Terraform missing rules compared to ARM and vice versa

azure/iac/KeyVault.rego

@@ -13,6 +13,7 @@ azure_attribute_absence["KeyVault"] {
     not accessPolicy.permissions.keys
     not accessPolicy.permissions.secrets
     not accessPolicy.permissions.certificates
+    not accessPolicy.permissions.storage
 }
 
 
@@ -23,6 +24,7 @@ azure_issue["KeyVault"] {
     count(accessPolicy.permissions.keys) == 0
     count(accessPolicy.permissions.secrets) == 0
     count(accessPolicy.permissions.certificates) == 0
+    count(accessPolicy.permissions.storage) == 0
 }
 
 KeyVault {
@@ -39,15 +41,10 @@ KeyVault = false {
     azure_attribute_absence["KeyVault"]
 }
 
-KeyVault_err = "Ensure at least one principal has access to Keyvault" {
-    azure_issue["KeyVault"]
-}
-
-# Rezoan: This rule is not being used. We should merge this rule with KeyVault_err in a OR logic. Farshid to confirm. 
-# Consider this comment for each every rule that is similar to this one.
-# if we merge, the message should be same for both. Otherwise message should be different based on purpose.
-KeyVault_miss_err = "Ensure at least one principal has access to Keyvault" {
+KeyVault_err = "accessPolicy property 'permissions.keys' or 'permissions.secrets' or 'permissions.certificates' or 'permissions.storage' is missing from the microsoft.keyvault/vaults resource." {
     azure_attribute_absence["KeyVault"]
+} else = "Currently no principal has access to Keyvault" {
+    azure_issue["KeyVault"]
 }
 
 KeyVault_metadata := {
@@ -89,23 +86,15 @@ enableSoftDelete = false {
     azure_issue["enableSoftDelete"]
 }
 
-enableSoftDelete = false {
+enableSoftDelete {
     azure_attribute_absence["enableSoftDelete"]
+    not azure_issue["enableSoftDelete"]
 }
 
-
 enableSoftDelete_err = "'Soft Delete' setting is currently not enabled for Key Vault" {
     azure_issue["enableSoftDelete"]
 }
 
-# Rezoan: This rule is not being used. We should merge this rule with enableSoftDelete_err in a OR logic. Farshid to confirm. 
-# Consider this comment for each every rule that is similar to this one.
-# if we merge, the message should be same for both. Otherwise message should be different based on purpose.
-enableSoftDelete_miss_err = "'Soft Delete' setting is currently not enabled for Key Vault" {
-    azure_attribute_absence["enableSoftDelete"]
-}
-
-
 enableSoftDelete_metadata := {
     "Policy Code": "PR-AZR-0108-ARM",
     "Type": "IaC",
@@ -120,7 +109,6 @@ enableSoftDelete_metadata := {
 
 
 
-
 # PR-AZR-0109-ARM
 
 default enablePurgeProtection = null
@@ -131,14 +119,12 @@ azure_attribute_absence ["enablePurgeProtection"] {
     not resource.properties.enablePurgeProtection
 }
 
-
 azure_issue ["enablePurgeProtection"] {
     resource := input.resources[_]
     lower(resource.type) == "microsoft.keyvault/vaults"
     resource.properties.enablePurgeProtection != true
 }
 
-
 enablePurgeProtection {
     lower(input.resources[_].type) == "microsoft.keyvault/vaults"
     not azure_attribute_absence["enablePurgeProtection"]
@@ -153,19 +139,12 @@ enablePurgeProtection = false {
     azure_attribute_absence["enablePurgeProtection"]
 }
 
-
-enablePurgeProtection_err = "Purge protection is currently not enabled on Key vault" {
-    azure_issue["enableSoftDelete"]
-}
-
-# Rezoan: This rule is not being used. We should merge this rule with enablePurgeProtection_err in a OR logic. Farshid to confirm. 
-# Consider this comment for each every rules that is similar to this one.
-# if we merge, the message should be same for both. Otherwise message should be different based on purpose.
-enablePurgeProtection_miss_err = "Purge protection is currently not enabled on Key vault" {
+enablePurgeProtection_err = "microsoft.keyvault/vaults resoruce property enablePurgeProtection is missing" {
     azure_attribute_absence["enableSoftDelete"]
+} else = "Purge protection is currently not enabled on Key vault" {
+    azure_issue["enableSoftDelete"]
 }
 
-
 enablePurgeProtection_metadata := {
     "Policy Code": "PR-AZR-0109-ARM",
     "Type": "IaC",

azure/iac/Redis.rego

@@ -5,7 +5,7 @@ package rule
 # PR-AZR-0131-ARM
 
 default enableSslPort = null
-
+# default is false
 azure_attribute_absence ["enableSslPort"] {
     resource := input.resources[_]
     lower(resource.type) == "microsoft.cache/redis"
@@ -22,13 +22,11 @@ enableSslPort {
     azure_attribute_absence["enableSslPort"]
 }
 
