query "monitor_log_profile_enabled_for_all_regions" {
sql = <<-EOQ
select
address as resource,
case
when (attributes_std -> 'locations') @> '["global", "australiacentral", "australiacentral2", "australiaeast", "australiasoutheast", "brazilsouth", "brazilsoutheast", "canadacentral", "canadaeast", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "francesouth","germanynorth", "germanywestcentral", "japaneast", "japanwest", "jioindiawest", "koreacentral", "koreasouth", "northcentralus", "northeurope",
"norwayeast", "norwaywest", "southafricanorth", "southafricawest", "southcentralus", "southeastasia", "southindia", "switzerlandnorth", "switzerlandwest", "uaecentral", "uaenorth", "uksouth", "ukwest", "westcentralus", "westeurope", "westindia", "westus", "westus2", "westus3"]' then 'ok'
else 'alarm'
end status,
split_part(address, '.', 2) || case
when (attributes_std -> 'locations') @> '["global", "australiacentral", "australiacentral2", "australiaeast", "australiasoutheast", "brazilsouth", "brazilsoutheast", "canadacentral", "canadaeast", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "francesouth","germanynorth", "germanywestcentral", "japaneast", "japanwest", "jioindiawest", "koreacentral", "koreasouth", "northcentralus", "northeurope",
"norwayeast", "norwaywest", "southafricanorth", "southafricawest", "southcentralus", "southeastasia", "southindia", "switzerlandnorth", "switzerlandwest", "uaecentral", "uaenorth", "uksouth", "ukwest", "westcentralus", "westeurope", "westindia", "westus", "westus2", "westus3"]' then ' collect activity logs from all regions'
else ' not collect activity logs from all regions'
end || '.' reason
${local.common_dimensions_sql}
from
terraform_resource
where
type = 'azurerm_monitor_log_profile';
EOQ
}
query "monitor_logs_storage_container_not_public_accessible" {
sql = <<-EOQ
select
address as resource,
case
when (attributes_std -> 'container_access_type') is null then 'ok'
when (attributes_std ->> 'container_access_type') ilike 'Private' then 'ok'
else 'alarm'
end status,
split_part(address, '.', 2) || case
when (attributes_std -> 'container_access_type') is null then ' container insights-operational-logs storing activity logs not publicly accessible'
when (attributes_std ->> 'container_access_type') ilike 'Private' then ' container insights-operational-logs storing activity logs not publicly accessible'
else ' container insights-operational-logs storing activity logs publicly accessible'
end || '.' reason
${local.tag_dimensions_sql}
${local.common_dimensions_sql}
from
terraform_resource
where
type = 'azurerm_storage_container'
and (attributes_std ->> 'name') ilike 'insights-operational-logs';
EOQ
}
query "monitor_log_profile_enabled_for_all_categories" {
sql = <<-EOQ
select
address as resource,
case
when (attributes_std -> 'categories') @> '["Write", "Action", "Delete"]' then 'ok'
else 'alarm'
end status,
split_part(address, '.', 2) || case
when (attributes_std -> 'categories') @> '["Write", "Action", "Delete"]' then ' collects logs for categories write, delete and action'
else ' does not collects logs for all categories.'
end || '.' reason
${local.common_dimensions_sql}
from
terraform_resource
where
type = 'azurerm_monitor_log_profile';
EOQ
}
query "monitor_log_profile_retention_365_days" {
sql = <<-EOQ
select
address as resource,
case
when (attributes_std -> 'retention_policy' ->> 'enabled')::boolean and (attributes_std -> 'retention_policy' ->> 'days')::int < 365 then 'alarm'
when (attributes_std -> 'retention_policy' ->> 'enabled')::boolean and (attributes_std -> 'retention_policy' ->> 'days')::int >= 365 then 'ok'
else 'alarm'
end as status,
case
when (attributes_std -> 'retention_policy' ->> 'enabled')::boolean and (attributes_std -> 'retention_policy' ->> 'days')::int < 365 then ' retention policy enabled but set to ' || (attributes_std -> 'retention_policy' ->> 'days') || ' days'
when (attributes_std -> 'retention_policy' ->> 'enabled')::boolean and (attributes_std -> 'retention_policy' ->> 'days')::int >= 365 then ' retention policy enabled and set to ' || (attributes_std -> 'retention_policy' ->> 'days') || ' days.'
else ' retention policy disabled'
end || '.' reason
${local.common_dimensions_sql}
from
terraform_resource
where
type = 'azurerm_monitor_log_profile';
EOQ
}