test: add functional tests

Signed-off-by: Nikita Pivkin <[email protected]>

avd_docs/azure/compute/AVD-AZU-0037/docs.md

@@ -1,8 +1,9 @@
 
 When creating Azure Virtual Machines, custom_data is used to pass start up information into the EC2 instance. This custom_dat must not contain access key credentials.
 
+
 ### Impact
-Sensitive credentials in custom_data can be leaked
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/azure/database/AVD-AZU-0029/docs.md

@@ -1,8 +1,9 @@
 
 Azure services can be allowed access through the firewall using a start and end IP address of 0.0.0.0. No other end ip address should be combined with a start of 0.0.0.0
 
+
 ### Impact
-Publicly accessible databases could lead to compromised data
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

checks/cloud/azure/compute/no_secrets_in_custom_data.go

@@ -28,7 +28,8 @@ var CheckNoSecretsInCustomData = rules.Register(
 			Links:               terraformNoSecretsInCustomDataLinks,
 			RemediationMarkdown: terraformNoSecretsInCustomDataRemediationMarkdown,
 		},
-		Severity: severity.Medium,
+		Severity:   severity.Medium,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, vm := range s.Azure.Compute.LinuxVirtualMachines {

checks/cloud/azure/compute/no_secrets_in_custom_data.rego

@@ -0,0 +1,44 @@
+# METADATA
+# title: Ensure that no sensitive credentials are exposed in VM custom_data
+# description: |
+#   When creating Azure Virtual Machines, custom_data is used to pass start up information into the EC2 instance. This custom_dat must not contain access key credentials.
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# custom:
+#   id: AVD-AZU-0037
+#   avd_id: AVD-AZU-0037
+#   provider: azure
+#   service: compute
+#   severity: MEDIUM
+#   short_code: no-secrets-in-custom-data
+#   recommended_action: Don't use sensitive credentials in the VM custom_data
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: compute
+#             provider: azure
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_machine#custom_data
+#     good_examples: checks/cloud/azure/compute/no_secrets_in_custom_data.tf.go
+#     bad_examples: checks/cloud/azure/compute/no_secrets_in_custom_data.tf.go
+package builtin.azure.compute.azure0037
+
+import rego.v1
+
+deny contains res if {
+	vms := array.concat(
+		object.get(input.azure.compute, "linuxvirtualmachines", []),
+		object.get(input.azure.compute, "windowsvirtualmachines", []),
+	)
+
+	some vm in vms
+	scan_result := squealer.scan_string(vm.virtualmachine.customdata.value)
+	scan_result.transgressionFound
+	res := result.new(
+		"Virtual machine includes secret(s) in custom data.",
+		vm.virtualmachine,
+	)
+}

checks/cloud/azure/compute/no_secrets_in_custom_data_test.rego

@@ -0,0 +1,20 @@
+package builtin.azure.compute.azure0037_test
+
+import rego.v1
+
+import data.builtin.azure.compute.azure0037 as check
+import data.lib.test
+
+test_deny_secrets_in_custom_data if {
+	inp := {"azure": {"compute": {"linuxvirtualmachines": [{"virtualmachine": {"customdata": {"value": `export DATABASE_PASSWORD=\"SomeSortOfPassword\"`}}}]}}}
+
+	res := check.deny with input as inp
+	count(res) == 1
+}
+
+test_allow_no_secrets_in_custom_data if {
+	inp := {"azure": {"compute": {"linuxvirtualmachines": [{"virtualmachine": {"customdata": {"value": `export GREETING="Hello there"`}}}]}}}
+
+	res := check.deny with input as inp
+	count(res) == 0
+}

checks/cloud/azure/database/no_public_access.rego

@@ -37,8 +37,8 @@ deny contains res if {
 	is_public_access_enabled(server)
 	res := result.new(
 		"Database server does not have public access enabled.",
-		object.get(server, "publicnetworkaccessenabled", server),
+		object.get(server, "enablepublicnetworkaccess", server),
 	)
 }
 
