rspec/rules/S6281/terraform/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

By default, when not set, the ``++aws_s3_bucket_public_access_block++`` is fully deactivated (nothing is blocked):

[source,terraform]
----
resource "aws_s3_bucket" "example" { # Sensitive: no Public Access Block defined for this bucket
  bucket = "example"
}
----

This ``++aws_s3_bucket_public_access_block++`` allows public ACL to be set:

[source,terraform]
----
resource "aws_s3_bucket" "example" {  # Sensitive
  bucket = "examplename"
}

resource "aws_s3_bucket_public_access_block" "example-public-access-block" {
  bucket = aws_s3_bucket.example.id

  block_public_acls       = false # should be true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

----

== Compliant Solution

This ``++aws_s3_bucket_public_access_block++`` blocks public ACLs and policies, ignores existing public ACLs and restricts existing public policies:

[source,terraform]
----
resource "aws_s3_bucket" "example" {
  bucket = "example"
}

resource "aws_s3_bucket_public_access_block" "example-public-access-block" {
  bucket = aws_s3_bucket.example.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

* Primary locations
** Make sure allowing public ACL/policies to be set is safe here.
** No Public Access Block configuration prevents public ACL/policies to be set on this S3 bucket. Make sure it is safe here.
* Secondary location
** Set this property to true
** Related bucket


=== Highlighting

* Primary locations
** aws_s3_bucket_public_access_block
** aws_s3_bucket resource
* Secondary location
** block_public_acls, block_public_policy, ignore_public_acls, restrict_public_buckets properties set to false
** aws_s3_bucket resource


endif::env-github,rspecator-view[]
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			By default, when not set, the ``++aws_s3_bucket_public_access_block++`` is fully deactivated (nothing is blocked):

Modify rule S6281: Update issue messages (#884) * Add messages and highlighting * Update code examples Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2022-03-25 14:41:52 +01:00			`[source,terraform]`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`----`
Modify rule S6281: Update issue messages (#884) * Add messages and highlighting * Update code examples Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2022-03-25 14:41:52 +01:00			`resource "aws_s3_bucket" "example" { # Sensitive: no Public Access Block defined for this bucket`
			`bucket = "example"`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`}`
			`----`

			This ``++aws_s3_bucket_public_access_block++`` allows public ACL to be set:

Modify rule S6281: Update issue messages (#884) * Add messages and highlighting * Update code examples Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2022-03-25 14:41:52 +01:00			`[source,terraform]`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`----`
Modify rule S6281: Update issue messages (#884) * Add messages and highlighting * Update code examples Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2022-03-25 14:41:52 +01:00			`resource "aws_s3_bucket" "example" { # Sensitive`
			`bucket = "examplename"`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`}`

Modify rule S6281: Update issue messages (#884) * Add messages and highlighting * Update code examples Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2022-03-25 14:41:52 +01:00			`resource "aws_s3_bucket_public_access_block" "example-public-access-block" {`
			`bucket = aws_s3_bucket.example.id`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00
			`block_public_acls = false # should be true`
			`block_public_policy = true`
			`ignore_public_acls = true`
			`restrict_public_buckets = true`
			`}`

			`----`

			`== Compliant Solution`

			This ``++aws_s3_bucket_public_access_block++`` blocks public ACLs and policies, ignores existing public ACLs and restricts existing public policies:

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,terraform]`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`----`
Modify rule S6281: Update issue messages (#884) * Add messages and highlighting * Update code examples Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2022-03-25 14:41:52 +01:00			`resource "aws_s3_bucket" "example" {`
			`bucket = "example"`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`}`

Modify rule S6281: Update issue messages (#884) * Add messages and highlighting * Update code examples Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2022-03-25 14:41:52 +01:00			`resource "aws_s3_bucket_public_access_block" "example-public-access-block" {`
			`bucket = aws_s3_bucket.example.id`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00
			`block_public_acls = true`
			`block_public_policy = true`
			`ignore_public_acls = true`
			`restrict_public_buckets = true`
			`}`
			`----`

			`include::../see.adoc[]`
Make sure that includes are always surrounded by empty lines (#2270) When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again. 2023-06-22 10:38:01 +02:00
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`* Primary locations`
			`** Make sure allowing public ACL/policies to be set is safe here.`
			`** No Public Access Block configuration prevents public ACL/policies to be set on this S3 bucket. Make sure it is safe here.`
			`* Secondary location`
			`** Set this property to true`
			`** Related bucket`


			`=== Highlighting`

			`* Primary locations`
			`** aws_s3_bucket_public_access_block`
			`** aws_s3_bucket resource`
			`* Secondary location`
			`** block_public_acls, block_public_policy, ignore_public_acls, restrict_public_buckets properties set to false`
			`** aws_s3_bucket resource`
Modify rule S6281: Update issue messages (#884) * Add messages and highlighting * Update code examples Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2022-03-25 14:41:52 +01:00
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`endif::env-github,rspecator-view[]`