🚀Launch Week 04, May 13th - 17th, 2024!🚀

Plugins Docs Home

turbot/terraform_azure_compliance

apimanagement_backend_uses_https apimanagement_service_client_certificate_enabled apimanagement_service_restrict_public_access apimanagement_service_uses_latest_tls_version apimanagement_service_with_virtual_network app_configuration_encryption_enabled app_configuration_local_auth_disabled app_configuration_purge_protection_enabled app_configuration_restrict_public_access app_configuration_sku_standard application_gateway_restrict_message_lookup_log4j2 application_gateway_use_secure_ssl_cipher application_gateway_uses_https_listener application_gateway_waf_enabled appservice_authentication_enabled appservice_azure_defender_enabled appservice_environment_internal_encryption_enabled appservice_environment_zone_redundant_enabled appservice_ftp_deployment_disabled appservice_function_app_builtin_logging_enabled appservice_function_app_client_certificates_on appservice_function_app_cors_no_star appservice_function_app_ftps_enabled appservice_function_app_latest_http_version appservice_function_app_latest_java_version appservice_function_app_latest_python_version appservice_function_app_latest_tls_version appservice_function_app_only_https_accessible appservice_function_app_public_access_disabled appservice_function_app_uses_managed_identity appservice_plan_minimum_sku appservice_plan_zone_redundant appservice_web_app_always_on appservice_web_app_client_certificates_on appservice_web_app_cors_no_star appservice_web_app_detailed_error_messages_enabled appservice_web_app_diagnostic_logs_enabled appservice_web_app_failed_request_tracing_enabled appservice_web_app_ftps_enabled appservice_web_app_health_check_enabled appservice_web_app_http_logs_enabled appservice_web_app_incoming_client_cert_on appservice_web_app_latest_dotnet_framework_version appservice_web_app_latest_http_version appservice_web_app_latest_java_version appservice_web_app_latest_php_version appservice_web_app_latest_python_version appservice_web_app_latest_tls_version appservice_web_app_public_access_disabled appservice_web_app_register_with_active_directory_enabled appservice_web_app_remote_debugging_disabled appservice_web_app_slot_latest_tls_version appservice_web_app_slot_remote_debugging_disabled appservice_web_app_slot_use_https appservice_web_app_use_https appservice_web_app_use_virtual_service_endpoint appservice_web_app_uses_azure_file appservice_web_app_uses_managed_identity appservice_web_app_worker_more_than_one automation_account_variables_encryption_enabled azure_redis_cache_in_virtual_network azure_redis_cache_ssl_enabled batch_account_encrypted_with_cmk batch_account_logging_enabled cdn_endpoint_custom_domain_uses_latest_tls_version cdn_endpoint_http_disabled cdn_endpoint_https_enabled cognitive_account_encrypted_with_cmk cognitive_account_public_network_access_disabled cognitive_account_restrict_public_access cognitive_service_local_auth_disabled compute_managed_disk_set_encryption_enabled compute_vm_allow_extension_operations_disabled compute_vm_and_scale_set_agent_installed compute_vm_and_scale_set_encryption_at_host_enabled compute_vm_and_scale_set_ssh_key_enabled_linux compute_vm_automatic_updates_enabled_windows compute_vm_disable_password_authentication compute_vm_disable_password_authentication_linux compute_vm_guest_configuration_installed compute_vm_guest_configuration_installed_linux compute_vm_guest_configuration_installed_windows compute_vm_malware_agent_installed compute_vm_scale_set_automatic_os_upgrade_enabled compute_vm_scale_set_disable_password_authentication_linux compute_vm_system_updates_installed compute_vm_uses_azure_resource_manager compute_vm_utilizing_managed_disk container_instance_container_group_in_virtual_network container_instance_container_group_secure_environment_variable container_registry_admin_user_disabled container_registry_anonymous_pull_disabled container_registry_azure_defender_enabled container_registry_encrypted_with_cmk container_registry_geo_replication_enabled container_registry_image_scan_enabled container_registry_public_network_access_disabled container_registry_quarantine_policy_enabled container_registry_restrict_public_access container_registry_retention_policy_enabled container_registry_trust_policy_enabled container_registry_use_virtual_service_endpoint container_registry_zone_redundant_enabled cosmodb_account_access_key_metadata_writes_disabled