-is_public_access_enabled(server) := server.publicnetworkaccessenabled.value == true
+is_public_access_enabled(server) := server.enablepublicnetworkaccess.value == true

checks/cloud/azure/database/no_public_access_test.rego

@@ -27,13 +27,13 @@ test_deny_postgresql_server_public_access_enabled if {
 
 test_allow_servers_public_access_disabled if {
 	inp := {"azure": {"database": {
-		"mysqlservers": [{"server": {"publicnetworkaccessenabled": {"value": false}}}],
-		"mssqlservers": [{"server": {"publicnetworkaccessenabled": {"value": false}}}],
-		"mariadbservers": [{"server": {"publicnetworkaccessenabled": {"value": false}}}],
-		"postgresqlservers": [{"server": {"publicnetworkaccessenabled": {"value": false}}}],
+		"mysqlservers": [{"server": {"enablepublicnetworkaccess": {"value": false}}}],
+		"mssqlservers": [{"server": {"enablepublicnetworkaccess": {"value": false}}}],
+		"mariadbservers": [{"server": {"enablepublicnetworkaccess": {"value": false}}}],
+		"postgresqlservers": [{"server": {"enablepublicnetworkaccess": {"value": false}}}],
 	}}}
 	res := check.deny with input as inp
 	count(res) == 0
 }
 
-build_input(db_type, public_access) := {"azure": {"database": {db_type: [{"server": {"publicnetworkaccessenabled": {"value": public_access}}}]}}}
+build_input(db_type, public_access) := {"azure": {"database": {db_type: [{"server": {"enablepublicnetworkaccess": {"value": public_access}}}]}}}

checks/cloud/azure/database/no_public_firewall_access.go

@@ -29,7 +29,8 @@ var CheckNoPublicFirewallAccess = rules.Register(
 			Links:               terraformNoPublicFirewallAccessLinks,
 			RemediationMarkdown: terraformNoPublicFirewallAccessRemediationMarkdown,
 		},
-		Severity: severity.High,
+		Severity:   severity.High,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, server := range s.Azure.Database.MariaDBServers {

checks/cloud/azure/database/no_public_firewall_access.rego

@@ -0,0 +1,54 @@
+# METADATA
+# title: Ensure database firewalls do not permit public access
+# description: |
+#   Azure services can be allowed access through the firewall using a start and end IP address of 0.0.0.0. No other end ip address should be combined with a start of 0.0.0.0
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://docs.microsoft.com/en-us/rest/api/sql/2021-02-01-preview/firewall-rules/create-or-update
+# custom:
+#   id: AVD-AZU-0029
+#   avd_id: AVD-AZU-0029
+#   provider: azure
+#   service: database
+#   severity: HIGH
+#   short_code: no-public-firewall-access
+#   recommended_action: Don't use wide ip ranges for the sql firewall
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: database
+#             provider: azure
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_firewall_rule#end_ip_address
+#     good_examples: checks/cloud/azure/database/no_public_firewall_access.tf.go
+#     bad_examples: checks/cloud/azure/database/no_public_firewall_access.tf.go
+package builtin.azure.database.azure0029
+
+import rego.v1
+
+import data.lib.azure.database
+
+deny contains res if {
+	some server in database.all_servers
+	some rule in server.firewallrules
+	not allowing_azure_services(rule)
+	rule.startip.value != rule.endip.value
+	is_public_rule(rule)
+	res := result.new(
+		"Firewall rule allows public internet access to a database server.",
+		rule,
+	)
+}
+
+is_public_rule(rule) if cidr.is_public(rule.startip.value)
+
+is_public_rule(rule) if cidr.is_public(rule.endip.value)
+
+allowing_azure_services(rule) if {
+	rule.startip.value == "0.0.0.0"
+	rule.endip.value == "0.0.0.0"
+}