--- policy: /ce/ca/azure/sql-database/database-transparent-data-encryption logic: /ce/ca/azure/sql-database/database-transparent-data-encryption/prod.logic.yaml executionTime: 2026-02-10T22:33:35.793138818Z generationMs: 61 executionMs: 900 rows: - id: test1 match: true status: expected: DISAPPEARED actual: DISAPPEARED conditionIndex: expected: 99 actual: 99 conditionText: expected: isDisappeared(CA10__disappearanceTime__c) actual: isDisappeared(CA10__disappearanceTime__c) runtimeError: {} - id: test2 match: true status: expected: INAPPLICABLE actual: INAPPLICABLE conditionIndex: expected: 199 actual: 199 conditionText: expected: extract('CA10__name__c') == 'master' && extract('CA10__kind__c').contains('system') actual: extract('CA10__name__c') == 'master' && extract('CA10__kind__c').contains('system') runtimeError: {} - id: test3 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 399 actual: 399 conditionText: expected: extract('CA10__dataEncryption__c') == 'Enabled' actual: extract('CA10__dataEncryption__c') == 'Enabled' runtimeError: {} - id: test4 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 299 actual: 299 conditionText: expected: extract('CA10__dataEncryption__c') == 'Disabled' actual: extract('CA10__dataEncryption__c') == 'Disabled' runtimeError: {} - id: test5 match: true status: expected: UNDETERMINED actual: UNDETERMINED conditionIndex: expected: 201 actual: 201 conditionText: expected: CA10__dataEncryption__c.delegatedTo(CA10__dataEncryption__c).isEmpty() actual: CA10__dataEncryption__c.delegatedTo(CA10__dataEncryption__c).isEmpty() runtimeError: {} usedFiles: - path: /ce/ca/azure/sql-database/database-transparent-data-encryption/policy.yaml md5Hash: 1F90943DC075368A5547C6854414FF4A content: | --- names: full: Azure SQL Database Transparent Data Encryption is not enabled contextual: Database Transparent Data Encryption is not enabled description: "Azure SQL Database transparent data encryption helps protect against\ \ the threat of malicious activity by performing real-time encryption and decryption\ \ of the database, associated backups, and transaction log files at rest without\ \ requiring changes to the application." type: COMPLIANCE_POLICY categories: - SECURITY frameworkMappings: - "/frameworks/cis-azure-v2.1.0/04/01/05" - "/frameworks/cis-azure-v3.0.0/05/01/05" - "/frameworks/cloudaware/resource-security/data-encryption" frameworkIgnoreMappings: - "/frameworks/cis-azure-v2.1.0/04/01/04" - "/frameworks/cis-azure-v1.1.0/04/08" - "/frameworks/cis-azure-v1.3.0/04/04" - "/frameworks/cis-azure-v1.4.0/04/05" - "/frameworks/cis-azure-v2.0.0/04/01/04" - "/frameworks/cis-azure-v1.5.0/04/01/04" similarPolicies: internal: - dec-x-2fcb6d85 cloudConformity: - url: https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Sql/microsoft-entra-admin.html name: Use Microsoft Entra Admin for SQL Authentication - path: /ce/ca/azure/sql-database/database-transparent-data-encryption/prod.logic.yaml md5Hash: 5D8465CCAA37002714E1A2CA09C559DC content: | --- inputType: "CA10__CaAzureSqlDatabase__c" testData: - file: "test-data.json" importExtracts: - file: "/types/CA10__CaAzureSqlDatabase__c/object.extracts.yaml" conditions: - status: "INAPPLICABLE" currentStateMessage: "This is the master database. TDE cannot encrypt the logical master database." check: AND: args: - IS_EQUAL: left: EXTRACT: "CA10__name__c" right: TEXT: "master" - CONTAINS: arg: EXTRACT: "CA10__kind__c" search: TEXT: "system" - status: "INCOMPLIANT" currentStateMessage: "SQL Database Transparent Data Encryption is disabled." remediationMessage: "Enable SQL Database