-
 enableSslPort {
     lower(input.resources[_].type) == "microsoft.cache/redis"
     not azure_issue["servenableSslPorterRole"]
 }
 
-
 enableSslPort = false {
     azure_issue["enableSslPort"]
 }
@@ -37,7 +35,6 @@ enableSslPort_err = "Redis cache is currently allowing unsecure connection via a
     azure_issue["enableSslPort"]
 }
 
-
 enableSslPort_metadata := {
     "Policy Code": "PR-AZR-0131-ARM",
     "Type": "IaC",
@@ -52,14 +49,12 @@ enableSslPort_metadata := {
 
 
 
-
 # https://docs.microsoft.com/en-us/azure/templates/microsoft.cache/redis/linkedservers
 
 # PR-AZR-0132-ARM
 
 default serverRole = null
 
-
 azure_attribute_absence ["serverRole"] {
     resource := input.resources[_]
     lower(resource.type) == "microsoft.cache/redis/linkedservers"
@@ -72,34 +67,28 @@ azure_issue ["serverRole"] {
     lower(resource.properties.serverRole) != "secondary"
 }
 
-
 serverRole {
     lower(input.resources[_].type) == "microsoft.cache/redis/linkedservers"
     not azure_attribute_absence["serverRole"]
     not azure_issue["serverRole"]
 }
 
-
 serverRole = false {
     azure_attribute_absence["serverRole"]
 }
 
-
 serverRole = false {
     azure_issue["serverRole"]
 }
 
-
 serverRole_miss_err = "Azure Redis Cache linked server property 'serverRole' is missing from the resource" {
     azure_attribute_absence["serverRole"]
 }
 
-
 serverRole_err = "Azure Redis Cache linked backup server currently does not have secondary role." {
     azure_issue["serverRole"]
 }
 
-
 serverRole_metadata := {
     "Policy Code": "PR-AZR-0132-ARM",
     "Type": "IaC",

azure/iac/activitylogalerts.rego

@@ -7,7 +7,8 @@ package rule
 #
 
 default alerts = null
-
+# https://docs.microsoft.com/en-us/powershell/module/az.monitor/set-azactivitylogalert?view=azps-6.3.0
+# by default alert get enabled if not exist.
 azure_attribute_absence["alerts"] {
     resource := input.resources[_]
     lower(resource.type) == "microsoft.insights/activitylogalerts"
@@ -21,27 +22,24 @@ azure_issue["alerts"] {
 }
 
 alerts {
-    lower(input.resources[_].type) == "microsoft.insights/activitylogalerts"
+    azure_attribute_absence["alerts"]
     not azure_issue["alerts"]
-    not azure_attribute_absence["alerts"]
 }
 
-alerts = false {
-    azure_issue["alerts"]
+alerts {
+    lower(input.resources[_].type) == "microsoft.insights/activitylogalerts"
+    not azure_attribute_absence["alerts"]
+    not azure_issue["alerts"]
 }
 
 alerts = false {
-    azure_attribute_absence["alerts"]
+    azure_issue["alerts"]
 }
 
 alerts_err = "Activity log alerts is not enabled" {
     azure_issue["alerts"]
 }
 
-alerts_miss_err = "enabled attribute of Activity log alerts is missing" {
-    azure_attribute_absence["alerts"]
-}
-
 alerts_metadata := {
     "Policy Code": "PR-AZR-0090-ARM",
     "Type": "IaC",

azure/iac/applicationgateways.rego

@@ -141,15 +141,12 @@ protocol = false {
     azure_attribute_absence["protocol"]
 }
 
-protocol_err = "Ensure Application Gateway is using Https protocol" {
-    azure_issue["protocol"]
-}
-
-protocol_miss_err = "Ensure Application Gateway is using Https protocol" {
+protocol_err = "'httpListeners' property 'protocol' is missing from 'microsoft.network/applicationgateways' resource" {
     azure_attribute_absence["protocol"]
+} else = "Application Gateway is currently not using Https protocol" {
+    azure_issue["protocol"]
 }
 
-
 protocol_metadata := {
     "Policy Code": "PR-AZR-0125-ARM",
     "Type": "IaC",

azure/iac/blobservices.rego

@@ -5,7 +5,9 @@ package rule
 #
 # PR-AZR-0126-ARM
 #
-
+# SideNote for Reference: This cannot be done via Terraform. terraform can only change retention days.
+# See the note section at https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#container_delete_retention_policy
+# Note is applicable for delete_retention_policy as well.
 default storage_blob_soft_delete = null
 
 azure_issue["storage_blob_soft_delete"] {
@@ -49,7 +51,8 @@ storage_blob_soft_delete_metadata := {
 #
 # PR-AZR-0127-ARM
 #
-
+# SideNote for Reference: This cannot be done via Terraform. terraform can only change retention days.
+# See the note section at https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#container_delete_retention_policy
 default storage_blob_container_soft_delete = null
 
