rspec/rules/S6258/terraform/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

For Amazon https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket[S3 access requests]:
[source,terraform]
----
resource "aws_s3_bucket" "example" { # Sensitive
  bucket = "example"
}
----

For Amazon https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage[API Gateway stages]:
[source,terraform]
----
resource "aws_api_gateway_stage" "example" { # Sensitive
  xray_tracing_enabled = false # Sensitive
}
----

For Amazon https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_cluster[MSK Broker logs]:
[source,terraform]
----
resource "aws_msk_cluster" "example" {
  cluster_name           = "example"
  kafka_version          = "2.7.1"
  number_of_broker_nodes = 3

  logging_info {
    broker_logs { # Sensitive
      firehose {
        enabled = false
      }
      s3 {
        enabled = false
      }
    }
  }
}
----

For Amazon https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mq_broker[MQ Brokers]:
[source,terraform]
----
resource "aws_mq_broker" "example" {
  logs {  # Sensitive
    audit   = false
    general = false
  }
}
----

For Amazon https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster[Amazon DocumentDB]:
[source,terraform]
----
resource "aws_docdb_cluster" "example" { # Sensitive
  cluster_identifier = "example"
}
----

For Azure https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service[App Services]:
[source,terraform]
----
resource "azurerm_app_service" "example" {
  logs {
    application_logs {
      file_system_level = "Off" # Sensitive
      azure_blob_storage {
        level = "Off"           # Sensitive
      }
    }
  }
}
----

For GCP https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork/[VPC Subnetwork]:
[source,terraform]
----
resource "google_compute_subnetwork" "example" { # Sensitive
  name          = "example"
  ip_cidr_range = "10.2.0.0/16"
  region        = "us-central1"
  network       = google_compute_network.example.id
}
----

For GCP https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance/[SQL Database Instance]:
[source,terraform]
----
resource "google_sql_database_instance" "example" {
  name = "example"

  settings { # Sensitive
    tier = "db-f1-micro"
    ip_configuration {
      require_ssl  = true
      ipv4_enabled = true
    }
  }
}
----

For GCP https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster/[Kubernetes Engine (GKE) cluster]:
[source,terraform]
----
resource "google_container_cluster" "example" {
  name               = "example"
  logging_service    = "none" # Sensitive
}
----

== Compliant Solution

For Amazon https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket[S3 access requests]:
[source,terraform]
----
resource "aws_s3_bucket" "example-logs" {
  bucket = "example_logstorage"
  acl    = "log-delivery-write"
}

resource "aws_s3_bucket" "example" {
  bucket = "example"

  logging { # AWS provider <= 3
      target_bucket = aws_s3_bucket.example-logs.id
      target_prefix = "log/example"
  }
}

resource "aws_s3_bucket_logging" "example" { # AWS provider >= 4
  bucket = aws_s3_bucket.example.id

  target_bucket = aws_s3_bucket.example-logs.id
  target_prefix = "log/example"
}
----

For Amazon https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage[API Gateway stages]:
[source,terraform]
----
resource "aws_api_gateway_stage" "example" {
  xray_tracing_enabled = true

  access_log_settings {
    destination_arn = "arn:aws:logs:eu-west-1:123456789:example"
    format = "..."
  }
}
----

For Amazon https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_cluster[MSK Broker logs]:
[source,terraform]
----
resource "aws_msk_cluster" "example" {
  cluster_name           = "example"
  kafka_version          = "2.7.1"
  number_of_broker_nodes = 3

  logging_info {
    broker_logs {
      firehose   {
        enabled = false
      }
      s3 {
        enabled = true
        bucket  = "example"
        prefix  = "log/msk-"
      }
    }
  }
}
----

For Amazon https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mq_broker[MQ Brokers], enable `audit` or `general`:
[source,terraform]
----
resource "aws_mq_broker" "example" {
  logs {
    audit   = true
    general = true
  }
}
----

For Amazon https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster[Amazon DocumentDB]:
[source,terraform]
----
resource "aws_docdb_cluster" "example" {
  cluster_identifier              = "example"
  enabled_cloudwatch_logs_exports = ["audit"]
}
----

For Azure https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service[App Services]:
[source,terraform]
----
resource "azurerm_app_service" "example" {
 logs {
    http_logs {
      file_system {
        retention_in_days = 90
        retention_in_mb   = 100
      }
    }

 application_logs {
      file_system_level = "Error"
      azure_blob_storage {
        retention_in_days = 90
        level             = "Error"
      }
    }
  }
}
----

For GCP https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork/[VPC Subnetwork]:
[source,terraform]
----
resource "google_compute_subnetwork" "example" {
  name          = "example"
  ip_cidr_range = "10.2.0.0/16"
  region        = "us-central1"
  network       = google_compute_network.example.id

  log_config {
    aggregation_interval = "INTERVAL_10_MIN"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}
----

For GCP https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance/[SQL Database Instance]:
[source,terraform]
----
resource "google_sql_database_instance" "example" {
  name             = "example"

  settings {
    ip_configuration {
      require_ssl  = true
      ipv4_enabled = true
    }
    database_flags {
      name  = "log_connections"
      value = "on"
    }
    database_flags {
      name  = "log_disconnections"
      value = "on"
    }
    database_flags {
      name  = "log_checkpoints"
      value = "on"
    }
    database_flags {
      name  = "log_lock_waits"
      value = "on"
    }
  }
}
----

For GCP https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster/[Kubernetes Engine (GKE) cluster]:
[source,terraform]
----
resource "google_container_cluster" "example" {
  name               = "example"
  logging_service    = "logging.googleapis.com/kubernetes"
}
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

endif::env-github,rspecator-view[]