rspec/rules/S6379/terraform/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

For https://docs.microsoft.com/en-us/azure/batch/nodes-and-pools#pools[Azure Batch Pools]:

[source,terraform,diff-id=1,diff-type=noncompliant]
----
resource "azurerm_batch_pool" "example" {
  name = "sensitive"

  start_task {
    user_identity {
      auto_user {
        elevation_level = "Admin" # Sensitive
        scope = "Task"
      }
    }
  }
}
----

For https://azure.microsoft.com/en-us/services/container-registry/[Azure Container Registries]:

[source,terraform,diff-id=2,diff-type=noncompliant]
----
resource "azurerm_container_registry" "example" {
  name = "example"
  admin_enabled = true # Sensitive
}
----

== Compliant Solution

For https://docs.microsoft.com/en-us/azure/batch/nodes-and-pools#pools[Azure Batch Pools]:

[source,terraform,diff-id=1,diff-type=compliant]
----
resource "azurerm_batch_pool" "example" {
  name = "example"

  start_task {
    user_identity {
      auto_user {
        elevation_level = "NonAdmin"
        scope = "Task"
      }
    }
  }
}
----

For https://azure.microsoft.com/en-us/services/container-registry/[Azure Container Registries]:

[source,terraform,diff-id=2,diff-type=compliant]
----
resource "azurerm_container_registry" "exemple" {
  name = "example"
  admin_enabled = false
}
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]


=== Highlighting

* For ``azurerm_batch_pool``, highlight ``elevation_level = "Admin"``.
* For ``azurerm_container_registry``, highlight ``admin_enabled = true``.

endif::env-github,rspecator-view[]