rspec/rules/S6258/terraform/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

For https://aws.amazon.com/s3/[Amazon S3 access requests]:

----
resource "aws_s3_bucket" "mynoncompliantbucket" { # Sensitive
  bucket = "mynoncompliantbucketname"
}
----

For https://aws.amazon.com/amazon-mq/[Amazon MQ]:

----
resource "aws_mq_broker" "broker" {
  logs {  # Sensitive
    audit = false
    general = false
  }
}
----

For https://aws.amazon.com/fr/documentdb/[Amazon DocumentDB]:

----
resource "aws_docdb_cluster" "docdb_omitting_logs" { # Sensitive
  cluster_identifier = "DB Cluster Without Logs"
}
----

For https://aws.amazon.com/redshift/[Amazon Redshift]:

----
resource "aws_redshift_cluster" "cluster" {
  cluster_identifier = "redshift-cluster"

  logging {
    enable = false # Sensitive
  }
}
----

For https://aws.amazon.com/global-accelerator/[Amazon Global Accelerator]:

----
resource "aws_globalaccelerator_accelerator" "accelerator" {
  attributes {
    flow_logs_enabled   = false  # Sensitive
    flow_logs_s3_bucket = "example-bucket"
    flow_logs_s3_prefix = "flow-logs/"
  }
}
----

For https://aws.amazon.com/opensearch-service/[Amazon OpenSearch] service, or Amazon Elasticsearch service:

----
resource "aws_elasticsearch_domain" "domain" {
  log_publishing_options {
    cloudwatch_log_group_arn = "arn:aws:logs:us-east-1:1234:log-group:es-audit-logs"
    log_type = "AUDIT_LOGS"
    enabled = false # Sensitive
  }
}
----

For https://aws.amazon.com/cloudfront/[Amazon CloudFront] distributions:

----
resource "aws_cloudfront_distribution" "cloudfront_distribution" { # Sensitive
  default_root_object = "index.html"
}
----

For both Amazon https://aws.amazon.com/elasticloadbalancing/classic-load-balancer/[Classic Load Balancing] and https://aws.amazon.com/elasticloadbalancing/application-load-balancer/[Application Load Balancing]:

----
resource "aws_lb" "load_balancer" {
  access_logs {
    enabled = false # Sensitive
    bucket = "mycompliantbucket"
    bucket_prefix = "log/lb-"
  }
}
----

== Compliant Solution

For https://aws.amazon.com/s3/[Amazon S3 access requests]:

----
resource "aws_s3_bucket" "myloggingbucket" { 
  bucket = "myloggingbucketname"
  acl    = "log-delivery-write"
}

resource "aws_s3_bucket" "mycompliantbucket" { # Compliant
  bucket = "mycompliantbucketname"

  logging {
      target_bucket = "myloggingbucketname"
      target_prefix = "log/mycompliantbucket"
  }
}
----


For https://aws.amazon.com/amazon-mq/[Amazon MQ] enable `audit` or `general`:

----
resource "aws_mq_broker" "broker" {
  logs {
    audit = true
    general = true
  }
}
----

For https://aws.amazon.com/fr/documentdb/[Amazon DocumentDB]:

----
resource "aws_docdb_cluster" "docdb_omitting_logs" {
  cluster_identifier = "DB Cluster With Logs"
  enabled_cloudwatch_logs_exports = ["audit"]
}
----

For https://aws.amazon.com/redshift/[Amazon Redshift]:

----
resource "aws_redshift_cluster" "cluster" {
  cluster_identifier = "compliant-redshift-cluster"
  logging {
    enable           = true
    bucket_name      = "infra_logs"
    s3_key_prefix    = "log/redshift-"
  }
}
----

For https://aws.amazon.com/global-accelerator/[Amazon Global Accelerator]:

----
resource "aws_globalaccelerator_accelerator" "accelerator" {
  attributes {
    flow_logs_enabled   = true
    flow_logs_s3_bucket = "example-bucket"
    flow_logs_s3_prefix = "flow-logs/"
  }
}
----

For https://aws.amazon.com/opensearch-service/[Amazon OpenSearch] service, or Amazon Elasticsearch service:

----
resource "aws_elasticsearch_domain" "domain" {
  log_publishing_options {
    cloudwatch_log_group_arn = "arn:aws:logs:us-east-1:1234:log-group:es-audit-logs"
    log_type = "AUDIT_LOGS"
    enabled = true
  }
}
----

For https://aws.amazon.com/cloudfront/[Amazon CloudFront] distributions:

----
resource "aws_cloudfront_distribution" "cloudfront_distribution" {
  default_root_object = "index.html"
  logging_config {
    bucket          = "mycompliantbucketname"
    prefix          = "log/cloudfront-"
  }
}
----

For both Amazon https://aws.amazon.com/elasticloadbalancing/classic-load-balancer/[Classic Load Balancing] and https://aws.amazon.com/elasticloadbalancing/application-load-balancer/[Application Load Balancing]:

