in internal/scanners/psql/rules.go [15:105]
func (a *PostgreScanner) GetRecommendations() map[string]models.AzqrRecommendation {
return map[string]models.AzqrRecommendation{
"psql-001": {
RecommendationID: "psql-001",
ResourceType: "Microsoft.DBforPostgreSQL/servers",
Category: models.CategoryMonitoringAndAlerting,
Recommendation: "PostgreSQL should have diagnostic settings enabled",
Impact: models.ImpactLow,
Eval: func(target interface{}, scanContext *models.ScanContext) (bool, string) {
service := target.(*armpostgresql.Server)
_, ok := scanContext.DiagnosticsSettings[strings.ToLower(*service.ID)]
return !ok, ""
},
LearnMoreUrl: "https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-server-logs#resource-logs",
},
"psql-003": {
RecommendationID: "psql-003",
ResourceType: "Microsoft.DBforPostgreSQL/servers",
Category: models.CategoryHighAvailability,
Recommendation: "PostgreSQL should have a SLA",
RecommendationType: models.TypeSLA,
Impact: models.ImpactHigh,
Eval: func(target interface{}, scanContext *models.ScanContext) (bool, string) {
return false, "99.99%"
},
LearnMoreUrl: "https://www.azure.cn/en-us/support/sla/postgresql/",
},
"psql-004": {
RecommendationID: "psql-004",
ResourceType: "Microsoft.DBforPostgreSQL/servers",
Category: models.CategorySecurity,
Recommendation: "PostgreSQL should have private endpoints enabled",
Impact: models.ImpactHigh,
Eval: func(target interface{}, scanContext *models.ScanContext) (bool, string) {
i := target.(*armpostgresql.Server)
pe := len(i.Properties.PrivateEndpointConnections) > 0
return !pe, ""
},
LearnMoreUrl: "https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-data-access-and-security-private-link",
},
"psql-006": {
RecommendationID: "psql-006",
ResourceType: "Microsoft.DBforPostgreSQL/servers",
Category: models.CategoryGovernance,
Recommendation: "PostgreSQL Name should comply with naming conventions",
Impact: models.ImpactLow,
Eval: func(target interface{}, scanContext *models.ScanContext) (bool, string) {
c := target.(*armpostgresql.Server)
caf := strings.HasPrefix(*c.Name, "psql")
return !caf, ""
},
LearnMoreUrl: "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations",
},
"psql-007": {
RecommendationID: "psql-007",
ResourceType: "Microsoft.DBforPostgreSQL/servers",
Category: models.CategoryGovernance,
Recommendation: "PostgreSQL should have tags",
Impact: models.ImpactLow,
Eval: func(target interface{}, scanContext *models.ScanContext) (bool, string) {
c := target.(*armpostgresql.Server)
return len(c.Tags) == 0, ""
},
LearnMoreUrl: "https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json",
},
"psql-008": {
RecommendationID: "psql-008",
ResourceType: "Microsoft.DBforPostgreSQL/servers",
Category: models.CategorySecurity,
Recommendation: "PostgreSQL should enforce SSL",
Impact: models.ImpactHigh,
Eval: func(target interface{}, scanContext *models.ScanContext) (bool, string) {
c := target.(*armpostgresql.Server)
return c.Properties.SSLEnforcement == nil || *c.Properties.SSLEnforcement == armpostgresql.SSLEnforcementEnumDisabled, ""
},
LearnMoreUrl: "https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-ssl-connection-security#enforcing-tls-connections",
},
"psql-009": {
RecommendationID: "psql-009",
ResourceType: "Microsoft.DBforPostgreSQL/servers",
Category: models.CategorySecurity,
Recommendation: "PostgreSQL should enforce TLS >= 1.2",
Impact: models.ImpactLow,
Eval: func(target interface{}, scanContext *models.ScanContext) (bool, string) {
c := target.(*armpostgresql.Server)
return c.Properties.MinimalTLSVersion == nil || *c.Properties.MinimalTLSVersion != armpostgresql.MinimalTLSVersionEnumTLS12, ""
},
LearnMoreUrl: "https://learn.microsoft.com/en-us/azure/postgresql/single-server/how-to-tls-configurations",
},
}
}