From f629f82cc682be8ea1ce9822568c81419dad32eb Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Fri, 14 Nov 2025 12:01:38 +0000
Subject: [PATCH 1/2] initial implementation
---
.../metadata.json | 14 +++++++++++++
.../query.rego | 21 +++++++++++++++++++
.../test/negative.tf | 17 +++++++++++++++
.../test/positive.tf | 8 +++++++
.../test/positive_expected_result.json | 7 +++++++
.../terraform_azure.yaml | 4 ++++
6 files changed, 71 insertions(+)
create mode 100644 assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/metadata.json
create mode 100644 assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/query.rego
create mode 100644 assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/test/negative.tf
create mode 100644 assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/test/positive.tf
create mode 100644 assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/test/positive_expected_result.json
diff --git a/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/metadata.json b/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/metadata.json
new file mode 100644
index 00000000000..1ab83241bb7
--- /dev/null
+++ b/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/metadata.json
@@ -0,0 +1,14 @@
+{
+ "id": "b373043c-f3bf-40db-b67a-c982732c7781",
+ "queryName": "Beta - Recovery Services Vault Without Soft Delete",
+ "severity": "HIGH",
+ "category": "Backup",
+ "descriptionText": "No 'azurerm_recovery_services_vault' resource should set 'soft_delete_enabled' to false, this makes it impossible to recover backup data",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/data_protection_backup_vault#soft_delete-1",
+ "platform": "Terraform",
+ "descriptionID": "b373043c",
+ "cloudProvider": "azure",
+ "cwe": "754",
+ "riskScore": "6.0",
+ "experimental": "true"
+}
diff --git a/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/query.rego b/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/query.rego
new file mode 100644
index 00000000000..63d7464de4f
--- /dev/null
+++ b/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/query.rego
@@ -0,0 +1,21 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+ resource := input.document[i].resource.azurerm_recovery_services_vault[name]
+
+ resource.soft_delete_enabled == false
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "azurerm_recovery_services_vault",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("azurerm_recovery_services_vault[%s].soft_delete_enabled", [name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("'azurerm_recovery_services_vault[%s].soft_delete_enabled' should not be set to false", [name]),
+ "keyActualValue": sprintf("'azurerm_recovery_services_vault[%s].soft_delete_enabled' is set to false", [name]),
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_recovery_services_vault", name, "soft_delete_enabled"], [])
+ }
+}
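Review bot: The new query directory is spelled `recovery_services_vaut_without_soft_delete` ("vaut" instead of "vault"), and the same path is used for every new file in this series: metadata.json here, plus query.rego, negative.tf, positive.tf and positive_expected_result.json in the following hunks. The directory name is the query's identity in the repository layout, so correcting it to `recovery_services_vault_without_soft_delete` before merge is far cheaper than a later rename across the tree. The `descriptionText` is also a comma splice and somewhat overstates the impact; a wording such as `"No 'azurerm_recovery_services_vault' resource should set 'soft_delete_enabled' to false: disabling soft delete removes the retention window that protects deleted backup data from accidental or malicious deletion"` states the risk the check guards against more precisely.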
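Review bot: `resource.soft_delete_enabled == false` on the ninth added line of query.rego only matches an unquoted boolean, yet Terraform also accepts the quoted form `soft_delete_enabled = "false"` for this bool attribute; if the Terraform parser keeps that value as a string, the vault is misconfigured but the query stays silent. A small two-body helper keeps the rule readable while covering both spellings: `soft_delete_disabled(resource) { resource.soft_delete_enabled == false }`, `soft_delete_disabled(resource) { resource.soft_delete_enabled == "false" }`, with the condition becoming `soft_delete_disabled(resource)`. Whether the parser already normalizes quoted booleans should be confirmed against an existing boolean-valued query before adopting this. Values supplied through variables or expressions are out of reach for a literal check either way, which deserves a one-line comment above the condition so the query's scope is explicit to the next maintainer.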
diff --git a/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/test/negative.tf b/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/test/negative.tf
new file mode 100644
index 00000000000..80b6bbf4834
--- /dev/null
+++ b/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/test/negative.tf
@@ -0,0 +1,17 @@
+resource "azurerm_recovery_services_vault" "negative1" {
+ name = "negative1-recovery-vault"
+ location = azurerm_resource_group.negative1.location
+ resource_group_name = azurerm_resource_group.negative1.name
+ sku = "Standard"
+
+ # "soft_delete_enabled" missing - defaults to true
+}
+
+resource "azurerm_recovery_services_vault" "negative2" {
+ name = "negative2-recovery-vault"
+ location = azurerm_resource_group.negative2.location
+ resource_group_name = azurerm_resource_group.negative2.name
+ sku = "Standard"
+
+ soft_delete_enabled = true
+}
diff --git a/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/test/positive.tf b/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/test/positive.tf
new file mode 100644
index 00000000000..eaa9b6cc16a
--- /dev/null
+++ b/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/test/positive.tf
@@ -0,0 +1,8 @@
+resource "azurerm_recovery_services_vault" "positive" {
+ name = "positive-recovery-vault"
+ location = azurerm_resource_group.positive.location
+ resource_group_name = azurerm_resource_group.positive.name
+ sku = "Standard"
+
+ soft_delete_enabled = false
+}
diff --git a/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/test/positive_expected_result.json b/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/test/positive_expected_result.json
new file mode 100644
index 00000000000..e5d1b57eeb7
--- /dev/null
+++ b/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/test/positive_expected_result.json
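Review bot: positive.tf pins only the unquoted `soft_delete_enabled = false`; Terraform also accepts the quoted `soft_delete_enabled = "false"` for this bool attribute, so a second positive resource using that form would make the query's intended detection scope explicit rather than implicit. If it is added, `positive_expected_result.json` needs a matching entry carrying the line of the new attribute, as the existing entry does with `"line": 7`. negative.tf already covers both the omitted attribute and an explicit `true`, so it needs no change.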
@@ -0,0 +1,7 @@
+[
+ {
+ "queryName": "Beta - Recovery Services Vault Without Soft Delete",
+ "severity": "HIGH",
+ "line": 7
+ }
+]
diff --git a/assets/similarityID_transition/terraform_azure.yaml b/assets/similarityID_transition/terraform_azure.yaml
index 407c810f4d1..50772c46cc8 100644
--- a/assets/similarityID_transition/terraform_azure.yaml
+++ b/assets/similarityID_transition/terraform_azure.yaml
@@ -3,3 +3,7 @@ similarityIDChangeList:
 queryName: Sensitive Port Is Exposed To Wide Private Network
 observations: ""
 change: 5
+ - queryId: b373043c-f3bf-40db-b67a-c982732c7781
+ queryName: Beta - Recovery Services Vault Without Soft Delete
+ observations: ""
+ change: 2
From e6308309af63f89b19b8a0aa515c26d9f319bdc6 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Fri, 14 Nov 2025 14:05:04 +0000
Subject: [PATCH 2/2] fix metadata
---
.../recovery_services_vaut_without_soft_delete/metadata.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/metadata.json b/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/metadata.json
index 1ab83241bb7..fec1fa8207b 100644
--- a/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/metadata.json
+++ b/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/metadata.json
@@ -4,7 +4,7 @@
 "severity": "HIGH",
 "category": "Backup",
 "descriptionText": "No 'azurerm_recovery_services_vault' resource should set 'soft_delete_enabled' to false, this makes it impossible to recover backup data",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/data_protection_backup_vault#soft_delete-1",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/recovery_services_vault#soft_delete_enabled-1",
 "platform": "Terraform",
 "descriptionID": "b373043c",
 "cloudProvider": "azure",