rspec/rules/S4423/terraform/rule.adoc

include::../summary.adoc[]

== Why is this an issue?

include::../rationale.adoc[]

include::../impact.adoc[]

// How to fix it section

include::how-to-fix-it/aws-api-gateway.adoc[]

include::how-to-fix-it/aws-opensearch.adoc[]

include::how-to-fix-it/azure-databases.adoc[]

include::how-to-fix-it/azure-storage-account.adoc[]

include::how-to-fix-it/gcp-lb.adoc[]


== Resources

include::../common/resources/docs.adoc[]

include::../common/resources/articles.adoc[]

include::../common/resources/presentations.adoc[]

include::../common/resources/standards-iac.adoc[]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

==== AWS

For `aws_elasticsearch_domain`:

* If `tls_security_policy` is specified but has the wrong value
** Change this code to disable support of older TLS versions.
* If `domain_endpoint_options` is specified but does not contain `tls_security_policy`
** Set "tls_security_policy" to disable support of older TLS versions.
* If resource if `domain_endpoint_options` is not specified at all
** Set "domain_endpoint_options.tls_security_policy" to disable support of older TLS versions.

For `aws_api_gateway_domain_name`:

* If `security_policy` is specified but has the wrong value
** Change this code to disable support of older TLS versions.
* If resource if `security_policy` is not specified at all
** Set "security_policy" to disable support of older TLS versions.

For `aws_apigatewayv2_domain_name`:

* If `security_policy` is specified but has the wrong value
** Change this code to disable support of older TLS versions.
* If `domain_name_configuration` is specified but does not contain `security_policy`
** Set "security_policy" to disable support of older TLS versions.
* If resource if `domain_name_configuration` is not specified at all
** Set "domain_name_configuration.security_policy" to disable support of older TLS versions.

==== GCP

For `google_compute_ssl_policy`:

* If `min_tls_version` is specified but has the wrong value
** Change this code to disable support of older TLS versions.

* If `min_tls_version` is not specified at all
** Set "min_tls_version" to disable support of older TLS versions.


=== Highlighting

==== AWS

For `aws_elasticsearch_domain`:

* Highlight `tls_security_policy` if it is specified but has the wrong value
* Highlight `domain_endpoint_options` if it is specified but does not contain `tls_security_policy`
* Highlight resource if `domain_endpoint_options` is not specified at all

For `aws_api_gateway_domain_name`:

* Highlight `security_policy` if it is specified but has the wrong value
* Highlight resource if `security_policy` is not specified at all

For `aws_apigatewayv2_domain_name`:

* Highlight `security_policy` if it is specified but has the wrong value
* Highlight `domain_name_configuration` if it is specified but does not contain `security_policy`
* Highlight resource if `domain_name_configuration` is not specified at all

==== GCP

For `google_compute_ssl_policy`:

* Highlight `min_tls_version` if it is specified but has the wrong value
* Highlight resource if `min_tls_version` is not specified at all


'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]
Modify S4423: Learn-As-You-Code Migration (#2097) Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> 2023-06-20 17:36:01 +02:00			`include::../summary.adoc[]`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

Modify S4423: Learn-As-You-Code Migration (#2097) Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> 2023-06-20 17:36:01 +02:00			`include::../rationale.adoc[]`

			`include::../impact.adoc[]`

			`// How to fix it section`
Make sure that includes are always surrounded by empty lines (#2270) When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again. 2023-06-22 10:38:01 +02:00
Modify S4423: Learn-As-You-Code Migration (#2097) Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> 2023-06-20 17:36:01 +02:00			`include::how-to-fix-it/aws-api-gateway.adoc[]`

			`include::how-to-fix-it/aws-opensearch.adoc[]`

Modify rule S4423: Add "How to fix" sections for all Azure resources (APPSEC-383) (#2676) Co-authored-by: sebastien-andrivet-sonarsource <138577785+sebastien-andrivet-sonarsource@users.noreply.github.com> Co-authored-by: Peter Trifanov <peter.trifanov@sonarsource.com> 2024-05-22 16:35:51 +02:00			`include::how-to-fix-it/azure-databases.adoc[]`

			`include::how-to-fix-it/azure-storage-account.adoc[]`
Modify S4423(Azure): Add MSSQL sample (#2532) ## Review A dedicated reviewer checked the rule description successfully for: - [x] logical errors and incorrect information - [x] information gaps and missing content - [x] text style and tone - [x] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-07-20 16:09:48 +02:00
Modify S4423: Learn-As-You-Code Migration (#2097) Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> 2023-06-20 17:36:01 +02:00			`include::how-to-fix-it/gcp-lb.adoc[]`


