f4696dbf01
* Remove AWS specific words * Add Azure code samples * Add Azure link * Add missing tags * Add samples * Update rules/S6321/metadata.json Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> * Update rules/S6321/terraform/metadata.json Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> * Remove AWS tag * Make description more generic * Update rules/S6321/description.adoc Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> * Remove GCP tag * Update rules/S6321/see.adoc Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> * Remove Azure tag Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com>
128 lines
3.0 KiB
Plaintext
128 lines
3.0 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Noncompliant Code Example
|
|
|
|
An ingress rule allowing all inbound SSH traffic for AWS:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_security_group" "noncompliant" {
|
|
name = "allow_ssh_noncompliant"
|
|
description = "allow_ssh_noncompliant"
|
|
vpc_id = aws_vpc.main.id
|
|
|
|
ingress {
|
|
description = "SSH rule"
|
|
from_port = 22
|
|
to_port = 22
|
|
protocol = "tcp"
|
|
cidr_blocks = ["0.0.0.0/0"] # Noncompliant
|
|
}
|
|
}
|
|
----
|
|
|
|
A security rule allowing all inbound SSH traffic for Azure:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "azurerm_network_security_rule" "noncompliant" {
|
|
priority = 100
|
|
direction = "Inbound"
|
|
access = "Allow"
|
|
protocol = "Tcp"
|
|
source_port_range = "*"
|
|
destination_port_range = "22"
|
|
source_address_prefix = "*" # Noncompliant
|
|
destination_address_prefix = "*"
|
|
}
|
|
----
|
|
|
|
A firewall rule allowing all inbound SSH traffic for GCP:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "google_compute_firewall" "noncompliant" {
|
|
network = google_compute_network.default.name
|
|
|
|
allow {
|
|
protocol = "tcp"
|
|
ports = ["22"]
|
|
}
|
|
|
|
source_ranges = ["0.0.0.0/0"] # Noncompliant
|
|
}
|
|
----
|
|
|
|
A security rule allowing all inbound SSH traffic for Azure:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "azurerm_network_security_rule" "noncompliant" {
|
|
priority = 100
|
|
direction = "Inbound"
|
|
access = "Allow"
|
|
protocol = "Tcp"
|
|
source_port_range = "*"
|
|
destination_port_range = "22"
|
|
source_address_prefix = "*" # Noncompliant
|
|
destination_address_prefix = "*"
|
|
}
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
An ingress rule allowing inbound SSH traffic from specific IP addresses for AWS:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_security_group" "compliant" {
|
|
name = "allow_ssh_compliant"
|
|
description = "allow_ssh_compliant"
|
|
vpc_id = aws_vpc.main.id
|
|
|
|
ingress {
|
|
description = "SSH rule"
|
|
from_port = 22
|
|
to_port = 22
|
|
protocol = "tcp"
|
|
cidr_blocks = ["1.2.3.0/24"]
|
|
}
|
|
}
|
|
----
|
|
|
|
A security rule allowing inbound SSH traffic from specific IP addresses for Azure:
|
|
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "azurerm_network_security_rule" "compliant" {
|
|
priority = 100
|
|
direction = "Inbound"
|
|
access = "Allow"
|
|
protocol = "Tcp"
|
|
source_port_range = "*"
|
|
destination_port_range = "22"
|
|
source_address_prefix = "1.2.3.0"
|
|
destination_address_prefix = "*"
|
|
}
|
|
----
|
|
|
|
A firewall rule allowing inbound SSH traffic from specific IP addresses for GCP:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "google_compute_firewall" "compliant" {
|
|
network = google_compute_network.default.name
|
|
|
|
allow {
|
|
protocol = "tcp"
|
|
ports = ["22"]
|
|
}
|
|
|
|
source_ranges = ["10.0.0.1/32"]
|
|
}
|
|
----
|
|
include::../see.adoc[]
|