----
resource "aws_lb" "load_balancer" {
  access_logs {
    enabled = true
    bucket = "mycompliantbucket"
    bucket_prefix = "log/lb-"
  }
}
----

include::../see.adoc[]
ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

endif::env-github,rspecator-view[]
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

Modify rule S6258: Conversion from S3-specific to generic rule (#510) 2021-10-20 09:57:41 +02:00			`For https://aws.amazon.com/s3/[Amazon S3 access requests]:`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00
			`----`
			`resource "aws_s3_bucket" "mynoncompliantbucket" { # Sensitive`
			`bucket = "mynoncompliantbucketname"`
			`}`
			`----`

Create rule S6258[terraform]: Add AWS MQ Broker (#527) * Add MQ * Fix URL Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2021-11-10 10:41:13 +01:00			`For https://aws.amazon.com/amazon-mq/[Amazon MQ]:`

			`----`
			`resource "aws_mq_broker" "broker" {`
			`logs { # Sensitive`
			`audit = false`
			`general = false`
			`}`
			`}`
			`----`
Create rule S6258[terraform]: Add AWS DocDB Clusters (#529) * Create rule S6258[terraform]: Add AWS DocDB Clusters * Update rules/S6258/terraform/rule.adoc Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> * Update rules/S6258/terraform/rule.adoc Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2021-11-10 10:25:14 +01:00
			`For https://aws.amazon.com/fr/documentdb/[Amazon DocumentDB]:`

			`----`
			`resource "aws_docdb_cluster" "docdb_omitting_logs" { # Sensitive`
			`cluster_identifier = "DB Cluster Without Logs"`
			`}`
			`----`

Create rule S6258[terraform]: Add AWS Redshift Clusters (#531) * Create rule S6258[terraform]: Add AWS Redshift Clusters * Update rules/S6258/terraform/rule.adoc Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> * Update rules/S6258/terraform/rule.adoc Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> * Update rules/S6258/terraform/rule.adoc Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> * Update rules/S6258/terraform/rule.adoc Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2021-11-10 10:24:04 +01:00			`For https://aws.amazon.com/redshift/[Amazon Redshift]:`

			`----`
			`resource "aws_redshift_cluster" "cluster" {`
			`cluster_identifier = "redshift-cluster"`

			`logging {`
			`enable = false # Sensitive`
			`}`
			`}`
			`----`

Create rule S6258[terraform]: Add AWS Accelerator (#532) Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2021-11-10 10:17:50 +01:00			`For https://aws.amazon.com/global-accelerator/[Amazon Global Accelerator]:`

			`----`
			`resource "aws_globalaccelerator_accelerator" "accelerator" {`
			`attributes {`
			`flow_logs_enabled = false # Sensitive`
			`flow_logs_s3_bucket = "example-bucket"`
			`flow_logs_s3_prefix = "flow-logs/"`
			`}`
			`}`
			`----`

Create rule S6258[terraform]: Add AWS ElasticSearch Domains (#544) * Create rule S6258[terraform]: Add AWS ElasticSearch Domains * Fix log type confusion * fix "sensitive" location Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2021-11-10 10:16:04 +01:00			`For https://aws.amazon.com/opensearch-service/[Amazon OpenSearch] service, or Amazon Elasticsearch service:`

			`----`
			`resource "aws_elasticsearch_domain" "domain" {`
			`log_publishing_options {`
			`cloudwatch_log_group_arn = "arn:aws:logs:us-east-1:1234:log-group:es-audit-logs"`
			`log_type = "AUDIT_LOGS"`
			`enabled = false # Sensitive`
			`}`
			`}`
			`----`

Create rule S6258[terraform]: Add AWS CloudFront Distributions (#549) Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2021-11-10 10:14:39 +01:00			`For https://aws.amazon.com/cloudfront/[Amazon CloudFront] distributions:`

			`----`
			`resource "aws_cloudfront_distribution" "cloudfront_distribution" { # Sensitive`
			`default_root_object = "index.html"`
			`}`
			`----`

Create rule S6258[terraform]: Add AWS Load Balancing (#553) 2021-11-10 10:12:33 +01:00			`For both Amazon https://aws.amazon.com/elasticloadbalancing/classic-load-balancer/[Classic Load Balancing] and https://aws.amazon.com/elasticloadbalancing/application-load-balancer/[Application Load Balancing]:`

			`----`
			`resource "aws_lb" "load_balancer" {`
			`access_logs {`
			`enabled = false # Sensitive`
			`bucket = "mycompliantbucket"`
			`bucket_prefix = "log/lb-"`
			`}`
			`}`
			`----`

Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`== Compliant Solution`

Modify rule S6258: Conversion from S3-specific to generic rule (#510) 2021-10-20 09:57:41 +02:00			`For https://aws.amazon.com/s3/[Amazon S3 access requests]:`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00
			`----`
			`resource "aws_s3_bucket" "myloggingbucket" {`
			`bucket = "myloggingbucketname"`
			`acl = "log-delivery-write"`
			`}`

			`resource "aws_s3_bucket" "mycompliantbucket" { # Compliant`
			`bucket = "mycompliantbucketname"`

