terraform.azure.best-practice.azure-monitor-log-profile-categories.azure-monitor-log-profile-categories
semgrep
Author: unknown
Ensure audit profile captures all the activities
Definition
rules:
  - id: azure-monitor-log-profile-categories
    message: Ensure audit profile captures all the activities
    patterns:
      - pattern: resource
      - pattern-not-inside: |
          resource "azurerm_monitor_log_profile" "..." {
            ...
            categories = [
              "Action",
              "Delete",
              "Write",
            ]
            ...
          }
      - pattern-inside: |
          resource "azurerm_monitor_log_profile" "..." {
            ...
          }
    metadata:
      category: best-practice
      technology:
        - terraform
        - azure
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - hcl
    severity: WARNING
Examples
azure-monitor-log-profile-categories.tf
# fail
# ruleid: azure-monitor-log-profile-categories
resource "azurerm_monitor_log_profile" "example" {
  name = "default"
  categories = [
    "Action"
  ]
  locations = [
    "westus",
    "global",
  ]
  retention_policy {
    enabled = true
    days    = 7
  }
}

# fail
# ruleid: azure-monitor-log-profile-categories
resource "azurerm_monitor_log_profile" "example" {
  name = "default"
  locations = [
    "westus",
    "global",
  ]
  retention_policy {
    enabled = false
    days    = 0
  }
}

# fail
# ruleid: azure-monitor-log-profile-categories
resource "azurerm_monitor_log_profile" "example" {
  name = "default"
  categories = []
  locations = [
    "westus",
    "global",
  ]
  retention_policy {
    enabled = false
    days    = 0
  }
}

# pass
resource "azurerm_monitor_log_profile" "example" {
  name = "default"
  categories = [
    "Action",
    "Delete",
    "Write",
  ]
  locations = [
    "westus",
    "global",
  ]
  retention_policy {
    enabled = true
    days    = 365
  }
}
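The check the rule encodes, written out as an added standalone Python script (not part of the Semgrep rule or this registry page): it scans Terraform text for azurerm_monitor_log_profile blocks and reports any whose categories list does not cover Action, Delete and Write. It uses a small brace-matching scanner and regular expressions instead of a real HCL parser, so it is an illustration of the detection logic rather than a replacement for running Semgrep; unlike the literal pattern in the rule above, it treats the categories as an unordered set and tolerates extra entries. The HCL in SAMPLE_HCL is constructed for this example and the resource names in it (partial, absent, empty, complete) are made up; it covers the same three failing shapes as the page's examples (partial list, attribute absent, empty list) plus a passing block with the three categories in a different order.

```python
import re

# Categories the rule requires an azurerm_monitor_log_profile to capture.
REQUIRED_CATEGORIES = frozenset({"Action", "Delete", "Write"})

# Header of a log-profile resource block; group 1 is the resource name.
_RESOURCE_HEADER = re.compile(
    r'resource\s+"azurerm_monitor_log_profile"\s+"([^"]+)"\s*\{'
)
# The categories attribute and the raw text inside its square brackets.
_CATEGORIES_ATTR = re.compile(r"\bcategories\s*=\s*\[(.*?)\]", re.DOTALL)
_STRING = re.compile(r'"([^"]*)"')


def _block_body(text, open_brace):
    """Return the text between the brace at open_brace and its matching close,
    so nested blocks such as retention_policy stay inside the resource body."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1 : i]
    raise ValueError("unbalanced braces in HCL input")


def log_profile_findings(hcl):
    """Return a list of (resource name, sorted missing categories) for every
    azurerm_monitor_log_profile whose categories do not cover REQUIRED_CATEGORIES.
    A missing attribute and an empty list both count as nothing declared."""
    findings = []
    for header in _RESOURCE_HEADER.finditer(hcl):
        body = _block_body(hcl, header.end() - 1)
        attr = _CATEGORIES_ATTR.search(body)
        declared = set(_STRING.findall(attr.group(1))) if attr else set()
        missing = REQUIRED_CATEGORIES - declared
        if missing:
            findings.append((header.group(1), sorted(missing)))
    return findings


# Constructed sample input (hypothetical resource names, not from the page).
SAMPLE_HCL = """
resource "azurerm_monitor_log_profile" "partial" {
  name       = "default"
  categories = ["Action"]
  locations  = ["westus", "global"]
  retention_policy {
    enabled = true
    days    = 7
  }
}

resource "azurerm_monitor_log_profile" "absent" {
  name      = "default"
  locations = ["westus", "global"]
  retention_policy {
    enabled = false
    days    = 0
  }
}

resource "azurerm_monitor_log_profile" "empty" {
  name       = "default"
  categories = []
  locations  = ["westus", "global"]
}

resource "azurerm_monitor_log_profile" "complete" {
  name       = "default"
  categories = ["Write", "Action", "Delete"]
  locations  = ["westus", "global"]
  retention_policy {
    enabled = true
    days    = 365
  }
}
"""

if __name__ == "__main__":
    for name, missing in log_profile_findings(SAMPLE_HCL):
        print(f'azurerm_monitor_log_profile "{name}" is missing: {", ".join(missing)}')
```

Run against SAMPLE_HCL it reports the partial, absent and empty profiles and stays silent on the complete one, which is the same verdict the rule gives the page's three failing and one passing examples.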
Short Link: https://sg.run/w2JY