DoD for Open Rules - epam/ecc-azure-rulepack GitHub Wiki

* DoD (Definition of Done)


Table of Contents

  1. Create Terraform script
  2. Create static rule
    2.1. Reverse rules
  3. Create a file with minimal permissions

Create Terraform script

To test the rules, we create two kinds of infrastructure with Terraform: green and red. A green infrastructure contains no resources that violate the rule and is used to check that the rule returns 0 resources. A red infrastructure contains a resource that violates the rule and is used to check that the rule returns 1 resource. There can be several green and several red infrastructures, one for each case that can occur when we use our rules to scan customers' cloud infrastructure.

These Terraform scripts must be written in accordance with this guide: Terraform - Guide. Add comments to the scripts if some steps must be done manually, or if you think the comments will help others deploy the Terraform infrastructure successfully, as it was designed.

⚠️ Warning: Before applying Terraform, check the cost of the resources you are creating.
Use the cheapest configuration for the resources you create, and do not forget to shut them down when you no longer need them.
Sometimes they can be expensive, and you should work quickly to avoid spending a lot of money; in that case it is better to prepare the rule and the test file in advance.

Create static rule

Rule naming convention: see here

A policy should have the following format:

policies:
  - name: ecc-[cloud]-[id]-[rule_name]
    resource: [cloud].[resource_name]
    description: |
      [Policy description for the case when a resource (or resources) is found]
    filters:
      ...

Example:

policies:
  - name: ecc-azure-002-cis_iam_owner_roles
    description: |
      Custom role with Owner privileges on a subscription scope is created
    resource: azure.roledefinition
    filters:
      ...

Check that the rule works: deploy the green and red Terraform infrastructures and run the rule against each of them.
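As an added example that is not part of the rulepack, the two DoD checks just described (the policy format from the template above, then the green/red runs) in one Python script. It assumes the policy has already been loaded with yaml.safe_load() into a dict, that the rule was run with `custodian run -s <output_dir>` so that hits land in `<output_dir>/<policy_name>/resources.json`, and that the id is numeric and the rule name is lowercase snake_case as in the examples on this page; the policy, its filter and the output files in `demo()` are constructed.

```python
"""Added DoD check (not part of the rulepack): lint a policy's format and
compare green/red scan results with the counts the page expects."""
import json
import re
import tempfile
from pathlib import Path

# Naming convention from the page: ecc-[cloud]-[id]-[rule_name].
# Assumption: numeric id and a lowercase snake_case rule name, as in the examples.
NAME_RE = re.compile(r"^ecc-(?P<cloud>[a-z]+)-(?P<id>\d+)-(?P<rule>[a-z0-9_]+)$")
# Resource format from the page: [cloud].[resource_name]
RESOURCE_RE = re.compile(r"^(?P<cloud>[a-z]+)\.(?P<resource>[a-z0-9-]+)$")
REQUIRED_KEYS = ("name", "resource", "description", "filters")
# Expected hit counts per infrastructure colour (from the page).
EXPECTED = {"green": 0, "red": 1}


def lint_policy(policy):
    """Return a list of DoD violations for one policy dict (empty list = OK).
    The dict is one entry under `policies:` as yaml.safe_load() returns it."""
    problems = [f"missing key: {k}" for k in REQUIRED_KEYS if k not in policy]
    if problems:
        return problems
    name_m = NAME_RE.match(policy["name"])
    res_m = RESOURCE_RE.match(policy["resource"])
    if not name_m:
        problems.append(f"name not ecc-[cloud]-[id]-[rule_name]: {policy['name']}")
    if not res_m:
        problems.append(f"resource not [cloud].[resource_name]: {policy['resource']}")
    if name_m and res_m and name_m["cloud"] != res_m["cloud"]:
        problems.append("cloud prefix in name differs from resource provider")
    if not str(policy["description"]).strip():
        problems.append("description is empty")
    if not isinstance(policy["filters"], list) or not policy["filters"]:
        problems.append("filters must be a non-empty list")
    return problems


def scanned_resource_count(output_dir, policy_name):
    """Number of resources a `custodian run -s <output_dir>` left for the policy.
    Custodian writes them to <output_dir>/<policy_name>/resources.json."""
    path = Path(output_dir) / policy_name / "resources.json"
    if not path.is_file():
        return None  # the policy did not run or wrote no output
    return len(json.loads(path.read_text()))


def verdict(colour, count):
    """PASS/FAIL for one infrastructure: green must yield 0 hits, red exactly 1."""
    if count is None:
        return "FAIL (no resources.json)"
    want = EXPECTED[colour]
    return "PASS" if count == want else f"FAIL (got {count}, want {want})"


def check_rule(policy, outputs):
    """outputs maps colour -> output dir of the run against that infrastructure."""
    return {colour: verdict(colour, scanned_resource_count(d, policy["name"]))
            for colour, d in outputs.items()}


def demo():
    """End-to-end run on constructed data: a well-formed policy and fake output
    directories holding resources.json files shaped as custodian writes them."""
    policy = {
        "name": "ecc-azure-002-cis_iam_owner_roles",
        "resource": "azure.roledefinition",
        "description": "Custom role with Owner privileges on a subscription scope is created\n",
        # Constructed placeholder filter; the real filters are elided on the page too.
        "filters": [{"type": "value", "key": "placeholder.key", "value": "placeholder"}],
    }
    with tempfile.TemporaryDirectory() as tmp:
        outputs = {}
        # Constructed: the green run found nothing; the red run found one role.
        for colour, hits in (("green", []), ("red", [{"name": "constructed-owner-role"}])):
            d = Path(tmp) / colour
            (d / policy["name"]).mkdir(parents=True)
            (d / policy["name"] / "resources.json").write_text(json.dumps(hits))
            outputs[colour] = d
        return lint_policy(policy), check_rule(policy, outputs)


if __name__ == "__main__":
    print(demo())
```

Run the script after both custodian runs, pointing `check_rule()` at the two `-s` output directories; a rule is done when `lint_policy()` returns an empty list and both verdicts are PASS.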

Reverse rules

From time to time we come across rules that should not return every resource that violates the rule, but instead return the Azure subscription that does not have at least ONE resource satisfying all conditions of the rule.
These rules have resource set to azure.subscription and return 0 subscriptions for the green infrastructure and a maximum of 1 for the red one. We use custom filters for this purpose.

An example of such a rule is shown below. It returns the subscription in which no Activity Log Alert with the appropriate scope is configured:

policies:
  - name: ecc-azure-039-cis_log_create_policy
    description: |
      Subscription where Activity Log Alert does not exist for Create Policy Assignment
    resource: azure.subscription
    filters:
      - or:
          - type: activity-log-alert
            key: length(alerts[?location == 'Global' && condition.all_of[?(field == 'operationName' && equals == 'Microsoft.Authorization/policyAssignments/write' && containsAny == `null` )] && enabled == `true` && actions.action_groups[?contains(keys(@), 'action_group_id')]])
            value: 0
          - and:
              - type: activity-log-alert
                key: length(alerts[?location == 'Global' && condition.all_of[?(field == 'operationName' && equals == 'Microsoft.Authorization/policyAssignments/write' && containsAny == `null` )] && enabled == `true` && actions.action_groups[?contains(keys(@), 'action_group_id')]])
                value: 1
                op: gte
              - not:
                  - type: activity-log-alert
                    key: alerts[].scopes[]
                    value: ^\/[a-z]{13}\/[a-z0-9A-Z]{8}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{12}$
                    op: regex
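To make the or/and/not structure of that reverse rule readable and testable without running custodian, here is the same logic re-expressed in plain Python over a constructed list of activity log alerts. This is an added example, not code from the rulepack: it mirrors the JMESPath key and the scope regex from the policy above, but the way it combines them expresses the rule's stated intent (no properly configured alert, or alerts that exist but are not scoped to the subscription) rather than custodian's own filter evaluation. The alert dicts, the zero GUID and the action group id are placeholders.

```python
"""Added example (not from the rulepack): the reverse rule ecc-azure-039 as
plain Python so each branch of its or/and/not filter can be read and tested."""
import re

OPERATION = "Microsoft.Authorization/policyAssignments/write"

# Scope regex from the policy, de-escaped. "subscriptions" is the 13-letter
# word matched by [a-z]{13}, so this accepts exactly "/subscriptions/<GUID>".
SUBSCRIPTION_SCOPE_RE = re.compile(
    r"^\/[a-z]{13}\/[a-z0-9A-Z]{8}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}"
    r"\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{12}$"
)


def alert_matches(alert):
    """Mirror the JMESPath filter in `key`: location Global, enabled, an all_of
    condition equal to the policy-assignment write with no containsAny, and at
    least one action group carrying an action_group_id."""
    if alert.get("location") != "Global" or alert.get("enabled") is not True:
        return False
    conditions = alert.get("condition", {}).get("all_of", [])
    operation_ok = any(
        c.get("field") == "operationName"
        and c.get("equals") == OPERATION
        and c.get("containsAny") is None
        for c in conditions
    )
    groups = alert.get("actions", {}).get("action_groups", [])
    group_ok = any("action_group_id" in g for g in groups)
    return operation_ok and group_ok


def has_subscription_scope(alerts):
    """The `not` branch: alerts[].scopes[] matched against the subscription regex."""
    return any(SUBSCRIPTION_SCOPE_RE.match(s) for a in alerts for s in a.get("scopes", []))


def subscription_is_flagged(alerts):
    """True when the reverse rule returns the subscription (assumption: this is
    the rule's intent as stated on the page, not custodian's evaluation)."""
    matching = sum(1 for a in alerts if alert_matches(a))
    if matching == 0:                              # first `or` branch: value 0
        return True
    return not has_subscription_scope(alerts)      # `and` branch: >= 1 and not scoped


def make_alert(scope, enabled=True, with_action_group=True):
    """Constructed alert in the shape the filter inspects (placeholder ids)."""
    return {
        "location": "Global",
        "enabled": enabled,
        "scopes": [scope],
        "condition": {"all_of": [{"field": "operationName", "equals": OPERATION}]},
        "actions": {"action_groups": [{"action_group_id": "/placeholder/action-group"}]
                    if with_action_group else []},
    }


SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder GUID
RESOURCE_GROUP = SUBSCRIPTION + "/resourceGroups/placeholder-rg"

# Constructed cases: only the first one is compliant.
CASES = {
    "compliant": [make_alert(SUBSCRIPTION)],
    "no alerts": [],
    "alert disabled": [make_alert(SUBSCRIPTION, enabled=False)],
    "alert without action group": [make_alert(SUBSCRIPTION, with_action_group=False)],
    "alert scoped to a resource group only": [make_alert(RESOURCE_GROUP)],
}


def evaluate_cases():
    """Map each constructed case to whether the subscription would be returned."""
    return {name: subscription_is_flagged(alerts) for name, alerts in CASES.items()}


if __name__ == "__main__":
    for name, flagged in evaluate_cases().items():
        print(f"{name:40s} -> {'returned' if flagged else 'not returned'}")
```

The five cases double as a checklist for the red infrastructures of this rule: each non-compliant case is a separate way a red deployment can violate it, while the compliant case is what the green deployment must look like.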

Create a file with minimal permissions

Create a file with minimal permissions for running the rule.

Update the custom RBAC files if they do not contain the required provider operations.
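As an added example that is not part of the rulepack, a small Python check for that last step: given a custom Azure role definition in the JSON shape `az role definition create` accepts, it reports which provider operations a rule needs but the role does not effectively grant, honouring the `*` wildcards Azure allows in Actions and NotActions, and can append the missing ones. The role definition is constructed (placeholder name and subscription); the operations listed for the two rules on this page are an assumption about what those rules plausibly need and should be confirmed against the provider's documented operations.

```python
"""Added example (not part of the rulepack): check that a custom Azure RBAC
role grants every provider operation a rule needs, with Azure's '*' wildcards."""
import fnmatch
import json


def _matches(pattern, operation):
    """Azure action strings are case-insensitive and may use '*' wildcards."""
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())


def missing_operations(role_definition, required):
    """Return the required operations the role does not effectively grant.
    An operation is granted when some Actions entry matches it and no
    NotActions entry takes it away again."""
    actions = role_definition.get("Actions", [])
    not_actions = role_definition.get("NotActions", [])
    missing = []
    for op in required:
        allowed = any(_matches(p, op) for p in actions)
        denied = any(_matches(p, op) for p in not_actions)
        if not allowed or denied:
            missing.append(op)
    return missing


def add_operations(role_definition, operations):
    """Return a copy of the role with the operations appended to Actions.
    Exact operation names only, so the role stays minimal (no wildcards)."""
    updated = json.loads(json.dumps(role_definition))
    for op in operations:
        if op not in updated.setdefault("Actions", []):
            updated["Actions"].append(op)
    return updated


# Constructed role definition in the shape `az role definition create` accepts;
# the name, description and assignable scope are placeholders.
ROLE = {
    "Name": "placeholder-rule-reader",
    "IsCustom": True,
    "Description": "Minimal read permissions for running one rule (constructed)",
    "Actions": ["Microsoft.Authorization/roleDefinitions/read"],
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
}

# Assumption: the read operations below are what the two rules on this page
# plausibly need; confirm against the provider's documented operations.
REQUIRED = {
    "ecc-azure-002-cis_iam_owner_roles": ["Microsoft.Authorization/roleDefinitions/read"],
    "ecc-azure-039-cis_log_create_policy": ["Microsoft.Insights/ActivityLogAlerts/Read"],
}


def audit(role=ROLE, required=REQUIRED):
    """Map each rule name to the operations the role is missing for it."""
    return {rule: missing_operations(role, ops) for rule, ops in required.items()}


if __name__ == "__main__":
    report = audit()
    print(json.dumps(report, indent=2))
    fixed = add_operations(ROLE, [op for ops in report.values() for op in ops])
    print(json.dumps(fixed, indent=2))
```

Load the real RBAC file with `json.load()` in place of `ROLE`, keep `REQUIRED` next to the rules it belongs to, and write the output of `add_operations()` back only after reviewing that each appended operation is a read operation the rule actually needs.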
