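query "cosmosdb_use_virtual_service_endpoint" {
  # Reports 'ok' only when the account's virtual_network_rule carries an id;
  # a missing rule, or a rule without an id, is 'alarm'.
  # NOTE(review): if the scanner stores repeated virtual_network_rule blocks
  # as a JSON array, `-> 'virtual_network_rule' ->> 'id'` yields null and such
  # accounts land in the 'alarm' branch — confirm the attribute shape.
  sql = <<-EOQ
    select
      address as resource,
      case
        when (attributes_std ->> 'virtual_network_rule') is null then 'alarm'
        when (attributes_std -> 'virtual_network_rule' ->> 'id') is not null then 'ok'
        else 'alarm'
      end status,
      split_part(address, '.', 2) || case
        when (attributes_std ->> 'virtual_network_rule') is null then ' ''virtual_network_rule'' not defined'
        -- reason text must match the 'ok' branch above; the earlier string had a typo ("endpointle")
        when (attributes_std -> 'virtual_network_rule' ->> 'id') is not null then ' configured with virtual network service endpoint'
        else ' not configured with virtual network service endpoint'
      end || '.' reason
      ${local.tag_dimensions_sql}
      ${local.common_dimensions_sql}
    from
      terraform_resource
    where
      type = 'azurerm_cosmosdb_account';
  EOQ
}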
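query "cosmosdb_account_with_firewall_rules" {
  # Alarms when public network access is on and neither the virtual network
  # filter nor an ip_range_filter narrows it.
  # An unset public_network_access_enabled is treated as enabled, matching
  # the null handling in cosmodb_account_public_network_access_disabled;
  # an unset is_virtual_network_filter_enabled is treated as disabled, as in
  # cosmodb_account_restrict_public_access. Previously both null cases fell
  # through to 'ok' because the boolean comparisons evaluated to null.
  sql = <<-EOQ
    select
      address as resource,
      case
        when coalesce((attributes_std ->> 'public_network_access_enabled')::boolean, true)
          and not coalesce((attributes_std ->> 'is_virtual_network_filter_enabled')::boolean, false)
          and (attributes_std ->> 'ip_range_filter') is null then 'alarm'
        else 'ok'
      end status,
      split_part(address, '.', 2) || case
        when coalesce((attributes_std ->> 'public_network_access_enabled')::boolean, true)
          and not coalesce((attributes_std ->> 'is_virtual_network_filter_enabled')::boolean, false)
          and (attributes_std ->> 'ip_range_filter') is null then ' not have firewall rules'
        else ' have firewall rules'
      end || '.' reason
      ${local.tag_dimensions_sql}
      ${local.common_dimensions_sql}
    from
      terraform_resource
    where
      type = 'azurerm_cosmosdb_account';
  EOQ
}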
query "cosmosdb_account_encryption_at_rest_using_cmk" {
  # 'ok' when key_vault_key_id is set on the account, otherwise 'alarm'.
  sql = <<-EOQ
    select
      address as resource,
      case
        when (attributes_std ->> 'key_vault_key_id') is null then 'alarm'
        else 'ok'
      end status,
      split_part(address, '.', 2) || case
        when (attributes_std ->> 'key_vault_key_id') is null then ' not encrypted at rest using CMK'
        else ' encrypted at rest using CMK'
      end || '.' reason
      ${local.tag_dimensions_sql}
      ${local.common_dimensions_sql}
    from
      terraform_resource
    where
      type = 'azurerm_cosmosdb_account';
  EOQ
}
query "cosmodb_account_access_key_metadata_writes_disabled" {
  # 'ok' only when access_key_metadata_writes_enabled is explicitly false;
  # a missing attribute is reported exactly like an explicit true.
  sql = <<-EOQ
    select
      address as resource,
      case
        when coalesce((attributes_std ->> 'access_key_metadata_writes_enabled')::boolean, true) then 'alarm'
        else 'ok'
      end status,
      split_part(address, '.', 2) || case
        when coalesce((attributes_std ->> 'access_key_metadata_writes_enabled')::boolean, true) then ' access key metadata writes enabled'
        else ' access key metadata writes disabled'
      end || '.' reason
      ${local.tag_dimensions_sql}
      ${local.common_dimensions_sql}
    from
      terraform_resource
    where
      type = 'azurerm_cosmosdb_account';
  EOQ
}
query "cosmodb_account_public_network_access_disabled" {
  # 'ok' only when public_network_access_enabled is explicitly false;
  # a missing attribute is reported exactly like an explicit true.
  sql = <<-EOQ
    select
      address as resource,
      case
        when coalesce((attributes_std ->> 'public_network_access_enabled')::boolean, true) then 'alarm'
        else 'ok'
      end status,
      split_part(address, '.', 2) || case
        when coalesce((attributes_std ->> 'public_network_access_enabled')::boolean, true) then ' public network access enabled'
        else ' public network access disabled'
      end || '.' reason
      ${local.tag_dimensions_sql}
      ${local.common_dimensions_sql}
    from
      terraform_resource
    where
      type = 'azurerm_cosmosdb_account';
  EOQ
}
query "cosmodb_account_local_authentication_disabled" {
  # Only GlobalDocumentDB accounts are evaluated; other kinds are 'skip'.
  # A missing kind is treated as GlobalDocumentDB. 'ok' requires an explicit
  # local_authentication_disabled = true; a missing value is 'alarm'.
  sql = <<-EOQ
    select
      address as resource,
      case
        when coalesce(attributes_std ->> 'kind', 'GlobalDocumentDB') <> 'GlobalDocumentDB' then 'skip'
        when coalesce((attributes_std ->> 'local_authentication_disabled')::boolean, false) then 'ok'
        else 'alarm'
      end status,
      split_part(address, '.', 2) || case
        when coalesce(attributes_std ->> 'kind', 'GlobalDocumentDB') <> 'GlobalDocumentDB' then ' not GlobalDocumentDB'
        when coalesce((attributes_std ->> 'local_authentication_disabled')::boolean, false) then ' local authentication disabled'
        else ' local authentication enabled'
      end || '.' reason
      ${local.tag_dimensions_sql}
      ${local.common_dimensions_sql}
    from
      terraform_resource
    where
      type = 'azurerm_cosmosdb_account';
  EOQ
}
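query "cosmodb_account_restrict_public_access" {
  # 'ok' when public network access is explicitly off, or when it is on but
  # the virtual network filter is enabled and a virtual_network_rule or
  # ip_range_filter is present; anything else is 'alarm'.
  # NOTE(review): the second branch requires is_virtual_network_filter_enabled
  # even when only ip_range_filter is set — confirm that is intended.
  sql = <<-EOQ
    select
      address as resource,
      case
        when (attributes_std ->> 'public_network_access_enabled') = 'false' then 'ok'
        when (attributes_std ->> 'public_network_access_enabled')::boolean
          and (attributes_std ->> 'is_virtual_network_filter_enabled')::boolean
          and ((attributes_std ->> 'virtual_network_rule') is not null or (attributes_std ->> 'ip_range_filter') is not null) then 'ok'
        else 'alarm'
      end status,
      split_part(address, '.', 2) || case
        -- this branch used to emit the literal 'ok', producing reasons like "<name>ok."
        when (attributes_std ->> 'public_network_access_enabled') = 'false' then ' with restricted access'
        when (attributes_std ->> 'public_network_access_enabled')::boolean
          and (attributes_std ->> 'is_virtual_network_filter_enabled')::boolean
          and ((attributes_std ->> 'virtual_network_rule') is not null or (attributes_std ->> 'ip_range_filter') is not null) then ' with restricted access'
        else ' without restricted access'
      end || '.' reason
      ${local.tag_dimensions_sql}
      ${local.common_dimensions_sql}
    from
      terraform_resource
    where
      type = 'azurerm_cosmosdb_account';
  EOQ
}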