feat: add prevent-custom-role-creation check (#471)

* add prevent-custom-role-creation check

* turn actions into a set

* implemented feedback

* fix lint

* Empty commit

* Update checks/cloud/azure/authorization/prevent_custom_role_creation.rego

Co-authored-by: simar7 <[email protected]>

---------

Co-authored-by: simar7 <[email protected]>

Author: yagreut

avd_docs/azure/authorization/AZU-0052/Terraform.md

@@ -0,0 +1,30 @@
+
+Avoid granting 'Microsoft.Authorization/roleDefinitions/write' permission in custom roles. Restrict role creation capability to core admins only.
+
+```hcl
+data "azurerm_subscription" "primary" {
+}
+
+resource "azurerm_role_definition" "example" {
+  name        = "my-custom-role"
+  scope       = data.azurerm_subscription.primary.id
+  description = "This is a custom role created via Terraform"
+
+  permissions {
+    actions = [
+      "Microsoft.Authorization/roleDefinitions/read",
+      "Microsoft.Resources/subscriptions/resourceGroups/read",
+      "Microsoft.Storage/storageAccounts/read"
+    ]
+    not_actions = []
+  }
+
+  assignable_scopes = [
+    data.azurerm_subscription.primary.id,
+  ]
+}
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition#actions
+

avd_docs/azure/authorization/AZU-0052/docs.md

@@ -0,0 +1,14 @@
+
+Allowing custom roles to include 'roleDefinitions/write' enables privilege escalation. A user could define or alter roles to gain excessive permissions.
+
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition#actions
+
+

checks/cloud/azure/authorization/prevent_custom_role_creation.rego

@@ -0,0 +1,46 @@
+# METADATA
+# title: Role Definition Allows Custom Role Creation
+# description: |
+#   Allowing custom roles to include 'roleDefinitions/write' enables privilege escalation. A user could define or alter roles to gain excessive permissions.
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition#actions
+# custom:
+#   id: AZU-0052
+#   aliases:
+#     - AVD-AZU-0052
+#     - azure-role-definition-allows-custom-role-creation
+#   long_id: azure-authorization-prevent-custom-role-creation
+#   provider: azure
+#   service: authorization
+#   severity: MEDIUM
+#   recommended_action: Avoid granting 'Microsoft.Authorization/roleDefinitions/write' permission in custom roles. Restrict role creation capability to core admins only.
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: authorization
+#             provider: azure
+#   examples: checks/cloud/azure/authorization/prevent_custom_role_creation.yaml
+package builtin.azure.authorization.azure0052
+
+import rego.v1
+
+deny contains res if {
+	some roledef in input.azure.authorization.roledefinitions
+	isManaged(roledef)
+	some action in roledef.permissions[_].actions
+	allows_custom_role_creation(action.value)
+	res := result.new(
+		"Role definition allows custom role creation via 'Microsoft.Authorization/roleDefinitions/write' permission.",
+		action,
+	)
+}
+
+dangerous_actions := {"Microsoft.Authorization/roleDefinitions/write", "Microsoft.Authorization/*/Write", "Microsoft.Authorization/*", "*"}
+
+allows_custom_role_creation(action_value) if {
+	action_value in dangerous_actions
+}

