feat(azure): Add policy docs (#10253)

disq · web-flow · commit e5b9ec7a36cd · 2023-04-23T10:10:21.000Z
Including views (just like #10250) Looks like: https://cloudquery-rhkamisgy-cloudquery.vercel.app/docs/plugins/sources/azure/policies This PR also removes the static `policies.mdx` file.
diff --git a/plugins/source/azure/Makefile b/plugins/source/azure/Makefile
@@ -5,6 +5,10 @@ test:
 
 .PHONY: gen-docs
 gen-docs:
+	go run main.go doc --format json docs
+	go run scripts/policy_docs/main.go azure policies ../../../website/pages/docs/plugins/sources/azure/policies.md docs/__tables.json
+	rm docs/__tables.json
+
 	rm -rf ../../../website/tables/azure
 	go run main.go doc ../../../website/tables/azure
 	sed 's_(\(.*\))_(../../../../../website/tables/azure/\1)_' ../../../website/tables/azure/README.md > ./docs/tables/README.md
diff --git a/plugins/source/azure/scripts/policy_docs/main.go b/plugins/source/azure/scripts/policy_docs/main.go
@@ -12,16 +12,18 @@ import (
 	"sort"
 	"strings"
 	"text/template"
+
+	"golang.org/x/exp/maps"
 )
 
 //go:embed templates/*.go.tpl
 var templatesFS embed.FS
 
-var (
-	reInline = regexp.MustCompile(`(?im)^\\ir (.+)`)
-	reTable  = regexp.MustCompile(`(?i)(?:from|join)\s+(\w+)`)
-	reTitle  = regexp.MustCompile(`(?i)\:'check_id'(?:\s+as\s+check_id\s*)?,\s+'(.+)'(?:\s+as\s+title\s*)?,`)
-)
+var reInline = regexp.MustCompile(`(?im)^\\ir (.+)`)
+var reTable = regexp.MustCompile(`(?i)(?:from|join)\s+(\w+)`)
+var reTitle = regexp.MustCompile(`(?i)\:'check_id'(?:\s+as\s+check_id\s*)?,\s+'(.+)'(?:\s+as\s+title\s*)?,`)
+var reViewName = regexp.MustCompile(`(?i)create\s+(or\s+replace\s+)view\s+(.+)\s+as`)
+var reIsPolicyQuery *regexp.Regexp
 
 type Index struct {
 	Policies []Policy `json:"policies"`
@@ -50,6 +52,10 @@ type PolicyInfo struct {
 	Name    string
 	Queries []Query
 	Tables  []string
+
+	CreatedViews   map[string]bool
+	DependentViews []string
+	UnusedViews    []string
 }
 
 func newPolicyInfo(name string, queries []Query, allTables []Table) *PolicyInfo {
@@ -63,28 +69,62 @@ func newPolicyInfo(name string, queries []Query, allTables []Table) *PolicyInfo
 
 // Tables returns the unique set of tables needed to run all queries
 func (pi *PolicyInfo) setTables(allTables Tables) {
-	t := map[string]struct{}{}
+	t, v := map[string]struct{}{}, map[string]struct{}{}
+	pi.CreatedViews = map[string]bool{}
+
+	// Add all views detected from CREATE VIEW statements
 	for _, q := range pi.Queries {
+		if q.View {
+			pi.CreatedViews[q.ViewName] = true
+		}
+	}
+
+	// Accessed views from queries, should be a subset of the above
+	for _, q := range pi.Queries {
+		for _, vi := range q.Views {
+			v[vi] = struct{}{}
+		}
+	}
+
+	for _, q := range pi.Queries {
+		// Add all tables from queries *and* views
 		for _, table := range q.Tables {
+			if pi.CreatedViews[table] {
+				// This is a view, not a table
+				v[table] = struct{}{}
+			}
+
 			t[table] = struct{}{}
 			ancestors := allTables.FindAncestors(table)
 			for _, a := range ancestors {
 				t[a.Name] = struct{}{}
 			}
 		}
 	}
-	var final []string
-	for k := range t {
-		final = append(final, k)
+
+	pi.Tables, pi.DependentViews = maps.Keys(t), maps.Keys(v)
+
+	unused := make(map[string]struct{}, len(pi.CreatedViews))
+	for k := range pi.CreatedViews {
+		if _, ok := v[k]; !ok {
+			unused[k] = struct{}{}
+		}
 	}
-	sort.Strings(final)
-	pi.Tables = final
+	pi.UnusedViews = maps.Keys(unused)
+
+	sort.Strings(pi.Tables)
+	sort.Strings(pi.DependentViews)
+	sort.Strings(pi.UnusedViews)
 }
 
