refactor(checks): migrate Azure storage to Rego

Signed-off-by: Nikita Pivkin <[email protected]>

avd_docs/azure/storage/AVD-AZU-0007/docs.md

@@ -1,10 +1,10 @@
 
 Storage container public access should be off. It can be configured for blobs only, containers and blobs or off entirely. The default is off, with no public access.
-
 Explicitly overriding publicAccess to anything other than off should be avoided.
 
+
 ### Impact
-Data in the storage container could be exposed publicly
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/azure/storage/AVD-AZU-0008/docs.md

@@ -1,12 +1,11 @@
 
-You can configure your storage account to accept requests from secure connections only by setting the Secure transfer required property for the storage account. 
-
-When you require secure transfer, any requests originating from an insecure connection are rejected. 
-
+You can configure your storage account to accept requests from secure connections only by setting the Secure transfer required property for the storage account.
+When you require secure transfer, any requests originating from an insecure connection are rejected.
 Microsoft recommends that you always require secure transfer for all of your storage accounts.
 
+
 ### Impact
-Insecure transfer of data into secure accounts could be read if intercepted
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/azure/storage/AVD-AZU-0009/docs.md

@@ -1,12 +1,11 @@
 
-Storage Analytics logs detailed information about successful and failed requests to a storage service. 
-
-This information can be used to monitor individual requests and to diagnose issues with a storage service. 
-
+Storage Analytics logs detailed information about successful and failed requests to a storage service.
+This information can be used to monitor individual requests and to diagnose issues with a storage service.
 Requests are logged on a best-effort basis.
 
+
 ### Impact
-Logging provides valuable information about access and usage
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/azure/storage/AVD-AZU-0010/docs.md

@@ -1,10 +1,10 @@
 
-Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. 
-
+Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules.
 To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules
 
+
 ### Impact
-Trusted Microsoft Services won't be able to access storage account unless rules set to allow
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/azure/storage/AVD-AZU-0011/docs.md

@@ -1,12 +1,11 @@
 
-Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. 
-
+Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2.
 Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility.
-
 This check will warn if the minimum TLS is not set to TLS1_2.
 
+
 ### Impact
-The TLS version being outdated and has known vulnerabilities
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/azure/storage/AVD-AZU-0012/docs.md

@@ -1,10 +1,10 @@
 
 The default_action for network rules should come into effect when no other rules are matched.
-
 The default action should be set to Deny.
 
+
 ### Impact
-Network rules that allow could cause data to be exposed publicly
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

checks/cloud/azure/storage/allow_microsoft_service_bypass.go

@@ -29,7 +29,8 @@ To help this type of service work as intended, allow the set of trusted Microsof
 			Links:               terraformAllowMicrosoftServiceBypassLinks,
 			RemediationMarkdown: terraformAllowMicrosoftServiceBypassRemediationMarkdown,
 		},
-		Severity: severity.High,
+		Severity:   severity.High,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, account := range s.Azure.Storage.Accounts {

checks/cloud/azure/storage/allow_microsoft_service_bypass.rego

@@ -0,0 +1,47 @@
+# METADATA
+# title: Trusted Microsoft Services should have bypass access to Storage accounts
+# description: |
+#   Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules.
+#   To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security#trusted-microsoft-services
+# custom:
+#   id: AVD-AZU-0010
+#   avd_id: AVD-AZU-0010
+#   provider: azure
+#   service: storage
+#   severity: HIGH
+#   short_code: allow-microsoft-service-bypass
+#   recommended_action: Allow Trusted Microsoft Services to bypass
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: storage
+#             provider: azure
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#bypass
+#       - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#bypass
+#     good_examples: checks/cloud/azure/storage/allow_microsoft_service_bypass.tf.go
+#     bad_examples: checks/cloud/azure/storage/allow_microsoft_service_bypass.tf.go
+package builtin.azure.storage.azure0010
+
+import rego.v1
+
+deny contains res if {
+	some rule in input.azure.storage.accounts[_].networkrules
+	not has_bypass(rule)
+	res := result.new(
+		"Network rules do not allow bypass for Microsoft Services.",
+		rule,
+	)
+}
+
+has_bypass(rule) if {
+	some bypass in rule.bypass
+	bypass.value == "AzureServices"
+}

checks/cloud/azure/storage/allow_microsoft_service_bypass_test.rego

@@ -0,0 +1,21 @@
+package builtin.azure.storage.azure0010_test
+
+import rego.v1
+
+import data.builtin.azure.storage.azure0010 as check
+import data.lib.test
+
+test_deny_rule_does_not_allow_bypass_access if {
+	inp := {"azure": {"storage": {"accounts": [{
+		"name": "test",
+		"networkrules": [{"bypass": []}],
+	}]}}}
+
+	test.assert_count(check.deny, 1) with input as inp
+}
+
+test_allow_rule_allow_bypass_access if {
+	inp := {"azure": {"storage": {"accounts": [{"networkrules": [{"bypass": [{"value": "AzureServices"}]}]}]}}}
+
+	test.assert_empty(check.deny) with input as inp
+}

checks/cloud/azure/storage/default_action_deny.go

@@ -29,7 +29,8 @@ The default action should be set to Deny.`,
 			Links:               terraformDefaultActionDenyLinks,
 			RemediationMarkdown: terraformDefaultActionDenyRemediationMarkdown,
 		},
-		Severity: severity.Critical,
+		Severity:   severity.Critical,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, account := range s.Azure.Storage.Accounts {

checks/cloud/azure/storage/default_action_deny.rego

@@ -0,0 +1,41 @@
+# METADATA
+# title: The default action on Storage account network rules should be set to deny
+# description: |
+#   The default_action for network rules should come into effect when no other rules are matched.
+#   The default action should be set to Deny.
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://docs.microsoft.com/en-us/azure/firewall/rule-processing
+# custom:
+#   id: AVD-AZU-0012
+#   avd_id: AVD-AZU-0012
+#   provider: azure
+#   service: storage
+#   severity: CRITICAL
+#   short_code: default-action-deny
+#   recommended_action: Set network rules to deny
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: storage
+#             provider: azure
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#default_action
+#     good_examples: checks/cloud/azure/storage/default_action_deny.tf.go
+#     bad_examples: checks/cloud/azure/storage/default_action_deny.tf.go
+package builtin.azure.storage.azure0012
+
+import rego.v1
+
+deny contains res if {
+	some rule in input.azure.storage.accounts[_].networkrules
+	rule.allowbydefault.value
+	res := result.new(
+		"Network rules allow access by default.",
+		rule.allowbydefault,
+	)
+}

checks/cloud/azure/storage/default_action_deny_test.rego

@@ -0,0 +1,18 @@
+package builtin.azure.storage.azure0012_test
+
+import rego.v1
+
+import data.builtin.azure.storage.azure0012 as check
+import data.lib.test
+
+test_deny_rule_allow_acces_by_default if {
+	inp := {"azure": {"storage": {"accounts": [{"networkrules": [{"allowbydefault": {"value": true}}]}]}}}
+
+	test.assert_count(check.deny, 1) with input as inp
+}
+
+test_allow_rule_deny_acces_by_default if {
+	inp := {"azure": {"storage": {"accounts": [{"networkrules": [{"allowbydefault": {"value": false}}]}]}}}
+
+	test.assert_empty(check.deny) with input as inp
+}