[8.11](backport #328) Fixing storage account rules after QA cycle

bundle/compliance/cis_azure/rules/cis_3_10/test.rego

@@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter
 import data.lib.test
 
 test_violation {
- eval_fail with input as test_data.generate_storage_account_with_property("privateEndpointConnections", [{"properties": {"privateLinkServiceConnectionState": {"status": "NotApproved"}}}])
+ eval_fail with input as test_data.generate_storage_account_with_property("privateEndpointConnections", [])
 }
 
 test_pass {

bundle/compliance/cis_azure/rules/cis_3_2/test.rego

@@ -7,6 +7,7 @@ import data.lib.test
 test_violation {
  # fail if managed by user
  eval_fail with input as test_data.generate_storage_account_with_property("encryption", {"requireInfrastructureEncryption": false})
+ eval_fail with input as test_data.generate_storage_account_with_property("encryption", {})
 }
 
 test_pass {
@@ -15,7 +16,7 @@ test_pass {
 }
 
 test_not_evaluated {
- not_eval with input as test_data.generate_storage_account_with_property("encryption", {})
+ not_eval with input as test_data.not_eval_non_exist_type
 }
 
 eval_fail {

bundle/compliance/cis_azure/rules/cis_3_7/test.rego

@@ -5,11 +5,11 @@ import data.compliance.policy.azure.data_adapter
 import data.lib.test
 
 test_violation {
- eval_fail with input as test_data.generate_storage_account_with_property("encryption", {"publicNetworkAccess": "Enabled"})
+ eval_fail with input as test_data.generate_storage_account_with_property("publicNetworkAccess", "Enabled")
 }
 
 test_pass {
- eval_pass with input as test_data.generate_storage_account_with_property("encryption", {"publicNetworkAccess": "Disabled"})
+ eval_pass with input as test_data.generate_storage_account_with_property("publicNetworkAccess", "Disabled")
 }
 
 test_not_evaluated {

bundle/compliance/policy/azure/storage_account/ensure_connection.rego

@@ -5,9 +5,9 @@ import data.compliance.policy.azure.data_adapter
 import future.keywords.every
 
 is_every_private_connections {
- every connection in data_adapter.private_endpoint_connections {
-  connection.properties.privateLinkServiceConnectionState.status == "Approved"
- }
+ # Azure implemented it differently (like previous version of this file)
+ # Simplified and implemented exactly like the PDF audit
+ count(data_adapter.private_endpoint_connections) > 0
 } else = false
 
 is_private_connections = r {

bundle/compliance/policy/azure/storage_account/ensure_encryption.rego

@@ -2,4 +2,6 @@ package compliance.policy.azure.storage_account.ensure_encryption
 
 import data.compliance.policy.azure.data_adapter
 
-is_encryption_enabled = data_adapter.properties.encryption.requireInfrastructureEncryption
+is_encryption_enabled {
+ data_adapter.properties.encryption.requireInfrastructureEncryption
+} else = false

bundle/compliance/policy/azure/storage_account/ensure_public_access.rego

@@ -5,10 +5,10 @@ import data.compliance.policy.azure.data_adapter
 import future.keywords.if
 
 verify_public_access if {
- data_adapter.properties.encryption.publicNetworkAccess == "Disabled"
+ data_adapter.properties.publicNetworkAccess == "Disabled"
 } else = false
 
 is_public_access_disabled = r if {
- data_adapter.properties.encryption.publicNetworkAccess
+ data_adapter.properties.publicNetworkAccess
  r = verify_public_access
 }