github-actions[bot] 4ec7f8ed07
Create rule S6380: add language AzureResourceManager (JSON) (#2274)
Specification ticket:
[APPSEC-775](https://sonarsource.atlassian.net/browse/APPSEC-775)
Implementation ticket:
[SONARIAC-899](https://sonarsource.atlassian.net/browse/SONARIAC-899)
[RSPEC Preview](https://sonarsource.github.io/rspec/#/rspec/S6378/azureresourcemanager)

Bicep PR for S6380: #2298 
## Review

A dedicated reviewer checked the rule description successfully for:

- [ ] logical errors and incorrect information
- [ ] information gaps and missing content
- [ ] text style and tone
- [ ] PR summary and labels follow [the
guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)



[APPSEC-775]:
https://sonarsource.atlassian.net/browse/APPSEC-775?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ
[SONARIAC-899]:
https://sonarsource.atlassian.net/browse/SONARIAC-899?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ

---------

Co-authored-by: egon-okerman-sonarsource <egon-okerman-sonarsource@users.noreply.github.com>
Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>
Co-authored-by: Jamie Anderson <127742609+jamie-anderson-sonarsource@users.noreply.github.com>
2023-07-03 18:04:53 +02:00


include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
For https://azure.microsoft.com/en-us/services/app-service/[App Services and equivalent]:
[source,terraform,diff-id=1,diff-type=noncompliant]
----
resource "azurerm_function_app" "example" {
  name = "example"

  auth_settings {
    enabled = false # Sensitive
  }
}

resource "azurerm_function_app" "example2" {
  name = "example2"

  auth_settings {
    enabled                       = true
    unauthenticated_client_action = "AllowAnonymous" # Sensitive
  }
}
----
For https://azure.microsoft.com/en-us/services/api-management/[API Management]:
[source,terraform,diff-id=2,diff-type=noncompliant]
----
resource "azurerm_api_management_api" "example" { # Sensitive, the openid_authentication block is missing
  name = "example-api"
}

resource "azurerm_api_management" "example" {
  sign_in {
    enabled = false # Sensitive
  }
}
----
For https://azure.microsoft.com/en-us/services/data-factory/[Data Factory] Linked Services:
[source,terraform,diff-id=3,diff-type=noncompliant]
----
resource "azurerm_data_factory_linked_service_sftp" "example" {
  authentication_type = "Anonymous" # Sensitive
}
----
For https://azure.microsoft.com/en-us/product-categories/storage/[Storage Accounts]:
[source,terraform,diff-id=4,diff-type=noncompliant]
----
resource "azurerm_storage_account" "example" {
  allow_blob_public_access = true # Sensitive
}

resource "azurerm_storage_container" "example" {
  container_access_type = "blob" # Sensitive
}
----
For https://azure.microsoft.com/en-us/services/cache/[Redis Caches]:
[source,terraform,diff-id=5,diff-type=noncompliant]
----
resource "azurerm_redis_cache" "example" {
  name = "example-cache"

  redis_configuration {
    enable_authentication = false # Sensitive
  }
}
----
== Compliant Solution
For https://azure.microsoft.com/en-us/services/app-service/[App Services and equivalent]:
[source,terraform,diff-id=1,diff-type=compliant]
----
resource "azurerm_function_app" "example" {
  name = "example"

  auth_settings {
    enabled                       = true
    unauthenticated_client_action = "RedirectToLoginPage"
  }
}
----
For https://azure.microsoft.com/en-us/services/api-management/[API Management]:
[source,terraform,diff-id=2,diff-type=compliant]
----
resource "azurerm_api_management_api" "example" {
  name = "example-api"

  openid_authentication {
    openid_provider_name = azurerm_api_management_openid_connect_provider.example.name
  }
}

resource "azurerm_api_management" "example" {
  sign_in {
    enabled = true
  }
}
----
For https://azure.microsoft.com/en-us/services/data-factory/[Data Factory] Linked Services:
[source,terraform,diff-id=3,diff-type=compliant]
----
resource "azurerm_data_factory_linked_service_sftp" "example" {
  authentication_type = "Basic"
  username            = local.creds.username
  password            = local.creds.password
}

resource "azurerm_data_factory_linked_service_odata" "example" {
  basic_authentication {
    username = local.creds.username
    password = local.creds.password
  }
}
----
For https://azure.microsoft.com/en-us/product-categories/storage/[Storage Accounts]:
[source,terraform,diff-id=4,diff-type=compliant]
----
resource "azurerm_storage_account" "example" {
  allow_blob_public_access = false
}

resource "azurerm_storage_container" "example" {
  container_access_type = "private"
}
----
For https://azure.microsoft.com/en-us/services/cache/[Redis Caches]:
[source,terraform,diff-id=5,diff-type=compliant]
----
resource "azurerm_redis_cache" "example" {
  name = "example-cache"

  redis_configuration {
    enable_authentication = true
  }
}
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
* For App Service and equivalent resources:
** If ``auth_settings`` block is missing: Omitting ``auth_settings`` disables authentication. Make sure it is safe here.
** If ``auth_settings->enabled = false``: Make sure that disabling authentication is safe here.
** If ``auth_settings->unauthenticated_client_action = "AllowAnonymous"``: Make sure that authorizing anonymous access is safe here.
* For ``api_management_api``: Omitting ``openid_authentication`` disables authentication. Make sure it is safe here.
* For ``api_management`` resources:
** If ``sign_in`` block is missing: Omitting ``sign_in`` authorizes anonymous access. Make sure it is safe here.
** If ``sign_in->enabled = false``: Make sure that giving anonymous access without enforcing sign-in is safe here.
* For ``data_factory_linked_service_odata``: Omitting the ``basic_authentication`` block disables authentication. Make sure it is safe here.
* For ``data_factory_linked_service_sftp`` and ``data_factory_linked_service_web``: Make sure that authorizing anonymous access is safe here.
* For ``redis_cache``: Make sure that disabling authentication is safe here.
* For ``storage_account``: Make sure that authorizing potential anonymous access is safe here.
* For ``storage_container``: Make sure that authorizing potential anonymous access is safe here.
Note: App Service and equivalents resources:
* ``app_service``
* ``app_service_slot``
* ``function_app``
* ``function_app_slot``
* ``linux_web_app``
* ``windows_web_app``
=== Highlighting
* For App Service and equivalents:
** Highlight the resource if the ``auth_settings`` block is missing
** Highlight ``auth_settings->enabled = false`` regardless of ``auth_settings->unauthenticated_client_action``
** Highlight ``auth_settings->unauthenticated_client_action = "AllowAnonymous"``
* For ``api_management_api``: Highlight the resource if the ``openid_authentication`` block is missing
* For ``api_management``:
** Highlight the resource if the ``sign_in`` block is missing
** Highlight ``sign_in->enabled = false``
* For ``data_factory_linked_service_odata``: Highlight the resource if the ``basic_authentication`` block is missing
* For ``data_factory_linked_service_sftp`` and ``data_factory_linked_service_web``: Highlight ``authentication_type = "Anonymous"``
* For ``redis_cache``: Highlight ``redis_configuration->enable_authentication = false``
* For ``storage_account``: Highlight ``allow_blob_public_access = true``
* For ``storage_container``: Highlight ``container_access_type = "blob"`` (or ``"container"``, which also grants anonymous read access); ``"private"`` is the compliant value
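The Message and Highlighting lists above describe the detection logic at the HCL source level. As an added example (not part of the rule, the analyzer, or the rspec repository), the script below applies the same checks to the JSON produced by ``terraform show -json tfplan``, which is a convenient place to enforce the rule in a pipeline without an HCL parser. Nested blocks such as ``auth_settings`` show up in that JSON as lists of objects, and an omitted block is an empty list. The script name, the ``SAMPLE_PLAN`` document and its resource names are constructed for the example; the sample is not real ``terraform`` output. One caveat: planned values include provider defaults, so a permissive default is reported as well as an explicit setting, whereas the source-level rule only highlights what is written. The storage-account check also accepts ``allow_nested_items_to_be_public``, the name the azurerm 3.x provider gave to ``allow_blob_public_access``.

```python
"""Added example: flag the S6380 patterns in a `terraform show -json` plan (s6380_plan_check.py, hypothetical name)."""
import json
import sys

# App Service and equivalent resource types named in the specification.
APP_SERVICE_TYPES = {
    "azurerm_app_service", "azurerm_app_service_slot",
    "azurerm_function_app", "azurerm_function_app_slot",
    "azurerm_linux_web_app", "azurerm_windows_web_app",
}
ANON_SFTP_WEB = ("azurerm_data_factory_linked_service_sftp",
                 "azurerm_data_factory_linked_service_web")

def _blocks(values, key):
    """Nested HCL blocks appear as lists of objects in plan JSON; an omitted block is []."""
    block = values.get(key)
    return block if isinstance(block, list) else []

def _managed_resources(module):
    """Yield managed resources of a module and, recursively, of its child modules."""
    for res in module.get("resources", []):
        if res.get("mode", "managed") == "managed":  # skip data sources
            yield res
    for child in module.get("child_modules", []):
        yield from _managed_resources(child)

def check_resource(res):
    """Return (address, message) findings for one planned resource, using the spec's messages."""
    rtype, addr, v = res["type"], res["address"], res.get("values") or {}
    out = []
    if rtype in APP_SERVICE_TYPES:
        auth = _blocks(v, "auth_settings")
        if not auth:
            out.append((addr, "Omitting auth_settings disables authentication. Make sure it is safe here."))
        for a in auth:
            # enabled = false is reported regardless of unauthenticated_client_action.
            if a.get("enabled") is False:
                out.append((addr, "Make sure that disabling authentication is safe here."))
            if a.get("unauthenticated_client_action") == "AllowAnonymous":
                out.append((addr, "Make sure that authorizing anonymous access is safe here."))
    elif rtype == "azurerm_api_management_api":
        if not _blocks(v, "openid_authentication"):
            out.append((addr, "Omitting openid_authentication disables authentication. Make sure it is safe here."))
    elif rtype == "azurerm_api_management":
        sign_in = _blocks(v, "sign_in")
        if not sign_in:
            out.append((addr, "Omitting sign_in authorizes anonymous access. Make sure it is safe here."))
        elif any(s.get("enabled") is False for s in sign_in):
            out.append((addr, "Make sure that giving anonymous access without enforcing sign-in is safe here."))
    elif rtype == "azurerm_data_factory_linked_service_odata":
        if not _blocks(v, "basic_authentication"):
            out.append((addr, "Omitting the basic_authentication block disables authentication. Make sure it is safe here."))
    elif rtype in ANON_SFTP_WEB:
        if v.get("authentication_type") == "Anonymous":
            out.append((addr, "Make sure that authorizing anonymous access is safe here."))
    elif rtype == "azurerm_redis_cache":
        if any(c.get("enable_authentication") is False for c in _blocks(v, "redis_configuration")):
            out.append((addr, "Make sure that disabling authentication is safe here."))
    elif rtype == "azurerm_storage_account":
        # allow_blob_public_access is the azurerm 2.x name; 3.x renamed it allow_nested_items_to_be_public.
        if v.get("allow_blob_public_access") is True or v.get("allow_nested_items_to_be_public") is True:
            out.append((addr, "Make sure that authorizing potential anonymous access is safe here."))
    elif rtype == "azurerm_storage_container":
        # "blob" and "container" both allow anonymous reads; only "private" does not.
        if v.get("container_access_type") in ("blob", "container"):
            out.append((addr, "Make sure that authorizing potential anonymous access is safe here."))
    return out

def scan_plan(plan):
    """Return all findings for a parsed `terraform show -json` document."""
    root = plan.get("planned_values", {}).get("root_module", {})
    return [f for res in _managed_resources(root) for f in check_resource(res)]

def _res(rtype, name, values, prefix=""):
    return {"address": f"{prefix}{rtype}.{name}", "mode": "managed", "type": rtype, "name": name, "values": values}

# Constructed sample plan (not real terraform output) mirroring the examples in this rule.
SAMPLE_PLAN = {"format_version": "1.1", "planned_values": {"root_module": {"resources": [
    _res("azurerm_function_app", "example",
         {"name": "example", "auth_settings": [{"enabled": False, "unauthenticated_client_action": None}]}),
    _res("azurerm_linux_web_app", "anon",
         {"name": "anon", "auth_settings": [{"enabled": True, "unauthenticated_client_action": "AllowAnonymous"}]}),
    _res("azurerm_api_management_api", "example", {"name": "example-api", "openid_authentication": []}),
    _res("azurerm_api_management", "example", {"name": "apim", "sign_in": [{"enabled": False}]}),
    _res("azurerm_data_factory_linked_service_sftp", "example", {"name": "sftp", "authentication_type": "Anonymous"}),
    _res("azurerm_storage_account", "example", {"name": "sa", "allow_blob_public_access": True}),
    _res("azurerm_storage_container", "example", {"name": "pub", "container_access_type": "blob"}),
    _res("azurerm_redis_cache", "example", {"name": "example-cache", "redis_configuration": [{"enable_authentication": False}]}),
    _res("azurerm_storage_container", "safe", {"name": "priv", "container_access_type": "private"}),
], "child_modules": [{"address": "module.web", "resources": [
    _res("azurerm_windows_web_app", "safe",
         {"name": "safe", "auth_settings": [{"enabled": True, "unauthenticated_client_action": "RedirectToLoginPage"}]},
         prefix="module.web."),
]}]}}}

if __name__ == "__main__":
    # Usage: terraform show -json tfplan > plan.json && python s6380_plan_check.py plan.json
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for address, message in scan_plan(plan):
        print(f"{address}: {message}")
```

Run without arguments it scans ``SAMPLE_PLAN`` and reports the eight sensitive resources while staying silent on the two compliant ones, including the web app inside the child module. Because the checks key on planned values rather than on source text, a value that is only known after apply (rendered as absent in the plan JSON) is not reported; treat such cases as needing manual review rather than as clean.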
endif::env-github,rspecator-view[]