Skip to content

fix(query): fix fp for dynamic network_rules for Trusted Microsoft Services Not Enabled #7522

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
cx-ricardo-jesus wants to merge 15 commits into
base: master
Choose a base branch
from
Draft

fix(query): fix fp for dynamic network_rules for Trusted Microsoft Services Not Enabled #7522

cx-ricardo-jesus wants to merge 15 commits into from

Conversation

@cx-ricardo-jesus
Copy link
Contributor

@cx-ricardo-jesus cx-ricardo-jesus commented Jul 7, 2025

Closes #

Reason for Proposed Changes

  • The current query incorrectly flags a false positive when network_rules are defined using a dynamic block in Terraform.
  • This happens because the query only checks for the presence of the network_rules key at the static level, and does not account for cases where the dynamic keywork is used.

Proposed Changes

  • Updated the query to include checks for the presence of the network_rules key inside the dynamic block, using: not common_lib.valid_key(resource.dynamic, "network_rules").
  • Added a validation path or the network_rules.bypass inside dynamic.network_rules.content, mirroring the logic already applied to the static structure.
  • Ensure that the verification that the bypass field should contain 'AzureServices' is performed even when this attribute is part of a dynamic block.
  • Preserved existing logic for the resource azurerm_storage_account_network_rules, which is a separate resource.

I submit this contribution under the Apache-2.0 license.

@cx-ricardo-jesus cx-ricardo-jesus requested a review from a team as a code owner July 7, 2025 20:38
@github-actions github-actions bot added community Community contribution query New query feature terraform Terraform query labels Jul 7, 2025
cx-artur-ribeiro
cx-artur-ribeiro requested changes Jul 9, 2025
View reviewed changes
Copy link
Contributor

@cx-artur-ribeiro cx-artur-ribeiro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey Ricardo,
First of all, nice job tackling different available options for terraform azure instances!

Can you check my comments and see if you agree, please?
Thanks!

cx-artur-ribeiro
cx-artur-ribeiro requested changes Jul 14, 2025
View reviewed changes
Copy link
Contributor

@cx-artur-ribeiro cx-artur-ribeiro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey Ricardo, take a look at my comments please.

cx-eduardo-semanas
cx-eduardo-semanas approved these changes Jul 14, 2025
View reviewed changes
Copy link
Contributor

@cx-eduardo-semanas cx-eduardo-semanas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@cx-ricardo-jesus cx-ricardo-jesus marked this pull request as draft July 16, 2025 08:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cx-eduardo-semanas cx-eduardo-semanas cx-eduardo-semanas approved these changes

@cx-artur-ribeiro cx-artur-ribeiro Awaiting requested review from cx-artur-ribeiro

Requested changes must be addressed to merge this pull request.

Assignees

@cx-ricardo-jesus cx-ricardo-jesus

Labels

community Community contribution query New query feature terraform Terraform query

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@cx-ricardo-jesus @cx-eduardo-semanas @cx-artur-ribeiro @cx-andre-pereira