diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/compute/microsoft_compute_disks_sku_name.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/compute/microsoft_compute_disks_sku_name.rego index 9d91dab..d367e52 100644 --- a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/compute/microsoft_compute_disks_sku_name.rego +++ b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/compute/microsoft_compute_disks_sku_name.rego @@ -1,19 +1,19 @@ -package Azure_Proactive_Resiliency_Library_v2.mission_critical_virtual_machine_should_use_premium_or_ultra_disks +package Azure_Proactive_Resiliency_Library_v2 import rego.v1 -valid_azapi_disk_sku_name(resource) if { +valid_azapi_mission_critical_virtual_machine_should_use_premium_or_ultra_disks(resource) if { startswith(resource.values.body.sku.name, "Premium") } -valid_azapi_disk_sku_name(resource) if { +valid_azapi_mission_critical_virtual_machine_should_use_premium_or_ultra_disks(resource) if { startswith(resource.values.body.sku.name, "Ultra") } deny_mission_critical_virtual_machine_should_use_premium_or_ultra_disks contains reason if { resource := data.utils.resource(input, "azapi_resource")[_] data.utils.is_azure_type(resource.values, "Microsoft.Compute/disks") - not valid_azapi_disk_sku_name(resource) + not valid_azapi_mission_critical_virtual_machine_should_use_premium_or_ultra_disks(resource) reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azapi_resource` must have configured `sku.name` to use Premium or Ultra type: https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Compute/virtualMachines/#mission-critical-workloads-should-consider-using-premium-or-ultra-disks", [resource.address]) } \ No newline at end of file 
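Review bot: The renamed helper `valid_azapi_mission_critical_virtual_machine_should_use_premium_or_ultra_disks` is now also defined, with the same name and arity, in `microsoft_compute_virtualMachines_storageProfile_osDisk_managedDisk_storageAccountType.rego`, and because both files collapse into the flat `Azure_Proactive_Resiliency_Library_v2` package Rego merges them into one function whose bodies are OR'ed. Today that is harmless only because a `Microsoft.Compute/disks` body has no `properties.storageProfile` and a VM body has no top-level `sku.name`; any future shared field would let a disk pass on the VM rule's body and vice versa. The azurerm counterparts in this same commit avoid the clash with `_managed_disk` / `_os_disk_linux` / `_os_disk_win` suffixes, so doing the same here, e.g. `valid_azapi_mission_critical_virtual_machine_should_use_premium_or_ultra_disks_disk(resource) if {` on both rule heads and in the deny's `not ...` call, keeps each file self-contained.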
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/compute/microsoft_compute_virtualMachines_properties_availabilitySet.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/compute/microsoft_compute_virtualMachines_properties_availabilitySet.rego index 1250270..e2a6b71 100644 --- a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/compute/microsoft_compute_virtualMachines_properties_availabilitySet.rego +++ b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/compute/microsoft_compute_virtualMachines_properties_availabilitySet.rego @@ -1,15 +1,15 @@ -package Azure_Proactive_Resiliency_Library_v2.migrate_vm_using_availability_sets_to_vmss_flex +package Azure_Proactive_Resiliency_Library_v2 import rego.v1 -valid_azapi_virtual_machine_properties_availabilitySet(resource) if { +valid_azapi_migrate_vm_using_availability_sets_to_vmss_flex(resource) if { not resource.values.body.properties.availabilitySet } deny_migrate_vm_using_availability_sets_to_vmss_flex contains reason if { resource := data.utils.resource(input, "azapi_resource")[_] data.utils.is_azure_type(resource.values, "Microsoft.Compute/virtualMachines") - not valid_azapi_virtual_machine_properties_availabilitySet(resource) + not valid_azapi_migrate_vm_using_availability_sets_to_vmss_flex(resource) reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azapi_resource` must not define `properties.availabilitySet`: https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Compute/virtualMachines/#migrate-vms-using-availability-sets-to-vmss-flex", [resource.address]) } \ No newline at end of file diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/compute/microsoft_compute_virtualMachines_storageProfile_osDisk_managedDisk_storageAccountType.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/compute/microsoft_compute_virtualMachines_storageProfile_osDisk_managedDisk_storageAccountType.rego index ff272c7..a635bd6 100644 
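Review bot: `not resource.values.body.properties.availabilitySet` fails when the attribute is present with the value `null`, so a body written as `availabilitySet = null` (the usual way to make a block optional) is still denied; the azurerm Linux policy in this same commit added an explicit `== null` branch plus a `null` mock case, but this azapi rule did not. Add the matching branch: `valid_azapi_migrate_vm_using_availability_sets_to_vmss_flex(resource) if {` / `resource.values.body.properties.availabilitySet == null` / `}`. The opposite direction deserves a thought too: if `body` ever reaches the plan as a string (`jsonencode(...)`) rather than an object, the `.properties` path is undefined, the `not` succeeds and the check silently passes, so an `is_object(resource.values.body)` precondition on the valid rule would make that case fail closed if such plans are possible in your setup.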
--- a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/compute/microsoft_compute_virtualMachines_storageProfile_osDisk_managedDisk_storageAccountType.rego +++ b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/compute/microsoft_compute_virtualMachines_storageProfile_osDisk_managedDisk_storageAccountType.rego @@ -1,19 +1,19 @@ -package Azure_Proactive_Resiliency_Library_v2.mission_critical_virtual_machine_should_use_premium_or_ultra_disks +package Azure_Proactive_Resiliency_Library_v2 import rego.v1 -valid_azapi_virtual_machine_properties_storageProfile_osDisk_storageAccountType(resource) if { +valid_azapi_mission_critical_virtual_machine_should_use_premium_or_ultra_disks(resource) if { startswith(resource.values.body.properties.storageProfile.osDisk.managedDisk.storageAccountType, "Premium") } -valid_azapi_virtual_machine_properties_storageProfile_osDisk_storageAccountType(resource) if { +valid_azapi_mission_critical_virtual_machine_should_use_premium_or_ultra_disks(resource) if { startswith(resource.values.body.properties.storageProfile.osDisk.managedDisk.storageAccountType, "Ultra") } deny_mission_critical_virtual_machine_should_use_premium_or_ultra_disks contains reason if { resource := data.utils.resource(input, "azapi_resource")[_] data.utils.is_azure_type(resource.values, "Microsoft.Compute/virtualMachines") - not valid_azapi_virtual_machine_properties_storageProfile_osDisk_storageAccountType(resource) + not valid_azapi_mission_critical_virtual_machine_should_use_premium_or_ultra_disks(resource) reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azapi_resource` must have configured `storageProfile.osDisk.managedDisk.storageAccountType` to use Premium or Ultra type: https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Compute/virtualMachines/#mission-critical-workloads-should-consider-using-premium-or-ultra-disks", [resource.address]) } \ No newline at end of file 
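Review bot: Only the OS disk is inspected here; `properties.storageProfile.dataDisks[_].managedDisk.storageAccountType` is never read, so a VM with a Premium OS disk and `Standard_LRS` data disks declared inline passes, and the standalone disks policy cannot catch it because inline data disks are not `Microsoft.Compute/disks` resources. Requiring Premium/Ultra on every inline data disk closes that gap; disks attached by id (`createOption == "Attach"`) carry no SKU in the VM body and should be left to the disks policy, as sketched below. The helper name also collides with the identically named one in `microsoft_compute_disks_sku_name.rego` now that both files share one package, so a `_vm` suffix is advisable when touching this.

```rego
valid_azapi_mission_critical_virtual_machine_should_use_premium_or_ultra_disks(resource) if {
    profile := resource.values.body.properties.storageProfile
    premium_or_ultra(profile.osDisk.managedDisk.storageAccountType)
    every disk in object.get(profile, "dataDisks", []) {
        inline_data_disk_ok(disk)
    }
}

premium_or_ultra(storage_account_type) if startswith(storage_account_type, "Premium")

premium_or_ultra(storage_account_type) if startswith(storage_account_type, "Ultra")

# Attached disks reference an existing Microsoft.Compute/disks resource; its SKU is checked by the disks policy.
inline_data_disk_ok(disk) if disk.createOption == "Attach"

inline_data_disk_ok(disk) if premium_or_ultra(disk.managedDisk.storageAccountType)

# … unchanged: deny_mission_critical_virtual_machine_should_use_premium_or_ultra_disks …
```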
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/containerservice/aks/microsoft_container_service_managedClusters_agentPoolProfiles_availabilityZones.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/containerservice/aks/microsoft_container_service_managedClusters_agentPoolProfiles_availabilityZones.rego index 40a280a..5b721a5 100644 --- a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/containerservice/aks/microsoft_container_service_managedClusters_agentPoolProfiles_availabilityZones.rego +++ b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/containerservice/aks/microsoft_container_service_managedClusters_agentPoolProfiles_availabilityZones.rego @@ -1,8 +1,8 @@ -package Azure_Proactive_Resiliency_Library_v2.configure_aks_default_node_pool_zones +package Azure_Proactive_Resiliency_Library_v2 import rego.v1 -valid_azapi_zones(resource) if { +valid_azapi_configure_aks_default_node_pool_zones(resource) if { pool := resource.values.body.properties.agentPoolProfiles[_] count(pool.availabilityZones) >= 2 } @@ -10,7 +10,7 @@ valid_azapi_zones(resource) if { deny_configure_aks_default_node_pool_zones contains reason if { resource := data.utils.resource(input, "azapi_resource")[_] data.utils.is_azure_type(resource.values, "Microsoft.ContainerService/managedClusters") - not valid_azapi_zones(resource) + not valid_azapi_configure_aks_default_node_pool_zones(resource) reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azapi_resource` must have configured `agentPoolProfiles.availabilityZones` to use at least 2 Availability Zones: https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/ContainerService/managedClusters/#deploy-aks-cluster-across-availability-zones", [resource.address]) } \ No newline at end of file 
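Review bot: `pool := ...agentPoolProfiles[_]` followed by `count(pool.availabilityZones) >= 2` is satisfied when any one pool spans two zones, so a cluster whose system pool has no `availabilityZones` passes as long as a single user pool does, which is weaker than the deny message implies. Use universal quantification, available under `rego.v1`: `every pool in resource.values.body.properties.agentPoolProfiles {` / `count(pool.availabilityZones) >= 2` / `}` (an absent `agentPoolProfiles` leaves `every` undefined, so the deny still fires). If the intent really is only the default pool, filter on `pool.mode == "System"` instead and say so in the message.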
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/cosmos-db/microsoft_documentdb_databaseAccounts_backupPolicy_type.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/cosmos-db/microsoft_documentdb_databaseAccounts_backupPolicy_type.rego index e89add9..22ce1aa 100644 --- a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/cosmos-db/microsoft_documentdb_databaseAccounts_backupPolicy_type.rego +++ b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/cosmos-db/microsoft_documentdb_databaseAccounts_backupPolicy_type.rego @@ -1,15 +1,15 @@ -package Azure_Proactive_Resiliency_Library_v2.configure_cosmosdb_account_continuous_backup_mode +package Azure_Proactive_Resiliency_Library_v2 import rego.v1 -valid_azapi_cosmosdb_account_backup_policy_type(resource) if { +valid_azapi_configure_cosmosdb_account_continuous_backup_mode(resource) if { resource.values.body.properties.backupPolicy.type == "Continuous" } deny_configure_cosmosdb_account_continuous_backup_mode contains reason if { resource := data.utils.resource(input, "azapi_resource")[_] data.utils.is_azure_type(resource.values, "Microsoft.DocumentDB/databaseAccounts") - not valid_azapi_cosmosdb_account_backup_policy_type(resource) + not valid_azapi_configure_cosmosdb_account_continuous_backup_mode(resource) reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azapi_resource` must have backup type configured to 'Continuous': https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/DocumentDB/databaseAccounts/#configure-continuous-backup-mode", [resource.address]) } \ No newline at end of file diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/mysql/microsoft_db_for_mysql_flexibleServers_backup_geo_redundant_backup.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/mysql/microsoft_db_for_mysql_flexibleServers_backup_geo_redundant_backup.rego index 6077c6c..9766370 100644 
--- a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/mysql/microsoft_db_for_mysql_flexibleServers_backup_geo_redundant_backup.rego +++ b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/mysql/microsoft_db_for_mysql_flexibleServers_backup_geo_redundant_backup.rego @@ -1,15 +1,15 @@ -package Azure_Proactive_Resiliency_Library_v2.Microsoft_DBforMySQL_flexibleServers +package Azure_Proactive_Resiliency_Library_v2 import rego.v1 -valid_geo_redundant_backup_enabled(resource) if { +valid_azapi_mysql_flexible_server_geo_redundant_backup_enabled(resource) if { resource.values.body.properties.backup.geoRedundantBackup == "Enabled" } deny_mysql_flexible_server_geo_redundant_backup_enabled contains reason if { resource := data.utils.resource(input, "azapi_resource")[_] data.utils.is_azure_type(resource.values, "Microsoft.DBforMySQL/flexibleServers") - not valid_geo_redundant_backup_enabled(resource) + not valid_azapi_mysql_flexible_server_geo_redundant_backup_enabled(resource) reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azapi_resource` must have 'backup.geoRedundantBackup' set to '\"Enabled\"': https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/DBforMySQL/flexibleServers/#configure-geo-redundant-backup-storage", [resource.address]) } \ No newline at end of file diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/mysql/microsoft_db_for_mysql_flexibleServers_high_availability_mode.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/mysql/microsoft_db_for_mysql_flexibleServers_high_availability_mode.rego index 6e30952..6c2e993 100644 --- a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/mysql/microsoft_db_for_mysql_flexibleServers_high_availability_mode.rego +++ b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/mysql/microsoft_db_for_mysql_flexibleServers_high_availability_mode.rego 
@@ -1,15 +1,15 @@ -package Azure_Proactive_Resiliency_Library_v2.Microsoft_DBforMySQL_flexibleServers +package Azure_Proactive_Resiliency_Library_v2 import rego.v1 -valid_high_availability_mode(resource) if { +valid_azapi_mysql_flexible_server_high_availability_zone_redundant(resource) if { resource.values.body.properties.highAvailability.mode == "ZoneRedundant" } deny_mysql_flexible_server_high_availability_zone_redundant contains reason if { resource := data.utils.resource(input, "azapi_resource")[_] data.utils.is_azure_type(resource.values, "Microsoft.DBforMySQL/flexibleServers") - not valid_high_availability_mode(resource) + not valid_azapi_mysql_flexible_server_high_availability_zone_redundant(resource) reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azapi_resource` must have 'highAvailability.mode' set to 'ZoneRedundant': https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/DBforMySQL/flexibleServers/#enable-ha-with-zone-redundancy", [resource.address]) } \ No newline at end of file diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_applicationGateways_sku_name.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_applicationGateways_sku_name.rego index 541d3fc..b10ef09 100644 --- a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_applicationGateways_sku_name.rego +++ b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_applicationGateways_sku_name.rego 
@@ -1,19 +1,19 @@ -package Azure_Proactive_Resiliency_Library_v2.migrate_to_application_gateway_v2 +package Azure_Proactive_Resiliency_Library_v2 import rego.v1 -valid_azapi_sku(resource) if { +valid_azapi_migrate_to_application_gateway_v2(resource) if { resource.values.body.properties.sku.name == "Standard_v2" } -valid_azapi_sku(resource) if { +valid_azapi_migrate_to_application_gateway_v2(resource) if { resource.values.body.properties.sku.name == "WAF_v2" } deny_migrate_to_application_gateway_v2 contains reason if { resource := data.utils.resource(input, "azapi_resource")[_] data.utils.is_azure_type(resource.values, "Microsoft.Network/applicationGateways") - not valid_azapi_sku(resource) + not valid_azapi_migrate_to_application_gateway_v2(resource) reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azapi_resource` must have 'body.properties.sku.name' set to 'Standard_v2' or 'WAF_v2': https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Network/applicationGateways/#migrate-to-application-gateway-v2", [resource.address]) } \ No newline at end of file diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_applicationGateways_zones.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_applicationGateways_zones.rego index a85dfc6..f407572 100644 --- a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_applicationGateways_zones.rego +++ b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_applicationGateways_zones.rego 
@@ -1,8 +1,8 @@ -package Azure_Proactive_Resiliency_Library_v2.deploy_application_gateway_in_a_zone_redundant_configuration +package Azure_Proactive_Resiliency_Library_v2 import rego.v1 -valid_azapi_zones(resource) if { +valid_azapi_deploy_application_gateway_in_a_zone_redundant_configuration(resource) if { resource.values.body.zones == resource.values.body.zones count(resource.values.body.zones) >= 2 } @@ -10,7 +10,7 @@ valid_azapi_zones(resource) if { deny_deploy_application_gateway_in_a_zone_redundant_configuration contains reason if { resource := data.utils.resource(input, "azapi_resource")[_] data.utils.is_azure_type(resource.values, "Microsoft.Network/applicationGateways") - not valid_azapi_zones(resource) + not valid_azapi_deploy_application_gateway_in_a_zone_redundant_configuration(resource) reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azapi_resource` must have must have configured to use at least 2 Availability Zones: https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Network/applicationGateways/#deploy-application-gateway-in-a-zone-redundant-configuration", [resource.address]) } \ No newline at end of file diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_loadBalancers_outbound_rules.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_loadBalancers_outbound_rules.rego index 9d12799..191fc2c 100644 --- a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_loadBalancers_outbound_rules.rego +++ b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_loadBalancers_outbound_rules.rego 
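Review bot: `resource.values.body.zones == resource.values.body.zones` is a tautology used as an existence check, but it is redundant: `count(resource.values.body.zones)` on an undefined path already leaves the rule undefined, so `count(resource.values.body.zones) >= 2` alone has identical behaviour and reads as intended. While here, the deny message has a duplicated phrase (`must have must have configured`) and names no field; something like `must have \`zones\` configured with at least 2 Availability Zones` tells the plan author what to change.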
@@ -1,19 +1,19 @@ -package Azure_Proactive_Resiliency_Library_v2.use_nat_gateway_instead_of_outbound_rules_for_production_load_lalancer +package Azure_Proactive_Resiliency_Library_v2 import rego.v1 -valid_azapi_outbound_rules(resource) if { +valid_azapi_use_nat_gateway_instead_of_outbound_rules_for_production_load_lalancer(resource) if { count(resource.values.body.properties.outboundRules) == 0 } -valid_azapi_outbound_rules(resource) if { +valid_azapi_use_nat_gateway_instead_of_outbound_rules_for_production_load_lalancer(resource) if { not resource.values.body.properties.outboundRules == resource.values.body.properties.outboundRules } deny_use_nat_gateway_instead_of_outbound_rules_for_production_load_lalancer contains reason if { resource := data.utils.resource(input, "azapi_resource")[_] data.utils.is_azure_type(resource.values, "Microsoft.Network/loadBalancers") - not valid_azapi_outbound_rules(resource) + not valid_azapi_use_nat_gateway_instead_of_outbound_rules_for_production_load_lalancer(resource) reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azapi_resource` must not config `outboundRules. Outbound rules for Standard Public Load Balancer involve manual port allocation for backend pools, limiting scalability and risk of SNAT port exhaustion. NAT Gateway is recommended for its dynamic scaling and secure internet connectivity.: https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Network/loadBalancers/#use-nat-gateway-instead-of-outbound-rules-for-production-workloads", [resource.address]) } \ No newline at end of file diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_loadBalancers_sku.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_loadBalancers_sku.rego index 0259a31..7f7f042 100644 --- a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_loadBalancers_sku.rego 
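Review bot: The rename copies the `load_lalancer` misspelling from the deny rule into both heads of the new helper, so the typo now lives in three identifiers in this file and again in `microsoft_network_loadBalancers_sku.rego`; these rule names surface in policy reports, so correcting them to `load_balancer` before they spread further is worthwhile. Separately, the second body `not resource.values.body.properties.outboundRules == resource.values.body.properties.outboundRules` is an opaque way to test for an absent attribute; `not resource.values.body.properties.outboundRules` behaves the same for undefined, `null` and non-empty lists, and the empty-list case is already handled by the first body. The message also opens a backtick before `outboundRules` that it never closes.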
+++ b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_loadBalancers_sku.rego @@ -1,8 +1,8 @@ -package Azure_Proactive_Resiliency_Library_v2.use_resilient_load_lalancer_sku +package Azure_Proactive_Resiliency_Library_v2 import rego.v1 -valid_azapi_sku(resource) if { +valid_azapi_use_resilient_load_lalancer_sku(resource) if { resource.values.body.sku.name resource.values.body.sku.name != "Basic" } @@ -10,7 +10,7 @@ valid_azapi_sku(resource) if { deny_use_resilient_load_lalancer_sku contains reason if { resource := data.utils.resource(input, "azapi_resource")[_] data.utils.is_azure_type(resource.values, "Microsoft.Network/loadBalancers") - not valid_azapi_sku(resource) + not valid_azapi_use_resilient_load_lalancer_sku(resource) reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azapi_resource` must not have 'sku.name' set to 'Basic': https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Network/loadBalancers/#use-standard-load-balancer-sku", [resource.address]) } \ No newline at end of file diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_publicIPAddresses.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_publicIPAddresses.rego index 0304700..d0fbeb1 100644 --- a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_publicIPAddresses.rego +++ b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_publicIPAddresses.rego @@ -1,8 +1,8 @@ -package Azure_Proactive_Resiliency_Library_v2.use_standard_sku_and_zone_redundant_ip +package Azure_Proactive_Resiliency_Library_v2 import rego.v1 -valid_azapi_sku_name(resource) if { +valid_azapi_use_standard_sku_and_zone_redundant_ip(resource) if { resource.values.body.sku.name == "Sandard" count(resource.values.body.zones) >= 2 } 
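Review bot: `resource.values.body.sku.name == "Sandard"` is a typo for `"Standard"`; since no public IP can carry that SKU name the valid rule can never succeed, and `deny_use_standard_sku_and_zone_redundant_ip` fires for every `Microsoft.Network/publicIPAddresses` resource, compliant ones included. Change it to `resource.values.body.sku.name == "Standard"`. If the azapi rules have mock fixtures like the azurerm ones in this commit, a compliant case (Standard SKU, two zones) for this policy would have caught the always-deny behaviour.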
@@ -10,7 +10,7 @@ valid_azapi_sku_name(resource) if { deny_use_standard_sku_and_zone_redundant_ip contains reason if { resource := data.utils.resource(input, "azapi_resource")[_] data.utils.is_azure_type(resource.values, "Microsoft.Network/publicIPAddresses") - not valid_azapi_sku_name(resource) + not valid_azapi_use_standard_sku_and_zone_redundant_ip(resource) reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azapi_resource` must have configured `sku.name` to `\"Standard\"` and a `zones` that cotnains at least 2 zones: https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Network/publicIPAddresses/#use-standard-sku-and-zone-redundant-ips-when-applicable", [resource.address]) } \ No newline at end of file diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_virtualNetworkGateways_properties_sku_name.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_virtualNetworkGateways_properties_sku_name.rego index debf04c..56d99d9 100644 --- a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_virtualNetworkGateways_properties_sku_name.rego +++ b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_virtualNetworkGateways_properties_sku_name.rego @@ -1,8 +1,8 @@ -package Azure_Proactive_Resiliency_Library_v2.virtual_network_gateway_use_zone_redundant_sku +package Azure_Proactive_Resiliency_Library_v2 import rego.v1 -valid_azapi_sku_name(resource) if { +valid_azapi_virtual_network_gateway_use_zone_redundant_sku(resource) if { zone_redundant_skus := {"ErGw1AZ", "ErGw2AZ", "ErGw3AZ", "VpnGw1AZ", "VpnGw2AZ", "VpnGw3AZ", "VpnGw4AZ", "VpnGw5AZ"} zone_redundant_skus[resource.values.body.properties.sku.name] } 
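Review bot: The `zone_redundant_skus` allow-list stops at `ErGw3AZ` and `VpnGw5AZ`; Microsoft also offers `ErGwScale`, which its documentation describes as a zone-redundant ExpressRoute gateway SKU, so gateways using it would be denied here. If that reading of the SKU docs is confirmed, add `"ErGwScale"` to the set and to the literal list repeated in the deny message, which otherwise drifts from the code. Formatting the set into the `sprintf` call instead of hand-copying it would remove that drift permanently.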
@@ -11,7 +11,7 @@ valid_azapi_sku_name(resource) if { deny_virtual_network_gateway_use_zone_redundant_sku contains reason if { resource := data.utils.resource(input, "azapi_resource")[_] data.utils.is_azure_type(resource.values, "Microsoft.Network/virtualNetworkGateways") - not valid_azapi_sku_name(resource) + not valid_azapi_virtual_network_gateway_use_zone_redundant_sku(resource) reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azapi_resource` must have configured `sku.name` to one of {\"ErGw1AZ\", \"ErGw2AZ\", \"ErGw3AZ\", \"VpnGw1AZ\", \"VpnGw2AZ\", \"VpnGw3AZ\", \"VpnGw4AZ\", \"VpnGw5AZ\"}: https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Network/virtualNetworkGateways/#use-zone-redundant-expressroute-gateway-skus", [resource.address]) } \ No newline at end of file diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/storage/microsoft_storage_storageAccounts_sku_name.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/storage/microsoft_storage_storageAccounts_sku_name.rego index 4dfcd17..7ad6ae6 100644 --- a/policy/Azure-Proactive-Resiliency-Library-v2/azapi/storage/microsoft_storage_storageAccounts_sku_name.rego +++ b/policy/Azure-Proactive-Resiliency-Library-v2/azapi/storage/microsoft_storage_storageAccounts_sku_name.rego 
@@ -1,15 +1,15 @@ -package Azure_Proactive_Resiliency_Library_v2.storage_accounts_are_zone_or_region_redundant +package Azure_Proactive_Resiliency_Library_v2 import rego.v1 -valid_azapi_account_replication_type(resource) if { +valid_azapi_storage_accounts_are_zone_or_region_redundant(resource) if { not endswith(resource.values.body.sku.name, "LRS") } deny_storage_accounts_are_zone_or_region_redundant contains reason if { resource := data.utils.resource(input, "azapi_resource")[_] data.utils.is_azure_type(resource.values, "Microsoft.Storage/storageAccounts") - not valid_azapi_account_replication_type(resource) + not valid_azapi_storage_accounts_are_zone_or_region_redundant(resource) reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azapi_resource` must not have configured `sku.name` to `\"Standard_LRS\"` nor `\"Premium_LRS\"`: https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Storage/storageAccounts/#ensure-that-storage-accounts-are-zone-or-region-redundant", [resource.address]) } \ No newline at end of file diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_linux_virtual_machine_availability_set_id.mock.json b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_linux_virtual_machine_availability_set_id.mock.json index e5a73e7..3724606 100644 --- a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_linux_virtual_machine_availability_set_id.mock.json +++ b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_linux_virtual_machine_availability_set_id.mock.json 
@@ -18,6 +18,25 @@ } ] }, + "null": { + "resource_changes": [ + { + "address": "azurerm_linux_virtual_machine.example", + "mode": "managed", + "type": "azurerm_linux_virtual_machine", + "name": "example", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "change": { + "actions": [ + "create" + ], + "after": { + "availability_set_id": null + } + } + } + ] + }, "invalid_case": { "resource_changes": [ { diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_linux_virtual_machine_availability_set_id.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_linux_virtual_machine_availability_set_id.rego index 63be664..ddd9318 100644 --- a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_linux_virtual_machine_availability_set_id.rego +++ b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_linux_virtual_machine_availability_set_id.rego @@ -1,10 +1,18 @@ -package Azure_Proactive_Resiliency_Library_v2.migrate_vm_using_availability_sets_to_vmss_flex +package Azure_Proactive_Resiliency_Library_v2 import rego.v1 +valid_azurerm_deny_migrate_vm_using_availability_sets_to_vmss_flex(_resource) if { + not _resource.values.availability_set_id +} + +valid_azurerm_deny_migrate_vm_using_availability_sets_to_vmss_flex(_resource) if { + _resource.values.availability_set_id == null +} + deny_migrate_vm_using_availability_sets_to_vmss_flex contains reason if { resource := data.utils.resource(input, "azurerm_linux_virtual_machine")[_] - resource.values.availability_set_id + not valid_azurerm_deny_migrate_vm_using_availability_sets_to_vmss_flex(resource) reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azurerm_linux_virtual_machine` must not define `availability_set_id`: https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Compute/virtualMachines/#migrate-vms-using-availability-sets-to-vmss-flex", [resource.address]) } \ No newline at end of file 
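Review bot: The new helper is named `valid_azurerm_deny_migrate_vm_using_availability_sets_to_vmss_flex`, which embeds `deny_` into a predicate that expresses the compliant state, so the name says the opposite of what the function does. The sibling azurerm files in this commit use `valid_<provider>_<rule>_<qualifier>` (e.g. `_os_disk_linux`); `valid_azurerm_migrate_vm_using_availability_sets_to_vmss_flex_linux(resource)` would fit that convention and avoid colliding with the Windows file's helper now that both live in one package. The `_resource` parameter name is also unusual, since a leading underscore conventionally marks an unused variable and it is used in both bodies; plain `resource` matches the rest of the package.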
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_linux_virtual_machine_os_disk_storage_account_type.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_linux_virtual_machine_os_disk_storage_account_type.rego index 8e30299..0408647 100644 --- a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_linux_virtual_machine_os_disk_storage_account_type.rego +++ b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_linux_virtual_machine_os_disk_storage_account_type.rego 
@@ -1,18 +1,18 @@ -package Azure_Proactive_Resiliency_Library_v2.mission_critical_virtual_machine_should_use_premium_or_ultra_disks +package Azure_Proactive_Resiliency_Library_v2 import rego.v1 -valid_azurerm_virtual_machine_os_disk_storage_account_type(resource) if { +valid_azurerm_mission_critical_virtual_machine_should_use_premium_or_ultra_disks_os_disk_linux(resource) if { startswith(resource.values.os_disk[_].storage_account_type, "Premium") } -valid_azurerm_virtual_machine_os_disk_storage_account_type(resource) if { +valid_azurerm_mission_critical_virtual_machine_should_use_premium_or_ultra_disks_os_disk_linux(resource) if { startswith(resource.values.os_disk[_].storage_account_type, "Ultra") } deny_mission_critical_virtual_machine_should_use_premium_or_ultra_disks contains reason if { resource := data.utils.resource(input, "azurerm_linux_virtual_machine")[_] - not valid_azurerm_virtual_machine_os_disk_storage_account_type(resource) + not valid_azurerm_mission_critical_virtual_machine_should_use_premium_or_ultra_disks_os_disk_linux(resource) reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azurerm_linux_virtual_machine` must have configured `os_disk.storage_account_type` to use Premium or Ultra type: https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Compute/virtualMachines/#mission-critical-workloads-should-consider-using-premium-or-ultra-disks", [resource.address]) } \ No newline at end of file diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_managed_disk_storage_account_type.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_managed_disk_storage_account_type.rego index b85d978..dbcc503 100644 --- a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_managed_disk_storage_account_type.rego +++ b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_managed_disk_storage_account_type.rego 
@@ -1,18 +1,18 @@ -package Azure_Proactive_Resiliency_Library_v2.mission_critical_virtual_machine_should_use_premium_or_ultra_disks +package Azure_Proactive_Resiliency_Library_v2 import rego.v1 -valid_azurerm_managed_disk_storage_account_type(resource) if { +valid_azurerm_mission_critical_virtual_machine_should_use_premium_or_ultra_disks_managed_disk(resource) if { startswith(resource.values.storage_account_type, "Premium") } -valid_azurerm_managed_disk_storage_account_type(resource) if { +valid_azurerm_mission_critical_virtual_machine_should_use_premium_or_ultra_disks_managed_disk(resource) if { startswith(resource.values.storage_account_type, "Ultra") } deny_mission_critical_virtual_machine_should_use_premium_or_ultra_disks contains reason if { resource := data.utils.resource(input, "azurerm_managed_disk")[_] - not valid_azurerm_managed_disk_storage_account_type(resource) + not valid_azurerm_mission_critical_virtual_machine_should_use_premium_or_ultra_disks_managed_disk(resource) reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azurerm_managed_disk` must have configured `storage_account_type` to use Premium or Ultra type: https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Compute/virtualMachines/#mission-critical-workloads-should-consider-using-premium-or-ultra-disks", [resource.address]) } \ No newline at end of file diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_windows_virtual_machine_availability_set_id.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_windows_virtual_machine_availability_set_id.rego index 09a885e..2efc7d2 100644 --- a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_windows_virtual_machine_availability_set_id.rego +++ b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_windows_virtual_machine_availability_set_id.rego 
@@ -1,4 +1,4 @@ -package Azure_Proactive_Resiliency_Library_v2.migrate_vm_using_availability_sets_to_vmss_flex +package Azure_Proactive_Resiliency_Library_v2 import rego.v1 diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_windows_virtual_machine_os_disk_storage_account_type.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_windows_virtual_machine_os_disk_storage_account_type.rego index 7c1ab16..e05abe4 100644 --- a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_windows_virtual_machine_os_disk_storage_account_type.rego +++ b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/compute/azurerm_windows_virtual_machine_os_disk_storage_account_type.rego 
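Review bot: This hunk only moves the Windows availability-set rule into the flat package; the rest of the file is outside the hunk so its deny body is not visible here, but the Linux counterpart in this same commit gained an explicit `availability_set_id == null` branch and a `null` mock case while nothing equivalent appears for Windows. If the Windows rule still uses the bare `resource.values.availability_set_id` condition, an `availability_set_id = null` attribute is a defined non-false value and would be denied for Windows VMs but accepted for Linux VMs. Please mirror the Linux change (or confirm it is already present) so both VM types are evaluated the same way.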
@@ -1,18 +1,18 @@
-package Azure_Proactive_Resiliency_Library_v2.mission_critical_virtual_machine_should_use_premium_or_ultra_disks
+package Azure_Proactive_Resiliency_Library_v2
 import rego.v1
-valid_azurerm_virtual_machine_os_disk_storage_account_type(resource) if {
+valid_azurerm_mission_critical_virtual_machine_should_use_premium_or_ultra_disks_os_disk_win(resource) if {
 startswith(resource.values.os_disk[_].storage_account_type, "Premium")
 }
-valid_azurerm_virtual_machine_os_disk_storage_account_type(resource) if {
+valid_azurerm_mission_critical_virtual_machine_should_use_premium_or_ultra_disks_os_disk_win(resource) if {
 startswith(resource.values.os_disk[_].storage_account_type, "Ultra")
 }
 deny_mission_critical_virtual_machine_should_use_premium_or_ultra_disks contains reason if {
 resource := data.utils.resource(input, "azurerm_windows_virtual_machine")[_]
- not valid_azurerm_virtual_machine_os_disk_storage_account_type(resource)
+ not valid_azurerm_mission_critical_virtual_machine_should_use_premium_or_ultra_disks_os_disk_win(resource)
 reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azurerm_windows_virtual_machine` must have configured `os_disk.storage_account_type` to use Premium or Ultra type: https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Compute/virtualMachines/#mission-critical-workloads-should-consider-using-premium-or-ultra-disks", [resource.address])
 }
\ No newline at end of file
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/containers/azurerm_kubernetes_cluster_default_node_pool_zones.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/containers/azurerm_kubernetes_cluster_default_node_pool_zones.rego
index 969e058..52ae03d 100644
--- a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/containers/azurerm_kubernetes_cluster_default_node_pool_zones.rego
+++ b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/containers/azurerm_kubernetes_cluster_default_node_pool_zones.rego
@@ -1,15 +1,15 @@
-package Azure_Proactive_Resiliency_Library_v2.configure_aks_default_node_pool_zones
+package Azure_Proactive_Resiliency_Library_v2
 import rego.v1
-valid_azurerm_zones(resource) if {
+valid_azurerm_configure_aks_default_node_pool_zones(resource) if {
 pool := resource.values.default_node_pool[_]
 count(pool.zones) >= 2
 }
 deny_configure_aks_default_node_pool_zones contains reason if {
 resource := data.utils.resource(input, "azurerm_kubernetes_cluster")[_]
- not valid_azurerm_zones(resource)
+ not valid_azurerm_configure_aks_default_node_pool_zones(resource)
 reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azurerm_kubernetes_cluster` must have configured `default_node_pool` to use at least 2 Availability Zones: https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/ContainerService/managedClusters/#deploy-aks-cluster-across-availability-zones", [resource.address])
 }
\ No newline at end of file
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/cosmos/azurerm_cosmosdb_account_backup_type.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/cosmos/azurerm_cosmosdb_account_backup_type.rego
index d11931c..28a1879 100644
--- a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/cosmos/azurerm_cosmosdb_account_backup_type.rego
+++ b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/cosmos/azurerm_cosmosdb_account_backup_type.rego
@@ -1,14 +1,14 @@
-package Azure_Proactive_Resiliency_Library_v2.configure_cosmosdb_account_continuous_backup_mode
+package Azure_Proactive_Resiliency_Library_v2
 import rego.v1
-valid_azurerm_cosmosdb_account_backup_policy_type(resource) if {
+valid_azurerm_configure_cosmosdb_account_continuous_backup_mode(resource) if {
 resource.values.backup[_].type == "Continuous"
 }
 deny_configure_cosmosdb_account_continuous_backup_mode contains reason if {
 resource := data.utils.resource(input, "azurerm_cosmosdb_account")[_]
- not valid_azurerm_cosmosdb_account_backup_policy_type(resource)
+ not valid_azurerm_configure_cosmosdb_account_continuous_backup_mode(resource)
 reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azurerm_cosmosdb_account` must have backup type configured to 'Continuous': https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/DocumentDB/databaseAccounts/#configure-continuous-backup-mode", [resource.address])
 }
\ No newline at end of file
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/legacy/azurerm_virtual_machine.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/legacy/azurerm_virtual_machine.rego
index e4456d6..4d5748d 100644
--- a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/legacy/azurerm_virtual_machine.rego
+++ b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/legacy/azurerm_virtual_machine.rego
@@ -1,4 +1,4 @@
-package Azure_Proactive_Resiliency_Library_v2.use_nat_gateway_instead_of_outbound_rules_for_production_load_lalancer
+package Azure_Proactive_Resiliency_Library_v2
 import rego.v1
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/loadbalancer/azurerm_lb_outbound_rule.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/loadbalancer/azurerm_lb_outbound_rule.rego
index 89c168c..88ca0d0 100644
--- a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/loadbalancer/azurerm_lb_outbound_rule.rego
+++ b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/loadbalancer/azurerm_lb_outbound_rule.rego
@@ -1,4 +1,4 @@
-package Azure_Proactive_Resiliency_Library_v2.use_nat_gateway_instead_of_outbound_rules_for_production_load_lalancer
+package Azure_Proactive_Resiliency_Library_v2
 import rego.v1
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/loadbalancer/azurerm_lb_sku.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/loadbalancer/azurerm_lb_sku.rego
index 965d954..00d6fe1 100644
--- a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/loadbalancer/azurerm_lb_sku.rego
+++ b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/loadbalancer/azurerm_lb_sku.rego
@@ -1,14 +1,14 @@
-package Azure_Proactive_Resiliency_Library_v2.use_resilient_load_lalancer_sku
+package Azure_Proactive_Resiliency_Library_v2
 import rego.v1
-valid_azurerm_sku(resource) if {
+valid_azurerm_use_resilient_load_lalancer_sku(resource) if {
 resource.values.sku != "Basic"
 }
 deny_use_resilient_load_lalancer_sku contains reason if {
 resource := data.utils.resource(input, "azurerm_lb")[_]
- not valid_azurerm_sku(resource)
+ not valid_azurerm_use_resilient_load_lalancer_sku(resource)
 reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azurerm_lb` must not have 'sku' set to 'Basic': https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Network/loadBalancers/#use-standard-load-balancer-sku", [resource.address])
 }
\ No newline at end of file
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/mysql/azurerm_mysql_flexible_server_geo_redundant_backup_enabled.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/mysql/azurerm_mysql_flexible_server_geo_redundant_backup_enabled.rego
index e1013f1..3002708 100644
--- a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/mysql/azurerm_mysql_flexible_server_geo_redundant_backup_enabled.rego
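Review bot: The rule name `deny_use_resilient_load_lalancer_sku` in the azurerm_lb_sku hunk carries the misspelling "lalancer", as do the packages removed from azurerm_lb_outbound_rule.rego and azurerm/legacy/azurerm_virtual_machine.rego just above; now that every rule lives in one package, the bare rule name is exactly what users list in `exception[rules]` (the readme example in this diff references `use_nat_gateway_instead_of_outbound_rules_for_production_load_lalancer`), so the spelling has become a public identifier and correcting it later will break existing exception files. If the name is going to be fixed, this package-flattening commit is the cheapest moment to do it, since exception files already have to be rewritten for the new package. If it is kept, a comment above the rule such as `# rule name spelling is frozen: users reference it in exception[rules]` records that the spelling is deliberate rather than an oversight.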
+++ b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/mysql/azurerm_mysql_flexible_server_geo_redundant_backup_enabled.rego
@@ -1,14 +1,14 @@
-package Azure_Proactive_Resiliency_Library_v2.azurerm_mysql_flexible_server
+package Azure_Proactive_Resiliency_Library_v2
 import rego.v1
-valid_geo_redundant_backup_enabled(resource) if {
+valid_mysql_flexible_server_geo_redundant_backup_enabled(resource) if {
 resource.values.geo_redundant_backup_enabled == true
 }
 deny_mysql_flexible_server_geo_redundant_backup_enabled contains reason if {
 resource := data.utils.resource(input, "azurerm_mysql_flexible_server")[_]
- not valid_geo_redundant_backup_enabled(resource)
+ not valid_mysql_flexible_server_geo_redundant_backup_enabled(resource)
 reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azurerm_mysql_flexible_server` must have 'geo_redundant_backup_enabled.mode' set to 'true': https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/DBforMySQL/flexibleServers/#configure-geo-redundant-backup-storage", [resource.address])
 }
\ No newline at end of file
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/mysql/azurerm_mysql_flexible_server_high_availability_mode.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/mysql/azurerm_mysql_flexible_server_high_availability_mode.rego
index 201e25f..9a7bfaf 100644
--- a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/mysql/azurerm_mysql_flexible_server_high_availability_mode.rego
+++ b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/mysql/azurerm_mysql_flexible_server_high_availability_mode.rego
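Review bot: The violation message in the `reason` line of this hunk names `'geo_redundant_backup_enabled.mode'`, but the helper two lines above compares the boolean `resource.values.geo_redundant_backup_enabled == true`; there is no `.mode` sub-attribute on that field, and the wording looks carried over from the neighbouring high_availability rule. Change the fragment to `must have 'geo_redundant_backup_enabled' set to 'true'` so the remediation text points users at the attribute the rule actually checks. The helper name was also changed without the `azurerm_` prefix the other renamed helpers in this diff use (`valid_mysql_flexible_server_...` versus `valid_azurerm_mysql_flexible_server_...` in the high_availability hunk right after it), which is worth aligning while the file is being touched.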
@@ -1,14 +1,14 @@
-package Azure_Proactive_Resiliency_Library_v2.azurerm_mysql_flexible_server
+package Azure_Proactive_Resiliency_Library_v2
 import rego.v1
-valid_high_availability_mode(resource) if {
+valid_azurerm_mysql_flexible_server_high_availability_mode_zone_redundant(resource) if {
 resource.values.high_availability[_].mode == "ZoneRedundant"
 }
 deny_mysql_flexible_server_high_availability_mode_zone_redundant contains reason if {
 resource := data.utils.resource(input, "azurerm_mysql_flexible_server")[_]
- not valid_high_availability_mode(resource)
+ not valid_azurerm_mysql_flexible_server_high_availability_mode_zone_redundant(resource)
 reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azurerm_mysql_flexible_server` must have 'high_availability.mode' set to 'ZoneRedundant': https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/DBforMySQL/flexibleServers/#enable-ha-with-zone-redundancy", [resource.address])
 }
\ No newline at end of file
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/network/azurerm_application_gateway_sku_name.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/network/azurerm_application_gateway_sku_name.rego
index cd6a47f..9316098 100644
--- a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/network/azurerm_application_gateway_sku_name.rego
+++ b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/network/azurerm_application_gateway_sku_name.rego
@@ -1,18 +1,18 @@
-package Azure_Proactive_Resiliency_Library_v2.migrate_to_application_gateway_v2
+package Azure_Proactive_Resiliency_Library_v2
 import rego.v1
-valid_azurerm_sku(resource) if {
+valid_azurerm_migrate_to_application_gateway_v2(resource) if {
 resource.values.sku[_].name == "Standard_v2"
 }
-valid_azurerm_sku(resource) if {
+valid_azurerm_migrate_to_application_gateway_v2(resource) if {
 resource.values.sku[_].name == "WAF_v2"
 }
 deny_migrate_to_application_gateway_v2 contains reason if {
 resource := data.utils.resource(input, "azurerm_application_gateway")[_]
- not valid_azurerm_sku(resource)
+ not valid_azurerm_migrate_to_application_gateway_v2(resource)
 reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azurerm_application_gateway` must have 'sku.name' set to 'Standard_v2' or 'WAF_v2': https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Network/applicationGateways/#migrate-to-application-gateway-v2", [resource.address])
 }
\ No newline at end of file
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/network/azurerm_application_gateway_zones.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/network/azurerm_application_gateway_zones.rego
index 4805973..d795736 100644
--- a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/network/azurerm_application_gateway_zones.rego
+++ b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/network/azurerm_application_gateway_zones.rego
@@ -1,15 +1,15 @@
-package Azure_Proactive_Resiliency_Library_v2.deploy_application_gateway_in_a_zone_redundant_configuration
+package Azure_Proactive_Resiliency_Library_v2
 import rego.v1
-valid_azurerm_zones(resource) if {
+valid_azurerm_deploy_application_gateway_in_a_zone_redundant_configuration(resource) if {
 resource.values.zones == resource.values.zones
 count(resource.values.zones) >= 2
 }
 deny_deploy_application_gateway_in_a_zone_redundant_configuration contains reason if {
 resource := data.utils.resource(input, "azurerm_application_gateway")[_]
- not valid_azurerm_zones(resource)
+ not valid_azurerm_deploy_application_gateway_in_a_zone_redundant_configuration(resource)
 reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azurerm_application_gateway` must have configured to use at least 2 Availability Zones: https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Network/applicationGateways/#deploy-application-gateway-in-a-zone-redundant-configuration", [resource.address])
 }
\ No newline at end of file
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/network/azurerm_public_ip_zone_redundant.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/network/azurerm_public_ip_zone_redundant.rego
index e77c57f..1ef76e1 100644
--- a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/network/azurerm_public_ip_zone_redundant.rego
+++ b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/network/azurerm_public_ip_zone_redundant.rego
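Review bot: The line `resource.values.zones == resource.values.zones` in `valid_azurerm_deploy_application_gateway_in_a_zone_redundant_configuration` is a self-comparison that contributes nothing: when `zones` is absent the reference is undefined and the body already fails, and `count(resource.values.zones) >= 2` on the following line fails on its own in that case as well. Dropping it leaves the helper with the single line `count(resource.values.zones) >= 2`, which states the intent directly; the kubernetes_cluster and public_ip zone checks elsewhere in this diff already use that shape, so the three zone rules would then read consistently. If the line was meant as an explicit existence guard, a comment saying so would be clearer than the comparison, but as written it is presumably a leftover.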
@@ -1,15 +1,15 @@
-package Azure_Proactive_Resiliency_Library_v2.public_ip_use_standard_sku_and_zone_redundant_ip
+package Azure_Proactive_Resiliency_Library_v2
 import rego.v1
-valid_azurerm_sku(resource) if {
+valid_azurerm_public_ip_use_standard_sku_and_zone_redundant_ip(resource) if {
 resource.values.sku == "Standard"
 count(resource.values.zones) >= 2
 }
 deny_public_ip_use_standard_sku_and_zone_redundant_ip contains reason if {
 resource := data.utils.resource(input, "azurerm_public_ip")[_]
- not valid_azurerm_sku(resource)
+ not valid_azurerm_public_ip_use_standard_sku_and_zone_redundant_ip(resource)
 reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azurerm_public_ip` must have configured `sku` to `\"Standard\"` and a `zones` that cotnains at least 2 zones: https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Network/publicIPAddresses/#use-standard-sku-and-zone-redundant-ips-when-applicable", [resource.address])
 }
\ No newline at end of file
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/network/azurerm_virtual_network_gateway_sku.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/network/azurerm_virtual_network_gateway_sku.rego
index 4ae4f35..9f33cc5 100644
--- a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/network/azurerm_virtual_network_gateway_sku.rego
+++ b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/network/azurerm_virtual_network_gateway_sku.rego
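Review bot: The violation message in the `reason` line of this hunk misspells `cotnains` (should be `contains`), and because this string is what ends up in conftest output the typo is reproduced in every report for this rule. While the line is being edited, the `\"Standard\"` fragment with escaped double quotes could be written as `'Standard'`, which is the quoting style the azurerm_lb, azurerm_application_gateway and azurerm_storage_account messages in this diff use for attribute values.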
@@ -1,15 +1,15 @@
-package Azure_Proactive_Resiliency_Library_v2.virtual_network_gateway_use_zone_redundant_sku
+package Azure_Proactive_Resiliency_Library_v2
 import rego.v1
-valid_azurerm_sku(resource) if {
+valid_azurerm_virtual_network_gateway_use_zone_redundant_sku(resource) if {
 zone_redundant_skus := {"ErGw1AZ", "ErGw2AZ", "ErGw3AZ", "VpnGw1AZ", "VpnGw2AZ", "VpnGw3AZ", "VpnGw4AZ", "VpnGw5AZ"}
 zone_redundant_skus[resource.values.sku]
 }
 deny_virtual_network_gateway_use_zone_redundant_sku contains reason if {
 resource := data.utils.resource(input, "azurerm_virtual_network_gateway")[_]
- not valid_azurerm_sku(resource)
+ not valid_azurerm_virtual_network_gateway_use_zone_redundant_sku(resource)
 reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azurerm_virtual_network_gateway` must have configured `sku` to one of {\"ErGw1AZ\", \"ErGw2AZ\", \"ErGw3AZ\", \"VpnGw1AZ\", \"VpnGw2AZ\", \"VpnGw3AZ\", \"VpnGw4AZ\", \"VpnGw5AZ\"}: https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Network/virtualNetworkGateways/#use-zone-redundant-expressroute-gateway-skus", [resource.address])
 }
\ No newline at end of file
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/postgres/azurerm_postgresql_flexible_server_high_availability_mode.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/postgres/azurerm_postgresql_flexible_server_high_availability_mode.rego
index 155eb58..8a54fd7 100644
--- a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/postgres/azurerm_postgresql_flexible_server_high_availability_mode.rego
+++ b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/postgres/azurerm_postgresql_flexible_server_high_availability_mode.rego
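Review bot: The accepted SKU list in `valid_azurerm_virtual_network_gateway_use_zone_redundant_sku` is duplicated verbatim inside the sprintf message in the deny rule, so extending `zone_redundant_skus` without also editing the message leaves the reported remediation stale and users chasing an outdated list. Hoisting the set to a package-level constant and passing it as a second sprintf argument with `%v` in place of the literal list keeps the two in step; `resource.values.sku in zone_redundant_skus` also reads more directly than the `zone_redundant_skus[resource.values.sku]` lookup, and `in` is already available through the existing `import rego.v1`. Note that the set is the single source of truth for what counts as zone-redundant, so a comment on it naming where the list comes from (the linked APRL page) would help the next person who has to update it.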
@@ -1,14 +1,14 @@
-package Azure_Proactive_Resiliency_Library_v2.postgresql_flexible_server_high_availability_mode_zone_redundant
+package Azure_Proactive_Resiliency_Library_v2
 import rego.v1
-valid_azurerm_high_availability_mode(resource) if {
+valid_azurerm_postgresql_flexible_server_high_availability_mode_zone_redundant(resource) if {
 resource.values.high_availability[_].mode == "ZoneRedundant"
 }
 deny_postgresql_flexible_server_high_availability_mode_zone_redundant contains reason if {
 resource := data.utils.resource(input, "azurerm_postgresql_flexible_server")[_]
- not valid_azurerm_high_availability_mode(resource)
+ not valid_azurerm_postgresql_flexible_server_high_availability_mode_zone_redundant(resource)
 reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azurerm_postgresql_flexible_server` must have 'high_availability.mode' set to 'ZoneRedundant': https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/DBforPostgreSQL/flexibleServers/#enable-ha-with-zone-redundancy", [resource.address])
 }
\ No newline at end of file
diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/storage/azurerm_storage_account_account_replication_type.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/storage/azurerm_storage_account_account_replication_type.rego
index 84e1437..af7bc66 100644
--- a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/storage/azurerm_storage_account_account_replication_type.rego
+++ b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/storage/azurerm_storage_account_account_replication_type.rego
@@ -1,14 +1,14 @@
-package Azure_Proactive_Resiliency_Library_v2.storage_accounts_are_zone_or_region_redundant
+package Azure_Proactive_Resiliency_Library_v2
 import rego.v1
-valid_azurerm_account_replication_type(resource) if {
+valid_azurerm_storage_accounts_are_zone_or_region_redundant(resource) if {
 resource.values.account_replication_type != "LRS"
 }
 deny_storage_accounts_are_zone_or_region_redundant contains reason if {
 resource := data.utils.resource(input, "azurerm_storage_account")[_]
- not valid_azurerm_account_replication_type(resource)
+ not valid_azurerm_storage_accounts_are_zone_or_region_redundant(resource)
 reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azurerm_storage_account` must not have 'account_replication_type' set to 'LRS': https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Storage/storageAccounts/#ensure-that-storage-accounts-are-zone-or-region-redundant", [resource.address])
 }
\ No newline at end of file
diff --git a/policy/common/common.utils.rego b/policy/common/common.utils.rego
index c5d1a2c..9925db8 100644
--- a/policy/common/common.utils.rego
+++ b/policy/common/common.utils.rego
@@ -61,4 +61,4 @@ is_create_or_update(change_actions) if {
 is_resource_create_or_update(resource) if {
 is_create_or_update(resource.change.actions)
-}
+}
\ No newline at end of file
diff --git a/readme.md b/readme.md
index fcb63bf..296e934 100644
--- a/readme.md
+++ b/readme.md
@@ -77,20 +77,20 @@ conftest test --all-namespaces --update git::https://github.com/lonegunmanb/poli
 To apply a subset of policies, you can specify the policy folders you want to apply, e.g.:
 ```Bash
-conftest test --all-namespaces -p /policy/Azure-Proactive-Resiliency-Library-v2 -p /policy/common
+conftest test --all-namespaces --update git::https://github.com/lonegunmanb/policy-library-avmrego.git//policy/Azure-Proactive-Resiliency-Library-v2
 ```
-This will only apply the policies under `Azure-Proactive-Resiliency-Library-v2` and `common` folders. Please note that `policy/common` is required.
+This will only apply the policies under `Azure-Proactive-Resiliency-Library-v2`.
 To skip a subset of policies, you can create an exception rego file, e.g.:
 ```rego
-package Azure_Proactive_Resiliency_Library_v2.use_nat_gateway_instead_of_outbound_rules_for_production_load_lalancer
+package Azure_Proactive_Resiliency_Library_v2
 import rego.v1
 exception[rules] {
- rules = ["use_nat_gateway_instead_of_outbound_rules_for_production_load_lalancer"]
+ rules = ["use_nat_gateway_instead_of_outbound_rules_for_production_load_lalancer", "storage_accounts_are_zone_or_region_redundant"]
 }
 ```
@@ -153,6 +153,8 @@ Any keys other than `valid` and `invalid` would be treated as a single case, any
 To contribute a new policy, you **MUST** provide at least one valid case.
+All policies **MUST** support both `azurerm` and `azapi` providers.
 ## Use unique rule name as `deny` rule name
 Please do: