Merge pull request #198 from nikpivkin/go2rego-azure-1

      refactor(checks): migrate Azure appservice, authorization, container to Rego

avd_docs/azure/appservice/AVD-AZU-0001/docs.md

@@ -1,8 +1,9 @@
 
 The TLS mutual authentication technique in enterprise environments ensures the authenticity of clients to the server. If incoming client certificates are enabled only an authenticated client with valid certificates can access the app.
 
+
 ### Impact
-Mutual TLS is not being used
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/azure/appservice/AVD-AZU-0002/docs.md

@@ -1,8 +1,9 @@
 
 Registering the identity used by an App with AD allows it to interact with other services without using username and password
 
+
 ### Impact
-Interaction between services can't easily be achieved without username/password
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/azure/appservice/AVD-AZU-0003/docs.md

@@ -1,8 +1,9 @@
 
 Enabling authentication ensures that all communications in the application are authenticated. The auth_settings block needs to be filled out with the appropriate auth backend settings
 
+
 ### Impact
-Anonymous HTTP requests will be accepted
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/azure/appservice/AVD-AZU-0004/docs.md

@@ -1,8 +1,9 @@
 
 By default, clients can connect to function endpoints by using both HTTP or HTTPS. You should redirect HTTP to HTTPs because HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated.
 
+
 ### Impact
-Anyone can access the Function App using HTTP.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/azure/appservice/AVD-AZU-0005/docs.md

@@ -1,8 +1,9 @@
 
 Use the latest version of HTTP to ensure you are benefiting from security fixes
 
+
 ### Impact
-Outdated versions of HTTP has security vulnerabilities
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/azure/appservice/AVD-AZU-0006/docs.md

@@ -1,8 +1,9 @@
 
 Use a more recent TLS/SSL policy for the App Service
 
+
 ### Impact
-The minimum TLS version for apps should be TLS1_2
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/azure/authorization/AVD-AZU-0030/docs.md

@@ -1,8 +1,9 @@
 
 The permissions granted to a role should be kept to the minimum required to be able to do the task. Wildcard permissions must not be used.
 
+
 ### Impact
-Open permissions for subscriptions could result in an easily compromisable account
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/azure/container/AVD-AZU-0040/docs.md

@@ -1,8 +1,9 @@
 
 Ensure AKS logging to Azure Monitoring is configured for containers to monitor the performance of workloads.
 
+
 ### Impact
-Logging provides valuable information about access and usage
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/azure/container/AVD-AZU-0041/docs.md

@@ -1,8 +1,9 @@
 
 The API server is the central way to interact with and manage a cluster. To improve cluster security and minimize attacks, the API server should only be accessible from a limited set of IP address ranges.
 
+
 ### Impact
-Any IP can interact with the API server
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/azure/container/AVD-AZU-0042/docs.md

@@ -1,8 +1,9 @@
 
 Using Kubernetes role-based access control (RBAC), you can grant users, groups, and service accounts access to only the resources they need.
 
+
 ### Impact
-No role based access control is in place for the AKS cluster
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/azure/container/AVD-AZU-0043/docs.md

@@ -1,8 +1,9 @@
 
 The Kubernetes object type NetworkPolicy should be defined to have opportunity allow or block traffic to pods, as in a Kubernetes cluster configured with default settings, all pods can discover and communicate with each other without any restrictions.
 
+
 ### Impact
-No network policy is protecting the AKS cluster
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

checks/cloud/azure/appservice/account_identity_registered.go

@@ -25,7 +25,8 @@ var CheckAccountIdentityRegistered = rules.Register(
 			Links:               terraformAccountIdentityRegisteredLinks,
 			RemediationMarkdown: terraformAccountIdentityRegisteredRemediationMarkdown,
 		},
-		Severity: severity.Low,
+		Severity:   severity.Low,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, service := range s.Azure.AppService.Services {

checks/cloud/azure/appservice/account_identity_registered.rego

@@ -0,0 +1,41 @@
+# METADATA
+# title: Web App has registration with AD enabled
+# description: |
+#   Registering the identity used by an App with AD allows it to interact with other services without using username and password
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# custom:
+#   id: AVD-AZU-0002
+#   avd_id: AVD-AZU-0002
+#   provider: azure
+#   service: appservice
+#   severity: LOW
+#   short_code: account-identity-registered
+#   recommended_action: Register the app identity with AD
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: appservice
+#             provider: azure
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#identity
+#     good_examples: checks/cloud/azure/appservice/account_identity_registered.tf.go
+#     bad_examples: checks/cloud/azure/appservice/account_identity_registered.tf.go
+package builtin.azure.appservice.azure0002
+
+import rego.v1
+
+deny contains res if {
+	some service in input.azure.appservice.services
+	isManaged(service)
+	not has_identity_type(service)
+	res := result.new(
+		"App service does not have an identity type.",
+		object.get(service, ["identity", "type"], service),
+	)
+}
+
+has_identity_type(service) := service.identity.type.value != ""

checks/cloud/azure/appservice/account_identity_registered_test.rego

@@ -0,0 +1,24 @@
+package builtin.azure.appservice.azure0002_test
+
+import rego.v1
+
+import data.builtin.azure.appservice.azure0002 as check
+import data.lib.test
+
+test_deny_identity_not_registerd if {
+	inp := {"azure": {"appservice": {"services": [{"identity": {"type": {"value": ""}}}]}}}
+	res := check.deny with input as inp
+	count(res) == 1
+}
+
+test_deny_identity_type_is_not_specified if {
+	inp := {"azure": {"appservice": {"services": [{"identity": {}}]}}}
+	res := check.deny with input as inp
+	count(res) == 1
+}
+
+test_allow_identity_registerd if {
+	inp := {"azure": {"appservice": {"services": [{"identity": {"type": {"value": "UserAssigned"}}}]}}}
+	res := check.deny with input as inp
+	res == set()
+}

checks/cloud/azure/appservice/authentication_enabled.go

@@ -25,7 +25,8 @@ var CheckAuthenticationEnabled = rules.Register(
 			Links:               terraformAuthenticationEnabledLinks,
 			RemediationMarkdown: terraformAuthenticationEnabledRemediationMarkdown,
 		},
-		Severity: severity.Medium,
+		Severity:   severity.Medium,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, service := range s.Azure.AppService.Services {

checks/cloud/azure/appservice/authentication_enabled.rego

@@ -0,0 +1,39 @@
+# METADATA
+# title: App Service authentication is activated
+# description: |
+#   Enabling authentication ensures that all communications in the application are authenticated. The auth_settings block needs to be filled out with the appropriate auth backend settings
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# custom:
+#   id: AVD-AZU-0003
+#   avd_id: AVD-AZU-0003
+#   provider: azure
+#   service: appservice
+#   severity: MEDIUM
+#   short_code: authentication-enabled
+#   recommended_action: Enable authentication to prevent anonymous request being accepted
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: appservice
+#             provider: azure
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#enabled
+#     good_examples: checks/cloud/azure/appservice/authentication_enabled.tf.go
+#     bad_examples: checks/cloud/azure/appservice/authentication_enabled.tf.go
+package builtin.azure.appservice.azure0003
+
+import rego.v1
+
+deny contains res if {
+	some service in input.azure.appservice.services
+	isManaged(service)
+	not service.authentication.enabled.value
+	res := result.new(
+		"App service does not have authentication enabled.",
+		object.get(service, ["authentication", "enabled"], service),
+	)
+}