skip: update CI 218

.github/workflows/auto-test.yml

@@ -10,7 +10,7 @@ on:
       resource_priority_list:
         type: string
         description: Priority list for resources (you can remove unnecessary resources during testing)
-        default: '["storage", "webapp", "vnet", "network", "vm", "synapse", "sql", "mysql", "subscription", "disk", "postgresql", "cosmosdb", "signalr", "spring", "search", "service-fabric", "stream", "redis", "servicebus", "role", "monitor", "machine-learning", "logic", "kusto", "aks", "keyvault", "iothub", "front-door", "event", "data", "defender", "container", "cognitiveservice", "batch", "automation", "application", "app-configuration", "api", "alert"]'
+        default: '["postgresql"]'
         #'["storage", "webapp", "vnet", "network", "vm", "synapse", "sql", "mysql", "subscription", "disk", "postgresql", "cosmosdb", "signalr", "spring", "search", "service-fabric", "stream", "redis", "servicebus", "role", "monitor", "machine-learning", "logic", "kusto", "aks", "keyvault", "iothub", "front-door", "event", "data", "defender", "container", "cognitiveservice", "batch", "automation", "application", "app-configuration", "api", "alert"]'
         required: true
 
@@ -24,7 +24,7 @@ env:
   AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
   AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
   AZURE_SECRET_VALUE: ${{ secrets.AZURE_SECRET_VALUE }}
-  default_resource_priority_list: '["storage", "webapp", "vnet", "network", "vm", "synapse", "sql", "mysql", "subscription", "disk", "postgresql", "cosmosdb", "signalr", "spring", "search", "service-fabric", "stream", "redis", "servicebus", "role", "monitor", "machine-learning", "logic", "kusto", "aks", "keyvault", "iothub", "front-door", "event", "data", "defender", "container", "cognitiveservice", "batch", "automation", "application", "app-configuration", "api", "alert"]'
+  default_resource_priority_list: '["postgresql"]'
   #default_resource_priority_list: '["storage", "webapp", "vnet", "network", "vm", "synapse", "sql", "mysql", "subscription", "disk", "postgresql", "cosmosdb", "signalr", "spring", "search", "service-fabric", "stream", "redis", "servicebus", "role", "monitor", "machine-learning", "logic", "kusto", "aks", "keyvault", "iothub", "front-door", "event", "data", "defender", "container", "cognitiveservice", "batch", "automation", "application", "app-configuration", "api", "alert"]'
   TF_VAR_project: ${{ secrets.TF_VAR_project }}
   TF_VAR_region: ${{ secrets.AWS_REGION }}

auto_policy_testing/green/postgresql/key_vault.tf

@@ -1,42 +1,10 @@
-#data "azurerm_client_config" "current" {}
-#
-#resource "azurerm_key_vault" "this" {
-#  name                       = "${module.naming.resource_prefix.keyvault}${random_integer.this.result}"
-#  location                   = data.terraform_remote_state.common.outputs.location
-#  resource_group_name        = data.terraform_remote_state.common.outputs.resource_group
-#  tenant_id                  = data.azurerm_client_config.current.tenant_id
-#  sku_name                   = "premium"
-#
-#  purge_protection_enabled = true
-#}
+data "azurerm_client_config" "current" {}
 
-#resource "azurerm_key_vault_access_policy" "server" {
-#  key_vault_id = azurerm_key_vault.this.id
-#  tenant_id    = azurerm_postgresql_server.cmk.identity[0].tenant_id
-#  object_id    = azurerm_postgresql_server.cmk.identity[0].principal_id
-#
-#  key_permissions    = ["Get", "UnwrapKey", "WrapKey"]
-#  secret_permissions = ["Get"]
-#}
+resource "azurerm_key_vault_access_policy" "server" {
+  key_vault_id = data.terraform_remote_state.common.outputs.key_vault_id
+  tenant_id    = azurerm_postgresql_server.cmk.identity[0].tenant_id
+  object_id    = azurerm_postgresql_server.cmk.identity[0].principal_id
 
