diff --git a/README.md b/README.md
index ac2988f2..d3366ad7 100644
--- a/README.md
+++ b/README.md
@@ -68,6 +68,7 @@ To learn more about the rules used by **Azure Quick Review (azqr)** for generati
 * Azure Key Vault
 * Azure Kubernetes Service
 * Azure Load Balancer
+* Azure Logic Apps
 * Azure Service Bus
 * Azure SignalR Service
 * Azure SQL Database
diff --git a/cmd/azqr/logic.go b/cmd/azqr/logic.go
new file mode 100644
index 00000000..d1ae2981
--- /dev/null
+++ b/cmd/azqr/logic.go
@@ -0,0 +1,28 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+package azqr
+
+import (
+ "github.com/Azure/azqr/internal/scanners"
+ "github.com/Azure/azqr/internal/scanners/logic"
+ "github.com/spf13/cobra"
+)
+
+func init() {
+ scanCmd.AddCommand(logicCmd)
+}
+
+var logicCmd = &cobra.Command{
+ Use: "logic",
+ Short: "Scan Azure Logic Apps",
+ Long: "Scan Azure Logic Apps",
+ Args: cobra.NoArgs,
+ Run: func(cmd *cobra.Command, args []string) {
+ serviceScanners := []scanners.IAzureScanner{
+ &logic.LogicAppScanner{},
+ }
+
+ scan(cmd, serviceScanners)
+ },
+}
diff --git a/cmd/azqr/rules.go b/cmd/azqr/rules.go
index 6ae66d4b..c3ff39e0 100644
--- a/cmd/azqr/rules.go
+++ b/cmd/azqr/rules.go
@@ -27,6 +27,7 @@ import (
 "github.com/Azure/azqr/internal/scanners/evh"
 "github.com/Azure/azqr/internal/scanners/kv"
 "github.com/Azure/azqr/internal/scanners/lb"
+ "github.com/Azure/azqr/internal/scanners/logic"
 "github.com/Azure/azqr/internal/scanners/maria"
 "github.com/Azure/azqr/internal/scanners/mysql"
 "github.com/Azure/azqr/internal/scanners/plan"
@@ -72,6 +73,7 @@ var rulesCmd = &cobra.Command{
 &evh.EventHubScanner{},
 &kv.KeyVaultScanner{},
 &lb.LoadBalancerScanner{},
+ &logic.LogicAppScanner{},
 &maria.MariaScanner{},
 &mysql.MySQLFlexibleScanner{},
 &mysql.MySQLScanner{},
diff --git a/cmd/azqr/scan.go b/cmd/azqr/scan.go
index 4b16b0c0..4d98c3f3 100644
--- a/cmd/azqr/scan.go
+++ b/cmd/azqr/scan.go
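Review bot: `logicCmd` in the new cmd/azqr/logic.go carries no doc comment, and its `Long` text merely repeats `Short`, so `azqr scan logic --help` tells an operator nothing beyond the one-liner. Suggest `// logicCmd is the "scan logic" subcommand: it runs scan() with only the Logic App scanner registered.` above the var, and either a `Long` that says what the scanner evaluates (the rules table in this commit lists diagnostic settings, HTTP-trigger access restriction, naming and tags for logic-*, presumably what `LogicAppScanner` implements) or no `Long` at all, since cobra falls back to `Short` when it is empty. The unused `args` parameter of `Run` is harmless under `cobra.NoArgs`, but writing it as `_` would make that intent explicit.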
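Review bot: The scanner list is now maintained by hand in three places — `rulesCmd` in cmd/azqr/rules.go, `scanCmd` in cmd/azqr/scan.go (the second hunk of that file has the same shape), and the per-service list in cmd/azqr/logic.go — and nothing ties them together, so a scanner added to one list but not the others would be documented but not scanned, or scanned but absent from the published rules. Consider one package-level `allScanners()` in cmd/azqr returning the shared `[]scanners.IAzureScanner` and having both commands range over it; the per-service subcommands could then pick their entry from the same slice instead of re-listing it. Both enclosing `var ... = &cobra.Command{` literals start and end outside their hunks.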
@@ -31,6 +31,7 @@ import (
 "github.com/Azure/azqr/internal/scanners/evh"
 "github.com/Azure/azqr/internal/scanners/kv"
 "github.com/Azure/azqr/internal/scanners/lb"
+ "github.com/Azure/azqr/internal/scanners/logic"
 "github.com/Azure/azqr/internal/scanners/maria"
 "github.com/Azure/azqr/internal/scanners/mysql"
 "github.com/Azure/azqr/internal/scanners/plan"
@@ -96,6 +97,7 @@ var scanCmd = &cobra.Command{
 &evh.EventHubScanner{},
 &kv.KeyVaultScanner{},
 &lb.LoadBalancerScanner{},
+ &logic.LogicAppScanner{},
 &maria.MariaScanner{},
 &mysql.MySQLFlexibleScanner{},
 &mysql.MySQLScanner{},
diff --git a/docs/content/en/docs/Overview/_index.md b/docs/content/en/docs/Overview/_index.md
index 234a5afc..5816f726 100644
--- a/docs/content/en/docs/Overview/_index.md
+++ b/docs/content/en/docs/Overview/_index.md
@@ -63,6 +63,7 @@ To learn more about the rules used by **Azure Quick Review (azqr)** for generati
 * Azure Key Vault
 * Azure Kubernetes Service
 * Azure Load Balancer
+* Azure Logic Apps
 * Azure Service Bus
 * Azure SignalR Service
 * Azure SQL Database
diff --git a/docs/content/en/docs/Rules/_index.md b/docs/content/en/docs/Rules/_index.md
index 6badc055..722d51be 100644
--- a/docs/content/en/docs/Rules/_index.md
+++ b/docs/content/en/docs/Rules/_index.md
@@ -145,118 +145,127 @@ Azure Quick Review uses the following rules to identify Azure resources that may 135 | lb-005 | Reliability | SKU | Load Balancer SKU | High | [Learn](https://learn.microsoft.com/en-us/azure/load-balancer/skus) 136 | lb-006 | Operational Excellence | Naming Convention (CAF) | Load Balancer Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) 137 | lb-007 | Operational Excellence | Tags | Load Balancer should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -138 | maria-001 | Reliability | Diagnostic Logs | MariaDB should have diagnostic settings enabled | Medium | [Learn]() -139 | maria-002 | Security | Private Endpoint | MariaDB should have private endpoints enabled | High | [Learn]() -140 | maria-003 | Operational Excellence | Naming Convention (CAF) | MariaDB server Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -141 | maria-004 | Reliability | SLA | MariaDB server should have a SLA | High | [Learn]() -142 | maria-005 | Operational Excellence | Tags | MariaDB should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -143 | maria-006 | Security | TLS | MariaDB should enforce TLS >= 1.2 | Low | [Learn](https://learn.microsoft.com/en-us/azure/mariadb/howto-tls-configurations) -144 | mysqlf-001 | Reliability | Diagnostic Logs | Azure Database for MySQL - Flexible Server should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/mysql/flexible-server/tutorial-query-performance-insights#set-up-diagnostics) -145 | mysqlf-002 | Reliability | Availability Zones | Azure Database for MySQL - Flexible Server should 
have availability zones enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/mysql/flexible-server/how-to-configure-high-availability-cli) -146 | mysqlf-003 | Reliability | SLA | Azure Database for MySQL - Flexible Server should have a SLA | High | [Learn](hhttps://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1) -147 | mysqlf-004 | Security | Private IP Address | Azure Database for MySQL - Flexible Server should have private access enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/mysql/flexible-server/how-to-manage-virtual-network-cli) -148 | mysqlf-005 | Reliability | SKU | Azure Database for MySQL - Flexible Server SKU | High | [Learn](https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-service-tiers-storage) -149 | mysqlf-006 | Operational Excellence | Naming Convention (CAF) | Azure Database for MySQL - Flexible Server Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -150 | mysqlf-007 | Operational Excellence | Tags | Azure Database for MySQL - Flexible Server should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -151 | mysql-001 | Reliability | Diagnostic Logs | Azure Database for MySQL - Flexible Server should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/mysql/single-server/concepts-monitoring#server-logs) -152 | mysql-003 | Reliability | SLA | Azure Database for MySQL - Flexible Server should have a SLA | High | [Learn](https://www.azure.cn/en-us/support/sla/mysql/) -153 | mysql-004 | Security | Private Endpoint | Azure Database for MySQL - Flexible Server should have private endpoints enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/mysql/single-server/concepts-data-access-security-private-link) -154 | 
mysql-005 | Reliability | SKU | Azure Database for MySQL - Flexible Server SKU | High | [Learn](https://learn.microsoft.com/en-us/azure/mysql/single-server/concepts-pricing-tiers) -155 | mysql-006 | Operational Excellence | Naming Convention (CAF) | Azure Database for MySQL - Flexible Server Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -156 | mysql-007 | Reliability | SKU | Azure Database for MySQL - Single Server is on the retirement path | High | [Learn](https://learn.microsoft.com/en-us/azure/mysql/single-server/whats-happening-to-mysql-single-server) -157 | mysql-008 | Operational Excellence | Tags | Azure Database for MySQL - Single Server should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -158 | app-001 | Reliability | Diagnostic Logs | App Service should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/app-service/troubleshoot-diagnostic-logs#send-logs-to-azure-monitor) -159 | app-004 | Security | Private Endpoint | App Service should have private endpoints enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/app-service/networking/private-endpoint) -160 | app-006 | Operational Excellence | Naming Convention (CAF) | App Service Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -161 | app-007 | Security | HTTPS Only | App Service should use HTTPS only | High | [Learn](https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https) -162 | app-008 | Operational Excellence | Tags | App Service should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -163 | func-001 | Reliability | 
Diagnostic Logs | Function should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/azure-functions/functions-monitor-log-analytics?tabs=csharp) -164 | func-004 | Security | Private Endpoint | Function should have private endpoints enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/azure-functions/functions-create-vnet) -165 | func-006 | Operational Excellence | Naming Convention (CAF) | Function Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -166 | func-007 | Security | HTTPS Only | Function should use HTTPS only | High | [Learn](https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https) -167 | func-008 | Operational Excellence | Tags | Function should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -168 | plan-001 | Reliability | Diagnostic Logs | Plan should have diagnostic settings enabled | Medium | [Learn]() -169 | plan-002 | Reliability | Availability Zones | Plan should have availability zones enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service) -170 | plan-003 | Reliability | SLA | Plan should have a SLA | High | [Learn](https://www.azure.cn/en-us/support/sla/app-service/) -171 | plan-005 | Reliability | SKU | Plan SKU | High | [Learn](https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans) -172 | plan-006 | Operational Excellence | Naming Convention (CAF) | Plan Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -173 | plan-007 | Operational Excellence | Tags | Plan should have tags | Low | 
[Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -174 | psqlf-001 | Reliability | Diagnostic Logs | PostgreSQL should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/howto-configure-and-access-logs) -175 | psqlf-002 | Reliability | Availability Zones | PostgreSQL should have availability zones enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/overview#architecture-and-high-availability) -176 | psqlf-003 | Reliability | SLA | PostgreSQL should have a SLA | High | [Learn](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-compare-single-server-flexible-server) -177 | psqlf-004 | Security | Private IP Address | PostgreSQL should have private access enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking#private-access-vnet-integration) -178 | psqlf-005 | Reliability | SKU | PostgreSQL SKU | High | [Learn](https://azure.microsoft.com/en-gb/pricing/details/postgresql/flexible-server/) -179 | psqlf-006 | Operational Excellence | Naming Convention (CAF) | PostgreSQL Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -180 | psqlf-007 | Operational Excellence | Tags | PostgreSQL should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -181 | psql-001 | Reliability | Diagnostic Logs | PostgreSQL should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-server-logs#resource-logs) -182 | psql-003 | Reliability | SLA | PostgreSQL should have a SLA | High | [Learn](https://www.azure.cn/en-us/support/sla/postgresql/) -183 | psql-004 | Security | Private Endpoint | 
PostgreSQL should have private endpoints enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-data-access-and-security-private-link) -184 | psql-005 | Reliability | SKU | PostgreSQL SKU | High | [Learn](https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-pricing-tiers) -185 | psql-006 | Operational Excellence | Naming Convention (CAF) | PostgreSQL Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -186 | psql-007 | Operational Excellence | Tags | PostgreSQL should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -187 | psql-008 | Security | SSL | PostgreSQL should enforce SSL | High | [Learn](https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-ssl-connection-security#enforcing-tls-connections) -188 | psql-009 | Security | TLS | PostgreSQL should enforce TLS >= 1.2 | Low | [Learn](https://learn.microsoft.com/en-us/azure/postgresql/single-server/how-to-tls-configurations) -189 | redis-001 | Reliability | Diagnostic Logs | Redis should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-monitor-diagnostic-settings) -190 | redis-002 | Reliability | Availability Zones | Redis should have availability zones enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability) -191 | redis-003 | Reliability | SLA | Redis should have a SLA | High | [Learn](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1) -192 | redis-004 | Security | Private Endpoint | Redis should have private endpoints enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-private-link) -193 | redis-005 | Reliability | 
SKU | Redis SKU | High | [Learn](https://azure.microsoft.com/en-gb/pricing/details/cache/) -194 | redis-006 | Operational Excellence | Naming Convention (CAF) | Redis Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -195 | redis-007 | Operational Excellence | Tags | Redis should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -196 | redis-008 | Security | SSL | Redis should not enable non SSL ports | High | [Learn](https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-configure#access-ports) -197 | redis-009 | Security | TLS | Redis should enforce TLS >= 1.2 | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-remove-tls-10-11) -198 | sb-001 | Reliability | Diagnostic Logs | Service Bus should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/service-bus-messaging/monitor-service-bus#collection-and-routing) -199 | sb-002 | Reliability | Availability Zones | Service Bus should have availability zones enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-outages-disasters#availability-zones) -200 | sb-003 | Reliability | SLA | Service Bus should have a SLA | High | [Learn](https://www.azure.cn/en-us/support/sla/service-bus/) -201 | sb-004 | Security | Private Endpoint | Service Bus should have private endpoints enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/service-bus-messaging/network-security) -202 | sb-005 | Reliability | SKU | Service Bus SKU | High | [Learn](https://azure.microsoft.com/en-us/pricing/details/service-bus/) -203 | sb-006 | Operational Excellence | Naming Convention (CAF) | Service Bus Name should comply with naming conventions | Low | 
[Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -204 | sb-007 | Operational Excellence | Tags | Service Bus should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -205 | sb-008 | Security | Identity and Access Control | Service Bus should have local authentication disabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-sas) -206 | sigr-001 | Reliability | Diagnostic Logs | SignalR should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/azure-signalr/signalr-howto-diagnostic-logs) -207 | sigr-002 | Reliability | Availability Zones | SignalR should have availability zones enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/azure-signalr/availability-zones) -208 | sigr-003 | Reliability | SLA | SignalR should have a SLA | High | [Learn](https://www.azure.cn/en-us/support/sla/signalr-service/) -209 | sigr-004 | Security | Private Endpoint | SignalR should have private endpoints enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/azure-signalr/howto-private-endpoints) -210 | sigr-005 | Reliability | SKU | SignalR SKU | High | [Learn](https://azure.microsoft.com/en-us/pricing/details/signalr-service/) -211 | sigr-006 | Operational Excellence | Naming Convention (CAF) | SignalR Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -212 | sigr-007 | Operational Excellence | Tags | SignalR should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -213 | sql-001 | Reliability | Diagnostic Logs | SQL should have diagnostic settings enabled | Medium | [Learn]() -214 | sql-004 | Security | Private Endpoint | SQL should have 
private endpoints enabled | High | [Learn]() -215 | sql-006 | Operational Excellence | Naming Convention (CAF) | SQL Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -216 | sql-007 | Operational Excellence | Tags | SQL should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -217 | sql-008 | Security | TLS | SQL should enforce TLS >= 1.2 | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-settings?view=azuresql&tabs=azure-portal#minimal-tls-version) -218 | sqldb-001 | Reliability | Diagnostic Logs | SQL Database should have diagnostic settings enabled | Medium | [Learn]() -219 | sqldb-002 | Reliability | Availability Zones | SQL Database should have availability zones enabled | High | [Learn]() -220 | sqldb-003 | Reliability | SLA | SQL Database should have a SLA | High | [Learn]() -221 | sqldb-005 | Reliability | SKU | SQL Database SKU | High | [Learn](https://docs.microsoft.com/en-us/azure/azure-sql/database/service-tiers-vcore?tabs=azure-portal) -222 | sqldb-006 | Operational Excellence | Naming Convention (CAF) | SQL Database Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -223 | sqldb-007 | Operational Excellence | Tags | SQL Database should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -224 | st-001 | Reliability | Diagnostic Logs | Storage should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage) -225 | st-002 | Reliability | Availability Zones | Storage should have availability zones enabled | High | 
[Learn](https://learn.microsoft.com/EN-US/azure/reliability/migrate-storage) -226 | st-003 | Reliability | SLA | Storage should have a SLA | High | [Learn](https://www.azure.cn/en-us/support/sla/storage/) -227 | st-004 | Security | Private Endpoint | Storage should have private endpoints enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints) -228 | st-005 | Reliability | SKU | Storage SKU | High | [Learn](https://learn.microsoft.com/en-us/rest/api/storagerp/srp_sku_types) -229 | st-006 | Operational Excellence | Naming Convention (CAF) | Storage Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -230 | st-007 | Security | HTTPS Only | Storage Account should use HTTPS only | High | [Learn](https://learn.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer) -231 | st-008 | Operational Excellence | Tags | Storage Account should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -232 | st-009 | Security | TLS | Storage Account should enforce TLS >= 1.2 | Low | [Learn](https://learn.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal) -233 | vm-001 | Reliability | Diagnostic Logs | Virtual Machine should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/azure-monitor/agents/diagnostics-extension-windows-install) -234 | vm-002 | Reliability | Availability Zones | Virtual Machine should have availability zones enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/virtual-machines/availability#availability-zones) -235 | vm-003 | Reliability | SLA | Virtual Machine should have a SLA | High | [Learn](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1) -236 
| vm-006 | Operational Excellence | Naming Convention (CAF) | Virtual Machine Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -237 | vm-007 | Operational Excellence | Tags | Virtual Machine should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -238 | vm-008 | Reliability | Reliability | Virtual Machine should use managed disks | High | [Learn](https://learn.microsoft.com/en-us/azure/architecture/checklist/resiliency-per-service#virtual-machines) -239 | vm-009 | Reliability | Reliability | Virtual Machine should host application or database data on a data disk | Low | [Learn](https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#data-disk) -240 | vnet-001 | Reliability | Diagnostic Logs | Virtual Network should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/virtual-network/monitor-virtual-network#collection-and-routing) -241 | vnet-002 | Reliability | Availability Zones | Virtual Network should have availability zones enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview#virtual-networks-and-availability-zones) -242 | vnet-006 | Operational Excellence | Naming Convention (CAF) | Virtual Network Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -243 | vnet-007 | Operational Excellence | Tags | Virtual Network should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -244 | vnet-008 | Security | Networking | Virtual Network: All Subnets should have a Network Security Group associated | High | 
[Learn](https://learn.microsoft.com/azure/virtual-network/concepts-and-best-practices) -245 | vnet-009 | Reliability | Reliability | Virtual NetworK should have at least two DNS servers assigned | High | [Learn](https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances?tabs=redhat#specify-dns-servers) -246 | wps-001 | Reliability | Diagnostic Logs | Web Pub Sub should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/azure-web-pubsub/howto-troubleshoot-resource-logs) -247 | wps-002 | Reliability | Availability Zones | Web Pub Sub should have availability zones enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/azure-web-pubsub/concept-availability-zones) -248 | wps-003 | Reliability | SLA | Web Pub Sub should have a SLA | High | [Learn](https://azure.microsoft.com/en-gb/support/legal/sla/web-pubsub/) -249 | wps-004 | Security | Private Endpoint | Web Pub Sub should have private endpoints enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/azure-web-pubsub/howto-secure-private-endpoints) -250 | wps-005 | Reliability | SKU | Web Pub Sub SKU | High | [Learn](https://azure.microsoft.com/en-us/pricing/details/web-pubsub/) -251 | wps-006 | Operational Excellence | Naming Convention (CAF) | Web Pub Sub Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -252 | wps-007 | Operational Excellence | Tags | Web Pub Sub should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) +138 | logic-001 | Reliability | Diagnostic Logs | Logic App should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/logic-apps/monitor-workflows-collect-diagnostic-data) +139 | logic-004 | Security | Private Endpoint | Logic App should limit 
access to Http Triggers | High | [Learn](https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app?tabs=azure-portal#restrict-access-by-ip-address-range) +140 | logic-006 | Operational Excellence | Naming Convention (CAF) | Logic App Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +141 | logic-007 | Operational Excellence | Tags | Logic App should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) +142 | maria-001 | Reliability | Diagnostic Logs | MariaDB should have diagnostic settings enabled | Medium | [Learn]() +143 | maria-002 | Security | Private Endpoint | MariaDB should have private endpoints enabled | High | [Learn]() +144 | maria-003 | Operational Excellence | Naming Convention (CAF) | MariaDB server Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +145 | maria-004 | Reliability | SLA | MariaDB server should have a SLA | High | [Learn]() +146 | maria-005 | Operational Excellence | Tags | MariaDB should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) +147 | maria-006 | Security | TLS | MariaDB should enforce TLS >= 1.2 | Low | [Learn](https://learn.microsoft.com/en-us/azure/mariadb/howto-tls-configurations) +148 | mysqlf-001 | Reliability | Diagnostic Logs | Azure Database for MySQL - Flexible Server should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/mysql/flexible-server/tutorial-query-performance-insights#set-up-diagnostics) +149 | mysqlf-002 | Reliability | Availability Zones | Azure Database for MySQL - Flexible Server should have availability zones enabled | High | 
[Learn](https://learn.microsoft.com/en-us/azure/mysql/flexible-server/how-to-configure-high-availability-cli) +150 | mysqlf-003 | Reliability | SLA | Azure Database for MySQL - Flexible Server should have a SLA | High | [Learn](hhttps://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1) +151 | mysqlf-004 | Security | Private IP Address | Azure Database for MySQL - Flexible Server should have private access enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/mysql/flexible-server/how-to-manage-virtual-network-cli) +152 | mysqlf-005 | Reliability | SKU | Azure Database for MySQL - Flexible Server SKU | High | [Learn](https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-service-tiers-storage) +153 | mysqlf-006 | Operational Excellence | Naming Convention (CAF) | Azure Database for MySQL - Flexible Server Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +154 | mysqlf-007 | Operational Excellence | Tags | Azure Database for MySQL - Flexible Server should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) +155 | mysql-001 | Reliability | Diagnostic Logs | Azure Database for MySQL - Flexible Server should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/mysql/single-server/concepts-monitoring#server-logs) +156 | mysql-003 | Reliability | SLA | Azure Database for MySQL - Flexible Server should have a SLA | High | [Learn](https://www.azure.cn/en-us/support/sla/mysql/) +157 | mysql-004 | Security | Private Endpoint | Azure Database for MySQL - Flexible Server should have private endpoints enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/mysql/single-server/concepts-data-access-security-private-link) +158 | mysql-005 | Reliability | SKU | Azure 
Database for MySQL - Flexible Server SKU | High | [Learn](https://learn.microsoft.com/en-us/azure/mysql/single-server/concepts-pricing-tiers) +159 | mysql-006 | Operational Excellence | Naming Convention (CAF) | Azure Database for MySQL - Flexible Server Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +160 | mysql-007 | Reliability | SKU | Azure Database for MySQL - Single Server is on the retirement path | High | [Learn](https://learn.microsoft.com/en-us/azure/mysql/single-server/whats-happening-to-mysql-single-server) +161 | mysql-008 | Operational Excellence | Tags | Azure Database for MySQL - Single Server should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) +162 | app-001 | Reliability | Diagnostic Logs | App Service should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/app-service/troubleshoot-diagnostic-logs#send-logs-to-azure-monitor) +163 | app-004 | Security | Private Endpoint | App Service should have private endpoints enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/app-service/networking/private-endpoint) +164 | app-006 | Operational Excellence | Naming Convention (CAF) | App Service Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +165 | app-007 | Security | HTTPS Only | App Service should use HTTPS only | High | [Learn](https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https) +166 | app-008 | Operational Excellence | Tags | App Service should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) +167 | func-001 | Reliability | Diagnostic Logs | Function should have 
diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/azure-functions/functions-monitor-log-analytics?tabs=csharp)
+168 | func-004 | Security | Private Endpoint | Function should have private endpoints enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/azure-functions/functions-create-vnet)
+169 | func-006 | Operational Excellence | Naming Convention (CAF) | Function Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+170 | func-007 | Security | HTTPS Only | Function should use HTTPS only | High | [Learn](https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https)
+171 | func-008 | Operational Excellence | Tags | Function should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+172 | logics-001 | Reliability | Diagnostic Logs | Logic App should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/logic-apps/monitor-workflows-collect-diagnostic-data)
+173 | logics-004 | Security | Private Endpoint | Logic App should have private endpoints enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/logic-apps/secure-single-tenant-workflow-virtual-network-private-endpoint)
+174 | logics-006 | Operational Excellence | Naming Convention (CAF) | Logic App Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+175 | logics-007 | Security | HTTPS Only | Logic App should use HTTPS only | High | [Learn](https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https)
+176 | logics-008 | Operational Excellence | Tags | Logic App should have tags | Low |
[Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+177 | plan-001 | Reliability | Diagnostic Logs | Plan should have diagnostic settings enabled | Medium | [Learn]()
+178 | plan-002 | Reliability | Availability Zones | Plan should have availability zones enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service)
+179 | plan-003 | Reliability | SLA | Plan should have a SLA | High | [Learn](https://www.azure.cn/en-us/support/sla/app-service/)
+180 | plan-005 | Reliability | SKU | Plan SKU | High | [Learn](https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans)
+181 | plan-006 | Operational Excellence | Naming Convention (CAF) | Plan Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+182 | plan-007 | Operational Excellence | Tags | Plan should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+183 | psqlf-001 | Reliability | Diagnostic Logs | PostgreSQL should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/howto-configure-and-access-logs)
+184 | psqlf-002 | Reliability | Availability Zones | PostgreSQL should have availability zones enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/overview#architecture-and-high-availability)
+185 | psqlf-003 | Reliability | SLA | PostgreSQL should have a SLA | High | [Learn](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-compare-single-server-flexible-server)
+186 | psqlf-004 | Security | Private IP Address | PostgreSQL should have private access enabled | High |
[Learn](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking#private-access-vnet-integration)
+187 | psqlf-005 | Reliability | SKU | PostgreSQL SKU | High | [Learn](https://azure.microsoft.com/en-gb/pricing/details/postgresql/flexible-server/)
+188 | psqlf-006 | Operational Excellence | Naming Convention (CAF) | PostgreSQL Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+189 | psqlf-007 | Operational Excellence | Tags | PostgreSQL should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+190 | psql-001 | Reliability | Diagnostic Logs | PostgreSQL should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-server-logs#resource-logs)
+191 | psql-003 | Reliability | SLA | PostgreSQL should have a SLA | High | [Learn](https://www.azure.cn/en-us/support/sla/postgresql/)
+192 | psql-004 | Security | Private Endpoint | PostgreSQL should have private endpoints enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-data-access-and-security-private-link)
+193 | psql-005 | Reliability | SKU | PostgreSQL SKU | High | [Learn](https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-pricing-tiers)
+194 | psql-006 | Operational Excellence | Naming Convention (CAF) | PostgreSQL Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+195 | psql-007 | Operational Excellence | Tags | PostgreSQL should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+196 | psql-008 | Security | SSL | PostgreSQL should enforce SSL | High |
[Learn](https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-ssl-connection-security#enforcing-tls-connections)
+197 | psql-009 | Security | TLS | PostgreSQL should enforce TLS >= 1.2 | Low | [Learn](https://learn.microsoft.com/en-us/azure/postgresql/single-server/how-to-tls-configurations)
+198 | redis-001 | Reliability | Diagnostic Logs | Redis should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-monitor-diagnostic-settings)
+199 | redis-002 | Reliability | Availability Zones | Redis should have availability zones enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability)
+200 | redis-003 | Reliability | SLA | Redis should have a SLA | High | [Learn](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1)
+201 | redis-004 | Security | Private Endpoint | Redis should have private endpoints enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-private-link)
+202 | redis-005 | Reliability | SKU | Redis SKU | High | [Learn](https://azure.microsoft.com/en-gb/pricing/details/cache/)
+203 | redis-006 | Operational Excellence | Naming Convention (CAF) | Redis Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+204 | redis-007 | Operational Excellence | Tags | Redis should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+205 | redis-008 | Security | SSL | Redis should not enable non SSL ports | High | [Learn](https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-configure#access-ports)
+206 | redis-009 | Security | TLS | Redis should enforce TLS >= 1.2 | Low |
[Learn](https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-remove-tls-10-11)
+207 | sb-001 | Reliability | Diagnostic Logs | Service Bus should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/service-bus-messaging/monitor-service-bus#collection-and-routing)
+208 | sb-002 | Reliability | Availability Zones | Service Bus should have availability zones enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-outages-disasters#availability-zones)
+209 | sb-003 | Reliability | SLA | Service Bus should have a SLA | High | [Learn](https://www.azure.cn/en-us/support/sla/service-bus/)
+210 | sb-004 | Security | Private Endpoint | Service Bus should have private endpoints enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/service-bus-messaging/network-security)
+211 | sb-005 | Reliability | SKU | Service Bus SKU | High | [Learn](https://azure.microsoft.com/en-us/pricing/details/service-bus/)
+212 | sb-006 | Operational Excellence | Naming Convention (CAF) | Service Bus Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+213 | sb-007 | Operational Excellence | Tags | Service Bus should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+214 | sb-008 | Security | Identity and Access Control | Service Bus should have local authentication disabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-sas)
+215 | sigr-001 | Reliability | Diagnostic Logs | SignalR should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/azure-signalr/signalr-howto-diagnostic-logs)
+216 | sigr-002 | Reliability | Availability Zones | SignalR should have availability zones enabled | High |
[Learn](https://learn.microsoft.com/en-us/azure/azure-signalr/availability-zones)
+217 | sigr-003 | Reliability | SLA | SignalR should have a SLA | High | [Learn](https://www.azure.cn/en-us/support/sla/signalr-service/)
+218 | sigr-004 | Security | Private Endpoint | SignalR should have private endpoints enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/azure-signalr/howto-private-endpoints)
+219 | sigr-005 | Reliability | SKU | SignalR SKU | High | [Learn](https://azure.microsoft.com/en-us/pricing/details/signalr-service/)
+220 | sigr-006 | Operational Excellence | Naming Convention (CAF) | SignalR Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+221 | sigr-007 | Operational Excellence | Tags | SignalR should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+222 | sql-001 | Reliability | Diagnostic Logs | SQL should have diagnostic settings enabled | Medium | [Learn]()
+223 | sql-004 | Security | Private Endpoint | SQL should have private endpoints enabled | High | [Learn]()
+224 | sql-006 | Operational Excellence | Naming Convention (CAF) | SQL Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+225 | sql-007 | Operational Excellence | Tags | SQL should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+226 | sql-008 | Security | TLS | SQL should enforce TLS >= 1.2 | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-settings?view=azuresql&tabs=azure-portal#minimal-tls-version)
+227 | sqldb-001 | Reliability | Diagnostic Logs | SQL Database should have diagnostic settings enabled | Medium | [Learn]()
+228 | sqldb-002 |
Reliability | Availability Zones | SQL Database should have availability zones enabled | High | [Learn]()
+229 | sqldb-003 | Reliability | SLA | SQL Database should have a SLA | High | [Learn]()
+230 | sqldb-005 | Reliability | SKU | SQL Database SKU | High | [Learn](https://docs.microsoft.com/en-us/azure/azure-sql/database/service-tiers-vcore?tabs=azure-portal)
+231 | sqldb-006 | Operational Excellence | Naming Convention (CAF) | SQL Database Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+232 | sqldb-007 | Operational Excellence | Tags | SQL Database should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+233 | st-001 | Reliability | Diagnostic Logs | Storage should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage)
+234 | st-002 | Reliability | Availability Zones | Storage should have availability zones enabled | High | [Learn](https://learn.microsoft.com/EN-US/azure/reliability/migrate-storage)
+235 | st-003 | Reliability | SLA | Storage should have a SLA | High | [Learn](https://www.azure.cn/en-us/support/sla/storage/)
+236 | st-004 | Security | Private Endpoint | Storage should have private endpoints enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints)
+237 | st-005 | Reliability | SKU | Storage SKU | High | [Learn](https://learn.microsoft.com/en-us/rest/api/storagerp/srp_sku_types)
+238 | st-006 | Operational Excellence | Naming Convention (CAF) | Storage Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+239 | st-007 | Security | HTTPS Only | Storage Account should use HTTPS only | High |
[Learn](https://learn.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer)
+240 | st-008 | Operational Excellence | Tags | Storage Account should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+241 | st-009 | Security | TLS | Storage Account should enforce TLS >= 1.2 | Low | [Learn](https://learn.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal)
+242 | vm-001 | Reliability | Diagnostic Logs | Virtual Machine should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/azure-monitor/agents/diagnostics-extension-windows-install)
+243 | vm-002 | Reliability | Availability Zones | Virtual Machine should have availability zones enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/virtual-machines/availability#availability-zones)
+244 | vm-003 | Reliability | SLA | Virtual Machine should have a SLA | High | [Learn](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1)
+245 | vm-006 | Operational Excellence | Naming Convention (CAF) | Virtual Machine Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+246 | vm-007 | Operational Excellence | Tags | Virtual Machine should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+247 | vm-008 | Reliability | Reliability | Virtual Machine should use managed disks | High | [Learn](https://learn.microsoft.com/en-us/azure/architecture/checklist/resiliency-per-service#virtual-machines)
+248 | vm-009 | Reliability | Reliability | Virtual Machine should host application or database data on a data disk | Low |
[Learn](https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#data-disk)
+249 | vnet-001 | Reliability | Diagnostic Logs | Virtual Network should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/virtual-network/monitor-virtual-network#collection-and-routing)
+250 | vnet-002 | Reliability | Availability Zones | Virtual Network should have availability zones enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview#virtual-networks-and-availability-zones)
+251 | vnet-006 | Operational Excellence | Naming Convention (CAF) | Virtual Network Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+252 | vnet-007 | Operational Excellence | Tags | Virtual Network should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+253 | vnet-008 | Security | Networking | Virtual Network: All Subnets should have a Network Security Group associated | High | [Learn](https://learn.microsoft.com/azure/virtual-network/concepts-and-best-practices)
+254 | vnet-009 | Reliability | Reliability | Virtual NetworK should have at least two DNS servers assigned | High | [Learn](https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances?tabs=redhat#specify-dns-servers)
+255 | wps-001 | Reliability | Diagnostic Logs | Web Pub Sub should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/azure-web-pubsub/howto-troubleshoot-resource-logs)
+256 | wps-002 | Reliability | Availability Zones | Web Pub Sub should have availability zones enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/azure-web-pubsub/concept-availability-zones)
+257 | wps-003 | Reliability | SLA | Web Pub Sub should have a SLA
| High | [Learn](https://azure.microsoft.com/en-gb/support/legal/sla/web-pubsub/)
+258 | wps-004 | Security | Private Endpoint | Web Pub Sub should have private endpoints enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/azure-web-pubsub/howto-secure-private-endpoints)
+259 | wps-005 | Reliability | SKU | Web Pub Sub SKU | High | [Learn](https://azure.microsoft.com/en-us/pricing/details/web-pubsub/)
+260 | wps-006 | Operational Excellence | Naming Convention (CAF) | Web Pub Sub Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+261 | wps-007 | Operational Excellence | Tags | Web Pub Sub should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
diff --git a/go.mod b/go.mod
index c30b84c2..8d98c276 100644
--- a/go.mod
+++ b/go.mod
@@ -3,8 +3,8 @@ module github.com/Azure/azqr
 go 1.19

 require (
- github.com/Azure/azure-sdk-for-go/sdk/azcore v1.8.0
- github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0-beta.1
+ github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.0
+ github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/advisor/armadvisor v1.0.0
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/apimanagement/armapimanagement v1.0.0
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/appconfiguration/armappconfiguration v1.0.0
@@ -25,6 +25,7 @@ require (
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/eventhub/armeventhub v1.0.0
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault v1.0.0
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/kusto/armkusto v1.3.1
+ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/logic/armlogic v1.2.0
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/mariadb/armmariadb v1.1.1
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/monitor/armmonitor v0.8.0
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/mysql/armmysql v1.0.0
@@ -34,7 +35,7 @@ require (
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/postgresql/armpostgresqlflexibleservers v1.1.0
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/redis/armredis v1.0.0
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.7.1
- github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0
+ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.1.1
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/security/armsecurity v0.9.0
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/servicebus/armservicebus v1.0.0
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/signalr/armsignalr v1.0.0
@@ -45,14 +46,14 @@ require (
 github.com/rs/zerolog v1.30.0
 github.com/spf13/cobra v1.6.1
 github.com/xuri/excelize/v2 v2.7.0
- golang.org/x/text v0.13.0
+ golang.org/x/text v0.14.0
 )

 require (
- github.com/Azure/azure-sdk-for-go/sdk/internal v1.4.0 // indirect
- github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 // indirect
- github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
- github.com/google/uuid v1.3.0 // indirect
+ github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.0 // indirect
+ github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 // indirect
+ github.com/golang-jwt/jwt/v5 v5.0.0 // indirect
+ github.com/google/uuid v1.3.1 // indirect
 github.com/inconshreveable/mousetrap v1.0.1 // indirect
 github.com/kylelemons/godebug v1.1.0 // indirect
 github.com/mattn/go-colorable v0.1.13 // indirect
@@ -64,8 +65,8 @@ require (
 github.com/spf13/pflag v1.0.5 // indirect
 github.com/xuri/efp v0.0.0-20220603152613-6918739fd470 // indirect
 github.com/xuri/nfp v0.0.0-20220409054826-5e722a1d9e22 // indirect
- golang.org/x/crypto v0.14.0 // indirect
+ golang.org/x/crypto v0.15.0 // indirect
 golang.org/x/image v0.10.0 // indirect
- golang.org/x/net v0.17.0 // indirect
- golang.org/x/sys v0.13.0 // indirect
+ golang.org/x/net v0.18.0 // indirect
+ golang.org/x/sys v0.14.0 // indirect
 )
diff --git a/go.sum b/go.sum
index f4a8da3c..0bfee975 100644
--- a/go.sum
+++ b/go.sum
@@ -1,9 +1,9 @@
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.8.0 h1:9kDVnTz3vbfweTqAUmk/a/pH5pWFCHtvRpHYC0G/dcA=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.8.0/go.mod h1:3Ug6Qzto9anB6mGlEdgYMDF5zHQ+wwhEaYR4s17PHMw=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0-beta.1 h1:U7R494cK8Co9Hre1WvugptflSxb6mJ8pVvvU1mFGFmg=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0-beta.1/go.mod h1:OcBSIbRqQILk3z7FoYL+RcoXl4jHPm4FL14OU9jAB8g=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.4.0 h1:TuEMD+E+1aTjjLICGQOW6vLe8UWES7kopac9mUXL56Y=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.4.0/go.mod h1:s4kgfzA0covAXNicZHDMN58jExvcng2mC/DepXiF1EI=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.0 h1:fb8kj/Dh4CSwgsOzHeZY4Xh68cFVbzXx+ONXGMY//4w=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.0/go.mod h1:uReU2sSxZExRPBAg3qKzmAucSi51+SP1OhohieR821Q=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0 h1:BMAjVKJM0U/CYF27gA0ZMmXGkOcvfFtD0oHVZ1TIPRI=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0/go.mod h1:1fXstnBMas5kzG+S3q8UoJcmyU6nUeunJcMDHcRYHhs=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.0 h1:d81/ng9rET2YqdVkVwkb6EXeRrLJIwyGnJcAlAWKwhs=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.0/go.mod h1:s4kgfzA0covAXNicZHDMN58jExvcng2mC/DepXiF1EI=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/advisor/armadvisor v1.0.0 h1:ERsafDBaNDDqWkymL+O79nqZPYyKFpnLbpRZgzWrN8g=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/advisor/armadvisor v1.0.0/go.mod h1:LLZFwp34+rh7+ygg+kV+tFBKRVW852DaW1yqq8lDYuE=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/apimanagement/armapimanagement v1.0.0 h1:Ai3+BE11JvwQ2PxLGNKAfMNSceYXjeijReLJiCouO6o=
@@ -41,10 +41,14 @@ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/eventgrid/armeventgrid v1.
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/eventhub/armeventhub v1.0.0 h1:BWeAAEzkCnL0ABVJqs+4mYudNch7oFGPtTlSmIWL8ms=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/eventhub/armeventhub v1.0.0/go.mod h1:Y3gnVwfaz8h6L1YHar+NfWORtBoVUSB5h4GlGkdeF7Q=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal v1.1.2 h1:mLY+pNLjCUeKhgnAJWAKhEUQM+RJQo2H1fuGSw1Ky1E=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v2 v2.0.0 h1:PTFGRSlMKCQelWwxUyYVEUqseBJVemLyqWJjvMyt0do=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault v1.0.0 h1:Jc2KcpCDMu7wJfkrzn7fs/53QMDXH78GuqnH4HOd7zs=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault v1.0.0/go.mod h1:PFVgFsclKzPqYRT/BiwpfUN22cab0C7FlgXR3iWpwMo=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/kusto/armkusto v1.3.1 h1:ik0pyYcwUqdiPPXOioZfKL62SVu7iN5eh5zxHEbV3VE=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/kusto/armkusto v1.3.1/go.mod h1:st4TFPle8b16a2B9MEN+ofQT6iJjWBPAD9F5rfMQtZg=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/logic/armlogic v1.2.0 h1:EMNgS+pCj2/2LL7+nWG8zPf9sp4u8icP5FNwoBhyc8M=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/logic/armlogic v1.2.0/go.mod h1:TsM36SmGxYC24DiOTR9wPuBj5HYphihMC6xlnX536bE=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/managementgroups/armmanagementgroups v1.0.0 h1:pPvTJ1dY0sA35JOeFq6TsY2xj6Z85Yo23Pj4wCCvu4o=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/mariadb/armmariadb v1.1.1 h1:enm1l0hL9NXwetMOl2s9fIZrHDNQqAKUJafgCz+X1Pw=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/mariadb/armmariadb v1.1.1/go.mod h1:XTDYspbMnf4yoJ6DxcA67WIZmFoJiwDZgemGVKWFRQ4=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/monitor/armmonitor v0.8.0 h1:dKxKBzh+XIEoYNmx/c8HeiwghuRExXf61WmVotWESeA=
@@ -63,8 +67,8 @@ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/redis/armredis v1.0.0 h1:n
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/redis/armredis v1.0.0/go.mod h1:3yjiOtnkVociBTlF7UZrwAGfJrGaOCsvtVS4HzNajxQ=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.7.1 h1:eoQrCw9DMThzbJ32fHXZtISnURk6r0TozXiWuTsay5s=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.7.1/go.mod h1:21rlzm+SuYrS9ARS92XEGxcHQeLVDcaY2YV30rHjSd4=
-github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0 h1:ECsQtyERDVz3NP3kvDOTLvbQhqWp/x9EsGKtb4ogUr8=
-github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0/go.mod h1:s1tW/At+xHqjNFvWU4G0c0Qv33KOhvbGNj0RCTQDV8s=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.1.1 h1:7CBQ+Ei8SP2c6ydQTGCCrS35bDxgTMfoP2miAwK++OU=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.1.1/go.mod h1:c/wcGeGx5FUPbM/JltUYHZcKmigwyVLJlDq+4HdtXaw=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/security/armsecurity v0.9.0 h1:leZbYXt1X1+IXOhinVq/eyCu4J/fR/RcgdF6lWeaa5o=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/security/armsecurity v0.9.0/go.mod h1:iwDIDV5jIo+eXQf6RA7PwyJnycTQxX4s4MGKSy+m1LA=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/servicebus/armservicebus v1.0.0 h1:6UQQTUHvwuxb0DmRqLUsE7RnvKCxlrsCLpXcNePe64g=
@@ -79,8 +83,8 @@ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/subscription/armsubscripti
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/subscription/armsubscription v1.0.0/go.mod h1:UZy1vHcRdEymNP1d6fTrvYHpSdkXoUdowfrvffcQOOU=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/webpubsub/armwebpubsub v1.0.0 h1:+6LGeEEwrlIGYNKMk0qBIk2ZctPf5Nj1YEChRQyfeqo=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/webpubsub/armwebpubsub v1.0.0/go.mod h1:yH6zjuxrF7K4TBS/Wssvsz7iDORvZAGbnu2bWFcrxDI=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 h1:OBhqkivkhkMqLPymWEppkm7vgPQY2XsHoEkaMQ0AdZY=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0/go.mod h1:kgDmCTgBzIEPFElEF+FK0SdjAor06dRq2Go927dnQ6o=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 h1:WpB/QDNLpMw72xHJc34BNNykqSOeEJDAWkhf0u12/Jk=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -88,10 +92,10 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
-github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
-github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
-github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE=
+github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4=
+github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc=
 github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
@@ -138,8 +142,8 @@ github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5t
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.5.0/go.mod h1:NK/OQwhpMQP3MwtdjgLlYHnH9ebylxKWv3e0fK+mkQU=
-golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
-golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
+golang.org/x/crypto v0.15.0 h1:frVn1TEaCEaZcn3Tmd7Y2b5KKPaZ+I32Q2OA3kYp5TA=
+golang.org/x/crypto v0.15.0/go.mod h1:4ChreQoLWfG3xLDer1WdlH5NdlQ3+mwnQq1YTKY+72g=
 golang.org/x/image v0.0.0-20220902085622-e7cb96979f69/go.mod h1:doUCurBvlfPMKfmIpRIywoHmhN3VyhnoFDbvIEWF4hY=
 golang.org/x/image v0.10.0 h1:gXjUUtwtx5yOE0VKWq1CH4IJAClq4UGgUA3i+rpON9M=
 golang.org/x/image v0.10.0/go.mod h1:jtrku+n79PfroUbvDdeUWMAI+heR786BofxrbiSF+J0=
@@ -150,8 +154,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
-golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
+golang.org/x/net v0.18.0 h1:mIYleuAkSbHh0tCv7RvjL3F6ZVbLjq4+R7zbOn3Kokg=
+golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -167,8 +171,8 @@ golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= -golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q= +golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ= @@ -179,8 +183,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= -golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= -golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= 
diff --git a/internal/scanners/logic/logic.go b/internal/scanners/logic/logic.go
new file mode 100644
index 00000000..96f88ec4
--- /dev/null
+++ b/internal/scanners/logic/logic.go
@@ -0,0 +1,66 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+package logic
+
+import (
+ "github.com/rs/zerolog/log"
+
+ "github.com/Azure/azqr/internal/scanners"
+ "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/logic/armlogic"
+)
+
+// LogicAppScanner - Scanner for LogicApp
+type LogicAppScanner struct {
+ config *scanners.ScannerConfig
+ client *armlogic.WorkflowsClient
+}
+
+// Init - Initializes the LogicAppScanner
+func (c *LogicAppScanner) Init(config *scanners.ScannerConfig) error {
+ c.config = config
+ var err error
+ c.client, err = armlogic.NewWorkflowsClient(config.SubscriptionID, config.Cred, config.ClientOptions)
+ return err
+}
+
+// Scan - Scans all LogicApps in a Resource Group
+func (c *LogicAppScanner) Scan(resourceGroupName string, scanContext *scanners.ScanContext) ([]scanners.AzureServiceResult, error) {
+ log.Info().Msgf("Scanning Logic Apps in Resource Group %s", resourceGroupName)
+
+ vnets, err := c.list(resourceGroupName)
+ if err != nil {
+ return nil, err
+ }
+ engine := scanners.RuleEngine{}
+ rules := c.GetRules()
+ results := []scanners.AzureServiceResult{}
+
+ for _, w := range vnets {
+ rr := engine.EvaluateRules(rules, w, scanContext)
+
+ results = append(results, scanners.AzureServiceResult{
+ SubscriptionID: c.config.SubscriptionID,
+ ResourceGroup: resourceGroupName,
+ ServiceName: *w.Name,
+ Type: *w.Type,
+ Location: *w.Location,
+ Rules: rr,
+ })
+ }
+ return results, nil
+}
+
+func (c *LogicAppScanner) list(resourceGroupName string) ([]*armlogic.Workflow, error) {
+ pager := c.client.NewListByResourceGroupPager(resourceGroupName, nil)
+
+ logicApps := make([]*armlogic.Workflow, 0)
+ for pager.More() {
+ resp, err := pager.NextPage(c.config.Ctx)
+ if err != nil {
+ return nil, err
+ }
+ logicApps = append(logicApps, resp.Value...)
+ }
+ return logicApps, nil
+}
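Review bot: The slice returned by `c.list` in `Scan` is named `vnets` although it holds `*armlogic.Workflow` values, which reads like a copy-paste artefact from another scanner and will mislead the next reader; rename both occurrences, `workflows, err := c.list(resourceGroupName)` and `for _, w := range workflows {`. Separately, the result literal dereferences `*w.Name`, `*w.Type` and `*w.Location` unguarded; these are pointer fields on the SDK model, so a workflow returned without one of them would panic the whole scan rather than skip one resource, and it is worth confirming the other scanners knowingly accept that risk before copying the pattern. A doc comment on the unexported `list` would match the exported methods, e.g. `// list pages through every workflow in the resource group, returning the first paging error.`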
diff --git a/internal/scanners/logic/rules.go b/internal/scanners/logic/rules.go
new file mode 100644
index 00000000..02e46b76
--- /dev/null
+++ b/internal/scanners/logic/rules.go
@@ -0,0 +1,87 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+package logic
+
+import (
+ "strings"
+
+ "github.com/Azure/azqr/internal/scanners"
+ "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/logic/armlogic"
+)
+
+// GetRules - Returns the rules for the LogicAppScanner
+func (a *LogicAppScanner) GetRules() map[string]scanners.AzureRule {
+ return map[string]scanners.AzureRule{
+ "logic-001": {
+ Id: "logic-001",
+ Category: scanners.RulesCategoryReliability,
+ Subcategory: scanners.RulesSubcategoryReliabilityDiagnosticLogs,
+ Description: "Logic App should have diagnostic settings enabled",
+ Severity: scanners.SeverityMedium,
+ Eval: func(target interface{}, scanContext *scanners.ScanContext) (bool, string) {
+ service := target.(*armlogic.Workflow)
+ _, ok := scanContext.DiagnosticsSettings[strings.ToLower(*service.ID)]
+ return !ok, ""
+ },
+ Url: "https://learn.microsoft.com/en-us/azure/logic-apps/monitor-workflows-collect-diagnostic-data",
+ Field: scanners.OverviewFieldDiagnostics,
+ },
+ "logic-004": {
+ Id: "logic-004",
+ Category: scanners.RulesCategorySecurity,
+ Subcategory: scanners.RulesSubcategorySecurityPrivateEndpoint,
+ Description: "Logic App should limit access to Http Triggers",
+ Severity: scanners.SeverityHigh,
+ Eval: func(target interface{}, scanContext *scanners.ScanContext) (bool, string) {
+ service := target.(*armlogic.Workflow)
+ http := false
+ if service.Properties.Definition != nil {
+ triggers := service.Properties.Definition.(map[string]interface{})["triggers"].(map[string]interface{})
+ for _, t := range triggers {
+ trigger := t.(map[string]interface{})
+ if trigger["type"] == "Request" && trigger["kind"] == "Http" {
+ http = true
+ break
+ }
+ }
+ }
+
+ broken := http
+
+ if http && service.Properties.AccessControl != nil && service.Properties.AccessControl.Triggers == nil {
+ broken = len(service.Properties.AccessControl.Triggers.AllowedCallerIPAddresses) == 0
+ }
+ return broken, ""
+ },
+ Url: "https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app?tabs=azure-portal#restrict-access-by-ip-address-range",
+ },
+ "logic-006": {
+ Id: "logic-006",
+ Category: scanners.RulesCategoryOperationalExcellence,
+ Subcategory: scanners.RulesSubcategoryOperationalExcellenceCAF,
+ Description: "Logic App Name should comply with naming conventions",
+ Severity: scanners.SeverityLow,
+ Eval: func(target interface{}, scanContext *scanners.ScanContext) (bool, string) {
+ c := target.(*armlogic.Workflow)
+
+ caf := strings.HasPrefix(*c.Name, "logic")
+ return !caf, ""
+ },
+ Url: "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations",
+ Field: scanners.OverviewFieldCAF,
+ },
+ "logic-007": {
+ Id: "logic-007",
+ Category: scanners.RulesCategoryOperationalExcellence,
+ Subcategory: scanners.RulesSubcategoryOperationalExcellenceTags,
+ Description: "Logic App should have tags",
+ Severity: scanners.SeverityLow,
+ Eval: func(target interface{}, scanContext *scanners.ScanContext) (bool, string) {
+ c := target.(*armlogic.Workflow)
+ return len(c.Tags) == 0, ""
+ },
+ Url: "https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json",
+ },
+ }
+}
diff --git a/internal/scanners/logic/rules_test.go b/internal/scanners/logic/rules_test.go
new file mode 100644
index 00000000..30bcc486
--- /dev/null
+++ b/internal/scanners/logic/rules_test.go
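Review bot: The guard in logic-004's `Eval` is inverted: `service.Properties.AccessControl.Triggers == nil` is the condition under which `AccessControl.Triggers.AllowedCallerIPAddresses` is then dereferenced, so a workflow with an `accessControl` block but no `triggers` policy panics the scan, while a workflow that does restrict caller IPs skips the branch entirely and is reported as broken regardless of its allow-list. The trigger detection also chains unchecked type assertions on `Definition` and on the `triggers` key, so a definition whose `triggers` map is absent or whose entries are not objects panics as well; comma-ok assertions on each step keep the rule best-effort, which is what a scanner should be. The rewrite below treats a missing `accessControl` or `triggers` policy as unrestricted, flags the workflow only when an HTTP Request trigger exists and no caller IP ranges are configured, returns false when there is no definition at all, and guards `Properties`, which logic-004 and logic-006 both dereference directly. The `Subcategory` of `RulesSubcategorySecurityPrivateEndpoint` also mismatches an IP-restriction check; if `scanners` has a networking or access-control subcategory it would describe the rule better.

```go
Eval: func(target interface{}, scanContext *scanners.ScanContext) (bool, string) {
	service := target.(*armlogic.Workflow)
	if service.Properties == nil || service.Properties.Definition == nil {
		return false, ""
	}
	// Definition is untyped JSON; every step is comma-ok so a malformed or
	// trigger-less definition counts as "no HTTP trigger" instead of panicking.
	def, _ := service.Properties.Definition.(map[string]interface{})
	triggers, _ := def["triggers"].(map[string]interface{})
	http := false
	for _, t := range triggers {
		trigger, _ := t.(map[string]interface{})
		if trigger["type"] == "Request" && trigger["kind"] == "Http" {
			http = true
			break
		}
	}
	if !http {
		return false, ""
	}
	// An HTTP Request trigger is callable by anyone holding its URL unless caller
	// IPs are restricted; a missing accessControl or triggers policy is unrestricted.
	ac := service.Properties.AccessControl
	if ac == nil || ac.Triggers == nil {
		return true, ""
	}
	return len(ac.Triggers.AllowedCallerIPAddresses) == 0, ""
},
```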
@@ -0,0 +1,98 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +package logic + +import ( + "reflect" + "testing" + + "github.com/Azure/azqr/internal/ref" + "github.com/Azure/azqr/internal/scanners" + "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/logic/armlogic" +) + +func TestLogicAppScanner_Rules(t *testing.T) { + type fields struct { + rule string + target interface{} + scanContext *scanners.ScanContext + } + type want struct { + broken bool + result string + } + tests := []struct { + name string + fields fields + want want + }{ + { + name: "LogicAppScanner DiagnosticSettings", + fields: fields{ + rule: "logic-001", + target: &armlogic.Workflow{ + ID: ref.Of("test"), + }, + scanContext: &scanners.ScanContext{ + DiagnosticsSettings: map[string]bool{ + "test": true, + }, + }, + }, + want: want{ + broken: false, + result: "", + }, + }, + { + name: "LogicAppScanner Limit Http Triggers", + fields: fields{ + rule: "logic-004", + target: &armlogic.Workflow{ + ID: ref.Of("test"), + Properties: &armlogic.WorkflowProperties{ + AccessControl: &armlogic.FlowAccessControlConfiguration{ + Triggers: &armlogic.FlowAccessControlConfigurationPolicy{ + AllowedCallerIPAddresses: []*armlogic.IPAddressRange{}, + }, + }, + }, + }, + scanContext: &scanners.ScanContext{}, + }, + want: want{ + broken: false, + result: "", + }, + }, + { + name: "LogicAppScanner CAF", + fields: fields{ + rule: "logic-006", + target: &armlogic.Workflow{ + Name: ref.Of("logic-test"), + }, + scanContext: &scanners.ScanContext{}, + }, + want: want{ + broken: false, + result: "", + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + s := &LogicAppScanner{} + rules := s.GetRules() + b, w := rules[tt.fields.rule].Eval(tt.fields.target, tt.fields.scanContext) + got := want{ + broken: b, + result: w, + } + if !reflect.DeepEqual(got, tt.want) { + t.Errorf("LogicAppScanner Rule.Eval() = %v, want %v", got, tt.want) + } + }) + } +} 
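Review bot: The logic-004 case in `TestLogicAppScanner_Rules` never reaches the trigger branch: its target has no `Definition`, so `http` stays false and `broken` is already false before the `AccessControl` logic runs, which is why the inverted `Triggers == nil` check in rules.go goes unnoticed. Add a case whose definition contains a Request/Http trigger and no `AccessControl`, expecting `broken: true`, and a companion case with the same definition plus one populated `IPAddressRange` in `AllowedCallerIPAddresses`, expecting `broken: false`; the second fails against the current implementation and pins the intended behaviour. The existing case is still useful as the "no HTTP trigger" path but its name should say so, e.g. `"LogicAppScanner Limit Http Triggers - no Http trigger"`.

```go
// … unchanged: existing cases …
{
	name: "LogicAppScanner Http Trigger without IP restriction",
	fields: fields{
		rule: "logic-004",
		target: &armlogic.Workflow{
			ID: ref.Of("test"),
			Properties: &armlogic.WorkflowProperties{
				Definition: map[string]interface{}{
					"triggers": map[string]interface{}{
						"manual": map[string]interface{}{"type": "Request", "kind": "Http"},
					},
				},
			},
		},
		scanContext: &scanners.ScanContext{},
	},
	want: want{broken: true, result: ""},
},
```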
diff --git a/internal/scanners/plan/plan.go b/internal/scanners/plan/plan.go index bcee5c7c..c4889579 100644 --- a/internal/scanners/plan/plan.go +++ b/internal/scanners/plan/plan.go @@ -46,6 +46,7 @@ func (a *AppServiceScanner) Scan(resourceGroupName string, scanContext *scanners rules := a.getPlanRules() appRules := a.getAppRules() functionRules := a.getFunctionRules() + logicRules := a.getLogicRules() results := []scanners.AzureServiceResult{} for _, p := range plan { @@ -69,7 +70,8 @@ func (a *AppServiceScanner) Scan(resourceGroupName string, scanContext *scanners var result scanners.AzureServiceResult // https://learn.microsoft.com/en-us/azure/azure-functions/functions-app-settings kind := strings.ToLower(*s.Kind) - if strings.Contains(kind, "functionapp") { + switch kind { + case "functionapp": rr := engine.EvaluateRules(functionRules, s, scanContext) result = scanners.AzureServiceResult{ @@ -80,7 +82,18 @@ func (a *AppServiceScanner) Scan(resourceGroupName string, scanContext *scanners Location: *p.Location, Rules: rr, } - } else { + case "functionapp,workflowapp": + rr := engine.EvaluateRules(logicRules, s, scanContext) + + result = scanners.AzureServiceResult{ + SubscriptionID: a.config.SubscriptionID, + ResourceGroup: resourceGroupName, + ServiceName: *s.Name, + Type: *s.Type, + Location: *p.Location, + Rules: rr, + } + default: rr := engine.EvaluateRules(appRules, s, scanContext) result = scanners.AzureServiceResult{ SubscriptionID: a.config.SubscriptionID, diff --git a/internal/scanners/plan/rules.go b/internal/scanners/plan/rules.go index 1d7bc85f..b2b821a5 100644 --- a/internal/scanners/plan/rules.go +++ b/internal/scanners/plan/rules.go @@ -19,6 +19,9 @@ func (a *AppServiceScanner) GetRules() map[string]scanners.AzureRule { for k, v := range a.getFunctionRules() { result[k] = v } + for k, v := range a.getLogicRules() { + result[k] = v + } return result } 
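Review bot: Replacing `strings.Contains(kind, "functionapp")` with an exact `switch kind` narrows the match: `Kind` on an App Service site is a comma-separated token list (the new `"functionapp,workflowapp"` case relies on exactly that), so if the environment contains kinds carrying additional tokens (a Linux marker, for instance) they previously matched the function rules and now fall through to `default` and receive the web-app rules, while a workflow app with extra tokens misses the new `logicRules` branch. A tagless switch keeps the new dispatch and the old tolerance: `switch { case strings.Contains(kind, "workflowapp"): … case strings.Contains(kind, "functionapp"): … default: … }`, with the `workflowapp` check first because that kind also contains `functionapp`. `Scan` begins and ends outside the hunk. The `GetRules` hunk in plan/rules.go merges `getLogicRules` into the same map as the plan, app and function rule sets, so the distinct `logics-` ID prefix is the only thing preventing a silent overwrite; a one-line comment there, `// rule IDs must stay unique across all four rule sets, later entries overwrite earlier ones`, would make that invariant visible.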
@@ -254,3 +257,76 @@ func (a *AppServiceScanner) getFunctionRules() map[string]scanners.AzureRule { }, } } + +func (a *AppServiceScanner) getLogicRules() map[string]scanners.AzureRule { + return map[string]scanners.AzureRule{ + "logics-001": { + Id: "logics-001", + Category: scanners.RulesCategoryReliability, + Subcategory: scanners.RulesSubcategoryReliabilityDiagnosticLogs, + Description: "Logic App should have diagnostic settings enabled", + Severity: scanners.SeverityMedium, + Eval: func(target interface{}, scanContext *scanners.ScanContext) (bool, string) { + service := target.(*armappservice.Site) + _, ok := scanContext.DiagnosticsSettings[strings.ToLower(*service.ID)] + return !ok, "" + }, + Url: "https://learn.microsoft.com/en-us/azure/logic-apps/monitor-workflows-collect-diagnostic-data", + Field: scanners.OverviewFieldDiagnostics, + }, + "logics-004": { + Id: "logics-004", + Category: scanners.RulesCategorySecurity, + Subcategory: scanners.RulesSubcategorySecurityPrivateEndpoint, + Description: "Logic App should have private endpoints enabled", + Severity: scanners.SeverityHigh, + Eval: func(target interface{}, scanContext *scanners.ScanContext) (bool, string) { + i := target.(*armappservice.Site) + _, pe := scanContext.PrivateEndpoints[*i.ID] + return !pe, "" + }, + Url: "https://learn.microsoft.com/en-us/azure/logic-apps/secure-single-tenant-workflow-virtual-network-private-endpoint", + Field: scanners.OverviewFieldPrivate, + }, + "logics-006": { + Id: "logics-006", + Category: scanners.RulesCategoryOperationalExcellence, + Subcategory: scanners.RulesSubcategoryOperationalExcellenceCAF, + Description: "Logic App Name should comply with naming conventions", + Severity: scanners.SeverityLow, + Eval: func(target interface{}, scanContext *scanners.ScanContext) (bool, string) { + c := target.(*armappservice.Site) + caf := strings.HasPrefix(*c.Name, "logic") + return !caf, "" + }, + Url: 
"https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", + Field: scanners.OverviewFieldCAF, + }, + "logics-007": { + Id: "logics-007", + Category: scanners.RulesCategorySecurity, + Subcategory: scanners.RulesSubcategorySecurityHTTPS, + Description: "Logic App should use HTTPS only", + Severity: scanners.SeverityHigh, + Eval: func(target interface{}, scanContext *scanners.ScanContext) (bool, string) { + c := target.(*armappservice.Site) + h := c.Properties.HTTPSOnly != nil && *c.Properties.HTTPSOnly + return !h, "" + }, + Url: "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", + }, + "logics-008": { + Id: "logics-008", + Category: scanners.RulesCategoryOperationalExcellence, + Subcategory: scanners.RulesSubcategoryOperationalExcellenceTags, + Description: "Logic App should have tags", + Severity: scanners.SeverityLow, + Eval: func(target interface{}, scanContext *scanners.ScanContext) (bool, string) { + c := target.(*armappservice.Site) + return len(c.Tags) == 0, "" + }, + Url: "https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json", + }, + } +} + diff --git a/internal/scanners/plan/rules_test.go b/internal/scanners/plan/rules_test.go index 9dfe192e..476746a3 100644 --- a/internal/scanners/plan/rules_test.go +++ b/internal/scanners/plan/rules_test.go 
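Review bot: logics-004 indexes `scanContext.PrivateEndpoints[*i.ID]` with the raw resource ID while logics-001, three rules above it, lowercases the ID before indexing `DiagnosticsSettings`; ARM resource IDs are not case-normalised across APIs, so if `PrivateEndpoints` is populated the way `DiagnosticsSettings` appears to be, a private endpoint can be missed purely on casing and the rule reports a High-severity false positive — either use `strings.ToLower(*i.ID)` here or add a comment stating that `PrivateEndpoints` is keyed exactly as the SDK returns IDs. logics-007 dereferences `c.Properties.HTTPSOnly` without checking `c.Properties`, so a site returned without properties would panic the scan; a `c.Properties == nil` guard is cheap, or confirm the SDK always populates it. The function itself has no doc comment; something like `// getLogicRules returns the rules applied to single-tenant Logic Apps hosted as App Service sites of kind functionapp,workflowapp; IDs carry the logics- prefix so they do not collide with the workflow rules in internal/scanners/logic.` would explain both the split and the unusual prefix.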
@@ -335,3 +335,101 @@ func TestAppServiceScanner_FunctionRules(t *testing.T) { }) } } + +func TestAppServiceScanner_LogicRules(t *testing.T) { + type fields struct { + rule string + target interface{} + scanContext *scanners.ScanContext + } + type want struct { + broken bool + result string + } + tests := []struct { + name string + fields fields + want want + }{ + { + name: "AppServiceScanner DiagnosticSettings", + fields: fields{ + rule: "logics-001", + target: &armappservice.Site{ + ID: ref.Of("test"), + }, + scanContext: &scanners.ScanContext{ + DiagnosticsSettings: map[string]bool{ + "test": true, + }, + }, + }, + want: want{ + broken: false, + result: "", + }, + }, + { + name: "AppServiceScanner Private Endpoint", + fields: fields{ + rule: "logics-004", + target: &armappservice.Site{ + ID: ref.Of("test"), + }, + scanContext: &scanners.ScanContext{ + PrivateEndpoints: map[string]bool{ + "test": true, + }, + }, + }, + want: want{ + broken: false, + result: "", + }, + }, + { + name: "AppServiceScanner CAF", + fields: fields{ + rule: "logics-006", + target: &armappservice.Site{ + Name: ref.Of("logics-test"), + }, + scanContext: &scanners.ScanContext{}, + }, + want: want{ + broken: false, + result: "", + }, + }, + { + name: "AppServiceScanner HTTPS only", + fields: fields{ + rule: "logics-007", + target: &armappservice.Site{ + Properties: &armappservice.SiteProperties{ + HTTPSOnly: ref.Of(true), + }, + }, + scanContext: &scanners.ScanContext{}, + }, + want: want{ + broken: false, + result: "", + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + s := &AppServiceScanner{} + rules := s.getLogicRules() + b, w := rules[tt.fields.rule].Eval(tt.fields.target, tt.fields.scanContext) + got := want{ + broken: b, + result: w, + } + if !reflect.DeepEqual(got, tt.want) { + t.Errorf("AppServiceScanner Rule.Eval() = %v, want %v", got, tt.want) + } + }) + } +} \ No newline at end of file
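Review bot: Every case in `TestAppServiceScanner_LogicRules` expects `broken: false`, so the table only proves the happy path and a rule that always returned false would pass; logics-008 has no case at all. Add at least one negative case per rule — a logics-007 target with `HTTPSOnly: ref.Of(false)` expecting `broken: true`, a logics-006 target named `"app-test"` expecting `true`, and a logics-008 target with no `Tags` expecting `true`. The file also ends without a trailing newline (`\ No newline at end of file`), which `gofmt -l` will report.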