terraform.azure.best-practice.azure-postgresql-threat-detection-enabled.azure-postgresql-threat-detection-enabled
semgrep
Author
unknown
Download Count*
License
Ensure that PostgreSQL server enables Threat detection policy
Run Locally
Run in CI
Defintion
rules:
- id: azure-postgresql-threat-detection-enabled
message: Ensure that PostgreSQL server enables Threat detection policy
patterns:
- pattern: resource
- pattern-inside: |
resource "azurerm_postgresql_server" "..." {
...
}
- pattern-not-inside: |
resource "azurerm_postgresql_server" "..." {
...
threat_detection_policy {
...
enabled = true
...
}
...
}
metadata:
category: best-practice
technology:
- terraform
- azure
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
languages:
- hcl
severity: WARNING
Examples
azure-postgresql-threat-detection-enabled.tf
# fail
# ruleid: azure-postgresql-threat-detection-enabled
resource "azurerm_postgresql_server" "example" {
name = "example-mysqlserver"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
administrator_login = "mysqladminun"
administrator_login_password = "H@Sh1CoR3!"
sku_name = "B_Gen5_2"
storage_mb = 5120
version = "5.7"
auto_grow_enabled = true
backup_retention_days = 7
geo_redundant_backup_enabled = true
infrastructure_encryption_enabled = true
public_network_access_enabled = false
ssl_enforcement_enabled = false
ssl_minimal_tls_version_enforced = "TLS1_2"
threat_detection_policy {
enabled = false
}
}
# fail
# ruleid: azure-postgresql-threat-detection-enabled
resource "azurerm_postgresql_server" "example" {
name = "example-mysqlserver"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
administrator_login = "mysqladminun"
administrator_login_password = "H@Sh1CoR3!"
sku_name = "B_Gen5_2"
storage_mb = 5120
version = "5.7"
auto_grow_enabled = true
backup_retention_days = 7
geo_redundant_backup_enabled = true
infrastructure_encryption_enabled = true
public_network_access_enabled = false
ssl_enforcement_enabled = false
ssl_minimal_tls_version_enforced = "TLS1_2"
}
# pass
resource "azurerm_postgresql_server" "example" {
name = "example-mysqlserver"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
administrator_login = "mysqladminun"
administrator_login_password = "H@Sh1CoR3!"
sku_name = "B_Gen5_2"
storage_mb = 5120
version = "5.7"
auto_grow_enabled = true
backup_retention_days = 7
geo_redundant_backup_enabled = true
infrastructure_encryption_enabled = true
public_network_access_enabled = false
ssl_enforcement_enabled = true
ssl_minimal_tls_version_enforced = "TLS1_2"
threat_detection_policy {
enabled = true
}
}
Short Link: https://sg.run/gN1J