Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Describe the bug
When the mssql_managed_instance_vulnerability_assessment_enabled.sql statement is run as part of the control.mssql_managed_instance_vulnerability_assessment_enabled check, a false positive is returned due to the SQL statement incorrectly parsing the resulting JSON structure

Steampipe version (steampipe -v)
v0.9.1

Plugin version (steampipe plugin list)
Azure v0.20.0

To reproduce
Run the compliance check against a managed SQL instance that has periodic vulnerability scanning enabled.
The output will show an alarm and indicate that vulnerability scanning is disabled.

Expected behavior
The output should show the status as OK

Additional context

The SQL statement used to perform the check contains the following:

with vulnerability_assessments as (
  select
    distinct i.id as id
  from
    azure_mssql_managed_instance as i,
    jsonb_array_elements(vulnerability_assessments) a
    where
      a -> 'vulnerabilityAssessmentProperties' -> 'recurringScans' ->> 'isEnabled' = 'true'
      and a ->> 'name' = 'Default'
)

The returned JSON structure for an instance that has vulnerability scanning enabled is as follows:

{
     "id": "/subscriptions/[removed]
     "name": "Default",
     "type": "Microsoft.Sql/managedInstances/vulnerabilityAssessments"
     "recurringScans": {
         "emails": [
         ],
        "isEnabled": true,
         "emailSubscriptionAdmins": true
     },
     "storageContainerPath": "https://[removed].blob.core.windows.net/vulnerability-assessment/"
}

The vulnerabilityAssessmentProperties key does not exist in the returned structure and therefor line 8 of mssql_managed_instance_vulnerability_assessment_enabled.sql should be:

a -> 'recurringScans' ->> 'isEnabled' = 'true'

Is your feature request related to a problem? Please describe.
https://docs.microsoft.com/en-us/azure/governance/policy/samples/nist-sp-800-53-r5

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Is your feature request related to a problem? Please describe.
CIS section 1.1 to 1.23 benchmark and controls should have supporting documents.

Describe the solution you'd like
Add documents for section 1.1 to 1.23 benchmark and controls.

Describe alternatives you've considered
N/A

Additional context
N/A

Is your feature request related to a problem? Please describe.
CIS section 4.2.1 to 4.2.5 benchmark and controls should have supporting documents.

Describe the solution you'd like
Add documents for section 4.2.1 to 4.2.5 benchmark and controls.

Describe alternatives you've considered
N/A

Additional context
N/A

Is your feature request related to a problem? Please describe.
CIS section 2.1 to 2.15 benchmark and controls should have supporting documents.

Describe the solution you'd like
Add documents for section 2.1 to 2.15 benchmark and controls.

Describe alternatives you've considered
N/A

Additional context
N/A

Describe the bug
A clear and concise description of what the bug is.
The current queries are not checked against the provisioning_state, as when the provisioning_state either 'InProgress', 'Failed', 'Canceled', 'Deleting', then the control still alarm/ok

Steampipe version (steampipe -v)
Example: v0.12.1

Plugin version (steampipe plugin list)
Example: v0.23.2

To reproduce
Steps to reproduce the behavior (please include relevant code and/or commands).

Expected behavior
A clear and concise description of what you expected to happen.
We should skip those steps, as HD clusters remain in any of the failed states for a long time in the console, and this may create confusion. We should check provisioning_state = Succeeded to report the control ok/alarm rest can be skipped with the state info to be specific.

Additional context
Add any other context about the problem here.

Is your feature request related to a problem? Please describe.
CIS section 6 benchmark and controls should have supporting documents.

Describe the solution you'd like
Add documents for section 6 benchmark and controls.

Describe alternatives you've considered
N/A

Additional context
N/A

Is your feature request related to a problem? Please describe.
CIS section 5.1 & 5.2 benchmark and controls should have supporting documents.

Describe the solution you'd like
Add documents for section 5.1 & 5.2 benchmark and controls.

Describe alternatives you've considered
N/A

Additional context
N/A

Is your feature request related to a problem? Please describe.
Add Hippa Hitrust v9.2 compliance queries

Describe the solution you'd like
Queries to achieve the Hippa Hitrust compliance to be added.

Describe alternatives you've considered
N/A

Additional context
N/A

Is your feature request related to a problem? Please describe.
CIS section 9.1 to 9.11 benchmark and controls should have supporting documents.

Describe the solution you'd like
Add documents for section 9.1 to 9.11 benchmark and controls.

