feat(query): implements "Beta - SQL Database Without Data Encryption" (#7858)

Co-authored-by: Artur Ribeiro <153724638+cx-artur-ribeiro@users.noreply.github.com>

Author: cx-andre-pereira

assets/queries/terraform/azure/sql_database_without_data_encryption/metadata.json

@@ -0,0 +1,14 @@
+{
+  "id": "0745bb3f-60dc-43b6-90ae-67bb01fd1775",
+  "queryName": "Beta - SQL Database Without Data Encryption",
+  "severity": "HIGH",
+  "category": "Encryption",
+  "descriptionText": "All 'azurerm_mssql_database' resources should enable data encryption at rest through the 'transparent_data_encryption_enabled' field",
+  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_database#transparent_data_encryption_enabled-1",
+  "platform": "Terraform",
+  "descriptionID": "0745bb3f",
+  "cloudProvider": "azure",
+  "cwe": "312",
+  "riskScore": "6.0",
+  "experimental": "true"
+}

assets/queries/terraform/azure/sql_database_without_data_encryption/query.rego

@@ -0,0 +1,21 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+	resource := input.document[i].resource.azurerm_mssql_database[name]
+
+	resource.transparent_data_encryption_enabled != true
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "azurerm_mssql_database",
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("azurerm_mssql_database[%s].transparent_data_encryption_enabled", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("'azurerm_mssql_database[%s].transparent_data_encryption_enabled' should be set to 'true'", [name]),
+		"keyActualValue": sprintf("'azurerm_mssql_database[%s].transparent_data_encryption_enabled' is set to '%s'", [name, resource.transparent_data_encryption_enabled]),
+		"searchLine": common_lib.build_search_line(["resource", "azurerm_mssql_database", name, "transparent_data_encryption_enabled"], [])
+	}
+}

assets/queries/terraform/azure/sql_database_without_data_encryption/test/negative.tf

@@ -0,0 +1,27 @@
+resource "azurerm_mssql_database" "example" {
+  name           = "example-db"
+  server_id      = azurerm_mssql_server.example.id
+  collation      = "SQL_Latin1_General_CP1_CI_AS"
+  license_type   = "LicenseIncluded"
+  max_size_gb    = 4
+  read_scale     = true
+  sku_name       = "S0"
+  zone_redundant = true
+  enclave_type   = "VBS"
+
+  # missing "transparent_data_encryption_enabled" - defaults to true
+}
+
+resource "azurerm_mssql_database" "example" {
+  name           = "example-db"
+  server_id      = azurerm_mssql_server.example.id
+  collation      = "SQL_Latin1_General_CP1_CI_AS"
+  license_type   = "LicenseIncluded"
+  max_size_gb    = 4
+  read_scale     = true
+  sku_name       = "S0"
+  zone_redundant = true
+  enclave_type   = "VBS"
+
+  transparent_data_encryption_enabled = true
+}

assets/queries/terraform/azure/sql_database_without_data_encryption/test/positive.tf

@@ -0,0 +1,13 @@
+resource "azurerm_mssql_database" "example" {
+  name           = "example-db"
+  server_id      = azurerm_mssql_server.example.id
+  collation      = "SQL_Latin1_General_CP1_CI_AS"
+  license_type   = "LicenseIncluded"
+  max_size_gb    = 4
+  read_scale     = true
+  sku_name       = "S0"
+  zone_redundant = true
+  enclave_type   = "VBS"
+
+  transparent_data_encryption_enabled = false
+}

assets/queries/terraform/azure/sql_database_without_data_encryption/test/positive_expected_result.json

@@ -0,0 +1,7 @@
+[
+  {
+    "queryName": "Beta - SQL Database Without Data Encryption",
+    "severity": "HIGH",
+    "line": 12
+  }
+]

assets/similarityID_transition/terraform_azure.yaml

@@ -3,6 +3,10 @@ similarityIDChangeList:
       queryName: Sensitive Port Is Exposed To Wide Private Network
       observations: ""
       change: 5
+    - queryId: 0745bb3f-60dc-43b6-90ae-67bb01fd1775
+      queryName: Beta - SQL Database Without Data Encryption
+      observations: ""
+      change: 2
     - queryId: 0536c90c-714e-4184-991e-3fed8d8b7b46
       queryName: Beta - VM Without Managed Disk
       observations: ""