rspec/rules/S6321/terraform/rule.adoc

include::../description.adoc[]

include::../recommended.adoc[]

== Noncompliant Code Example

An ingress rule allowing all inbound SSH traffic for AWS:

[source,terraform]
----
resource "aws_security_group" "noncompliant" {
  name        = "allow_ssh_noncompliant"
  description = "allow_ssh_noncompliant"
  vpc_id      = aws_vpc.main.id

  ingress {
    description      = "SSH rule"
    from_port        = 22
    to_port          = 22
    protocol         = "tcp"
    cidr_blocks      = ["0.0.0.0/0"]  # Noncompliant
  }
}
----

A security rule allowing all inbound SSH traffic for Azure:

[source,terraform]
----
resource "azurerm_network_security_rule" "noncompliant" {
  priority                    = 100
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "22"
  source_address_prefix       = "*"  # Noncompliant
  destination_address_prefix  = "*"
}
----

A firewall rule allowing all inbound SSH traffic for GCP:

[source,terraform]
----
resource "google_compute_firewall" "noncompliant" {
  network = google_compute_network.default.name

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = ["0.0.0.0/0"]  # Noncompliant
}
----

A security rule allowing all inbound SSH traffic for Azure:

[source,terraform]
----
resource "azurerm_network_security_rule" "noncompliant" {
  priority                    = 100
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "22"
  source_address_prefix       = "*"  # Noncompliant
  destination_address_prefix  = "*"
}
----

== Compliant Solution

An ingress rule allowing inbound SSH traffic from specific IP addresses for AWS:

[source,terraform]
----
resource "aws_security_group" "compliant" {
  name        = "allow_ssh_compliant"
  description = "allow_ssh_compliant"
  vpc_id      = aws_vpc.main.id

  ingress {
    description      = "SSH rule"
    from_port        = 22
    to_port          = 22
    protocol         = "tcp"
    cidr_blocks      = ["1.2.3.0/24"]
  }
}
----

A security rule allowing inbound SSH traffic from specific IP addresses for Azure:


[source,terraform]
----
resource "azurerm_network_security_rule" "compliant" {
  priority                    = 100
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "22"
  source_address_prefix       = "1.2.3.0"
  destination_address_prefix  = "*"
}
----

A firewall rule allowing inbound SSH traffic from specific IP addresses for GCP:

[source,terraform]
----
resource "google_compute_firewall" "compliant" {
  network = google_compute_network.default.name

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = ["10.0.0.1/32"]
}
----
include::../see.adoc[]
Create rule S6321: Administration services access should be restricted to specific IP addresses (#188) * Create rule S6321 * init S6321 * adjust title to follow guidelines * fix incorrect CWE link * some fixes * fix cis category * fix after review Co-authored-by: eric-therond-sonarsource <eric-therond-sonarsource@users.noreply.github.com> Co-authored-by: eric-therond-sonarsource <eric.therond@sonarsource.com> 2021-09-15 08:10:36 +00:00			`include::../description.adoc[]`

			`include::../recommended.adoc[]`

			`== Noncompliant Code Example`

Modify rule S6321: Turn into generic rule (#649) * Remove AWS specific words * Add Azure code samples * Add Azure link * Add missing tags * Update description * Fix asciidoc and metadata Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <nils.werner@sonarsource.com> 2022-02-07 11:08:29 +01:00			`An ingress rule allowing all inbound SSH traffic for AWS:`
Create rule S6321: Administration services access should be restricted to specific IP addresses (#188) * Create rule S6321 * init S6321 * adjust title to follow guidelines * fix incorrect CWE link * some fixes * fix cis category * fix after review Co-authored-by: eric-therond-sonarsource <eric-therond-sonarsource@users.noreply.github.com> Co-authored-by: eric-therond-sonarsource <eric.therond@sonarsource.com> 2021-09-15 08:10:36 +00:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,terraform]`
Create rule S6321: Administration services access should be restricted to specific IP addresses (#188) * Create rule S6321 * init S6321 * adjust title to follow guidelines * fix incorrect CWE link * some fixes * fix cis category * fix after review Co-authored-by: eric-therond-sonarsource <eric-therond-sonarsource@users.noreply.github.com> Co-authored-by: eric-therond-sonarsource <eric.therond@sonarsource.com> 2021-09-15 08:10:36 +00:00			`----`
			`resource "aws_security_group" "noncompliant" {`
			`name = "allow_ssh_noncompliant"`
			`description = "allow_ssh_noncompliant"`
			`vpc_id = aws_vpc.main.id`

