include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
For Azure:
[source,terraform]
----
# Sensitive example: the server's endpoint is published on the public Internet.
# Network reachability then no longer limits who can attempt to authenticate
# against the database; only credentials and server-side auth stand in the way.
resource "azurerm_postgresql_server" "example" {
  public_network_access_enabled = true # Sensitive
}
----
[source,terraform]
----
# Sensitive example: both the control plane and the worker nodes are exposed.
resource "azurerm_kubernetes_cluster" "production" {
  # 176.0.0.0/4 is 176.0.0.0-191.255.255.255, about 268 million public
  # addresses. An allow-list this wide is effectively no restriction on who
  # can reach the Kubernetes API server.
  api_server_authorized_ip_ranges = ["176.0.0.0/4"] # Sensitive

  default_node_pool {
    # Every worker node gets its own public IP, so anything listening on the
    # node itself becomes reachable from the Internet, not just traffic that
    # arrives through an intentionally exposed load balancer.
    enable_node_public_ip = true # Sensitive
  }
}
For AWS:
[source,terraform]
----
# Sensitive example: the instance is launched with a public IPv4 address on its
# primary network interface, making it directly addressable from the Internet;
# only its security group / network ACLs then filter inbound traffic.
resource "aws_instance" "example" {
  associate_public_ip_address = true # Sensitive
}
----
[source,terraform]
----
# Sensitive example: a publicly accessible replication instance is reachable
# from outside the VPC, so the migration service handling database traffic is
# added to the Internet-facing attack surface.
resource "aws_dms_replication_instance" "example" {
  publicly_accessible = true # Sensitive
}
----
== Compliant Solution
For Azure:
[source,terraform]
----
# Compliant: the public endpoint is disabled, so the attack surface is limited
# to principals that are already inside the Azure network boundary.
# NOTE(review): clients then need private connectivity (e.g. a private
# endpoint or VNet rule) provisioned separately - confirm it exists before
# applying, or the server becomes unreachable rather than merely private.
resource "azurerm_postgresql_server" "example" {
  public_network_access_enabled = false
}
----
[source,terraform]
----
# Compliant: API reachability is limited to one private (RFC 1918) range and
# nodes have no public addresses.
resource "azurerm_kubernetes_cluster" "production" {
  # Keep this list as narrow as the administering networks require; it
  # restricts who can *reach* the API server, not who can authenticate to it,
  # so it complements RBAC rather than replacing it.
  api_server_authorized_ip_ranges = ["192.168.0.0/16"]

  default_node_pool {
    # Nodes keep only private IPs; anything that must be exposed goes through
    # an explicitly configured ingress (e.g. a load balancer) instead.
    enable_node_public_ip = false
  }
}
----
For AWS:
[source,terraform]
----
# Compliant: no public IPv4 address is assigned at launch. Setting this
# explicitly (rather than omitting it) documents the intent in code.
# NOTE(review): this attribute only governs the launch-time auto-assigned
# address; an Elastic IP associated to the instance by a separate resource
# would still expose it, so review those resources as well.
resource "aws_instance" "example" {
  associate_public_ip_address = false
}
----
[source,terraform]
----
# Compliant: the replication instance stays private and is reachable only from
# inside the VPC (or over private connectivity such as VPN or peering).
# NOTE(review): this is sufficient when both source and target endpoints are
# reachable from the VPC - confirm that before relying on it.
resource "aws_dms_replication_instance" "example" {
  publicly_accessible = false
}
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
* Omitting {parameter} allows network access from the Internet. Make sure it is safe here.
* Make sure allowing public network access is safe here.
* For the application_gateway and network_interface resources:
** Make sure it is safe to use this public IP address.
* For the kubernetes_cluster {api_server_authorized_ip_ranges} parameter and all firewall_rule resources:
** Make sure that allowing public IP addresses is safe here.
=== Highlighting
* If {parameter} is missing, highlight the resource.
* If the assignment is non-compliant, highlight the entire assignment (both the parameter name and its value).
endif::env-github,rspecator-view[]