Merge branch 'master' into AST-127003

Author: cx-ricardo-jesus

assets/queries/azureResourceManager/sql_server_database_without_auditing/query.rego

@@ -5,30 +5,65 @@ import data.generic.common as common_lib
 
 CxPolicy[result] {
 	types := ["auditingSettings", "Microsoft.Sql/servers/databases/auditingSettings", "Microsoft.Sql/servers/auditingSettings"]
-	dbTypes := ["Microsoft.Sql/servers/databases", "databases", "Microsoft.Sql/servers"]
-
+	dbTypes := ["databases", "Microsoft.Sql/servers/databases", "Microsoft.Sql/servers"]
 	doc := input.document[i]
 	[path, value] = walk(doc)
-
 	value.type == dbTypes[_]
-	childrenArr := arm_lib.get_children(doc, value, path)
+
+	# Case of database resource with auditingsettings as "child"
+	childrenArr_full := get_children(doc, value, path)
+	childrenArr := [x | x := childrenArr_full[ch_index]
+						childrenArr_full[ch_index].type == types[_]]
 
 	count([x |
-		child := childrenArr[_].value
-		child.type == types[_]
+		child := childrenArr[_]
 		[val, _] := arm_lib.getDefaultValueFromParametersIfPresent(doc, child.properties.state)
 		lower(val) == "enabled"
 		x := child
 	]) == 0
 
+	# Case of "child" database resource with auditingsettings as "brother" resource
+	depth_path := array.slice(path, 0, count(path)-1)
+	brothersArr_full := object.get(doc, depth_path, [])
+	brothersArr := [x | x := brothersArr_full[ch_index]
+						brothersArr_full[ch_index].type == types[_]
+						count(split(brothersArr_full[ch_index].name, "/")) < count(split(value.name, "/")) + 2]	# Prevents /servers from capturing ../databases/auditingSettings
+
+	count([x |
+		brother := brothersArr[_]
+		[val, _] := arm_lib.getDefaultValueFromParametersIfPresent(doc, brother.properties.state)
+		lower(val) == "enabled"
+		x := brother
+	]) == 0
+
 	result := {
 		"documentId": input.document[i].id,
 		"resourceType": value.type,
 		"resourceName": value.name,
 		"searchKey": sprintf("%s.name=%s", [common_lib.concat_path(path), value.name]),
-		"issueType": "MissingAttribute",
+		"issueType": get_issue_type(childrenArr, brothersArr),
 		"keyExpectedValue": sprintf("resource '%s' should have an enabled 'auditingsettings' resource", [value.name]),
 		"keyActualValue": sprintf("resource '%s' is missing an enabled 'auditingsettings' resource", [value.name]),
 		"searchLine": common_lib.build_search_line(path, ["name"]),
 	}
 }
+
+get_children(doc, parent, path) = childArr {
+	resourceArr := [x | x := parent.resources[_]]
+	outerArr := get_outer_children(doc, parent.name)
+	childArr := array.concat(resourceArr, outerArr)
+}
+
+get_outer_children(doc, nameParent) = outerArr {
+	outerArr := [x |
+		[path, value] := walk(doc)
+		startswith(value.name, nameParent)
+        count(split(value.name, "/")) == count(split(nameParent, "/")) + 1 # Prevents /servers from capturing ../databases/auditingSettings
+		x := value
+	]
+}
+
+get_issue_type(childrenArr,brothersArr) = "MissingAttribute"{
+	childrenArr == []
+	brothersArr == []
+} else = "IncorrectValue" # When associated with an auditing resource with "state" != enabled

assets/queries/azureResourceManager/sql_server_database_without_auditing/test/negative1.bicep

@@ -1,54 +1,13 @@
-resource sqlServer1 'Microsoft.Sql/servers@2021-02-01-preview' = {
-  name: 'sqlServer1'
+resource sql_server 'Microsoft.Sql/servers@2021-02-01-preview' = {
+  name: 'sql_server'
   location: resourceGroup().location
-  tags: {
-    displayName: 'sqlServer1'
-  }
-  properties: {
-    administratorLogin: 'adminUsername'
-    administratorLoginPassword: 'adminPassword'
-  }
-}
-
-resource sqlServer1_default 'Microsoft.Sql/servers/auditingSettings@2021-02-01-preview' = {
-  parent: sqlServer1
-  name: 'default'
-  properties: {
-    auditActionsAndGroups: ['DATABASE_LOGOUT_GROUP']
-    isAzureMonitorTargetEnabled: true
-    isStorageSecondaryKeyInUse: true
-    queueDelayMs: 1000
-    retentionDays: 100
-    state: 'Enabled'
-  }
+  properties: {}
 }
 
