From e30dc3b62a1ba58547e49d45eccaf524c0733f0b Mon Sep 17 00:00:00 2001
From: vit-corp
Date: Tue, 27 Aug 2024 18:38:59 +0300
Subject: [PATCH] skip: update CI 220
---
 .github/workflows/auto-test.yml | 4 ++--
 .../green/cosmosdb/cosmosdb.tf | 2 +-
 .../green/cosmosdb/key_vault.tf | 22 +++++++++----------
 .../green/postgresql/postgresql_server_cmk.tf | 2 +-
 .../scripts/exception_rules.py | 1 -
 5 files changed, 15 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/auto-test.yml b/.github/workflows/auto-test.yml
index f28cb189..822d4195 100644
--- a/.github/workflows/auto-test.yml
+++ b/.github/workflows/auto-test.yml
@@ -10,7 +10,7 @@ on:
 resource_priority_list:
 type: string
 description: Priority list for resources (you can remove unnecessary resources during testing)
- default: '["postgresql"]'
+ default: '["postgresql", "cosmosdb"]'
 #'["storage", "webapp", "vnet", "network", "vm", "synapse", "sql", "mysql", "subscription", "disk", "postgresql", "cosmosdb", "signalr", "spring", "search", "service-fabric", "stream", "redis", "servicebus", "role", "monitor", "machine-learning", "logic", "kusto", "aks", "keyvault", "iothub", "front-door", "event", "data", "defender", "container", "cognitiveservice", "batch", "automation", "application", "app-configuration", "api", "alert"]'
 required: true
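Review bot: The default value for `resource_priority_list` now lives in two literals that must be edited together — the `workflow_dispatch` input default in this hunk and the `default_resource_priority_list` env entry in the next hunk — and this commit shows the drift risk by having to change both. Nothing on the input side points at its twin, so a later edit to one of them will silently diverge. A short comment next to the input default such as `# keep in sync with env.default_resource_priority_list below` would at least make the coupling visible; deriving one from the other would remove it. The surrounding `inputs:` block starts outside the hunk.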
@@ -24,7 +24,7 @@ env:
 AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
 AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 AZURE_SECRET_VALUE: ${{ secrets.AZURE_SECRET_VALUE }}
- default_resource_priority_list: '["postgresql"]'
+ default_resource_priority_list: '["postgresql", "cosmosdb"]'
 #default_resource_priority_list: '["storage", "webapp", "vnet", "network", "vm", "synapse", "sql", "mysql", "subscription", "disk", "postgresql", "cosmosdb", "signalr", "spring", "search", "service-fabric", "stream", "redis", "servicebus", "role", "monitor", "machine-learning", "logic", "kusto", "aks", "keyvault", "iothub", "front-door", "event", "data", "defender", "container", "cognitiveservice", "batch", "automation", "application", "app-configuration", "api", "alert"]'
 TF_VAR_project: ${{ secrets.TF_VAR_project }}
 TF_VAR_region: ${{ secrets.AWS_REGION }}
diff --git a/auto_policy_testing/green/cosmosdb/cosmosdb.tf b/auto_policy_testing/green/cosmosdb/cosmosdb.tf
index 6597d724..01dd25e6 100644
--- a/auto_policy_testing/green/cosmosdb/cosmosdb.tf
+++ b/auto_policy_testing/green/cosmosdb/cosmosdb.tf
@@ -25,7 +25,7 @@ resource "azurerm_cosmosdb_account" "this" {
 ip_range_filter = "127.0.0.1"
-# key_vault_key_id = data.terraform_remote_state.common.outputs.key_versionless_id
+ key_vault_key_id = data.terraform_remote_state.common.outputs.key_versionless_id
 access_key_metadata_writes_enabled = false
diff --git a/auto_policy_testing/green/cosmosdb/key_vault.tf b/auto_policy_testing/green/cosmosdb/key_vault.tf
index 04db5020..9b36bcea 100644
--- a/auto_policy_testing/green/cosmosdb/key_vault.tf
+++ b/auto_policy_testing/green/cosmosdb/key_vault.tf
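Review bot: Enabling `key_vault_key_id` on `azurerm_cosmosdb_account.this` creates no dependency on `azurerm_key_vault_access_policy.cosmosdb` (the value comes from the `common` remote state, not from the policy resource), so Terraform is free to create the account before the Cosmos DB service principal has WrapKey/UnwrapKey on the vault, and a fresh apply can fail with a key-access error. Add `depends_on = [azurerm_key_vault_access_policy.cosmosdb]` to this resource block so the policy is in place first. Note also that azurerm marks `key_vault_key_id` on this resource as forcing replacement, so switching it on for an existing test account recreates that account. The rest of the resource block, including any existing `depends_on`, is outside the hunk.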
@@ -1,14 +1,14 @@
-#data "azurerm_client_config" "current" {}
+data "azurerm_client_config" "current" {}
-#data "azuread_service_principal" "cosmosdb" {
-# display_name = "Azure Cosmos DB"
-#}
+data "azuread_service_principal" "cosmosdb" {
+ display_name = "Azure Cosmos DB"
+}
-#resource "azurerm_key_vault_access_policy" "cosmosdb" {
-# key_vault_id = data.terraform_remote_state.common.outputs.key_vault_id
-# tenant_id = data.azurerm_client_config.current.tenant_id
-# object_id = data.azuread_service_principal.cosmosdb.id
+resource "azurerm_key_vault_access_policy" "cosmosdb" {
+ key_vault_id = data.terraform_remote_state.common.outputs.key_vault_id
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = data.azuread_service_principal.cosmosdb.id
-# key_permissions = ["Get", "UnwrapKey", "WrapKey"]
-# secret_permissions = ["Get"]
-#}
\ No newline at end of file
+ key_permissions = ["Get", "UnwrapKey", "WrapKey"]
+ secret_permissions = ["Get"]
+}
\ No newline at end of file
diff --git a/auto_policy_testing/green/postgresql/postgresql_server_cmk.tf b/auto_policy_testing/green/postgresql/postgresql_server_cmk.tf
index 08969e35..7df0f3af 100644
--- a/auto_policy_testing/green/postgresql/postgresql_server_cmk.tf
+++ b/auto_policy_testing/green/postgresql/postgresql_server_cmk.tf
@@ -29,5 +29,5 @@ resource "azurerm_postgresql_server" "cmk" {
 resource "azurerm_postgresql_server_key" "this" {
 server_id = azurerm_postgresql_server.cmk.id
- key_vault_key_id = data.terraform_remote_state.common.outputs.key_id
+ key_vault_key_id = azurerm_key_vault_key.this.id
 }
diff --git a/auto_policy_testing/scripts/exception_rules.py b/auto_policy_testing/scripts/exception_rules.py
index 3b14df79..1b90b917 100644
--- a/auto_policy_testing/scripts/exception_rules.py
+++ b/auto_policy_testing/scripts/exception_rules.py
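Review bot: The access policy grants more than Cosmos DB customer-managed keys require: the service needs only `Get`, `UnwrapKey` and `WrapKey` on keys, so `secret_permissions = ["Get"]` gives the first-party principal read access to every secret in the shared `common` vault for no benefit and should be removed. The lookup `data "azuread_service_principal" "cosmosdb" { display_name = "Azure Cosmos DB" }` resolves by display name, which is not unique within a tenant and can match a different registration with the same name; resolving the first-party app by its well-known application id (`client_id` in current azuread provider versions) is unambiguous, e.g. `client_id = "<COSMOSDB_FIRST_PARTY_APP_ID>"` with the id taken from Microsoft's documentation rather than hard-coded from memory. Two preconditions live outside this hunk and are worth a comment on the resource: the vault must have soft-delete and purge protection enabled for Cosmos DB to accept the key, and if the shared vault uses RBAC authorization this access policy is silently ignored.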
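Review bot: `key_vault_key_id = azurerm_key_vault_key.this.id` pins the server to the versioned key URI (`id`, as opposed to `versionless_id`), so after a key rotation this resource keeps pointing at the old version until the plan is re-applied; if that is the intended behaviour for the test fixture, a one-line comment such as `# versioned id on purpose: single-server CMK does not auto-rotate` would stop the next reader from "fixing" it. Where `azurerm_key_vault_key.this` is defined and which vault it lives in is not visible in this hunk, and as with the Cosmos DB change nothing here orders the server key after the access policy for the server's managed identity — if that policy is a resource in this module, a `depends_on` on it avoids a first-apply failure. Note the old value came from the shared `common` state, so other modules still using `outputs.key_id` are unaffected by this switch.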
@@ -13,7 +13,6 @@
 "ecc-azure-345-mysql_infrastructure_encryption", #policy doesn't work
 "ecc-azure-368-vmss_omi_vulnerability", #policy doesn't work
 "ecc-azure-378-cis_nsg_flow_log_analytics", #policy doesn't work
- "ecc-azure-201-asb_cosmosdb_encrypt_cmk", #policy work but need additional permissions
 "ecc-azure-302-redis_cache_disabled_public_access", #python sdk should be updated
 "ecc-azure-354-acr_anonymous_pull", #issue with policy, should be reviewed and fixed
 "ecc-azure-143-asb_api_mgmt_vnet" #issue with terraform, should be reviewed and fixed