search

prancer-io / prancer-compliance-test

This repository includes cloud security policies for IaC and live resources.
https://www.prancer.io
39 stars 11 forks source link

're_match' function is not matching as expected in azure\terraform\dbauditingdbsettings.rego #139

Closed rezoan closed 3 years ago

rezoan commented 3 years ago

I was trying to run masterTestId: "TEST_DB_AUDITING_DB_SETTINGS_1" from master-compliance-test.json. in related rego file at azure\terraform\dbauditingdbsettings.rego under azure_issue rule re_match(concat("", ["^.*\\.", resource.name, "\\..*$"]), r.properties.database_id); is not matching the db name correctly between azurerm_mssql_database and azurerm_mssql_database_extended_auditing_policy

Regular expression is not correct and it is always returning false event if there is a matching input as well asresource.name should be resource.properties.name

For example : i have azurerm_mssql_database name in terraform as prancer-sql-db which should be the resource.properties.name and r.properties.database_id should have the sql db id with format "/subscriptions/{subscription_Id}/resourceGroups/{rg_name}/providers/Microsoft.Sql/servers/{sql_server_name}/databases/prancer-sql-db". we can see it has the db name at the end. if we need to do a successful match we need to parse the db name out of the r.properties.database_id and match with resource.properties.name , otherwise match will fail.

So, if we do the OPA run console to a do a test quickly and put re_match(concat("", ["^.*\\.", "prancer-sql-db", "\\..*$"]), "/subscriptions/subscription_Id/resourceGroups/rg_name/providers/Microsoft.Sql/servers/sql_server_name/databases/prancer-sql-db") it is returning false but it should return true. which clearly demonstrate the regex is not correct.

There is a true == false at the end of the rule which is actually returning the output and by forcing we are making the rule to send false output which is a pass case scenario here.

rezoan commented 3 years ago

SNAPSHOT NAME: TRF_TEMPLATE_SNAPSHOT25 under validation/secnario-terraform-azure in prancer-hello-world

