16f6c0aecf
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
139 lines
2.5 KiB
Plaintext
139 lines
2.5 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
For AWS:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_instance" "example" {
|
|
associate_public_ip_address = true # Sensitive
|
|
}
|
|
----
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_dms_replication_instance" "example" {
|
|
publicly_accessible = true # Sensitive
|
|
}
|
|
----
|
|
|
|
For Azure:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "azurerm_postgresql_server" "example" {
|
|
public_network_access_enabled = true # Sensitive
|
|
}
|
|
----
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "azurerm_postgresql_server" "example" {
|
|
public_network_access_enabled = true # Sensitive
|
|
}
|
|
----
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "azurerm_kubernetes_cluster" "production" {
|
|
api_server_authorized_ip_ranges = ["176.0.0.0/4"] # Sensitive
|
|
default_node_pool {
|
|
enable_node_public_ip = true # Sensitive
|
|
}
|
|
}
|
|
----
|
|
|
|
For GCP:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "google_compute_instance" "example" {
|
|
network_interface {
|
|
network = "default"
|
|
|
|
access_config { # Sensitive
|
|
# Ephemeral public IP
|
|
}
|
|
}
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
For AWS:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_instance" "example" {
|
|
associate_public_ip_address = false
|
|
}
|
|
----
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_dms_replication_instance" "example" {
|
|
publicly_accessible = false
|
|
}
|
|
----
|
|
|
|
For Azure:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "azurerm_postgresql_server" "example" {
|
|
public_network_access_enabled = false
|
|
}
|
|
----
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "azurerm_kubernetes_cluster" "production" {
|
|
api_server_authorized_ip_ranges = ["192.168.0.0/16"]
|
|
default_node_pool {
|
|
enable_node_public_ip = false
|
|
}
|
|
}
|
|
----
|
|
|
|
For GCP:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "google_compute_instance" "example" {
|
|
network_interface {
|
|
network = "default"
|
|
}
|
|
}
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
* Omitting "{parameter}" allows network access from the Internet. Make sure it is safe here.
|
|
* Make sure allowing public network access is safe here.
|
|
|
|
* For the application_gateway and network_interface resources:
|
|
** Make sure it is safe to use this public IP address.
|
|
* For the kubernetes_cluster {api_server_authorized_ip_ranges} parameter and all firewall_rule resources:
|
|
** Make sure that allowing public IP addresses is safe here.
|
|
|
|
|
|
=== Highlighting
|
|
|
|
* If {parameter} is missing, highlight the resource.
|
|
* If the assignment is non-compliant, highlight the entire assignment
|
|
|
|
endif::env-github,rspecator-view[]
|