cosmodb_account_local_authentication_disabled cosmodb_account_public_network_access_disabled cosmodb_account_restrict_public_access cosmosdb_account_encryption_at_rest_using_cmk cosmosdb_account_with_firewall_rules cosmosdb_use_virtual_service_endpoint data_factory_encrypted_with_cmk data_factory_restrict_public_access data_factory_uses_git_repository databricks_workspace_restrict_public_access datalake_store_account_encryption_enabled dns_azure_defender_enabled eventgrid_domain_local_auth_disabled eventgrid_domain_restrict_public_access eventgrid_domain_uses_managed_identity eventgrid_topic_local_auth_disabled eventgrid_topic_restrict_public_access eventgrid_topic_uses_managed_identity eventhub_namespace_cmk_encryption_enabled eventhub_namespace_use_virtual_service_endpoint eventhub_namespace_uses_latest_tls_version eventhub_namespace_zone_redundant firewall_has_firewall_policy_set firewall_policy_intrusion_detection_mode_set_to_deny firewall_threat_intel_mode_set_to_deny frontdoor_firewall_policy_restrict_message_lookup_log4j2 frontdoor_waf_enabled healthcare_fhir_azure_api_encrypted_at_rest_with_cmk healthcare_fhir_public_network_access_disabled iam_no_custom_subscription_owner_roles_created iot_hub_logging_enabled iot_hub_restrict_public_access keyvault_azure_defender_enabled keyvault_key_expiration_set keyvault_logging_enabled keyvault_managed_hms_logging_enabled keyvault_managed_hms_purge_protection_enabled keyvault_purge_protection_enabled keyvault_secret_content_type_set keyvault_secret_expiration_set keyvault_vault_public_network_access_disabled keyvault_vault_use_virtual_service_endpoint kubernetes_azure_defender_enabled kubernetes_cluster_add_on_azure_policy_enabled kubernetes_cluster_authorized_ip_range_defined kubernetes_cluster_critical_pods_on_system_nodes kubernetes_cluster_key_vault_secret_rotation_enabled kubernetes_cluster_local_admin_disabled kubernetes_cluster_logging_enabled kubernetes_cluster_max_pod_50 kubernetes_cluster_network_policy_enabled kubernetes_cluster_node_pool_type_scale_set kubernetes_cluster_node_restrict_public_access kubernetes_cluster_os_and_data_disks_encrypted_with_cmk kubernetes_cluster_os_disk_ephemeral kubernetes_cluster_restrict_public_access kubernetes_cluster_sku_standard kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host kubernetes_cluster_upgrade_channel kubernetes_instance_rbac_enabled kusto_cluster_disk_encryption_enabled kusto_cluster_double_encryption_enabled kusto_cluster_encrypted_at_rest_with_cmk kusto_cluster_sku_with_sla kusto_cluster_uses_managed_identity logic_app_workflow_logging_enabled machine_learning_compute_cluster_local_auth_disabled machine_learning_compute_cluster_minimum_node_zero machine_learning_workspace_encrypted_with_cmk machine_learning_workspace_restrict_public_access mariadb_server_geo_redundant_backup_enabled mariadb_server_public_network_access_disabled mariadb_server_ssl_enabled monitor_log_profile_enabled_for_all_categories monitor_log_profile_enabled_for_all_regions monitor_log_profile_retention_365_days monitor_logs_storage_container_not_public_accessible mysql_db_server_geo_redundant_backup_enabled mysql_server_encrypted_at_rest_using_cmk mysql_server_infrastructure_encryption_enabled mysql_server_min_tls_1_2 mysql_server_public_network_access_disabled mysql_server_threat_detection_enabled mysql_ssl_enabled network_dns_server_2 network_interface_ip_forwarding_disabled network_security_group_http_access_restricted network_security_group_not_configured_gateway_subnets network_security_group_rdp_access_restricted network_security_group_ssh_access_restricted network_security_group_subnet_associated network_security_group_udp_access_restricted network_security_rule_http_access_restricted network_security_rule_rdp_access_restricted network_security_rule_ssh_access_restricted network_security_rule_udp_access_restricted network_virtual_network_dns_server_2 network_watcher_flow_log_retention_period_90_days postgres_db_flexible_server_geo_redundant_backup_enabled postgres_db_server_connection_throttling_on postgres_db_server_geo_redundant_backup_enabled postgres_db_server_latest_tls_version postgres_db_server_log_checkpoints_on postgres_db_server_log_connections_on postgres_db_server_log_disconnections_on postgres_db_server_log_retention_days_3 postgres_db_server_threat_detection_policy_enabled postgresql_server_encrypted_at_rest_using_cmk postgresql_server_infrastructure_encryption_enabled