feat(query): implements "Beta - Service Without Resource Logging"

assets/queries/terraform/azure/service_without_resource_logging/metadata.json

@@ -0,0 +1,14 @@
+{
+  "id": "8a0628ed-6256-4a24-a1ab-54696fb69197",
+  "queryName": "Beta - Service Without Resource Logging",
+  "severity": "MEDIUM",
+  "category": "Observability",
+  "descriptionText": "Critical services that support logging through a 'azurerm_monitor_diagnostic_setting' resource should be associated with one",
+  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting",
+  "platform": "Terraform",
+  "descriptionID": "8a0628ed",
+  "cloudProvider": "azure",
+  "cwe": "778",
+  "riskScore": "3.0",
+  "experimental": "true"
+}

assets/queries/terraform/azure/service_without_resource_logging/query.rego

@@ -0,0 +1,35 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+resources := {"azurerm_app_service","azurerm_windows_web_app","azurerm_linux_web_app","azurerm_batch_account","azurerm_eventhub","azurerm_iothub","azurerm_storage_account",
+			  "azurerm_logic_app_standard","azurerm_search_service","azurerm_servicebus_namespace","azurerm_stream_analytics_job","azurerm_application_gateway",
+			  "azurerm_data_lake_store","azurerm_data_lake_analytics_account"} # legacy
+
+CxPolicy[result] {
+	resource := input.document[i].resource[resources[r]][name]
+
+	count({x |
+		diagnosticResource := input.document[x].resource.azurerm_monitor_diagnostic_setting[_]
+		contains(diagnosticResource.target_resource_id, concat(".", [resources[r], name, "id"]))
+	}) == 0
+
+	not storage_account_without_data_lake(resources[r], resource, name)
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resources[r],
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("%s[%s]", [resources[r], name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("'%s' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", [resources[r]]),
+		"keyActualValue": sprintf("'%s' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", [resources[r]]),
+		"searchLine": common_lib.build_search_line(["resource", resources[r], name], [])
+	}
+}
+
+storage_account_without_data_lake("azurerm_storage_account", resource, name) = false {
+	storage_data_lake := input.document[_].resource["azurerm_storage_data_lake_gen2_filesystem"][_]
+	contains(storage_data_lake.storage_account_id, concat(".", ["azurerm_storage_account", name, "id"]))
+} else = true

assets/queries/terraform/azure/service_without_resource_logging/test/negative1.tf