 type Query struct {
-	Title  string
+	Title  string // Empty for views
 	Path   string
 	Tables []string
+	Views  []string
+
+	View     bool   `json:",omitempty"`
+	ViewName string `json:",omitempty"`
 }
 
 func removeDuplicates(queries []Query) []Query {
@@ -115,26 +155,40 @@ func extractQueries(prefix, sqlPath string) ([]Query, error) {
 	}
 	content := string(b)
 	var queries []Query
-	tableMatches := reTable.FindAllStringSubmatch(content, -1)
-	reIsPolicyQuery := regexp.MustCompile(`(?i)insert\s+into\s+` + prefix + `_policy_results`)
-	isPolicyQuery := reIsPolicyQuery.MatchString(content)
-	if isPolicyQuery && len(tableMatches) > 0 {
-		q := Query{}
+	q := Query{}
+	if tableMatches := reTable.FindAllStringSubmatch(content, -1); len(tableMatches) > 0 {
 		for _, m := range tableMatches {
-			if !strings.HasPrefix(m[1], prefix) {
-				continue
+			switch {
+			case strings.HasPrefix(m[1], prefix):
+				// This could be a table or still a view, will sort out later
+				q.Tables = append(q.Tables, m[1])
+				q.Path = sqlPath
+			case strings.HasPrefix(m[1], "view_"+prefix):
+				q.Views = append(q.Views, m[1])
+				q.Path = sqlPath
 			}
-			q.Tables = append(q.Tables, m[1])
-			q.Path = sqlPath
 		}
+	}
 
+	isPolicyQuery := reIsPolicyQuery.MatchString(content)
+	if isPolicyQuery && (len(q.Tables)+len(q.Views)) > 0 {
 		titleMatches := reTitle.FindAllStringSubmatch(content, -1)
 		if len(titleMatches) == 0 {
 			return nil, fmt.Errorf("failed to find title for query in %v", sqlPath)
 		} else if len(titleMatches) >= 1 {
 			q.Title = titleMatches[0][1]
 		}
 		queries = append(queries, q)
+	} else {
+		mv := reViewName.FindStringSubmatch(content)
+		if len(mv) > 0 {
+			q.View = true
+			q.ViewName = mv[2]
+			if !strings.HasPrefix(q.ViewName, prefix+"_") && !strings.HasPrefix(q.ViewName, "view_"+prefix) {
+				return nil, fmt.Errorf("view %q in %s does not start with `%s_` or `view_%s`", q.ViewName, sqlPath, prefix, prefix)
+			}
+			queries = append(queries, q)
+		}
 	}
 
 	// recurse to find queries in inlined files
@@ -151,7 +205,13 @@ func extractQueries(prefix, sqlPath string) ([]Query, error) {
 }
 
 func writePolicyDocs(info []*PolicyInfo, outputPath string) error {
-	t, err := template.New("policies.md.go.tpl").ParseFS(templatesFS, "templates/policies.md.go.tpl")
+	t, err := template.New("policies.md.go.tpl").
+		Funcs(template.FuncMap{
+			"add": func(a int, b int) int {
+				return a + b
+			},
+		}).
+		ParseFS(templatesFS, "templates/policies.md.go.tpl")
 	if err != nil {
 		return fmt.Errorf("failed to parse template for README.md: %v", err)
 	}
@@ -214,6 +274,8 @@ func main() {
 		log.Fatalf("error reading tables JSON: %v", err)
 	}
 
