fix(azure): Improve query of CIS v1.3.0 Section 4.2.1 (#10362)

Aruneko · web-flow · commit 48138bed72ae · 2023-05-11T10:02:20.000Z
#### Summary
I noticed that the current query of CIS v1.3.0 Section 4.2.1 checks the ATP (Advanced Threat Protection) status by SQL databases. But the original document says that the we have to check the status by SQL Servers.

In addition, even though I have enabled the ATP settings on my Azure SQL Server, current query always returns `fails`, because the status is managed by not database level but server level.


To solve the problem, I have added a new table `azure_sql_server_advanced_threat_protection_settings` to store the status, and use the table to check the policy.
diff --git a/plugins/source/azure/docs/tables/README.md b/plugins/source/azure/docs/tables/README.md
@@ -278,6 +278,7 @@
   - [azure_sql_managed_instance_vulnerability_assessments](../../../../../website/tables/azure/azure_sql_managed_instance_vulnerability_assessments.md)
 - [azure_sql_servers](../../../../../website/tables/azure/azure_sql_servers.md)
   - [azure_sql_server_admins](../../../../../website/tables/azure/azure_sql_server_admins.md)
+  - [azure_sql_server_advanced_threat_protection_settings](../../../../../website/tables/azure/azure_sql_server_advanced_threat_protection_settings.md)
   - [azure_sql_server_blob_auditing_policies](../../../../../website/tables/azure/azure_sql_server_blob_auditing_policies.md)
   - [azure_sql_server_databases](../../../../../website/tables/azure/azure_sql_server_databases.md)
     - [azure_sql_server_database_blob_auditing_policies](../../../../../website/tables/azure/azure_sql_server_database_blob_auditing_policies.md)
diff --git a/plugins/source/azure/policies/queries/sql/atp_on_sql_server_disabled.sql b/plugins/source/azure/policies/queries/sql/atp_on_sql_server_disabled.sql
@@ -7,11 +7,8 @@ SELECT
   s.subscription_id,
   s.id AS server_id,
   case
-    when p.properties->>'state' is distinct from 'Enabled'
+    when atp.properties->>'state' is distinct from 'Enabled'
     then 'fail' else 'pass'
   end
 FROM azure_sql_servers s
-    LEFT JOIN azure_sql_server_databases d ON
-        s._cq_id = d._cq_parent_id
-    LEFT JOIN azure_sql_server_database_threat_protections p ON
-        d._cq_id = p._cq_parent_id
+    JOIN azure_sql_server_advanced_threat_protection_settings atp ON s._cq_id = atp._cq_parent_id
diff --git a/plugins/source/azure/resources/services/sql/server_advanced_threat_protection_settings.go b/plugins/source/azure/resources/services/sql/server_advanced_threat_protection_settings.go
@@ -0,0 +1,42 @@
+package sql
+
+import (
+	"context"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/sql/armsql"
+	"github.com/cloudquery/cloudquery/plugins/source/azure/client"
+	"github.com/cloudquery/plugin-sdk/v2/schema"
+	"github.com/cloudquery/plugin-sdk/v2/transformers"
+)
+
+func serverAdvancedThreatProtections() *schema.Table {
+	return &schema.Table{
+		Name:        "azure_sql_server_advanced_threat_protection_settings",
+		Resolver:    fetchServerAdvancedThreatProtections,
+		Description: "https://learn.microsoft.com/en-us/rest/api/sql/2021-11-01/server-advanced-threat-protection-settings/list-by-server?tabs=HTTP#advancedthreatprotectionstate",
+		Transform:   transformers.TransformWithStruct(&armsql.ServerAdvancedThreatProtection{}, transformers.WithPrimaryKeys("ID")),
+		Columns:     schema.ColumnList{client.SubscriptionID},
+	}
+}
+
+func fetchServerAdvancedThreatProtections(ctx context.Context, meta schema.ClientMeta, parent *schema.Resource, res chan<- any) error {
+	p := parent.Item.(*armsql.Server)
+	cl := meta.(*client.Client)
+	svc, err := armsql.NewServerAdvancedThreatProtectionSettingsClient(cl.SubscriptionId, cl.Creds, cl.Options)
+	if err != nil {
+		return err
+	}
+	group, err := client.ParseResourceGroup(*p.ID)
+	if err != nil {
+		return err
+	}
+	pager := svc.NewListByServerPager(group, *p.Name, nil)
+	for pager.More() {
+		p, err := pager.NextPage(ctx)
+		if err != nil {
+			return err
+		}
+		res <- p.Value
+	}
+	return nil
+}
diff --git a/plugins/source/azure/resources/services/sql/server_advanced_threat_protection_settings_mock_test.go b/plugins/source/azure/resources/services/sql/server_advanced_threat_protection_settings_mock_test.go
@@ -0,0 +1,33 @@
+package sql
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/sql/armsql"
+	"github.com/cloudquery/plugin-sdk/v2/faker"
+	"github.com/gorilla/mux"
+)
+
+func createServerAdvancedThreatProtectionSettings(router *mux.Router) error {
+	var item armsql.ServerAdvancedThreatProtectionSettingsClientListByServerResponse
+	if err := faker.FakeObject(&item); err != nil {
+		return err
+	}
+
+	emptyStr := ""
+	item.NextLink = &emptyStr
+
+	router.HandleFunc("/subscriptions/{subscriptionId}/resourceGroups/debug/providers/Microsoft.Sql/servers/test string/advancedThreatProtectionSettings", func(w http.ResponseWriter, r *http.Request) {
+		b, err := json.Marshal(&item)
+		if err != nil {
+			http.Error(w, "unable to marshal request: "+err.Error(), http.StatusBadRequest)
+			return
+		}
+		if _, err := w.Write(b); err != nil {
+			http.Error(w, "failed to write", http.StatusBadRequest)
+			return
+		}
+	})
+	return nil
+}
diff --git a/plugins/source/azure/resources/services/sql/servers.go b/plugins/source/azure/resources/services/sql/servers.go
@@ -25,6 +25,7 @@ func Servers() *schema.Table {
 			serverDatabases(),
 			virtualNetworkRules(),
 			serverSecurityAlertPolicies(),
+			serverAdvancedThreatProtections(),
 		},
 	}
 }
diff --git a/plugins/source/azure/resources/services/sql/servers_mock_test.go b/plugins/source/azure/resources/services/sql/servers_mock_test.go
@@ -51,6 +51,9 @@ func createServers(router *mux.Router) error {
 	if err := createMockServerSecurityAlertPolicies(router); err != nil {
 		return err
 	}
+	if err := createServerAdvancedThreatProtectionSettings(router); err != nil {
+		return err
+	}
 	return createDatabases(router)
 }
 