@@ -0,0 +1,177 @@
+resource "azurerm_app_service" "negative1_1" {
+  name                = "negative1_1-app-service"
+  location            = azurerm_resource_group.negative1_1.location
+  resource_group_name = azurerm_resource_group.negative1_1.name
+  app_service_plan_id = azurerm_app_service_plan.negative1_1.id
+}
+
+resource "azurerm_monitor_diagnostic_setting" "negative1_1" {
+  name               = "negative1_1"
+  target_resource_id = azurerm_app_service.negative1_1.id
+  storage_account_id = azurerm_storage_account.negative1_1.id
+}
+
+resource "azurerm_windows_web_app" "negative1_2" {
+  name                = "negative1_2"
+  resource_group_name = azurerm_resource_group.negative1_2.name
+  location            = azurerm_service_plan.negative1_2.location
+  service_plan_id     = azurerm_service_plan.negative1_2.id
+
+  site_config {}
+}
+
+resource "azurerm_monitor_diagnostic_setting" "negative1_2" {
+  name               = "negative1_2"
+  target_resource_id = azurerm_windows_web_app.negative1_2.id
+  storage_account_id = azurerm_storage_account.negative1_2.id
+}
+
+resource "azurerm_linux_web_app" "negative1_3" {
+  name                = "negative1_3"
+  resource_group_name = azurerm_resource_group.negative1_3.name
+  location            = azurerm_service_plan.negative1_3.location
+  service_plan_id     = azurerm_service_plan.negative1_3.id
+
+  site_config {}
+}
+
+resource "azurerm_monitor_diagnostic_setting" "negative1_3" {
+  name               = "negative1_3"
+  target_resource_id = azurerm_linux_web_app.negative1_3.id
+  storage_account_id = azurerm_storage_account.negative1_3.id
+}
+
+resource "azurerm_batch_account" "negative1_4" {
+  name                                = "testbatchaccount"
+  resource_group_name                 = azurerm_resource_group.negative1_4.name
+  location                            = azurerm_resource_group.negative1_4.location
+  pool_allocation_mode                = "BatchService"
+  storage_account_id                  = azurerm_storage_account.negative1_4.id
+  storage_account_authentication_mode = "StorageKeys"
+}
+
+resource "azurerm_monitor_diagnostic_setting" "negative1_4" {
+  name               = "negative1_4"
+  target_resource_id = azurerm_batch_account.negative1_4.id
+  storage_account_id = azurerm_storage_account.negative1_4.id
+}
+
+resource "azurerm_eventhub" "negative1_5" {
+  name              = "acceptanceTestEventHub"
+  namespace_id      = azurerm_eventhub_namespace.negative1_5.id
+  partition_count   = 2
+  message_retention = 1
+}
+
+resource "azurerm_monitor_diagnostic_setting" "negative1_5" {
+  name               = "negative1_5"
+  target_resource_id = azurerm_eventhub.negative1_5.id
+  storage_account_id = azurerm_storage_account.negative1_5.id
+}
+
+resource "azurerm_storage_account" "negative1_6" {
+  name                     = "storageaccountname"
+  resource_group_name      = azurerm_resource_group.negative1_6.name
+  location                 = azurerm_resource_group.negative1_6.location
+  account_tier             = "Standard"
+  account_replication_type = "GRS"
+}
+
+resource "azurerm_storage_data_lake_gen2_filesystem" "negative1_6" {
+  name               = "negative1_6"
+  storage_account_id = azurerm_storage_account.negative1_6.id
+}
+
+resource "azurerm_monitor_diagnostic_setting" "negative1_6" {
+  name               = "negative1_6"
+  target_resource_id = azurerm_storage_account.negative1_6.id
+  storage_account_id = azurerm_storage_account.negative1_6.id
+}
+
+resource "azurerm_iothub" "negative1_7" {
+  name                         = "negative1_7-IoTHub"
+  resource_group_name          = azurerm_resource_group.negative1_7.name
+  location                     = azurerm_resource_group.negative1_7.location
+  local_authentication_enabled = false
+  sku {
+    name     = "S1"
+    capacity = "1"
+  }
+}
+
+resource "azurerm_monitor_diagnostic_setting" "negative1_7" {
+  name               = "negative1_7"
+  target_resource_id = azurerm_iothub.negative1_7.id
+  storage_account_id = azurerm_storage_account.negative1_7.id
+}
+
+resource "azurerm_search_service" "negative1_8" {
+  name                = "negative1_8-resource"
+  resource_group_name = azurerm_resource_group.negative1_8.name
+  location            = azurerm_resource_group.negative1_8.location
+  sku                 = "standard"
+}
+
+resource "azurerm_monitor_diagnostic_setting" "negative1_8" {
+  name               = "negative1_8"
+  target_resource_id = azurerm_search_service.negative1_8.id
+  storage_account_id = azurerm_storage_account.negative1_8.id
+}
+
+resource "azurerm_servicebus_namespace" "negative1_9" {
+  name                = "tfex-servicebus-namespace"
+  location            = azurerm_resource_group.negative1_9.location
+  resource_group_name = azurerm_resource_group.negative1_9.name
+  sku                 = "Standard"
+}
+
+resource "azurerm_monitor_diagnostic_setting" "negative1_9" {
+  name               = "negative1_9"
+  target_resource_id = azurerm_servicebus_namespace.negative1_9.id
+  storage_account_id = azurerm_storage_account.negative1_9.id
+}
+
+resource "azurerm_stream_analytics_job" "negative1_10" {
+  name                                     = "negative1_10-job"
+  resource_group_name                      = azurerm_resource_group.negative1_10.name
+  location                                 = azurerm_resource_group.negative1_10.location
+}
+
+resource "azurerm_monitor_diagnostic_setting" "negative1_10" {
+  name               = "negative1_10"
+  target_resource_id = azurerm_stream_analytics_job.negative1_10.id
+  storage_account_id = azurerm_storage_account.negative1_10.id
+}
+
+resource "azurerm_application_gateway" "negative1_11" {
+  name                = "negative1_11-appgateway"
+  resource_group_name = azurerm_resource_group.negative1_11.name
+  location            = azurerm_resource_group.negative1_11.location
+
+  sku {
+    name     = "Standard_v2"
+    tier     = "Standard_v2"
+    capacity = 2
+  }
+}
+
+resource "azurerm_monitor_diagnostic_setting" "negative1_11" {
+  name               = "negative1_11"
+  target_resource_id = azurerm_application_gateway.negative1_11.id
+  storage_account_id = azurerm_storage_account.negative1_11.id
+}
+
+resource "azurerm_logic_app_standard" "negative1_12" {
+  name                       = "negative1_12-logic-app"
+  location                   = azurerm_resource_group.negative1_12.location
+  resource_group_name        = azurerm_resource_group.negative1_12.name
+  app_service_plan_id        = azurerm_app_service_plan.negative1_12.id
+  storage_account_name       = azurerm_storage_account.negative1_12.name
+  storage_account_access_key = azurerm_storage_account.negative1_12.primary_access_key
+}
+
+resource "azurerm_monitor_diagnostic_setting" "negative1_12" {
+  name               = "negative1_12"
+  target_resource_id = azurerm_logic_app_standard.negative1_12.id
+  storage_account_id = azurerm_storage_account.negative1_12.id
+}