+	reIsPolicyQuery = regexp.MustCompile(`(?i)insert\s+into\s+` + prefix + `_policy_results`)
+
 	var info []*PolicyInfo
 	for _, p := range index.Policies {
 		pi, err := getPolicyInfo(prefix, tables, dir, p)
diff --git a/plugins/source/azure/scripts/policy_docs/templates/policies.md.go.tpl b/plugins/source/azure/scripts/policy_docs/templates/policies.md.go.tpl
@@ -18,9 +18,36 @@ tables:
 ```
 
 ### Queries
+
 {{ .Name }} performs the following checks:
-{{- range $query := .Queries }}
+{{- range $query := .Queries }}{{ if not $query.View }}
   - {{ $query.Title }}
+{{- end }}{{- end }}
+
+{{- if .DependentViews }}
+
+### Dependent Views
+
+{{ .Name }} depends on the following views:
+{{$createdViews := .CreatedViews }}
+{{- $num_created := 0}}
+{{- range $v := .DependentViews }}
+  - {{ $v }}{{ if index $createdViews $v }}<sup>*</sup>{{ $num_created = add $num_created 1 }}{{end}}
+{{- end }}
+
+{{- if gt $num_created 0}}
+
+  <sup>*</sup> {{if eq $num_created 1}}This view is{{else}}These views are{{end}} automatically created or updated by this policy.
+{{- end}}
+{{- end }}
+{{- if .UnusedViews }}
+
+### Unused Views
+
+{{ .Name }} creates {{if eq (len .UnusedViews) 1}}this view but does not use it:{{else}}these views but does not use them:{{end}}
+{{range $v := .UnusedViews }}
+  - {{ $v }}
 {{- end }}
+{{end}}
 
 {{- end }}
diff --git a/website/pages/docs/plugins/sources/azure/policies.md b/website/pages/docs/plugins/sources/azure/policies.md
@@ -8,36 +8,35 @@ This page documents the available CloudQuery SQL Policies for Azure. See the [re
 ### Requirements
 Azure CIS v1.3.0 requires the following tables to be synced before the policy is executed:
 
-```yaml copy
+```yaml
 tables:
+  - azure_appservice_web_app_auth_settings
+  - azure_appservice_web_apps
   - azure_compute_disks
   - azure_compute_virtual_machines
-  - azure_keyvault_keys
-  - azure_keyvault_secrets
-  - azure_keyvault_vaults
+  - azure_keyvault_keyvault
+  - azure_keyvault_keyvault_keys
+  - azure_keyvault_keyvault_secrets
   - azure_mysql_servers
-  - azure_postgresql_configurations
-  - azure_postgresql_firewall_rules
+  - azure_policy_assignments
+  - azure_postgresql_server_configurations
+  - azure_postgresql_server_firewall_rules
   - azure_postgresql_servers
   - azure_security_auto_provisioning_settings
-  - azure_security_contacts
   - azure_security_pricings
-  - azure_security_settings
-  - azure_sql_database_blob_auditing_policies
-  - azure_sql_database_threat_detection_policies
-  - azure_sql_databases
-  - azure_sql_encryption_protectors
   - azure_sql_server_admins
   - azure_sql_server_blob_auditing_policies
+  - azure_sql_server_database_blob_auditing_policies
+  - azure_sql_server_database_threat_protections
+  - azure_sql_server_databases
+  - azure_sql_server_encryption_protectors
   - azure_sql_server_vulnerability_assessments
   - azure_sql_servers
   - azure_sql_transparent_data_encryptions
-  - azure_web_apps
-  - azure_web_publishing_profiles
-  - azure_web_site_auth_settings
 ```
 
 ### Queries
+
 Azure CIS v1.3.0 performs the following checks:
   - Ensure that Azure Defender is set to On for Servers (Automatic)
   - Ensure that Azure Defender is set to On for App Service (Automatic)
@@ -47,11 +46,8 @@ Azure CIS v1.3.0 performs the following checks:
   - Ensure that Azure Defender is set to On for Kubernetes (Automatic)
   - Ensure that Azure Defender is set to On for Container Registries (Automatic)
   - Ensure that Azure Defender is set to On for Key Vault (Manual)
-  - Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected (Automatic)
   - Ensure that "Automatic provisioning of monitoring agent" is set to "On" (Automated)
   - Ensure any of the ASC Default policy setting is not set to "Disabled" (Automated)
-  - Ensure "Additional email addresses" is configured with a security contact email (Automated)
-  - Ensure that "Notify about alerts with the following severity" is set to "High" (Automated)
   - Ensure that "Auditing" is set to "On" (Automated)
   - Ensure that "Data encryption" is set to "On" on a SQL Database (Automated)
   - Ensure that "Auditing" Retention is "greater than 90 days" (Automated)
@@ -79,31 +75,40 @@ Azure CIS v1.3.0 performs the following checks:
   - Ensure the key vault is recoverable (Automated)
   - Ensure App Service Authentication is set on Azure App Service (Automated)
   - Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service (Automated)
+  - Ensure web app is using the latest version of TLS encryption (Automated)
   - Ensure the web app has ''Client Certificates (Incoming client certificates)'' set to ''On'' (Automated)
   - Ensure that Register with Azure Active Directory is enabled on App Service (Automated)
-  - Ensure FTP deployments are disabled (Automated)
+
+### Dependent Views
+
+Azure CIS v1.3.0 depends on the following views:
+
+  - view_azure_security_policy_parameters<sup>*</sup>
+
+  <sup>*</sup> This view is automatically created or updated by this policy.
 ## Azure HIPAA HITRUST v9.2
 