Transparent Data Encryption." check: IS_EQUAL: left: EXTRACT: "CA10__dataEncryption__c" right: TEXT: "Disabled" - status: "COMPLIANT" currentStateMessage: "SQL Database Transparent Data Encryption is enabled." check: IS_EQUAL: left: EXTRACT: "CA10__dataEncryption__c" right: TEXT: "Enabled" otherwise: status: "UNDETERMINED" currentStateMessage: "Unexpected value in the field." - path: /ce/ca/azure/sql-database/database-transparent-data-encryption/test-data.json md5Hash: 7B7D547736F2CFB4D0BAC8A4FB664CD3 content: |- [ { "expectedResult": { "status": "DISAPPEARED", "conditionIndex": "99", "conditionText": "isDisappeared(CA10__disappearanceTime__c)", "runtimeError": null }, "context": { "snapshotTime": "2024-06-13T04:17:29Z" }, "Id": "test1", "CA10__disappearanceTime__c": "2024-06-12T23:04:50Z", "CA10__name__c": "databaseName", "CA10__kind__c": "user", "CA10__dataEncryption__c": "Disabled" }, { "expectedResult": { "status": "INAPPLICABLE", "conditionIndex": "199", "conditionText": "extract('CA10__name__c') == 'master' && extract('CA10__kind__c').contains('system')", "runtimeError": null }, "context": { "snapshotTime": "2024-06-13T04:17:29Z" }, "Id": "test2", "CA10__disappearanceTime__c": null, "CA10__name__c": "master", "CA10__kind__c": "system", "CA10__dataEncryption__c": "Disabled" }, { "expectedResult": { "status": "COMPLIANT", "conditionIndex": "399", "conditionText": "extract('CA10__dataEncryption__c') == 'Enabled'", "runtimeError": null }, "context": { "snapshotTime": "2024-06-13T04:17:29Z" }, "Id": "test3", "CA10__disappearanceTime__c": null, "CA10__name__c": "databaseName", "CA10__kind__c": "user", "CA10__dataEncryption__c": "Enabled" }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "299", "conditionText": "extract('CA10__dataEncryption__c') == 'Disabled'", "runtimeError": null }, "context": { "snapshotTime": "2024-06-13T04:17:29Z" }, "Id": "test4", "CA10__disappearanceTime__c": null, "CA10__name__c": "databaseName", "CA10__kind__c": "user", "CA10__dataEncryption__c": "Disabled" }, { "expectedResult": { "status": "UNDETERMINED", "conditionIndex": "201", "conditionText": "CA10__dataEncryption__c.delegatedTo(CA10__dataEncryption__c).isEmpty()", "runtimeError": null }, "context": { "snapshotTime": "2024-06-13T04:17:29Z" }, "Id": "test5", "CA10__disappearanceTime__c": null, "CA10__name__c": "databaseName", "CA10__kind__c": "user", "CA10__dataEncryption__c": "" } ] - path: /types/CA10__CaAzureSqlDatabase__c/object.extracts.yaml md5Hash: B4BDC0B62AEF4B03FB276D037CE05688 content: "---\nextracts:\n# Not Nullable. Can't have no access, retrieved via\ \ Microsoft.Sql/servers/databases/read\n - name: \"CA10__name__c\"\n value:\ \ \n FIELD:\n path: \"CA10__name__c\"\n undeterminedIf:\n\ \ isEmpty: \"Corrupted Data. Database Name cannot be empty.\"\n# Not\ \ Nullable. Can't have no access, retrieved via Microsoft.Sql/servers/databases/read\n\ \ - name: \"CA10__kind__c\"\n value: \n FIELD:\n path: \"CA10__kind__c\"\ \n undeterminedIf:\n isEmpty: \"Corrupted Data. Database Kind\ \ cannot be empty.\"\n# Values: Enabled, Disabled. Not Nullable. \n - name:\ \ \"CA10__dataEncryption__c\"\n value: \n FIELD:\n path: \"CA10__dataEncryption__c\"\ \n undeterminedIf:\n noAccessDelegate:\n path: \"\ CA10__dataEncryption__c\"\n currentStateMessage: \"Unable to determine\ \ Transparent Data Encryption. Possible permission issue with Microsoft.Sql/servers/databases/transparentDataEncryption/read.\"\ \n isEmpty: \"SQL Database Transparent Data Encryption is not populated\ \ yet.