turbot/terraform_azure_compliance

Query: application_gateway_restrict_message_lookup_log4j2

Usage

powerpipe query terraform_azure_compliance.query.application_gateway_restrict_message_lookup_log4j2

Steampipe Tables

SQL

with managed_rule as (
select
distinct name
from
terraform_resource,
jsonb_array_elements (
case jsonb_typeof(attributes_std -> 'managed_rules' -> 'managed_rule_set')
when 'array' then (attributes_std -> 'managed_rules' -> 'managed_rule_set')
when 'object' then jsonb_build_array(attributes_std -> 'managed_rules' -> 'managed_rule_set')
else null end
) r,
jsonb_array_elements(
case jsonb_typeof(r -> 'rule_group_override')
when 'array' then (r -> 'rule_group_override')
when 'object' then jsonb_build_array(r -> 'rule_group_override')
else null end
) as o
where
type = 'azurerm_web_application_firewall_policy'
and r ->> 'type' = 'OWASP'
and r ->> 'version' in ('3.1', '3.2')
and o ->> 'rule_group_name' = 'REQUEST-944-APPLICATION-ATTACK-JAVA'
and o -> 'disabled_rules' @> '["944240"]'
), managed_rule_set_version as (
select
distinct name
from
terraform_resource,
jsonb_array_elements (
case jsonb_typeof(attributes_std -> 'managed_rules' -> 'managed_rule_set')
when 'array' then (attributes_std -> 'managed_rules' -> 'managed_rule_set')
when 'object' then jsonb_build_array(attributes_std -> 'managed_rules' -> 'managed_rule_set')
else null end
) r
where
type = 'azurerm_web_application_firewall_policy'
and r ->> 'type' = 'OWASP'
and r ->> 'version' not in ('3.1', '3.2')
)
select
address as resource,
case
when v.name is not null then 'alarm'
when m.name is not null then 'alarm'
else 'ok'
end status,
split_part(address, '.', 2) || case
when v.name is not null then ' managed rule set vesion is old'
when m.name is not null then ' does not restrict message lookup in Log4j2'
else ' restrict message lookup in Log4j2'
end || '.' reason
, path || ':' || start_line
from
terraform_resource as r
left join managed_rule as m on r.name = m.name
left join managed_rule_set_version as v on v.name = r.name
where
type = 'azurerm_web_application_firewall_policy';

Controls

The query is being used by the following controls: