Terraform missing rules compared to ARM and vice versa #194

Merged
merged 34 commits into from
Aug 21, 2021
129fdda
added new tf rules for activitylogalerts.rego
rezoan Aug 13, 2021
aa4e06c
added PR-AZR-0125-TRF in applicationgateways.rego
rezoan Aug 13, 2021
21f9c0b
Added side note for blobservices.rego
rezoan Aug 13, 2021
f7c5764
fixed typo
rezoan Aug 13, 2021
4ad43fb
Added PR-AZR-0105-TRF on databaseaccounts.rego
rezoan Aug 13, 2021
5e52f71
Merge branch 'master' of https://github.com/prancer-io/prancer-compli…
rezoan Aug 14, 2021
f487e7e
SQL MI is not available for Terraform yet
rezoan Aug 14, 2021
8bc1b25
Added PR-AZR-0084-TRF to dbdataencryption.rego
rezoan Aug 14, 2021
515e078
Added PR-AZR-0097-ARM to dbsecurityalertpolicy.rego
rezoan Aug 14, 2021
027c4c8
Added PR-AZR-0068-TRF to disks.rego
rezoan Aug 14, 2021
2228da7
Merge branch 'master' of https://github.com/prancer-io/prancer-compli…
rezoan Aug 14, 2021
61ff468
Added keyvault.rego for terraform
rezoan Aug 15, 2021
0ed9bd2
updated KeyValut.rego for ARM
rezoan Aug 15, 2021
384ef7f
Added keyvalutkeys.rego
rezoan Aug 15, 2021
ba31df1
Merge branch 'master' of https://github.com/prancer-io/prancer-compli…
rezoan Aug 17, 2021
b0927b7
added new rules for networkwatcherflowlogs.rego
rezoan Aug 17, 2021
1a86cf6
fixed typo
rezoan Aug 17, 2021
4dbc2b1
added tf rules to postgresSQL.rego
rezoan Aug 18, 2021
6741327
added new rules for redis.rego
rezoan Aug 18, 2021
7a7b724
Added new rules under registries.rego
rezoan Aug 18, 2021
cc065f0
Merge branch 'master' of https://github.com/prancer-io/prancer-compli…
rezoan Aug 19, 2021
091671e
added new rule under sql_alert_policy.rego
rezoan Aug 19, 2021
81b9e9d
Added new rules under dbserverdataencryption.rego
rezoan Aug 19, 2021
af9f11d
Added PR-AZR-0134-TRF and PR-AZR-0111-TRF in sql_servers_encryption.rego
rezoan Aug 19, 2021
2753461
added rules to sql_server.rego
rezoan Aug 20, 2021
5986f28
Added new rules under storageaccounts.rego
rezoan Aug 20, 2021
6adc2eb
changed the id
rezoan Aug 20, 2021
40de574
Added PR-AZR-0065-TRF under vm.rego
rezoan Aug 20, 2021
95036aa
Added new rule under vmextensions.rego
rezoan Aug 20, 2021
af0697b
Merge branch 'master' of https://github.com/prancer-io/prancer-compli…
rezoan Aug 21, 2021
2836f30
added rules to vnetpeering.rego
rezoan Aug 21, 2021
2ae585e
added new rules under vpngatewayes.rego
rezoan Aug 21, 2021
69651ea
Added new rules under locks.rego
rezoan Aug 21, 2021
a13e1ee
Fixed checking of redis_cache existance before working with redis lin…
rezoan Aug 21, 2021
41 changes: 10 additions & 31 deletions azure/iac/KeyVault.rego
Expand Up @@ -13,6 +13,7 @@ azure_attribute_absence["KeyVault"] {
not accessPolicy.permissions.keys
not accessPolicy.permissions.secrets
not accessPolicy.permissions.certificates
not accessPolicy.permissions.storage
}


Expand All @@ -23,6 +24,7 @@ azure_issue["KeyVault"] {
count(accessPolicy.permissions.keys) == 0
count(accessPolicy.permissions.secrets) == 0
count(accessPolicy.permissions.certificates) == 0
count(accessPolicy.permissions.storage) == 0
}

KeyVault {
Expand All @@ -39,15 +41,10 @@ KeyVault = false {
azure_attribute_absence["KeyVault"]
}

KeyVault_err = "Ensure at least one principal has access to Keyvault" {
azure_issue["KeyVault"]
}

# Rezoan: This rule is not being used. We should merge this rule with KeyVault_err in a OR logic. Farshid to confirm.
# Consider this comment for each every rule that is similar to this one.
# if we merge, the message should be same for both. Otherwise message should be different based on purpose.
KeyVault_miss_err = "Ensure at least one principal has access to Keyvault" {
KeyVault_err = "accessPolicy property 'permissions.keys' or 'permissions.secrets' or 'permissions.certificates' or 'permissions.storage' is missing from the microsoft.keyvault/vaults resource." {
azure_attribute_absence["KeyVault"]
} else = "Currently no principal has access to Keyvault" {
azure_issue["KeyVault"]
}

KeyVault_metadata := {
Expand Down Expand Up @@ -89,23 +86,15 @@ enableSoftDelete = false {
azure_issue["enableSoftDelete"]
}

enableSoftDelete = false {
enableSoftDelete {
azure_attribute_absence["enableSoftDelete"]
not azure_issue["enableSoftDelete"]
}


enableSoftDelete_err = "'Soft Delete' setting is currently not enabled for Key Vault" {
azure_issue["enableSoftDelete"]
}

# Rezoan: This rule is not being used. We should merge this rule with enableSoftDelete_err in a OR logic. Farshid to confirm.
# Consider this comment for each every rule that is similar to this one.
# if we merge, the message should be same for both. Otherwise message should be different based on purpose.
enableSoftDelete_miss_err = "'Soft Delete' setting is currently not enabled for Key Vault" {
azure_attribute_absence["enableSoftDelete"]
}


enableSoftDelete_metadata := {
"Policy Code": "PR-AZR-0108-ARM",
"Type": "IaC",
Expand All @@ -120,7 +109,6 @@ enableSoftDelete_metadata := {




# PR-AZR-0109-ARM

default enablePurgeProtection = null
Expand All @@ -131,14 +119,12 @@ azure_attribute_absence ["enablePurgeProtection"] {
not resource.properties.enablePurgeProtection
}


azure_issue ["enablePurgeProtection"] {
resource := input.resources[_]
lower(resource.type) == "microsoft.keyvault/vaults"
resource.properties.enablePurgeProtection != true
}


enablePurgeProtection {
lower(input.resources[_].type) == "microsoft.keyvault/vaults"
not azure_attribute_absence["enablePurgeProtection"]
Expand All @@ -153,19 +139,12 @@ enablePurgeProtection = false {
azure_attribute_absence["enablePurgeProtection"]
}


enablePurgeProtection_err = "Purge protection is currently not enabled on Key vault" {
azure_issue["enableSoftDelete"]
}

# Rezoan: This rule is not being used. We should merge this rule with enablePurgeProtection_err in a OR logic. Farshid to confirm.
# Consider this comment for each every rules that is similar to this one.
# if we merge, the message should be same for both. Otherwise message should be different based on purpose.
enablePurgeProtection_miss_err = "Purge protection is currently not enabled on Key vault" {
enablePurgeProtection_err = "microsoft.keyvault/vaults resoruce property enablePurgeProtection is missing" {
azure_attribute_absence["enableSoftDelete"]
} else = "Purge protection is currently not enabled on Key vault" {
azure_issue["enableSoftDelete"]
}


enablePurgeProtection_metadata := {
"Policy Code": "PR-AZR-0109-ARM",
"Type": "IaC",
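Review bot: The rebuilt `enablePurgeProtection_err` in the last hunk still selects its message on `azure_attribute_absence["enableSoftDelete"]` and `azure_issue["enableSoftDelete"]`, so the purge-protection message follows the soft-delete rule's state instead of the `azure_attribute_absence ["enablePurgeProtection"]` / `azure_issue ["enablePurgeProtection"]` rules defined a few lines above; the old `_err` had the same mismatch and the commit carries it over into the new else-chain. The two bodies should read `azure_attribute_absence["enablePurgeProtection"]` and `azure_issue["enablePurgeProtection"]`, and the first message has a typo, `"microsoft.keyvault/vaults resource property enablePurgeProtection is missing"`. Separately, the `enableSoftDelete` hunk appears to turn the attribute-absent case into a pass (`enableSoftDelete { azure_attribute_absence["enableSoftDelete"] ... }` where it was `enableSoftDelete = false`); if that relies on the platform default, state it next to the rule, e.g. `# soft delete is treated as enabled when the property is omitted — confirm against the API version in use`. The `_metadata` objects at the hunk edges continue outside the hunks.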
34 changes: 15 additions & 19 deletions azure/iac/Redis.rego
Expand Up @@ -5,7 +5,7 @@ package rule
# PR-AZR-0131-ARM

default enableSslPort = null

# default is false
azure_attribute_absence ["enableSslPort"] {
resource := input.resources[_]
lower(resource.type) == "microsoft.cache/redis"
Expand All @@ -22,13 +22,11 @@ enableSslPort {
azure_attribute_absence["enableSslPort"]
}


enableSslPort {
lower(input.resources[_].type) == "microsoft.cache/redis"
not azure_issue["servenableSslPorterRole"]
}


enableSslPort = false {
azure_issue["enableSslPort"]
}
Expand All @@ -37,7 +35,6 @@ enableSslPort_err = "Redis cache is currently allowing unsecure connection via a
azure_issue["enableSslPort"]
}


enableSslPort_metadata := {
"Policy Code": "PR-AZR-0131-ARM",
"Type": "IaC",
Expand All @@ -52,54 +49,53 @@ enableSslPort_metadata := {




# https://docs.microsoft.com/en-us/azure/templates/microsoft.cache/redis/linkedservers

# PR-AZR-0132-ARM

default serverRole = null


azure_attribute_absence ["serverRole"] {
# as linkedservers is child resource of microsoft.cache/redis, we need to make sure microsoft.cache/redis exist in the same template first.
azure_attribute_absence["serverRole"] {
resource := input.resources[_]
lower(resource.type) == "microsoft.cache/redis/linkedservers"
not resource.properties.serverRole
lower(resource.type) == "microsoft.cache/redis"
count([c | input.resources[_].type == "microsoft.cache/redis/linkedservers";
c := 1]) == 0
}

#azure_attribute_absence ["serverRole"] {
# resource := input.resources[_]
# lower(resource.type) == "microsoft.cache/redis/linkedservers"
# not resource.properties.serverRole
#}

azure_issue ["serverRole"] {
resource := input.resources[_]
lower(resource.type) == "microsoft.cache/redis/linkedservers"
lower(resource.properties.serverRole) != "secondary"
}

serverRole = false {
azure_attribute_absence["serverRole"]
}

serverRole {
lower(input.resources[_].type) == "microsoft.cache/redis/linkedservers"
not azure_attribute_absence["serverRole"]
not azure_issue["serverRole"]
}


serverRole = false {
azure_attribute_absence["serverRole"]
}


serverRole = false {
azure_issue["serverRole"]
}


serverRole_miss_err = "Azure Redis Cache linked server property 'serverRole' is missing from the resource" {
azure_attribute_absence["serverRole"]
}


serverRole_err = "Azure Redis Cache linked backup server currently does not have secondary role." {
azure_issue["serverRole"]
}


serverRole_metadata := {
"Policy Code": "PR-AZR-0132-ARM",
"Type": "IaC",
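Review bot: The new `azure_attribute_absence["serverRole"]` counts linked servers with a case-sensitive `input.resources[_].type == "microsoft.cache/redis/linkedservers"`, while every other type check in this file goes through `lower()`; a template that writes the type in mixed case (as ARM authors commonly do) is counted as having no linked server, and `serverRole = false { azure_attribute_absence["serverRole"] }` then fails a compliant template. Use `count([c | lower(input.resources[_].type) == "microsoft.cache/redis/linkedservers"; c := 1]) == 0`. The `serverRole_miss_err` text ("property 'serverRole' is missing from the resource") no longer describes this condition, which now means a `microsoft.cache/redis` resource has no linked server at all; reword it, e.g. `"Azure Redis Cache has no linked server (microsoft.cache/redis/linkedservers) defined in the template"`. With the property-level absence check commented out, a linked server that omits `serverRole` is now neither absent nor an issue and passes silently, which deserves a comment saying whether that is intended. Unrelated to this change but visible in the section, the context line `not azure_issue["servenableSslPorterRole"]` inside `enableSslPort` looks like a typo for `enableSslPort`, which makes that condition always true.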
18 changes: 8 additions & 10 deletions azure/iac/activitylogalerts.rego
Expand Up @@ -7,7 +7,8 @@ package rule
#

default alerts = null

# https://docs.microsoft.com/en-us/powershell/module/az.monitor/set-azactivitylogalert?view=azps-6.3.0
# by default alert get enabled if not exist.
azure_attribute_absence["alerts"] {
resource := input.resources[_]
lower(resource.type) == "microsoft.insights/activitylogalerts"
Expand All @@ -21,27 +22,24 @@ azure_issue["alerts"] {
}

alerts {
lower(input.resources[_].type) == "microsoft.insights/activitylogalerts"
azure_attribute_absence["alerts"]
not azure_issue["alerts"]
not azure_attribute_absence["alerts"]
}

alerts = false {
azure_issue["alerts"]
alerts {
lower(input.resources[_].type) == "microsoft.insights/activitylogalerts"
not azure_attribute_absence["alerts"]
not azure_issue["alerts"]
}

alerts = false {
azure_attribute_absence["alerts"]
azure_issue["alerts"]
}

alerts_err = "Activity log alerts is not enabled" {
azure_issue["alerts"]
}

alerts_miss_err = "enabled attribute of Activity log alerts is missing" {
azure_attribute_absence["alerts"]
}

alerts_metadata := {
"Policy Code": "PR-AZR-0090-ARM",
"Type": "IaC",
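Review bot: The new first `alerts` rule makes the policy pass when `enabled` is absent (`azure_attribute_absence["alerts"]` together with `not azure_issue["alerts"]`), reversing the previous `alerts = false` outcome for that case, and the only justification is the comment `# by default alert get enabled if not exist.` whose link points at the `Set-AzActivityLogAlert` PowerShell cmdlet rather than the ARM resource schema. Cite the schema default for the property and reword the comment, e.g. `# 'enabled' defaults to true when omitted from microsoft.insights/activitylogalerts, so absence is treated as compliant — see <ARM schema link>`. If `alerts_miss_err` is being removed (it is shown at the end of the hunk but its side is not explicit), make sure nothing else in the repository still references it. The body of `azure_issue["alerts"]` starts outside the hunk.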
9 changes: 3 additions & 6 deletions azure/iac/applicationgateways.rego
Expand Up @@ -141,15 +141,12 @@ protocol = false {
azure_attribute_absence["protocol"]
}

protocol_err = "Ensure Application Gateway is using Https protocol" {
azure_issue["protocol"]
}

protocol_miss_err = "Ensure Application Gateway is using Https protocol" {
protocol_err = "'httpListeners' property 'protocol' is missing from 'microsoft.network/applicationgateways' resource" {
azure_attribute_absence["protocol"]
} else = "Application Gateway is currently not using Https protocol" {
azure_issue["protocol"]
}


protocol_metadata := {
"Policy Code": "PR-AZR-0125-ARM",
"Type": "IaC",
7 changes: 5 additions & 2 deletions azure/iac/blobservices.rego
Expand Up @@ -5,7 +5,9 @@ package rule
#
# PR-AZR-0126-ARM
#

# SideNote for Reference: This cannot be done via Terraform. terraform can only change retention days.
# See the note section at https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#container_delete_retention_policy
# Note is applicable for delete_retention_policy as well.
default storage_blob_soft_delete = null

azure_issue["storage_blob_soft_delete"] {
Expand Down Expand Up @@ -49,7 +51,8 @@ storage_blob_soft_delete_metadata := {
#
# PR-AZR-0127-ARM
#

# SideNote for Reference: This cannot be done via Terraform. terraform can only change retention days.
# See the note section at https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#container_delete_retention_policy
default storage_blob_container_soft_delete = null

azure_issue["storage_blob_container_soft_delete"] {
2 changes: 1 addition & 1 deletion azure/iac/dbadministrators.rego
Expand Up @@ -59,7 +59,7 @@ sql_server_ad_admin_metadata := {
#
# PR-AZR-0086-ARM
#

# SQL Managed Instance is not available for Terraform yet. see: https://github.com/hashicorp/terraform-provider-azurerm/issues/1747
default sql_managedinstances_ad_admin = null

azure_attribute_absence["sql_managedinstances_ad_admin"] {
4 changes: 3 additions & 1 deletion azure/iac/dbdataencryption.rego
Expand Up @@ -5,7 +5,9 @@ package rule
#
# PR-AZR-0084-ARM
#

# This encryption is by default enabled for sql database. Thats why its not available in Terraform.
# See https://github.com/hashicorp/terraform-provider-azurerm/issues/7187
# ToDo: We need to make sure its enabled for MSSQL Server
default db_encrypt = null

azure_attribute_absence["db_encrypt"] {
50 changes: 50 additions & 0 deletions azure/iac/dbsecurityalertpolicies.rego
Expand Up @@ -224,4 +224,54 @@ dbsec_threat_alert_metadata := {
"Resource Help URL": "https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2018-06-01-preview/servers/databases/securityalertpolicies"
}

#
# PR-AZR-0097-ARM
#

default sql_alert = null

azure_issue["sql_alert"] {
resource := input.resources[_]
lower(resource.type) == "microsoft.sql/servers/databases/securityalertpolicies"
not resource.properties.emailAccountAdmins
}

azure_issue["sql_alert"] {
resource := input.resources[_]
lower(resource.type) == "microsoft.sql/servers/databases/securityalertpolicies"
resource.properties.emailAccountAdmins != true
}

sql_alert = false {
azure_attribute_absence["sql_alert"]
}

sql_alert {
lower(input.resources[_].type) == "microsoft.sql/servers/databases/securityalertpolicies"
not azure_attribute_absence["sql_alert"]
not azure_issue["sql_alert"]
}

sql_alert = false {
azure_issue["sql_alert"]
}

sql_alert_err = "microsoft.sql/servers/databases/securityalertpolicies property 'emailAccountAdmins' need to be exist. Its missing from the resource." {
azure_attribute_absence["sql_alert"]
} else = "Threat Detection alert currently is not configured to sent notification to the sql server account administrators" {
azure_issue["sql_alert"]
}

sql_alert_metadata := {
"Policy Code": "PR-AZR-0097-ARM",
"Type": "IaC",
"Product": "AZR",
"Language": "ARM template",
"Policy Title": "Threat Detection alert should be configured to sent notification to the sql server account administrators",
"Policy Description": "Ensure that threat detection alert is configured to sent notification to the sql server account administrators",
"Resource Type": "microsoft.sql/servers/databases/securityalertpolicies",
"Policy Help URL": "",
"Resource Help URL": "https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2018-06-01-preview/servers/databases/securityalertpolicies"
}


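Review bot: `azure_attribute_absence["sql_alert"]` is referenced by `sql_alert = false`, by `sql_alert` and by the first branch of `sql_alert_err`, but nothing in this hunk defines it; the first `azure_issue["sql_alert"]` block, whose body is `not resource.properties.emailAccountAdmins`, is the absence check and looks mis-named, so unless it is defined elsewhere in the file the "property ... is missing" message is unreachable and a missing `emailAccountAdmins` is reported with the "not configured" message instead. Change that block's head to `azure_attribute_absence["sql_alert"] {`, which also removes its overlap with the second block's `resource.properties.emailAccountAdmins != true`. The messages and metadata should read "send" rather than "sent", and `"microsoft.sql/servers/databases/securityalertpolicies property 'emailAccountAdmins' is missing from the resource."` reads better than "need to be exist. Its missing"; `"Policy Help URL": ""` is also left empty. This is the end of the file, so the new rule is complete within the hunk.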