Modify rule S4423: Add "How to fix" sections for all Azure resources (APPSEC-383) (#2676)

Co-authored-by: sebastien-andrivet-sonarsource <138577785+sebastien-andrivet-sonarsource@users.noreply.github.com> Co-authored-by: Peter Trifanov <peter.trifanov@sonarsource.com>
2024-05-22 16:35:51 +02:00 · 2024-05-22 16:35:51 +02:00 · da58171bf4
commit da58171bf4
parent a8089d8b96
5 changed files with 105 additions and 33 deletions
--- a/docs/header_names/allowed_framework_names.adoc
+++ b/docs/header_names/allowed_framework_names.adoc
@ -124,7 +124,8 @@
 // Terraform
 * AWS API Gateway
 * AWS OpenSearch
-* Azure MSSQL
+* Azure Databases
+* Azure Storage Accounts
 * GCP Load Balancers
 * AWS Identity and Access Management
 // CDK
--- a/rules/S4423/terraform/how-to-fix-it/azure-databases.adoc
+++ b/rules/S4423/terraform/how-to-fix-it/azure-databases.adoc
@ -0,0 +1,73 @@
+== How to fix it in Azure Databases
+
+=== Code examples
+
+==== Noncompliant code example
+
+For https://azure.microsoft.com/en-gb/products/azure-sql/database[Azure SQL Database]:
+
+[source,terraform,diff-id=31,diff-type=noncompliant]
+----
+resource "azurerm_mssql_server" "example" {
+  name = "example"
+  version = "12.0"
+
+  minimum_tls_version = "1.0" # Noncompliant
+}
+----
+
+For https://azure.microsoft.com/en-gb/products/mysql[Azure Database for MySQL]:
+
+[source,terraform,diff-id=32,diff-type=noncompliant]
+----
+resource "azurerm_mysql_server" "example" {
+  ssl_minimal_tls_version_enforced = "TLS1_0" # Noncompliant
+}
+----
+
+For https://azure.microsoft.com/en-gb/products/postgresql[Azure Database for PostgreSQL]:
+
+[source,terraform,diff-id=33,diff-type=noncompliant]
+----
+resource "azurerm_postgresql_server" "example" {
+  ssl_minimal_tls_version_enforced = "TLS1_0" # Noncompliant
+}
+----
+
+==== Compliant solution
+
+For https://azure.microsoft.com/en-gb/products/azure-sql/database[Azure SQL Database]:
+
+[source,terraform,diff-id=31,diff-type=compliant]
+----
+resource "azurerm_mssql_server" "example" {
+  name = "example"
+  version = "12.0"
+
+  minimum_tls_version = "1.2"
+}
+----
+
+For https://azure.microsoft.com/en-gb/products/mysql[Azure Database for MySQL]:
+
+[source,terraform,diff-id=32,diff-type=compliant]
+----
+resource "azurerm_mysql_server" "example" {
+  ssl_minimal_tls_version_enforced = "TLS1_2"
+}
+----
+
+For https://azure.microsoft.com/en-gb/products/postgresql[Azure Database for PostgreSQL]:
+
+[source,terraform,diff-id=33,diff-type=compliant]
+----
+resource "azurerm_postgresql_server" "example" {
+  ssl_minimal_tls_version_enforced = "TLS1_2"
+}
+----
+
+Starting from AzureRM Provider 3.0, `ssl_minimal_tls_version_enforced` is also equal to `TLS1_2` by default for `azurerm_mysql_server` and `azurerm_postgresql_server`.
+
+=== How does this work?
+
+include::../../common/fix/fix.adoc[]
--- a/rules/S4423/terraform/how-to-fix-it/azure-mssql.adoc
+++ b/rules/S4423/terraform/how-to-fix-it/azure-mssql.adoc
@ -1,31 +0,0 @@
-== How to fix it in Azure MSSQL
-
-=== Code examples
-
-==== Noncompliant code example
-
-[source,terraform,diff-id=31,diff-type=noncompliant]
----
-resource "azurerm_mssql_server" "example" {
-  name = "example"
-  version = "12.0"
-
-  minimum_tls_version = "1.0" # Noncompliant
-}
----
-
-==== Compliant solution
-
-[source,terraform,diff-id=31,diff-type=compliant]
----
-resource "azurerm_mssql_server" "example" {
-  name = "example"
-  version = "12.0"
-
-  minimum_tls_version = "1.2"
-}
----
-
-=== How does this work?
-
-include::../../common/fix/fix.adoc[]
--- a/rules/S4423/terraform/how-to-fix-it/azure-storage-account.adoc
+++ b/rules/S4423/terraform/how-to-fix-it/azure-storage-account.adoc
@ -0,0 +1,27 @@
+== How to fix it in Azure Storage Accounts
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,terraform,diff-id=51,diff-type=noncompliant]
+----
+resource "azurerm_storage_account" "example" {
+  min_tls_version = "TLS1_0" # Noncompliant
+}
+----
+
+==== Compliant solution
+
+Starting from AzureRM Provider 3.0, `min_tls_version` also defaults to `TLS1_2`.
+
+[source,terraform,diff-id=51,diff-type=compliant]
+----
+resource "azurerm_storage_account" "example" {
+  min_tls_version = "TLS1_2"
+}
+----
+
+=== How does this work?
+
+include::../../common/fix/fix.adoc[]
--- a/rules/S4423/terraform/rule.adoc
+++ b/rules/S4423/terraform/rule.adoc
@ -12,7 +12,9 @@ include::how-to-fix-it/aws-api-gateway.adoc[]

 include::how-to-fix-it/aws-opensearch.adoc[]

-include::how-to-fix-it/azure-mssql.adoc[]
+include::how-to-fix-it/azure-databases.adoc[]
+
+include::how-to-fix-it/azure-storage-account.adoc[]

 include::how-to-fix-it/gcp-lb.adoc[]