Control: Container Registry should use a virtual network service endpoint
Description
This policy audits any Container Registry not configured to use a virtual network service endpoint.
Usage
Run the control in your terminal:
powerpipe control run terraform_azure_compliance.control.container_registry_use_virtual_service_endpoint
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run terraform_azure_compliance.control.container_registry_use_virtual_service_endpoint --share
SQL
This control uses a named query:
with container_registry as (
  select
    *
  from
    terraform_resource
  where
    type = 'azurerm_container_registry'
),
-- registries that declare at least one virtual_network rule inside network_rule_set
container_registry_subnet as (
  select distinct
    address
  from
    container_registry as a,
    jsonb_array_elements(attributes_std -> 'network_rule_set' -> 'virtual_network') as rule
)
select
  a.address as resource,
  -- ok only when default_action is Deny and a virtual_network rule is present
  case
    when (attributes_std -> 'network_rule_set' ->> 'default_action')::text <> 'Deny' then 'alarm'
    when s.address is null then 'alarm'
    else 'ok'
  end as status,
  case
    when (attributes_std -> 'network_rule_set' ->> 'default_action')::text <> 'Deny' then ' not configured with virtual service endpoint'
    when s.address is null then ' not configured with virtual service endpoint'
    else ' configured with virtual service endpoint'
  end || '.' as reason,
  path || ':' || start_line
from
  container_registry as a
  left join container_registry_subnet as s on a.address = s.address;
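As an added illustration that is not part of the mod, the Terraform below shows one registry the control reports as alarm (default_action is Allow and no virtual_network rule exists) beside one it reports as ok. Resource names, the resource group, the virtual network and the address prefix are assumed placeholders, and the syntax assumes the azurerm 3.x provider schema, where network_rule_set.virtual_network is available on the Premium SKU.

```hcl
# Added example, not the mod's own code. Names, resource group, vnet and
# subnet values are constructed placeholders; azurerm 3.x schema assumed.

# Reported as "alarm": default_action is Allow and there is no virtual_network
# rule, so the registry accepts traffic from any network.
resource "azurerm_container_registry" "open" {
  name                = "acrexampleopen"
  resource_group_name = "rg-example"
  location            = "eastus"
  sku                 = "Premium"

  network_rule_set {
    default_action = "Allow"
  }
}

# Subnet with the Microsoft.ContainerRegistry service endpoint enabled, which
# is what a virtual_network rule on the registry points at.
resource "azurerm_subnet" "acr" {
  name                 = "snet-acr"
  resource_group_name  = "rg-example"
  virtual_network_name = "vnet-example"
  address_prefixes     = ["10.0.1.0/24"]
  service_endpoints    = ["Microsoft.ContainerRegistry"]
}

# Reported as "ok": default_action is Deny (so the first case branch does not
# fire) and a virtual_network rule exists (so the registry appears in the
# container_registry_subnet CTE and s.address is not null).
resource "azurerm_container_registry" "restricted" {
  name                = "acrexamplerestricted"
  resource_group_name = "rg-example"
  location            = "eastus"
  sku                 = "Premium"

  network_rule_set {
    default_action = "Deny"

    virtual_network {
      action    = "Allow"
      subnet_id = azurerm_subnet.acr.id
    }
  }
}
```

Note that a registry with a virtual_network rule but default_action left at Allow is still reported as alarm, because the query evaluates the default_action branch first.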