-resource sqlServer1_ssqlDatabase1 'Microsoft.Sql/servers/databases@2021-02-01-preview' = {
-  parent: sqlServer1
-  name: 'ssqlDatabase1'
-  location: resourceGroup().location
-  tags: {
-    displayName: 'sqlDatabase1'
-  }
-  properties: {
-    collation: 'SQL_Latin1_General_CP1_CI_AS'
-    edition: 'Basic'
-    maxSizeBytes: 107374182
-    requestedServiceObjectiveName: 'Basic'
-  }
-}
-
-resource sqlServer1_ssqlDatabase1_default 'Microsoft.Sql/servers/databases/auditingSettings@2021-02-01-preview' = {
-  parent: sqlServer1_ssqlDatabase1
-  name: 'default'
+resource sql_server_auditing_settings 'Microsoft.Sql/servers/auditingSettings@2021-02-01-preview' = {
+  parent: sql_server
+  name: 'default_1'
   properties: {
-    auditActionsAndGroups: ['DATABASE_LOGOUT_GROUP']
-    isAzureMonitorTargetEnabled: true
-    isStorageSecondaryKeyInUse: true
-    queueDelayMs: 1000
-    retentionDays: 100
     state: 'Enabled'
   }
 }
-
-

assets/queries/azureResourceManager/sql_server_database_without_auditing/test/negative1.json

@@ -0,0 +1,34 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "resources": [
+    {
+      "type": "Microsoft.Sql/servers",
+      "apiVersion": "2023-02-01-preview",
+      "name": "sql_server",
+      "location": "[resourceGroup().location]",
+      "properties": {}
+    },
+    {
+      "type": "Microsoft.Sql/servers/databases",
+      "apiVersion": "2024-11-01-preview",
+      "name": "sql_server/sql_databases",
+      "location": "[resourceGroup().location]",
+      "dependsOn": [
+        "[resourceId('Microsoft.Sql/servers', 'sql_server')]"
+      ],
+      "properties": {}
+    },
+    {
+      "type": "Microsoft.Sql/servers/auditingSettings",
+      "apiVersion": "2024-11-01-preview",
+      "name": "sql_server/default",
+      "dependsOn": [
+        "[resourceId('Microsoft.Sql/servers', 'sql_server')]"
+      ],
+      "properties": {
+        "state": "Enabled"
+      }
+    }
+  ]
+}

assets/queries/azureResourceManager/sql_server_database_without_auditing/test/negative10.json

@@ -0,0 +1,30 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "resources": [
+    {
+      "type": "Microsoft.Sql/servers",
+      "apiVersion": "2023-02-01-preview",
+      "name": "sql_server",
+      "location": "[resourceGroup().location]",
+      "properties": {},
+      "resources": [
+        {
+          "type": "databases",
+          "apiVersion": "2024-11-01-preview",
+          "name": "sql_databases",
+          "location": "[resourceGroup().location]",
+          "properties": {}
+        },
+        {
+          "type": "auditingSettings",
+          "apiVersion": "2024-11-01-preview",
+          "name": "default",
+          "properties": {
+            "state": "Enabled"
+          }
+        }
+      ]
+    }
+  ]
+}

assets/queries/azureResourceManager/sql_server_database_without_auditing/test/negative11.json

@@ -0,0 +1,36 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "resources": [
+    {
+      "type": "Microsoft.Sql/servers",
+      "apiVersion": "2021-02-01-preview",
+      "name": "sqlServer1",
+      "location": "[resourceGroup().location]",
+      "properties": {}
+    },
+    {
+      "type": "Microsoft.Sql/servers/auditingSettings",
+      "apiVersion": "2021-02-01-preview",
+      "name": "sqlServer1/default_1",
+      "properties": {
+        "state": "Enabled"
+      }
+    },
+    {
+      "type": "Microsoft.Sql/servers/databases",
+      "apiVersion": "2021-02-01-preview",
+      "name": "sqlServer1/sqlDatabase1",
+      "location": "[resourceGroup().location]",
+      "properties": {}
+    },
+    {
+      "type": "Microsoft.Sql/servers/databases/auditingSettings",
+      "apiVersion": "2021-02-01-preview",
+      "name": "sqlServer1/sqlDatabase1/default_2",
+      "properties": {
+        "state": "Disabled"
+      }
+    }
+  ]
+}

assets/queries/azureResourceManager/sql_server_database_without_auditing/test/negative12.json

@@ -0,0 +1,40 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "resources": [
+    {
+      "type": "Microsoft.Sql/servers",
+      "apiVersion": "2021-02-01-preview",
+      "name": "sqlServer1",
+      "location": "[resourceGroup().location]",
+      "properties": {},
+      "resources": [
+        {
+          "type": "auditingSettings",
+          "apiVersion": "2021-02-01-preview",
+          "name": "default_1",
+          "properties": {
+            "state": "Enabled"
+          }
+        },
+        {
+          "type": "databases",
+          "apiVersion": "2021-02-01-preview",
+          "name": "sqlDatabase1",
+          "location": "[resourceGroup().location]",
+          "properties": {},
+          "resources": [
+            {
+              "type": "auditingSettings",
+              "apiVersion": "2021-02-01-preview",
+              "name": "default_2",
+              "properties": {
+                "state": "Disabled"
+              }
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}