\"\n# Not nullable \n - name: \"CA10__satus__c\"\n value: \n \ \ FIELD:\n path: \"CA10__satus__c\"\n# Nullable \n - name: \"CA10__monitorCpuPercentAvg30Day__c\"\ \n value: \n FIELD:\n path: \"CA10__monitorCpuPercentAvg30Day__c\"\ \n# Nullable \n - name: \"CA10__monitorStoragePercentMax30Day__c\"\n value:\ \ \n FIELD:\n path: \"CA10__monitorStoragePercentMax30Day__c\"\n\ # Nullable \n - name: \"CA10__monitorDtuConsumptionPercentAvg30Day__c\"\n \ \ value: \n FIELD:\n path: \"CA10__monitorDtuConsumptionPercentAvg30Day__c\"\ \n# Nullable \n - name: \"CA10__monitorAppMemoryPercentAvg30Day__c\"\n value:\ \ \n FIELD:\n path: \"CA10__monitorAppMemoryPercentAvg30Day__c\"\ \n# Not Nullable \n - name: \"CA10__creationDate__c\"\n value: \n FIELD:\n\ \ path: \"CA10__creationDate__c\"\n# Nullable \n - name: \"CA10__pausedDate__c\"\ \n value: \n FIELD:\n path: \"CA10__pausedDate__c\"\n# Not Nullable\ \ \n - name: \"CA10__skuName__c\"\n value: \n FIELD:\n path:\ \ \"CA10__skuName__c\"\n# Text. Not Nullable \n - name: \"CA10__locationName__c\"\ \n value: \n FIELD:\n path: \"CA10__locationName__c\"\n" script: |- CREATE TEMP FUNCTION mock_ExpectedResult() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "Id" : "test1", "expectedResult" : { "status" : "DISAPPEARED", "conditionIndex" : "99", "conditionText" : "isDisappeared(CA10__disappearanceTime__c)", "runtimeError" : null } }, { "Id" : "test2", "expectedResult" : { "status" : "INAPPLICABLE", "conditionIndex" : "199", "conditionText" : "extract('CA10__name__c') == 'master' && extract('CA10__kind__c').contains('system')", "runtimeError" : null } }, { "Id" : "test3", "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "399", "conditionText" : "extract('CA10__dataEncryption__c') == 'Enabled'", "runtimeError" : null } }, { "Id" : "test4", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "299", "conditionText" : "extract('CA10__dataEncryption__c') == 'Disabled'", "runtimeError" : null } }, { "Id" : "test5", "expectedResult" : { "status" : "UNDETERMINED", "conditionIndex" : "201", "conditionText" : "CA10__dataEncryption__c.delegatedTo(CA10__dataEncryption__c).isEmpty()", "runtimeError" : null } } ]; """; CREATE TEMP FUNCTION mock_CA10__CaAzureSqlDatabase__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2024-06-13T04:17:29Z") }, "CA10__disappearanceTime__c" : new Date("2024-06-12T23:04:50Z"), "CA10__name__c" : "databaseName", "CA10__kind__c" : "user", "CA10__dataEncryption__c" : "Disabled", "Id" : "test1" }, { "context" : { "snapshotTime" : new Date("2024-06-13T04:17:29Z") }, "CA10__name__c" : "master", "CA10__kind__c" : "system", "CA10__dataEncryption__c" : "Disabled", "Id" : "test2" }, { "context" : { "snapshotTime" : new Date("2024-06-13T04:17:29Z") }, "CA10__name__c" : "databaseName", "CA10__kind__c" : "user", "CA10__dataEncryption__c" : "Enabled", "Id" : "test3" }, { "context" : { "snapshotTime" : new Date("2024-06-13T04:17:29Z") }, "CA10__name__c" : "databaseName", "CA10__kind__c" : "user", "CA10__dataEncryption__c" : "Disabled", "Id" : "test4" }, { "context" : { "snapshotTime" : new Date("2024-06-13T04:17:29Z") }, "CA10__name__c" : "databaseName", "CA10__kind__c" : "user", "CA10__dataEncryption__c" : "", "Id" : "test5" } ]; """; CREATE TEMP FUNCTION process_CA10__CaAzureSqlDatabase__c( obj STRUCT< CA10__disappearanceTime__c TIMESTAMP, CA10__name__c STRING, CA10__kind__c STRING, CA10__dataEncryption__c STRING, Id STRING >, snapshotTime TIMESTAMP ) RETURNS STRUCT DETERMINISTIC LANGUAGE js AS r""" var TextLib = new function () { this.normalize = function(arg) { return arg == null ? '' : arg.replace(/\s+/g, ' ').trim().toLowerCase(); }; this.isEmpty = function(arg) { return