116 lines
3.2 KiB
Plaintext
116 lines
3.2 KiB
Plaintext
include::../summary.adoc[]
|
|
|
|
== Why is this an issue?
|
|
|
|
include::../rationale.adoc[]
|
|
|
|
include::../impact.adoc[]
|
|
|
|
// How to fix it section
|
|
|
|
include::how-to-fix-it/aws-api-gateway.adoc[]
|
|
|
|
include::how-to-fix-it/aws-opensearch.adoc[]
|
|
|
|
include::how-to-fix-it/azure-databases.adoc[]
|
|
|
|
include::how-to-fix-it/azure-storage-account.adoc[]
|
|
|
|
include::how-to-fix-it/gcp-lb.adoc[]
|
|
|
|
|
|
== Resources
|
|
|
|
include::../common/resources/docs.adoc[]
|
|
|
|
include::../common/resources/articles.adoc[]
|
|
|
|
include::../common/resources/presentations.adoc[]
|
|
|
|
include::../common/resources/standards-iac.adoc[]
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
==== AWS
|
|
|
|
For `aws_elasticsearch_domain`:
|
|
|
|
* If `tls_security_policy` is specified but has the wrong value
|
|
** Change this code to disable support of older TLS versions.
|
|
* If `domain_endpoint_options` is specified but does not contain `tls_security_policy`
|
|
** Set "tls_security_policy" to disable support of older TLS versions.
|
|
* If resource if `domain_endpoint_options` is not specified at all
|
|
** Set "domain_endpoint_options.tls_security_policy" to disable support of older TLS versions.
|
|
|
|
For `aws_api_gateway_domain_name`:
|
|
|
|
* If `security_policy` is specified but has the wrong value
|
|
** Change this code to disable support of older TLS versions.
|
|
* If resource if `security_policy` is not specified at all
|
|
** Set "security_policy" to disable support of older TLS versions.
|
|
|
|
For `aws_apigatewayv2_domain_name`:
|
|
|
|
* If `security_policy` is specified but has the wrong value
|
|
** Change this code to disable support of older TLS versions.
|
|
* If `domain_name_configuration` is specified but does not contain `security_policy`
|
|
** Set "security_policy" to disable support of older TLS versions.
|
|
* If resource if `domain_name_configuration` is not specified at all
|
|
** Set "domain_name_configuration.security_policy" to disable support of older TLS versions.
|
|
|
|
==== GCP
|
|
|
|
For `google_compute_ssl_policy`:
|
|
|
|
* If `min_tls_version` is specified but has the wrong value
|
|
** Change this code to disable support of older TLS versions.
|
|
|
|
* If `min_tls_version` is not specified at all
|
|
** Set "min_tls_version" to disable support of older TLS versions.
|
|
|
|
|
|
=== Highlighting
|
|
|
|
==== AWS
|
|
|
|
For `aws_elasticsearch_domain`:
|
|
|
|
* Highlight `tls_security_policy` if it is specified but has the wrong value
|
|
* Highlight `domain_endpoint_options` if it is specified but does not contain `tls_security_policy`
|
|
* Highlight resource if `domain_endpoint_options` is not specified at all
|
|
|
|
For `aws_api_gateway_domain_name`:
|
|
|
|
* Highlight `security_policy` if it is specified but has the wrong value
|
|
* Highlight resource if `security_policy` is not specified at all
|
|
|
|
For `aws_apigatewayv2_domain_name`:
|
|
|
|
* Highlight `security_policy` if it is specified but has the wrong value
|
|
* Highlight `domain_name_configuration` if it is specified but does not contain `security_policy`
|
|
* Highlight resource if `domain_name_configuration` is not specified at all
|
|
|
|
==== GCP
|
|
|
|
For `google_compute_ssl_policy`:
|
|
|
|
* Highlight `min_tls_version` if it is specified but has the wrong value
|
|
* Highlight resource if `min_tls_version` is not specified at all
|
|
|
|
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|