feat(query): implements "Beta - Blob Storage Without Soft Delete" (#7831)

* implements a query to ensure that resources of type "azurerm_storage_account" configure a value of 7 to 365 on their "blob_properties.delete_retention_policy.days" field.

Author: cx-andre-pereira

assets/queries/terraform/azure/blob_storage_without_soft_delete/metadata.json

@@ -0,0 +1,14 @@
+{
+  "id": "056d28cc-7ee9-4b12-b2d1-16b7b66db72d",
+  "queryName": "Beta - Blob Storage Without Soft Delete",
+  "severity": "HIGH",
+  "category": "Backup",
+  "descriptionText": "All 'azurerm_storage_account' resources should define a 'delete_retention_policy' block for their 'blob_properties' to allow data recovery",
+  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#delete_retention_policy-2",
+  "platform": "Terraform",
+  "descriptionID": "056d28cc",
+  "cloudProvider": "azure",
+  "cwe": "754",
+  "riskScore": "6.0",
+  "experimental": "true"
+}

assets/queries/terraform/azure/blob_storage_without_soft_delete/query.rego

@@ -0,0 +1,50 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+	resource := input.document[i].resource.azurerm_storage_account[name]
+
+	results := get_results(resource, name)
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "azurerm_storage_account",
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": results.searchKey,
+		"issueType": results.issueType,
+		"keyExpectedValue": results.keyExpectedValue,
+		"keyActualValue": results.keyActualValue,
+		"searchLine": results.searchLine
+	}
+}
+
+get_results(resource, name) = results {
+	not common_lib.valid_key(resource, "blob_properties")
+	results := {
+		"searchKey" : sprintf("azurerm_storage_account[%s]", [name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("'azurerm_storage_account[%s].blob_properties.delete_retention_policy' should be defined and not null", [name]),
+		"keyActualValue" : sprintf("'azurerm_storage_account[%s].blob_properties' is undefined or null", [name]),
+		"searchLine" : common_lib.build_search_line(["resource", "azurerm_storage_account", name], [])
+	}
+} else = results {
+	not common_lib.valid_key(resource.blob_properties, "delete_retention_policy")
+	results := {
+		"searchKey" : sprintf("azurerm_storage_account[%s].blob_properties", [name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("'azurerm_storage_account[%s].blob_properties.delete_retention_policy' should be defined and not null", [name]),
+		"keyActualValue" : sprintf("'azurerm_storage_account[%s].blob_properties.delete_retention_policy' is undefined or null", [name]),
+		"searchLine" : common_lib.build_search_line(["resource", "azurerm_storage_account", name, "blob_properties"], [])
+	}
+} else = results {
+	resource.blob_properties.delete_retention_policy.days < 7
+	results := {
+		"searchKey" : sprintf("azurerm_storage_account[%s].blob_properties.delete_retention_policy.days", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("'azurerm_storage_account[%s].blob_properties.delete_retention_policy.days' should be set to a value higher than '6'", [name]),
+		"keyActualValue" : sprintf("'azurerm_storage_account[%s].blob_properties.delete_retention_policy.days' is set to '%d'", [name, resource.blob_properties.delete_retention_policy.days]),
+		"searchLine" : common_lib.build_search_line(["resource", "azurerm_storage_account", name, "blob_properties", "delete_retention_policy", "days"], [])
+	}
+}

assets/queries/terraform/azure/blob_storage_without_soft_delete/test/negative.tf

@@ -0,0 +1,27 @@
+resource "azurerm_storage_account" "negative1" {
+  name                     = "negative1"
+  resource_group_name      = "testRG"
+  location                 = "northeurope"
+  account_tier             = "Premium"
+  account_replication_type = "LRS"
+  account_kind             = "FileStorage"
+
+  blob_properties {
+    delete_retention_policy {
+      days = 49
+    }
+  }
+}
+
+resource "azurerm_storage_account" "negative2" {
+  name                     = "negative2"
+  resource_group_name      = "testRG"
+  location                 = "northeurope"
+  account_tier             = "Premium"
+  account_replication_type = "LRS"
+  account_kind             = "FileStorage"
+
+  blob_properties {
+    delete_retention_policy {} # defaults to 7 days
+  }
+}

assets/queries/terraform/azure/blob_storage_without_soft_delete/test/positive.tf

@@ -0,0 +1,35 @@
+resource "azurerm_storage_account" "positive1" {
+  name                     = "positive1"
+  resource_group_name      = azurerm_resource_group.positive1.name
+  location                 = azurerm_resource_group.positive1.location
+  account_tier             = "Standard"
+  account_replication_type = "GRS"
+
+  # missing "blob_properties"
+}
+
+resource "azurerm_storage_account" "positive2" {
+  name                     = "positive2"
+  resource_group_name      = azurerm_resource_group.positive2.name
+  location                 = azurerm_resource_group.positive2.location
+  account_tier             = "Standard"
+  account_replication_type = "GRS"
+
+  blob_properties {
+    # missing "delete_retention_policy"
+  }
+}
+
+resource "azurerm_storage_account" "positive3" {
+  name                     = "positive3"
+  resource_group_name      = azurerm_resource_group.positive3.name
+  location                 = azurerm_resource_group.positive3.location
+  account_tier             = "Standard"
+  account_replication_type = "GRS"
+
+  blob_properties {
+    delete_retention_policy {
+      days = 5                  # lower than minimum value (7)
+    }
+  }
+}

assets/queries/terraform/azure/blob_storage_without_soft_delete/test/positive_expected_result.json

@@ -0,0 +1,17 @@
+[
+  {
+    "queryName": "Beta - Blob Storage Without Soft Delete",
+    "severity": "HIGH",
+    "line": 1
+  },
+  {
+    "queryName": "Beta - Blob Storage Without Soft Delete",
+    "severity": "HIGH",
+    "line": 18
+  },
+  {
+    "queryName": "Beta - Blob Storage Without Soft Delete",
+    "severity": "HIGH",
+    "line": 32
+  }
+]

assets/similarityID_transition/terraform_azure.yaml

@@ -3,6 +3,10 @@ similarityIDChangeList:
       queryName: Sensitive Port Is Exposed To Wide Private Network
       observations: ""
       change: 5
+    - queryId: 056d28cc-7ee9-4b12-b2d1-16b7b66db72d
+      queryName: Beta - Blob Storage Without Soft Delete
+      observations: ""
+      change: 2
     - queryId: 233ab26d-8f17-4dce-9616-41479da9ffe3
       queryName: Beta - Storage Account Using Unsafe SMB Channel Encryption
       observations: ""