			`ingress {`
			`description = "SSH rule"`
			`from_port = 22`
Modify rule S6321: Turn into generic rule (#649) * Remove AWS specific words * Add Azure code samples * Add Azure link * Add missing tags * Update description * Fix asciidoc and metadata Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <nils.werner@sonarsource.com> 2022-02-07 11:08:29 +01:00			`to_port = 22`
Create rule S6321: Administration services access should be restricted to specific IP addresses (#188) * Create rule S6321 * init S6321 * adjust title to follow guidelines * fix incorrect CWE link * some fixes * fix cis category * fix after review Co-authored-by: eric-therond-sonarsource <eric-therond-sonarsource@users.noreply.github.com> Co-authored-by: eric-therond-sonarsource <eric.therond@sonarsource.com> 2021-09-15 08:10:36 +00:00			`protocol = "tcp"`
Modify rule S6321: Turn into generic rule (#649) * Remove AWS specific words * Add Azure code samples * Add Azure link * Add missing tags * Update description * Fix asciidoc and metadata Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <nils.werner@sonarsource.com> 2022-02-07 11:08:29 +01:00			`cidr_blocks = ["0.0.0.0/0"] # Noncompliant`
Create rule S6321: Administration services access should be restricted to specific IP addresses (#188) * Create rule S6321 * init S6321 * adjust title to follow guidelines * fix incorrect CWE link * some fixes * fix cis category * fix after review Co-authored-by: eric-therond-sonarsource <eric-therond-sonarsource@users.noreply.github.com> Co-authored-by: eric-therond-sonarsource <eric.therond@sonarsource.com> 2021-09-15 08:10:36 +00:00			`}`
			`}`
			`----`

Modify rule S6321: Turn into generic rule (#649) * Remove AWS specific words * Add Azure code samples * Add Azure link * Add missing tags * Update description * Fix asciidoc and metadata Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <nils.werner@sonarsource.com> 2022-02-07 11:08:29 +01:00			`A security rule allowing all inbound SSH traffic for Azure:`

			`[source,terraform]`
			`----`
			`resource "azurerm_network_security_rule" "noncompliant" {`
			`priority = 100`
			`direction = "Inbound"`
			`access = "Allow"`
			`protocol = "Tcp"`
			`source_port_range = "*"`
			`destination_port_range = "22"`
			`source_address_prefix = "*" # Noncompliant`
			`destination_address_prefix = "*"`
			`}`
			`----`

Modify rule S6321: Add GCP examples (#689) * Remove AWS specific words * Add Azure code samples * Add Azure link * Add missing tags * Add samples * Update rules/S6321/metadata.json Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> * Update rules/S6321/terraform/metadata.json Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> * Remove AWS tag * Make description more generic * Update rules/S6321/description.adoc Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> * Remove GCP tag * Update rules/S6321/see.adoc Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> * Remove Azure tag Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2022-02-11 09:19:08 +01:00			`A firewall rule allowing all inbound SSH traffic for GCP:`

			`[source,terraform]`
			`----`
			`resource "google_compute_firewall" "noncompliant" {`
			`network = google_compute_network.default.name`

			`allow {`
			`protocol = "tcp"`
			`ports = ["22"]`
			`}`

			`source_ranges = ["0.0.0.0/0"] # Noncompliant`
			`}`
			`----`

			`A security rule allowing all inbound SSH traffic for Azure:`

			`[source,terraform]`
			`----`
			`resource "azurerm_network_security_rule" "noncompliant" {`
			`priority = 100`
			`direction = "Inbound"`
			`access = "Allow"`
			`protocol = "Tcp"`
			`source_port_range = "*"`
			`destination_port_range = "22"`
			`source_address_prefix = "*" # Noncompliant`
			`destination_address_prefix = "*"`
			`}`
			`----`

Create rule S6321: Administration services access should be restricted to specific IP addresses (#188) * Create rule S6321 * init S6321 * adjust title to follow guidelines * fix incorrect CWE link * some fixes * fix cis category * fix after review Co-authored-by: eric-therond-sonarsource <eric-therond-sonarsource@users.noreply.github.com> Co-authored-by: eric-therond-sonarsource <eric.therond@sonarsource.com> 2021-09-15 08:10:36 +00:00			`== Compliant Solution`