Describe alternatives you've considered
N/A

Additional context
N/A

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Is your feature request related to a problem? Please describe.
CIS section 1 typo fixes

Describe the solution you'd like
N/A

Describe alternatives you've considered
N/A

Additional context
N/A

Is your feature request related to a problem? Please describe.
N/A

Describe the solution you'd like
N/A

Describe alternatives you've considered
N/A

Additional context
N/A

In August 2022, CIS released a new version of their Azure benchmark:

• CIS Microsoft Azure Foundations Benchmark v1.5.0

I was surprised to see that the newly released CIS AWS 1.5.0 benchmark is already integrated in the AWS Compliance Mod.
Do you plan to integrate also the new CIS benchmark in the Azure Compliance Mod?

Is your feature request related to a problem? Please describe.
Add Hippa Hitrust v9.2 compliance queries

Describe the solution you'd like
Queries to achieve the Hippa Hitrust compliance to be added.

Describe alternatives you've considered
N/A

Additional context
N/A

Describe the bug
The site refers to another query.

To reproduce
Visit https://hub.steampipe.io/mods/turbot/azure_compliance/controls/control.network_security_group_udp_service_restricted?context=benchmark.nist_sp_800_53_rev_5/benchmark.nist_sp_800_53_rev_5_sc/benchmark.nist_sp_800_53_rev_5_sc_5
the query is pointed to https://github.com/turbot/steampipe-mod-azure-compliance/blob/v0.8/regulatory_compliance/network.sp#L90-L98

Expected behavior
A query for DDOS Protection Standard should be used.

Is your feature request related to a problem? Please describe.
CIS section 5.2 benchmark and controls should have supporting documents.

Describe the solution you'd like
Add documents for section 5.2 benchmark and controls.

Describe alternatives you've considered
N/A

Additional context
N/A

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Describe the bug
When the Kubernetes cluster has a whitelist of IP addresses and the steampipe tool is not whitelisted, the field "disk_encryption_set_id" from the table "azure_kubernetes_cluster" is null. In turn, the disks are encrypted, but steampipe is not whitelisted, which can lead to false positives.

Steampipe version (steampipe -v)
Example: v0.16.4

Plugin version (steampipe plugin list)
+--------------------------------------------------+---------+-------------+
| Name | Version | Connections |
+--------------------------------------------------+---------+-------------+
| hub.steampipe.io/plugins/turbot/aws@latest | 0.77.0 | aws |
| hub.steampipe.io/plugins/turbot/azure@latest | 0.32.0 | azure |
| hub.steampipe.io/plugins/turbot/azuread@latest | 0.6.0 | azuread |
| hub.steampipe.io/plugins/turbot/steampipe@latest | 0.5.0 | steampipe |
+--------------------------------------------------+---------+-------------+

To reproduce
Enforce IP whitelisting on Kubernetes clusters, do not whitelist the IP address of steampipe and encrypt the disks of Kubernetes cluster.

Expected behavior
[A clear and concise description of what you expected to happen.]
The control (https://hub.steampipe.io/mods/turbot/azure_compliance/queries/kubernetes_cluster_os_and_data_disks_encrypted_with_cmk) will mention that the Kubernetes cluster is not encrypted, which is not true.
I know that the easy solution is to whitelist steampipe, but maybe it is possible to provide a way to know if the "disk_encryption_set_id" is null because the Steampipe is not whitelisted or because there really is no encryption. Thank you for your time

Additional context
Add any other context about the problem here.
(https://hub.steampipe.io/mods/turbot/azure_compliance/queries/kubernetes_cluster_os_and_data_disks_encrypted_with_cmk)

Describe the bug
The resource column is currently active_directory, but we should have a better resource ID to use here. Also, we may need another column under Additional Dimensions too.

Steampipe version (steampipe -v)
v0.5.0

Plugin version (steampipe plugin list)
azure v0.7.0

To reproduce
Steps to reproduce the behavior (please include relevant code and/or commands).

Expected behavior
A clear and concise description of what you expected to happen.

Additional context
Add any other context about the problem here.

Update README image links.

Is your feature request related to a problem? Please describe.
CIS section 3 benchmark and controls should have supporting documents.

Describe the solution you'd like
Add documents for section 3 benchmark and controls.

Describe alternatives you've considered
N/A

Additional context
N/A

Is your feature request related to a problem? Please describe.
CIS section 7.1 to 7.7 benchmark and controls should have supporting documents.

Describe the solution you'd like
Add documents for section 7.1 to 7.7 benchmark and controls.

Describe alternatives you've considered
N/A

Additional context
N/A

Is your feature request related to a problem? Please describe.
CIS section 5.3 benchmark and controls should have supporting documents.

Describe the solution you'd like
Add documents for section 5.3 benchmark and controls.

Describe alternatives you've considered
N/A

Additional context
N/A

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Reference

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Is your feature request related to a problem? Please describe.
CIS section 8.1 to 8.5 benchmark and controls should have supporting documents.

