inputType: "CA10__CaAzureDiagnosticSetting__c"
recordTypes:
  - "caDiagnosticSettingOnAzureSubscription"
importExtracts:
  - file: "/types/CA10__CaAzureStorageAccount__c/object.extracts.yaml"
testData:
  - file: "test-data.json"
conditions:
  - status: "INAPPLICABLE"
    currentStateMessage: "Diagnostic setting logs are not sent to a storage account."
    check:
      IS_EMPTY_LOOKUP: "CA10__storageAccount__r"
  - status: "INCOMPLIANT"
    currentStateMessage: "Diagnostic setting logs are sent to a storage account without a customer-managed key."
    remediationMessage: "Encrypt the destination storage account with a customer-managed key."
    check:
      AND:
        args:
          - NOT_EQUAL:
              left:
                EXTRACT: "CA10__storageAccount__r.CA10__encryptionKeySource__c"
              right:
                TEXT: "Microsoft.Keyvault"
          - IS_EMPTY:
              arg:
                EXTRACT: "CA10__storageAccount__r.CA10__encryptionKeyVaultUri__c"
  - status: "COMPLIANT"
    currentStateMessage: "Diagnostic setting logs are sent to a storage account encrypted with a customer-managed key."
    check:
      AND:
        args:
          - IS_EQUAL:
              left:
                EXTRACT: "CA10__storageAccount__r.CA10__encryptionKeySource__c"
              right:
                TEXT: "Microsoft.Keyvault"
          - NOT_EMPTY:
              arg:
                EXTRACT: "CA10__storageAccount__r.CA10__encryptionKeyVaultUri__c"
otherwise:
  status: "UNDETERMINED"
  currentStateMessage: "Unexpected values in the fields."