Merge pull request #53 from turbot/release/v0.12

Release/v0.12
turbot · Jan 10, 2024 · ab8e944 · ab8e944
2 parents d8c7ed2 + 857635c
commit ab8e944
Show file tree

Hide file tree

Showing 5 changed files with 97 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,11 @@
+## v0.12 [2024-01-10]
+
+_What's new?_
+
+- Added the following controls across the benchmarks: ([#51](https://github.com/turbot/steampipe-mod-terraform-azure-compliance/pull/51))
+  - `container_instance_container_group_secure_environment_variable`
+  - `container_registry_zone_redundant_enabled`
+
 ## v0.11 [2023-11-30]
 
 _What's new?_

diff --git a/controls/containerinstance.sp b/controls/containerinstance.sp
@@ -9,7 +9,8 @@ benchmark "containerinstance" {
   description = "This benchmark provides a set of controls that detect Terraform Azure Container Instance resources deviating from security best practices."
 
   children = [
-    control.container_instance_container_group_in_virtual_network
+    control.container_instance_container_group_in_virtual_network,
+    control.container_instance_container_group_secure_environment_variable
   ]
 
   tags = merge(local.containerinstance_compliance_common_tags, {
@@ -24,3 +25,11 @@ control "container_instance_container_group_in_virtual_network" {
 
   tags = local.containerinstance_compliance_common_tags
 }
+
+control "container_instance_container_group_secure_environment_variable" {
+  title       = "Container instance container groups should use secure environment variable"
+  description = "This control ensures that the container group uses secure environment variable."
+  query       = query.container_instance_container_group_secure_environment_variable
+
+  tags = local.containerinstance_compliance_common_tags
+}
diff --git a/controls/containerregistry.sp b/controls/containerregistry.sp
@@ -20,7 +20,8 @@ benchmark "containerregistry" {
     control.container_registry_restrict_public_access,
     control.container_registry_retention_policy_enabled,
     control.container_registry_trust_policy_enabled,
-    control.container_registry_use_virtual_service_endpoint
+    control.container_registry_use_virtual_service_endpoint,
+    control.container_registry_zone_redundant_enabled
   ]
 
   tags = merge(local.containerregistry_compliance_common_tags, {
@@ -143,3 +144,11 @@ control "container_registry_trust_policy_enabled" {
     other_checks = "true"
   })
 }
+
+control "container_registry_zone_redundant_enabled" {
+  title       = "Container registries should be zone redundant"
+  description = "This control ensures that Container registry is zone redundant."
+  query       = query.container_registry_zone_redundant_enabled
+
+  tags = local.containerregistry_compliance_common_tags
+}
diff --git a/query/containerinstance.sp b/query/containerinstance.sp
@@ -18,3 +18,35 @@ query "container_instance_container_group_in_virtual_network" {
       type = 'azurerm_container_group';
   EOQ
 }
+
+query "container_instance_container_group_secure_environment_variable" {
+  sql = <<-EOQ
+    with container_group_no_secure_environment as (
+      select
+        distinct name
+      from
+        terraform_resource,
+        jsonb_array_elements(attributes_std -> 'container') as c
+      where
+        type = 'azurerm_container_group'
+        and c -> 'environment_variables' is not null
+    )
+    select
+      address as resource,
+      case
+        when e.name is not null then 'alarm'
+        else 'ok'
+      end status,
+      split_part(address, '.', 2) || case
+        when e.name is not null then ' uses environment variables'
+        else ' does not use environment variables'
+      end || '.' reason
+      ${local.tag_dimensions_sql}
+      ${local.common_dimensions_sql}
+    from
+      terraform_resource as r
+      left join container_group_no_secure_environment as e on e.name = r.name
+    where
+      type = 'azurerm_container_group';
+  EOQ
+}
diff --git a/query/containerregistry.sp b/query/containerregistry.sp
@@ -267,3 +267,40 @@ query "container_registry_trust_policy_enabled" {
       type = 'azurerm_container_registry';
   EOQ
 }
+
+query "container_registry_zone_redundant_enabled" {
+  sql = <<-EOQ
+    with geo_replication_zone_redundant as (
+      select
+        distinct name
+      from
+        terraform_resource
+      where
+        type = 'azurerm_container_registry'
+        and
+          (not (attributes_std -> 'georeplications' -> 'zone_redundancy_enabled')::bool
+          or attributes_std -> 'georeplications' -> 'zone_redundancy_enabled' is null)
+    )
+    select
+      address as resource,
+      case
+        when (r.attributes_std -> 'georeplications') is null then 'alarm'
+        when not (attributes_std -> 'zone_redundancy_enabled')::boolean then 'alarm'
+        when g.name is not null then 'alarm'
+        else 'ok'
+      end status,
+      split_part(address, '.', 2) || case
+        when (r.attributes_std -> 'georeplications') is null then ' geo replication not defined'
+        when not (attributes_std -> 'zone_redundancy_enabled')::boolean then ' not zone redundant'
+        when g.name is not null then ' not zone redundant'
+        else ' zone redundant'
+      end || '.' reason
+      ${local.tag_dimensions_sql}
+      ${local.common_dimensions_sql}
+    from
+      terraform_resource as r
+      left join geo_replication_zone_redundant as g on g.name = r.name
+    where
+      type = 'azurerm_container_registry';
+  EOQ
+}