-#resource "azurerm_key_vault_access_policy" "client" {
-#  key_vault_id = azurerm_key_vault.this.id
-#  tenant_id    = data.azurerm_client_config.current.tenant_id
-#  object_id    = data.azurerm_client_config.current.object_id
-#
-#  key_permissions    = ["Get", "Create", "Delete", "List", "Restore", "Recover", "UnwrapKey", "WrapKey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify", "GetRotationPolicy", "SetRotationPolicy"]
-#  secret_permissions = ["Get"]
-#}
-
-#resource "azurerm_key_vault_key" "this" {
-#  name         = "${module.naming.resource_prefix.keyvault-key}-${random_integer.this.result}"
-#  key_vault_id = azurerm_key_vault.this.id
-#  key_type     = "RSA"
-#  key_size     = 2048
-#  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]
-#
-#  depends_on = [
-#    azurerm_key_vault_access_policy.server,
-#    azurerm_key_vault_access_policy.client
-#  ]
-#}
+  key_permissions    = ["Get", "UnwrapKey", "WrapKey"]
+  secret_permissions = ["Get"]
+}

auto_policy_testing/green/postgresql/outputs.tf

@@ -1,6 +1,6 @@
 output "postgresql" {
   value = {
     postgresql-server = azurerm_postgresql_server.this.id
-    #ecc-azure-203-asb_postgresql_encrypt_cmk = azurerm_postgresql_server.cmk.id
+    ecc-azure-203-asb_postgresql_encrypt_cmk = azurerm_postgresql_server.cmk.id
   }
 }

auto_policy_testing/green/postgresql/postgresql_server.tf

@@ -30,32 +30,6 @@ resource "azurerm_postgresql_server" "this" {
   tags = module.naming.default_tags
 }
 
-#resource "azurerm_postgresql_server" "cmk" {
-#  name                = "${module.naming.resource_prefix.postgresql-server}-cmk"
-#  location                      = data.terraform_remote_state.common.outputs.location
-#  resource_group_name           = data.terraform_remote_state.common.outputs.resource_group
-#
-#  sku_name   = "GP_Gen5_2"
-#  version    = "11"
-#  storage_mb = 51200
-#
-#  administrator_login          = random_string.this.result
-#  administrator_login_password = random_password.this.result
-#
-#  ssl_enforcement_enabled = true
-#
-#  identity {
-#    type = "SystemAssigned"
-#  }
-#
-#  tags = module.naming.default_tags
-#}
-
-#resource "azurerm_postgresql_server_key" "this" {
-#  server_id        = azurerm_postgresql_server.cmk.id
-#  key_vault_key_id = azurerm_key_vault_key.this.id
-#}
-
 resource "azurerm_postgresql_configuration" "log_checkpoints" {
   name                = "log_checkpoints"
   resource_group_name = data.terraform_remote_state.common.outputs.resource_group

auto_policy_testing/green/postgresql/postgresql_server_cmk.tf

@@ -0,0 +1,25 @@
+resource "azurerm_postgresql_server" "cmk" {
+  name                = "${module.naming.resource_prefix.postgresql-server}-cmk"
+  location                      = data.terraform_remote_state.common.outputs.location
+  resource_group_name           = data.terraform_remote_state.common.outputs.resource_group
+
+  sku_name   = "GP_Gen5_2"
+  version    = "11"
+  storage_mb = 51200
+
+  administrator_login          = random_string.this.result
+  administrator_login_password = random_password.this.result
+
+  ssl_enforcement_enabled = true
+
+  identity {
+    type = "SystemAssigned"
+  }
+
+  tags = module.naming.default_tags
+}
+
+resource "azurerm_postgresql_server_key" "this" {
+  server_id        = azurerm_postgresql_server.cmk.id
+  key_vault_key_id = data.terraform_remote_state.common.outputs.key_id
+}

auto_policy_testing/scripts/exception_rules.py

@@ -14,7 +14,6 @@
               "ecc-azure-368-vmss_omi_vulnerability", #policy doesn't work
               "ecc-azure-378-cis_nsg_flow_log_analytics", #policy doesn't work
               "ecc-azure-201-asb_cosmosdb_encrypt_cmk", #policy work but need additional permissions
-              "ecc-azure-203-asb_postgresql_encrypt_cmk", #policy work but terraform destroy fails pipeline
               "ecc-azure-302-redis_cache_disabled_public_access", #python sdk should be updated
               "ecc-azure-354-acr_anonymous_pull", #issue with policy, should be reviewed and fixed
               "ecc-azure-143-asb_api_mgmt_vnet" #issue with terraform, should be reviewed and fixed