Merge pull request #6727 from Checkmarx/fix6718

fix(query): added new way of setting extended_auditing_policy in tf azure to the query

assets/queries/terraform/azure/mssql_server_auditing_disabled/metadata.json

@@ -4,7 +4,7 @@
   "severity": "MEDIUM",
   "category": "Observability",
   "descriptionText": "Make sure that for MSSQL Servers, that 'Auditing' is set to 'On'",
-  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server",
+  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_database_extended_auditing_policy",
   "platform": "Terraform",
   "descriptionID": "f0be3ea8",
   "cloudProvider": "azure"

assets/queries/terraform/azure/mssql_server_auditing_disabled/query.rego

@@ -3,17 +3,19 @@ package Cx
 import data.generic.terraform as tf_lib
 
 CxPolicy[result] {
-	resource := input.document[i].resource.azurerm_mssql_server[name]
-
-	not resource.extended_auditing_policy
+	resource := input.document[i].resource
+
+	server:= resource.azurerm_mssql_server[name]
+
+	not resource.azurerm_mssql_server_extended_auditing_policy[name]
 
 	result := {
 		"documentId": input.document[i].id,
 		"resourceType": "azurerm_mssql_server",
-		"resourceName": tf_lib.get_resource_name(resource, name),
+		"resourceName": tf_lib.get_resource_name(server, name),
 		"searchKey": sprintf("azurerm_mssql_server[%s]", [name]),
 		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("'azurerm_mssql_server.%s.extended_auditing_policy' should exist", [name]),
-		"keyActualValue": sprintf("'azurerm_mssql_server.%s.extended_auditing_policy' does not exist", [name]),
+		"keyExpectedValue": sprintf("'azurerm_mssql_server[%s].extended_auditing_policy' resource should exist", [name]),
+		"keyActualValue": sprintf("'azurerm_mssql_server[%s].extended_auditing_policy' resource does not exist", [name]),
 	}
 }

assets/queries/terraform/azure/mssql_server_auditing_disabled/test/negative.tf

@@ -1,15 +1,38 @@
-resource "azurerm_mssql_server" "negative1" {
+provider "azurerm" {
+  features {}
+}
+
+resource "azurerm_resource_group" "example" {
+  name     = "example-resources"
+  location = "West Europe"
+}
+
+resource "azurerm_mssql_server" "example" {
     name                         = "mssqlserver"
     resource_group_name          = azurerm_resource_group.example.name
     location                     = azurerm_resource_group.example.location
     version                      = "12.0"
     administrator_login          = "mradministrator"
     administrator_login_password = "thisIsDog11"
+}
+
+resource "azurerm_mssql_database" "example" {
+  name      = "example-db"
+  server_id = azurerm_mssql_server.example.id
+}
+
+resource "azurerm_storage_account" "example" {
+  name                     = "examplesa"
+  resource_group_name      = azurerm_resource_group.example.name
+  location                 = azurerm_resource_group.example.location
+  account_tier             = "Standard"
+  account_replication_type = "LRS"
+}
 
-    extended_auditing_policy {
-       storage_endpoint           = azurerm_storage_account.example.primary_blob_endpoint
-       storage_account_access_key = azurerm_storage_account.example.primary_access_key
-       storage_account_access_key_is_secondary = true
-       retention_in_days                       = 90
-    }
-}
+resource "azurerm_mssql_server_extended_auditing_policy" "example" {
+  database_id                             = azurerm_mssql_database.example.id
+  storage_endpoint                        = azurerm_storage_account.example.primary_blob_endpoint
+  storage_account_access_key              = azurerm_storage_account.example.primary_access_key
+  storage_account_access_key_is_secondary = false
+  retention_in_days                       = 6
+}