Turbot Guardrails Hub 
Hub
Policy Packs
Azure CIS v2.0.0 - Section 5 - Logging and Monitoring
Overview
9
Policy Settings
0
Variables
DevelopersGithub

Policy Setting: Azure > Network Watcher > Flow Log > Approved > Custom

Policies

This policy setting is dependent on the following policy types:

Source

resource "turbot_policy_setting" "azure_networkwatcher_flowlog_approved_custom" {
  resource = turbot_policy_pack.main.id
  type     = "tmod:@turbot/azure-networkwatcher#/policy/types/flowLogApprovedCustom"
  note     = "Azure CIS v2.0.0 - Control: 5.1.6"


  template_input = <<-EOT
    {
      flowLog {
        logAnalyticsEnabled: get(path: "flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled")
        targetResourceId: get(path: "targetResourceId")
      }
    }
  EOT
  template       = <<-EOT
    {%- if $.flowLog.logAnalyticsEnabled and "networkSecurityGroups" in $.flowLog.targetResourceId -%}


      {%- set data = {
          "title": "Flow Logging to Log Analytics",
          "result": "Approved",
          "message": "Flow logs are captured and sent to Log Analytics"
      } -%}


    {%- elif not $.flowLog.logAnalyticsEnabled or $.flowLog.targetResourceId == "" or $.flowLog.targetResourceId == null -%}


      {%- set data = {
          "title": "Flow Logging to Log Analytics",
          "result": "Not approved",
          "message": "Flow logs are not captured and sent to Log Analytics"
      } -%}


    {%- else -%}


      {%- set data = {
          "title": "Flow Logging to Log Analytics",
          "result": "Skip",
          "message": "No data for flow log yet"
      } -%}


    {%- endif -%}


    {{ data | json }}
  EOT
}