16f6c0aecf
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
155 lines
4.3 KiB
Plaintext
155 lines
4.3 KiB
Plaintext
include::../common/description.adoc[]
|
|
|
|
include::../common/ask-yourself.adoc[]
|
|
|
|
include::../common/recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
For https://azure.microsoft.com/en-us/services/app-service/[App Service]:
|
|
|
|
[source,terraform,diff-id=1,diff-type=noncompliant]
|
|
----
|
|
resource "azurerm_app_service" "example" {
|
|
client_cert_enabled = false # Sensitive
|
|
}
|
|
----
|
|
|
|
For https://azure.microsoft.com/en-us/services/logic-apps/[Logic App Standards] and https://azure.microsoft.com/en-us/services/functions/[Function Apps]:
|
|
|
|
[source,terraform,diff-id=2,diff-type=noncompliant]
|
|
----
|
|
resource "azurerm_function_app" "example" {
|
|
client_cert_mode = "Optional" # Sensitive
|
|
}
|
|
----
|
|
|
|
For https://azure.microsoft.com/en-us/services/data-factory/[Data Factory Linked Services]:
|
|
|
|
[source,terraform,diff-id=3,diff-type=noncompliant]
|
|
----
|
|
resource "azurerm_data_factory_linked_service_web" "example" {
|
|
authentication_type = "Basic" # Sensitive
|
|
}
|
|
----
|
|
|
|
For https://azure.microsoft.com/en-us/services/api-management/[API Management]:
|
|
|
|
[source,terraform,diff-id=4,diff-type=noncompliant]
|
|
----
|
|
resource "azurerm_api_management" "example" {
|
|
sku_name = "Consumption_1"
|
|
client_certificate_mode = "Optional" # Sensitive
|
|
}
|
|
----
|
|
|
|
For https://azure.microsoft.com/en-us/services/app-service/containers/[Linux and Windows Web Apps]:
|
|
|
|
[source,terraform,diff-id=5,diff-type=noncompliant]
|
|
----
|
|
resource "azurerm_linux_web_app" "example" {
|
|
client_cert_enabled = false # Sensitive
|
|
}
|
|
resource "azurerm_linux_web_app" "exemple2" {
|
|
client_cert_enabled = true
|
|
client_cert_mode = "Optional" # Sensitive
|
|
}
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
For https://azure.microsoft.com/en-us/services/app-service/[App Service]:
|
|
|
|
[source,terraform,diff-id=1,diff-type=compliant]
|
|
----
|
|
resource "azurerm_app_service" "example" {
|
|
client_cert_enabled = true
|
|
}
|
|
----
|
|
|
|
For https://azure.microsoft.com/en-us/services/logic-apps/[Logic App Standards] and https://azure.microsoft.com/en-us/services/functions/[Function Apps]:
|
|
|
|
[source,terraform,diff-id=2,diff-type=compliant]
|
|
----
|
|
resource "azurerm_function_app" "example" {
|
|
client_cert_mode = "Required"
|
|
}
|
|
----
|
|
|
|
For https://azure.microsoft.com/en-us/services/data-factory/[Data Factory Linked Services]:
|
|
|
|
[source,terraform,diff-id=3,diff-type=compliant]
|
|
----
|
|
resource "azurerm_data_factory_linked_service_web" "example" {
|
|
authentication_type = "ClientCertificate"
|
|
}
|
|
----
|
|
|
|
For https://azure.microsoft.com/en-us/services/api-management/[API Management]:
|
|
|
|
[source,terraform,diff-id=4,diff-type=compliant]
|
|
----
|
|
resource "azurerm_api_management" "example" {
|
|
sku_name = "Consumption_1"
|
|
client_certificate_mode = "Required"
|
|
}
|
|
----
|
|
|
|
For https://azure.microsoft.com/en-us/services/app-service/containers/[Linux and Windows Web Apps]:
|
|
|
|
[source,terraform,diff-id=5,diff-type=compliant]
|
|
----
|
|
resource "azurerm_linux_web_app" "exemple" {
|
|
client_cert_enabled = true
|
|
client_cert_mode = "Required"
|
|
}
|
|
----
|
|
|
|
|
|
== See
|
|
|
|
include::../common/resources/docs.adoc[]
|
|
include::../common/resources/articles.adoc[]
|
|
include::../common/resources/presentations.adoc[]
|
|
include::../common/resources/standards.adoc[]
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
For these resources:
|
|
|
|
* `api_management`:
|
|
* `app_service`
|
|
* `data_factory_linked_service_sftp`
|
|
* `data_factory_linked_service_web`
|
|
* `linux_web_app`
|
|
* `windows_web_app` (if both parameters are non-compliant, flag `client_cert_enabled` first)
|
|
|
|
These messages apply:
|
|
|
|
* If an assignment is missing: Omitting {property_name} disables certificate-based authentication. Make sure it is safe here.
|
|
* If the assignment is security-sensitive: Make sure that disabling certificate-based authentication is safe here.
|
|
|
|
* For `function_app` and `logic_app_standard`:
|
|
** Omitting `client_cert_mode` makes certificate-based authentication optional. Make sure it is safe here.
|
|
** Make sure that setting certificate-based authentication as optional is safe here.
|
|
|
|
Make sure that disabling certificate-based authentication is safe here.
|
|
|
|
|
|
=== Highlighting
|
|
|
|
* If one (out of one) assignment is missing: Highlight the resource
|
|
* If an assignment is security-sensitive: Highlight the assignment
|
|
* For `linux_web_app` and `windows_web_app`:
|
|
** If both assignments are present and security-sensitive: Highlight `client_cert_enabled = false`
|
|
|
|
|
|
endif::env-github,rspecator-view[]
|