ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6275/terraform/rule.adoc

71 lines
1.6 KiB
Plaintext
Raw Normal View History

Add new IAAS-related rules
2021-05-21 18:34:30 +02:00
== Sensitive Code Example
Terraform documentation: \https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume
----
resource "aws_ebs_volume" "foo_disabled" { # Sensitive: no "encrypted" entry provided
availability_zone = "us-west-2a"
size = 40
tags = {
Name = "HelloWorld"
}
}
----
----
resource "aws_ebs_encryption_by_default" "foo_disabled" {
enabled = false # Sensitive
}
----
----
resource "aws_launch_configuration" "foo-launch-config" { # Sensitive: no "encrypted" entry provided
}
resource "aws_launch_configuration" "foo-launch-config" {
root_block_device {
encrypted = true # OK
}
ebs_block_device {
encrypted = false # Sensitive
}
}
resource "aws_launch_configuration" "foo-launch-config" {
root_block_device {
encrypted = false # Sensitive: default is "false": https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#encrypted
}
ebs_block_device {
encrypted = false # Sensitive: default is "false": https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#encrypted
}
}
----
== Compliant Solution
----
resource "aws_ebs_volume" "foo_enabled" {
availability_zone = "us-west-2a"
size = 40
tags = {
Name = "HelloWorld"
}
encrypted = true # OK
}
----
----
resource "aws_ebs_encryption_by_default" "foo_enabled" {
enabled = true # OK
}
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_encryption_by_default#enabled
resource "aws_ebs_encryption_by_default" "foo_enabled" { # OK, default is "true"
}
----
Reference in New Issue Copy Permalink