diff --git a/website/pages/docs/plugins/sources/azure/policies.md b/website/pages/docs/plugins/sources/azure/policies.md
@@ -25,9 +25,9 @@ tables:
   - azure_security_auto_provisioning_settings
   - azure_security_pricings
   - azure_sql_server_admins
+  - azure_sql_server_advanced_threat_protection_settings
   - azure_sql_server_blob_auditing_policies
   - azure_sql_server_database_blob_auditing_policies
-  - azure_sql_server_database_threat_protections
   - azure_sql_server_databases
   - azure_sql_server_encryption_protectors
   - azure_sql_server_vulnerability_assessments
diff --git a/website/pages/docs/plugins/sources/azure/tables.md b/website/pages/docs/plugins/sources/azure/tables.md
diff --git a/website/tables/azure/azure_sql_server_advanced_threat_protection_settings.md b/website/tables/azure/azure_sql_server_advanced_threat_protection_settings.md
@@ -0,0 +1,26 @@
+# Table: azure_sql_server_advanced_threat_protection_settings
+
+This table shows data for Azure SQL Server Advanced Threat Protection Settings.
+
+https://learn.microsoft.com/en-us/rest/api/sql/2021-11-01/server-advanced-threat-protection-settings/list-by-server?tabs=HTTP#advancedthreatprotectionstate
+
+The primary key for this table is **id**.
+
+## Relations
+
+This table depends on [azure_sql_servers](azure_sql_servers).
+
+## Columns
+
+| Name          | Type          |
+| ------------- | ------------- |
+|_cq_source_name|String|
+|_cq_sync_time|Timestamp|
+|_cq_id|UUID|
+|_cq_parent_id|UUID|
+|subscription_id|String|
+|properties|JSON|
+|id (PK)|String|
+|name|String|
+|system_data|JSON|
+|type|String|
diff --git a/website/tables/azure/azure_sql_servers.md b/website/tables/azure/azure_sql_servers.md
@@ -10,6 +10,7 @@ The primary key for this table is **id**.
 
 The following tables depend on azure_sql_servers:
   - [azure_sql_server_admins](azure_sql_server_admins)
+  - [azure_sql_server_advanced_threat_protection_settings](azure_sql_server_advanced_threat_protection_settings)
   - [azure_sql_server_blob_auditing_policies](azure_sql_server_blob_auditing_policies)
   - [azure_sql_server_databases](azure_sql_server_databases)
   - [azure_sql_server_encryption_protectors](azure_sql_server_encryption_protectors)

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,7 @@ func Servers() *schema.Table {`
`25`	`25`	`serverDatabases(),`
`26`	`26`	`virtualNetworkRules(),`
`27`	`27`	`serverSecurityAlertPolicies(),`
	`28`	`+ serverAdvancedThreatProtections(),`
`28`	`29`	`},`
`29`	`30`	`}`
`30`	`31`	`}`
Original file line number	Diff line number	Diff line change
`@@ -51,6 +51,9 @@ func createServers(router *mux.Router) error {`
`51`	`51`	`if err := createMockServerSecurityAlertPolicies(router); err != nil {`
`52`	`52`	`return err`
`53`	`53`	`}`
	`54`	`+ if err := createServerAdvancedThreatProtectionSettings(router); err != nil {`
	`55`	`+ return err`
	`56`	`+ }`
`54`	`57`	`return createDatabases(router)`
`55`	`58`	`}`
`56`	`59`