
feat(queries): add 97 custom Terraform queries for Azure, GCP, IBM Cloud, and OCI #8002

Open
cx-antero-silva wants to merge 1 commit into Checkmarx:master from cx-antero-silva:new_IBM-Cloud_queries

Conversation

@cx-antero-silva
Contributor

Summary

This PR adds 97 new Terraform queries covering four cloud providers, identified through a gap analysis of the IaC scanner coverage:

  • 30 Azure queries — covering bastion host presence, App Service logging/insights, Backup Vault encryption, Elastic SAN, IoT Hub Defender, Key Vault key rotation, Managed Lustre encryption, NetApp CMK, PaaS private endpoints, Recovery Services Vault, SQL Server TDE with CMK, Storage Account (geo-redundancy, versioning, infrastructure encryption, immutability, read-only lock), and storage logging (blob, queue, table)
  • 17 GCP queries — covering Access Approval, API key restrictions and targets, App Engine HTTPS enforcement, Compute logging, GKE (default service account, image vulnerability scanning, IAM, metadata server, Sandbox, secrets CMEK, security posture, workload identity), HTTP load balancer logging, IAP backend services, and Cloud SQL PostgreSQL log settings
  • 25 IBM Cloud queries — covering Activity Tracker (global events, platform logs), block/object storage encryption, Certificate Manager auto-renewal, CIS DNS/WAF, Cloudant CMK, Container cluster entitlement, Container Registry VA alerts, database CMK, IAM (MFA, API key policies, IP restrictions, session expiration), IKS logging/monitoring, KMS key rotation, LogDNA archiving and alerting
  • 25 OCI queries — covering Cloud Guard, compute (legacy metadata, secure boot), default tags, IAM (password policy, password expiration/reuse, group/policy/user change events, service admins), IDP events, network gateway/NSG/route table/security list/subnet/VCN change events, notification topics, Object Storage (logging, versioning), resource root compartment, storage (CMK, admin delete), and instance transit encryption

New provider directories created: assets/queries/terraform/ibm/ and assets/queries/terraform/oci/

Each query follows the standard KICS structure:

<query_name>/
├── metadata.json
├── query.rego
├── README.md
└── test/
    ├── positive1.tf
    ├── negative1.tf
    └── positive_expected_result.json

Test plan

  • Verify metadata.json IDs are unique across the full query set
  • Run KICS e2e tests against each new query's test fixtures
  • Confirm no regressions on existing Azure and GCP queries
  • Validate IBM and OCI queries load correctly with the new provider directories
  • Review severity and category classifications per provider guidelines

I submit this contribution under the Apache-2.0 license.

@cx-antero-silva cx-antero-silva requested a review from a team as a code owner March 19, 2026 11:39
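A script for the first item of the test plan above and for the standard query layout the PR describes, written here as an added example and not code from the PR or the KICS project: it walks a tree laid out as assets/queries/terraform/<provider>/<query_name>/ (the layout the PR's new directories follow), reports query directories missing any file of the standard structure, and reports metadata.json "id" values declared by more than one query. The sample tree it builds is constructed for the demonstration; its query names and ids are placeholders, and reading the id from the "id" key of metadata.json is an assumption about the metadata format.

```python
"""Checks from the PR's test plan: every query directory has the standard
KICS layout, and the "id" in each metadata.json is unique across the set.
Assumes the layout <root>/<provider>/<query_name>/ used by the PR."""
import json
import tempfile
from pathlib import Path

REQUIRED = ("metadata.json", "query.rego", "README.md", "test/positive1.tf",
            "test/negative1.tf", "test/positive_expected_result.json")


def check_layout(query_dir: Path) -> list[str]:
    """Required files (relative paths) missing from one query directory."""
    return [rel for rel in REQUIRED if not (query_dir / rel).is_file()]


def run_checks(root: Path) -> tuple[dict, dict]:
    """Return (duplicate_ids, layout_problems): id -> queries declaring it
    when more than one does, and query -> its missing files."""
    seen: dict[str, list[str]] = {}
    problems: dict[str, list[str]] = {}
    for meta in sorted(root.glob("*/*/metadata.json")):
        qdir = meta.parent
        name = f"{qdir.parent.name}/{qdir.name}"
        if missing := check_layout(qdir):
            problems[name] = missing
        qid = json.loads(meta.read_text()).get("id")  # assumed "id" key
        if qid is None:
            problems.setdefault(name, []).append("metadata.json:id")
        else:
            seen.setdefault(qid, []).append(name)
    return {k: v for k, v in seen.items() if len(v) > 1}, problems


def build_sample_tree() -> Path:
    """Constructed fixture (not from the PR): three placeholder queries,
    two sharing an id, one missing its negative test case."""
    root = Path(tempfile.mkdtemp())
    specs = {("ibm", "kms_key_rotation_disabled"): ("id-0001", ()),
             ("oci", "cloud_guard_disabled"): ("id-0001", ()),  # duplicate id
             ("azure", "storage_versioning_disabled"): ("id-0002", ("test/negative1.tf",))}
    for (prov, q), (qid, omit) in specs.items():
        for rel in (r for r in REQUIRED if r not in omit):
            path = root / prov / q / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(json.dumps({"id": qid}) if rel == "metadata.json" else "")
    return root


if __name__ == "__main__":
    dups, problems = run_checks(build_sample_tree())
    print("duplicate ids:", dups)
    print("layout problems:", problems)
```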
@kicsbot
Contributor

kicsbot commented Mar 19, 2026

Your pull request can't be merged due to missing the Apache license statement.

Please add the following statement at the end of the PR description:

I submit this contribution under the Apache-2.0 license.

In case the statement has already been added, make sure it is the last sentence in the description and the only one in its line.

Thank you!
KICS Team

@github-actions github-actions bot added the labels community, feature request, query, terraform, gcp and azure on Mar 19, 2026