fix(queries): fixed fp for trusted_microsoft_services_not_enabled and default_azure_storage_account_network_access_is_too_permissive

assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/query.rego

@@ -11,7 +11,7 @@ CxPolicy[result] {
 	res1 := publicNetworkAccessEnabled(resource)
 	res2 := aclsDefaultActionAllow(networkRules.rules)
 
-	issue := prepare_issue(res1, res2, var0, networkRules.type, networkRules.key)
+	issue := prepare_issue(res1, res2, var0, networkRules.type, networkRules.key, resource)
 
 	result := {
 		"documentId": input.document[i].id,
@@ -27,7 +27,7 @@ CxPolicy[result] {
 	}
 }
 
-prepare_issue(res1, res2, resource_id, rules_type, rules_key) = issue {
+prepare_issue(res1, res2, resource_id, rules_type, rules_key, resource) = issue {
     res1 == "not defined"
 	res2 == "not defined"
 	issue := {
@@ -41,6 +41,7 @@ prepare_issue(res1, res2, resource_id, rules_type, rules_key) = issue {
 	}
 } else = issue {
     res1 == "enabled"
+	not is_function_app(resource)
     issue := {
 		"kav": "azurerm_storage_account.public_network_access_enabled set to 'true'",
 		"kev": "azurerm_storage_account.public_network_access_enabled should be set to 'false'",
@@ -126,3 +127,14 @@ aclsDefaultActionAllow(network_rules) = reason {
 has_key(x, k) {
 	_ = x[k]
 }
+
+is_function_app(resource) {
+	common_lib.valid_key(resource, "tags")
+	is_object(resource.tags)
+	common_lib.valid_key(resource.tags, "bdo-attached-service")
+	resource.tags["bdo-attached-service"] == "function"
+} else {
+	common_lib.valid_key(resource, "tags")
+	not is_object(resource.tags)
+	regex.match("(?i)bdo-attached-service[\"']?\\s*=?\\s*[\"']?function[\"']?", resource.tags)
+} else = false

assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/test/negative3.tf

@@ -0,0 +1,18 @@
+resource "azurerm_resource_group" "example" {
+  name     = "example-resources"
+  location = "West Europe"
+}
+
+resource "azurerm_storage_account" "example" {
+  name                     = "positive3storageaccount"
+  resource_group_name      = azurerm_resource_group.example.name
+  location                 = azurerm_resource_group.example.location
+  account_tier             = "Standard"
+  account_replication_type = "GRS"
+  public_network_access_enabled = true
+
+  tags = {
+    environment = "staging"
+    bdo-attached-service = "function"
+  }
+}

assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/test/negative4.tf

@@ -0,0 +1,15 @@
+resource "azurerm_resource_group" "example" {
+  name     = "example-resources"
+  location = "West Europe"
+}
+
+resource "azurerm_storage_account" "example" {
+  name                     = "positive3storageaccount"
+  resource_group_name      = azurerm_resource_group.example.name
+  location                 = azurerm_resource_group.example.location
+  account_tier             = "Standard"
+  account_replication_type = "GRS"
+  public_network_access_enabled = true
+
+  tags = merge(local.tags_resources, { "bdo-attached-service" = "function", bdo_name_service = "storage_account" })
+}

assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/query.rego

@@ -5,6 +5,7 @@ import data.generic.terraform as tf_lib
 
 CxPolicy[result] {
 	resource := input.document[i].resource.azurerm_storage_account[name]
+	not is_function_app(resource)
 	not common_lib.valid_key(resource, "network_rules")
 
 	result := {
@@ -15,6 +16,7 @@ CxPolicy[result] {
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": "'network_rules' should be defined and not null",
 		"keyActualValue": "'network_rules' is undefined or null",
+		"searchLine": common_lib.build_search_line(["resource", "azurerm_storage_account", name], []),
 	}
 }
 
@@ -30,6 +32,7 @@ CxPolicy[result] {
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": "'network_rules.bypass' should be defined and not null",
 		"keyActualValue": "'network_rules.bypass' is undefined or null",
+		"searchLine": common_lib.build_search_line(["resource", "azurerm_storage_account", name, "network_rules"], []),
 	}
 }
 
@@ -46,6 +49,7 @@ CxPolicy[result] {
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": "'network_rules.bypass' should contain 'AzureServices'",
 		"keyActualValue": "'network_rules.bypass' does not contain 'AzureServices'",
+		"searchLine": common_lib.build_search_line(["resource", "azurerm_storage_account", name, "network_rules", "bypass"], []),
 	}
 }
 
@@ -61,6 +65,7 @@ CxPolicy[result] {
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": "'bypass' should be defined and not null",
 		"keyActualValue": "'bypass' is undefined or null",
+		"searchLine": common_lib.build_search_line(["resource", "azurerm_storage_account_network_rules", name], []),
 	}
 }
 
