From 749c70ecbc0a703ab65936e04265830dd68deabe Mon Sep 17 00:00:00 2001 
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Mon, 29 Sep 2025 15:19:09 +0100
Subject: [PATCH 1/2] initial commit
---
 .../sql_server_ingress_from_any_ip/query.rego | 2 +-
 .../test/negative1.tf | 18 ++++-
 .../test/negative2.tf | 16 ++++-
 .../test/negative3.tf | 20 ++++++
 .../test/negative4.tf | 23 ++++++
 .../test/negative5.tf | 20 ++++++
 .../test/negative6.tf | 23 ++++++
 .../test/positive3.tf | 6 ++
 .../test/positive4.tf | 7 ++
 .../test/positive5.tf | 6 ++
 .../test/positive6.tf | 7 ++
 .../test/positive_expected_result.json | 30 ++++++++
 .../unrestricted_sql_server_access/query.rego | 2 +-
 .../test/negative2.tf | 2 +-
 .../test/negative3.tf | 27 +++++++
 .../test/negative4.tf | 27 +++++++
 .../test/negative5.tf | 22 ++++++
 .../test/negative6.tf | 22 ++++++
 .../test/positive3.tf | 43 +++++++++++
 .../test/positive4.tf | 44 ++++++++++++
 .../test/positive5.tf | 37 ++++++++++
 .../test/positive6.tf | 37 ++++++++++
 .../test/positive_expected_result.json | 72 +++++++++++++++++++
 23 files changed, 508 insertions(+), 5 deletions(-)
 create mode 100644 assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/negative3.tf
 create mode 100644 assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/negative4.tf
 create mode 100644 assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/negative5.tf
 create mode 100644 assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/negative6.tf
 create mode 100644 assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive3.tf
 create mode 100644 assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive4.tf
 create mode 100644 assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive5.tf
 create mode 100644 assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive6.tf
 create mode 100644 assets/queries/terraform/azure/unrestricted_sql_server_access/test/negative3.tf
 create mode 100644 assets/queries/terraform/azure/unrestricted_sql_server_access/test/negative4.tf
 create mode 100644 assets/queries/terraform/azure/unrestricted_sql_server_access/test/negative5.tf
 create mode 100644 assets/queries/terraform/azure/unrestricted_sql_server_access/test/negative6.tf
 create mode 100644 assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive3.tf
 create mode 100644 assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive4.tf
 create mode 100644 assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive5.tf
 create mode 100644 assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive6.tf
diff --git a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/query.rego b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/query.rego
index 22cce568827..77606e8389b 100644
--- a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/query.rego
+++ b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/query.rego
@@ -4,7 +4,7 @@ import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
 CxPolicy[result] {
- types := ["azurerm_mssql_firewall_rule","azurerm_sql_firewall_rule"]
+ types := ["azurerm_mssql_firewall_rule","azurerm_sql_firewall_rule", "azurerm_mariadb_firewall_rule", "azurerm_postgresql_firewall_rule", "azurerm_postgresql_flexible_server_firewall_rule", "azurerm_mysql_flexible_server_firewall_rule"]
 firewall := input.document[i].resource[types[i2]][name]
 firewall.start_ip_address = "0.0.0.0"
 checkEndIP(firewall.end_ip_address)
diff --git a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/negative1.tf b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/negative1.tf
index 5da0b61b0c8..5f2148c66fc 100644
--- a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/negative1.tf
+++ b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/negative1.tf
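Review bot: The extended `types` list on the added line makes this query match MariaDB, PostgreSQL and MySQL flexible-server firewall rules, yet the findings in positive_expected_result.json are still reported under the name "SQLServer Ingress From Any IP" and the diffstat shows no metadata.json change, so the query's name and description presumably still describe only SQL Server; they should be updated to cover every database firewall rule the query now inspects, or the new types moved to a query of their own. As a point of style, the list is one long line with inconsistent comma spacing (`"azurerm_mssql_firewall_rule","azurerm_sql_firewall_rule", "azurerm_mariadb_firewall_rule"`); one element per line reads better and makes future additions diff cleanly. The identical list is added to unrestricted_sql_server_access/query.rego later in this patch, and both points apply there as well. The rule body of `CxPolicy` continues outside the hunk.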
@@ -1,7 +1,23 @@
-resource "azurerm_sql_firewall_rule" "negative1" {
+resource "azurerm_sql_firewall_rule" "negative1-1" {
 name = "FirewallRule1"
 resource_group_name = azurerm_resource_group.example.name
 server_name = azurerm_sql_server.example.name
 start_ip_address = "10.0.17.62"
 end_ip_address = "10.0.17.62"
+}
+
+resource "azurerm_sql_firewall_rule" "negative1-2" {
+ name = "FirewallRule1"
+ resource_group_name = azurerm_resource_group.example.name
+ server_name = azurerm_sql_server.example.name
+ start_ip_address = "10.0.17.62"
+ end_ip_address = "255.255.255.255"
+}
+
+resource "azurerm_sql_firewall_rule" "negative1-3" {
+ name = "FirewallRule1"
+ resource_group_name = azurerm_resource_group.example.name
+ server_name = azurerm_sql_server.example.name
+ start_ip_address = "0.0.0.0"
+ end_ip_address = "10.0.17.62"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/negative2.tf b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/negative2.tf
index 8ece52110f5..b5e58738418 100644
--- a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/negative2.tf
+++ b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/negative2.tf
@@ -1,6 +1,20 @@
-resource "azurerm_mssql_firewall_rule" "negative1" {
+resource "azurerm_mssql_firewall_rule" "negative1-1" {
 name = "FirewallRule1"
 server_id = azurerm_mssql_server.example.id
 start_ip_address = "10.0.17.62"
 end_ip_address = "10.0.17.62"
 }
+
+resource "azurerm_mssql_firewall_rule" "negative1-2" {
+ name = "FirewallRule1"
+ server_id = azurerm_mssql_server.example.id
+ start_ip_address = "10.0.17.62"
+ end_ip_address = "255.255.255.255"
+}
+
+resource "azurerm_mssql_firewall_rule" "negative1-3" {
+ name = "FirewallRule1"
+ server_id = azurerm_mssql_server.example.id
+ start_ip_address = "0.0.0.0"
+ end_ip_address = "10.0.17.62"
+}
\ No newline at end of file
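Review bot: In negative2.tf the three resources are labelled `negative1-1`, `negative1-2` and `negative1-3`, copied from negative1.tf, while negative3.tf through negative6.tf label theirs after their own file (`negative3-1`, `negative4-1`, and so on). Renaming them to `negative2-1`, `negative2-2` and `negative2-3` keeps the fixtures consistent and lets a finding's resource name point at the file it came from when a negative case unexpectedly triggers.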
diff --git a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/negative3.tf b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/negative3.tf
new file mode 100644
index 00000000000..f66ec172aa9
--- /dev/null
+++ b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/negative3.tf
@@ -0,0 +1,20 @@
+resource "azurerm_mariadb_firewall_rule" "negative3-1" {
+ name = "test-rule"
+ server_name = "test-server"
+ start_ip_address = "10.0.17.62"
+ end_ip_address = "10.0.17.62"
+}
+
+resource "azurerm_mariadb_firewall_rule" "negative3-2" {
+ name = "test-rule"
+ server_name = "test-server"
+ start_ip_address = "0.0.0.0"
+ end_ip_address = "10.0.17.62"
+}
+
+resource "azurerm_mariadb_firewall_rule" "negative3-3" {
+ name = "test-rule"
+ server_name = "test-server"
+ start_ip_address = "10.0.17.62"
+ end_ip_address = "255.255.255"
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/negative4.tf b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/negative4.tf
new file mode 100644
index 00000000000..670f9583065
--- /dev/null
+++ b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/negative4.tf
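Review bot: negative3-3 sets `end_ip_address = "255.255.255"`, a three-octet value that is not a valid IPv4 address, so this case exercises malformed input rather than the intended "non-zero start, broadcast end" range that negative1-2, negative2-2, negative5-3 and negative6-3 cover with `"255.255.255.255"`. Whether the query stays silent on it depends on how `checkEndIP` (outside this patch) handles an unparsable string, not on the rule's range, which makes the fixture a weak negative test. Change it to `+ end_ip_address = "255.255.255.255"`; negative4-3 in the next hunk has the same typo.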
@@ -0,0 +1,23 @@
+resource "azurerm_postgresql_firewall_rule" "negative4-1" {
+ name = "office"
+ resource_group_name = azurerm_resource_group.example.name
+ server_name = azurerm_postgresql_server.example.name
+ start_ip_address = "10.0.17.62"
+ end_ip_address = "10.0.17.62"
+}
+
+resource "azurerm_postgresql_firewall_rule" "negative4-2" {
+ name = "office"
+ resource_group_name = azurerm_resource_group.example.name
+ server_name = azurerm_postgresql_server.example.name
+ start_ip_address = "0.0.0.0"
+ end_ip_address = "10.0.17.62"
+}
+
+resource "azurerm_postgresql_firewall_rule" "negative4-3" {
+ name = "office"
+ resource_group_name = azurerm_resource_group.example.name
+ server_name = azurerm_postgresql_server.example.name
+ start_ip_address = "10.0.17.62"
+ end_ip_address = "255.255.255"
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/negative5.tf b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/negative5.tf
new file mode 100644
index 00000000000..0efb39bf8af
--- /dev/null
+++ b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/negative5.tf
@@ -0,0 +1,20 @@
+resource "azurerm_postgresql_flexible_server_firewall_rule" "negative5-1" {
+ name = "example-fw"
+ server_id = azurerm_postgresql_flexible_server.example.id
+ start_ip_address = "10.0.17.62"
+ end_ip_address = "10.0.17.62"
+}
+
+resource "azurerm_postgresql_flexible_server_firewall_rule" "negative5-2" {
+ name = "example-fw"
+ server_id = azurerm_postgresql_flexible_server.example.id
+ start_ip_address = "0.0.0.0"
+ end_ip_address = "10.0.17.62"
+}
+
+resource "azurerm_postgresql_flexible_server_firewall_rule" "negative5-3" {
+ name = "example-fw"
+ server_id = azurerm_postgresql_flexible_server.example.id
+ start_ip_address = "10.0.17.62"
+ end_ip_address = "255.255.255.255"
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/negative6.tf b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/negative6.tf
new file mode 100644
index 00000000000..27823e60188
--- /dev/null
+++ b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/negative6.tf
@@ -0,0 +1,23 @@
+resource "azurerm_mysql_flexible_server_firewall_rule" "negative6-1" {
+ name = "office"
+ resource_group_name = azurerm_resource_group.example.name
+ server_name = azurerm_mysql_flexible_server.example.name
+ start_ip_address = "10.0.17.62"
+ end_ip_address = "10.0.17.62"
+}
+
+resource "azurerm_mysql_flexible_server_firewall_rule" "negative6-2" {
+ name = "office"
+ resource_group_name = azurerm_resource_group.example.name
+ server_name = azurerm_mysql_flexible_server.example.name
+ start_ip_address = "0.0.0.0"
+ end_ip_address = "10.0.17.62"
+}
+
+resource "azurerm_mysql_flexible_server_firewall_rule" "negative6-3" {
+ name = "office"
+ resource_group_name = azurerm_resource_group.example.name
+ server_name = azurerm_mysql_flexible_server.example.name
+ start_ip_address = "10.0.17.62"
+ end_ip_address = "255.255.255.255"
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive3.tf b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive3.tf
new file mode 100644
index 00000000000..3f6c6c48e01
--- /dev/null
+++ b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive3.tf
@@ -0,0 +1,6 @@
+resource "azurerm_mariadb_firewall_rule" "example" {
+ name = "test-rule"
+ server_name = "test-server"
+ start_ip_address = "0.0.0.0"
+ end_ip_address = "255.255.255.255"
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive4.tf b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive4.tf
new file mode 100644
index 00000000000..16c01a14140
--- /dev/null
+++ b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive4.tf
@@ -0,0 +1,7 @@
+resource "azurerm_postgresql_firewall_rule" "example" {
+ name = "office"
+ resource_group_name = azurerm_resource_group.example.name
+ server_name = azurerm_postgresql_server.example.name
+ start_ip_address = "0.0.0.0"
+ end_ip_address = "255.255.255.255"
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive5.tf b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive5.tf
new file mode 100644
index 00000000000..612231b6703
--- /dev/null
+++ b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive5.tf
@@ -0,0 +1,6 @@
+resource "azurerm_postgresql_flexible_server_firewall_rule" "example" {
+ name = "example-fw"
+ server_id = azurerm_postgresql_flexible_server.example.id
+ start_ip_address = "0.0.0.0"
+ end_ip_address = "255.255.255.255"
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive6.tf b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive6.tf
new file mode 100644
index 00000000000..07f920bccee
--- /dev/null
+++ b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive6.tf
@@ -0,0 +1,7 @@
+resource "azurerm_mysql_flexible_server_firewall_rule" "example" {
+ name = "office"
+ resource_group_name = azurerm_resource_group.example.name
+ server_name = azurerm_mysql_flexible_server.example.name
+ start_ip_address = "0.0.0.0"
+ end_ip_address = "255.255.255.255"
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json
index 19c05f54eb7..2afac6f0674 100644
--- a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json
@@ -10,5 +10,35 @@
 "severity": "CRITICAL",
 "line": 1,
 "fileName": "positive2.tf"
+ },
+ {
+ "queryName": "SQLServer Ingress From Any IP",
+ "severity": "CRITICAL",
+ "line": 1,
+ "fileName": "positive3.tf"
+ },
+ {
+ "queryName": "SQLServer Ingress From Any IP",
+ "severity": "CRITICAL",
+ "line": 1,
+ "fileName": "positive4.tf"
+ },
+ {
+ "queryName": "SQLServer Ingress From Any IP",
+ "severity": "CRITICAL",
+ "line": 1,
+ "fileName": "positive4.tf"
+ },
+ {
+ "queryName": "SQLServer Ingress From Any IP",
+ "severity": "CRITICAL",
+ "line": 1,
+ "fileName": "positive5.tf"
+ },
+ {
+ "queryName": "SQLServer Ingress From Any IP",
+ "severity": "CRITICAL",
+ "line": 1,
+ "fileName": "positive6.tf"
 }
 ]
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/unrestricted_sql_server_access/query.rego b/assets/queries/terraform/azure/unrestricted_sql_server_access/query.rego
index 3b79b847294..c27525d268b 100644
--- a/assets/queries/terraform/azure/unrestricted_sql_server_access/query.rego
+++ b/assets/queries/terraform/azure/unrestricted_sql_server_access/query.rego
@@ -4,7 +4,7 @@ import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
 CxPolicy[result] {
- types := ["azurerm_mssql_firewall_rule","azurerm_sql_firewall_rule"]
+ types := ["azurerm_mssql_firewall_rule","azurerm_sql_firewall_rule", "azurerm_mariadb_firewall_rule", "azurerm_postgresql_firewall_rule", "azurerm_postgresql_flexible_server_firewall_rule", "azurerm_mysql_flexible_server_firewall_rule"]
 resource := input.document[i].resource[types[i2]][name]
 results := low_abs_difference_or_both_unspecified(resource.start_ip_address ,resource.end_ip_address)
 results != ""
diff --git a/assets/queries/terraform/azure/unrestricted_sql_server_access/test/negative2.tf b/assets/queries/terraform/azure/unrestricted_sql_server_access/test/negative2.tf
index 71b7a18d8af..0a7118d08dc 100644
--- a/assets/queries/terraform/azure/unrestricted_sql_server_access/test/negative2.tf
+++ b/assets/queries/terraform/azure/unrestricted_sql_server_access/test/negative2.tf
@@ -18,4 +18,4 @@ resource "azurerm_mssql_firewall_rule" "negative3" {
 server_id = azurerm_mssql_server.negative2.id
 start_ip_address = "10.0.17.62"
 end_ip_address = "10.0.17.62"
-}
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/unrestricted_sql_server_access/test/negative3.tf b/assets/queries/terraform/azure/unrestricted_sql_server_access/test/negative3.tf
new file mode 100644
index 00000000000..7fcf8761d77
--- /dev/null
+++ b/assets/queries/terraform/azure/unrestricted_sql_server_access/test/negative3.tf
@@ -0,0 +1,27 @@
+resource "azurerm_resource_group" "mariadb_negative_rg" {
+ name = "acceptanceTestResourceGroup1"
+ location = "West US"
+}
+
+resource "azurerm_mariadb_server" "mariadb_negative_server" {
+ name = "negativemariadbserver"
+ location = azurerm_resource_group.mariadb_negative_rg.location
+ resource_group_name = azurerm_resource_group.mariadb_negative_rg.name
+ administrator_login = "mariadbadmin"
+ administrator_login_password = "MyS3cureP4ss!"
+ sku_name = "B_Gen5_2"
+ storage_mb = 5120
+ version = "10.2"
+ auto_grow_enabled = true
+ backup_retention_days = 7
+ geo_redundant_backup_enabled = false
+ ssl_enforcement_enabled = true
+}
+
+resource "azurerm_mariadb_firewall_rule" "mariadb_negative_fw" {
+ name = "FirewallRule1"
+ resource_group_name = azurerm_resource_group.mariadb_negative_rg.name
+ server_name = azurerm_mariadb_server.mariadb_negative_server.name
+ start_ip_address = "10.0.17.62"
+ end_ip_address = "10.0.17.62"
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/unrestricted_sql_server_access/test/negative4.tf b/assets/queries/terraform/azure/unrestricted_sql_server_access/test/negative4.tf
new file mode 100644
index 00000000000..32185afdf4e
--- /dev/null
+++ b/assets/queries/terraform/azure/unrestricted_sql_server_access/test/negative4.tf
@@ -0,0 +1,27 @@
+resource "azurerm_resource_group" "psql_negative_rg" {
+ name = "acceptanceTestResourceGroup1"
+ location = "West US"
+}
+
+resource "azurerm_postgresql_server" "psql_negative_server" {
+ name = "negativepostgresqlserver"
+ location = azurerm_resource_group.psql_negative_rg.location
+ resource_group_name = azurerm_resource_group.psql_negative_rg.name
+ administrator_login = "psqladmin"
+ administrator_login_password = "MyS3cureP4ss!"
+ sku_name = "B_Gen5_2"
+ storage_mb = 5120
+ version = "11"
+ auto_grow_enabled = true
+ backup_retention_days = 7
+ geo_redundant_backup_enabled = false
+ ssl_enforcement_enabled = true
+}
+
+resource "azurerm_postgresql_firewall_rule" "psql_negative_fw" {
+ name = "FirewallRule1"
+ resource_group_name = azurerm_resource_group.psql_negative_rg.name
+ server_name = azurerm_postgresql_server.psql_negative_server.name
+ start_ip_address = "10.0.17.62"
+ end_ip_address = "10.0.17.62"
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/unrestricted_sql_server_access/test/negative5.tf b/assets/queries/terraform/azure/unrestricted_sql_server_access/test/negative5.tf
new file mode 100644
index 00000000000..921f640d4f9
--- /dev/null
+++ b/assets/queries/terraform/azure/unrestricted_sql_server_access/test/negative5.tf
@@ -0,0 +1,22 @@
+resource "azurerm_resource_group" "psqlflex_negative_rg" {
+ name = "acceptanceTestResourceGroup1"
+ location = "West US"
+}
+
+resource "azurerm_postgresql_flexible_server" "psqlflex_negative_server" {
+ name = "negativepsqlflexserver"
+ resource_group_name = azurerm_resource_group.psqlflex_negative_rg.name
+ location = azurerm_resource_group.psqlflex_negative_rg.location
+ version = "13"
+ administrator_login = "psqlflexadmin"
+ administrator_password = "MyS3cureP4ss!"
+ sku_name = "B_Standard_B1ms"
+ storage_mb = 32768
+}
+
+resource "azurerm_postgresql_flexible_server_firewall_rule" "psqlflex_negative_fw" {
+ name = "FirewallRule1"
+ server_id = azurerm_postgresql_flexible_server.psqlflex_negative_server.id
+ start_ip_address = "10.0.17.62"
+ end_ip_address = "10.0.17.62"
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/unrestricted_sql_server_access/test/negative6.tf b/assets/queries/terraform/azure/unrestricted_sql_server_access/test/negative6.tf
new file mode 100644
index 00000000000..3840071f9a2
--- /dev/null
+++ b/assets/queries/terraform/azure/unrestricted_sql_server_access/test/negative6.tf
@@ -0,0 +1,22 @@
+resource "azurerm_resource_group" "mysqlflex_negative_rg" {
+ name = "acceptanceTestResourceGroup1"
+ location = "West US"
+}
+
+resource "azurerm_mysql_flexible_server" "mysqlflex_negative_server" {
+ name = "negativemysqlflexserver"
+ resource_group_name = azurerm_resource_group.mysqlflex_negative_rg.name
+ location = azurerm_resource_group.mysqlflex_negative_rg.location
+ version = "8.0.21"
+ administrator_login = "mysqlflexadmin"
+ administrator_password = "MyS3cureP4ss!"
+ sku_name = "B_Standard_B1ms"
+ storage_mb = 32768
+}
+
+resource "azurerm_mysql_flexible_server_firewall_rule" "mysqlflex_negative_fw" {
+ name = "FirewallRule1"
+ server_id = azurerm_mysql_flexible_server.mysqlflex_negative_server.id
+ start_ip_address = "10.0.17.62"
+ end_ip_address = "10.0.17.62"
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive3.tf b/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive3.tf
new file mode 100644
index 00000000000..e2a43a637cf
--- /dev/null
+++ b/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive3.tf
@@ -0,0 +1,43 @@
+resource "azurerm_resource_group" "mariadb_rg" {
+ name = "example-mariadb-rg"
+ location = "West US"
+}
+
+resource "azurerm_mariadb_server" "mariadb_server" {
+ name = "examplemariadbserver"
+ location = azurerm_resource_group.mariadb_rg.location
+ resource_group_name = azurerm_resource_group.mariadb_rg.name
+ administrator_login = "mariadbadmin"
+ administrator_login_password = "MyS3cureP4ss!"
+ sku_name = "B_Gen5_2"
+ storage_mb = 5120
+ version = "10.2"
+ auto_grow_enabled = true
+ backup_retention_days = 7
+ geo_redundant_backup_enabled = false
+ ssl_enforcement_enabled = true
+}
+
+resource "azurerm_mariadb_firewall_rule" "mariadb_fw1" {
+ name = "FirewallRule1"
+ resource_group_name = azurerm_resource_group.mariadb_rg.name
+ server_name = azurerm_mariadb_server.mariadb_server.name
+ start_ip_address = "0.0.0.0"
+ end_ip_address = "10.0.27.62"
+}
+
+resource "azurerm_mariadb_firewall_rule" "mariadb_fw2" {
+ name = "FirewallRule2"
+ resource_group_name = azurerm_resource_group.mariadb_rg.name
+ server_name = azurerm_mariadb_server.mariadb_server.name
+ start_ip_address = "10.0.17.62"
+ end_ip_address = "10.0.27.62"
+}
+
+resource "azurerm_mariadb_firewall_rule" "mariadb_fw3" {
+ name = "AllowAzure"
+ resource_group_name = azurerm_resource_group.mariadb_rg.name
+ server_name = azurerm_mariadb_server.mariadb_server.name
+ start_ip_address = "0.0.0.0"
+ end_ip_address = "0.0.0.0"
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive4.tf b/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive4.tf
new file mode 100644
index 00000000000..4aa481c56ca
--- /dev/null
+++ b/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive4.tf
@@ -0,0 +1,44 @@
+resource "azurerm_resource_group" "psql_rg" {
+ name = "example-postgres-rg"
+ location = "West US"
+}
+
+resource "azurerm_postgresql_server" "psql_server" {
+ name = "examplepostgresqlserver"
+ location = azurerm_resource_group.psql_rg.location
+ resource_group_name = azurerm_resource_group.psql_rg.name
+ administrator_login = "psqladmin"
+ administrator_login_password = "MyS3cureP4ss!"
+ sku_name = "B_Gen5_2"
+ storage_mb = 5120
+ version = "11"
+ auto_grow_enabled = true
+ backup_retention_days = 7
+ geo_redundant_backup_enabled = false
+ ssl_enforcement_enabled = true
+}
+
+resource "azurerm_postgresql_firewall_rule" "psql_fw1" {
+ name = "FirewallRule1"
+ resource_group_name = azurerm_resource_group.psql_rg.name
+ server_name = azurerm_postgresql_server.psql_server.name
+ start_ip_address = "0.0.0.0"
+ end_ip_address = "10.0.27.62"
+}
+
+resource "azurerm_postgresql_firewall_rule" "psql_fw2" {
+ name = "FirewallRule2"
+ resource_group_name = azurerm_resource_group.psql_rg.name
+ server_name = azurerm_postgresql_server.psql_server.name
+ start_ip_address = "10.0.17.62"
+ end_ip_address = "10.0.27.62"
+}
+
+# Allow access to Azure services
+resource "azurerm_postgresql_firewall_rule" "psql_fw3" {
+ name = "AllowAzure"
+ resource_group_name = azurerm_resource_group.psql_rg.name
+ server_name = azurerm_postgresql_server.psql_server.name
+ start_ip_address = "0.0.0.0"
+ end_ip_address = "0.0.0.0"
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive5.tf b/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive5.tf
new file mode 100644
index 00000000000..11e111ab6ec
--- /dev/null
+++ b/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive5.tf
@@ -0,0 +1,37 @@
+resource "azurerm_resource_group" "psqlflex_rg" {
+ name = "example-psqlflex-rg"
+ location = "West US"
+}
+
+resource "azurerm_postgresql_flexible_server" "psqlflex_server" {
+ name = "examplepsqlflexserver"
+ resource_group_name = azurerm_resource_group.psqlflex_rg.name
+ location = azurerm_resource_group.psqlflex_rg.location
+ version = "13"
+ administrator_login = "psqlflexadmin"
+ administrator_password = "MyS3cureP4ss!"
+ sku_name = "B_Standard_B1ms"
+ storage_mb = 32768
+}
+
+resource "azurerm_postgresql_flexible_server_firewall_rule" "psqlflex_fw1" {
+ name = "FirewallRule1"
+ server_id = azurerm_postgresql_flexible_server.psqlflex_server.id
+ start_ip_address = "0.0.0.0"
+ end_ip_address = "10.0.27.62"
+}
+
+resource "azurerm_postgresql_flexible_server_firewall_rule" "psqlflex_fw2" {
+ name = "FirewallRule2"
+ server_id = azurerm_postgresql_flexible_server.psqlflex_server.id
+ start_ip_address = "10.0.17.62"
+ end_ip_address = "10.0.27.62"
+}
+
+# Allow access to Azure services (same rule as MSSQL: 0.0.0.0/0)
+resource "azurerm_postgresql_flexible_server_firewall_rule" "psqlflex_fw3" {
+ name = "AllowAzure"
+ server_id = azurerm_postgresql_flexible_server.psqlflex_server.id
+ start_ip_address = "0.0.0.0"
+ end_ip_address = "0.0.0.0"
+}
diff --git a/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive6.tf b/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive6.tf
new file mode 100644
index 00000000000..b8f30997e59
--- /dev/null
+++ b/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive6.tf
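Review bot: The comment `# Allow access to Azure services (same rule as MSSQL: 0.0.0.0/0)` above psqlflex_fw3 misdescribes the rule under it: `start_ip_address = "0.0.0.0"` with `end_ip_address = "0.0.0.0"` is a single-address range, the value Azure uses as the allow-Azure-services sentinel, not the 0.0.0.0/0 CIDR that would denote every address. The matching rules in positive4.tf and positive6.tf carry the plain `# Allow access to Azure services`; use that wording here so a reader checking the expected finding for line 35 is not led to think a broader range was written.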
@@ -0,0 +1,37 @@
+resource "azurerm_resource_group" "mysqlflex_rg" {
+ name = "example-mysqlflex-rg"
+ location = "West US"
+}
+
+resource "azurerm_mysql_flexible_server" "mysqlflex_server" {
+ name = "examplemysqlflexserver"
+ resource_group_name = azurerm_resource_group.mysqlflex_rg.name
+ location = azurerm_resource_group.mysqlflex_rg.location
+ version = "8.0.21"
+ administrator_login = "mysqlflexadmin"
+ administrator_password = "MyS3cureP4ss!"
+ sku_name = "B_Standard_B1ms"
+ storage_mb = 32768
+}
+
+resource "azurerm_mysql_flexible_server_firewall_rule" "mysqlflex_fw1" {
+ name = "FirewallRule1"
+ server_id = azurerm_mysql_flexible_server.mysqlflex_server.id
+ start_ip_address = "0.0.0.0"
+ end_ip_address = "10.0.27.62"
+}
+
+resource "azurerm_mysql_flexible_server_firewall_rule" "mysqlflex_fw2" {
+ name = "FirewallRule2"
+ server_id = azurerm_mysql_flexible_server.mysqlflex_server.id
+ start_ip_address = "10.0.17.62"
+ end_ip_address = "10.0.27.62"
+}
+
+# Allow access to Azure services
+resource "azurerm_mysql_flexible_server_firewall_rule" "mysqlflex_fw3" {
+ name = "AllowAzure"
+ server_id = azurerm_mysql_flexible_server.mysqlflex_server.id
+ start_ip_address = "0.0.0.0"
+ end_ip_address = "0.0.0.0"
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive_expected_result.json b/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive_expected_result.json
index 2cd569b6910..84d4d413e12 100644
--- a/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive_expected_result.json
@@ -34,5 +34,77 @@
 "severity": "CRITICAL",
 "line": 33,
 "fileName": "positive2.tf"
+ },
+ {
+ "queryName": "Unrestricted SQL Server Access",
+ "severity": "CRITICAL",
+ "line": 25,
+ "fileName": "positive3.tf"
+ },
+ {
+ "queryName": "Unrestricted SQL Server Access",
+ "severity": "CRITICAL",
+ "line": 33,
+ "fileName": "positive3.tf"
+ },
+ {
+ "queryName": "Unrestricted SQL Server Access",
+ "severity": "CRITICAL",
+ "line": 41,
+ "fileName": "positive3.tf"
+ },
+ {
+ "queryName": "Unrestricted SQL Server Access",
+ "severity": "CRITICAL",
+ "line": 25,
+ "fileName": "positive4.tf"
+ },
+ {
+ "queryName": "Unrestricted SQL Server Access",
+ "severity": "CRITICAL",
+ "line": 33,
+ "fileName": "positive4.tf"
+ },
+ {
+ "queryName": "Unrestricted SQL Server Access",
+ "severity": "CRITICAL",
+ "line": 42,
+ "fileName": "positive4.tf"
+ },
+ {
+ "queryName": "Unrestricted SQL Server Access",
+ "severity": "CRITICAL",
+ "line": 20,
+ "fileName": "positive5.tf"
+ },
+ {
+ "queryName": "Unrestricted SQL Server Access",
+ "severity": "CRITICAL",
+ "line": 27,
+ "fileName": "positive5.tf"
+ },
+ {
+ "queryName": "Unrestricted SQL Server Access",
+ "severity": "CRITICAL",
+ "line": 35,
+ "fileName": "positive5.tf"
+ },
+ {
+ "queryName": "Unrestricted SQL Server Access",
+ "severity": "CRITICAL",
+ "line": 20,
+ "fileName": "positive6.tf"
+ },
+ {
+ "queryName": "Unrestricted SQL Server Access",
+ "severity": "CRITICAL",
+ "line": 27,
+ "fileName": "positive6.tf"
+ },
+ {
+ "queryName": "Unrestricted SQL Server Access",
+ "severity": "CRITICAL",
+ "line": 35,
+ "fileName": "positive6.tf"
 }
 ]
\ No newline at end of file
From 34379f4a30acdbfd389117c71aed4dab42408a41 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Mon, 29 Sep 2025 16:18:22 +0100
Subject: [PATCH 2/2] fix expected results
---
 .../query.rego | 65 ++++++++++++-------
 .../test/positive_expected_result.json | 6 --
 2 files changed, 41 insertions(+), 30 deletions(-)
diff --git a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/query.rego b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/query.rego
index ca2dc5858e6..e6040b0cce1 100644
--- a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/query.rego
+++ b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/query.rego
@@ -3,43 +3,60 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+types := {"azurerm_function_app", "azurerm_linux_function_app", "azurerm_windows_function_app"}
+
 CxPolicy[result] {
- function := input.document[i].resource.azurerm_function_app[name]
+ function := input.document[i].resource[types[t]][name]
- not common_lib.valid_key(function, "client_cert_mode")
+ results := client_certificate_not_required(function,name,types[t])
+ results != ""
 result := {
 "documentId": input.document[i].id,
- "resourceType": "azurerm_function_app",
- "resourceName": tf_lib.get_resource_name(function, name),
- "searchKey": sprintf("azurerm_function_app[%s]", [name]),
- "issueType": "MissingAttribute",
- "keyExpectedValue": sprintf("'azurerm_function_app[%s].client_cert_mode' should be defined and not null", [name]),
- "keyActualValue": sprintf("'azurerm_function_app[%s].client_cert_mode' is undefined or null", [name]),
- "searchLine": common_lib.build_search_line(["resource", "azurerm_function_app", name], []),
- "remediation": "client_cert_mode = \"Required\"",
- "remediationType": "addition",
+ "resourceType": types[t],
+ "resourceName": tf_lib.get_resource_name(function, name),
+ "searchKey": results.searchKey,
+ "issueType": results.issueType,
+ "keyExpectedValue": results.keyExpectedValue,
+ "keyActualValue": results.keyActualValue,
+ "searchLine": results.searchLine,
+ "remediation": results.remediation,
+ "remediationType": results.remediationType,
+ }
 }
-CxPolicy[result] {
- function := input.document[i].resource.azurerm_function_app[name]
+client_certificate_not_required(function,name,type) = results {
+ field_name = get_field(type)
+ not common_lib.valid_key(function, field_name)
- function.client_cert_mode != "Required"
+ results := {
+ "searchKey": sprintf("%s[%s]", [type, name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": sprintf("'%s[%s].%s' should be defined and not null", [type, name, field_name]),
+ "keyActualValue": sprintf("'%s[%s].%s' is undefined or null", [type, name, field_name]),
+ "searchLine": common_lib.build_search_line(["resource", field_name, name], []),
+ "remediation": sprintf("%s = \"Required\"",[field_name]),
+ "remediationType": "addition",
+ }
+
+} else = results {
+ field_name = get_field(type)
+ function[field_name] != "Required"
- result := {
- "documentId": input.document[i].id,
- "resourceType": "azurerm_function_app",
- "resourceName": tf_lib.get_resource_name(function, name),
- "searchKey": sprintf("azurerm_function_app[%s].client_cert_mode", [name]),
+ results := {
+ "searchKey": sprintf("%s[%s].%s", [type, name, field_name]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("'azurerm_function_app[%s].client_cert_mode' should be set to 'Required'", [name]),
- "keyActualValue": sprintf("'azurerm_function_app[%s].client_cert_mode' is not set to 'Required'", [name]),
- "searchLine": common_lib.build_search_line(["resource", "azurerm_function_app", name, "client_cert_mode"], []),
+ "keyExpectedValue": sprintf("'%s[%s].%s' should be set to 'Required'", [type, name, field_name]),
+ "keyActualValue": sprintf("'%s[%s].%s' is not set to 'Required'", [type, name, field_name]),
+ "searchLine": common_lib.build_search_line(["resource", field_name, name, "client_cert_mode"], []),
 "remediation": json.marshal({
- "before": sprintf("%s", [function.client_cert_mode]),
+ "before": sprintf("%s", [function[field_name]]),
 "after": "Required"
 }),
 "remediationType": "replacement",
 }
-}
+} else = ""
+
+get_field("azurerm_function_app") = "client_cert_mode"
+get_field("azurerm_linux_function_app") = "client_certificate_mode"
+get_field("azurerm_windows_function_app") = "client_certificate_mode"
\ No newline at end of file
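Review bot: Both `searchLine` values in the new `client_certificate_not_required` function put `field_name` where the resource type belongs, so `common_lib.build_search_line(["resource", field_name, name], [])` describes a path `resource.client_cert_mode.<name>` rather than `resource.<type>.<name>`, and the IncorrectValue branch additionally hard-codes `"client_cert_mode"` as the last segment even though `get_field` maps `azurerm_linux_function_app` and `azurerm_windows_function_app` to `client_certificate_mode`. The two lines should read `"searchLine": common_lib.build_search_line(["resource", type, name], []),` and `"searchLine": common_lib.build_search_line(["resource", type, name, field_name], []),`, mirroring what the removed lines did with the literal resource type. A wrong path means the reported line for a finding can miss the offending attribute, which the existing expected results would not catch because this patch's diffstat does not touch the function_app test directory. The same diffstat shows no positive or negative fixtures for the two newly covered resource types, so each `get_field` mapping is currently unexercised; one fixture per type would pin both the detection and the corrected `searchLine`.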
diff --git a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json
index 2afac6f0674..7c1b06e5a73 100644
--- a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json
@@ -23,12 +23,6 @@
 "line": 1,
 "fileName": "positive4.tf"
 },
- {
- "queryName": "SQLServer Ingress From Any IP",
- "severity": "CRITICAL",
- "line": 1,
- "fileName": "positive4.tf"
- },
 {
 "queryName": "SQLServer Ingress From Any IP",
 "severity": "CRITICAL",