub.negative1_5.id
+ storage_account_id = azurerm_storage_account.negative1_5.id
+}
+
+resource "azurerm_storage_account" "negative1_6" {
+ name = "storageaccountname"
+ resource_group_name = azurerm_resource_group.negative1_6.name
+ location = azurerm_resource_group.negative1_6.location
+ account_tier = "Standard"
+ account_replication_type = "GRS"
+}
+
+resource "azurerm_monitor_diagnostic_setting" "negative1_6" {
+ name = "negative1_6"
+ target_resource_id = azurerm_storage_account.negative1_6.id
+ storage_account_id = azurerm_storage_account.negative1_6.id
+}
+
+resource "azurerm_iothub" "negative1_7" {
+ name = "negative1_7-IoTHub"
+ resource_group_name = azurerm_resource_group.negative1_7.name
+ location = azurerm_resource_group.negative1_7.location
+ local_authentication_enabled = false
+ sku {
+ name = "S1"
+ capacity = "1"
+ }
+}
+
+resource "azurerm_monitor_diagnostic_setting" "negative1_7" {
+ name = "negative1_7"
+ target_resource_id = azurerm_iothub.negative1_7.id
+ storage_account_id = azurerm_storage_account.negative1_7.id
+}
+
+resource "azurerm_search_service" "negative1_8" {
+ name = "negative1_8-resource"
+ resource_group_name = azurerm_resource_group.negative1_8.name
+ location = azurerm_resource_group.negative1_8.location
+ sku = "standard"
+}
+
+resource "azurerm_monitor_diagnostic_setting" "negative1_8" {
+ name = "negative1_8"
+ target_resource_id = azurerm_search_service.negative1_8.id
+ storage_account_id = azurerm_storage_account.negative1_8.id
+}
+
+resource "azurerm_servicebus_namespace" "negative1_9" {
+ name = "tfex-servicebus-namespace"
+ location = azurerm_resource_group.negative1_9.location
+ resource_group_name = azurerm_resource_group.negative1_9.name
+ sku = "Standard"
+}
+
+resource "azurerm_monitor_diagnostic_setting" "negative1_9" {
+ name = "negative1_9"
+ target_resource_id = azurerm_servicebus_namespace.negative1_9.id
+ storage_account_id = azurerm_storage_account.negative1_9.id
+}
+
+resource "azurerm_stream_analytics_job" "negative1_10" {
+ name = "negative1_10-job"
+ resource_group_name = azurerm_resource_group.negative1_10.name
+ location = azurerm_resource_group.negative1_10.location
+}
+
+resource "azurerm_monitor_diagnostic_setting" "negative1_10" {
+ name = "negative1_10"
+ target_resource_id = azurerm_stream_analytics_job.negative1_10.id
+ storage_account_id = azurerm_storage_account.negative1_10.id
+}
+
+resource "azurerm_application_gateway" "negative1_11" {
+ name = "negative1_11-appgateway"
+ resource_group_name = azurerm_resource_group.negative1_11.name
+ location = azurerm_resource_group.negative1_11.location
+
+ sku {
+ name = "Standard_v2"
+ tier = "Standard_v2"
+ capacity = 2
+ }
+}
+
+resource "azurerm_monitor_diagnostic_setting" "negative1_11" {
+ name = "negative1_11"
+ target_resource_id = azurerm_application_gateway.negative1_11.id
+ storage_account_id = azurerm_storage_account.negative1_11.id
+}
+
+resource "azurerm_logic_app_standard" "negative1_12" {
+ name = "negative1_12-logic-app"
+ location = azurerm_resource_group.negative1_12.location
+ resource_group_name = azurerm_resource_group.negative1_12.name
+ app_service_plan_id = azurerm_app_service_plan.negative1_12.id
+ storage_account_name = azurerm_storage_account.negative1_12.name
+ storage_account_access_key = azurerm_storage_account.negative1_12.primary_access_key
+}
+
+resource "azurerm_monitor_diagnostic_setting" "negative1_12" {
+ name = "negative1_12"
+ target_resource_id = azurerm_logic_app_standard.negative1_12.id
+ storage_account_id = azurerm_storage_account.negative1_12.id
+}
diff --git a/assets/queries/terraform/azure/query_template/test/negative2.tf b/assets/queries/terraform/azure/query_template/test/negative2.tf
new file mode 100644
index 00000000000..9137c8ada72
--- /dev/null
+++ b/assets/queries/terraform/azure/query_template/test/negative2.tf
@@ -0,0 +1,27 @@
+resource "azurerm_data_lake_analytics_account" "negative2_1" { # legacy
+ default_store_account_name = var.default_store_account_name
+ location = var.location
+ name = var.name
+ resource_group_name = var.resource_group_name
+ tags = var.tags
+}
+
+resource "azurerm_monitor_diagnostic_setting" "negative2_1" {
+ name = "negative2_1"
+ target_resource_id = azurerm_data_lake_analytics_account.negative2_1.id
+ storage_account_id = azurerm_storage_account.negative2_1.id
+}
+
+resource "azurerm_data_lake_store" "negative2_2" { # legacy
+ name = "consumptiondatalake"
+ resource_group_name = azurerm_resource_group.negative2_2.name
+ location = azurerm_resource_group.negative2_2.location
+ encryption_state = "Enabled"
+ encryption_type = "ServiceManaged"
+}
+
+resource "azurerm_monitor_diagnostic_setting" "negative2_2" {
+ name = "negative2_2"
+ target_resource_id = azurerm_data_lake_store.negative2_2.id
+ storage_account_id = azurerm_storage_account.negative2_2.id
+}
diff --git a/assets/queries/terraform/azure/query_template/test/positive1.tf b/assets/queries/terraform/azure/query_template/test/positive1.tf
new file mode 100644
index 00000000000..273bf995b8a
--- /dev/null
+++ b/assets/queries/terraform/azure/query_template/test/positive1.tf
@@ -0,0 +1,101 @@
+resource "azurerm_app_service" "positive1_1" {
+ name = "positive1_1-app-service"
+ location = azurerm_resource_group.positive1_1.location
+ resource_group_name = azurerm_resource_group.positive1_1.name
+ app_service_plan_id = azurerm_app_service_plan.positive1_1.id
+}
+
+resource "azurerm_windows_web_app" "positive1_2" {
+ name = "positive1_2"
+ resource_group_name = azurerm_resource_group.positive1_2.name
+ location = azurerm_service_plan.positive1_2.location
+ service_plan_id = azurerm_service_plan.positive1_2.id
+
+ site_config {}
+}
+
+resource "azurerm_linux_web_app" "positive1_3" {
+ name = "positive1_3"
+ resource_group_name = azurerm_resource_group.positive1_3.name
+ location = azurerm_service_plan.positive1_3.location
+ service_plan_id = azurerm_service_plan.positive1_3.id
+
+ site_config {}
+}
+
+resource "azurerm_batch_account" "positive1_4" {
+ name = "testbatchaccount"
+ resource_group_name = azurerm_resource_group.positive1_4.name
+ location = azurerm_resource_group.positive1_4.location
+ pool_allocation_mode = "BatchService"
+ storage_account_id = azurerm_storage_account.positive1_4.id
+ storage_account_authentication_mode = "StorageKeys"
+}
+
+resource "azurerm_eventhub" "positive1_5" {
+ name = "acceptanceTestEventHub"
+ namespace_id = azurerm_eventhub_namespace.positive1_5.id
+ partition_count = 2
+ message_retention = 1
+}
+
+resource "azurerm_storage_account" "positive1_6" {
+ name = "storageaccountname"
+ resource_group_name = azurerm_resource_group.positive1_6.name
+ location = azurerm_resource_group.positive1_6.location
+ account_tier = "Standard"
+ account_replication_type = "GRS"
+}
+
+resource "azurerm_iothub" "positive1_7" {
+ name = "positive1_7-IoTHub"
+ resource_group_name = azurerm_resource_group.positive1_7.name
+ location = azurerm_resource_group.positive1_7.location
+ local_authentication_enabled = false
+ sku {
+ name = "S1"
+ capacity = "1"
+ }
+}
+
+resource "azurerm_search_service" "positive1_8" {
+ name = "positive1_8-resource"
+ resource_group_name = azurerm_resource_group.positive1_8.name
+ location = azurerm_resource_group.positive1_8.location
+ sku = "standard"
+}
+
+resource "azurerm_servicebus_namespace" "positive1_9" {
+ name = "tfex-servicebus-namespace"
+ location = azurerm_resource_group.positive1_9.location
+ resource_group_name = azurerm_resource_group.positive1_9.name
+ sku = "Standard"
+}
+
+resource "azurerm_stream_analytics_job" "positive1_10" {
+ name = "positive1_10-job"
+ resource_group_name = azurerm_resource_group.positive1_10.name
+ location = azurerm_resource_group.positive1_10.location
+
+}
+
+resource "azurerm_application_gateway" "positive1_11" {
+ name = "positive1_11-appgateway"
+ resource_group_name = azurerm_resource_group.positive1_11.name
+ location = azurerm_resource_group.positive1_11.location
+
+ sku {
+ name = "Standard_v2"
+ tier = "Standard_v2"
+ capacity = 2
+ }
+}
+
+resource "azurerm_logic_app_standard" "positive1_12" {
+ name = "positive1_12-logic-app"
+ location = azurerm_resource_group.positive1_12.location
+ resource_group_name = azurerm_resource_group.positive1_12.name
+ app_service_plan_id = azurerm_app_service_plan.positive1_12.id
+ storage_account_name = azurerm_storage_account.positive1_12.name
+ storage_account_access_key = azurerm_storage_account.positive1_12.primary_access_key
+}
diff --git a/assets/queries/terraform/azure/query_template/test/positive2.tf b/assets/queries/terraform/azure/query_template/test/positive2.tf
new file mode 100644
index 00000000000..9391cc6b605
--- /dev/null
+++ b/assets/queries/terraform/azure/query_template/test/positive2.tf
@@ -0,0 +1,15 @@
+resource "azurerm_data_lake_analytics_account" "positive2_1" { # legacy
+ default_store_account_name = var.default_store_account_name
+ location = var.location
+ name = var.name
+ resource_group_name = var.resource_group_name
+ tags = var.tags
+}
+
+resource "azurerm_data_lake_store" "positive2_2" { # legacy
+ name = "consumptiondatalake"
+ resource_group_name = azurerm_resource_group.positive2_2.name
+ location = azurerm_resource_group.positive2_2.location
+ encryption_state = "Enabled"
+ encryption_type = "ServiceManaged"
+}
diff --git a/assets/queries/terraform/azure/query_template/test/positive_expected_result.json b/assets/queries/terraform/azure/query_template/test/positive_expected_result.json
new file mode 100644
index 00000000000..036d3e70bb3
--- /dev/null
+++ b/assets/queries/terraform/azure/query_template/test/positive_expected_result.json
@@ -0,0 +1,86 @@
+[
+ {
+ "queryName": "Beta - Service Without Resource Logging",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ },
+ {
+ "queryName": "Beta - Service Without Resource Logging",
+ "severity": "MEDIUM",
+ "line": 8,
+ "fileName": "positive1.tf"
+ },
+ {
+ "queryName": "Beta - Service Without Resource Logging",
+ "severity": "MEDIUM",
+ "line": 17,
+ "fileName": "positive1.tf"
+ },
+ {
+ "queryName": "Beta - Service Without Resource Logging",
+ "severity": "MEDIUM",
+ "line": 26,
+ "fileName": "positive1.tf"
+ },
+ {
+ "queryName": "Beta - Service Without Resource Logging",
+ "severity": "MEDIUM",
+ "line": 35,
+ "fileName": "positive1.tf"
+ },
+ {
+ "queryName": "Beta - Service Without Resource Logging",
+ "severity": "MEDIUM",
+ "line": 42,
+ "fileName": "positive1.tf"
+ },
+ {
+ "queryName": "Beta - Service Without Resource Logging",
+ "severity": "MEDIUM",
+ "line": 50,
+ "fileName": "positive1.tf"
+ },
+ {
+ "queryName": "Beta - Service Without Resource Logging",
+ "severity": "MEDIUM",
+ "line": 61,
+ "fileName": "positive1.tf"
+ },
+ {
+ "queryName": "Beta - Service Without Resource Logging",
+ "severity": "MEDIUM",
+ "line": 68,
+ "fileName": "positive1.tf"
+ },
+ {
+ "queryName": "Beta - Service Without Resource Logging",
+ "severity": "MEDIUM",
+ "line": 75,
+ "fileName": "positive1.tf"
+ },
+ {
+ "queryName": "Beta - Service Without Resource Logging",
+ "severity": "MEDIUM",
+ "line": 82,
+ "fileName": "positive1.tf"
+ },
+ {
+ "queryName": "Beta - Service Without Resource Logging",
+ "severity": "MEDIUM",
+ "line": 94,
+ "fileName": "positive1.tf"
+ },
+ {
+ "queryName": "Beta - Service Without Resource Logging",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive2.tf"
+ },
+ {
+ "queryName": "Beta - Service Without Resource Logging",
+ "severity": "MEDIUM",
+ "line": 9,
+ "fileName": "positive2.tf"
+ }
+]
diff --git a/assets/similarityID_transition/terraform_azure.yaml b/assets/similarityID_transition/terraform_azure.yaml
index 407c810f4d1..b2586a8e64f 100644
--- a/assets/similarityID_transition/terraform_azure.yaml
+++ b/assets/similarityID_transition/terraform_azure.yaml
@@ -3,3 +3,7 @@ similarityIDChangeList:
 queryName: Sensitive Port Is Exposed To Wide Private Network
 observations: ""
 change: 5
+ - queryId: 8a0628ed-6256-4a24-a1ab-54696fb69197
+ queryName: Beta - Service Without Resource Logging
+ observations: ""
+ change: 2
From 411b65f93152ef81222f779febf986f178d86492 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Mon, 10 Nov 2025 11:54:15 +0000
Subject: [PATCH 2/3] fix metadata and rename query folder
---
 .../metadata.json | 2 +-
 .../query.rego | 6 +++---
 .../test/negative1.tf | 0
 .../test/negative2.tf | 0
 .../test/positive1.tf | 0
 .../test/positive2.tf | 0
 .../test/positive_expected_result.json | 0
 7 files changed, 4 insertions(+), 4 deletions(-)
 rename assets/queries/terraform/azure/{query_template => service_without_resource_logging}/metadata.json (74%)
 rename assets/queries/terraform/azure/{query_template => service_without_resource_logging}/query.rego (86%)
 rename assets/queries/terraform/azure/{query_template => service_without_resource_logging}/test/negative1.tf (100%)
 rename assets/queries/terraform/azure/{query_template => service_without_resource_logging}/test/negative2.tf (100%)
 rename assets/queries/terraform/azure/{query_template => service_without_resource_logging}/test/positive1.tf (100%)
 rename assets/queries/terraform/azure/{query_template => service_without_resource_logging}/test/positive2.tf (100%)
 rename assets/queries/terraform/azure/{query_template => service_without_resource_logging}/test/positive_expected_result.json (100%)
diff --git a/assets/queries/terraform/azure/query_template/metadata.json b/assets/queries/terraform/azure/service_without_resource_logging/metadata.json
similarity index 74%
rename from assets/queries/terraform/azure/query_template/metadata.json
rename to assets/queries/terraform/azure/service_without_resource_logging/metadata.json
index 936e906b76e..c10d87ff81a 100644
--- a/assets/queries/terraform/azure/query_template/metadata.json
+++ b/assets/queries/terraform/azure/service_without_resource_logging/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Beta - Service Without Resource Logging",
 "severity": "MEDIUM",
 "category": "Observability",
- "descriptionText": "",
+ "descriptionText": "Critical services that support logging through a 'azurerm_monitor_diagnostic_setting' resource should be associated with one",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting",
 "platform": "Terraform",
 "descriptionID": "8a0628ed",
diff --git a/assets/queries/terraform/azure/query_template/query.rego b/assets/queries/terraform/azure/service_without_resource_logging/query.rego
similarity index 86%
rename from assets/queries/terraform/azure/query_template/query.rego
rename to assets/queries/terraform/azure/service_without_resource_logging/query.rego
index 05022de2319..0b547375b21 100644
--- a/assets/queries/terraform/azure/query_template/query.rego
+++ b/assets/queries/terraform/azure/service_without_resource_logging/query.rego
@@ -3,9 +3,9 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
-resources := {"azurerm_app_service","azurerm_windows_web_app","azurerm_linux_web_app","azurerm_batch_account","azurerm_eventhub","azurerm_iothub","azurerm_storage_account"
- ,"azurerm_logic_app_standard","azurerm_search_service","azurerm_servicebus_namespace","azurerm_stream_analytics_job","azurerm_application_gateway",
- "azurerm_data_lake_store","azurerm_data_lake_analytics_account"} # legacy
+resources := {"azurerm_app_service","azurerm_windows_web_app","azurerm_linux_web_app","azurerm_batch_account","azurerm_eventhub","azurerm_iothub","azurerm_storage_account",
+ "azurerm_logic_app_standard","azurerm_search_service","azurerm_servicebus_namespace","azurerm_stream_analytics_job","azurerm_application_gateway",
+ "azurerm_data_lake_store","azurerm_data_lake_analytics_account"} # legacy
 CxPolicy[result] {
 resource := input.document[i].resource[resources[r]][name]
diff --git a/assets/queries/terraform/azure/query_template/test/negative1.tf b/assets/queries/terraform/azure/service_without_resource_logging/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/azure/query_template/test/negative1.tf
rename to assets/queries/terraform/azure/service_without_resource_logging/test/negative1.tf
diff --git a/assets/queries/terraform/azure/query_template/test/negative2.tf b/assets/queries/terraform/azure/service_without_resource_logging/test/negative2.tf
similarity index 100%
rename from assets/queries/terraform/azure/query_template/test/negative2.tf
rename to assets/queries/terraform/azure/service_without_resource_logging/test/negative2.tf
diff --git a/assets/queries/terraform/azure/query_template/test/positive1.tf b/assets/queries/terraform/azure/service_without_resource_logging/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/azure/query_template/test/positive1.tf
rename to assets/queries/terraform/azure/service_without_resource_logging/test/positive1.tf
diff --git a/assets/queries/terraform/azure/query_template/test/positive2.tf b/assets/queries/terraform/azure/service_without_resource_logging/test/positive2.tf
similarity index 100%
rename from assets/queries/terraform/azure/query_template/test/positive2.tf
rename to assets/queries/terraform/azure/service_without_resource_logging/test/positive2.tf
diff --git a/assets/queries/terraform/azure/query_template/test/positive_expected_result.json b/assets/queries/terraform/azure/service_without_resource_logging/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/azure/query_template/test/positive_expected_result.json
rename to assets/queries/terraform/azure/service_without_resource_logging/test/positive_expected_result.json
From 4b3d6be91f81987bd294377a4160d3958676ae03 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Fri, 21 Nov 2025 15:21:51 +0000
Subject: [PATCH 3/3] fixed logic to account for data lake gen2
---
 .../query.rego | 7 +++++
 .../test/negative3.tf | 27 +++++++++++++++++++
 .../test/negative4.tf | 7 +++++
 .../test/positive1.tf | 5 ++++
 .../test/positive_expected_result.json | 12 ++++-----
 5 files changed, 52 insertions(+), 6 deletions(-)
 create mode 100644 assets/queries/terraform/azure/service_without_resource_logging/test/negative3.tf
 create mode 100644 assets/queries/terraform/azure/service_without_resource_logging/test/negative4.tf
diff --git a/assets/queries/terraform/azure/service_without_resource_logging/query.rego b/assets/queries/terraform/azure/service_without_resource_logging/query.rego
index 0b547375b21..4ad88cad104 100644
--- a/assets/queries/terraform/azure/service_without_resource_logging/query.rego
+++ b/assets/queries/terraform/azure/service_without_resource_logging/query.rego
@@ -15,6 +15,8 @@ CxPolicy[result] {
 contains(diagnosticResource.target_resource_id, concat(".", [resources[r], name, "id"]))
 }) == 0
+ not storage_account_without_data_lake(resources[r], resource, name)
+
 result := {
 "documentId": input.document[i].id,
 "resourceType": resources[r],
@@ -26,3 +28,8 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", resources[r], name], [])
 }
 }
+
+storage_account_without_data_lake("azurerm_storage_account", resource, name) = false {
+ storage_data_lake := input.document[_].resource["azurerm_storage_data_lake_gen2_filesystem"][_]
+ contains(storage_data_lake.storage_account_id, concat(".", ["azurerm_storage_account", name, "id"]))
+} else = true
diff --git a/assets/queries/terraform/azure/service_without_resource_logging/test/negative3.tf b/assets/queries/terraform/azure/service_without_resource_logging/test/negative3.tf
new file mode 100644
index 00000000000..9137c8ada72
--- /dev/null
+++ b/assets/queries/terraform/azure/service_without_resource_logging/test/negative3.tf
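Review bot: `storage_account_without_data_lake` has three outcomes that the `not` in CxPolicy depends on and nothing documents: it is undefined for every type other than `azurerm_storage_account` (the literal in the rule head does not unify, and `else` shares that head), `false` when an `azurerm_storage_data_lake_gen2_filesystem` references the account, and `true` otherwise; because `not` succeeds on undefined, non-storage resources still reach `result`, and replacing the literal with a variable would silently stop every one of them from being reported. A comment above the rule such as `# undefined for non-storage types (literal head argument), false when a gen2 filesystem references the account, true otherwise; CxPolicy relies on 'not' treating undefined as success` would protect that. The `resource` parameter is not used by the body and could be dropped from the rule and its call. The net effect is that a storage account with no gen2 filesystem is never flagged (negative4.tf), even though a diagnostic setting is also how blob/queue/table access logs are captured, so it is worth confirming that narrowing is intended and, if the intent is hierarchical-namespace accounts, noting that `is_hns_enabled = true` on the account itself is a signal the helper does not consider. The CxPolicy body patched by the first hunk starts and ends outside it.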
@@ -0,0 +1,27 @@
+resource "azurerm_data_lake_analytics_account" "negative2_1" { # legacy
+ default_store_account_name = var.default_store_account_name
+ location = var.location
+ name = var.name
+ resource_group_name = var.resource_group_name
+ tags = var.tags
+}
+
+resource "azurerm_monitor_diagnostic_setting" "negative2_1" {
+ name = "negative2_1"
+ target_resource_id = azurerm_data_lake_analytics_account.negative2_1.id
+ storage_account_id = azurerm_storage_account.negative2_1.id
+}
+
+resource "azurerm_data_lake_store" "negative2_2" { # legacy
+ name = "consumptiondatalake"
+ resource_group_name = azurerm_resource_group.negative2_2.name
+ location = azurerm_resource_group.negative2_2.location
+ encryption_state = "Enabled"
+ encryption_type = "ServiceManaged"
+}
+
+resource "azurerm_monitor_diagnostic_setting" "negative2_2" {
+ name = "negative2_2"
+ target_resource_id = azurerm_data_lake_store.negative2_2.id
+ storage_account_id = azurerm_storage_account.negative2_2.id
+}
diff --git a/assets/queries/terraform/azure/service_without_resource_logging/test/negative4.tf b/assets/queries/terraform/azure/service_without_resource_logging/test/negative4.tf
new file mode 100644
index 00000000000..7d3865bc0a5
--- /dev/null
+++ b/assets/queries/terraform/azure/service_without_resource_logging/test/negative4.tf
@@ -0,0 +1,7 @@
+resource "azurerm_storage_account" "negative4" { #storage account without gen2_filesystem
+ name = "storageaccountname"
+ resource_group_name = azurerm_resource_group.negative4.name
+ location = azurerm_resource_group.negative4.location
+ account_tier = "Standard"
+ account_replication_type = "GRS"
+}
diff --git a/assets/queries/terraform/azure/service_without_resource_logging/test/positive1.tf b/assets/queries/terraform/azure/service_without_resource_logging/test/positive1.tf
index 273bf995b8a..866224df77f 100644
--- a/assets/queries/terraform/azure/service_without_resource_logging/test/positive1.tf
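Review bot: negative3.tf is a byte-for-byte copy of negative2.tf (both file headers carry blob 9137c8ada72 and the labels are still `negative2_1`/`negative2_2`), so it adds no coverage for the logic this commit introduces. The new negative case the rego change creates, an `azurerm_storage_account` that has an `azurerm_storage_data_lake_gen2_filesystem` and a matching `azurerm_monitor_diagnostic_setting`, has no fixture at all, and negative3.tf would be better spent on it. The `#storage account without gen2_filesystem` comment in negative4.tf could also say why the account is a negative, e.g. `# no gen2 filesystem: the query only checks accounts used as Data Lake Gen2 storage`.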
+++ b/assets/queries/terraform/azure/service_without_resource_logging/test/positive1.tf
@@ -47,6 +47,11 @@ resource "azurerm_storage_account" "positive1_6" {
 account_replication_type = "GRS"
 }
+resource "azurerm_storage_data_lake_gen2_filesystem" "positive1_6" {
+ name = "positive1_6"
+ storage_account_id = azurerm_storage_account.positive1_6.id
+}
+
 resource "azurerm_iothub" "positive1_7" {
 name = "positive1_7-IoTHub"
 resource_group_name = azurerm_resource_group.positive1_7.name
diff --git a/assets/queries/terraform/azure/service_without_resource_logging/test/positive_expected_result.json b/assets/queries/terraform/azure/service_without_resource_logging/test/positive_expected_result.json
index 036d3e70bb3..2781952c731 100644
--- a/assets/queries/terraform/azure/service_without_resource_logging/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/service_without_resource_logging/test/positive_expected_result.json
@@ -38,37 +38,37 @@
 {
 "queryName": "Beta - Service Without Resource Logging",
 "severity": "MEDIUM",
- "line": 50,
+ "line": 55,
 "fileName": "positive1.tf"
 },
 {
 "queryName": "Beta - Service Without Resource Logging",
 "severity": "MEDIUM",
- "line": 61,
+ "line": 66,
 "fileName": "positive1.tf"
 },
 {
 "queryName": "Beta - Service Without Resource Logging",
 "severity": "MEDIUM",
- "line": 68,
+ "line": 73,
 "fileName": "positive1.tf"
 },
 {
 "queryName": "Beta - Service Without Resource Logging",
 "severity": "MEDIUM",
- "line": 75,
+ "line": 80,
 "fileName": "positive1.tf"
 },
 {
 "queryName": "Beta - Service Without Resource Logging",
 "severity": "MEDIUM",
- "line": 82,
+ "line": 87,
 "fileName": "positive1.tf"
 },
 {
 "queryName": "Beta - Service Without Resource Logging",
 "severity": "MEDIUM",
- "line": 94,
+ "line": 99,
 "fileName": "positive1.tf"
 },
 {