this.normalize(arg) == ''; }; this.isNotEmpty = function(arg) { return this.normalize(arg) != ''; }; this.equal = function(left, right) { return this.normalize(left) == this.normalize(right); }; this.notEqual = function(left, right) { return this.normalize(left) != this.normalize(right); }; this.startsWith = function(arg, substring) { return this.normalize(arg).startsWith(this.normalize(substring)); }; this.endsWith = function(arg, substring) { return this.normalize(arg).endsWith(this.normalize(substring)); }; this.contains = function(arg, substring) { return this.normalize(arg).includes(this.normalize(substring)); }; this.containsAll = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.every(sub => normalizedArg.includes(this.normalize(sub))); }; this.containsAny = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.some(sub => normalizedArg.includes(this.normalize(sub))); }; }(); var references1 = []; // condition[0], conditionIndex:[0..99] references1.push('Deleted From Azure [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c); if (obj.CA10__disappearanceTime__c != null) { return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } // condition[1], conditionIndex:[100..199] function fieldChecked4() { if (TextLib.isEmpty(obj.CA10__name__c)) { throw new Error("UNDETERMINED condition:101", {cause: {status: 'UNDETERMINED', conditionIndex: 101, conditionText: "CA10__name__c.isEmpty()", currentStateMessage: "Corrupted Data. Database Name cannot be empty.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10__name__c; } function extract3() { if (!this.out) { this.out = fieldChecked4(); } return this.out; }; function fieldChecked7() { if (TextLib.isEmpty(obj.CA10__kind__c)) { throw new Error("UNDETERMINED condition:102", {cause: {status: 'UNDETERMINED', conditionIndex: 102, conditionText: "CA10__kind__c.isEmpty()", currentStateMessage: "Corrupted Data. Database Kind cannot be empty.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10__kind__c; } function extract6() { if (!this.out) { this.out = fieldChecked7(); } return this.out; }; references1.push('Name [obj.CA10__name__c]: ' + obj.CA10__name__c); references1.push('Kind [obj.CA10__kind__c]: ' + obj.CA10__kind__c); try { if (TextLib.equal(extract3.call(extract3), 'master') && TextLib.contains(extract6.call(extract6), 'system')) { return {status: 'INAPPLICABLE', conditionIndex: 199, conditionText: "extract('CA10__name__c') == 'master' && extract('CA10__kind__c').contains('system')", currentStateMessage: "This is the master database. TDE cannot encrypt the logical master database.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } // condition[2], conditionIndex:[200..299] function fieldChecked10() { if (TextLib.isEmpty(obj.CA10__dataEncryption__c)) { throw new Error("UNDETERMINED condition:201", {cause: {status: 'UNDETERMINED', conditionIndex: 201, conditionText: "CA10__dataEncryption__c.delegatedTo(CA10__dataEncryption__c).isEmpty()", currentStateMessage: "Unable to determine Transparent Data Encryption. Possible permission issue with Microsoft.Sql/servers/databases/transparentDataEncryption/read.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } if (TextLib.isEmpty(obj.CA10__dataEncryption__c)) { throw new Error("UNDETERMINED condition:202", {cause: {status: 'UNDETERMINED', conditionIndex: 202, conditionText: "CA10__dataEncryption__c.isEmpty()", currentStateMessage: "SQL Database Transparent Data Encryption is not populated yet.