terraform.azure.best-practice.azure-postgresql-threat-detection-enabled.azure-postgresql-threat-detection-enabled

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

Ensure that PostgreSQL server enables Threat detection policy

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: azure-postgresql-threat-detection-enabled
    message: Ensure that PostgreSQL server enables Threat detection policy
    patterns:
      - pattern: resource
      - pattern-inside: |
          resource "azurerm_postgresql_server" "..." {
          ...
          }
      - pattern-not-inside: |
          resource "azurerm_postgresql_server" "..." {
          ...
          threat_detection_policy {
              ...
              enabled = true
              ...
          }
          ...
          }
    metadata:
      category: best-practice
      technology:
        - terraform
        - azure
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - hcl
    severity: WARNING

Examples

azure-postgresql-threat-detection-enabled.tf

# fail
# ruleid: azure-postgresql-threat-detection-enabled
resource "azurerm_postgresql_server" "example" {
    name                = "example-mysqlserver"
    location            = azurerm_resource_group.example.location
    resource_group_name = azurerm_resource_group.example.name

    administrator_login          = "mysqladminun"
    administrator_login_password = "H@Sh1CoR3!"

    sku_name   = "B_Gen5_2"
    storage_mb = 5120
    version    = "5.7"

    auto_grow_enabled                 = true
    backup_retention_days             = 7
    geo_redundant_backup_enabled      = true
    infrastructure_encryption_enabled = true
    public_network_access_enabled     = false
    ssl_enforcement_enabled           = false
    ssl_minimal_tls_version_enforced  = "TLS1_2"

    threat_detection_policy {
        enabled = false
    }
}

# fail
# ruleid: azure-postgresql-threat-detection-enabled
resource "azurerm_postgresql_server" "example" {
    name                = "example-mysqlserver"
    location            = azurerm_resource_group.example.location
    resource_group_name = azurerm_resource_group.example.name

    administrator_login          = "mysqladminun"
    administrator_login_password = "H@Sh1CoR3!"

    sku_name   = "B_Gen5_2"
    storage_mb = 5120
    version    = "5.7"

    auto_grow_enabled                 = true
    backup_retention_days             = 7
    geo_redundant_backup_enabled      = true
    infrastructure_encryption_enabled = true
    public_network_access_enabled     = false
    ssl_enforcement_enabled           = false
    ssl_minimal_tls_version_enforced  = "TLS1_2"
}

# pass
resource "azurerm_postgresql_server" "example" {
    name                = "example-mysqlserver"
    location            = azurerm_resource_group.example.location
    resource_group_name = azurerm_resource_group.example.name

    administrator_login          = "mysqladminun"
    administrator_login_password = "H@Sh1CoR3!"

    sku_name   = "B_Gen5_2"
    storage_mb = 5120
    version    = "5.7"

    auto_grow_enabled                 = true
    backup_retention_days             = 7
    geo_redundant_backup_enabled      = true
    infrastructure_encryption_enabled = true
    public_network_access_enabled     = false
    ssl_enforcement_enabled           = true
    ssl_minimal_tls_version_enforced  = "TLS1_2"
    threat_detection_policy {
        enabled = true
    }
}