From f85f69a6ed7a731ec4c57f8a713d89d0b2f6ae23 Mon Sep 17 00:00:00 2001
From: Khushboo <46913995+khushboo9024@users.noreply.github.com>
Date: Thu, 2 Nov 2023 14:12:27 +0530
Subject: [PATCH 1/3] Update mod.sp to address deprecation warning closes #221 (#222)
---
 mod.sp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/mod.sp b/mod.sp
index 6987f441..a3fdef05 100644
--- a/mod.sp
+++ b/mod.sp
@@ -87,10 +87,10 @@ mod "azure_compliance" {
 require {
 plugin "azure" {
- version = "0.46.0"
+ min_version = "0.46.0"
 }
 plugin "azuread" {
- version = "0.0.3"
+ min_version = "0.0.3"
 }
 }
 }
From 1a8e756b05897d1f0d87ebcb98aabb19c1c01e20 Mon Sep 17 00:00:00 2001
From: Khushboo <46913995+khushboo9024@users.noreply.github.com>
Date: Fri, 3 Nov 2023 12:38:52 +0530
Subject: [PATCH 2/3] compute_vm_tcp_udp_access_restricted_internet fails to evaluate join condition closes #223 (#224)
---
 regulatory_compliance/compute.sp | 97 ++++++++++++++++++++++++--------
 1 file changed, 72 insertions(+), 25 deletions(-)
diff --git a/regulatory_compliance/compute.sp b/regulatory_compliance/compute.sp
index 5ba2720c..c1aee418 100644
--- a/regulatory_compliance/compute.sp
+++ b/regulatory_compliance/compute.sp
@@ -975,29 +975,47 @@ query "compute_vm_tcp_udp_access_restricted_internet" { sql = <<-EOQ with network_sg as ( select - distinct name as sg_name, + distinct id as sg_id, + subscription_id, network_interfaces from azure_network_security_group as nsg, jsonb_array_elements(security_rules) as sg, - jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange') :: jsonb) as dport, - jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb) as sip + jsonb_array_elements_text( + sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange') :: jsonb + ) as dport, + jsonb_array_elements_text( + sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb + ) as sip where sg -> 'properties' ->> 'access' = 'Allow' and sg -> 'properties' ->> 'direction' = 'Inbound' and sg -> 'properties' ->> 'protocol' in ('TCP', 'UDP') - and sip in ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + and sip in ( + '*', + '0.0.0.0', + '0.0.0.0/0', + 'Internet', + 'any', + '/0', + '/0' + ) and ( dport in ('22', '3389', '*') or ( dport like '%-%' and ( ( - 53 between split_part(dport, '-', 1) :: integer and split_part(dport, '-', 2) :: integer - or 123 between split_part(dport, '-', 1) :: integer and split_part(dport, '-', 2) :: integer - or 161 between split_part(dport, '-', 1) :: integer and split_part(dport, '-', 2) :: integer - or 389 between split_part(dport, '-', 1) :: integer and split_part(dport, '-', 2) :: integer - or 1900 between split_part(dport, '-', 1) :: integer and split_part(dport, '-', 2) :: integer + 53 between split_part(dport, '-', 1) :: integer + and split_part(dport, '-', 2) :: integer + or 123 between split_part(dport, '-', 1) :: integer + and split_part(dport, '-', 2) :: integer + or 161 between split_part(dport, '-', 1) :: integer + and 
split_part(dport, '-', 2) :: integer + or 389 between split_part(dport, '-', 1) :: integer + and split_part(dport, '-', 2) :: integer + or 1900 between split_part(dport, '-', 1) :: integer + and split_part(dport, '-', 2) :: integer ) or ( split_part(dport, '-', 1) :: integer <= 3389 
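Review bot: The `subscription_id` column newly projected in the `network_sg` CTE is not referenced by either of the new CTEs or the final select in the following hunk, so it can be dropped from the projection or its purpose noted in a comment. The reformatted `sip in (...)` list also still lists `'/0'` twice; the duplicate is harmless but reads like a leftover and one of the two entries can go. The enclosing `query` block starts before this hunk and continues into the next one.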
@@ -1010,24 +1028,53 @@ query "compute_vm_tcp_udp_access_restricted_internet" { ) ) ) - ) + ), network_security_group_subnets as ( select - vm.vm_id as resource, - case - when sg.sg_name is null then 'ok' - else 'alarm' - end as status, - case - when sg.sg_name is null then vm.title || ' restricts remote access from internet.' - else vm.title || ' allows remote access from internet.' - end as reason - ${local.tag_dimensions_sql} - ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "vm.")} - ${replace(local.common_dimensions_qualifier_subscription_sql, "__QUALIFIER__", "sub.")} + nsg.id as nsg_id, + sub ->> 'id' as subnet_id from - azure_compute_virtual_machine as vm - left join network_sg as sg on sg.network_interfaces @> vm.network_interfaces - join azure_subscription as sub on sub.subscription_id = vm.subscription_id; + azure_network_security_group as nsg, + jsonb_array_elements(nsg.subnets) as sub + where + nsg.id in (select sg_id from network_sg ) + ), + virtual_machines_with_access as ( + select + nic.virtual_machine_id as virtual_machine_id + from + azure_network_interface as nic, + jsonb_array_elements(nic.ip_configurations) as config + left join network_security_group_subnets as sub on config -> 'properties' -> 'subnet' ->> 'id' = sub.subnet_id + where + nic.virtual_machine_id is not null + and sub.nsg_id is not null + union + select + n.virtual_machine_id as virtual_machine_id + from + network_sg as nsg, + jsonb_array_elements(network_interfaces) as vm_nic + left join azure_network_interface as n on n.id = vm_nic ->> 'id' + ) + select + vm.id as resource, + case + when m.virtual_machine_id is not null then 'alarm' + else 'ok' + end as status, + case + when m.virtual_machine_id is not null then vm.title || ' restricts remote access from internet.' + else vm.title || ' allows remote access from internet.' 
+ end as reason,
+ vm.resource_group as resource_group,
+ sub.display_name as subscription
+ ${local.tag_dimensions_sql}
+ ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "vm.")}
+ ${replace(local.common_dimensions_qualifier_subscription_sql, "__QUALIFIER__", "sub.")}
+ from
+ azure_compute_virtual_machine as vm
+ left join virtual_machines_with_access as m on lower(m.virtual_machine_id) = lower(vm.id)
+ join azure_subscription as sub on sub.subscription_id = vm.subscription_id;
 EOQ
 }
From efce3f858c7f891bd4f8ab1d085140ce45dc3b1e Mon Sep 17 00:00:00 2001
From: Madhushree Ray
Date: Fri, 3 Nov 2023 15:07:57 +0530
Subject: [PATCH 3/3] Add CHANGELOG for v0.37 (#225)
---
 CHANGELOG.md | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 01db2d74..8e29699e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,13 @@
+## v0.37 [2023-11-03]
+
+_Breaking changes_
+
+- Updated the plugin dependency section of the mod to use `min_version` instead of `version`. ([#222](https://github.com/turbot/steampipe-mod-azure-compliance/pull/222))
+
+_Bug fixes_
+
+- Fixed the `compute_vm_tcp_udp_access_restricted_internet` query to ensure internet-facing virtual machines are protected with network security groups. ([#224](https://github.com/turbot/steampipe-mod-azure-compliance/pull/224))
+
 ## v0.36 [2023-10-20]
 
 _Bug fixes_
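Review bot: The `reason` column's branches are inverted relative to `status` in the final select of the `compute_vm_tcp_udp_access_restricted_internet` query: when `m.virtual_machine_id is not null` the status is `'alarm'` but the reason reads `vm.title || ' restricts remote access from internet.'`, while the `else` branch pairs `'ok'` with `' allows remote access from internet.'`, so every report row explains the opposite of its verdict. Swap the two strings so the text matches the status: `when m.virtual_machine_id is not null then vm.title || ' allows remote access from internet.'` and `else vm.title || ' restricts remote access from internet.'`. Separately, `virtual_machines_with_access` writes `left join network_security_group_subnets ... where sub.nsg_id is not null`, which is an inner join spelled the long way, and that subnet-id comparison is case-sensitive while the final join lowercases both virtual machine ids; it is worth confirming the ids from `ip_configurations` and `nsg.subnets` agree in case, or applying `lower()` there as well, since a case mismatch would silently drop a VM from the alarm set. The `query` block this hunk belongs to starts before it.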