Control: Storage Accounts should use a virtual network service endpoint
Description
This policy audits any Storage Account not configured to use a virtual network service endpoint.
Usage
Run the control in your terminal:
powerpipe control run terraform_azure_compliance.control.storage_account_use_virtual_service_endpoint
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run terraform_azure_compliance.control.storage_account_use_virtual_service_endpoint --share
SQL
This control uses a named query:
with storage_account_network_rules as (
  select
    name,
    address,
    type,
    path,
    start_line,
    -- 'azurerm_storage_account.<block_name>.name' -> '<block_name>'
    split_part((attributes_std ->> 'storage_account_name'), '.', 2) as storage_account_name
  from
    terraform_resource
  where
    type = 'azurerm_storage_account_network_rules'
    and (attributes_std ->> 'default_action') = 'Deny'
),
storage_account_name as (
  select
    name,
    address,
    type,
    path,
    _ctx,
    start_line
  from
    terraform_resource
  where
    type = 'azurerm_storage_account'
)
select
  san.address as resource,
  case
    when sanr.address is null then 'alarm'
    else 'ok'
  end status,
  split_part(san.address, '.', 2) || case
    when sanr.address is null then ' does not use virtual service endpoint'
    else ' uses virtual service endpoint'
  end || '.' reason,
  san.path || ':' || san.start_line
from
  storage_account_name as san
  left join storage_account_network_rules as sanr on sanr.storage_account_name = san.name;
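The following Terraform fragment is a constructed example added here to show what the query above classifies as alarm and ok; it is not part of the mod or the page, and the resource names, account names, resource group and subnet reference are hypothetical.

```hcl
# Constructed example (not from the terraform_azure_compliance mod).

# Case 1: no azurerm_storage_account_network_rules resource references this
# account, so the left join yields no row and the control reports "alarm".
resource "azurerm_storage_account" "open" {
  name                     = "stopenexample"   # hypothetical
  resource_group_name      = "rg-example"      # hypothetical
  location                 = "eastus"
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

# Case 2: a network-rules resource with default_action = "Deny" refers to the
# account as azurerm_storage_account.locked.name. The query takes the second
# dotted segment ("locked"), matches it against the block name of the storage
# account, and reports "ok".
resource "azurerm_storage_account" "locked" {
  name                     = "stlockedexample" # hypothetical
  resource_group_name      = "rg-example"
  location                 = "eastus"
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_storage_account_network_rules" "locked" {
  storage_account_name       = azurerm_storage_account.locked.name
  resource_group_name        = azurerm_storage_account.locked.resource_group_name
  default_action             = "Deny"
  virtual_network_subnet_ids = [azurerm_subnet.example.id] # hypothetical subnet
  bypass                     = ["AzureServices"]
}
```

Two caveats follow directly from the join condition: a network-rules resource whose default_action is anything other than "Deny", or one that does not refer to the account through a storage_account_name of the form azurerm_storage_account.<block_name>.name, produces no matching row, so the account is reported as alarm even if it is otherwise locked down. Conversely, the query does not inspect virtual_network_subnet_ids, so a Deny rule with an empty subnet list is still reported as ok.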