feat(tf): Improve Azure provide

GeekMasher · GeekMasher · commit d1c1ce163240 · 2024-09-26T13:39:34.000+01:00
diff --git a/ql/lib/codeql/hcl/providers/Azure.qll b/ql/lib/codeql/hcl/providers/Azure.qll
@@ -109,6 +109,12 @@ module Azure {
      */
     override string getName() { result = this.getAttribute("name").(StringLiteral).getValue() }
 
+    /**
+     * Get the `allow_blob_public_access` property of the storage account. Only available
+     * for `azurerm` v2 and not v3 onwards.
+     * 
+     * https://github.com/hashicorp/terraform-provider-azurerm/blob/main/CHANGELOG-v3.md
+     */
     Expr getAllowBlobPublicAccess() {
       this.getProvider().getSemanticVersion().maybeBefore("3.0.0") and
       result = this.getAttribute("allow_blob_public_access")
@@ -121,43 +127,128 @@ module Azure {
      * https://github.com/hashicorp/terraform-provider-azurerm/blob/main/CHANGELOG-v3.md
      */
     boolean getAllowBlobPublicAccessValue() {
-      result = this.getAllowBlobPublicAccess().(BooleanLiteral).getBool()
+      exists(Expr e | e = this.getAllowBlobPublicAccess() | result = e.(BooleanLiteral).getBool())
       or
-      result = false
+      not exists(this.getAllowBlobPublicAccess()) and
+      result = true
     }
 
+    /**
+     * Get the `public_network_access_enabled` property of the storage account.
+     * 
+     * https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account.html#public_network_access_enabled
+     */
     Expr getEnableHttpsTrafficOnly() {
       result = this.getAttribute("enable_https_traffic_only")
     }
 
     /**
      * Get the `public_network_access_enabled` property of the storage account.
+     * 
+     * Defaults to `true`.
+     * 
+     * https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account.html#public_network_access_enabled
      */
     boolean getEnableHttpsTrafficOnlyValue() {
-      result = this.getEnableHttpsTrafficOnly().(BooleanLiteral).getBool()
+       exists(Expr e | e = this.getEnableHttpsTrafficOnly() | result = e.(BooleanLiteral).getBool())
+       or 
+      not exists(this.getEnableHttpsTrafficOnly()) and
+      result = true
     }
 
+    /**
+     * Get the `public_network_access_enabled` property of the storage account.
+     * 
+     * https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account.html#public_network_access_enabled
+     */
     Expr getPublicNetworkAccess() {
       result = this.getAttribute("public_network_access_enabled")
     }
 
     /**
      * Get the `public_network_access_enabled` property of the storage account.
+     * 
+     * Defaults to `true`.
+     * 
+     * https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account.html#public_network_access_enabled
      */
     boolean getPublicNetworkAccessValue() {
-      result = this.getPublicNetworkAccess().(BooleanLiteral).getBool()
+      exists(Expr e | e = this.getPublicNetworkAccess() | result = e.(BooleanLiteral).getBool())
+      or
+      not exists(this.getPublicNetworkAccess()) and
+      result = true
     }
 
+    /**
+     * Get the `allow_nested_items_to_be_public` property of the storage account.
+     * 
+     * Defaults to `true`
+     * 
+     * https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account.html#allow_nested_items_to_be_public
+     */
     Expr getAllowNestedItemsToBePublic() {
       result = this.getAttribute("allow_nested_items_to_be_public")
     }
 
     /**
      * Get the `allow_nested_items_to_be_public` property of the storage account.
+     * 
+     * Defaults to `true`
+     * 
+     * https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account.html#allow_nested_items_to_be_public
      */
     boolean getAllowNestedItemsToBePublicValue() {
-      result = this.getPublicNetworkAccess().(BooleanLiteral).getBool()
+      exists(Expr e | e = this.getAllowNestedItemsToBePublic() | result = e.(BooleanLiteral).getBool())
+      or
+      not exists(this.getAllowNestedItemsToBePublic()) and
+      result = true
     }
+
+    /**
+     * Get the `https_traffic_only_enabled` property of the storage account.
+     * 
+     * https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account.html#https_traffic_only_enabled
+     */
+    Expr getHttpsTrafficOnlyEnabled() {
+      result = this.getAttribute("https_traffic_only_enabled")
+    }
+
+    /**
+     * Get the `https_traffic_only_enabled` property of the storage account.
+     * 
+     * Defaults to `true`
+     * 
+     * https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account.html#https_traffic_only_enabled
+     */
+    boolean getHttpsTrafficOnlyEnabledValue() {
+      exists(Expr e | e = this.getHttpsTrafficOnlyEnabled() | result = e.(BooleanLiteral).getBool())
+      or
+      not exists(this.getHttpsTrafficOnlyEnabled()) and
+      result = true
+    }
+
+    /**
+     * Get the `min_tls_version` property of the storage account.
+     * 
+     * https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account.html#min_tls_version
+     */
+    Expr getMinTlsVersion() {
+      result = this.getAttribute("min_tls_version")
+    }
+
+    /**
+     * Get the `min_tls_version` property of the storage account.
+     * 
+     * Defaults to `TLS1_2`
+     * 
+     * https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account.html#min_tls_version
+     */
+      string getMinTlsVersionValue() {
+        exists(Expr e | e = this.getMinTlsVersion() | result = e.(StringLiteral).getValue())
+        or 
+        not exists(this.getMinTlsVersion()) and
+        result = "TLS1_2"
+      }
   }
 
   /**
