##########################################
############ Add Ruleset ################
##########################################
resource "dome9_ruleset" "dome9_azure_ruleset" {
  # Only instantiated when the Azure integration is switched on for this deployment.
  count = var.use_azure ? 1 : 0

  cloud_vendor       = "azure"
  language           = "en"
  name               = "${var.organization} - ${var.contract_name} - Azure Ruleset"
  description        = "Built and maintained with Terraform"
  is_template        = false
  hide_in_compliance = false

  # Rule: storage accounts tagged data-classification=secret must have encryption enabled.
  # NOTE(review): the GSL below evaluates only the encryption.services entry named 'file';
  # no other service entry is inspected by this rule — confirm that scope matches the
  # "encryption at rest" wording of the rule description.
  rules {
    name        = "Storage Buckets with data classification 'secret' must always be encrypted"
    severity    = "Low"
    logic       = "StorageAccount where tags contain [ key='data-classification' and value='secret' ] should have encryption.services with [ name='file' and enabled=true ]"
    description = "Ensure that Storage Accounts with data classification 'secret' have server side encryption at rest enabled to protect sensitive data."
  }
}
##########################################
######### Add Compliance Policy ##########
##########################################
resource "dome9_continuous_compliance_policy" "dome9_azure_compliance_policy" {
  # Same count expression as the ruleset, so the policy exists only when Azure is in use.
  count = var.use_azure ? 1 : 0

  target_type = "Azure"
  target_id   = var.azure_target_id

  # Bind to the ruleset instance with the matching index; both resources share one count.
  ruleset_id = dome9_ruleset.dome9_azure_ruleset[count.index].id

  # The mail notification resource is not defined in this file; it must exist elsewhere
  # in the same configuration for this reference to resolve.
  notification_ids = [dome9_continuous_compliance_notification.dome9_compliance_mail_notification.id]
}