{
  "structure": "filesystem",
  "error": null,
  "reference": "master",
  "source": "gitConnectorTerraform",
  "paths": [
    "/azure/mssql_servers/terraform.tfvars",
    "/azure/mssql_servers/vars.tf",
    "/azure/mssql_servers/provider.tf",
    "/azure/mssql_servers/main.tf"
  ],
  "timestamp": 1626517217331,
  "queryuser": null,
  "checksum": "99914b932bd37a50b983c5e7c90ae93b",
  "node": {
    "masterSnapshotId": "TRF_TEMPLATE_SNAPSHOT",
    "type": "terraform",
    "collection": "terraformtemplate",
    "paths": [
      "/azure/mssql_servers/terraform.tfvars",
      "/azure/mssql_servers/vars.tf",
      "/azure/mssql_servers/provider.tf",
      "/azure/mssql_servers/main.tf"
    ],
    "snapshotId": "TRF_TEMPLATE_SNAPSHOT25",
    "status": "active",
    "validate": true
  },
  "snapshotId": "TRF_TEMPLATE_SNAPSHOT25",
  "collection": "terraformtemplate",
  "json": {
    "data": {
      "azurerm_client_config": {
        "current": {}
      }
    },
    "resources": [
      {
        "type": "azurerm_storage_account",
        "name": "storageAccount",
        "properties": {
          "name": "prancerstorageaccount007",
          "resource_group_name": "prancer-test-rg",
          "location": "eastus2",
          "account_tier": "Standard",
          "account_replication_type": "LRS",
          "enable_https_traffic_only": false,
          "allow_blob_public_access": "${var.allow_blob_public_access}",
          "tags": {},
          "storage_count": 1,
          "storage_name": "prancerstorageaccount007",
          "storage_rg_name": "prancer-test-rg",
          "accountTier": "Standard",
          "replicationType": "LRS",
          "enableSecureTransfer": false
        }
      },
      {
        "type": "azurerm_storage_container",
        "name": "storageContainer",
        "properties": {
          "name": "prancer-storage-container",
          "storage_account_name": "${module.storageAccount.name[0]}",
          "container_access_type": "private",
          "storage_container_name": "prancer-storage-container",
          "storage_container_access_type": "private"
        }
      },
      {
        "type": "azurerm_mssql_server",
        "name": "mssqlserver",
        "properties": {
          "name": "prancer-sql-server",
          "resource_group_name": "prancer-test-rg",
          "location": "eastus2",
          "version": 12.0,
          "administrator_login": "prancer_admin",
          "administrator_login_password": "vijcykDaHarj+Oz5",
          "azuread_administrator": {
            "login_username": "adadmin",
            "object_id": "${data.azurerm_client_config.current.object_id}"
          },
          "tags": {},
          "server_name": "prancer-sql-server",
          "server_rg": "prancer-test-rg",
          "server_version": 12.0,
          "admin_user": "prancer_admin",
          "admin_password": "vijcykDaHarj+Oz5",
          "sql_ad_username": "adadmin",
          "sql_ad_object_id": "${data.azurerm_client_config.current.object_id}"
        }
      },
      {
        "type": "azurerm_mssql_server_security_alert_policy",
        "name": "mssqlsecuritypolicy",
        "properties": {
          "resource_group_name": "prancer-test-rg",
          "server_name": "${module.sqlServer.sqlserver_name}",
          "state": "Enabled",
          "storage_endpoint": "${module.storageAccount.primaryblob_uri[0]}",
          "storage_account_access_key": "${module.storageAccount.storage_primary_access_key[0]}",
          "disabled_alerts": [
            "Unsafe_Action"
          ],
          "retention_days": 30,
          "email_account_admins": false,
          "email_addresses": [],
          "count": 0,
          "sql_server_rg": "prancer-test-rg",
          "sql_server_name": "${module.sqlServer.sqlserver_name}",
          "sql_sec_policy_state": "Enabled",
          "sql_sec_policy_endpoint": "${module.storageAccount.primaryblob_uri[0]}",
          "sql_sec_policy_access_key": "${module.storageAccount.storage_primary_access_key[0]}",
          "sql_sec_policy_disabled_alerts": [
            "Unsafe_Action"
          ],
          "sql_sec_policy_retention": 30,
          "sql_sec_email_account_admins": false,
          "sql_sec_email_addresses": []
        }
      },
      {
        "type": "azurerm_mssql_server_vulnerability_assessment",
        "name": "mssqlvulnassessment",
        "properties": {
          "server_security_alert_policy_id": "${module.sqlServerSecurityPolicy[0].pid}",
          "storage_container_path": "${module.storageAccount.primaryblob_uri[0]}${module.storageContainer.name}/",
          "storage_account_access_key": "${module.storageAccount.storage_primary_access_key[0]}",
          "recurring_scans": {
            "enabled": false,
            "email_subscription_admins": false,
            "emails": []
          },
          "count": 0,
          "sql_vuln_alert_policy_id": "${module.sqlServerSecurityPolicy[0].pid}",
          "sql_vuln_container_path": "${module.storageAccount.primaryblob_uri[0]}${module.storageContainer.name}/",
          "sql_vuln_access_key": "${module.storageAccount.storage_primary_access_key[0]}",
          "sql_vuln_scan_enabled": false,
          "sql_vuln_scan_admin_email": false,
          "sql_vuln_scan_emails": []
        }
      },
      {
        "type": "azurerm_sql_firewall_rule",
        "name": "sqlserverfw",
        "properties": {
          "name": "prancer-sql-fw-block-10-net",
          "resource_group_name": "prancer-test-rg",
          "server_name": "${module.sqlServer.sqlserver_name}",
          "start_ip_address": "0.0.0.0",
          "end_ip_address": "0.0.0.0",
          "count": 0,
          "sql_fw_name": "prancer-sql-fw-block-10-net",
          "sql_fw_rg": "prancer-test-rg",
          "sql_server_name": "${module.sqlServer.sqlserver_name}",
          "sql_fw_start_ip": "0.0.0.0",
          "sql_fw_end_ip": "0.0.0.0"
        }
      },
      {
        "type": "azurerm_mssql_server_extended_auditing_policy",
        "name": "mssqlaudit",
        "properties": {
          "server_id": "${module.sqlServer.sqlserver_id}",
          "storage_endpoint": "${module.storageAccount.primaryblob_uri[0]}",
          "storage_account_access_key": "${module.storageAccount.storage_primary_access_key[0]}",
          "storage_account_access_key_is_secondary": true,
          "retention_in_days": 30,
          "sql_server_id": "${module.sqlServer.sqlserver_id}",
          "sql_audit_endpoint": "${module.storageAccount.primaryblob_uri[0]}",
          "sql_audit_access_key": "${module.storageAccount.storage_primary_access_key[0]}",
          "sql_audit_access_key_is_2nd": true,
          "sql_audit_retention": 30
        }
      },
      {
        "type": "azurerm_mssql_database",
        "name": "mssqldb",
        "properties": {
          "name": "prancer-sql-db",
          "server_id": "${module.sqlServer.sqlserver_id}",
          "collation": "SQL_Latin1_General_CP1_CI_AS",
          "license_type": "LicenseIncluded",
          "max_size_gb": 2,
          "read_scale": false,
          "sku_name": "Basic",
          "zone_redundant": false,
          "tags": {},
          "threat_detection_policy": {
            "state": "Disabled",
            "email_account_admins": "Disabled",
            "retention_days": 0,
            "storage_account_access_key": null,
            "storage_endpoint": null,
            "use_server_default": "Disabled"
          },
          "sql_db_name": "prancer-sql-db",
          "sql_server_id": "${module.sqlServer.sqlserver_id}",
          "sql_db_collation": "SQL_Latin1_General_CP1_CI_AS",
          "sql_db_license_type": "LicenseIncluded",
          "sql_db_max_size_gb": 2,
          "sql_db_read_scale": false,
          "sql_db_sku_name": "Basic",
          "sql_db_zone_redundant": false
        }
      },
      {
        "type": "azurerm_mssql_database_extended_auditing_policy",
        "name": "mssqldbaudit",
        "properties": {
          "database_id": "${module.sqlDB.id}",
          "storage_endpoint": "${module.storageAccount.primaryblob_uri[0]}",
          "storage_account_access_key": "${module.storageAccount.storage_primary_access_key[0]}",
          "storage_account_access_key_is_secondary": true,
          "retention_in_days": 30,
          "count": 0,
          "sqldb_database_id": "${module.sqlDB.id}",
          "sqldb_audit_endpoint": "${module.storageAccount.primaryblob_uri[0]}",
          "sqldb_audit_access_key": "${module.storageAccount.storage_primary_access_key[0]}",
          "sqldb_audit_access_key_is_2nd": true,
          "sqldb_audit_retention": 30
        }
      }
    ]
  }
}
rezoan commented 3 years ago

Wondering how we are populating the database_idout of "${module.sqlDB.id}" variable in the snapshot. are we doing any post processing to terraform repo to get that?

{
        "type": "azurerm_mssql_database_extended_auditing_policy",
        "name": "mssqldbaudit",
        "properties": {
          "database_id": "${module.sqlDB.id}",
          "storage_endpoint": "${module.storageAccount.primaryblob_uri[0]}",
          "storage_account_access_key": "${module.storageAccount.storage_primary_access_key[0]}",
          "storage_account_access_key_is_secondary": true,
          "retention_in_days": 30,
          "count": 0,
          "sqldb_database_id": "${module.sqlDB.id}",
          "sqldb_audit_endpoint": "${module.storageAccount.primaryblob_uri[0]}",
          "sqldb_audit_access_key": "${module.storageAccount.storage_primary_access_key[0]}",
          "sqldb_audit_access_key_is_2nd": true,
          "sqldb_audit_retention": 30
        }
      }
rezoan commented 3 years ago

@farchide @vatsalgit5118 same issue exist in https://github.com/prancer-io/prancer-compliance-test/blob/master/azure/terraform/vnetsubnets.rego as well.