@@ -77,5 +82,17 @@ CxPolicy[result] {
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": "'bypass' should contain 'AzureServices'",
 		"keyActualValue": "'bypass' does not contain 'AzureServices'",
+		"searchLine": common_lib.build_search_line(["resource", "azurerm_storage_account_network_rules", name, "bypass"], []),
 	}
 }
+
+is_function_app(resource) {
+	common_lib.valid_key(resource, "tags")
+	is_object(resource.tags)
+	common_lib.valid_key(resource.tags, "bdo-attached-service")
+	resource.tags["bdo-attached-service"] == "function"
+} else {
+	common_lib.valid_key(resource, "tags")
+	not is_object(resource.tags)
+	regex.match("(?i)bdo-attached-service[\"']?\\s*=?\\s*[\"']?function[\"']?", resource.tags)
+} else = false

assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/test/negative1.tf

@@ -0,0 +1,30 @@
+resource "azurerm_storage_account" "example" {
+  name                = "storageaccountname"
+  resource_group_name = azurerm_resource_group.example.name
+
+  location                 = azurerm_resource_group.example.location
+  account_tier             = "Standard"
+  account_replication_type = "LRS"
+
+  network_rules {
+    default_action             = "Deny"
+	  bypass					   = ["AzureServices"]
+    ip_rules                   = ["100.0.0.1"]
+    virtual_network_subnet_ids = [azurerm_subnet.example.id]
+  }
+
+  tags = {
+    environment = "staging"
+  }
+}
+
+resource "azurerm_storage_account_network_rules" "example" {
+  resource_group_name  = azurerm_resource_group.test.name
+  storage_account_name = azurerm_storage_account.test.name
+  storage_account_id = azurerm_storage_account.example.id
+
+  default_action             = "Allow"
+  ip_rules                   = ["127.0.0.1"]
+  virtual_network_subnet_ids = [azurerm_subnet.test.id]
+  bypass                     = ["AzureServices"]
+}

assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/test/negative2.tf

@@ -0,0 +1,13 @@
+resource "azurerm_storage_account" "example" {
+  name                = "storageaccountname"
+  resource_group_name = azurerm_resource_group.example.name
+
+  location                 = azurerm_resource_group.example.location
+  account_tier             = "Standard"
+  account_replication_type = "LRS"
+
+  tags = {
+    environment = "staging"
+    bdo-attached-service = "function"
+  }
+}

assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/test/negative3.tf

@@ -0,0 +1,10 @@
+resource "azurerm_storage_account" "example" {
+  name                = "storageaccountname"
+  resource_group_name = azurerm_resource_group.example.name
+
+  location                 = azurerm_resource_group.example.location
+  account_tier             = "Standard"
+  account_replication_type = "LRS"
+
+  tags = merge(local.tags_resources, { "bdo-attached-service" = "function", bdo_name_service = "storage_account" })
+}

assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/test/negative4.tf

@@ -0,0 +1,30 @@
+resource "azurerm_storage_account" "example" {
+  name                = "storageaccountname"
+  resource_group_name = azurerm_resource_group.example.name
+
+  location                 = azurerm_resource_group.example.location
+  account_tier             = "Standard"
+  account_replication_type = "LRS"
+
+  network_rules {
+    default_action             = "Deny"
+	  bypass					   = ["AzureServices", "Metrics"]
+    ip_rules                   = ["100.0.0.1"]
+    virtual_network_subnet_ids = [azurerm_subnet.example.id]
+  }
+
+  tags = {
+    environment = "staging"
+  }
+}
+
+resource "azurerm_storage_account_network_rules" "example" {
+  resource_group_name  = azurerm_resource_group.test.name
+  storage_account_name = azurerm_storage_account.test.name
+  storage_account_id = azurerm_storage_account.example.id
+
+  default_action             = "Allow"
+  ip_rules                   = ["127.0.0.1"]
+  virtual_network_subnet_ids = [azurerm_subnet.test.id]
+  bypass                     = ["AzureServices", "Metrics"]
+}

assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/test/positive.tf → assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/test/positive1.tf

@@ -1,4 +1,4 @@
-resource "azurerm_storage_account_network_rules" "positive1" {
+resource "azurerm_storage_account_network_rules" "example" {
   resource_group_name  = azurerm_resource_group.test.name
   storage_account_name = azurerm_storage_account.test.name
 
@@ -8,7 +8,7 @@ resource "azurerm_storage_account_network_rules" "positive1" {
   bypass                     = ["Metrics"]
 }
 
-resource "azurerm_storage_account" "positive2" {
+resource "azurerm_storage_account" "example" {
   name                = "storageaccountname"
   resource_group_name = azurerm_resource_group.example.name
 
@@ -18,7 +18,7 @@ resource "azurerm_storage_account" "positive2" {
 
   network_rules {
     default_action             = "Deny"
-	bypass					   = ["None"]
+	  bypass					   = ["None"]
     ip_rules                   = ["100.0.0.1"]
     virtual_network_subnet_ids = [azurerm_subnet.example.id]
   }

assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/test/positive2.tf

@@ -0,0 +1,12 @@
+resource "azurerm_storage_account" "example" {
+  name                = "storageaccountname"
+  resource_group_name = azurerm_resource_group.example.name
+
+  location                 = azurerm_resource_group.example.location
+  account_tier             = "Standard"
+  account_replication_type = "LRS"
+
+  tags = {
+    environment = "staging"
+  }
+}