rspec/rules/S6321/azureresourcemanager/rule.adoc

== Why is this an issue?

Cloud platforms such as Azure support virtual firewalls that can be used to restrict access to services by controlling inbound and outbound traffic. +
Any firewall rule allowing traffic from all IP addresses to standard network ports on which administration services traditionally listen, such as 22 for SSH, can expose these services to exploits and unauthorized access.


include::../impact.adoc[]

== How to fix it

include::../common/how-to-fix-it/intro.adoc[]

=== Code examples

==== Noncompliant code example

[source,json,diff-id=1,diff-type=noncompliant]
----
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "networkSecurityGroups/example",
      "type": "Microsoft.Network/networkSecurityGroups/securityRules",
      "apiVersion": "2022-11-01",
      "properties": {
        "protocol": "*",
        "destinationPortRange": "*",
        "sourceAddressPrefix": "*",
        "access": "Allow",
        "direction": "Inbound"
      }
    }
  ]
}
----

[source,bicep,diff-id=2,diff-type=noncompliant]
----
resource securityRules 'Microsoft.Network/networkSecurityGroups/securityRules@2022-11-01' = {
  name: 'securityRules'
  properties: {
    direction: 'Inbound'
    access: 'Allow'
    protocol: '*'
    destinationPortRange: '*'
    sourceAddressPrefix: '*'
  }
}
----

==== Compliant solution

[source,json,diff-id=1,diff-type=compliant]
----
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "networkSecurityGroups/example",
      "type": "Microsoft.Network/networkSecurityGroups/securityRules",
      "apiVersion": "2022-11-01",
      "properties": {
          "protocol": "*",
          "destinationPortRange": "22",
          "sourceAddressPrefix": "10.0.0.0/24",
          "access": "Allow",
          "direction": "Inbound"
      }
    }
  ]
}
----

[source,bicep,diff-id=2,diff-type=compliant]
----
resource securityRules 'Microsoft.Network/networkSecurityGroups/securityRules@2022-11-01' = {
  name: 'securityRules'
  properties: {
    direction: 'Inbound'
    access: 'Allow'
    protocol: '*'
    destinationPortRange: '22'
    sourceAddressPrefix: '10.0.0.0/24'
  }
}
----

== Resources

include::../common/resources/docs.adoc[]

include::../common/resources/articles.adoc[]

include::../common/resources/presentations.adoc[]

include::../common/resources/standards.adoc[]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

'''

endif::env-github,rspecator-view[]
Create rule S6321: Add language AzureResourceManager (and education format) (#1877) 2023-05-16 08:47:16 +02:00			`== Why is this an issue?`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`Cloud platforms such as Azure support virtual firewalls that can be used to restrict access to services by controlling inbound and outbound traffic. +`
			`Any firewall rule allowing traffic from all IP addresses to standard network ports on which administration services traditionally listen, such as 22 for SSH, can expose these services to exploits and unauthorized access.`

Create rule S6321: Add language AzureResourceManager (and education format) (#1877) 2023-05-16 08:47:16 +02:00
			`include::../impact.adoc[]`

			`== How to fix it`

			`include::../common/how-to-fix-it/intro.adoc[]`

			`=== Code examples`

			`==== Noncompliant code example`

			`[source,json,diff-id=1,diff-type=noncompliant]`
			`----`
			`{`
Arm/make examples schema compliant (#3047) This PR changes the JSON examples for ARM rules to make sure that the code samples will be scanned by sonar-iac-plugin. To ensure this all resources need a name field and the schema URL has to be an https and not http URL. ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-09-13 15:48:50 +02:00			`"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",`
			`"contentVersion": "1.0.0.0",`
			`"resources": [`
			`{`
			`"name": "networkSecurityGroups/example",`
			`"type": "Microsoft.Network/networkSecurityGroups/securityRules",`
			`"apiVersion": "2022-11-01",`
			`"properties": {`
			`"protocol": "*",`
			`"destinationPortRange": "*",`
			`"sourceAddressPrefix": "*",`
			`"access": "Allow",`
			`"direction": "Inbound"`
			`}`
			`}`
			`]`
Create rule S6321: Add language AzureResourceManager (and education format) (#1877) 2023-05-16 08:47:16 +02:00			`}`
			`----`

Modify rule S6321: Add language AzureResourceManager (Bicep) (#2781) 2023-08-10 13:54:24 +02:00			`[source,bicep,diff-id=2,diff-type=noncompliant]`
			`----`
			`resource securityRules 'Microsoft.Network/networkSecurityGroups/securityRules@2022-11-01' = {`
			`name: 'securityRules'`
			`properties: {`
			`direction: 'Inbound'`
			`access: 'Allow'`
			`protocol: '*'`
			`destinationPortRange: '*'`
			`sourceAddressPrefix: '*'`
			`}`
			`}`
			`----`

Create rule S6321: Add language AzureResourceManager (and education format) (#1877) 2023-05-16 08:47:16 +02:00			`==== Compliant solution`

			`[source,json,diff-id=1,diff-type=compliant]`
			`----`
			`{`
Arm/make examples schema compliant (#3047) This PR changes the JSON examples for ARM rules to make sure that the code samples will be scanned by sonar-iac-plugin. To ensure this all resources need a name field and the schema URL has to be an https and not http URL. ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-09-13 15:48:50 +02:00			`"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",`
			`"contentVersion": "1.0.0.0",`
			`"resources": [`
			`{`
			`"name": "networkSecurityGroups/example",`
			`"type": "Microsoft.Network/networkSecurityGroups/securityRules",`
			`"apiVersion": "2022-11-01",`
			`"properties": {`
			`"protocol": "*",`
			`"destinationPortRange": "22",`
			`"sourceAddressPrefix": "10.0.0.0/24",`
			`"access": "Allow",`
			`"direction": "Inbound"`
			`}`
			`}`
			`]`
Create rule S6321: Add language AzureResourceManager (and education format) (#1877) 2023-05-16 08:47:16 +02:00			`}`
			`----`

Modify rule S6321: Add language AzureResourceManager (Bicep) (#2781) 2023-08-10 13:54:24 +02:00			`[source,bicep,diff-id=2,diff-type=compliant]`
			`----`
			`resource securityRules 'Microsoft.Network/networkSecurityGroups/securityRules@2022-11-01' = {`
			`name: 'securityRules'`
			`properties: {`
			`direction: 'Inbound'`
			`access: 'Allow'`
			`protocol: '*'`
			`destinationPortRange: '22'`
			`sourceAddressPrefix: '10.0.0.0/24'`
			`}`
			`}`
			`----`

Create rule S6321: Add language AzureResourceManager (and education format) (#1877) 2023-05-16 08:47:16 +02:00			`== Resources`

			`include::../common/resources/docs.adoc[]`

			`include::../common/resources/articles.adoc[]`

			`include::../common/resources/presentations.adoc[]`

			`include::../common/resources/standards.adoc[]`


			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`'''`
Validate asciidoc ifdef/endif (#3311) Fix kotlin:S6511 2023-10-18 11:43:40 +02:00
			`endif::env-github,rspecator-view[]`