terraform.azure.best-practice.azure-monitor-log-profile-retention-days.azure-monitor-log-profile-retention-days
semgrep
Author
unknown
Ensure that Activity Log Retention is set 365 days or greater
Definition
# Semgrep rule for Terraform (HCL): reports every azurerm_monitor_log_profile
# resource unless its retention_policy block matches one of the two accepted
# shapes listed below. Activity log retention matters for incident response:
# events that have aged out cannot be used to reconstruct what happened.
rules:
- id: azure-monitor-log-profile-retention-days
  message: Ensure that Activity Log Retention is set 365 days or greater
  patterns:
  # The finding is anchored on the `resource` keyword; the pattern-inside
  # entry at the end of this list limits it to log profile resources.
  - pattern: resource
  # Accepted shape 1: retention enabled with days set to the literal 365.
  # NOTE(review): the pattern spells out `days = 365`, so a longer retention
  # (for example 730) does not appear to match this exclusion and would still
  # be reported, although the message says "365 days or greater". Confirm, and
  # consider comparing the days value numerically instead of matching a literal.
  - pattern-not-inside: |
      resource "azurerm_monitor_log_profile" "..." {
        ...
        retention_policy {
          ...
          enabled = true
          days = 365
          ...
        }
        ...
      }
  # Accepted shape 2: retention policy disabled with days = 0. In Azure a
  # retention of 0 days keeps activity log events indefinitely, so this also
  # satisfies the "365 days or greater" intent.
  - pattern-not-inside: |
      resource "azurerm_monitor_log_profile" "..." {
        ...
        retention_policy {
          ...
          enabled = false
          days = 0
          ...
        }
        ...
      }
  # Scope: only azurerm_monitor_log_profile resources are considered. A profile
  # with no retention_policy block at all matches neither exclusion above and
  # is therefore reported.
  - pattern-inside: |
      resource "azurerm_monitor_log_profile" "..." {
        ...
      }
  metadata:
    category: best-practice
    technology:
    - terraform
    - azure
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
  languages:
  - hcl
  # Reported as a warning, not an error.
  severity: WARNING
Examples
azure-monitor-log-profile-retention-days.tf
# fail
# Retention is enabled but only 7 days long, far below the 365-day minimum,
# so the rule is expected to report this resource.
# All four fixtures in this file reuse the address
# azurerm_monitor_log_profile.example; that is fine for a Semgrep test file,
# but Terraform itself would reject the duplicates within one module.
# ruleid: azure-monitor-log-profile-retention-days
resource "azurerm_monitor_log_profile" "example" {
  name = "default"
  categories = [
    "Action",
    "Delete",
    "Write",
  ]
  locations = [
    "westus",
    "global",
  ]
  retention_policy {
    enabled = true
    days = 7
  }
}
# fail
# No retention_policy block is declared, so neither accepted shape in the rule
# matches and the resource is expected to be reported.
# ruleid: azure-monitor-log-profile-retention-days
resource "azurerm_monitor_log_profile" "example" {
  name = "default"
  categories = [
    "Action",
    "Delete",
    "Write",
  ]
  locations = [
    "westus",
    "global",
  ]
}
# pass
# Retention policy disabled with days = 0: in Azure this keeps activity log
# events indefinitely, and the rule's second exclusion accepts exactly this shape.
resource "azurerm_monitor_log_profile" "example" {
  name = "default"
  categories = [
    "Action",
    "Delete",
    "Write",
  ]
  locations = [
    "westus",
    "global",
  ]
  retention_policy {
    enabled = false
    days = 0
  }
}
# pass
# Retention enabled with days = 365: exactly the value the rule's first
# exclusion spells out.
# NOTE(review): the fixtures contain no case with more than 365 days, so the
# "or greater" half of the rule message is not exercised here.
resource "azurerm_monitor_log_profile" "example" {
  name = "default"
  categories = [
    "Action",
    "Delete",
    "Write",
  ]
  locations = [
    "westus",
    "global",
  ]
  retention_policy {
    enabled = true
    days = 365
  }
}
Short Link: https://sg.run/x25z