include::../description.adoc[] include::../ask-yourself.adoc[] include::../recommended.adoc[] == Sensitive Code Example For https://azure.microsoft.com/en-us/services/app-service/[App Services and equivalent]: [source,terraform,diff-id=1,diff-type=noncompliant] ---- resource "azurerm_function_app" "example" { name = "example" auth_settings { enabled = false # Sensitive } auth_settings { enabled = true unauthenticated_client_action = "AllowAnonymous" # Sensitive } } ---- For https://azure.microsoft.com/en-us/services/api-management/[API Management]: [source,terraform,diff-id=2,diff-type=noncompliant] ---- resource "azurerm_api_management_api" "example" { # Sensitive, the openid_authentication block is missing name = "example-api" } resource "azurerm_api_management" "example" { sign_in { enabled = false # Sensitive } } ---- For https://azure.microsoft.com/en-us/services/data-factory/[Data Factory] Linked Services: [source,terraform,diff-id=3,diff-type=noncompliant] ---- resource "azurerm_data_factory_linked_service_sftp" "example" { authentication_type = "Anonymous" } ---- For https://azure.microsoft.com/en-us/product-categories/storage/[Storage Accounts]: [source,terraform,diff-id=4,diff-type=noncompliant] ---- resource "azurerm_storage_account" "example" { allow_blob_public_access = true # Sensitive } resource "azurerm_storage_container" "example" { container_access_type = "blob" # Sensitive } ---- For https://azure.microsoft.com/en-us/services/cache/[Redis Caches]: [source,terraform,diff-id=5,diff-type=noncompliant] ---- resource "azurerm_redis_cache" "example" { name = "example-cache" redis_configuration { enable_authentication = false # Sensitive } } ---- == Compliant Solution For https://azure.microsoft.com/en-us/services/app-service/[App Services and equivalent]: [source,terraform,diff-id=1,diff-type=compliant] ---- resource "azurerm_function_app" "example" { name = "example" auth_settings { enabled = true unauthenticated_client_action = "RedirectToLoginPage" } } ---- For https://azure.microsoft.com/en-us/services/api-management/[API Management]: [source,terraform,diff-id=2,diff-type=compliant] ---- resource "azurerm_api_management_api" "example" { name = "example-api" openid_authentication { openid_provider_name = azurerm_api_management_openid_connect_provider.example.name } } resource "azurerm_api_management" "example" { sign_in { enabled = true } } ---- For https://azure.microsoft.com/en-us/services/data-factory/[Data Factory] Linked Services: [source,terraform,diff-id=3,diff-type=compliant] ---- resource "azurerm_data_factory_linked_service_sftp" "example" { authentication_type = "Basic" username = local.creds.username password = local.creds.password } resource "azurerm_data_factory_linked_service_odata" "example" { basic_authentication { username = local.creds.username password = local.creds.password } } ---- For https://azure.microsoft.com/en-us/product-categories/storage/[Storage Accounts]: [source,terraform,diff-id=4,diff-type=compliant] ---- resource "azurerm_storage_account" "example" { allow_blob_public_access = true } resource "azurerm_storage_container" "example" { container_access_type = "private" } ---- For https://azure.microsoft.com/en-us/services/cache/[Redis Caches]: [source,terraform,diff-id=5,diff-type=compliant] ---- resource "azurerm_redis_cache" "example" { name = "example-cache" redis_configuration { enable_authentication = true } } ---- include::../see.adoc[] ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) === Message * For App Service and equivalent resources: ** If ``auth_settings`` block is missing: Omitting ``auth_settings`` disables authentication. Make sure it is safe here. ** if ``auth_settings->enabled = false``: Make sure that disabling authentication is safe here. ** if ``auth_settings->unauthenticated_client_action = "AllowAnonymous"``: Make sure that authorizing anonymous access is safe here. * For ``api_management_api``: Omitting ``openid_authentication`` disables authentication. Make sure it is safe here. * For ``api_management`` resources: ** If ``sign_in`` block is missing: Omitting ``sign_in`` authorizes anonymous access. Make sure it is safe here. ** If ``sign_in->enabled = false``: Make sure that giving anonymous access without enforcing sign-in is safe here. * For ``data_factory_linked_service_odata``: Omitting the ``basic_authentication`` block disables authentication. Make sure it is safe here. * For ``data_factory_linked_service_sftp`` and ``data_factory_linked_service_web``: Make sure that authorizing anonymous access is safe here. * For ``redis_cache``: Make sure that disabling authentication is safe here. * For ``storage_account``: Make sure that authorizing potential anonymous access is safe here. * For ``storage_container``: Make sure that authorizing potential anonymous access is safe here. Note: App Service and equivalents resources: * ``app_service`` * ``app_service_slot`` * ``function_app`` * ``function_app_slot`` * ``linux_web_app`` * ``windows_web_app`` === Highlighting * For App Service and equivalents: ** Highlight the resource if the ``auth_settings`` block is missing ** Highlight ``auth_settings->enabled = false`` regardless of ``auth_settings->unauthenticated_client_action`` ** Highlight ``auth_settings->unauthenticated_client_action = "AllowAnonymous"`` * For ``api_management_api``: Highlight the resource if the ``openid_authentication`` block is missing * For ``api_management``: ** Highlight the resource if the ``sign_in`` block is missing ** Highlight ``sign_in->enabled = false`` * For ``data_factory_linked_service_odata``: Highlight the resource if the ``basic_authentication`` block is missing * For ``data_factory_linked_service_sftp`` and ``data_factory_linked_service_web``: Highlight ``authentication_type = "Anonymous"`` * For ``redis_cache``: Highlight ``redis_configuration->enable_authentication = false`` * For ``storage_account``: Highlight ``allow_blob_public_access = true`` * For ``storage_container``: Highlight ``container_access_type = "private"`` endif::env-github,rspecator-view[]