			`logging {`
			`target_bucket = "myloggingbucketname"`
			`target_prefix = "log/mycompliantbucket"`
			`}`
			`}`
			`----`

Create rule S6258[terraform]: Add AWS Redshift Clusters (#531) * Create rule S6258[terraform]: Add AWS Redshift Clusters * Update rules/S6258/terraform/rule.adoc Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> * Update rules/S6258/terraform/rule.adoc Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> * Update rules/S6258/terraform/rule.adoc Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> * Update rules/S6258/terraform/rule.adoc Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2021-11-10 10:24:04 +01:00
Create rule S6258[terraform]: Add AWS MQ Broker (#527) * Add MQ * Fix URL Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2021-11-10 10:41:13 +01:00			For https://aws.amazon.com/amazon-mq/[Amazon MQ] enable `audit` or `general`:

			`----`
			`resource "aws_mq_broker" "broker" {`
			`logs {`
			`audit = true`
			`general = true`
			`}`
			`}`
			`----`

Create rule S6258[terraform]: Add AWS DocDB Clusters (#529) * Create rule S6258[terraform]: Add AWS DocDB Clusters * Update rules/S6258/terraform/rule.adoc Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> * Update rules/S6258/terraform/rule.adoc Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2021-11-10 10:25:14 +01:00			`For https://aws.amazon.com/fr/documentdb/[Amazon DocumentDB]:`

			`----`
			`resource "aws_docdb_cluster" "docdb_omitting_logs" {`
			`cluster_identifier = "DB Cluster With Logs"`
			`enabled_cloudwatch_logs_exports = ["audit"]`
			`}`
			`----`

Create rule S6258[terraform]: Add AWS Redshift Clusters (#531) * Create rule S6258[terraform]: Add AWS Redshift Clusters * Update rules/S6258/terraform/rule.adoc Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> * Update rules/S6258/terraform/rule.adoc Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> * Update rules/S6258/terraform/rule.adoc Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> * Update rules/S6258/terraform/rule.adoc Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2021-11-10 10:24:04 +01:00			`For https://aws.amazon.com/redshift/[Amazon Redshift]:`

			`----`
			`resource "aws_redshift_cluster" "cluster" {`
			`cluster_identifier = "compliant-redshift-cluster"`
			`logging {`
			`enable = true`
			`bucket_name = "infra_logs"`
			`s3_key_prefix = "log/redshift-"`
			`}`
			`}`
			`----`

Create rule S6258[terraform]: Add AWS Accelerator (#532) Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2021-11-10 10:17:50 +01:00			`For https://aws.amazon.com/global-accelerator/[Amazon Global Accelerator]:`

			`----`
			`resource "aws_globalaccelerator_accelerator" "accelerator" {`
			`attributes {`
			`flow_logs_enabled = true`
			`flow_logs_s3_bucket = "example-bucket"`
			`flow_logs_s3_prefix = "flow-logs/"`
			`}`
			`}`
Create rule S6258[terraform]: Add AWS MQ Broker (#527) * Add MQ * Fix URL Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2021-11-10 10:41:13 +01:00			`----`
Create rule S6258[terraform]: Add AWS Accelerator (#532) Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2021-11-10 10:17:50 +01:00
Create rule S6258[terraform]: Add AWS ElasticSearch Domains (#544) * Create rule S6258[terraform]: Add AWS ElasticSearch Domains * Fix log type confusion * fix "sensitive" location Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2021-11-10 10:16:04 +01:00			`For https://aws.amazon.com/opensearch-service/[Amazon OpenSearch] service, or Amazon Elasticsearch service:`

			`----`
			`resource "aws_elasticsearch_domain" "domain" {`
			`log_publishing_options {`
			`cloudwatch_log_group_arn = "arn:aws:logs:us-east-1:1234:log-group:es-audit-logs"`
			`log_type = "AUDIT_LOGS"`
			`enabled = true`
			`}`
			`}`
			`----`

Create rule S6258[terraform]: Add AWS CloudFront Distributions (#549) Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2021-11-10 10:14:39 +01:00			`For https://aws.amazon.com/cloudfront/[Amazon CloudFront] distributions:`

			`----`
			`resource "aws_cloudfront_distribution" "cloudfront_distribution" {`
			`default_root_object = "index.html"`
			`logging_config {`
			`bucket = "mycompliantbucketname"`
			`prefix = "log/cloudfront-"`
			`}`
			`}`
			`----`

Create rule S6258[terraform]: Add AWS Load Balancing (#553) 2021-11-10 10:12:33 +01:00			`For both Amazon https://aws.amazon.com/elasticloadbalancing/classic-load-balancer/[Classic Load Balancing] and https://aws.amazon.com/elasticloadbalancing/application-load-balancer/[Application Load Balancing]:`

			`----`
			`resource "aws_lb" "load_balancer" {`
			`access_logs {`
			`enabled = true`
			`bucket = "mycompliantbucket"`
			`bucket_prefix = "log/lb-"`
			`}`
			`}`
			`----`

Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`include::../see.adoc[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

			`endif::env-github,rspecator-view[]`