Review and fix all the existing Terraform rules, error message, policy title and description, remediation descriptions.

azure/iac/master-compliance-test.json

@@ -2364,7 +2364,7 @@
                         }
                     ],
                     "severity": "Medium",
-                    "title": "Azure Container Registry shoud not have deprecated classic SKU configured",
+                    "title": "Azure Container Registry should not use the deprecated classic registry",
                     "description": "This policy identifies an Azure Container Registry (ACR) that is using the classic SKU. The initial release of the Azure Container Registry (ACR) service that was offered as a classic SKU is being deprecated and will be unavailable after April 2019. As a best practice, upgrade your existing classic registry to a managed registry._x000D__x000D_For more information, visit https://docs.microsoft.com/en-us/azure/container-registry/container-registry-upgrade",
                     "tags": [
                         {
@@ -2393,7 +2393,7 @@
                         }
                     ],
                     "severity": "Medium",
-                    "title": "Azure ACR webhook should have HTTPS protocol enabled",
+                    "title": "Azure ACR should have HTTPS protocol enabled for webhook",
                     "description": "Ensure you send container registry webhooks only to a HTTPS endpoint. This policy checks your container registry webhooks and alerts if it finds a URI with HTTP.",
                     "tags": [
                         {
@@ -2868,14 +2868,14 @@
                     "evals": [
                         {
                             "id": "PR-AZR-0074-ARM",
-                            "eval": "data.rule.storage_public_access_disabled",
-                            "message": "data.rule.storage_public_access_disabled_err",
+                            "eval": "data.rule.storage_container_public_access_disabled",
+                            "message": "data.rule.storage_container_public_access_disabled_err",
                             "remediationDescription": "Make sure you are following the ARM template guidelines for storage accounts from this URL : https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/2019-06-01/storageaccounts/blobservices/containers",
                             "remediationFunction": "PR_AZR_0074_ARM.py"
                         }
                     ],
                     "severity": "Medium",
-                    "title": "Azure storage account should not allow public access to the blob container",
+                    "title": "Azure storage blob container should not have public access enabled",
                     "description": "'Public access level' allows you to grant anonymous/public read access to a container and the blobs within Azure blob storage. By doing so, you can grant read-only access to these resources without sharing your account key, and without requiring a shared access signature._x005F_x000D_ _x005F_x000D_ This policy identifies blob containers within an Azure storage account that allow anonymous/public access ('CONTAINER' or 'BLOB'). As a best practice, do not allow anonymous/public access to blob containers unless you have a very good reason. Instead, you should consider using a shared access signature token for providing controlled and time-limited access to blob containers.",
                     "tags": [
                         {

azure/iac/registrieslist.rego

@@ -47,7 +47,7 @@ acr_classic_metadata := {
     "Type": "IaC",
     "Product": "AZR",
     "Language": "ARM template",
-    "Policy Title": "Azure Container Registry shoud not have deprecated classic SKU configured",
+    "Policy Title": "Azure Container Registry should not use the deprecated classic registry",
     "Policy Description": "This policy identifies an Azure Container Registry (ACR) that is using the classic SKU. The initial release of the Azure Container Registry (ACR) service that was offered as a classic SKU is being deprecated and will be unavailable after April 2019. As a best practice, upgrade your existing classic registry to a managed registry._x005F_x000D_ _x005F_x000D_ For more information, visit https://docs.microsoft.com/en-us/azure/container-registry/container-registry-upgrade",
     "Resource Type": "microsoft.containerregistry/registries",
     "Policy Help URL": "",

azure/iac/registrieswebhooks.rego

@@ -47,7 +47,7 @@ acr_webhooks_metadata := {
     "Type": "IaC",
     "Product": "AZR",
     "Language": "ARM template",
-    "Policy Title": "Azure ACR webhook should have HTTPS protocol enabled",
+    "Policy Title": "Azure ACR should have HTTPS protocol enabled for webhook",
     "Policy Description": "Ensure you send container registry webhooks only to a HTTPS endpoint. This policy checks your container registry webhooks and alerts if it finds a URI with HTTP.",
     "Resource Type": "microsoft.containerregistry/registries/webhooks",
     "Policy Help URL": "",

azure/iac/securitycontacts.rego

@@ -34,11 +34,11 @@ securitycontacts = false {
     azure_attribute_absence["securitycontacts"]
 }
 