 ### Requirements
 Azure HIPAA HITRUST v9.2 requires the following tables to be synced before the policy is executed:
 
-```yaml copy
+```yaml
 tables:
+  - azure_appservice_web_app_vnet_connections
+  - azure_appservice_web_apps
   - azure_authorization_role_assignments
   - azure_authorization_role_definitions
-  - azure_batch_accounts
+  - azure_batch_account
   - azure_compute_virtual_machine_extensions
   - azure_compute_virtual_machine_scale_sets
   - azure_compute_virtual_machines
-  - azure_container_managed_clusters
-  - azure_container_registries
-  - azure_cosmosdb_accounts
-  - azure_datalake_store_accounts
+  - azure_containerregistry_registries
+  - azure_containerservice_managed_clusters
+  - azure_cosmos_database_accounts
+  - azure_datalakestore_accounts
+  - azure_eventhub_namespace_network_rule_sets
   - azure_eventhub_namespaces
-  - azure_eventhub_network_rule_sets
-  - azure_keyvault_managed_hsms
-  - azure_keyvault_vaults
-  - azure_logic_diagnostic_settings
+  - azure_keyvault_keyvault
+  - azure_keyvault_keyvault_managed_hsms
   - azure_logic_workflows
   - azure_mariadb_servers
   - azure_monitor_activity_log_alerts
@@ -122,27 +127,27 @@ tables:
   - azure_security_assessments
   - azure_security_auto_provisioning_settings
   - azure_security_jit_network_access_policies
-  - azure_sql_backup_long_term_retention_policies
-  - azure_sql_database_vulnerability_assessment_scans
-  - azure_sql_databases
-  - azure_sql_encryption_protectors
   - azure_sql_managed_instance_encryption_protectors
   - azure_sql_managed_instance_vulnerability_assessments
   - azure_sql_managed_instances
   - azure_sql_server_blob_auditing_policies
+  - azure_sql_server_database_long_term_retention_policies
+  - azure_sql_server_database_vulnerability_assessment_scans
+  - azure_sql_server_database_vulnerability_assessments
+  - azure_sql_server_databases
+  - azure_sql_server_encryption_protectors
+  - azure_sql_server_virtual_network_rules
   - azure_sql_server_vulnerability_assessments
   - azure_sql_servers
   - azure_sql_transparent_data_encryptions
-  - azure_sql_virtual_network_rules
   - azure_storage_accounts
   - azure_streamanalytics_streaming_jobs
-  - azure_subscriptions
-  - azure_subscriptions_locations
-  - azure_web_apps
-  - azure_web_vnet_connections
+  - azure_subscription_subscription_locations
+  - azure_subscription_subscriptions
 ```
 
 ### Queries
+
 Azure HIPAA HITRUST v9.2 performs the following checks:
   - MFA should be enabled on accounts with owner permissions on your subscription
   - MFA should be enabled on accounts with write permissions on your subscription
@@ -224,3 +229,11 @@ Azure HIPAA HITRUST v9.2 performs the following checks:
   - Audit virtual machines without disaster recovery configured.
   - Azure Key Vault Managed HSM should have purge protection enabled
   - Ensure the key vault is recoverable (Automated)
+
+### Dependent Views
+
+Azure HIPAA HITRUST v9.2 depends on the following views:
+
+  - view_azure_nsg_rules<sup>*</sup>
+
+  <sup>*</sup> This view is automatically created or updated by this policy.
