Fred Tingaud 51369b610e
Make sure that includes are always surrounded by empty lines (#2270)
When an include is not surrounded by empty lines, its content is inlined
on the same line as the adjacent content. That can lead to broken tags
and other display issues.
This PR fixes all such includes and introduces a validation step that
forbids introducing the same problem again.
2023-06-22 10:38:01 +02:00


include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
For Amazon https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket[S3 access requests]:
[source,terraform]
----
resource "aws_s3_bucket" "example" { # Sensitive
bucket = "example"
}
----
For Amazon https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage[API Gateway stages]:
[source,terraform]
----
resource "aws_api_gateway_stage" "example" { # Sensitive
xray_tracing_enabled = false # Sensitive
}
----
For Amazon https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_cluster[MSK Broker logs]:
[source,terraform]
----
resource "aws_msk_cluster" "example" {
cluster_name = "example"
kafka_version = "2.7.1"
number_of_broker_nodes = 3
logging_info {
broker_logs { # Sensitive
firehose {
enabled = false
}
s3 {
enabled = false
}
}
}
}
----
For Amazon https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mq_broker[MQ Brokers]:
[source,terraform]
----
resource "aws_mq_broker" "example" {
logs { # Sensitive
audit = false
general = false
}
}
----
For Amazon https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster[Amazon DocumentDB]:
[source,terraform]
----
resource "aws_docdb_cluster" "example" { # Sensitive
cluster_identifier = "example"
}
----
For Azure https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service[App Services]:
[source,terraform]
----
resource "azurerm_app_service" "example" {
logs {
application_logs {
file_system_level = "Off" # Sensitive
azure_blob_storage {
level = "Off" # Sensitive
}
}
}
}
----
For GCP https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork/[VPC Subnetwork]:
[source,terraform]
----
resource "google_compute_subnetwork" "example" { # Sensitive
name = "example"
ip_cidr_range = "10.2.0.0/16"
region = "us-central1"
network = google_compute_network.example.id
}
----
For GCP https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance/[SQL Database Instance]:
[source,terraform]
----
resource "google_sql_database_instance" "example" {
name = "example"
settings { # Sensitive
tier = "db-f1-micro"
ip_configuration {
require_ssl = true
ipv4_enabled = true
}
}
}
----
For GCP https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster/[Kubernetes Engine (GKE) cluster]:
[source,terraform]
----
resource "google_container_cluster" "example" {
name = "example"
logging_service = "none" # Sensitive
}
----
== Compliant Solution
For Amazon https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket[S3 access requests]:
[source,terraform]
----
resource "aws_s3_bucket" "example-logs" {
bucket = "example_logstorage"
acl = "log-delivery-write"
}
resource "aws_s3_bucket" "example" {
bucket = "example"
logging { # AWS provider <= 3
target_bucket = aws_s3_bucket.example-logs.id
target_prefix = "log/example"
}
}
resource "aws_s3_bucket_logging" "example" { # AWS provider >= 4
bucket = aws_s3_bucket.example.id
target_bucket = aws_s3_bucket.example-logs.id
target_prefix = "log/example"
}
----
For Amazon https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage[API Gateway stages]:
[source,terraform]
----
resource "aws_api_gateway_stage" "example" {
xray_tracing_enabled = true
access_log_settings {
destination_arn = "arn:aws:logs:eu-west-1:123456789:example"
format = "..."
}
}
----
For Amazon https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_cluster[MSK Broker logs]:
[source,terraform]
----
resource "aws_msk_cluster" "example" {
cluster_name = "example"
kafka_version = "2.7.1"
number_of_broker_nodes = 3
logging_info {
broker_logs {
firehose {
enabled = false
}
s3 {
enabled = true
bucket = "example"
prefix = "log/msk-"
}
}
}
}
----
For Amazon https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mq_broker[MQ Brokers], enable `audit` or `general`:
[source,terraform]
----
resource "aws_mq_broker" "example" {
logs {
audit = true
general = true
}
}
----
For Amazon https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster[Amazon DocumentDB]:
[source,terraform]
----
resource "aws_docdb_cluster" "example" {
cluster_identifier = "example"
enabled_cloudwatch_logs_exports = ["audit"]
}
----
For Azure https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service[App Services]:
[source,terraform]
----
resource "azurerm_app_service" "example" {
logs {
http_logs {
file_system {
retention_in_days = 90
retention_in_mb = 100
}
}
application_logs {
file_system_level = "Error"
azure_blob_storage {
retention_in_days = 90
level = "Error"
}
}
}
}
----
For GCP https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork/[VPC Subnetwork]:
[source,terraform]
----
resource "google_compute_subnetwork" "example" {
name = "example"
ip_cidr_range = "10.2.0.0/16"
region = "us-central1"
network = google_compute_network.example.id
log_config {
aggregation_interval = "INTERVAL_10_MIN"
flow_sampling = 0.5
metadata = "INCLUDE_ALL_METADATA"
}
}
----
For GCP https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance/[SQL Database Instance]:
[source,terraform]
----
resource "google_sql_database_instance" "example" {
name = "example"
settings {
ip_configuration {
require_ssl = true
ipv4_enabled = true
}
database_flags {
name = "log_connections"
value = "on"
}
database_flags {
name = "log_disconnections"
value = "on"
}
database_flags {
name = "log_checkpoints"
value = "on"
}
database_flags {
name = "log_lock_waits"
value = "on"
}
}
}
----
For GCP https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster/[Kubernetes Engine (GKE) cluster]:
[source,terraform]
----
resource "google_container_cluster" "example" {
name = "example"
logging_service = "logging.googleapis.com/kubernetes"
}
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
endif::env-github,rspecator-view[]