assets/queries/terraform/azure/service_without_resource_logging/test/negative2.tf

@@ -0,0 +1,27 @@
+resource "azurerm_data_lake_analytics_account" "negative2_1" {         # legacy
+  default_store_account_name = var.default_store_account_name
+  location                   = var.location
+  name                       = var.name
+  resource_group_name        = var.resource_group_name
+  tags                       = var.tags
+}
+
+resource "azurerm_monitor_diagnostic_setting" "negative2_1" {
+  name               = "negative2_1"
+  target_resource_id = azurerm_data_lake_analytics_account.negative2_1.id
+  storage_account_id = azurerm_storage_account.negative2_1.id
+}
+
+resource "azurerm_data_lake_store" "negative2_2" {                  # legacy
+  name                = "consumptiondatalake"
+  resource_group_name = azurerm_resource_group.negative2_2.name
+  location            = azurerm_resource_group.negative2_2.location
+  encryption_state    = "Enabled"
+  encryption_type     = "ServiceManaged"
+}
+
+resource "azurerm_monitor_diagnostic_setting" "negative2_2" {
+  name               = "negative2_2"
+  target_resource_id = azurerm_data_lake_store.negative2_2.id
+  storage_account_id = azurerm_storage_account.negative2_2.id
+}

assets/queries/terraform/azure/service_without_resource_logging/test/negative3.tf

@@ -0,0 +1,8 @@
+resource "azurerm_storage_account" "negative3" {
+  # storage account without "gen2_filesystem" does not flag even without "azurerm_monitor_diagnostic_setting"
+  name                     = "storageaccountname"
+  resource_group_name      = azurerm_resource_group.negative3.name
+  location                 = azurerm_resource_group.negative3.location
+  account_tier             = "Standard"
+  account_replication_type = "GRS"
+}

assets/queries/terraform/azure/service_without_resource_logging/test/positive1.tf

