feat(query): implements "Beta - VM Without Managed Disk" (#7856)

Co-authored-by: Artur Ribeiro <153724638+cx-artur-ribeiro@users.noreply.github.com>

Author: cx-andre-pereira

assets/queries/terraform/azure/vm_without_managed_disk/metadata.json

@@ -0,0 +1,14 @@
+{
+  "id": "0536c90c-714e-4184-991e-3fed8d8b7b46",
+  "queryName": "Beta - VM Without Managed Disk",
+  "severity": "MEDIUM",
+  "category": "Resource Management",
+  "descriptionText": "Virtual machine resources should set a managed disk for encryption, resilience and reduction of costs",
+  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_virtual_machine",
+  "platform": "Terraform",
+  "descriptionID": "0536c90c",
+  "cloudProvider": "azure",
+  "cwe": "922",
+  "riskScore": "3.0",
+  "experimental": "true"
+}

assets/queries/terraform/azure/vm_without_managed_disk/query.rego

@@ -0,0 +1,76 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+types := {"azurerm_virtual_machine", "azurerm_linux_virtual_machine", "azurerm_windows_virtual_machine", "azurerm_virtual_machine_scale_set"}
+
+CxPolicy[result] {
+	resource := input.document[i].resource[types[t]][name]
+
+	results := get_results(resource, name, types[t])
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": types[t],
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": results.searchKey,
+		"issueType": results.issueType,
+		"keyExpectedValue": results.keyExpectedValue,
+		"keyActualValue": results.keyActualValue,
+		"searchLine": results.searchLine
+	}
+}
+
+get_results(resource, name, type) = results {
+	type == "azurerm_virtual_machine"
+	not common_lib.valid_key(resource, "storage_os_disk")
+	results := {
+		"searchKey": sprintf("azurerm_virtual_machine[%s]", [name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("'azurerm_virtual_machine[%s].storage_os_disk' should be defined and not null", [name]),
+		"keyActualValue": sprintf("'azurerm_virtual_machine[%s].storage_os_disk' is undefined or null", [name]),
+		"searchLine": common_lib.build_search_line(["resource", "azurerm_virtual_machine", name], [])
+	}
+} else = results {
+	type == "azurerm_virtual_machine"
+	common_lib.valid_key(resource.storage_os_disk, "vhd_uri")
+	results := {
+		"searchKey": sprintf("azurerm_virtual_machine[%s].storage_os_disk.vhd_uri", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("'azurerm_virtual_machine[%s].storage_os_disk.vhd_uri' should not be set", [name]),
+		"keyActualValue": sprintf("'azurerm_virtual_machine[%s].storage_os_disk.vhd_uri' is set", [name]),
+		"searchLine": common_lib.build_search_line(["resource", "azurerm_virtual_machine", name, "storage_os_disk", "vhd_uri"], [])
+	}
+} else = results {
+	type == "azurerm_virtual_machine"
+	not common_lib.valid_key(resource.storage_os_disk, "managed_disk_id")
+	not common_lib.valid_key(resource.storage_os_disk, "managed_disk_type")
+	results := {
+		"searchKey": sprintf("azurerm_virtual_machine[%s].storage_os_disk", [name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("'azurerm_virtual_machine[%s].storage_os_disk' should define a 'managed_disk_id' or 'managed_disk_type'", [name]),
+		"keyActualValue": sprintf("'azurerm_virtual_machine[%s].storage_os_disk' does not define or sets to null 'managed_disk_id' and 'managed_disk_type'", [name]),
+		"searchLine": common_lib.build_search_line(["resource", "azurerm_virtual_machine", name, "storage_os_disk"], [])
+	}
+} else = results {
+	type == ["azurerm_linux_virtual_machine", "azurerm_windows_virtual_machine"][_]
+	not common_lib.valid_key(resource, "os_managed_disk_id")
+	results := {
+		"searchKey": sprintf("%s[%s]", [type, name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("'%s[%s].os_managed_disk_id' should be defined and not null", [type, name]),
+		"keyActualValue": sprintf("'%s[%s].os_managed_disk_id' is undefined or null", [type, name]),
+		"searchLine": common_lib.build_search_line(["resource", type, name], [])
+	}
+} else = results {
+	type == "azurerm_virtual_machine_scale_set"
+	not common_lib.valid_key(resource.storage_profile_os_disk, "managed_disk_type")
+	results := {
+		"searchKey": sprintf("%s[%s]", [type, name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("'%s[%s].storage_profile_os_disk.managed_disk_type' should be defined and not null", [type, name]),
+		"keyActualValue": sprintf("'%s[%s].storage_profile_os_disk.managed_disk_type' is undefined or null", [type, name]),
+		"searchLine": common_lib.build_search_line(["resource", type, name], [])
+	}
+}