checks/cloud/azure/authorization/prevent_custom_role_creation.yaml

@@ -0,0 +1,87 @@
+terraform:
+  links:
+    - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition#actions
+  good:
+    - |-
+      data "azurerm_subscription" "primary" {
+      }
+
+      resource "azurerm_role_definition" "example" {
+        name        = "my-custom-role"
+        scope       = data.azurerm_subscription.primary.id
+        description = "This is a custom role created via Terraform"
+
+        permissions {
+          actions = [
+            "Microsoft.Authorization/roleDefinitions/read",
+            "Microsoft.Resources/subscriptions/resourceGroups/read",
+            "Microsoft.Storage/storageAccounts/read"
+          ]
+          not_actions = []
+        }
+
+        assignable_scopes = [
+          data.azurerm_subscription.primary.id,
+        ]
+      }
+  bad:
+    - |-
+      data "azurerm_subscription" "primary" {
+      }
+
+      resource "azurerm_role_definition" "example" {
+        name        = "my-custom-role"
+        scope       = data.azurerm_subscription.primary.id
+        description = "This is a custom role created via Terraform"
+
+        permissions {
+          actions = [
+            "Microsoft.Authorization/roleDefinitions/write"
+          ]
+          not_actions = []
+        }
+
+        assignable_scopes = [
+          data.azurerm_subscription.primary.id,
+        ]
+      }
+    - |-
+      data "azurerm_subscription" "primary" {
+      }
+
+      resource "azurerm_role_definition" "example" {
+        name        = "my-custom-role"
+        scope       = data.azurerm_subscription.primary.id
+        description = "This is a custom role created via Terraform"
+
+        permissions {
+          actions = [
+            "Microsoft.Authorization/*"
+          ]
+          not_actions = []
+        }
+
+        assignable_scopes = [
+          data.azurerm_subscription.primary.id,
+        ]
+      }
+    - |-
+      data "azurerm_subscription" "primary" {
+      }
+
+      resource "azurerm_role_definition" "example" {
+        name        = "my-custom-role"
+        scope       = data.azurerm_subscription.primary.id
+        description = "This is a custom role created via Terraform"
+
+        permissions {
+          actions = [
+            "*"
+          ]
+          not_actions = []
+        }
+
+        assignable_scopes = [
+          data.azurerm_subscription.primary.id,
+        ]
+      }

checks/cloud/azure/authorization/prevent_custom_role_creation_test.rego

@@ -0,0 +1,57 @@
+package builtin.azure.authorization.azure0052_test
+
+import rego.v1
+
+import data.builtin.azure.authorization.azure0052 as check
+
+test_deny_role_with_explicit_roleDefinitions_write if {
+	inp := build_input({"permissions": [{"actions": [{"value": "Microsoft.Authorization/roleDefinitions/write"}]}]})
+	res := check.deny with input as inp
+	count(res) == 1
+}
+
+test_deny_role_with_authorization_wildcard if {
+	inp := build_input({"permissions": [{"actions": [{"value": "Microsoft.Authorization/*"}]}]})
+	res := check.deny with input as inp
+	count(res) == 1
+}
+
+test_deny_role_with_full_wildcard if {
+	inp := build_input({"permissions": [{"actions": [{"value": "*"}]}]})
+	res := check.deny with input as inp
+	count(res) == 1
+}
+
+test_allow_role_with_specific_read_permission if {
+	inp := build_input({"permissions": [{"actions": [{"value": "Microsoft.Authorization/roleDefinitions/read"}]}]})
+	res := check.deny with input as inp
+	res == set()
+}
+
+test_allow_role_with_other_permissions if {
+	inp := build_input({"permissions": [{"actions": [{"value": "Microsoft.Resources/subscriptions/resourceGroups/read"}]}]})
+	res := check.deny with input as inp
+	res == set()
+}
+
+test_allow_role_with_multiple_safe_permissions if {
+	inp := build_input({"permissions": [{"actions": [
+		{"value": "Microsoft.Authorization/roleDefinitions/read"},
+		{"value": "Microsoft.Resources/subscriptions/resourceGroups/read"},
+		{"value": "Microsoft.Storage/storageAccounts/read"},
+	]}]})
+	res := check.deny with input as inp
+	res == set()
+}
+
+test_deny_role_with_mixed_permissions_including_dangerous if {
+	inp := build_input({"permissions": [{"actions": [
+		{"value": "Microsoft.Authorization/roleDefinitions/read"},
+		{"value": "Microsoft.Authorization/roleDefinitions/write"},
+		{"value": "Microsoft.Resources/subscriptions/resourceGroups/read"},
+	]}]})
+	res := check.deny with input as inp
+	count(res) == 1
+}
+
+build_input(roledef) := {"azure": {"authorization": {"roledefinitions": [roledef]}}}