skip: update CI 221

auto_policy_testing/green/cosmosdb/cosmosdb.tf

@@ -25,7 +25,7 @@ resource "azurerm_cosmosdb_account" "this" {
 
   ip_range_filter = "127.0.0.1"
 
-  key_vault_key_id = data.terraform_remote_state.common.outputs.key_versionless_id
+  #key_vault_key_id = data.terraform_remote_state.common.outputs.key_versionless_id
 
   access_key_metadata_writes_enabled = false
 

auto_policy_testing/green/cosmosdb/key_vault.tf

@@ -1,14 +1,14 @@
 data "azurerm_client_config" "current" {}
 
-data "azuread_service_principal" "cosmosdb" {
-  display_name = "Azure Cosmos DB"
-}
+#data "azuread_service_principal" "cosmosdb" {
+#  display_name = "Azure Cosmos DB"
+#}
 
-resource "azurerm_key_vault_access_policy" "cosmosdb" {
-  key_vault_id = data.terraform_remote_state.common.outputs.key_vault_id
-  tenant_id = data.azurerm_client_config.current.tenant_id
-  object_id = data.azuread_service_principal.cosmosdb.id
+#resource "azurerm_key_vault_access_policy" "cosmosdb" {
+#  key_vault_id = data.terraform_remote_state.common.outputs.key_vault_id
+#  tenant_id = data.azurerm_client_config.current.tenant_id
+#  object_id = data.azuread_service_principal.cosmosdb.id
 
-  key_permissions    = ["Get", "UnwrapKey", "WrapKey"]
-  secret_permissions = ["Get"]
-}
+#  key_permissions    = ["Get", "UnwrapKey", "WrapKey"]
+#  secret_permissions = ["Get"]
+#}

auto_policy_testing/scripts/exception_rules.py

@@ -13,6 +13,7 @@
               "ecc-azure-345-mysql_infrastructure_encryption", #policy doesn't work
               "ecc-azure-368-vmss_omi_vulnerability", #policy doesn't work
               "ecc-azure-378-cis_nsg_flow_log_analytics", #policy doesn't work
+              "ecc-azure-201-asb_cosmosdb_encrypt_cmk", #policy work but need additional permissions
               "ecc-azure-302-redis_cache_disabled_public_access", #python sdk should be updated
               "ecc-azure-354-acr_anonymous_pull", #issue with policy, should be reviewed and fixed
               "ecc-azure-143-asb_api_mgmt_vnet" #issue with terraform, should be reviewed and fixed
@@ -32,7 +33,7 @@
             "ecc-azure-141-asb_fw_traffic_route", #temporary in block
             "ecc-azure-176-asb_ddos_protection_enabled", #temporary in block
             "ecc-azure-302-redis_cache_disabled_public_access", #python sdk should be updated
-            "ecc-azure-058-cis_aks_rbac", #cannot create red infra, screen in tg
+            "ecc-azure-058-cis_aks_rbac", # Cannot create red tf for 058 rule because Azure AD integration (Legacy) is deprecated.
             "ecc-azure-235-asb_k8s_policy", #issue with rule, should be fixed
             "ecc-azure-281-aks_non_vulnerable_version", #cannot create red tf because azure restrict to deploy new aks with vulnerable version
             "ecc-azure-038-cis_log_keyvaults", # policy and tf works but "Azure Policy" automatically deploys DS to keyvault