@@ -0,0 +1,106 @@
+resource "azurerm_app_service" "positive1_1" {
+  name                = "positive1_1-app-service"
+  location            = azurerm_resource_group.positive1_1.location
+  resource_group_name = azurerm_resource_group.positive1_1.name
+  app_service_plan_id = azurerm_app_service_plan.positive1_1.id
+}
+
+resource "azurerm_windows_web_app" "positive1_2" {
+  name                = "positive1_2"
+  resource_group_name = azurerm_resource_group.positive1_2.name
+  location            = azurerm_service_plan.positive1_2.location
+  service_plan_id     = azurerm_service_plan.positive1_2.id
+
+  site_config {}
+}
+
+resource "azurerm_linux_web_app" "positive1_3" {
+  name                = "positive1_3"
+  resource_group_name = azurerm_resource_group.positive1_3.name
+  location            = azurerm_service_plan.positive1_3.location
+  service_plan_id     = azurerm_service_plan.positive1_3.id
+
+  site_config {}
+}
+
+resource "azurerm_batch_account" "positive1_4" {
+  name                                = "testbatchaccount"
+  resource_group_name                 = azurerm_resource_group.positive1_4.name
+  location                            = azurerm_resource_group.positive1_4.location
+  pool_allocation_mode                = "BatchService"
+  storage_account_id                  = azurerm_storage_account.positive1_4.id
+  storage_account_authentication_mode = "StorageKeys"
+}
+
+resource "azurerm_eventhub" "positive1_5" {
+  name              = "acceptanceTestEventHub"
+  namespace_id      = azurerm_eventhub_namespace.positive1_5.id
+  partition_count   = 2
+  message_retention = 1
+}
+
+resource "azurerm_storage_account" "positive1_6" {
+  name                     = "storageaccountname"
+  resource_group_name      = azurerm_resource_group.positive1_6.name
+  location                 = azurerm_resource_group.positive1_6.location
+  account_tier             = "Standard"
+  account_replication_type = "GRS"
+}
+
+resource "azurerm_storage_data_lake_gen2_filesystem" "positive1_6" {
+  name               = "positive1_6"
+  storage_account_id = azurerm_storage_account.positive1_6.id
+}
+
+resource "azurerm_iothub" "positive1_7" {
+  name                         = "positive1_7-IoTHub"
+  resource_group_name          = azurerm_resource_group.positive1_7.name
+  location                     = azurerm_resource_group.positive1_7.location
+  local_authentication_enabled = false
+  sku {
+    name     = "S1"
+    capacity = "1"
+  }
+}
+
+resource "azurerm_search_service" "positive1_8" {
+  name                = "positive1_8-resource"
+  resource_group_name = azurerm_resource_group.positive1_8.name
+  location            = azurerm_resource_group.positive1_8.location
+  sku                 = "standard"
+}
+
+resource "azurerm_servicebus_namespace" "positive1_9" {
+  name                = "tfex-servicebus-namespace"
+  location            = azurerm_resource_group.positive1_9.location
+  resource_group_name = azurerm_resource_group.positive1_9.name
+  sku                 = "Standard"
+}
+
+resource "azurerm_stream_analytics_job" "positive1_10" {
+  name                                     = "positive1_10-job"
+  resource_group_name                      = azurerm_resource_group.positive1_10.name
+  location                                 = azurerm_resource_group.positive1_10.location
+
+}
+
+resource "azurerm_application_gateway" "positive1_11" {
+  name                = "positive1_11-appgateway"
+  resource_group_name = azurerm_resource_group.positive1_11.name
+  location            = azurerm_resource_group.positive1_11.location
+
+  sku {
+    name     = "Standard_v2"
+    tier     = "Standard_v2"
+    capacity = 2
+  }
+}
+
+resource "azurerm_logic_app_standard" "positive1_12" {
+  name                       = "positive1_12-logic-app"
+  location                   = azurerm_resource_group.positive1_12.location
+  resource_group_name        = azurerm_resource_group.positive1_12.name
+  app_service_plan_id        = azurerm_app_service_plan.positive1_12.id
+  storage_account_name       = azurerm_storage_account.positive1_12.name
+  storage_account_access_key = azurerm_storage_account.positive1_12.primary_access_key
+}

assets/queries/terraform/azure/service_without_resource_logging/test/positive2.tf

@@ -0,0 +1,15 @@
+resource "azurerm_data_lake_analytics_account" "positive2_1" {         # legacy
+  default_store_account_name = var.default_store_account_name
+  location                   = var.location
+  name                       = var.name
+  resource_group_name        = var.resource_group_name
+  tags                       = var.tags
+}
+
+resource "azurerm_data_lake_store" "positive2_2" {                  # legacy
+  name                = "consumptiondatalake"
+  resource_group_name = azurerm_resource_group.positive2_2.name
+  location            = azurerm_resource_group.positive2_2.location
+  encryption_state    = "Enabled"
+  encryption_type     = "ServiceManaged"
+}