assets/queries/terraform/azure/vm_without_managed_disk/test/negative1.tf

@@ -0,0 +1,29 @@
+resource "azurerm_virtual_machine" "negative1_1" {
+  name                  = "${var.prefix}-vm"
+  location              = azurerm_resource_group.negative1_1.location
+  resource_group_name   = azurerm_resource_group.negative1_1.name
+  network_interface_ids = [azurerm_network_interface.main.id]
+  vm_size               = "Standard_DS1_v2"
+
+  storage_os_disk {
+    name              = "myosdisk1"
+    caching           = "ReadWrite"
+    create_option     = "FromImage"
+    managed_disk_type = "Standard_LRS"
+  }
+}
+
+resource "azurerm_virtual_machine" "negative1_2" {
+  name                  = "${var.prefix}-vm"
+  location              = azurerm_resource_group.negative1_2.location
+  resource_group_name   = azurerm_resource_group.negative1_2.name
+  network_interface_ids = [azurerm_network_interface.negative1_2.id]
+  vm_size               = "Standard_DS1_v2"
+
+  storage_os_disk {
+    name              = "myosdisk1"
+    caching           = "ReadWrite"
+    create_option   = "Attach"
+    managed_disk_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Compute/disks/myManagedDisk"
+  }
+}

assets/queries/terraform/azure/vm_without_managed_disk/test/negative2.tf

@@ -0,0 +1,9 @@
+resource "azurerm_linux_virtual_machine" "negative2" {
+  name                = "negative2-machine"
+  resource_group_name = azurerm_resource_group.negative2.name
+  location            = azurerm_resource_group.negative2.location
+  size                = "Standard_F2"
+  admin_username      = "adminuser"
+
+  os_managed_disk_id  = azurerm_managed_disk.negative2.id
+}

assets/queries/terraform/azure/vm_without_managed_disk/test/negative3.tf

@@ -0,0 +1,9 @@
+resource "azurerm_windows_virtual_machine" "negative3" {
+  name                = "negative3-machine"
+  resource_group_name = azurerm_resource_group.negative3.name
+  location            = azurerm_resource_group.negative3.location
+  size                = "Standard_F2"
+  admin_username      = "adminuser"
+
+  os_managed_disk_id  = azurerm_managed_disk.negative3.id
+}

assets/queries/terraform/azure/vm_without_managed_disk/test/negative4.tf

@@ -0,0 +1,12 @@
+resource "azurerm_virtual_machine_scale_set" "negative4" {
+  name                = "vmss-ssd-negative4"
+  location            = azurerm_resource_group.negative4.location
+  resource_group_name = azurerm_resource_group.negative4.name
+  upgrade_policy_mode = "Manual"
+
+  storage_profile_os_disk {
+    caching             = "ReadWrite"
+    create_option       = "FromImage"
+    managed_disk_type   = "StandardSSD_LRS"
+  }
+}