			`== Resources`

			`include::../common/resources/docs.adoc[]`

			`include::../common/resources/articles.adoc[]`

			`include::../common/resources/presentations.adoc[]`

Update security rules: add OWASP Mobile Top 10 2024 security standard (APPSEC-2383) (#4660) 2025-02-19 17:19:00 +01:00			`include::../common/resources/standards-iac.adoc[]`
Modify S4423: Learn-As-You-Code Migration (#2097) Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> 2023-06-20 17:36:01 +02:00
Create rule S4423[terraform]: Add AWS API Gateway Domain Name (#456) * Add terraform to rule S4423 * Add terraform * Include main description * Improve description * Update rules/S4423/description.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S4423/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Add highlight * Add aws_api_gatewayv2_domain_name example * Add highlight * Change noncompliant api gateway v2 * Fix wrong apigatewayv2 name * Add code sample introduction Co-authored-by: hendrik-buchwald-sonarsource <hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Hendrik Buchwald <hendrik.buchwald@sonarsource.com> Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2021-11-08 09:10:28 +00:00
			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`==== AWS`

			For `aws_elasticsearch_domain`:

			* If `tls_security_policy` is specified but has the wrong value
			`** Change this code to disable support of older TLS versions.`
			* If `domain_endpoint_options` is specified but does not contain `tls_security_policy`
			`** Set "tls_security_policy" to disable support of older TLS versions.`
			* If resource if `domain_endpoint_options` is not specified at all
			`** Set "domain_endpoint_options.tls_security_policy" to disable support of older TLS versions.`

			For `aws_api_gateway_domain_name`:

			* If `security_policy` is specified but has the wrong value
			`** Change this code to disable support of older TLS versions.`
			* If resource if `security_policy` is not specified at all
			`** Set "security_policy" to disable support of older TLS versions.`

			For `aws_apigatewayv2_domain_name`:

			* If `security_policy` is specified but has the wrong value
			`** Change this code to disable support of older TLS versions.`
			* If `domain_name_configuration` is specified but does not contain `security_policy`
			`** Set "security_policy" to disable support of older TLS versions.`
			* If resource if `domain_name_configuration` is not specified at all
			`** Set "domain_name_configuration.security_policy" to disable support of older TLS versions.`

			`==== GCP`

			For `google_compute_ssl_policy`:

			* If `min_tls_version` is specified but has the wrong value
			`** Change this code to disable support of older TLS versions.`

			* If `min_tls_version` is not specified at all
			`** Set "min_tls_version" to disable support of older TLS versions.`


			`=== Highlighting`

			`==== AWS`

			For `aws_elasticsearch_domain`:

			* Highlight `tls_security_policy` if it is specified but has the wrong value
			* Highlight `domain_endpoint_options` if it is specified but does not contain `tls_security_policy`
			* Highlight resource if `domain_endpoint_options` is not specified at all

			For `aws_api_gateway_domain_name`:

			* Highlight `security_policy` if it is specified but has the wrong value
			* Highlight resource if `security_policy` is not specified at all

			For `aws_apigatewayv2_domain_name`:

			* Highlight `security_policy` if it is specified but has the wrong value
			* Highlight `domain_name_configuration` if it is specified but does not contain `security_policy`
			* Highlight resource if `domain_name_configuration` is not specified at all

			`==== GCP`

			For `google_compute_ssl_policy`:

			* Highlight `min_tls_version` if it is specified but has the wrong value
			* Highlight resource if `min_tls_version` is not specified at all
Create rule S4423[terraform]: Add AWS API Gateway Domain Name (#456) * Add terraform to rule S4423 * Add terraform * Include main description * Improve description * Update rules/S4423/description.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S4423/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Add highlight * Add aws_api_gatewayv2_domain_name example * Add highlight * Change noncompliant api gateway v2 * Fix wrong apigatewayv2 name * Add code sample introduction Co-authored-by: hendrik-buchwald-sonarsource <hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Hendrik Buchwald <hendrik.buchwald@sonarsource.com> Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2021-11-08 09:10:28 +00:00

Modify S4423: Learn-As-You-Code Migration (#2097) Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> 2023-06-20 17:36:01 +02:00
Create rule S4423[terraform]: Add AWS API Gateway Domain Name (#456) * Add terraform to rule S4423 * Add terraform * Include main description * Improve description * Update rules/S4423/description.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S4423/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Add highlight * Add aws_api_gatewayv2_domain_name example * Add highlight * Change noncompliant api gateway v2 * Fix wrong apigatewayv2 name * Add code sample introduction Co-authored-by: hendrik-buchwald-sonarsource <hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Hendrik Buchwald <hendrik.buchwald@sonarsource.com> Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2021-11-08 09:10:28 +00:00			`'''`
			`== Comments And Links`
			`(visible only on this page)`

			`include::../comments-and-links.adoc[]`
Make sure that includes are always surrounded by empty lines (#2270) When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again. 2023-06-22 10:38:01 +02:00
Create rule S4423[terraform]: Add AWS API Gateway Domain Name (#456) * Add terraform to rule S4423 * Add terraform * Include main description * Improve description * Update rules/S4423/description.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S4423/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Add highlight * Add aws_api_gatewayv2_domain_name example * Add highlight * Change noncompliant api gateway v2 * Fix wrong apigatewayv2 name * Add code sample introduction Co-authored-by: hendrik-buchwald-sonarsource <hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Hendrik Buchwald <hendrik.buchwald@sonarsource.com> Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2021-11-08 09:10:28 +00:00			`endif::env-github,rspecator-view[]`