diff --git a/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/metadata.json b/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/metadata.json
new file mode 100644
index 00000000000..26c758f9239
--- /dev/null
+++ b/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/metadata.json
@@ -0,0 +1,14 @@
+{
+ "id": "d3ba7d62-bd07-4102-88ca-9668e5f08e7d",
+ "queryName": "Beta - Recovery Services Vault With Public Network Access",
+ "severity": "HIGH",
+ "category": "Access Control",
+ "descriptionText": "All 'azurerm_recovery_services_vault' resources should set 'public_network_access_enabled' to false in order to prevent exposure to the internet and reduce the risk of unauthorized access",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/recovery_services_vault#public_network_access_enabled-1",
+ "platform": "Terraform",
+ "descriptionID": "d3ba7d62",
+ "cloudProvider": "azure",
+ "cwe": "732",
+ "riskScore": "6.0",
+ "experimental": "true"
+}
diff --git a/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/query.rego b/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/query.rego
new file mode 100644
index 00000000000..1183449eba0
--- /dev/null
+++ b/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/query.rego
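Review bot: The new query directory is spelled `recovery_services_vaut_with_public_network_access` in every path of this change (metadata.json, query.rego and the three test fixtures), dropping the `l` in `vault`, while `queryName` and `descriptionText` inside metadata.json spell it correctly. Presumably the query is located and its fixtures are run by that directory name, so a rename is cheapest before the query ships; the similarityID_transition entry keys on the UUID `d3ba7d62-bd07-4102-88ca-9668e5f08e7d` and would not need to change. Renaming the directory to `recovery_services_vault_with_public_network_access` across the five new files is the whole fix.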
@@ -0,0 +1,40 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+ resource := input.document[i].resource.azurerm_recovery_services_vault[name]
+
+ results := get_results(resource, name)
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "azurerm_recovery_services_vault",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": results.searchKey,
+ "issueType": results.issueType,
+ "keyExpectedValue": sprintf("'azurerm_recovery_services_vault[%s].public_network_access_enabled' should be defined and set to false", [name]),
+ "keyActualValue": results.keyActualValue,
+ "searchLine": results.searchLine
+ }
+}
+
+get_results(resource, name) = results {
+ not common_lib.valid_key(resource, "public_network_access_enabled")
+ results := {
+ "searchKey": sprintf("azurerm_recovery_services_vault[%s]", [name]),
+ "issueType": "MissingAttribute",
+ "keyActualValue": sprintf("'azurerm_recovery_services_vault[%s].public_network_access_enabled' is undefined or null", [name]),
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_recovery_services_vault", name], [])
+ }
+
+} else = results {
+ resource.public_network_access_enabled == true
+ results := {
+ "searchKey": sprintf("azurerm_recovery_services_vault[%s].public_network_access_enabled", [name]),
+ "issueType": "IncorrectValue",
+ "keyActualValue": sprintf("'azurerm_recovery_services_vault[%s].public_network_access_enabled' is set to true", [name]),
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_recovery_services_vault", name, "public_network_access_enabled"], [])
+ }
+}
diff --git a/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test/negative.tf b/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test/negative.tf
new file mode 100644
index 00000000000..ae005e0f690
--- /dev/null
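Review bot: The `else` branch of `get_results` raises a finding only when `resource.public_network_access_enabled == true` holds for a literal boolean, so any other present value — `false`, but presumably also a variable reference or expression the scanner did not resolve — produces no result, and a vault whose exposure is decided by an unresolved variable passes silently even though the provider default named in the positive fixture is `true`. If that scope is intended, a comment on the branch would make it explicit, e.g. `# reported only when the attribute is literally true; any other present value (false, unresolved reference) is treated as compliant`. The blank line before `} else = results {` also makes the first branch read as if the function ended there; dropping it keeps the `else` chain visually attached to its rule.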
+++ b/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test/negative.tf
@@ -0,0 +1,8 @@
+resource "azurerm_recovery_services_vault" "negative1" {
+ name = "negative1-recovery-vault"
+ location = azurerm_resource_group.negative1.location
+ resource_group_name = azurerm_resource_group.negative1.name
+ sku = "Standard"
+
+ public_network_access_enabled = false
+}
diff --git a/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test/positive.tf b/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test/positive.tf
new file mode 100644
index 00000000000..c9e4263670d
--- /dev/null
+++ b/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test/positive.tf
@@ -0,0 +1,17 @@
+resource "azurerm_recovery_services_vault" "positive1" {
+ name = "positive1-recovery-vault"
+ location = azurerm_resource_group.positive1.location
+ resource_group_name = azurerm_resource_group.positive1.name
+ sku = "Standard"
+
+ # "public_network_access_enabled" missing - defaults to true
+}
+
+resource "azurerm_recovery_services_vault" "positive2" {
+ name = "positive2-recovery-vault"
+ location = azurerm_resource_group.positive2.location
+ resource_group_name = azurerm_resource_group.positive2.name
+ sku = "Standard"
+
+ public_network_access_enabled = true
+}
diff --git a/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test/positive_expected_result.json b/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test/positive_expected_result.json
new file mode 100644
index 00000000000..e36c55b3819
--- /dev/null
+++ b/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test/positive_expected_result.json
@@ -0,0 +1,12 @@
+[
+ {
+ "queryName": "Beta - Recovery Services Vault With Public Network Access",
+ "severity": "HIGH",
+ "line": 1
+ },
+ {
+ "queryName": "Beta - Recovery Services Vault With Public Network Access",
+ "severity": "HIGH",
+ "line": 16
+ }
+]
diff --git a/assets/similarityID_transition/terraform_azure.yaml b/assets/similarityID_transition/terraform_azure.yaml
index 407c810f4d1..e9b931e4e10 100644
--- a/assets/similarityID_transition/terraform_azure.yaml
+++ b/assets/similarityID_transition/terraform_azure.yaml
@@ -3,3 +3,7 @@ similarityIDChangeList:
 queryName: Sensitive Port Is Exposed To Wide Private Network
 observations: ""
 change: 5
+ - queryId: d3ba7d62-bd07-4102-88ca-9668e5f08e7d
+ queryName: Beta - Recovery Services Vault With Public Network Access
+ observations: ""
+ change: 2