postgresql_server_public_network_access_disabled postgresql_ssl_enabled redis_cache_min_tls_1_2 redis_cache_restrict_public_access redis_cache_standard_replication_enabled resource_manager_azure_defender_enabled search_service_public_allowed_ip_restrict_public_access search_service_public_network_access_disabled search_service_replica_count_3 search_service_uses_managed_identity search_service_uses_sku_supporting_private_link securitycenter_automatic_provisioning_monitoring_agent_on securitycenter_azure_defender_on_for_appservice securitycenter_azure_defender_on_for_containerregistry securitycenter_azure_defender_on_for_k8s securitycenter_azure_defender_on_for_keyvault securitycenter_azure_defender_on_for_server securitycenter_azure_defender_on_for_sqldb securitycenter_azure_defender_on_for_sqlservervm securitycenter_azure_defender_on_for_storage securitycenter_contact_number_configured securitycenter_email_configured securitycenter_notify_alerts_configured securitycenter_security_alerts_to_owner_enabled securitycenter_uses_standard_pricing_tier service_bus_namespace_encrypted_with_cmk service_bus_namespace_infrastructure_encryption_enabled service_bus_namespace_latest_tls_version service_bus_namespace_local_auth_disabled service_bus_namespace_restrict_public_access service_bus_namespace_uses_managed_identity servicefabric_cluster_active_directory_authentication_enabled servicefabric_cluster_protection_level_as_encrypt_and_sign signalr_services_uses_paid_sku spring_cloud_api_https_only_enabled spring_cloud_api_restrict_public_access spring_cloud_service_network_injection_enabled sql_database_allow_internet_access sql_database_ledger_enabled sql_database_log_monitoring_enabled sql_database_long_term_geo_redundant_backup_enabled sql_database_server_azure_defender_enabled sql_database_zone_redundant_enabled sql_db_active_directory_admin_configured sql_db_public_network_access_disabled sql_server_admins_email_security_alert_enabled sql_server_all_security_alerts_enabled sql_server_atp_enabled sql_server_auditing_storage_account_destination_retention_90_days sql_server_audting_retention_period_90 sql_server_azure_ad_authentication_enabled sql_server_email_security_alert_enabled sql_server_uses_latest_tls_version sql_server_vm_azure_defender_enabled storage_account_blob_containers_public_access_private storage_account_blob_service_logging_enabled storage_account_block_public_access storage_account_default_network_access_rule_denied storage_account_encryption_at_rest_using_cmk storage_account_encryption_scopes_encrypted_at_rest_with_cmk storage_account_infrastructure_encryption_enabled storage_account_queue_services_logging_enabled storage_account_replication_type_set storage_account_restrict_network_access storage_account_secure_transfer_required_enabled storage_account_trusted_microsoft_services_enabled storage_account_use_virtual_service_endpoint storage_account_uses_azure_resource_manager storage_account_uses_latest_minimum_tls_version storage_account_uses_private_link storage_azure_defender_enabled storage_container_restrict_public_access storage_sync_private_link_used synapse_workspace_data_exfiltration_protection_enabled synapse_workspace_encryption_at_rest_using_cmk synapse_workspace_private_link_used web_pubsub_sku_with_sla web_pubsub_uses_managed_identity

Query: mysql_server_encrypted_at_rest_using_cmk

Usage

powerpipe query terraform_azure_compliance.query.mysql_server_encrypted_at_rest_using_cmk

Steampipe Tables

terraform_resource

Terraform plugin

SQL

with mysql_server as (
  select
    *
  from
    terraform_resource
  where
    type = 'azurerm_mysql_server'
),
server_keys as (
  select
    *
  from
    terraform_resource
  where
    type = 'azurerm_mysql_server_key'
    and (attributes_std -> 'key_vault_key_id') is not null
)
select
  a.address as resource,
  case
    when (s.attributes_std ->> 'server_id') is not null then 'ok'
    else 'alarm'
  end as status,
  split_part(a.address, '.', 2) || case
    when (s.attributes_std ->> 'server_id') is not null then ' encrypted with CMK'
    else ' not encrypted with CMK'
  end || '.' reason,
  a.path || ':' || a.start_line
from
  mysql_server as a
  left join server_keys as s on a.name = (
    split_part((s.attributes_std ->> 'server_id'), '.', 2)
  );

Controls

The query is being used by the following controls:

MySQL servers should use customer-managed keys to encrypt data at rest