Merge branch 'master' into AST-120855_Fixes_for_azure_instance_using_basic_authentication-terraform/azure

Author: cx-andre-pereira

.github/workflows/kics-gh-action.yaml

@@ -11,7 +11,7 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Run KICS Scan
-        uses: checkmarx/kics-github-action@71454548efb714daa457caae25c01d64cc0be9d2 # v2.1.13
+        uses: checkmarx/kics-github-action@e01759d524f8abd5bd650d3d5bd4b96d46ebbc1d # v2.1.17
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           path: "./Dockerfile"

Dockerfile

@@ -1,4 +1,4 @@
-FROM checkmarx/go:1.25.4-r0-0f666a5fd03ad6@sha256:0f666a5fd03ad60c4cb5309df02ff11e4aa8f42908a876fde287a4f97abb2c8f AS build_env
+FROM checkmarx/go:1.25.4-r0-fbc7b9b7b7ba53@sha256:fbc7b9b7b7ba53794faa91d4dcaacb4d584209b8c08e74513d5cc14042b77e5b AS build_env
 
 # Copy the source from the current directory to the Working Directory inside the container
 WORKDIR /app
@@ -29,7 +29,7 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build \
 # Runtime image
 # Ignore no User Cmd since KICS container is stopped afer scan
 # kics-scan ignore-line
-FROM checkmarx/git:2.52.0-r0-8ea14bbb4ce02c@sha256:8ea14bbb4ce02c67ba4a3d941c88f592301e3f6e70a5dd3ae0d690d58dddd820
+FROM checkmarx/git:2.52.0-r0-4740f99b4432a5@sha256:4740f99b4432a55073272b69d3a4fdc9cee2085e9be58089effbb8354bce923d
 
 ENV TERM xterm-256color
 

assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/metadata.json

@@ -0,0 +1,14 @@
+{
+  "id": "d0514e4b-9e95-4a7a-9bc5-0adb32514122",
+  "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured",
+  "severity": "MEDIUM",
+  "category": "Observability",
+  "descriptionText": "There should be a 'azurerm_monitor_activity_log_alert' resource configured to capture create policy assignment events",
+  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_activity_log_alert",
+  "platform": "Terraform",
+  "descriptionID": "d0514e4b",
+  "cloudProvider": "azure",
+  "cwe": "778",
+  "riskScore": "3.0",
+  "experimental": "true"
+}

assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/query.rego

@@ -0,0 +1,95 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+filter_fields := ["caller", "level", "levels", "status", "statuses", "sub_status", "sub_statuses"]
+
+CxPolicy[result] {
+	resources := {input.document[index].id : log_alerts |
+            log_alerts := input.document[index].resource.azurerm_monitor_activity_log_alert
+            }
+
+	value := at_least_one_valid_log_alert(resources)
+	value.result != "has_valid_log"
+
+	results := get_results(value)[_]
+
+	result := {
+		"documentId": results.doc_id,
+		"resourceType": "azurerm_monitor_activity_log_alert",
+		"resourceName": tf_lib.get_resource_name(results.resource, results.name),
+		"searchKey": sprintf("azurerm_monitor_activity_log_alert[%s].criteria", [results.name]),
+		"issueType": results.issueType,
+		"keyExpectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined",
+		"keyActualValue": results.keyActualValue,
+		"searchLine": common_lib.build_search_line(["resource", "azurerm_monitor_activity_log_alert", results.name, "criteria"], [])
+	}
+}
+
+at_least_one_valid_log_alert(resources) = {"result" : "has_valid_log"} {
+	resources[doc_index][x].criteria.category == "Administrative"
+	resources[doc_index][x].criteria.operation_name == "Microsoft.Authorization/policyAssignments/write"
+	not has_filter(resources[doc_index][x].criteria)
+	common_lib.valid_key(resources[doc_index][x].action, "action_group_id")
+
+} else = {"result" : "has_log_without_action", "logs": logs} {
+	logs := {doc_index: filtered |
+			resources[doc_index]
+			filtered := {key: resource |
+				resource := resources[doc_index][key]
+				resource.criteria.category == "Administrative"
+				resource.criteria.operation_name == "Microsoft.Authorization/policyAssignments/write"
+				not has_filter(resource.criteria)}
+		}
+	logs[_] != {}
+
+} else = {"result" : "has_log_with_filter", "logs": logs} {
+	logs := {doc_index: filtered |
+			resources[doc_index]
+			filtered := {key: resource |
+				resource := resources[doc_index][key]
+				resource.criteria.category == "Administrative"
+				resource.criteria.operation_name == "Microsoft.Authorization/policyAssignments/write"}
+		}
+	logs[_] != {}
+
+}
+
+get_results(value) = results {					# Case of one or more resources failing due to not setting an "action.action_group_id" field
+	value.result == "has_log_without_action"
+
+	results := [z |
+		log := value.logs[doc_id][name]
+		z := {
+			"doc_id" : doc_id,
+			"resource" : log,
+			"issueType": "MissingAttribute",
+			"name" : name,
+			"keyActualValue" : sprintf("The 'azurerm_monitor_activity_log_alert[%s]' resource monitors 'create policy assignment' events but is missing an 'action.action_group_id' field", [name])
+		}]
+
+} else = results {								# Case of one or more resources failing due to setting filter(s)
+	value.result == "has_log_with_filter"
+
+	results := [z |
+		filters = get_filters(value.logs[doc_id][name].criteria)
+		z := {
+			"doc_id" : doc_id,
+			"resource" : value.logs[doc_id][name],
+			"issueType": "IncorrectValue",
+			"name" : name,
+			"keyActualValue" : sprintf("The 'azurerm_monitor_activity_log_alert[%s]' resource monitors 'create policy assignment' events but sets %d filter(s): %s", [name, count(filters),concat(", ",filters)])
+		}]
+
+}
+
+has_filter(criteria) {
+	common_lib.valid_key(criteria, filter_fields[_])
+}
+
+get_filters(criteria) = [x |
+  y := filter_fields[_]
+  common_lib.valid_key(criteria, y)
+  x := y
+]

assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/negative1.tf

@@ -0,0 +1,21 @@
+resource "azurerm_monitor_activity_log_alert" "negative1" {
+  name                = "example-activitylogalert"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_resource_group.example.location
+  scopes              = [azurerm_resource_group.example.id]
+  description         = "Negative sample"
+
+  criteria {
+    resource_id    = azurerm_storage_account.to_monitor.id
+    operation_name = "Microsoft.Authorization/policyAssignments/write"
+    category       = "Administrative"
+  }
+
+  action {
+    action_group_id = azurerm_monitor_action_group.main.id
+
+    webhook_properties = {
+      from = "terraform"
+    }
+  }
+}

assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive1.tf

@@ -0,0 +1,54 @@
+# In the future this should flag the project (currently impossible) and request for a valid "log_alert" to be defined
+resource "azurerm_monitor_activity_log_alert" "positive1_1" {
+  name                = "example-activitylogalert"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_resource_group.example.location
+  scopes              = [azurerm_resource_group.example.id]
+  description         = "Positive sample"
+
+  criteria {
+    resource_id    = azurerm_storage_account.to_monitor.id
+    operation_name = "Microsoft.Storage/storageAccounts/write"          # wrong operation name
+    category       = "Administrative"
+  }
+
+  action {
+    action_group_id = azurerm_monitor_action_group.main.id
+  }
+}
+
+resource "azurerm_monitor_activity_log_alert" "positive1_2" {
+  name                = "example-activitylogalert"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_resource_group.example.location
+  scopes              = [azurerm_resource_group.example.id]
+  description         = "Positive sample"
+
+  criteria {
+    resource_id    = azurerm_storage_account.to_monitor.id
+    operation_name = "Microsoft.Authorization/policyAssignments/write"
+    category       = "Policy"                                           # wrong category
+  }
+
+  action {
+    action_group_id = azurerm_monitor_action_group.main.id
+  }
+}
+
+resource "azurerm_monitor_activity_log_alert" "positive1_3" {
+  name                = "example-activitylogalert"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_resource_group.example.location
+  scopes              = [azurerm_resource_group.example.id]
+  description         = "Positive sample"
+
+  criteria {
+    resource_id    = azurerm_storage_account.to_monitor.id
+    operation_name = "Microsoft.Storage/storageAccounts/write"          # wrong operation name
+    category       = "Policy"                                           # wrong category
+  }
+
+  action {
+    action_group_id = azurerm_monitor_action_group.main.id
+  }
+}

assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive2/positive2_1.tf

@@ -0,0 +1,76 @@
+# Case of correct "operation_name" and "category" but a type of filter is set
+resource "azurerm_monitor_activity_log_alert" "positive2_1" {
+  name                = "example-activitylogalert"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_resource_group.example.location
+  scopes              = [azurerm_resource_group.example.id]
+  description         = "Positive sample"
+
+  criteria {
+    resource_id    = azurerm_storage_account.to_monitor.id
+    operation_name = "Microsoft.Authorization/policyAssignments/write"
+    category       = "Administrative"
+    caller         = "admin@contoso.com"                                          # filters by caller
+  }
+
+  action {
+    action_group_id = azurerm_monitor_action_group.main.id
+    }
+}
+
+resource "azurerm_monitor_activity_log_alert" "positive2_2" {
+  name                = "example-activitylogalert"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_resource_group.example.location
+  scopes              = [azurerm_resource_group.example.id]
+  description         = "Positive sample"
+
+  criteria {
+    resource_id    = azurerm_storage_account.to_monitor.id
+    operation_name = "Microsoft.Authorization/policyAssignments/write"
+    category       = "Administrative"
+    level          = "Informational"                                              # filters by level
+  }
+
+  action {
+    action_group_id = azurerm_monitor_action_group.main.id
+    }
+}
+
+resource "azurerm_monitor_activity_log_alert" "positive2_3" {
+  name                = "example-activitylogalert"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_resource_group.example.location
+  scopes              = [azurerm_resource_group.example.id]
+  description         = "Positive sample"
+
+  criteria {
+    resource_id    = azurerm_storage_account.to_monitor.id
+    operation_name = "Microsoft.Authorization/policyAssignments/write"
+    category       = "Administrative"
+    levels         = ["Informational", "Warning"]                                  # filters by levels
+  }
+
+  action {
+    action_group_id = azurerm_monitor_action_group.main.id
+    }
+}
+
+resource "azurerm_monitor_activity_log_alert" "positive2_4" {
+  name                = "example-activitylogalert"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_resource_group.example.location
+  scopes              = [azurerm_resource_group.example.id]
+  description         = "Positive sample"
+
+  criteria {
+    resource_id    = azurerm_storage_account.to_monitor.id
+    operation_name = "Microsoft.Authorization/policyAssignments/write"
+    category       = "Administrative"
+    status         = "Succeeded"                                                    # filters by status
+  }
+
+  action {
+    action_group_id = azurerm_monitor_action_group.main.id
+    }
+}

assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive2/positive2_2.tf

@@ -0,0 +1,56 @@
+resource "azurerm_monitor_activity_log_alert" "positive2_5" {
+  name                = "example-activitylogalert"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_resource_group.example.location
+  scopes              = [azurerm_resource_group.example.id]
+  description         = "Positive sample"
+
+  criteria {
+    resource_id    = azurerm_storage_account.to_monitor.id
+    operation_name = "Microsoft.Authorization/policyAssignments/write"
+    category       = "Administrative"
+    statuses       = ["Succeeded", "Failed"]                                        # filters by statuses
+  }
+
+  action {
+    action_group_id = azurerm_monitor_action_group.main.id
+    }
+}
+
+resource "azurerm_monitor_activity_log_alert" "positive2_6" {
+  name                = "example-activitylogalert"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_resource_group.example.location
+  scopes              = [azurerm_resource_group.example.id]
+  description         = "Positive sample"
+
+  criteria {
+    resource_id    = azurerm_storage_account.to_monitor.id
+    operation_name = "Microsoft.Authorization/policyAssignments/write"
+    category       = "Administrative"
+    sub_status     = "Accepted"                                                      # filters by sub_status
+  }
+
+  action {
+    action_group_id = azurerm_monitor_action_group.main.id
+    }
+}
+
+resource "azurerm_monitor_activity_log_alert" "positive2_7" {
+  name                = "example-activitylogalert"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_resource_group.example.location
+  scopes              = [azurerm_resource_group.example.id]
+  description         = "Positive sample"
+
+  criteria {
+    resource_id    = azurerm_storage_account.to_monitor.id
+    operation_name = "Microsoft.Authorization/policyAssignments/write"
+    category       = "Administrative"
+    sub_statuses   = ["Accepted", "Conflict"]                                         # filters by sub_statuses
+  }
+
+  action {
+    action_group_id = azurerm_monitor_action_group.main.id
+    }
+}

assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive2/positive_expected_result.json

@@ -0,0 +1,44 @@
+[
+  {
+    "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured",
+    "severity": "MEDIUM",
+    "line": 9,
+    "fileName": "positive2_1.tf"
+  },
+  {
+    "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured",
+    "severity": "MEDIUM",
+    "line": 28,
+    "fileName": "positive2_1.tf"
+  },
+  {
+    "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured",
+    "severity": "MEDIUM",
+    "line": 47,
+    "fileName": "positive2_1.tf"
+  },
+  {
+    "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured",
+    "severity": "MEDIUM",
+    "line": 66,
+    "fileName": "positive2_1.tf"
+  },
+  {
+    "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured",
+    "severity": "MEDIUM",
+    "line": 8,
+    "fileName": "positive2_2.tf"
+  },
+  {
+    "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured",
+    "severity": "MEDIUM",
+    "line": 27,
+    "fileName": "positive2_2.tf"
+  },
+  {
+    "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured",
+    "severity": "MEDIUM",
+    "line": 46,
+    "fileName": "positive2_2.tf"
+  }
+]