diff --git a/rules/S6388/azureresourcemanager/examples/Microsoft.AzureArcData_sqlServerInstances_databases.compliant.adoc b/rules/S6388/azureresourcemanager/examples/Microsoft.AzureArcData_sqlServerInstances_databases.compliant.adoc index 9cd0f0ba479..54b048afc32 100644 --- a/rules/S6388/azureresourcemanager/examples/Microsoft.AzureArcData_sqlServerInstances_databases.compliant.adoc +++ b/rules/S6388/azureresourcemanager/examples/Microsoft.AzureArcData_sqlServerInstances_databases.compliant.adoc @@ -19,3 +19,14 @@ Enabled encryption on SQL service instance database: ] } ---- + +[source,bicep,diff-id=1211,diff-type=compliant] +---- +resource symbolicname 'Microsoft.AzureArcData/sqlServerInstances/databases@2023-03-15-preview' = { + properties: { + databaseOptions: { + isEncrypted: true + } + } +} +---- diff --git a/rules/S6388/azureresourcemanager/examples/Microsoft.AzureArcData_sqlServerInstances_databases.noncompliant.adoc b/rules/S6388/azureresourcemanager/examples/Microsoft.AzureArcData_sqlServerInstances_databases.noncompliant.adoc index 42be99bcd48..adbd550bb64 100644 --- a/rules/S6388/azureresourcemanager/examples/Microsoft.AzureArcData_sqlServerInstances_databases.noncompliant.adoc +++ b/rules/S6388/azureresourcemanager/examples/Microsoft.AzureArcData_sqlServerInstances_databases.noncompliant.adoc @@ -19,3 +19,14 @@ Disabled encryption on SQL service instance database: ] } ---- + +[source,bicep,diff-id=1211,diff-type=noncompliant] +---- +resource symbolicname 'Microsoft.AzureArcData/sqlServerInstances/databases@2023-03-15-preview' = { + properties: { + databaseOptions: { + isEncrypted: false + } + } +} +---- diff --git a/rules/S6388/azureresourcemanager/examples/Microsoft.Compute_disks.compliant.adoc b/rules/S6388/azureresourcemanager/examples/Microsoft.Compute_disks.compliant.adoc index 2c749177102..b2ec3ae82ad 100644 --- a/rules/S6388/azureresourcemanager/examples/Microsoft.Compute_disks.compliant.adoc 
+++ b/rules/S6388/azureresourcemanager/examples/Microsoft.Compute_disks.compliant.adoc @@ -21,6 +21,18 @@ Enabled encryption for managed disk: } ---- +[source,bicep,diff-id=311,diff-type=compliant] +---- +resource symbolicname 'Microsoft.Compute/disks@2022-07-02' = { + properties: { + encryption: { + diskEncryptionSetId: 'string' + type: 'string' + } + } +} +---- + Enabled encryption through setting https://learn.microsoft.com/en-us/azure/templates/microsoft.compute/disks?pivots=deployment-language-arm-template#encryptionsettingscollection-1[encryptionSettingsCollection]: [source,json] ---- @@ -51,6 +63,27 @@ Enabled encryption through setting https://learn.microsoft.com/en-us/azure/templ } ---- +[source,bicep,diff-id=312,diff-type=compliant] +---- +resource symbolicname 'Microsoft.Compute/disks@2022-07-02' = { + properties: { + encryptionSettingsCollection: { + enabled: true + encryptionSettings: [ + { + diskEncryptionKey: { + secretUrl: 'string' + sourceVault: { + id: 'string' + } + } + } + ] + } + } +} +---- + Enabled encryption through a security profile for an OS disk: [source,json] ---- @@ -71,3 +104,15 @@ Enabled encryption through a security profile for an OS disk: ] } ---- + +[source,bicep,diff-id=313,diff-type=compliant] +---- +resource symbolicname 'Microsoft.Compute/disks@2022-07-02' = { + properties: { + securityProfile: { + secureVMDiskEncryptionSetId: 'string' + securityType: '{ConfidentialVM_DiskEncryptedWithCustomerKey | ConfidentialVM_DiskEncryptedWithPlatformKey | ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey | TrustedLaunch}' + } + } +} +---- diff --git a/rules/S6388/azureresourcemanager/examples/Microsoft.Compute_snapshots.compliant.adoc b/rules/S6388/azureresourcemanager/examples/Microsoft.Compute_snapshots.compliant.adoc index beeb26ae752..fc7c68e2a07 100644 --- a/rules/S6388/azureresourcemanager/examples/Microsoft.Compute_snapshots.compliant.adoc 
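Review bot: In Microsoft.Compute_disks.compliant.adoc, the first hunk (diff-id=311) gives `type: 'string'` for the disk encryption type, so the compliant sample shows no value a reader can copy. The matching snapshot sample in this commit (diff-id=411) instead lists the accepted values as `'{EncryptionAtRestWithCustomerKey | ...}'`. Neither form deploys as written, so I would use one concrete value in both files, e.g. `type: 'EncryptionAtRestWithCustomerKey'`, which fits the `diskEncryptionSetId` set beside it. The same brace-and-pipe placeholder inside a string literal appears for `securityType` (diff-id=313, 413), `encryptionSettingsVersion` (412) and `encryptionAtRestType` (1512).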
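Review bot: The `encryptionSettingsCollection` sample in Microsoft.Compute_disks.compliant.adoc carries `diff-id=312` but has no noncompliant partner in this commit, and the JSON sample directly above it is a plain `[source,json]` with no diff-id. Most other diff-ids visible here occur once as `diff-type=compliant` and once as `diff-type=noncompliant`, so the attribute appears to be a pairing key. If that is the case, the unpaired Bicep blocks should be declared as `[source,bicep]`, like their JSON siblings. The same applies to 311 and 313 in this file, 411 and 413 in the snapshots file, 213 and 215 for scale sets, and 113 and 116 for virtual machines.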
+++ b/rules/S6388/azureresourcemanager/examples/Microsoft.Compute_snapshots.compliant.adoc @@ -21,6 +21,18 @@ Enabled disk encryption for snapshot: } ---- +[source,bicep,diff-id=411,diff-type=compliant] +---- +resource symbolicname 'Microsoft.Compute/snapshots@2022-07-02' = { + properties: { + encryption: { + diskEncryptionSetId: 'string' + type: '{EncryptionAtRestWithCustomerKey | EncryptionAtRestWithPlatformAndCustomerKeys | EncryptionAtRestWithPlatformKey}' + } + } +} +---- + Enabled disk encryption with settings collection: [source,json,diff-id=402,diff-type=compliant] ---- @@ -52,6 +64,28 @@ Enabled disk encryption with settings collection: } ---- +[source,bicep,diff-id=412,diff-type=compliant] +---- +resource symbolicname 'Microsoft.Compute/snapshots@2022-07-02' = { + properties: { + encryptionSettingsCollection: { + enabled: true + encryptionSettings: [ + { + diskEncryptionKey: { + secretUrl: '' + sourceVault: { + id: 'string' + } + } + } + ] + encryptionSettingsVersion: '{1.0 | 1.1}' + } + } +} +---- + Enabled disk encryption through security profile: [source,json] ---- @@ -72,3 +106,15 @@ Enabled disk encryption through security profile: ] } ---- + +[source,bicep,diff-id=413,diff-type=compliant] +---- +resource symbolicname 'Microsoft.Compute/snapshots@2022-07-02' = { + properties: { + securityProfile: { + secureVMDiskEncryptionSetId: 'string' + securityType: '{ConfidentialVM_DiskEncryptedWithCustomerKey | ConfidentialVM_DiskEncryptedWithPlatformKey | ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey | TrustedLaunch}' + } + } +} +---- diff --git a/rules/S6388/azureresourcemanager/examples/Microsoft.Compute_snapshots.noncompliant.adoc b/rules/S6388/azureresourcemanager/examples/Microsoft.Compute_snapshots.noncompliant.adoc index baf2906c6a4..27243b9880b 100644 --- a/rules/S6388/azureresourcemanager/examples/Microsoft.Compute_snapshots.noncompliant.adoc +++ b/rules/S6388/azureresourcemanager/examples/Microsoft.Compute_snapshots.noncompliant.adoc 
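Review bot: In Microsoft.Compute_snapshots.compliant.adoc, the diff-id=412 sample sets `secretUrl: ''`, an empty Key Vault secret URL in an example labelled compliant. The otherwise identical block for disks (diff-id=312) uses `secretUrl: 'string'`. An empty value under `enabled: true` reads as encryption switched on with no key configured. Changing it to `secretUrl: 'string'` keeps the two files consistent and avoids suggesting that an empty URL is acceptable.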
@@ -19,3 +19,14 @@ Disabled disk encryption with settings collection: ] } ---- + +[source,bicep,diff-id=412,diff-type=noncompliant] +---- +resource symbolicname 'Microsoft.Compute/snapshots@2022-07-02' = { + properties: { + encryptionSettingsCollection: { + enabled: false + } + } +} +---- diff --git a/rules/S6388/azureresourcemanager/examples/Microsoft.Compute_virtualMachineScaleSets.compliant.adoc b/rules/S6388/azureresourcemanager/examples/Microsoft.Compute_virtualMachineScaleSets.compliant.adoc index 9191cc6dcf5..29b8ca3c53a 100644 --- a/rules/S6388/azureresourcemanager/examples/Microsoft.Compute_virtualMachineScaleSets.compliant.adoc +++ b/rules/S6388/azureresourcemanager/examples/Microsoft.Compute_virtualMachineScaleSets.compliant.adoc @@ -22,6 +22,19 @@ Enabled encryption at host level: } ---- +[source,bicep,diff-id=211,diff-type=compliant] +---- +resource symbolicname 'Microsoft.Compute/virtualMachineScaleSets@2022-11-01' = { + properties: { + virtualMachineProfile: { + securityProfile: { + encryptionAtHost: true + } + } + } +} +---- + Enabled encryption for data disk: [source,json,diff-id=202,diff-type=compliant] ---- @@ -53,6 +66,28 @@ Enabled encryption for data disk: } ---- +[source,bicep,diff-id=212,diff-type=compliant] +---- +resource symbolicname 'Microsoft.Compute/virtualMachineScaleSets@2022-11-01' = { + properties: { + virtualMachineProfile: { + storageProfile: { + dataDisks: [ + { + name: 'myDataDisk' + managedDisk: { + diskEncryptionSet: { + id: 'string' + } + } + } + ] + } + } + } +} +---- + Enabled encryption for data disk through security profile: [source,json] ---- 
@@ -86,6 +121,30 @@ Enabled encryption for data disk through security profile: } ---- +[source,bicep,diff-id=213,diff-type=compliant] +---- +resource symbolicname 'Microsoft.Compute/virtualMachineScaleSets@2022-11-01' = { + properties: { + virtualMachineProfile: { + storageProfile: { + dataDisks: [ + { + name: 'myDataDisk' + managedDisk: { + securityProfile: { + diskEncryptionSet: { + id: 'string' + } + } + } + } + ] + } + } + } +} +---- + Enabled encryption for OS disk: [source,json,diff-id=204,diff-type=compliant] ---- @@ -115,6 +174,26 @@ Enabled encryption for OS disk: } ---- +[source,bicep,diff-id=214,diff-type=compliant] +---- +resource symbolicname 'Microsoft.Compute/virtualMachineScaleSets@2022-11-01' = { + properties: { + virtualMachineProfile: { + storageProfile: { + osDisk: { + name: 'myOsDisk' + managedDisk: { + diskEncryptionSet: { + id: 'string' + } + } + } + } + } + } +} +---- + Enabled encryption for OS disk through security profile: [source,json] ---- @@ -145,3 +224,25 @@ Enabled encryption for OS disk through security profile: ] } ---- + +[source,bicep,diff-id=215,diff-type=compliant] +---- +resource symbolicname 'Microsoft.Compute/virtualMachineScaleSets@2022-11-01' = { + properties: { + virtualMachineProfile: { + storageProfile: { + osDisk: { + name: 'myOsDisk' + managedDisk: { + securityProfile: { + diskEncryptionSet: { + id: 'string' + } + } + } + } + } + } + } +} +---- diff --git a/rules/S6388/azureresourcemanager/examples/Microsoft.Compute_virtualMachineScaleSets.noncompliant.adoc b/rules/S6388/azureresourcemanager/examples/Microsoft.Compute_virtualMachineScaleSets.noncompliant.adoc index 0f852ff8e9d..d6473bd2343 100644 --- a/rules/S6388/azureresourcemanager/examples/Microsoft.Compute_virtualMachineScaleSets.noncompliant.adoc +++ b/rules/S6388/azureresourcemanager/examples/Microsoft.Compute_virtualMachineScaleSets.noncompliant.adoc 
@@ -22,6 +22,19 @@ Disabled encryption at host level: } ---- +[source,bicep,diff-id=211,diff-type=noncompliant] +---- +resource symbolicname 'Microsoft.Compute/virtualMachineScaleSets@2022-11-01' = { + properties: { + virtualMachineProfile: { + securityProfile: { + encryptionAtHost: false + } + } + } +} +---- + Disabled encryption for data disk: [source,json,diff-id=202,diff-type=noncompliant] ---- @@ -48,6 +61,23 @@ Disabled encryption for data disk: } ---- +[source,bicep,diff-id=212,diff-type=noncompliant] +---- +resource symbolicname 'Microsoft.Compute/virtualMachineScaleSets@2022-11-01' = { + properties: { + virtualMachineProfile: { + storageProfile: { + dataDisks: [ + { + name: 'myDataDisk' + } + ] + } + } + } +} +---- + Disabled encryption for OS disk: [source,json,diff-id=204,diff-type=noncompliant] ---- @@ -71,3 +101,18 @@ Disabled encryption for OS disk: ] } ---- + +[source,bicep,diff-id=214,diff-type=noncompliant] +---- +resource symbolicname 'Microsoft.Compute/virtualMachineScaleSets@2022-11-01' = { + properties: { + virtualMachineProfile: { + storageProfile: { + osDisk: { + name: 'myOsDisk' + } + } + } + } +} +---- diff --git a/rules/S6388/azureresourcemanager/examples/Microsoft.Compute_virtualMachines.compliant.adoc b/rules/S6388/azureresourcemanager/examples/Microsoft.Compute_virtualMachines.compliant.adoc index 8559196990f..e639caf5652 100644 --- a/rules/S6388/azureresourcemanager/examples/Microsoft.Compute_virtualMachines.compliant.adoc +++ b/rules/S6388/azureresourcemanager/examples/Microsoft.Compute_virtualMachines.compliant.adoc @@ -20,6 +20,17 @@ Enabled encryption at host level: } ---- +[source,bicep,diff-id=111,diff-type=compliant] +---- +resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = { + properties: { + securityProfile: { + encryptionAtHost: true + } + } +} +---- + Enabled encryption for managed disk: [source,json,diff-id=102,diff-type=compliant] ---- 
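Review bot: The noncompliant scale-set sample for data disks (diff-id=212) differs from its compliant partner only in that `managedDisk.diskEncryptionSet` is absent, and nothing in the block says so. Unlike the `encryptionAtHost: false` sample, there is no offending line for the reader to spot. Bicep allows comments where the JSON samples do not, so a line such as `// managedDisk.diskEncryptionSet is not set` after `name: 'myDataDisk'` would point at what is missing. The same gap exists in diff-id=214 in this file, 112 and 115 in the virtualMachines noncompliant file, and 911 for Cassandra data centers.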
@@ -49,6 +60,26 @@ Enabled encryption for managed disk: } ---- +[source,bicep,diff-id=112,diff-type=compliant] +---- +resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = { + properties: { + storageProfile: { + dataDisks: [ + { + name: 'myDisk' + managedDisk: { + diskEncryptionSet: { + id: 'string' + } + } + } + ] + } + } +} +---- + Enabled encryption for managed disk through security profile: [source,json] ---- @@ -80,6 +111,28 @@ Enabled encryption for managed disk through security profile: } ---- +[source,bicep,diff-id=113,diff-type=compliant] +---- +resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = { + properties: { + storageProfile: { + dataDisks: [ + { + name: 'myDisk' + managedDisk: { + securityProfile: { + diskEncryptionSet: { + id: 'string' + } + } + } + } + ] + } + } +} +---- + Enabled encryption for OS disk: [source,json,diff-id=104,diff-type=compliant] ---- @@ -110,6 +163,28 @@ Enabled encryption for OS disk: } ---- +[source,bicep,diff-id=114,diff-type=compliant] +---- +resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = { + properties: { + storageProfile: { + osDisk: { + name: 'myDisk' + encryptionSettings: { + enabled: true + diskEncryptionKey: { + secretUrl: 'string' + sourceVault: { + id: 'string' + } + } + } + } + } + } +} +---- + Enabled encryption for OS managed disk: [source,json,diff-id=105,diff-type=compliant] ---- @@ -137,6 +212,25 @@ Enabled encryption for OS managed disk: } ---- +[source,bicep,diff-id=115,diff-type=compliant] +---- +resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = { + properties: { + storageProfile: { + osDisk: { + name: 'myDisk' + managedDisk: { + id: 'myDiskId' + diskEncryptionSet: { + id: 'string' + } + } + } + } + } +} +---- + Enabled encryption for OS managed disk through security profile: [source,json] ---- 
@@ -164,3 +258,24 @@ Enabled encryption for OS managed disk through security profile: ] } ---- + +[source,bicep,diff-id=116,diff-type=compliant] +---- +resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = { + properties: { + storageProfile: { + osDisk: { + name: 'myDisk' + managedDisk: { + id: 'myDiskId' + securityProfile: { + diskEncryptionSet: { + id: 'string' + } + } + } + } + } + } +} +---- diff --git a/rules/S6388/azureresourcemanager/examples/Microsoft.Compute_virtualMachines.noncompliant.adoc b/rules/S6388/azureresourcemanager/examples/Microsoft.Compute_virtualMachines.noncompliant.adoc index b23dc0c0e9a..dfec7550d65 100644 --- a/rules/S6388/azureresourcemanager/examples/Microsoft.Compute_virtualMachines.noncompliant.adoc +++ b/rules/S6388/azureresourcemanager/examples/Microsoft.Compute_virtualMachines.noncompliant.adoc @@ -20,6 +20,17 @@ Disabled encryption at host level: } ---- +[source,bicep,diff-id=111,diff-type=noncompliant] +---- +resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = { + properties: { + securityProfile: { + encryptionAtHost: false + } + } +} +---- + Disabled encryption for managed disk: [source,json,diff-id=102,diff-type=noncompliant] ---- @@ -44,6 +55,21 @@ Disabled encryption for managed disk: } ---- +[source,bicep,diff-id=112,diff-type=noncompliant] +---- +resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = { + properties: { + storageProfile: { + dataDisks: [ + { + name: 'myDisk' + } + ] + } + } +} +---- + Disabled encryption for OS disk: [source,json,diff-id=104,diff-type=noncompliant] ---- @@ -68,6 +94,22 @@ Disabled encryption for OS disk: } ---- +[source,bicep,diff-id=114,diff-type=noncompliant] +---- +resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = { + properties: { + storageProfile: { + osDisk: { + name: 'myDisk' + encryptionSettings: { + enabled: false + } + } + } + } +} +---- + Disabled encryption for OS managed disk: [source,json,diff-id=105,diff-type=noncompliant] ---- 
@@ -91,3 +133,19 @@ Disabled encryption for OS managed disk: ] } ---- + +[source,bicep,diff-id=115,diff-type=noncompliant] +---- +resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = { + properties: { + storageProfile: { + osDisk: { + name: 'myDisk' + managedDisk: { + id: 'myDiskId' + } + } + } + } +} +---- \ No newline at end of file diff --git a/rules/S6388/azureresourcemanager/examples/Microsoft.ContainerService_managedClusters.compliant.adoc b/rules/S6388/azureresourcemanager/examples/Microsoft.ContainerService_managedClusters.compliant.adoc index 73768a286bc..03887dd8de6 100644 --- a/rules/S6388/azureresourcemanager/examples/Microsoft.ContainerService_managedClusters.compliant.adoc +++ b/rules/S6388/azureresourcemanager/examples/Microsoft.ContainerService_managedClusters.compliant.adoc @@ -22,3 +22,17 @@ Enabled encryption at host and set the disk encryption set ID: ] } ---- + +[source,bicep,diff-id=1111,diff-type=compliant] +---- +resource symbolicname 'Microsoft.ContainerService/managedClusters@2023-03-02-preview' = { + properties: { + agentPoolProfiles: [ + { + enableEncryptionAtHost: true + } + ] + diskEncryptionSetID: 'string' + } +} +---- diff --git a/rules/S6388/azureresourcemanager/examples/Microsoft.ContainerService_managedClusters.noncompliant.adoc b/rules/S6388/azureresourcemanager/examples/Microsoft.ContainerService_managedClusters.noncompliant.adoc index 3b585415b80..583189bfd22 100644 --- a/rules/S6388/azureresourcemanager/examples/Microsoft.ContainerService_managedClusters.noncompliant.adoc +++ b/rules/S6388/azureresourcemanager/examples/Microsoft.ContainerService_managedClusters.noncompliant.adoc @@ -21,3 +21,16 @@ Disabled encryption at host and set the disk encryption set ID: ] } ---- + +[source,bicep,diff-id=1111,diff-type=noncompliant] +---- +resource symbolicname 'Microsoft.ContainerService/managedClusters@2023-03-02-preview' = { + properties: { + agentPoolProfiles: [ + { + enableEncryptionAtHost: false + } + ] + } +} +---- 
diff --git a/rules/S6388/azureresourcemanager/examples/Microsoft.DBforMySQL_servers.compliant.adoc b/rules/S6388/azureresourcemanager/examples/Microsoft.DBforMySQL_servers.compliant.adoc index 633d63fd0c4..17200f085fa 100644 --- a/rules/S6388/azureresourcemanager/examples/Microsoft.DBforMySQL_servers.compliant.adoc +++ b/rules/S6388/azureresourcemanager/examples/Microsoft.DBforMySQL_servers.compliant.adoc @@ -17,3 +17,12 @@ Enabled infrastructure double encryption for MySQL server: ] } ---- + +[source,bicep,diff-id=611,diff-type=compliant] +---- +resource symbolicname 'Microsoft.DBforMySQL/servers@2017-12-01' = { + properties: { + infrastructureEncryption: 'Enabled' + } +} +---- diff --git a/rules/S6388/azureresourcemanager/examples/Microsoft.DBforMySQL_servers.noncompliant.adoc b/rules/S6388/azureresourcemanager/examples/Microsoft.DBforMySQL_servers.noncompliant.adoc index 92eb5bf9f82..63981902e6b 100644 --- a/rules/S6388/azureresourcemanager/examples/Microsoft.DBforMySQL_servers.noncompliant.adoc +++ b/rules/S6388/azureresourcemanager/examples/Microsoft.DBforMySQL_servers.noncompliant.adoc @@ -17,3 +17,13 @@ Disabled infrastructure double encryption for MySQL server: ] } ---- + +[source,bicep,diff-id=611,diff-type=noncompliant] +---- +resource symbolicname 'Microsoft.DBforMySQL/servers@2017-12-01' = { + properties: { + infrastructureEncryption: 'Disabled' + } +} +---- + diff --git a/rules/S6388/azureresourcemanager/examples/Microsoft.DBforPostgreSQL_servers.compliant.adoc b/rules/S6388/azureresourcemanager/examples/Microsoft.DBforPostgreSQL_servers.compliant.adoc index 7ea6315bc98..7dd12ff1f59 100644 --- a/rules/S6388/azureresourcemanager/examples/Microsoft.DBforPostgreSQL_servers.compliant.adoc +++ b/rules/S6388/azureresourcemanager/examples/Microsoft.DBforPostgreSQL_servers.compliant.adoc 
@@ -17,3 +17,12 @@ Enabled infrastructure double encryption for PostgreSQL server: ] } ---- + +[source,bicep,diff-id=711,diff-type=compliant] +---- +resource symbolicname 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = { + properties: { + infrastructureEncryption: 'Enabled' + } +} +---- \ No newline at end of file diff --git a/rules/S6388/azureresourcemanager/examples/Microsoft.DBforPostgreSQL_servers.noncompliant.adoc b/rules/S6388/azureresourcemanager/examples/Microsoft.DBforPostgreSQL_servers.noncompliant.adoc index 4b769a79628..1d7f5ab0d03 100644 --- a/rules/S6388/azureresourcemanager/examples/Microsoft.DBforPostgreSQL_servers.noncompliant.adoc +++ b/rules/S6388/azureresourcemanager/examples/Microsoft.DBforPostgreSQL_servers.noncompliant.adoc @@ -17,3 +17,12 @@ Disabled infrastructure double encryption for PostgreSQL server: ] } ---- + +[source,bicep,diff-id=711,diff-type=noncompliant] +---- +resource symbolicname 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = { + properties: { + infrastructureEncryption: 'Disabled' + } +} +---- diff --git a/rules/S6388/azureresourcemanager/examples/Microsoft.DataLakeStore_accounts.compliant.adoc b/rules/S6388/azureresourcemanager/examples/Microsoft.DataLakeStore_accounts.compliant.adoc index 2d1acc828b5..38c882ba4c7 100644 --- a/rules/S6388/azureresourcemanager/examples/Microsoft.DataLakeStore_accounts.compliant.adoc +++ b/rules/S6388/azureresourcemanager/examples/Microsoft.DataLakeStore_accounts.compliant.adoc @@ -17,3 +17,12 @@ Enabled encryption for Data Lake Store: ] } ---- + +[source,bicep,diff-id=511,diff-type=compliant] +---- +resource symbolicname 'Microsoft.DataLakeStore/accounts@2016-11-01' = { + properties: { + encryptionState: 'Enabled' + } +} +---- diff --git a/rules/S6388/azureresourcemanager/examples/Microsoft.DataLakeStore_accounts.noncompliant.adoc b/rules/S6388/azureresourcemanager/examples/Microsoft.DataLakeStore_accounts.noncompliant.adoc index 92f35bd2eb8..e811da81e9b 100644 
--- a/rules/S6388/azureresourcemanager/examples/Microsoft.DataLakeStore_accounts.noncompliant.adoc +++ b/rules/S6388/azureresourcemanager/examples/Microsoft.DataLakeStore_accounts.noncompliant.adoc @@ -17,3 +17,13 @@ Disabled encryption for Data Lake Store: ] } ---- + +[source,bicep,diff-id=511,diff-type=noncompliant] +---- +resource symbolicname 'Microsoft.DataLakeStore/accounts@2016-11-01' = { + properties: { + encryptionState: 'Disabled' + } +} +---- + diff --git a/rules/S6388/azureresourcemanager/examples/Microsoft.DocumentDB_cassandraClusters_dataCenters.compliant.adoc b/rules/S6388/azureresourcemanager/examples/Microsoft.DocumentDB_cassandraClusters_dataCenters.compliant.adoc index 9c745dd1baa..70f91c571ae 100644 --- a/rules/S6388/azureresourcemanager/examples/Microsoft.DocumentDB_cassandraClusters_dataCenters.compliant.adoc +++ b/rules/S6388/azureresourcemanager/examples/Microsoft.DocumentDB_cassandraClusters_dataCenters.compliant.adoc @@ -19,3 +19,16 @@ Enabled encryption for a Cassandra Cluster datacenter's managed disk and backup: ] } ---- + +[source,bicep,diff-id=911,diff-type=compliant] +---- +resource symbolicname 'Microsoft.DocumentDB/cassandraClusters/dataCenters@2023-04-15' = { + name: 'string' + parent: parent + properties: { + diskCapacity: 4 + backupStorageCustomerKeyUri: 'string' + managedDiskCustomerKeyUri: 'string' + } +} +---- diff --git a/rules/S6388/azureresourcemanager/examples/Microsoft.DocumentDB_cassandraClusters_dataCenters.noncompliant.adoc b/rules/S6388/azureresourcemanager/examples/Microsoft.DocumentDB_cassandraClusters_dataCenters.noncompliant.adoc index 964d426fce6..4a26adb0d81 100644 --- a/rules/S6388/azureresourcemanager/examples/Microsoft.DocumentDB_cassandraClusters_dataCenters.noncompliant.adoc +++ b/rules/S6388/azureresourcemanager/examples/Microsoft.DocumentDB_cassandraClusters_dataCenters.noncompliant.adoc 
@@ -17,3 +17,14 @@ Disabled encryption for a Cassandra Cluster datacenter's managed disk and backup ] } ---- + +[source,bicep,diff-id=911,diff-type=noncompliant] +---- +resource symbolicname 'Microsoft.DocumentDB/cassandraClusters/dataCenters@2023-04-15' = { + name: 'string' + parent: parent + properties: { + diskCapacity: 4 + } +} +---- diff --git a/rules/S6388/azureresourcemanager/examples/Microsoft.HDInsight_clusters.compliant.adoc b/rules/S6388/azureresourcemanager/examples/Microsoft.HDInsight_clusters.compliant.adoc index 5e232b752b0..3c4b5bca4e6 100644 --- a/rules/S6388/azureresourcemanager/examples/Microsoft.HDInsight_clusters.compliant.adoc +++ b/rules/S6388/azureresourcemanager/examples/Microsoft.HDInsight_clusters.compliant.adoc @@ -24,6 +24,21 @@ Enabled encryption for data disk: } ---- +[source,bicep,diff-id=1311,diff-type=compliant] +---- +resource symbolicname 'Microsoft.HDInsight/clusters@2021-06-01' = { + properties: { + computeProfile: { + roles: [ + { + encryptDataDisks: true + } + ] + } + } +} +---- + Enabled encryption for data disk at application level: [source,json,diff-id=1302,diff-type=compliant] ---- @@ -48,6 +63,21 @@ Enabled encryption for data disk at application level: } ---- +[source,bicep,diff-id=1312,diff-type=compliant] +---- +resource symbolicname 'Microsoft.HDInsight/clusters/applications@2021-06-01' = { + properties: { + computeProfile: { + roles: [ + { + encryptDataDisks: true + } + ] + } + } +} +---- + Enabled encryption for resource disk: [source,json,diff-id=1303,diff-type=compliant] ---- @@ -67,3 +97,14 @@ Enabled encryption for resource disk: ] } ---- + +[source,bicep,diff-id=1313,diff-type=compliant] +---- +resource symbolicname 'Microsoft.HDInsight/clusters@2021-06-01' = { + properties: { + diskEncryptionProperties: { + encryptionAtHost: true + } + } +} +---- 
diff --git a/rules/S6388/azureresourcemanager/examples/Microsoft.HDInsight_clusters.noncompliant.adoc b/rules/S6388/azureresourcemanager/examples/Microsoft.HDInsight_clusters.noncompliant.adoc index 8b9c01bf04c..9e7d2515233 100644 --- a/rules/S6388/azureresourcemanager/examples/Microsoft.HDInsight_clusters.noncompliant.adoc +++ b/rules/S6388/azureresourcemanager/examples/Microsoft.HDInsight_clusters.noncompliant.adoc @@ -24,6 +24,21 @@ Disabled encryption for data disk: } ---- +[source,bicep,diff-id=1311,diff-type=noncompliant] +---- +resource symbolicname 'Microsoft.HDInsight/clusters@2021-06-01' = { + properties: { + computeProfile: { + roles: [ + { + encryptDataDisks: false + } + ] + } + } +} +---- + Disabled encryption for data disk at application level: [source,json,diff-id=1302,diff-type=noncompliant] ---- @@ -48,6 +63,21 @@ Disabled encryption for data disk at application level: } ---- +[source,bicep,diff-id=1312,diff-type=noncompliant] +---- +resource symbolicname 'Microsoft.HDInsight/clusters/applications@2021-06-01' = { + properties: { + computeProfile: { + roles: [ + { + encryptDataDisks: false + } + ] + } + } +} +---- + Disabled encryption for resource disk: [source,json,diff-id=1303,diff-type=noncompliant] ---- @@ -67,3 +97,14 @@ Disabled encryption for resource disk: ] } ---- + +[source,bicep,diff-id=1313,diff-type=noncompliant] +---- +resource symbolicname 'Microsoft.HDInsight/clusters@2021-06-01' = { + properties: { + diskEncryptionProperties: { + encryptionAtHost: false + } + } +} +---- diff --git a/rules/S6388/azureresourcemanager/examples/Microsoft.Kusto_clusters.compliant.adoc b/rules/S6388/azureresourcemanager/examples/Microsoft.Kusto_clusters.compliant.adoc index feb27b7251c..17bf8cd5916 100644 --- a/rules/S6388/azureresourcemanager/examples/Microsoft.Kusto_clusters.compliant.adoc +++ b/rules/S6388/azureresourcemanager/examples/Microsoft.Kusto_clusters.compliant.adoc 
@@ -17,3 +17,12 @@ Enabled encryption for disk: ] } ---- + +[source,bicep,diff-id=1411,diff-type=compliant] +---- +resource symbolicname 'Microsoft.Kusto/clusters@2022-12-29' = { + properties: { + enableDiskEncryption: true + } +} +---- diff --git a/rules/S6388/azureresourcemanager/examples/Microsoft.Kusto_clusters.noncompliant.adoc b/rules/S6388/azureresourcemanager/examples/Microsoft.Kusto_clusters.noncompliant.adoc index a47ebd347d2..a46f0694297 100644 --- a/rules/S6388/azureresourcemanager/examples/Microsoft.Kusto_clusters.noncompliant.adoc +++ b/rules/S6388/azureresourcemanager/examples/Microsoft.Kusto_clusters.noncompliant.adoc @@ -17,3 +17,13 @@ Disabled encryption for disk: ] } ---- + +[source,bicep,diff-id=1411,diff-type=noncompliant] +---- +resource symbolicname 'Microsoft.Kusto/clusters@2022-12-29' = { + properties: { + enableDiskEncryption: false + } +} +---- + diff --git a/rules/S6388/azureresourcemanager/examples/Microsoft.RecoveryServices.vaults.compliant.adoc b/rules/S6388/azureresourcemanager/examples/Microsoft.RecoveryServices.vaults.compliant.adoc index 360ab622099..fd1d2a229b1 100644 --- a/rules/S6388/azureresourcemanager/examples/Microsoft.RecoveryServices.vaults.compliant.adoc +++ b/rules/S6388/azureresourcemanager/examples/Microsoft.RecoveryServices.vaults.compliant.adoc @@ -20,6 +20,17 @@ Enabled encryption on infrastructure: } ---- +[source,bicep,diff-id=1511,diff-type=compliant] +---- +resource symbolicname 'Microsoft.RecoveryServices/vaults@2023-01-01' = { + properties: { + encryption: { + infrastructureEncryption: 'Enabled' + } + } +} +---- + Enabled encryption on infastructure for backup: [source,json,diff-id=1502,diff-type=compliant] ---- 
@@ -38,3 +49,13 @@ Enabled encryption on infastructure for backup: ] } ---- + +[source,bicep,diff-id=1512,diff-type=compliant] +---- +resource symbolicname 'Microsoft.RecoveryServices/vaults/backupEncryptionConfigs@2023-01-01' = { + properties: { + encryptionAtRestType: '{CustomerManaged | MicrosoftManaged}' + infrastructureEncryptionState: 'Enabled' + } +} +---- diff --git a/rules/S6388/azureresourcemanager/examples/Microsoft.RecoveryServices.vaults.noncompliant.adoc b/rules/S6388/azureresourcemanager/examples/Microsoft.RecoveryServices.vaults.noncompliant.adoc index d2e04965d9b..1ab91bb051d 100644 --- a/rules/S6388/azureresourcemanager/examples/Microsoft.RecoveryServices.vaults.noncompliant.adoc +++ b/rules/S6388/azureresourcemanager/examples/Microsoft.RecoveryServices.vaults.noncompliant.adoc @@ -20,6 +20,17 @@ Disabled encryption for disk: } ---- +[source,bicep,diff-id=1511,diff-type=noncompliant] +---- +resource symbolicname 'Microsoft.RecoveryServices/vaults@2023-01-01' = { + properties: { + encryption: { + infrastructureEncryption: 'Disabled' + } + } +} +---- + Disabled encryption on infastructure for backup: [source,json,diff-id=1502,diff-type=noncompliant] ---- @@ -37,3 +48,13 @@ Disabled encryption on infastructure for backup: ] } ---- + +[source,bicep,diff-id=1512,diff-type=noncompliant] +---- +resource symbolicname 'Microsoft.RecoveryServices/vaults/backupEncryptionConfigs@2023-01-01' = { + properties: { + encryptionAtRestType: '{CustomerManaged | MicrosoftManaged}' + infrastructureEncryptionState: 'Disabled' + } +} +---- diff --git a/rules/S6388/azureresourcemanager/examples/Microsoft.RedHatOpenShift_openShiftClusters.compliant.adoc b/rules/S6388/azureresourcemanager/examples/Microsoft.RedHatOpenShift_openShiftClusters.compliant.adoc index 204b0af5e64..7e546eca0b6 100644 --- a/rules/S6388/azureresourcemanager/examples/Microsoft.RedHatOpenShift_openShiftClusters.compliant.adoc 
+++ b/rules/S6388/azureresourcemanager/examples/Microsoft.RedHatOpenShift_openShiftClusters.compliant.adoc @@ -25,4 +25,22 @@ Enabled disk encryption for master profile and worker profiles: } ] } ----- \ No newline at end of file +---- + +[source,bicep,diff-id=1611,diff-type=compliant] +---- +resource symbolicname 'Microsoft.RedHatOpenShift/openShiftClusters@2022-09-04' = { + properties: { + masterProfile: { + diskEncryptionSetId: 'string' + encryptionAtHost: 'Enabled' + } + workerProfiles: [ + { + diskEncryptionSetId: 'string' + encryptionAtHost: 'Enabled' + } + ] + } +} +---- diff --git a/rules/S6388/azureresourcemanager/examples/Microsoft.RedHatOpenShift_openShiftClusters.noncompliant.adoc b/rules/S6388/azureresourcemanager/examples/Microsoft.RedHatOpenShift_openShiftClusters.noncompliant.adoc index b1ed2688c89..89db74e1417 100644 --- a/rules/S6388/azureresourcemanager/examples/Microsoft.RedHatOpenShift_openShiftClusters.noncompliant.adoc +++ b/rules/S6388/azureresourcemanager/examples/Microsoft.RedHatOpenShift_openShiftClusters.noncompliant.adoc @@ -23,4 +23,20 @@ Disabled disk encryption for master profile and worker profiles: } ] } ----- \ No newline at end of file +---- + +[source,bicep,diff-id=1611,diff-type=noncompliant] +---- +resource symbolicname 'Microsoft.RedHatOpenShift/openShiftClusters@2022-09-04' = { + properties: { + masterProfile: { + encryptionAtHost: 'Disabled' + } + workerProfiles: [ + { + encryptionAtHost: 'Disabled' + } + ] + } +} +---- diff --git a/rules/S6388/azureresourcemanager/examples/Microsoft.SqlVirtualMachine_sqlVirtualMachines.compliant.adoc b/rules/S6388/azureresourcemanager/examples/Microsoft.SqlVirtualMachine_sqlVirtualMachines.compliant.adoc index 1727bf264a8..12041c8f884 100644 --- a/rules/S6388/azureresourcemanager/examples/Microsoft.SqlVirtualMachine_sqlVirtualMachines.compliant.adoc +++ b/rules/S6388/azureresourcemanager/examples/Microsoft.SqlVirtualMachine_sqlVirtualMachines.compliant.adoc 
@@ -20,3 +20,15 @@ Enabled encryption for SQL Virtual Machine:
 ]
 }
 ----
+
+[source,bicep,diff-id=811,diff-type=compliant]
+----
+resource symbolicname 'Microsoft.SqlVirtualMachine/sqlVirtualMachines@2022-08-01-preview' = {
+ properties: {
+ autoBackupSettings: {
+ enableEncryption: true
+ password: 'string'
+ }
+ }
+}
+----
diff --git a/rules/S6388/azureresourcemanager/examples/Microsoft.SqlVirtualMachine_sqlVirtualMachines.noncompliant.adoc b/rules/S6388/azureresourcemanager/examples/Microsoft.SqlVirtualMachine_sqlVirtualMachines.noncompliant.adoc
index c1bed5c8026..7efc3dc2d94 100644
--- a/rules/S6388/azureresourcemanager/examples/Microsoft.SqlVirtualMachine_sqlVirtualMachines.noncompliant.adoc
+++ b/rules/S6388/azureresourcemanager/examples/Microsoft.SqlVirtualMachine_sqlVirtualMachines.noncompliant.adoc
@@ -19,3 +19,14 @@ Disabled encryption for SQL Virtual Machine:
 ]
 }
 ----
+
+[source,bicep,diff-id=811,diff-type=noncompliant]
+----
+resource symbolicname 'Microsoft.SqlVirtualMachine/sqlVirtualMachines@2022-08-01-preview' = {
+ properties: {
+ autoBackupSettings: {
+ enableEncryption: false
+ }
+ }
+}
+----
diff --git a/rules/S6388/azureresourcemanager/examples/Microsoft.Storage_storageAccounts.compliant.adoc b/rules/S6388/azureresourcemanager/examples/Microsoft.Storage_storageAccounts.compliant.adoc
index a234a20befe..c2e5772d125 100644
--- a/rules/S6388/azureresourcemanager/examples/Microsoft.Storage_storageAccounts.compliant.adoc
+++ b/rules/S6388/azureresourcemanager/examples/Microsoft.Storage_storageAccounts.compliant.adoc
@@ -20,6 +20,17 @@ Enabled enforcing of infrastructure encryption for double encryption of data:
 }
 ----
+[source,bicep,diff-id=1011,diff-type=compliant]
+----
+resource symbolicname 'Microsoft.Storage/storageAccounts@2022-09-01' = {
+ properties: {
+ encryption: {
+ requireInfrastructureEncryption: true
+ }
+ }
+}
+----
+
 For https://learn.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts/encryptionscopes?pivots=deployment-language-bicep[Microsoft.Storage/storageAccounts/encryptionScopes]:
 Enabled enforcing of infrastructure encryption for double encryption of data at encryption scope level:
@@ -39,3 +50,12 @@ Enabled enforcing of infrastructure encryption for double encryption of data at
 ]
 }
 ----
+
+[source,bicep,diff-id=1012,diff-type=compliant]
+----
+resource symbolicname 'Microsoft.Storage/storageAccounts/encryptionScopes@2022-09-01' = {
+ properties: {
+ requireInfrastructureEncryption: true
+ }
+}
+----
diff --git a/rules/S6388/azureresourcemanager/examples/Microsoft.Storage_storageAccounts.noncompliant.adoc b/rules/S6388/azureresourcemanager/examples/Microsoft.Storage_storageAccounts.noncompliant.adoc
index 6584c07c443..77e3b568bd2 100644
--- a/rules/S6388/azureresourcemanager/examples/Microsoft.Storage_storageAccounts.noncompliant.adoc
+++ b/rules/S6388/azureresourcemanager/examples/Microsoft.Storage_storageAccounts.noncompliant.adoc
@@ -20,6 +20,17 @@ Disabled enforcing of infrastructure encryption for double encryption of data:
 }
 ----
+[source,bicep,diff-id=1011,diff-type=noncompliant]
+----
+resource symbolicname 'Microsoft.Storage/storageAccounts@2022-09-01' = {
+ properties: {
+ encryption: {
+ requireInfrastructureEncryption: false
+ }
+ }
+}
+----
+
 For https://learn.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts/encryptionscopes?pivots=deployment-language-bicep[Microsoft.Storage/storageAccounts/encryptionScopes]:
 Disabled enforcing of infrastructure encryption for double encryption of data at encryption scope level:
@@ -39,3 +50,13 @@ Disabled enforcing of infrastructure encryption for double encryption of data at
 ]
 }
 ----
+
+[source,bicep,diff-id=1012,diff-type=noncompliant]
+----
+resource symbolicname 'Microsoft.Storage/storageAccounts/encryptionScopes@2022-09-01' = {
+ properties: {
+ requireInfrastructureEncryption: false
+ }
+}
+----
+