feat(bicep): Add bicep version of policy (#6191)

* Add bicep version of policy

* Add test

* Fix test

* Update expected.yaml

checkov/bicep/checks/graph_checks/SQLServerAuditingRetention90Days.yaml

@@ -0,0 +1,34 @@
+metadata:
+  id: "CKV_AZURE_24"
+  name: "Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers"
+  category: "LOGGING"
+definition:
+  and:
+    - cond_type: "filter"
+      attribute: "resource_type"
+      value:
+        - "Microsoft.Sql/servers"
+      operator: "within"
+    - cond_type: "connection"
+      resource_types:
+        - "Microsoft.Sql/servers"
+      connected_resource_types:
+        - "Microsoft.Sql/servers/auditingSettings"
+      operator: "exists"
+    - cond_type: "attribute"
+      resource_types:
+        - "Microsoft.Sql/servers/auditingSettings"
+      attribute: "properties.retentionDays"
+      operator: "exists"
+    - cond_type: "attribute"
+      resource_types:
+        - "Microsoft.Sql/servers/auditingSettings"
+      attribute: "properties.retentionDays"
+      operator: "greater_than_or_equal"
+      value: 90
+    - cond_type: "attribute"
+      resource_types:
+        - "Microsoft.Sql/servers/auditingSettings"
+      attribute: "properties.state"
+      operator: "equals"
+      value: Enabled

tests/bicep/graph/checks/resources/SQLServerAuditingRetention90Days/expected.yaml

@@ -0,0 +1,10 @@
+pass:
+  - 'Microsoft.Sql/servers.sqlServer_pass'
+fail:
+  - 'Microsoft.Sql/servers.sqlServer_fail1'
+  - 'Microsoft.Sql/servers.sqlServer_fail2'
+  - 'Microsoft.Sql/servers.sqlServer_fail3'
+evaluated_keys:
+  - 'properties/retentionDays'
+  - 'properties/state'
+  - 'resource_type'

tests/bicep/graph/checks/resources/SQLServerAuditingRetention90Days/fail1_less_90.bicep

@@ -0,0 +1,15 @@
+resource sqlServer_fail1 'Microsoft.Sql/servers@2023-05-01-preview' = {  
+  name: sqlServerName
+}
+
+/// SQL Auditing
+
+resource sql_auditing_fail1 'Microsoft.Sql/servers/auditingSettings@2023-05-01-preview' = {
+  name: 'default'
+  parent: sqlServer_fail1
+  properties: {
+    isAzureMonitorTargetEnabled: true
+    retentionDays: 67
+    state: 'Enabled'
+  }
+}

tests/bicep/graph/checks/resources/SQLServerAuditingRetention90Days/fail2_no_auditsettings.bicep

@@ -0,0 +1,5 @@
+resource sqlServer_fail2 'Microsoft.Sql/servers@2023-05-01-preview' = {  
+  name: sqlServerName
+}
+
+/// No SQL Audit Settings

tests/bicep/graph/checks/resources/SQLServerAuditingRetention90Days/fail3_not_enabled.bicep

@@ -0,0 +1,15 @@
+resource sqlServer_fail3 'Microsoft.Sql/servers@2023-05-01-preview' = {  
+  name: sqlServerName
+}
+
+/// SQL Auditing
+
+resource sql_auditing_fail3 'Microsoft.Sql/servers/auditingSettings@2023-05-01-preview' = {
+  name: 'default'
+  parent: sqlServer_fail3
+  properties: {
+    isAzureMonitorTargetEnabled: true
+    retentionDays: 92
+    state: 'Disabled'
+  }
+}

tests/bicep/graph/checks/resources/SQLServerAuditingRetention90Days/pass1.bicep

@@ -0,0 +1,15 @@
+resource sqlServer_pass 'Microsoft.Sql/servers@2023-05-01-preview' = {  
+  name: sqlServerName
+}
+
+/// SQL Auditing
+
+resource sql_auditing_pass 'Microsoft.Sql/servers/auditingSettings@2023-05-01-preview' = {
+  name: 'default'
+  parent: sqlServer_pass
+  properties: {
+    isAzureMonitorTargetEnabled: true
+    retentionDays: 92
+    state: 'Enabled'
+  }
+}

tests/bicep/graph/checks/test_yaml_policies.py

@@ -36,6 +36,9 @@ def setUp(self) -> None:
     def test_SQLServerAuditingEnabled(self):
         self.go("SQLServerAuditingEnabled")
 
+    def test_SQLServerAuditingRetention90Days(self):
+        self.go("SQLServerAuditingRetention90Days")
+
     def test_registry_load(self):
         registry = self.get_checks_registry()
         self.assertGreater(len(registry.checks), 0)