-securitycontacts_err = "Security Center currently dont have any security contact emails configured" {
+securitycontacts_err = "Security Center currently does not have any valid security contact email configured" {
     azure_issue["securitycontacts"]
 }
 
-securitycontacts_miss_err = "Security Center security contacts property 'mail' is missing from the resource" {
+securitycontacts_miss_err = "Security Center security contacts property 'emails' is missing from the resource" {
     azure_attribute_absence["securitycontacts"]
 }
 

azure/iac/sql_servers.rego

@@ -38,7 +38,7 @@ sql_public_access_disabled_miss_err = "publicNetworkAccess property is missing f
     azure_attribute_absence["sql_public_access_disabled"]
 }
 
-sql_public_access_disabled_err = "Public Network Access is currently not disabled on the resource" {
+sql_public_access_disabled_err = "Public Network Access is currently not disabled on MSSQL Server" {
     azure_issue["sql_public_access_disabled"]
 }
 

azure/iac/storageblobcontainers.rego

@@ -4,57 +4,54 @@ package rule
 
 #
 # PR-AZR-0074-ARM
-# PR-AZR-0013-ARM
 #
 
-default storage_public_access_disabled = null
+default storage_container_public_access_disabled = null
 #https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal
-azure_attribute_absence["storage_public_access_disabled"] {
+azure_attribute_absence["storage_container_public_access_disabled"] {
     resource := input.resources[_]
     lower(resource.type) == "microsoft.storage/storageaccounts/blobservices/containers"
     not resource.properties.publicAccess
 }
 
-azure_issue["storage_public_access_disabled"] {
+azure_issue["storage_container_public_access_disabled"] {
     resource := input.resources[_]
     lower(resource.type) == "microsoft.storage/storageaccounts/blobservices/containers"
     lower(resource.properties.publicAccess) == "container"
 }
 
-azure_issue["storage_public_access_disabled"] {
+azure_issue["storage_container_public_access_disabled"] {
     resource := input.resources[_]
     lower(resource.type) == "microsoft.storage/storageaccounts/blobservices/containers"
     lower(resource.properties.publicAccess) == "blob"
 }
 
-storage_public_access_disabled {
+storage_container_public_access_disabled {
     lower(input.resources[_].type) == "microsoft.storage/storageaccounts/blobservices/containers"
-    not azure_attribute_absence["storage_public_access_disabled"]
-    not azure_issue["storage_public_access_disabled"]
+    not azure_attribute_absence["storage_container_public_access_disabled"]
+    not azure_issue["storage_container_public_access_disabled"]
 }
 
-storage_public_access_disabled = false {
+storage_container_public_access_disabled = false {
     azure_issue["storage_public_access_disabled"]
 }
 
-storage_public_access_disabled {
+storage_container_public_access_disabled {
     azure_attribute_absence["storage_public_access_disabled"]
 }
 
-storage_public_access_disabled_err = "Azure storage account currently allowing public access to the blob container" {
+storage_container_public_access_disabled_err = "Azure storage account currently allowing public access to the blob container" {
     azure_issue["storage_public_access_disabled"]
-}
-
-storage_public_access_disabled_err = "Azure storage account blob service property 'publicAccess' is missing from the resource" {
+} else = "Azure storage account blob service property 'publicAccess' is missing from the resource"  {
     azure_attribute_absence["storage_public_access_disabled"]
 }
 
-storage_public_access_disabled_metadata := {
+storage_container_public_access_disabled_metadata := {
     "Policy Code": "PR-AZR-0074-ARM",
     "Type": "IaC",
     "Product": "AZR",
     "Language": "ARM template",
-    "Policy Title": "Azure storage account should not allow public access to the blob container",
+    "Policy Title": "Azure storage blob container should not have public access enabled",
     "Policy Description": "'Public access level' allows you to grant anonymous/public read access to a container and the blobs within Azure blob storage. By doing so, you can grant read-only access to these resources without sharing your account key, and without requiring a shared access signature._x005F_x000D_ _x005F_x000D_ This policy identifies blob containers within an Azure storage account that allow anonymous/public access ('CONTAINER' or 'BLOB'). As a best practice, do not allow anonymous/public access to blob containers unless you have a very good reason. Instead, you should consider using a shared access signature token for providing controlled and time-limited access to blob containers.",
     "Resource Type": "microsoft.storage/storageaccounts/blobservices/containers",
     "Policy Help URL": "",