From bc38f821ca35e09243f74672e13016e71a4770b1 Mon Sep 17 00:00:00 2001 From: hezijie Date: Thu, 20 Feb 2025 16:46:29 +0800 Subject: [PATCH] add rule for postgresql azapi --- ...vers_backup_geo_redundant_backup.mock.json | 83 +++++++++++++++++++ ...leServers_backup_geo_redundant_backup.rego | 15 ++++ ...eServers_high_availabillity_mode.mock.json | 79 ++++++++++++++++++ ...exibleServers_high_availabillity_mode.rego | 15 ++++ ...e_server_geo_redundant_backup_enabled.rego | 2 +- ...ver_geo_redundant_backup_enabled.mock.json | 59 +++++++++++++ ...e_server_geo_redundant_backup_enabled.rego | 14 ++++ readme.md | 1 + 8 files changed, 267 insertions(+), 1 deletion(-) create mode 100644 policy/Azure-Proactive-Resiliency-Library-v2/azapi/postgresql/microsoft_db_for_postgresql_flexibleServers_backup_geo_redundant_backup.mock.json create mode 100644 policy/Azure-Proactive-Resiliency-Library-v2/azapi/postgresql/microsoft_db_for_postgresql_flexibleServers_backup_geo_redundant_backup.rego create mode 100644 policy/Azure-Proactive-Resiliency-Library-v2/azapi/postgresql/microsoft_db_for_postgresql_flexibleServers_high_availabillity_mode.mock.json create mode 100644 policy/Azure-Proactive-Resiliency-Library-v2/azapi/postgresql/microsoft_db_for_postgresql_flexibleServers_high_availabillity_mode.rego create mode 100644 policy/Azure-Proactive-Resiliency-Library-v2/azurerm/postgres/azurerm_postgresql_flexible_server_geo_redundant_backup_enabled.mock.json create mode 100644 policy/Azure-Proactive-Resiliency-Library-v2/azurerm/postgres/azurerm_postgresql_flexible_server_geo_redundant_backup_enabled.rego diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/postgresql/microsoft_db_for_postgresql_flexibleServers_backup_geo_redundant_backup.mock.json b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/postgresql/microsoft_db_for_postgresql_flexibleServers_backup_geo_redundant_backup.mock.json new file mode 100644 index 0000000..4793ff7 --- /dev/null 
+++ b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/postgresql/microsoft_db_for_postgresql_flexibleServers_backup_geo_redundant_backup.mock.json
@@ -0,0 +1,83 @@
+{
+ "mock": {
+ "default": {
+ "resource_changes": [
+ {
+ "address": "azapi_resource.res",
+ "mode": "managed",
+ "type": "azapi_resource",
+ "name": "res",
+ "provider_name": "registry.terraform.io/azure/azapi",
+ "change": {
+ "actions": [
+ "create"
+ ],
+ "before": null,
+ "after": {
+ "body": {
+ "properties": {
+ "backup": {
+ "geoRedundantBackup": "Enabled"
+ }
+ }
+ },
+ "type": "Microsoft.DBforPostgreSQL/flexibleServers@2024-11-01-preview"
+ }
+ }
+ }
+ ]
+ },
+ "invalid_geo_redundant_backup_disabled": {
+ "resource_changes": [
+ {
+ "address": "azapi_resource.res",
+ "mode": "managed",
+ "type": "azapi_resource",
+ "name": "res",
+ "provider_name": "registry.terraform.io/azure/azapi",
+ "change": {
+ "actions": [
+ "create"
+ ],
+ "before": null,
+ "after": {
+ "body": {
+ "properties": {
+ "backup": {
+ "geoRedundantBackup": "Disabled"
+ }
+ }
+ },
+ "type": "Microsoft.DBforPostgreSQL/flexibleServers@2024-11-01-preview"
+ }
+ }
+ }
+ ]
+ },
+ "invalid_geo_redundant_backup_omitted": {
+ "resource_changes": [
+ {
+ "address": "azapi_resource.res",
+ "mode": "managed",
+ "type": "azapi_resource",
+ "name": "res",
+ "provider_name": "registry.terraform.io/azure/azapi",
+ "change": {
+ "actions": [
+ "create"
+ ],
+ "before": null,
+ "after": {
+ "body": {
+ "properties": {
+ "backup": {}
+ }
+ },
+ "type": "Microsoft.DBforPostgreSQL/flexibleServers@2024-11-01-preview"
+ }
+ }
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/postgresql/microsoft_db_for_postgresql_flexibleServers_backup_geo_redundant_backup.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/postgresql/microsoft_db_for_postgresql_flexibleServers_backup_geo_redundant_backup.rego
new file mode 100644
index 0000000..60a586c
--- /dev/null
+++ b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/postgresql/microsoft_db_for_postgresql_flexibleServers_backup_geo_redundant_backup.rego
@@ -0,0 +1,15 @@
+package Azure_Proactive_Resiliency_Library_v2
+
+import rego.v1
+
+valid_azapi_postgres_flexible_server_geo_redundant_backup_enabled(resource) if {
+ resource.values.body.properties.backup.geoRedundantBackup == "Enabled"
+}
+
+deny_postgresql_flexible_server_geo_redundant_backup_enabled contains reason if {
+ resource := data.utils.resource(input, "azapi_resource")[_]
+ data.utils.is_azure_type(resource.values, "Microsoft.DBforPostgreSQL/flexibleServers")
+ not valid_azapi_postgres_flexible_server_geo_redundant_backup_enabled(resource)
+
+ reason := sprintf("Azure-Proactive-Resiliency-Library-v2/postgresql_flexible_server_geo_redundant_backup_enabled: '%s' `azapi_resource` must have 'backup.geoRedundantBackup' set to '\"Enabled\"': https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/DBforMySQL/flexibleServers/#configure-geo-redundant-backup-storage", [resource.address])
+}
\ No newline at end of file
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/postgresql/microsoft_db_for_postgresql_flexibleServers_high_availabillity_mode.mock.json b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/postgresql/microsoft_db_for_postgresql_flexibleServers_high_availabillity_mode.mock.json
new file mode 100644
index 0000000..11a259b
--- /dev/null
+++ b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/postgresql/microsoft_db_for_postgresql_flexibleServers_high_availabillity_mode.mock.json
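Review bot: The remediation URL in the `reason` string points at the MySQL page (`.../azure-resources/DBforMySQL/flexibleServers/#configure-geo-redundant-backup-storage`) even though this rule only fires for `Microsoft.DBforPostgreSQL/flexibleServers`; it looks copied from the mysql rule, and the azurerm PostgreSQL rule added in this same patch already uses `https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/DBforPostgreSQL/flexibleServers/#configure-geo-redundant-backup-storage`, which is what this string should carry too. The readme entry this patch adds for `postgresql_flexible_server_geo_redundant_backup_enabled` has the same MySQL link. Separately, the check reads `resource.values.body.properties.backup.geoRedundantBackup`, which presumes `body` arrives in the plan as a decoded object; if this library is also run against plans from azapi provider versions that serialize `body` as a JSON string, that path is undefined and every such server is denied rather than inspected, so it is worth confirming and stating the expectation in a comment such as `# Expects azapi `body` decoded as an object in the plan JSON; a string body is reported as non-compliant rather than parsed.`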
@@ -0,0 +1,79 @@
+{
+ "mock": {
+ "valid_zone_redundant": {
+ "resource_changes": [
+ {
+ "address": "azapi_resource.res",
+ "mode": "managed",
+ "type": "azapi_resource",
+ "name": "res",
+ "provider_name": "registry.terraform.io/azure/azapi",
+ "change": {
+ "actions": [
+ "create"
+ ],
+ "after": {
+ "body": {
+ "properties": {
+ "highAvailability": {
+ "mode": "ZoneRedundant"
+ }
+ }
+ },
+ "type": "Microsoft.DBforPostgreSQL/flexibleServers@2024-11-01-preview"
+ }
+ }
+ }
+ ]
+ },
+ "invalid_same_zone": {
+ "resource_changes": [
+ {
+ "address": "azapi_resource.res",
+ "mode": "managed",
+ "type": "azapi_resource",
+ "name": "res",
+ "provider_name": "registry.terraform.io/azure/azapi",
+ "change": {
+ "actions": [
+ "create"
+ ],
+ "after": {
+ "body": {
+ "properties": {
+ "highAvailability": {
+ "mode": "SameZone"
+ }
+ }
+ },
+ "type": "Microsoft.DBforPostgreSQL/flexibleServers@2024-11-01-preview"
+ }
+ }
+ }
+ ]
+ },
+ "invalid_no_high_availability": {
+ "resource_changes": [
+ {
+ "address": "azapi_resource.res",
+ "mode": "managed",
+ "type": "azapi_resource",
+ "name": "res",
+ "provider_name": "registry.terraform.io/azure/azapi",
+ "change": {
+ "actions": [
+ "create"
+ ],
+ "after": {
+ "body": {
+ "properties": {
+ }
+ },
+ "type": "Microsoft.DBforPostgreSQL/flexibleServers@2024-11-01-preview"
+ }
+ }
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/postgresql/microsoft_db_for_postgresql_flexibleServers_high_availabillity_mode.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/postgresql/microsoft_db_for_postgresql_flexibleServers_high_availabillity_mode.rego
new file mode 100644
index 0000000..98f94d9
--- /dev/null
+++ b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/postgresql/microsoft_db_for_postgresql_flexibleServers_high_availabillity_mode.rego
@@ -0,0 +1,15 @@
+package Azure_Proactive_Resiliency_Library_v2
+
+import rego.v1
+
+valid_azapi_postgres_flexible_server_high_availability_zone_redundant(resource) if {
+ resource.values.body.properties.highAvailability.mode == "ZoneRedundant"
+}
+
+deny_postgresql_flexible_server_high_availability_zone_redundant contains reason if {
+ resource := data.utils.resource(input, "azapi_resource")[_]
+ data.utils.is_azure_type(resource.values, "Microsoft.DBforPostgreSQL/flexibleServers")
+ not valid_azapi_postgres_flexible_server_high_availability_zone_redundant(resource)
+
+ reason := sprintf("Azure-Proactive-Resiliency-Library-v2/postgresql_flexible_server_high_availability_zone_redundant: '%s' `azapi_resource` must have 'highAvailability.mode' set to 'ZoneRedundant': https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/DBforPostgreSQL/flexibleServers/#enable-ha-with-zone-redundancy", [resource.address])
+}
\ No newline at end of file
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/mysql/azurerm_mysql_flexible_server_geo_redundant_backup_enabled.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/mysql/azurerm_mysql_flexible_server_geo_redundant_backup_enabled.rego
index 61bf8a4..f05a466 100644
--- a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/mysql/azurerm_mysql_flexible_server_geo_redundant_backup_enabled.rego
+++ b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/mysql/azurerm_mysql_flexible_server_geo_redundant_backup_enabled.rego
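Review bot: The new rule is named `deny_postgresql_flexible_server_high_availability_zone_redundant` and reports the id `postgresql_flexible_server_high_availability_zone_redundant`, whereas the readme in this patch lists the existing PostgreSQL HA rule as `postgresql_flexible_server_high_availability_mode_zone_redundant`. Unlike the geo-redundant-backup pair in this patch, where the azapi and azurerm rules deliberately share `deny_postgresql_flexible_server_geo_redundant_backup_enabled` so both providers' findings land in one set, this azapi rule would (if the azurerm rule follows the id the readme shows) surface under a second, slightly different id, which complicates exception lists and output filtering. I would rename it `deny_postgresql_flexible_server_high_availability_mode_zone_redundant contains reason if {` and use the same id in the sprintf prefix. The mock file name also carries a typo (`high_availabillity_mode`), and the mock covers only omitted and `SameZone`; an explicit `"mode": "Disabled"` case, which I believe is the remaining value the API accepts, would be a useful third negative fixture.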
@@ -10,5 +10,5 @@ deny_mysql_flexible_server_geo_redundant_backup_enabled contains reason if {
 resource := data.utils.resource(input, "azurerm_mysql_flexible_server")[_]
 not valid_mysql_flexible_server_geo_redundant_backup_enabled(resource)
 
- reason := sprintf("Azure-Proactive-Resiliency-Library-v2/mysql_flexible_server_geo_redundant_backup_enabled: '%s' `azurerm_mysql_flexible_server` must have 'geo_redundant_backup_enabled.mode' set to 'true': https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/DBforMySQL/flexibleServers/#configure-geo-redundant-backup-storage", [resource.address])
+ reason := sprintf("Azure-Proactive-Resiliency-Library-v2/mysql_flexible_server_geo_redundant_backup_enabled: '%s' `azurerm_mysql_flexible_server` must have 'geo_redundant_backup_enabled' set to 'true': https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/DBforMySQL/flexibleServers/#configure-geo-redundant-backup-storage", [resource.address])
 }
\ No newline at end of file
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/postgres/azurerm_postgresql_flexible_server_geo_redundant_backup_enabled.mock.json b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/postgres/azurerm_postgresql_flexible_server_geo_redundant_backup_enabled.mock.json
new file mode 100644
index 0000000..9b4457d
--- /dev/null
+++ b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/postgres/azurerm_postgresql_flexible_server_geo_redundant_backup_enabled.mock.json
@@ -0,0 +1,59 @@
+{
+ "mock": {
+ "default": {
+ "resource_changes": [
+ {
+ "address": "azurerm_postgresql_flexible_server.example",
+ "mode": "managed",
+ "type": "azurerm_postgresql_flexible_server",
+ "name": "example",
+ "provider_name": "registry.terraform.io/hashicorp/azurerm",
+ "change": {
+ "actions": [
+ "create"
+ ],
+ "after": {
+ "geo_redundant_backup_enabled": true
+ }
+ }
+ }
+ ]
+ },
+ "invalid_geo_redundant_backup_disabled": {
+ "resource_changes": [
+ {
+ "address": "azurerm_postgresql_flexible_server.example",
+ "mode": "managed",
+ "type": "azurerm_postgresql_flexible_server",
+ "name": "example",
+ "provider_name": "registry.terraform.io/hashicorp/azurerm",
+ "change": {
+ "actions": [
+ "create"
+ ],
+ "after": {
+ "geo_redundant_backup_enabled": false
+ }
+ }
+ }
+ ]
+ },
+ "invalid_geo_redundant_backup_omitted": {
+ "resource_changes": [
+ {
+ "address": "azurerm_postgresql_flexible_server.example",
+ "mode": "managed",
+ "type": "azurerm_postgresql_flexible_server",
+ "name": "example",
+ "provider_name": "registry.terraform.io/hashicorp/azurerm",
+ "change": {
+ "actions": [
+ "create"
+ ],
+ "after": {}
+ }
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/postgres/azurerm_postgresql_flexible_server_geo_redundant_backup_enabled.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/postgres/azurerm_postgresql_flexible_server_geo_redundant_backup_enabled.rego
new file mode 100644
index 0000000..ed8d5bd
--- /dev/null
+++ b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/postgres/azurerm_postgresql_flexible_server_geo_redundant_backup_enabled.rego
@@ -0,0 +1,14 @@
+package Azure_Proactive_Resiliency_Library_v2
+
+import rego.v1
+
+valid_postgresql_flexible_server_geo_redundant_backup_enabled(resource) if {
+ resource.values.geo_redundant_backup_enabled == true
+}
+
+deny_postgresql_flexible_server_geo_redundant_backup_enabled contains reason if {
+ resource := data.utils.resource(input, "azurerm_postgresql_flexible_server")[_]
+ not valid_postgresql_flexible_server_geo_redundant_backup_enabled(resource)
+
+ reason := sprintf("Azure-Proactive-Resiliency-Library-v2/postgresql_flexible_server_geo_redundant_backup_enabled: '%s' `azurerm_postgresql_flexible_server` must have 'geo_redundant_backup_enabled' set to 'true': https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/DBforPostgreSQL/flexibleServers/#configure-geo-redundant-backup-storage", [resource.address])
+}
\ No newline at end of file
diff --git a/readme.md b/readme.md
index d9f6510..c14e4b7 100644
--- a/readme.md
+++ b/readme.md
@@ -67,6 +67,7 @@ conftest test --all-namespaces --update git::https://github.com/lonegunmanb/poli
 * `Microsoft.DBforPostgreSQL/flexibleServers`
+[`postgresql_flexible_server_geo_redundant_backup_enabled`](https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/DBforMySQL/flexibleServers/#configure-geo-redundant-backup-storage)
 [`postgresql_flexible_server_high_availability_mode_zone_redundant`](https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/DBforPostgreSQL/flexibleServers/#enable-ha-with-zone-redundancy)
 * `Microsoft.Storage/storageAccounts`
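Review bot: `deny_postgresql_flexible_server_geo_redundant_backup_enabled` here has the same name, in the same package, as the azapi rule added elsewhere in this patch; with `contains` that is a valid incremental definition and is presumably intended so both providers report under one rule id, but nothing in either file says so, and a later reader will see what looks like a duplicate rule across two files. A one-line comment above the rule would stop it being "deduplicated" by mistake: `# Incremental definition: the azapi variant under azapi/postgresql/ adds to this same set, so both providers report under one id.` For consistency the two helpers that feed this set could also agree on the product name (`valid_postgresql_...` here versus `valid_azapi_postgres_...` in the azapi file), which makes grepping for the rule's parts easier.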