include::../description.adoc[]
Create rule S6380[terraform]: Authorizing anonymous access to Azure resources is security-sensitive (#574) * Create rule S6380 * Disabling authentication is security-sensitive * Add Sensitive Keyword * Add Security Standards References * Add Message.adoc * Clarified everything * refreshed metadata * Update rules/S6380/terraform/rule.adoc * Update rules/S6380/terraform/rule.adoc * Update rules/S6380/terraform/rule.adoc * last update : removed cert auth, add redis infos and highlights * replaced ad auth with app service auth * Update rules/S6380/terraform/rule.adoc * Update rules/S6380/terraform/rule.adoc * added owasp 2017 * improved title * Update rules/S6380/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * added secdev reco about anonymous access * Completed rule description * add last tweaks * Update rules/S6380/terraform/metadata.json * Update rules/S6380/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * applied recommendations * Update rules/S6380/terraform/rule.adoc * Update rules/S6380/terraform/rule.adoc * Update rules/S6380/terraform/rule.adoc * Update rules/S6380/terraform/rule.adoc * Update rules/S6380/terraform/rule.adoc * Update rules/S6380/terraform/metadata.json * Add missing prefix to azurerm_data_factory_linked_service_odata * Fix typo in basic_authentication Co-authored-by: loris-s-sonarsource <loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com> Co-authored-by: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com>
2022-01-10 14:46:04 +00:00
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
For https://azure.microsoft.com/en-us/services/app-service/[App Services and equivalent]:
[source,terraform,diff-id=1,diff-type=noncompliant]
----
resource "azurerm_function_app" "example" {
  name = "example"

  auth_settings {
    enabled = false # Sensitive
  }

  auth_settings {
    enabled                       = true
    unauthenticated_client_action = "AllowAnonymous" # Sensitive
  }
}
----
For https://azure.microsoft.com/en-us/services/api-management/[API Management]:
[source,terraform,diff-id=2,diff-type=noncompliant]
----
resource "azurerm_api_management_api" "example" { # Sensitive, the openid_authentication block is missing
  name = "example-api"
}

resource "azurerm_api_management" "example" {
  sign_in {
    enabled = false # Sensitive
  }
}
----
For https://azure.microsoft.com/en-us/services/data-factory/[Data Factory] Linked Services:
[source,terraform,diff-id=3,diff-type=noncompliant]
----
resource "azurerm_data_factory_linked_service_sftp" "example" {
  authentication_type = "Anonymous" # Sensitive
}
----
For https://azure.microsoft.com/en-us/product-categories/storage/[Storage Accounts]:
[source,terraform,diff-id=4,diff-type=noncompliant]
----
resource "azurerm_storage_account" "example" {
  allow_blob_public_access = true # Sensitive
}

resource "azurerm_storage_container" "example" {
  container_access_type = "blob" # Sensitive
}
----
For https://azure.microsoft.com/en-us/services/cache/[Redis Caches]:
[source,terraform,diff-id=5,diff-type=noncompliant]
----
resource "azurerm_redis_cache" "example" {
  name = "example-cache"

  redis_configuration {
    enable_authentication = false # Sensitive
  }
}
----
== Compliant Solution
For https://azure.microsoft.com/en-us/services/app-service/[App Services and equivalent]:
[source,terraform,diff-id=1,diff-type=compliant]
----
resource "azurerm_function_app" "example" {
  name = "example"

  auth_settings {
    enabled                       = true
    unauthenticated_client_action = "RedirectToLoginPage"
  }
}
----
For https://azure.microsoft.com/en-us/services/api-management/[API Management]:
[source,terraform,diff-id=2,diff-type=compliant]
----
resource "azurerm_api_management_api" "example" {
  name = "example-api"

  openid_authentication {
    openid_provider_name = azurerm_api_management_openid_connect_provider.example.name
  }
}

resource "azurerm_api_management" "example" {
  sign_in {
    enabled = true
  }
}
----
For https://azure.microsoft.com/en-us/services/data-factory/[Data Factory] Linked Services:
[source,terraform,diff-id=3,diff-type=compliant]
----
resource "azurerm_data_factory_linked_service_sftp" "example" {
  authentication_type = "Basic"
  username            = local.creds.username
  password            = local.creds.password
}

resource "azurerm_data_factory_linked_service_odata" "example" {
  basic_authentication {
    username = local.creds.username
    password = local.creds.password
  }
}
----
For https://azure.microsoft.com/en-us/product-categories/storage/[Storage Accounts]:
[source,terraform,diff-id=4,diff-type=compliant]
----
resource "azurerm_storage_account" "example" {
  allow_blob_public_access = false
}

resource "azurerm_storage_container" "example" {
  container_access_type = "private"
}
----
For https://azure.microsoft.com/en-us/services/cache/[Redis Caches]:
[source,terraform,diff-id=5,diff-type=compliant]
----
resource "azurerm_redis_cache" "example" {
  name = "example-cache"

  redis_configuration {
    enable_authentication = true
  }
}
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
* For App Service and equivalent resources:
** If the ``auth_settings`` block is missing: Omitting ``auth_settings`` disables authentication. Make sure it is safe here.
** If ``auth_settings->enabled = false``: Make sure that disabling authentication is safe here.
** If ``auth_settings->unauthenticated_client_action = "AllowAnonymous"``: Make sure that authorizing anonymous access is safe here.
* For ``api_management_api``: Omitting ``openid_authentication`` disables authentication. Make sure it is safe here.
* For ``api_management`` resources:
** If the ``sign_in`` block is missing: Omitting ``sign_in`` authorizes anonymous access. Make sure it is safe here.
** If ``sign_in->enabled = false``: Make sure that giving anonymous access without enforcing sign-in is safe here.
* For ``data_factory_linked_service_odata``: Omitting the ``basic_authentication`` block disables authentication. Make sure it is safe here.
* For ``data_factory_linked_service_sftp`` and ``data_factory_linked_service_web``: Make sure that authorizing anonymous access is safe here.
* For ``redis_cache``: Make sure that disabling authentication is safe here.
* For ``storage_account``: Make sure that authorizing potential anonymous access is safe here.
* For ``storage_container``: Make sure that authorizing potential anonymous access is safe here.

Note: App Service and equivalent resources:
* ``app_service``
* ``app_service_slot``
* ``function_app``
* ``function_app_slot``
* ``linux_web_app``
* ``windows_web_app``
=== Highlighting
* For App Service and equivalents:
** Highlight the resource if the ``auth_settings`` block is missing
** Highlight ``auth_settings->enabled = false`` regardless of ``auth_settings->unauthenticated_client_action``
** Highlight ``auth_settings->unauthenticated_client_action = "AllowAnonymous"``
* For ``api_management_api``: Highlight the resource if the ``openid_authentication`` block is missing
* For ``api_management``:
** Highlight the resource if the ``sign_in`` block is missing
** Highlight ``sign_in->enabled = false``
* For ``data_factory_linked_service_odata``: Highlight the resource if the ``basic_authentication`` block is missing
* For ``data_factory_linked_service_sftp`` and ``data_factory_linked_service_web``: Highlight ``authentication_type = "Anonymous"``
* For ``redis_cache``: Highlight ``redis_configuration->enable_authentication = false``
* For ``storage_account``: Highlight ``allow_blob_public_access = true``
* For ``storage_container``: Highlight ``container_access_type`` when its value is not ``"private"`` (for example ``container_access_type = "blob"``)
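The message and highlighting logic above, written out as a runnable checker. This is an added example, not the SonarSource analyzer's code: it works on a constructed, simplified model of Terraform resources (attributes as dict entries, one nested block per name as a dict value) instead of parsed HCL, and treats an omitted ``container_access_type`` as ``"private"``, the provider default.

```python
"""Detection logic of rule S6380 (Terraform) as listed in the Implementation
Specification, applied to a simplified in-memory model of resources.
Added example, not the SonarSource analyzer. Constructed simplification:
attributes are dict entries and a nested block is a dict value (one block
per name), so no HCL parser is needed to run it."""

from dataclasses import dataclass

# "App Service and equivalent" resource types listed in the specification.
APP_SERVICE_TYPES = {
    "azurerm_app_service", "azurerm_app_service_slot",
    "azurerm_function_app", "azurerm_function_app_slot",
    "azurerm_linux_web_app", "azurerm_windows_web_app",
}
# Linked services whose authentication_type may be "Anonymous".
ANON_TYPE_SERVICES = {
    "azurerm_data_factory_linked_service_sftp",
    "azurerm_data_factory_linked_service_web",
}


@dataclass(frozen=True)
class Finding:
    resource: str   # "<type>.<name>"
    location: str   # highlighted attribute path, or "resource" for the whole block
    message: str


def check_resource(rtype, name, body):
    """Return the S6380 findings for one resource; body is its attribute dict."""
    findings = []

    def add(location, message):
        findings.append(Finding(f"{rtype}.{name}", location, message))

    if rtype in APP_SERVICE_TYPES:
        auth = body.get("auth_settings")
        if auth is None:
            add("resource", "Omitting auth_settings disables authentication. Make sure it is safe here.")
        else:
            # enabled = false is reported regardless of unauthenticated_client_action.
            if auth.get("enabled") is False:
                add("auth_settings.enabled", "Make sure that disabling authentication is safe here.")
            if auth.get("unauthenticated_client_action") == "AllowAnonymous":
                add("auth_settings.unauthenticated_client_action",
                    "Make sure that authorizing anonymous access is safe here.")
    elif rtype == "azurerm_api_management_api":
        if "openid_authentication" not in body:
            add("resource", "Omitting openid_authentication disables authentication. Make sure it is safe here.")
    elif rtype == "azurerm_api_management":
        sign_in = body.get("sign_in")
        if sign_in is None:
            add("resource", "Omitting sign_in authorizes anonymous access. Make sure it is safe here.")
        elif sign_in.get("enabled") is False:
            add("sign_in.enabled", "Make sure that giving anonymous access without enforcing sign-in is safe here.")
    elif rtype == "azurerm_data_factory_linked_service_odata":
        if "basic_authentication" not in body:
            add("resource", "Omitting the basic_authentication block disables authentication. Make sure it is safe here.")
    elif rtype in ANON_TYPE_SERVICES:
        if body.get("authentication_type") == "Anonymous":
            add("authentication_type", "Make sure that authorizing anonymous access is safe here.")
    elif rtype == "azurerm_redis_cache":
        if (body.get("redis_configuration") or {}).get("enable_authentication") is False:
            add("redis_configuration.enable_authentication", "Make sure that disabling authentication is safe here.")
    elif rtype == "azurerm_storage_account":
        if body.get("allow_blob_public_access") is True:
            add("allow_blob_public_access", "Make sure that authorizing potential anonymous access is safe here.")
    elif rtype == "azurerm_storage_container":
        # An omitted container_access_type is treated as "private" (the provider default).
        if body.get("container_access_type", "private") != "private":
            add("container_access_type", "Make sure that authorizing potential anonymous access is safe here.")
    return findings


def check_config(resources):
    """resources: iterable of (type, name, body) triples; returns all findings in order."""
    return [f for rtype, name, body in resources for f in check_resource(rtype, name, body)]


# Constructed sample mirroring the Sensitive Code Example, plus compliant counterparts.
SAMPLE = [
    ("azurerm_function_app", "sensitive", {"name": "example", "auth_settings": {"enabled": False}}),
    ("azurerm_function_app", "anonymous",
     {"auth_settings": {"enabled": True, "unauthenticated_client_action": "AllowAnonymous"}}),
    ("azurerm_function_app", "compliant",
     {"auth_settings": {"enabled": True, "unauthenticated_client_action": "RedirectToLoginPage"}}),
    ("azurerm_api_management_api", "sensitive", {"name": "example-api"}),
    ("azurerm_api_management", "sensitive", {"sign_in": {"enabled": False}}),
    ("azurerm_data_factory_linked_service_sftp", "sensitive", {"authentication_type": "Anonymous"}),
    ("azurerm_storage_account", "sensitive", {"allow_blob_public_access": True}),
    ("azurerm_storage_container", "sensitive", {"container_access_type": "blob"}),
    ("azurerm_storage_container", "compliant", {"container_access_type": "private"}),
    ("azurerm_redis_cache", "sensitive", {"redis_configuration": {"enable_authentication": False}}),
]

if __name__ == "__main__":
    for f in check_config(SAMPLE):
        print(f"{f.resource} [{f.location}]: {f.message}")
```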
endif::env-github,rspecator-view[]