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10__dataEncryption__c; } function extract9() { if (!this.out) { this.out = fieldChecked10(); } return this.out; }; references1.push('Data Encryption [obj.CA10__dataEncryption__c]: ' + obj.CA10__dataEncryption__c); try { if (TextLib.equal(extract9.call(extract9), 'Disabled')) { return {status: 'INCOMPLIANT', conditionIndex: 299, conditionText: "extract('CA10__dataEncryption__c') == 'Disabled'", currentStateMessage: "SQL Database Transparent Data Encryption is disabled.", currentStateReferences: references1.join('\n'), remediation: "Enable SQL Database Transparent Data Encryption.", runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } // condition[3], conditionIndex:[300..399] function fieldChecked13() { if (TextLib.isEmpty(obj.CA10__dataEncryption__c)) { throw new Error("UNDETERMINED condition:301", {cause: {status: 'UNDETERMINED', conditionIndex: 301, conditionText: "CA10__dataEncryption__c.delegatedTo(CA10__dataEncryption__c).isEmpty()", currentStateMessage: "Unable to determine Transparent Data Encryption. Possible permission issue with Microsoft.Sql/servers/databases/transparentDataEncryption/read.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } if (TextLib.isEmpty(obj.CA10__dataEncryption__c)) { throw new Error("UNDETERMINED condition:302", {cause: {status: 'UNDETERMINED', conditionIndex: 302, conditionText: "CA10__dataEncryption__c.isEmpty()", currentStateMessage: "SQL Database Transparent Data Encryption is not populated yet.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10__dataEncryption__c; } function extract12() { if (!this.out) { this.out = fieldChecked13(); } return this.out; }; try { if (TextLib.equal(extract12.call(extract12), 'Enabled')) { return {status: 'COMPLIANT', conditionIndex: 399, conditionText: "extract('CA10__dataEncryption__c') == 'Enabled'", currentStateMessage: "SQL Database Transparent Data Encryption is enabled.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } return {status: 'UNDETERMINED', conditionIndex: 400, conditionText: "otherwise", currentStateMessage: "Unexpected value in the field.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; """; SELECT expectedResult.Id as Id, IF ( IFNULL(expectedResult.expectedResult.status, '') = IFNULL(sObject.result.status, '') AND IFNULL(expectedResult.expectedResult.conditionIndex, -1) = IFNULL(sObject.result.conditionIndex, -1) AND IFNULL(expectedResult.expectedResult.conditionText, '') = IFNULL(sObject.result.conditionText, '') AND IFNULL(expectedResult.expectedResult.runtimeError, '') = IFNULL(sObject.result.runtimeError, ''), "MATCH", "FAIL" ) as match, expectedResult.expectedResult.status as expectedStatus, sObject.result.status as actualStatus, expectedResult.expectedResult.conditionIndex as expectedConditionIndex, sObject.result.conditionIndex as actualConditionIndex, expectedResult.expectedResult.conditionText as expectedConditionText, sObject.result.conditionText as actualConditionText, expectedResult.expectedResult.runtimeError as expectedRuntimeError, sObject.result.runtimeError as actualRuntimeError FROM UNNEST(mock_ExpectedResult()) expectedResult LEFT JOIN ( SELECT sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__name__c AS CA10__name__c, sObject.CA10__kind__c AS CA10__kind__c, sObject.CA10__dataEncryption__c AS CA10__dataEncryption__c, sObject.Id AS Id, process_CA10__CaAzureSqlDatabase__c( STRUCT( sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__name__c AS CA10__name__c, sObject.CA10__kind__c AS CA10__kind__c, sObject.CA10__dataEncryption__c AS CA10__dataEncryption__c, sObject.Id AS Id ), sObject.context.snapshotTime ) as result FROM UNNEST(mock_CA10__CaAzureSqlDatabase__c()) AS sObject ) sObject ON sObject.Id = expectedResult.Id;