 azure_issue["storage_blob_container_soft_delete"] {

azure/iac/dbadministrators.rego

@@ -59,7 +59,7 @@ sql_server_ad_admin_metadata := {
 #
 # PR-AZR-0086-ARM
 #
-
+# SQL Managed Instance is not available for Terraform yet. see: https://github.com/hashicorp/terraform-provider-azurerm/issues/1747
 default sql_managedinstances_ad_admin = null
 
 azure_attribute_absence["sql_managedinstances_ad_admin"] {

azure/iac/dbdataencryption.rego

@@ -5,7 +5,9 @@ package rule
 #
 # PR-AZR-0084-ARM
 #
-
+# This encryption is by default enabled for sql database. Thats why its not available in Terraform.
+# See https://github.com/hashicorp/terraform-provider-azurerm/issues/7187
+# ToDo: We need to make sure its enabled for MSSQL Server
 default db_encrypt = null
 
 azure_attribute_absence["db_encrypt"] {

azure/iac/dbsecurityalertpolicies.rego

@@ -224,4 +224,54 @@ dbsec_threat_alert_metadata := {
     "Resource Help URL": "https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2018-06-01-preview/servers/databases/securityalertpolicies"
 }
 
+#
+# PR-AZR-0097-ARM
+#
+
+default sql_alert = null
+
+azure_issue["sql_alert"] {
+    resource := input.resources[_]
+    lower(resource.type) == "microsoft.sql/servers/databases/securityalertpolicies"
+    not resource.properties.emailAccountAdmins
+}
+
+azure_issue["sql_alert"] {
+    resource := input.resources[_]
+    lower(resource.type) == "microsoft.sql/servers/databases/securityalertpolicies"
+    resource.properties.emailAccountAdmins != true
+}
+
+sql_alert = false {
+    azure_attribute_absence["sql_alert"]
+}
+
+sql_alert {
+    lower(input.resources[_].type) == "microsoft.sql/servers/databases/securityalertpolicies"
+    not azure_attribute_absence["sql_alert"]
+    not azure_issue["sql_alert"]
+}
+
+sql_alert = false {
+    azure_issue["sql_alert"]
+}
+
+sql_alert_err = "microsoft.sql/servers/databases/securityalertpolicies property 'emailAccountAdmins' need to be exist. Its missing from the resource." {
+    azure_attribute_absence["sql_alert"]
+} else = "Threat Detection alert currently is not configured to sent notification to the sql server account administrators" {
+    azure_issue["sql_alert"]
+}
+
+sql_alert_metadata := {
+    "Policy Code": "PR-AZR-0097-ARM",
+    "Type": "IaC",
+    "Product": "AZR",
+    "Language": "ARM template",
+    "Policy Title": "Threat Detection alert should be configured to sent notification to the sql server account administrators",
+    "Policy Description": "Ensure that threat detection alert is configured to sent notification to the sql server account administrators",
+    "Resource Type": "microsoft.sql/servers/databases/securityalertpolicies",
+    "Policy Help URL": "",
+    "Resource Help URL": "https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2018-06-01-preview/servers/databases/securityalertpolicies"
+}
+
 

azure/iac/disks.rego

@@ -16,7 +16,7 @@ default disk_encrypt = null
 #    resource.properties.encryptionSettingsCollection.enabled == true
 #}
 
-azure_issue["disk_encrypt"] {
+azure_attribute_absence["disk_encrypt"] {
     resource := input.resources[_]
     lower(resource.type) == "microsoft.compute/disks"
     #resource.properties.osType
@@ -30,28 +30,26 @@ azure_issue["disk_encrypt"] {
     resource.properties.encryptionSettingsCollection.enabled != true
 }
 
+disk_encrypt = false {
+    azure_attribute_absence["disk_encrypt"]
+}
+
 disk_encrypt {
     lower(input.resources[_].type) == "microsoft.compute/disks"
-    #not azure_attribute_absence["disk_encrypt"]
+    not azure_attribute_absence["disk_encrypt"]
     not azure_issue["disk_encrypt"]
 }
 
 disk_encrypt = false {
     azure_issue["disk_encrypt"]
 }
 
-#disk_encrypt = false {
-#    azure_attribute_absence["disk_encrypt"]
-#}
-
-disk_encrypt_err = "Azure disk currently does not have Azure Disk Encryption (ADE) enabled" {
+disk_encrypt_err = "microsoft.compute/disks resoruce property encryptionSettingsCollection.enabled is missing" {
+    azure_attribute_absence["disk_encrypt"]
+} else = "Azure disk currently does not have Azure Disk Encryption (ADE) enabled" {
     azure_issue["disk_encrypt"]
 }
 
-#disk_encrypt_miss_err = "Disk encryption attribute encryptionSettingsCollection is missing from the resource" {
-#    azure_attribute_absence["disk_encrypt"]
-#}
-
 disk_encrypt_metadata := {
     "Policy Code": "PR-AZR-0068-ARM",
     "Type": "IaC",