feat(queries): implemented queries to check if managed identity is not enabled (#7863)

Author: cx-ricardo-jesus

assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/metadata.json

@@ -0,0 +1,14 @@
+{
+  "id": "0f7964fa-96fd-4a72-9fb7-3cdef71479db",
+  "queryName": "Beta - App Service Slot Managed Identity Disabled",
+  "severity": "MEDIUM",
+  "category": "Insecure Configurations",
+  "descriptionText": "App Service Slot should have managed identity enabled",
+  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/windows_web_app_slot",
+  "platform": "Terraform",
+  "descriptionID": "0f7964fa",
+  "cloudProvider": "azure",
+  "cwe": "522",
+  "riskScore": "3.0",
+  "experimental": "true"
+}

assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/query.rego

@@ -0,0 +1,25 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+resource_types := {"azurerm_app_service_slot", "azurerm_linux_web_app_slot", "azurerm_windows_web_app_slot"}
+
+CxPolicy[result] {
+    app_service_slot := input.document[i].resource[resource_types[idx_type]][name]
+
+    not common_lib.valid_key(app_service_slot, "identity")
+
+    result := {
+        "documentId": input.document[i].id,
+		"resourceType": resource_types[idx_type],
+		"resourceName": tf_lib.get_resource_name(app_service_slot, name),
+		"searchKey": sprintf("%s[%s]", [resource_types[idx_type], name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": "'type' field should have the values 'SystemAssigned' or 'UserAssigned' defined inside the 'identity' block",
+		"keyActualValue": "'identity' block is not defined",
+		"searchLine": common_lib.build_search_line(["resource", resource_types[idx_type], name], []),
+        "remediationType": "addition",
+        "remediation": "identity {\n\t\ttype = \"SystemAssigned, UserAssigned\"\n\t}",
+    }
+}

assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/test/negative1.tf

@@ -0,0 +1,11 @@
+resource "azurerm_app_service_slot" "negative1" {
+  name                = random_id.server.hex
+  app_service_name    = azurerm_app_service.example.name
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  app_service_plan_id = azurerm_app_service_plan.example.id
+
+  identity {
+    type = "SystemAssigned, UserAssigned"
+  }
+}

assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/test/negative2.tf

@@ -0,0 +1,10 @@
+resource "azurerm_linux_web_app_slot" "negative2" {
+  name           = "example-slot"
+  app_service_id = azurerm_linux_web_app.example.id
+
+  site_config {}
+
+  identity {
+    type = "SystemAssigned, UserAssigned"
+  }
+}

assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/test/negative3.tf

@@ -0,0 +1,10 @@
+resource "azurerm_windows_web_app_slot" "negative3" {
+  name           = "example-slot"
+  app_service_id = azurerm_windows_web_app.example.id
+
+  site_config {}
+
+  identity {
+    type = "SystemAssigned, UserAssigned"
+  }
+}

assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/test/positive1.tf

@@ -0,0 +1,7 @@
+resource "azurerm_app_service_slot" "positive1" {
+  name                = random_id.server.hex
+  app_service_name    = azurerm_app_service.example.name
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  app_service_plan_id = azurerm_app_service_plan.example.id
+}

assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/test/positive2.tf

@@ -0,0 +1,6 @@
+resource "azurerm_linux_web_app_slot" "positive2" {
+  name           = "example-slot"
+  app_service_id = azurerm_linux_web_app.example.id
+
+  site_config {}
+}

assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/test/positive3.tf

@@ -0,0 +1,6 @@
+resource "azurerm_windows_web_app_slot" "positive3" {
+  name           = "example-slot"
+  app_service_id = azurerm_windows_web_app.example.id
+
+  site_config {}
+}

assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/test/positive_expected_result.json

@@ -0,0 +1,20 @@
+[
+  {
+    "queryName": "Beta - App Service Slot Managed Identity Disabled",
+    "severity": "MEDIUM",
+    "line": 1,
+    "fileName": "positive1.tf"
+  },
+  {
+    "queryName": "Beta - App Service Slot Managed Identity Disabled",
+    "severity": "MEDIUM",
+    "line": 1,
+    "fileName": "positive2.tf"
+  },
+  {
+    "queryName": "Beta - App Service Slot Managed Identity Disabled",
+    "severity": "MEDIUM",
+    "line": 1,
+    "fileName": "positive3.tf"
+  }
+]

assets/queries/terraform/azure/container_app_managed_identity_disabled/metadata.json

@@ -0,0 +1,14 @@
+{
+  "id": "829246df-02c5-490c-993b-10a07a7242e9",
+  "queryName": "Beta - Container App Managed Identity Disabled",
+  "severity": "MEDIUM",
+  "category": "Insecure Configurations",
+  "descriptionText": "Container Apps should have managed identity enabled",
+  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/container_app",
+  "platform": "Terraform",
+  "descriptionID": "829246df",
+  "cloudProvider": "azure",
+  "cwe": "522",
+  "riskScore": "3.0",
+  "experimental": "true"
+}