feat(query): implements "Beta - VM Without Managed Disk"

[cx-andre-pereira]

Reason for Proposed Changes

• Currently there is no query to ensure that resources of type "azurerm_virtual_machine", "azurerm_linux_virtual_machine" and "azurerm_windows_virtual_machine" are utilizing Managed Disks.

• Quoting CIS_Microsoft_Azure_Compute_Services_Benchmark_v2.0.0 page 307: "Managed disks are by default encrypted on the underlying hardware, so no additional encryption is required for basic protection. It is available if additional encryption is required. Managed disks are by design more resilient that storage accounts. For ARM-deployed Virtual Machines, Azure Adviser will at some point recommend moving VHDs to managed disks both from a security and cost management perspective.".

Proposed Changes

• Implemented the missing query.

• The query will flag legacy "azurerm_virtual_machine" resources if :

  • They are missing the "storage_os_disk" field
  • They set the "vhd_uri" field (inside "storage_os_disk"), this field is used specifically for "Unmanaged OS Disk"
  • They set "storage_os_disk" without a "managed_disk_type" or "managed_disk_id" defined within

• For "azurerm_linux_virtual_machine" and "azurerm_windows_virtual_machine" resources it is simply checked that "os_managed_disk_id" field is undefined.

• Note - 2 queries that are also related to vm resources exist but both miss resources. The query "VM Not Attached To Network" only checks for "azurerm_virtual_machine" resources while the second query "Azure Instance Using Basic Authentication" checks for "azurerm_virtual_machine" and "azurerm_linux_virtual_machine" but does not check for "azurerm_windows_virtual_machine".

I submit this contribution under the Apache-2.0 license.

[github-actions]

KICS version: v2.1.13

Category Results CRITICAL 0 HIGH 0 MEDIUM 0 LOW 0 INFO 0 TRACE 0 TOTAL 0	Metric Values Files scanned 1 Files parsed 1 Files failed to scan 0 Total executed queries 47 Queries failed to execute 0 Execution time 0