Modify rule S6321: Turn into generic rule (#649) * Remove AWS specific words * Add Azure code samples * Add Azure link * Add missing tags * Update description * Fix asciidoc and metadata Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <nils.werner@sonarsource.com> 2022-02-07 11:08:29 +01:00			`An ingress rule allowing inbound SSH traffic from specific IP addresses for AWS:`
Create rule S6321: Administration services access should be restricted to specific IP addresses (#188) * Create rule S6321 * init S6321 * adjust title to follow guidelines * fix incorrect CWE link * some fixes * fix cis category * fix after review Co-authored-by: eric-therond-sonarsource <eric-therond-sonarsource@users.noreply.github.com> Co-authored-by: eric-therond-sonarsource <eric.therond@sonarsource.com> 2021-09-15 08:10:36 +00:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,terraform]`
Create rule S6321: Administration services access should be restricted to specific IP addresses (#188) * Create rule S6321 * init S6321 * adjust title to follow guidelines * fix incorrect CWE link * some fixes * fix cis category * fix after review Co-authored-by: eric-therond-sonarsource <eric-therond-sonarsource@users.noreply.github.com> Co-authored-by: eric-therond-sonarsource <eric.therond@sonarsource.com> 2021-09-15 08:10:36 +00:00			`----`
			`resource "aws_security_group" "compliant" {`
			`name = "allow_ssh_compliant"`
			`description = "allow_ssh_compliant"`
			`vpc_id = aws_vpc.main.id`

			`ingress {`
			`description = "SSH rule"`
			`from_port = 22`
			`to_port = 22`
			`protocol = "tcp"`
Modify rule S6321: Turn into generic rule (#649) * Remove AWS specific words * Add Azure code samples * Add Azure link * Add missing tags * Update description * Fix asciidoc and metadata Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <nils.werner@sonarsource.com> 2022-02-07 11:08:29 +01:00			`cidr_blocks = ["1.2.3.0/24"]`
Create rule S6321: Administration services access should be restricted to specific IP addresses (#188) * Create rule S6321 * init S6321 * adjust title to follow guidelines * fix incorrect CWE link * some fixes * fix cis category * fix after review Co-authored-by: eric-therond-sonarsource <eric-therond-sonarsource@users.noreply.github.com> Co-authored-by: eric-therond-sonarsource <eric.therond@sonarsource.com> 2021-09-15 08:10:36 +00:00			`}`
			`}`
			`----`

Modify rule S6321: Turn into generic rule (#649) * Remove AWS specific words * Add Azure code samples * Add Azure link * Add missing tags * Update description * Fix asciidoc and metadata Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <nils.werner@sonarsource.com> 2022-02-07 11:08:29 +01:00			`A security rule allowing inbound SSH traffic from specific IP addresses for Azure:`

Modify rule S6321: Add GCP examples (#689) * Remove AWS specific words * Add Azure code samples * Add Azure link * Add missing tags * Add samples * Update rules/S6321/metadata.json Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> * Update rules/S6321/terraform/metadata.json Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> * Remove AWS tag * Make description more generic * Update rules/S6321/description.adoc Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> * Remove GCP tag * Update rules/S6321/see.adoc Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> * Remove Azure tag Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2022-02-11 09:19:08 +01:00
Modify rule S6321: Turn into generic rule (#649) * Remove AWS specific words * Add Azure code samples * Add Azure link * Add missing tags * Update description * Fix asciidoc and metadata Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <nils.werner@sonarsource.com> 2022-02-07 11:08:29 +01:00			`[source,terraform]`
			`----`
			`resource "azurerm_network_security_rule" "compliant" {`
			`priority = 100`
			`direction = "Inbound"`
			`access = "Allow"`
			`protocol = "Tcp"`
			`source_port_range = "*"`
			`destination_port_range = "22"`
			`source_address_prefix = "1.2.3.0"`
			`destination_address_prefix = "*"`
			`}`
			`----`

Modify rule S6321: Add GCP examples (#689) * Remove AWS specific words * Add Azure code samples * Add Azure link * Add missing tags * Add samples * Update rules/S6321/metadata.json Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> * Update rules/S6321/terraform/metadata.json Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> * Remove AWS tag * Make description more generic * Update rules/S6321/description.adoc Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> * Remove GCP tag * Update rules/S6321/see.adoc Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> * Remove Azure tag Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2022-02-11 09:19:08 +01:00			`A firewall rule allowing inbound SSH traffic from specific IP addresses for GCP:`

			`[source,terraform]`
			`----`
			`resource "google_compute_firewall" "compliant" {`
			`network = google_compute_network.default.name`

			`allow {`
			`protocol = "tcp"`
			`ports = ["22"]`
			`}`

			`source_ranges = ["10.0.0.1/32"]`
			`}`
			`----`
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`include::../see.adoc[]`