github-actions[bot] 3d7b200c37
Create rule S6379: Add language AzureResourceManager (APPSEC-776) (#2242)
[Specification ticket](https://sonarsource.atlassian.net/browse/APPSEC-776)
[Implementation ticket](https://sonarsource.atlassian.net/browse/SONARIAC-885)
[RSPEC Preview](https://sonarsource.github.io/rspec/#/rspec/S6379/azureresourcemanager)

PR for adding Bicep code examples
https://github.com/SonarSource/rspec/pull/2244

## Review

A dedicated reviewer checked the rule description successfully for:

- [x] logical errors and incorrect information
- [x] information gaps and missing content
- [x] text style and tone
- [x] PR summary and labels follow [the
guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)

---------

Co-authored-by: pierre-loup-tristant-sonarsource <pierre-loup-tristant-sonarsource@users.noreply.github.com>
Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com>
Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>
2023-08-02 15:18:05 +02:00


include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

For https://docs.microsoft.com/en-us/azure/batch/nodes-and-pools#pools[Azure Batch Pools]:

[source,terraform,diff-id=1,diff-type=noncompliant]
----
resource "azurerm_batch_pool" "example" {
  name = "sensitive"

  start_task {
    user_identity {
      auto_user {
        elevation_level = "Admin" # Sensitive
        scope           = "Task"
      }
    }
  }
}
----

For https://azure.microsoft.com/en-us/services/container-registry/[Azure Container Registries]:

[source,terraform,diff-id=2,diff-type=noncompliant]
----
resource "azurerm_container_registry" "example" {
  name          = "example"
  admin_enabled = true # Sensitive
}
----

== Compliant Solution

For https://docs.microsoft.com/en-us/azure/batch/nodes-and-pools#pools[Azure Batch Pools]:

[source,terraform,diff-id=1,diff-type=compliant]
----
resource "azurerm_batch_pool" "example" {
  name = "example"

  start_task {
    user_identity {
      auto_user {
        elevation_level = "NonAdmin"
        scope           = "Task"
      }
    }
  }
}
----

For https://azure.microsoft.com/en-us/services/container-registry/[Azure Container Registries]:

[source,terraform,diff-id=2,diff-type=compliant]
----
resource "azurerm_container_registry" "example" {
  name          = "example"
  admin_enabled = false
}
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

=== Highlighting

* For ``azurerm_batch_pool``, highlight ``elevation_level = "Admin"``.
* For ``azurerm_container_registry``, highlight ``admin_enabled = true``.

endif::env-github,rspecator-view[]
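
The two highlighting rules above, applied to Terraform text as a line-based check. This is an added example, not SonarSource's implementation of S6379; `find_sensitive`, the regex-based parsing and the `legacy` resource in the sample are assumptions made for illustration. It tracks resource blocks by counting braces and does not handle heredocs or `#` and `//` inside strings.

```python
import re

# Assignments to flag per resource type, taken from the Highlighting list.
RULES = {
    "azurerm_batch_pool": re.compile(r'\belevation_level\s*=\s*"Admin"'),
    "azurerm_container_registry": re.compile(r"\badmin_enabled\s*=\s*true\b"),
}
RESOURCE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
COMMENT = re.compile(r"\s*(#|//).*$")  # simplification: ignores # or // inside strings


def find_sensitive(hcl):
    """Return (line_no, resource_type, resource_name, matched_text) per finding."""
    findings, current, depth = [], None, 0
    for line_no, raw in enumerate(hcl.splitlines(), 1):
        line = COMMENT.sub("", raw)
        header = RESOURCE.match(line)
        if current is None and header:
            current, depth = header.groups(), 0
        if current is None:
            continue
        hit = RULES[current[0]].search(line) if current[0] in RULES else None
        if hit:
            findings.append((line_no, current[0], current[1], hit.group(0)))
        depth += line.count("{") - line.count("}")
        if depth <= 0:
            current = None
    return findings


# Constructed sample: the page's sensitive settings plus two lines that must not match.
SAMPLE = '''\
resource "azurerm_batch_pool" "example" {
  start_task {
    user_identity {
      auto_user {
        elevation_level = "Admin" # Sensitive
      }
    }
  }
}
resource "azurerm_container_registry" "example" {
  # admin_enabled = true
  admin_enabled = false
}
resource "azurerm_container_registry" "legacy" {
  admin_enabled = true
}
'''
```

`find_sensitive(SAMPLE)` reports line 5 of the Batch pool and line 15 of the `legacy` registry; the commented-out assignment and the `false` value are not reported.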