From 6f73c017c5a78ee4aeb24c75662cca3af4dac233 Mon Sep 17 00:00:00 2001
From: hezijie
Date: Thu, 13 Feb 2025 15:42:15 +0800
Subject: [PATCH] add rule for azurerm_managed_disk
---
...microsoft_compute_disks_sku_name.mock.json | 76 +++++++++++++++++++
.../microsoft_compute_disks_sku_name.rego | 19 +++++
...osDisk_managedDisk_storageAccountType.rego | 6 +-
..._machine_os_disk_storage_account_type.rego | 6 +-
...anaged_disk_storage_account_type.mock.json | 61 +++++++++++++++
...erm_managed_disk_storage_account_type.rego | 18 +++++
..._machine_os_disk_storage_account_type.rego | 6 +-
7 files changed, 183 insertions(+), 9 deletions(-)
create mode 100644 policy/Azure-Proactive-Resiliency-Library-v2/azapi/compute/microsoft_compute_disks_sku_name.mock.json
create mode 100644 policy/Azure-Proactive-Resiliency-Library-v2/azapi/compute/microsoft_compute_disks_sku_name.rego
create mode 100644 policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_managed_disk_storage_account_type.mock.json
create mode 100644 policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_managed_disk_storage_account_type.rego
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/compute/microsoft_compute_disks_sku_name.mock.json b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/compute/microsoft_compute_disks_sku_name.mock.json
new file mode 100644
index 0000000..19d03fa
--- /dev/null
+++ b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/compute/microsoft_compute_disks_sku_name.mock.json
@@ -0,0 +1,76 @@
+{
+ "mock": {
+ "invalid_Standard_LRS": {
+ "resource_changes": [
+ {
+ "address": "azapi_resource.res",
+ "mode": "managed",
+ "type": "azapi_resource",
+ "name": "res",
+ "provider_name": "registry.terraform.io/azure/azapi",
+ "change": {
+ "actions": [
+ "create"
+ ],
+ "after": {
+ "body": {
+ "sku": {
+ "name": "Standard_LRS"
+ }
+ },
+ "type": "Microsoft.Compute/disks@2024-03-02"
+ }
+ }
+ }
+ ]
+ },
+ "premium_lrs": {
+ "resource_changes": [
+ {
+ "address": "azapi_resource.res",
+ "mode": "managed",
+ "type": "azapi_resource",
+ "name": "res",
+ "provider_name": "registry.terraform.io/azure/azapi",
+ "change": {
+ "actions": [
+ "create"
+ ],
+ "after": {
+ "body": {
+ "sku": {
+ "name": "Premium_LRS"
+ }
+ },
+ "type": "Microsoft.Compute/disks@2024-03-02"
+ }
+ }
+ }
+ ]
+ },
+ "ultrassd_lrs": {
+ "resource_changes": [
+ {
+ "address": "azapi_resource.res",
+ "mode": "managed",
+ "type": "azapi_resource",
+ "name": "res",
+ "provider_name": "registry.terraform.io/azure/azapi",
+ "change": {
+ "actions": [
+ "create"
+ ],
+ "after": {
+ "body": {
+ "sku": {
+ "name": "UltraSSD_LRS"
+ }
+ },
+ "type": "Microsoft.Compute/disks@2024-03-02"
+ }
+ }
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/compute/microsoft_compute_disks_sku_name.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/compute/microsoft_compute_disks_sku_name.rego
new file mode 100644
index 0000000..9d91dab
--- /dev/null
+++ b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/compute/microsoft_compute_disks_sku_name.rego
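Review bot: The three mocks only exercise the case where `body.sku.name` is present; nothing pins how the new rule behaves when `sku` (or `sku.name`) is missing from `body`, which is the path where `startswith` is undefined and the deny fires by fall-through rather than by an explicit comparison. Add an `invalid_missing_sku` entry with the same `type` and an `after.body` of `{}` so that fail-closed behaviour is asserted, and consider `premium_zrs` (`Premium_ZRS`) and `premium_v2_lrs` (`PremiumV2_LRS`) entries so the prefix match is documented as intentional rather than accidental. The `invalid_` naming of mock keys is presumably what the test harness uses to mark expected denies — confirm against the existing mocks in this directory before relying on it.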
@@ -0,0 +1,19 @@
+package Azure_Proactive_Resiliency_Library_v2.mission_critical_virtual_machine_should_use_premium_or_ultra_disks
+
+import rego.v1
+
+valid_azapi_disk_sku_name(resource) if {
+ startswith(resource.values.body.sku.name, "Premium")
+}
+
+valid_azapi_disk_sku_name(resource) if {
+ startswith(resource.values.body.sku.name, "Ultra")
+}
+
+deny_mission_critical_virtual_machine_should_use_premium_or_ultra_disks contains reason if {
+ resource := data.utils.resource(input, "azapi_resource")[_]
+ data.utils.is_azure_type(resource.values, "Microsoft.Compute/disks")
+ not valid_azapi_disk_sku_name(resource)
+
+ reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azapi_resource` must have configured `sku.name` to use Premium or Ultra type: https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Compute/virtualMachines/#mission-critical-workloads-should-consider-using-premium-or-ultra-disks", [resource.address])
+}
\ No newline at end of file
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/compute/microsoft_compute_virtualMachines_storageProfile_osDisk_managedDisk_storageAccountType.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/compute/microsoft_compute_virtualMachines_storageProfile_osDisk_managedDisk_storageAccountType.rego
index ed6f944..ff272c7 100644
--- a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/compute/microsoft_compute_virtualMachines_storageProfile_osDisk_managedDisk_storageAccountType.rego
+++ b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/compute/microsoft_compute_virtualMachines_storageProfile_osDisk_managedDisk_storageAccountType.rego
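Review bot: `valid_azapi_disk_sku_name` dereferences `resource.values.body.sku.name` as a decoded object path; if `body` reaches the plan as a JSON-encoded string (the `jsonencode(...)` form older azapi provider versions require) or `sku.name` is unknown at plan time, the reference is undefined, neither helper body holds, and the deny fires with a message asserting the SKU is not Premium/Ultra — a misleading finding for a plan that is merely opaque. Whether `data.utils.resource` normalises `body` into an object is not visible in this diff; if it does not, document the fail-closed choice above the deny rule, e.g. `# sku.name absent or undefined (including a string-typed body) is reported as non-compliant; the plan must expose body as an object`. The prefix test is also case-sensitive, and azapi forwards the body verbatim to ARM, so a lower-cased SKU that the API might tolerate would be flagged here — either state that canonical casing is required or compare with `startswith(lower(resource.values.body.sku.name), "premium")`.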
@@ -2,18 +2,18 @@ package Azure_Proactive_Resiliency_Library_v2.mission_critical_virtual_machine_s
 
 import rego.v1
 
-valid_azapi_properties_storageProfile_osDisk_storageAccountType(resource) if {
+valid_azapi_virtual_machine_properties_storageProfile_osDisk_storageAccountType(resource) if {
 startswith(resource.values.body.properties.storageProfile.osDisk.managedDisk.storageAccountType, "Premium")
 }
 
-valid_azapi_properties_storageProfile_osDisk_storageAccountType(resource) if {
+valid_azapi_virtual_machine_properties_storageProfile_osDisk_storageAccountType(resource) if {
 startswith(resource.values.body.properties.storageProfile.osDisk.managedDisk.storageAccountType, "Ultra")
 }
 
 deny_mission_critical_virtual_machine_should_use_premium_or_ultra_disks contains reason if {
 resource := data.utils.resource(input, "azapi_resource")[_]
 data.utils.is_azure_type(resource.values, "Microsoft.Compute/virtualMachines")
- not valid_azapi_properties_storageProfile_osDisk_storageAccountType(resource)
+ not valid_azapi_virtual_machine_properties_storageProfile_osDisk_storageAccountType(resource)
 
 reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azapi_resource` must have configured `storageProfile.osDisk.managedDisk.storageAccountType` to use Premium or Ultra type: https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Compute/virtualMachines/#mission-critical-workloads-should-consider-using-premium-or-ultra-disks", [resource.address])
 }
\ No newline at end of file
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_linux_virtual_machine_os_disk_storage_account_type.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_linux_virtual_machine_os_disk_storage_account_type.rego
index b5b5054..8e30299 100644
--- a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_linux_virtual_machine_os_disk_storage_account_type.rego
+++ b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_linux_virtual_machine_os_disk_storage_account_type.rego
@@ -2,17 +2,17 @@ package Azure_Proactive_Resiliency_Library_v2.mission_critical_virtual_machine_s
 
 import rego.v1
 
-valid_azurerm_os_disk_storage_account_type(resource) if {
+valid_azurerm_virtual_machine_os_disk_storage_account_type(resource) if {
 startswith(resource.values.os_disk[_].storage_account_type, "Premium")
 }
 
-valid_azurerm_os_disk_storage_account_type(resource) if {
+valid_azurerm_virtual_machine_os_disk_storage_account_type(resource) if {
 startswith(resource.values.os_disk[_].storage_account_type, "Ultra")
 }
 
 deny_mission_critical_virtual_machine_should_use_premium_or_ultra_disks contains reason if {
 resource := data.utils.resource(input, "azurerm_linux_virtual_machine")[_]
- not valid_azurerm_os_disk_storage_account_type(resource)
+ not valid_azurerm_virtual_machine_os_disk_storage_account_type(resource)
 
 reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azurerm_linux_virtual_machine` must have configured `os_disk.storage_account_type` to use Premium or Ultra type: https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Compute/virtualMachines/#mission-critical-workloads-should-consider-using-premium-or-ultra-disks", [resource.address])
 }
\ No newline at end of file
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_managed_disk_storage_account_type.mock.json b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_managed_disk_storage_account_type.mock.json
new file mode 100644
index 0000000..5effdec
--- /dev/null
+++ b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_managed_disk_storage_account_type.mock.json
@@ -0,0 +1,61 @@
+{
+ "mock": {
+ "invalid_Standard_LRS": {
+ "resource_changes": [
+ {
+ "address": "azurerm_managed_disk.example",
+ "mode": "managed",
+ "type": "azurerm_managed_disk",
+ "name": "example",
+ "provider_name": "registry.terraform.io/hashicorp/azurerm",
+ "change": {
+ "actions": [
+ "create"
+ ],
+ "after": {
+ "storage_account_type": "Standard_LRS"
+ }
+ }
+ }
+ ]
+ },
+ "premium_lrs": {
+ "resource_changes": [
+ {
+ "address": "azurerm_managed_disk.example",
+ "mode": "managed",
+ "type": "azurerm_managed_disk",
+ "name": "example",
+ "provider_name": "registry.terraform.io/hashicorp/azurerm",
+ "change": {
+ "actions": [
+ "create"
+ ],
+ "after": {
+ "storage_account_type": "Premium_LRS"
+ }
+ }
+ }
+ ]
+ },
+ "ultrassd_lrs": {
+ "resource_changes": [
+ {
+ "address": "azurerm_managed_disk.example",
+ "mode": "managed",
+ "type": "azurerm_managed_disk",
+ "name": "example",
+ "provider_name": "registry.terraform.io/hashicorp/azurerm",
+ "change": {
+ "actions": [
+ "create"
+ ],
+ "after": {
+ "storage_account_type": "UltraSSD_LRS"
+ }
+ }
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_managed_disk_storage_account_type.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_managed_disk_storage_account_type.rego
new file mode 100644
index 0000000..b85d978
--- /dev/null
+++ b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_managed_disk_storage_account_type.rego
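Review bot: The only deny fixture here is `Standard_LRS`, which leaves the most likely false-negative question untested: `StandardSSD_LRS` and `StandardSSD_ZRS` are SSD-backed but share the `Standard` prefix, so the sibling rule rejects them purely on string prefix, and a fixture should pin that this is intended. Add `invalid_StandardSSD_LRS` (`"storage_account_type": "StandardSSD_LRS"`) alongside the existing entry, and `premium_zrs` (`Premium_ZRS`) and `premium_v2_lrs` (`PremiumV2_LRS`) as passing entries so a future tightening of the prefix check (e.g. an exact-match list) cannot silently drop zone-redundant or v2 SKUs that the azurerm provider accepts. The `invalid_` key prefix presumably drives the expected-deny assertion in the test harness — confirm against the existing mocks before relying on it.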
@@ -0,0 +1,18 @@
+package Azure_Proactive_Resiliency_Library_v2.mission_critical_virtual_machine_should_use_premium_or_ultra_disks
+
+import rego.v1
+
+valid_azurerm_managed_disk_storage_account_type(resource) if {
+ startswith(resource.values.storage_account_type, "Premium")
+}
+
+valid_azurerm_managed_disk_storage_account_type(resource) if {
+ startswith(resource.values.storage_account_type, "Ultra")
+}
+
+deny_mission_critical_virtual_machine_should_use_premium_or_ultra_disks contains reason if {
+ resource := data.utils.resource(input, "azurerm_managed_disk")[_]
+ not valid_azurerm_managed_disk_storage_account_type(resource)
+
+ reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azurerm_managed_disk` must have configured `storage_account_type` to use Premium or Ultra type: https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Compute/virtualMachines/#mission-critical-workloads-should-consider-using-premium-or-ultra-disks", [resource.address])
+}
\ No newline at end of file
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_windows_virtual_machine_os_disk_storage_account_type.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_windows_virtual_machine_os_disk_storage_account_type.rego
index 54b4f08..7c1ab16 100644
--- a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_windows_virtual_machine_os_disk_storage_account_type.rego
+++ b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_windows_virtual_machine_os_disk_storage_account_type.rego
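Review bot: The deny rule flags every `azurerm_managed_disk` in the plan — detached data disks, disks for non-mission-critical workloads, and any disk whose `storage_account_type` is computed and therefore absent from `values` at plan time (the helper is then undefined and `not` turns that into a finding) — while the linked recommendation is scoped to mission-critical virtual machines; none of that scope is stated in the file. Add a comment above the deny rule such as `# Applies to every azurerm_managed_disk in the plan (data disks included); an absent or unknown storage_account_type is reported as non-compliant.` so consumers know the fail-closed behaviour is deliberate and that exemptions must come from the caller. As a style point, this file and the two VM files now carry three copies of the same `startswith(..., "Premium")` / `startswith(..., "Ultra")` pair; a single package-level `is_premium_or_ultra_sku(sku)` helper called from each `valid_*` rule would keep the accepted SKU prefixes in one place.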
@@ -2,17 +2,17 @@ package Azure_Proactive_Resiliency_Library_v2.mission_critical_virtual_machine_s
 
 import rego.v1
 
-valid_azurerm_os_disk_storage_account_type(resource) if {
+valid_azurerm_virtual_machine_os_disk_storage_account_type(resource) if {
 startswith(resource.values.os_disk[_].storage_account_type, "Premium")
 }
 
-valid_azurerm_os_disk_storage_account_type(resource) if {
+valid_azurerm_virtual_machine_os_disk_storage_account_type(resource) if {
 startswith(resource.values.os_disk[_].storage_account_type, "Ultra")
 }
 
 deny_mission_critical_virtual_machine_should_use_premium_or_ultra_disks contains reason if {
 resource := data.utils.resource(input, "azurerm_windows_virtual_machine")[_]
- not valid_azurerm_os_disk_storage_account_type(resource)
+ not valid_azurerm_virtual_machine_os_disk_storage_account_type(resource)
 
 reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azurerm_windows_virtual_machine` must have configured `os_disk.storage_account_type` to use Premium or Ultra type: https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Compute/virtualMachines/#mission-critical-workloads-should-consider-using-premium-or-ultra-disks", [resource.address])
 }
\ No newline at end of file