From 60bfc61fcc2e338a304bb2500d7977c8159f9835 Mon Sep 17 00:00:00 2001
From: hezijie
Date: Fri, 7 Feb 2025 16:31:39 +0800
Subject: [PATCH] add rule for postgresql_flexible_server_high_availability_mode_zone_redundant
---
 ...lexible_server_high_availability_mode.rego | 2 +-
 ...le_server_high_availability_mode.mock.json | 87 +++++++++++++++++++
 ...lexible_server_high_availability_mode.rego | 16 ++++
 readme.md | 4 +-
 4 files changed, 107 insertions(+), 2 deletions(-)
 create mode 100644 policy/Azure-Proactive-Resiliency-Library-v2/azurerm/postgres/azurerm_postgresql_flexible_server_high_availability_mode.mock.json
 create mode 100644 policy/Azure-Proactive-Resiliency-Library-v2/azurerm/postgres/azurerm_postgresql_flexible_server_high_availability_mode.rego
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/mysql/azurerm_mysql_flexible_server_high_availability_mode.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/mysql/azurerm_mysql_flexible_server_high_availability_mode.rego
index ed65f1b..e8fa1df 100644
--- a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/mysql/azurerm_mysql_flexible_server_high_availability_mode.rego
+++ b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/mysql/azurerm_mysql_flexible_server_high_availability_mode.rego
@@ -4,7 +4,7 @@ valid_high_availability_mode(resource) {
 resource.change.after.high_availability[_].mode == "ZoneRedundant"
 }
-deny_mysql_flexible_server_high_availability_zone_redundant[reason] {
+deny_mysql_flexible_server_high_availability_mode_zone_redundant[reason] {
 tfplan := data.utils.tfplan(input)
 resource := tfplan.resource_changes[_]
 resource.mode == "managed"
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/postgres/azurerm_postgresql_flexible_server_high_availability_mode.mock.json b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/postgres/azurerm_postgresql_flexible_server_high_availability_mode.mock.json
new file mode 100644
index 0000000..0a950b5
--- /dev/null
+++ b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/postgres/azurerm_postgresql_flexible_server_high_availability_mode.mock.json
@@ -0,0 +1,87 @@
+{
+ "mock": {
+ "default": {
+ "resource_changes": [
+ {
+ "address": "azurerm_postgresql_flexible_server.example",
+ "mode": "managed",
+ "type": "azurerm_postgresql_flexible_server",
+ "name": "example",
+ "provider_name": "registry.terraform.io/hashicorp/azurerm",
+ "change": {
+ "actions": [
+ "create"
+ ],
+ "after": {
+ "high_availability": [
+ {
+ "mode": "ZoneRedundant"
+ }
+ ]
+ }
+ }
+ }
+ ]
+ },
+ "invalid_same_zone": {
+ "resource_changes": [
+ {
+ "address": "azurerm_postgresql_flexible_server.example",
+ "mode": "managed",
+ "type": "azurerm_postgresql_flexible_server",
+ "name": "example",
+ "provider_name": "registry.terraform.io/hashicorp/azurerm",
+ "change": {
+ "actions": [
+ "create"
+ ],
+ "after": {
+ "high_availability": [
+ {
+ "mode": "SameZone"
+ }
+ ]
+ }
+ }
+ }
+ ]
+ },
+ "invalid_empty_availability": {
+ "resource_changes": [
+ {
+ "address": "azurerm_postgresql_flexible_server.example",
+ "mode": "managed",
+ "type": "azurerm_postgresql_flexible_server",
+ "name": "example",
+ "provider_name": "registry.terraform.io/hashicorp/azurerm",
+ "change": {
+ "actions": [
+ "create"
+ ],
+ "after": {
+ "high_availability": [
+ ]
+ }
+ }
+ }
+ ]
+ },
+ "invalid_no_high_availability": {
+ "resource_changes": [
+ {
+ "address": "azurerm_postgresql_flexible_server.example",
+ "mode": "managed",
+ "type": "azurerm_postgresql_flexible_server",
+ "name": "example",
+ "provider_name": "registry.terraform.io/hashicorp/azurerm",
+ "change": {
+ "actions": [
+ "create"
+ ],
+ "after": {}
+ }
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
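Review bot: Every case in this mock uses `"actions": ["create"]`, so the `data.utils.is_create_or_update` gate in the new rule is never exercised in either direction: nothing shows that an `update` of a `SameZone` server is denied, and nothing shows that a `delete` (where Terraform emits `"after": null`) or a `no-op` is left alone. An `update` variant of `invalid_same_zone` plus a non-`invalid_` case with `"actions": ["delete"]` and `"after": null` would pin the action filter, assuming the harness treats keys without the `invalid_` prefix as must-pass, which is not visible here. The file is also committed without a trailing newline.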
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/postgres/azurerm_postgresql_flexible_server_high_availability_mode.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/postgres/azurerm_postgresql_flexible_server_high_availability_mode.rego
new file mode 100644
index 0000000..717fdeb
--- /dev/null
+++ b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/postgres/azurerm_postgresql_flexible_server_high_availability_mode.rego
@@ -0,0 +1,16 @@
+package Azure_Proactive_Resiliency_Library_v2.azurerm_postgresql_flexible_server
+
+valid_high_availability_mode(resource) {
+ resource.change.after.high_availability[_].mode == "ZoneRedundant"
+}
+
+deny_postgresql_flexible_server_high_availability_mode_zone_redundant[reason] {
+ tfplan := data.utils.tfplan(input)
+ resource := tfplan.resource_changes[_]
+ resource.mode == "managed"
+ resource.type == "azurerm_postgresql_flexible_server"
+ data.utils.is_create_or_update(resource.change.actions)
+ not valid_high_availability_mode(resource)
+
+ reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azurerm_postgresql_flexible_server` must have 'high_availability.mode' set to 'ZoneRedundant': https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/DBforPostgreSQL/flexibleServers/#enable-ha-with-zone-redundancy", [resource.address])
+}
\ No newline at end of file
diff --git a/readme.md b/readme.md
index bf84472..dfe9c20 100644
--- a/readme.md
+++ b/readme.md
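Review bot: `valid_high_availability_mode` reads only `change.after`, so a plan in which `high_availability` is computed at apply time (Terraform then lists it under `change.after_unknown` rather than `change.after`) is denied exactly as if HA were disabled; unless `data.utils` already handles unknowns (not visible here), decide whether that fail-closed behaviour is intended and either document it or add a guard such as `not resource.change.after_unknown.high_availability` ahead of `not valid_high_availability_mode(resource)`, with a matching mock case either way. The rule carries no comment saying what it enforces or why; a line like `# APRL: PostgreSQL flexible servers must run zone-redundant HA (high_availability.mode == "ZoneRedundant").` above the deny rule would make the intent self-contained without reading the sprintf string. The body is otherwise a copy of the MySQL rule differing only in the type and message, which is fine but worth keeping in lockstep if the helper is ever changed. The file is also added without a trailing newline.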
@@ -25,8 +25,10 @@ conftest test --all-namespaces -p /policy
 [`use_nat_gateway_instead_of_outbound_rules_for_production_load_lalancer`](https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Network/loadBalancers/#use-nat-gateway-instead-of-outbound-rules-for-production-workloads)
 [`use_resilient_load_lalancer_sku`](https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Network/loadBalancers/#use-standard-load-balancer-sku)
 #### `Microsoft.DBforMySQL/flexibleServers`
-[`mysql_flexible_server_high_availability_zone_redundant`](https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/DBforMySQL/flexibleServers/#enable-ha-with-zone-redundancy)
+[`mysql_flexible_server_high_availability_mode_zone_redundant`](https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/DBforMySQL/flexibleServers/#enable-ha-with-zone-redundancy)
 [`mysql_flexible_server_geo_redundant_backup_enabled`](https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/DBforMySQL/flexibleServers/#configure-geo-redundant-backup-storage)
+#### `Microsoft.DBforPostgreSQL/flexibleServers`
+[`postgresql_flexible_server_high_availability_mode_zone_redundant`](https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/DBforPostgreSQL/flexibleServers/#enable-ha-with-zone-redundancy)
 ## Apply(skip) policies