Describe the solution you'd like
Add documents for section 8.1 to 8.5 benchmark and controls.

Describe alternatives you've considered
N/A

Additional context
N/A

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Describe the bug
A clear and concise description of what the bug is.

Steampipe version (steampipe -v)
Example: v0.3.0

Plugin version (steampipe plugin list)
Example: v0.5.0

To reproduce
Steps to reproduce the behavior (please include relevant code and/or commands).

Expected behavior
A clear and concise description of what you expected to happen.

Additional context
Add any other context about the problem here.

Is your feature request related to a problem? Please describe.
CIS section 4.1.1 to 4.1.3 benchmark and controls should have supporting documents.

Describe the solution you'd like
Add documents for section 4.1.1 to 4.1.3 benchmark and controls.

Describe alternatives you've considered
N/A

Additional context
N/A

All queries related to IAM in Azure compliance which uses the current Azure plugin queries will be migrated to the new azuread plugin.

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Describe the bug

The query sql_server_audting_retention_period_90 has a false positive alarm if the retention days are configured with 0.

The Azure portal shows for the Audit retention the following help text "The value in days of the retention period (0 is an indication for unlimited retention)."

This means, the Steampipe Mod Azure Compliance CIS benchmark would raise a false positive here.

Steampipe version
v0.14.1 / latest

Plugin version
v0.12 / latest

To reproduce

Set audit log retention of an Azure SQL server to 0 under https://portal.azure.com/#@<TENANT>/resource/subscriptions/<SUBSCRIPTION>/resourceGroups/<RES_GROUP>/providers/Microsoft.Sql/servers/<SQL_SERVER>/serverAuditing and a storage account to log the audit logs to and run the Steampipe Azure CIS benchmark Mod. It will raise it as alarm claiming the retention days are smaller than 90 days.

Expected behavior

Show check status should be OK.

Additional context

The following code should be changed to include a check for value 0:

https://github.com/turbot/steampipe-mod-azure-compliance/blob/v0.11/query/sql/sql_server_audting_retention_period_90.sql#L5

Is your feature request related to a problem? Please describe.
CIS section 5.1 benchmark and controls should have supporting documents.

Describe the solution you'd like
Add documents for section 5.1 benchmark and controls.

Describe alternatives you've considered
N/A

Additional context
N/A

Describe the bug
A clear and concise description of what the bug is.

iam_deprecated_account.sql
Steampipe version (steampipe -v)
Example: v0.3.0

Plugin version (steampipe plugin list)
Example: v0.5.0

To reproduce
Steps to reproduce the behavior (please include relevant code and/or commands).

Expected behavior
A clear and concise description of what you expected to happen.

Additional context
Add any other context about the problem here.

Is your feature request related to a problem? Please describe.
https://docs.microsoft.com/en-us/azure/governance/policy/samples/hipaa-hitrust-9-2

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Describe the bug
When Azure Network security group resource is created using terraform, the protocol property appears as Tcp as opposed to TCP. The query fails to work correctly for such network security groups.

Steampipe version (steampipe -v)
Example: v0.15.3

Plugin version (steampipe plugin list)
Example: v0.31.0

To reproduce

1. Create a network security group as mentioned in - https://github.com/bridgecrewio/terragoat/blob/master/terraform/azure/networking.tf#L69
2. Run the network_security_group_ssh_access_restricted query
3. The resource goes to the ok state instead of being in alarm state.

Expected behavior
The resource should go into an alarm state.

Additional context
Relevant slack thread - https://steampipe.slack.com/archives/C01UECB59A7/p1659035535637629?thread_ts=1659018318.301209&cid=C01UECB59A7

Similar issue exists in the following queries -

• network_security_group_rdp_access_restricted
• network_security_group_remote_access_restricted

Is your feature request related to a problem? Please describe.
CIS section 4.3.1 to 4.5 benchmark and controls should have supporting documents.

Describe the solution you'd like
Add documents for section 4.3.1 to 4.5 benchmark and controls.

Describe alternatives you've considered
N/A

Additional context
N/A

Is your feature request related to a problem? Please describe.
CIS section 2.1 to 2.15 benchmark and controls should have supporting documents.

Describe the solution you'd like
Add documents for section 2.1 to 2.15 benchmark and controls.

Describe alternatives you've considered
N/A

Additional context
N/A

Is your feature request related to a problem? Please describe.
Add Hippa Hitrust v9.2 compliance queries

Describe the solution you'd like
Queries to achieve the Hippa Hitrust compliance to be added.

Describe alternatives you've considered
N/A

Additional context
N/A