assets/queries/terraform/azure/vm_without_managed_disk/test/positive1.tf

@@ -0,0 +1,39 @@
+resource "azurerm_virtual_machine" "positive1" {
+  name                  = "${var.prefix}-vm"
+  location              = azurerm_resource_group.positive1.location
+  resource_group_name   = azurerm_resource_group.positive1.name
+  network_interface_ids = [azurerm_network_interface.main.id]
+  vm_size               = "Standard_DS1_v2"
+
+  # missing "storage_os_disk" (tecnically required)
+}
+
+resource "azurerm_virtual_machine" "positive1_2" {
+  name                  = "${var.prefix}-vm"
+  location              = azurerm_resource_group.positive1_2.location
+  resource_group_name   = azurerm_resource_group.positive1_2.name
+  network_interface_ids = [azurerm_network_interface.main.id]
+  vm_size               = "Standard_DS1_v2"
+
+  storage_os_disk {
+    name              = "myosdisk1"
+    create_option     = "FromImage"
+    vhd_uri           = "https://<storageaccount>.blob.core.windows.net/<container>/<diskname>.vhd"
+    # unmanaged disk
+  }
+}
+
+resource "azurerm_virtual_machine" "positive1_3" {
+  name                  = "${var.prefix}-vm"
+  location              = azurerm_resource_group.positive1_3.location
+  resource_group_name   = azurerm_resource_group.positive1_3.name
+  network_interface_ids = [azurerm_network_interface.main.id]
+  vm_size               = "Standard_DS1_v2"
+
+
+  storage_os_disk {
+    name              = "myosdisk1"
+    create_option     = "FromImage"
+    # missing managed_disk_type/managed_disk_id
+  }
+}

assets/queries/terraform/azure/vm_without_managed_disk/test/positive2.tf

@@ -0,0 +1,9 @@
+resource "azurerm_linux_virtual_machine" "positive2" {
+  name                = "positive2-machine"
+  resource_group_name = azurerm_resource_group.positive2.name
+  location            = azurerm_resource_group.positive2.location
+  size                = "Standard_F2"
+  admin_username      = "adminuser"
+
+  # missing os_managed_disk_id
+}

assets/queries/terraform/azure/vm_without_managed_disk/test/positive3.tf

@@ -0,0 +1,9 @@
+resource "azurerm_windows_virtual_machine" "positive3" {
+  name                = "positive3-machine"
+  resource_group_name = azurerm_resource_group.positive3.name
+  location            = azurerm_resource_group.positive3.location
+  size                = "Standard_F2"
+  admin_username      = "adminuser"
+
+  # missing os_managed_disk_id
+}

assets/queries/terraform/azure/vm_without_managed_disk/test/positive4.tf

@@ -0,0 +1,30 @@
+resource "azurerm_virtual_machine_scale_set" "positive4_1" {
+  name                = "vmss-premium-positive4_1"
+  location            = azurerm_resource_group.positive4_1.location
+  resource_group_name = azurerm_resource_group.positive4_1.name
+  upgrade_policy_mode = "Manual"
+
+  storage_profile_os_disk {
+    caching             = "ReadOnly"
+    create_option       = "FromImage"
+    vhd_containers = [
+      "https://mystorageaccount.blob.core.windows.net/vhds/"
+    ]
+    # vhd_containers instead of "managed_disk_type"
+  }
+}
+
+resource "azurerm_virtual_machine_scale_set" "positive4_2" {
+  name                = "vmss-premium-positive4_2"
+  location            = azurerm_resource_group.positive4_2.location
+  resource_group_name = azurerm_resource_group.positive4_2.name
+  upgrade_policy_mode = "Manual"
+
+  storage_profile_os_disk {
+    caching             = "ReadOnly"
+    create_option       = "FromImage"
+    os_type = "Linux"   # Required when using "image"
+    image   = "https://mystorageaccount.blob.core.windows.net/system/Microsoft.Compute/Images/custom-os-image/osDisk.vhd"
+    # image instead of "managed_disk_type"
+  }
+}