From 64b62f14d1b0e7aa7efc076cbb69b17e777d2a72 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Reigota?=
Date: Thu, 27 May 2021 18:21:06 +0100
Subject: [PATCH] Updated Unrestricted SQL Server Access query for Terraform and Ansible #3444
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: João Reigota
---
 .../unrestricted_sql_server_acess/query.rego | 17 -----------------
 .../test/positive.yaml                        |  2 +-
 .../unrestricted_sql_server_acess/query.rego | 14 --------------
 .../test/positive.tf                          |  2 +-
 4 files changed, 2 insertions(+), 33 deletions(-)

diff --git a/assets/queries/ansible/azure/unrestricted_sql_server_acess/query.rego b/assets/queries/ansible/azure/unrestricted_sql_server_acess/query.rego
index 1d3144d14c7..253b4b32e59 100644
--- a/assets/queries/ansible/azure/unrestricted_sql_server_acess/query.rego
+++ b/assets/queries/ansible/azure/unrestricted_sql_server_acess/query.rego
@@ -5,23 +5,6 @@ import data.generic.common as commonLib
 
 modules := {"azure.azcollection.azure_rm_sqlfirewallrule", "azure_rm_sqlfirewallrule"}
 
-CxPolicy[result] {
-	task := ansLib.tasks[id][t]
-	rule := task[modules[m]]
-	ansLib.checkState(rule)
-
-	rule.start_ip_address == "0.0.0.0"
-	rule.end_ip_address == "0.0.0.0"
-
-	result := {
-		"documentId": id,
-		"searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]),
-		"issueType": "IncorrectValue",
-		"keyExpectedValue": "azure_rm_sqlfirewallrule.start_ip_address is different from '0.0.0.0' and azure_rm_sqlfirewallrule.end_ip_address is different from '0.0.0.0'",
-		"keyActualValue": "azure_rm_sqlfirewallrule.start_ip_address is '0.0.0.0' and azure_rm_sqlfirewallrule.end_ip_address is '0.0.0.0'",
-	}
-}
-
 CxPolicy[result] {
 	task := ansLib.tasks[id][t]
 	rule := task[modules[m]]
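Review bot: Deleting the rule that matched `rule.start_ip_address == "0.0.0.0"` together with `rule.end_ip_address == "0.0.0.0"` means the Azure-specific 0.0.0.0–0.0.0.0 firewall entry (the value commonly created for "allow Azure services and resources to access this server") is no longer reported by this query, and nothing in the part of the remaining rule visible here (`task := ansLib.tasks[id][t]`, `rule := task[modules[m]]`; its body continues outside the hunk) obviously covers it. That entry admits traffic from any Azure-hosted resource, including resources in other tenants' subscriptions, so it is still a meaningful exposure even if it is not literally "unrestricted". If the intent is that it is now out of scope, the decision should be recorded where the next maintainer will see it, for example a comment above the remaining rule such as `# 0.0.0.0-0.0.0.0 ("Allow Azure services") is deliberately not reported here; only wide address ranges are`, and ideally owned by a separate lower-severity query. If it should still be flagged, keeping a dedicated rule is safer than relying on range arithmetic to catch a zero-width range.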
diff --git a/assets/queries/ansible/azure/unrestricted_sql_server_acess/test/positive.yaml b/assets/queries/ansible/azure/unrestricted_sql_server_acess/test/positive.yaml
index d079fe3342a..d2f0fd11029 100644
--- a/assets/queries/ansible/azure/unrestricted_sql_server_acess/test/positive.yaml
+++ b/assets/queries/ansible/azure/unrestricted_sql_server_acess/test/positive.yaml
@@ -5,7 +5,7 @@
     server_name: firewallrulecrudtest-6285
     name: firewallrulecrudtest-5370
     start_ip_address: 0.0.0.0
-    end_ip_address: 0.0.0.0
+    end_ip_address: 172.28.11.138
 - name: Create (or update) Firewall Rule2
   azure_rm_sqlfirewallrule:
     resource_group: myResourceGroup2
diff --git a/assets/queries/terraform/azure/unrestricted_sql_server_acess/query.rego b/assets/queries/terraform/azure/unrestricted_sql_server_acess/query.rego
index efeb321474a..e2fe5aaf069 100644
--- a/assets/queries/terraform/azure/unrestricted_sql_server_acess/query.rego
+++ b/assets/queries/terraform/azure/unrestricted_sql_server_acess/query.rego
@@ -2,20 +2,6 @@ package Cx
 
 import data.generic.common as lib
 
-CxPolicy[result] {
-	resource := input.document[i].resource.azurerm_sql_firewall_rule[name]
-	resource.start_ip_address == "0.0.0.0"
-	resource.end_ip_address == "0.0.0.0"
-
-	result := {
-		"documentId": input.document[i].id,
-		"searchKey": sprintf("azurerm_sql_firewall_rule[%s].start_ip_address", [name]),
-		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("'azurerm_sql_firewall_rule[%s].start_ip_address' is different from '0.0.0.0'", [name]),
-		"keyActualValue": sprintf("'azurerm_sql_firewall_rule[%s].start_ip_address' is equal to '0.0.0.0'", [name]),
-	}
-}
-
 CxPolicy[result] {
 	resource := input.document[i].resource.azurerm_sql_firewall_rule[name]
 	startIP_value := lib.calc_IP_value(resource.start_ip_address)
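Review bot: With the exact-match rule for `resource.start_ip_address == "0.0.0.0"` and `resource.end_ip_address == "0.0.0.0"` gone, how a 0.0.0.0–0.0.0.0 `azurerm_sql_firewall_rule` is treated now depends entirely on what `lib.calc_IP_value` returns for a zero-width range and on the comparison in the remaining rule, whose body starts at `startIP_value := lib.calc_IP_value(resource.start_ip_address)` and continues outside the hunk, so I cannot tell from this diff whether it is reported or silently accepted. That value is the Azure "allow Azure services" special case, which opens the server to any Azure-hosted client rather than to a specific range, so it deserves an explicit, documented decision rather than an incidental one. I would add a comment above the remaining rule stating the intended outcome, e.g. `# NOTE: the 0.0.0.0-0.0.0.0 "Allow Azure services" entry is out of scope for this query (see #3444)`, and make sure a fixture covers it so a later change to `calc_IP_value` cannot flip the behaviour unnoticed.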
diff --git a/assets/queries/terraform/azure/unrestricted_sql_server_acess/test/positive.tf b/assets/queries/terraform/azure/unrestricted_sql_server_acess/test/positive.tf
index 0aafe9f4c74..46d12a48770 100644
--- a/assets/queries/terraform/azure/unrestricted_sql_server_acess/test/positive.tf
+++ b/assets/queries/terraform/azure/unrestricted_sql_server_acess/test/positive.tf
@@ -17,7 +17,7 @@ resource "azurerm_sql_firewall_rule" "positive3" {
   resource_group_name = azurerm_resource_group.example.name
   server_name         = azurerm_sql_server.example.name
   start_ip_address    = "0.0.0.0"
-  end_ip_address      = "0.0.0.0"
+  end_ip_address      = "10.0.27.62"
 }
 
 resource "azurerm_sql_firewall_rule" "positive4" {
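Review bot: After this change no fixture in the diff pins how a 0.0.0.0–0.0.0.0 rule is treated: positive3 now uses `end_ip_address = "10.0.27.62"`, which exercises the wide-range check, but the old special-case value only disappears from the positives and is not added anywhere as an expected negative (or positive), so the new behaviour is implied by the deleted rule rather than tested. A case in `negative.tf` (or `positive.tf`, whichever outcome is intended) with `start_ip_address = "0.0.0.0"` and `end_ip_address = "0.0.0.0"` would lock that decision in and stop a future edit to the range calculation from changing it silently. I cannot see the existing negative fixtures, so this may already be covered; if it is, a short comment on that case naming it as the "Allow Azure services" entry would still help reviewers.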