terraform.azure.best-practice.azure-vmscale-sets-auto-os-image-patching-enabled.azure-vmscale-sets-auto-os-image-patching-enabled
Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets
Definition
rules:
  # Reports a legacy azurerm_virtual_machine_scale_set resource unless it opts in
  # to automatic OS image upgrades with BOTH settings below (see pattern-not-inside).
  - id: azure-vmscale-sets-auto-os-image-patching-enabled
    message: Ensure that automatic OS image patching is enabled for Virtual Machine
      Scale Sets
    patterns:
      # The finding is anchored on the resource node itself ...
      - pattern: resource
      # ... restricted to the legacy VM scale set resource type.
      # NOTE(review): the newer azurerm_linux_virtual_machine_scale_set and
      # azurerm_windows_virtual_machine_scale_set resources are not covered here.
      - pattern-inside: |
          resource "azurerm_virtual_machine_scale_set" "..." {
            ...
          }
      # The exception requires automatic_os_upgrade = true AND an
      # os_profile_windows_config block with enable_automatic_upgrades = true.
      # NOTE(review): a scale set with automatic_os_upgrade = true but no
      # os_profile_windows_config block (e.g. a Linux-only set) is therefore still
      # reported, as the third example shows — confirm this is intended.
      # NOTE(review): the passing example has upgrade_policy_mode between the two
      # settings, so the pattern presumably does not require them to be adjacent — verify.
      - pattern-not-inside: |
          resource "azurerm_virtual_machine_scale_set" "..." {
            ...
            automatic_os_upgrade = true
            os_profile_windows_config {
              ...
              enable_automatic_upgrades = true
              ...
            }
            ...
          }
    metadata:
      category: best-practice
      technology:
        - terraform
        - azure
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - hcl
    severity: WARNING
Examples
azure-vmscale-sets-auto-os-image-patching-enabled.tf
# fail
# ruleid: azure-vmscale-sets-auto-os-image-patching-enabled
# Reported: automatic_os_upgrade is not set at all, so the resource never matches
# the rule's pattern-not-inside exception.
resource "azurerm_virtual_machine_scale_set" "example" {
  name                = "mytestscaleset-1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  # automatic rolling upgrade
  upgrade_policy_mode = "Rolling"

  rolling_upgrade_policy {
    max_batch_instance_percent              = 20
    max_unhealthy_instance_percent          = 20
    max_unhealthy_upgraded_instance_percent = 5
    pause_time_between_batches              = "PT0S"
  }

  # required when using rolling upgrade policy
  health_probe_id = azurerm_lb_probe.example.id

  sku {
    name     = "Standard_F2"
    tier     = "Standard"
    capacity = 2
  }

  storage_profile_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "16.04-LTS"
    version   = "latest"
  }

  storage_profile_os_disk {
    name              = ""
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "Standard_LRS"
  }

  storage_profile_data_disk {
    lun           = 0
    caching       = "ReadWrite"
    create_option = "Empty"
    disk_size_gb  = 10
  }

  os_profile {
    computer_name_prefix = "testvm"
    admin_username       = "myadmin"
  }

  # Key-based SSH only; password login is disabled.
  os_profile_linux_config {
    disable_password_authentication = true

    ssh_keys {
      path     = "/home/myadmin/.ssh/authorized_keys"
      key_data = file("~/.ssh/demo_key.pub")
    }
  }

  network_profile {
    name    = "terraformnetworkprofile"
    primary = true

    ip_configuration {
      name                                   = "TestIPConfiguration"
      primary                                = true
      subnet_id                              = azurerm_subnet.example.id
      load_balancer_backend_address_pool_ids = [azurerm_lb_backend_address_pool.bpepool.id]
      load_balancer_inbound_nat_rules_ids    = [azurerm_lb_nat_pool.lbnatpool.id]
    }
  }

  tags = {
    environment = "staging"
  }
}
# fail
# ruleid: azure-vmscale-sets-auto-os-image-patching-enabled
# Reported: automatic_os_upgrade is explicitly disabled.
resource "azurerm_virtual_machine_scale_set" "example" {
  name                = "mytestscaleset-1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  # automatic rolling upgrade
  # Explicit opt-out; this is what the rule is meant to catch.
  automatic_os_upgrade = false
  upgrade_policy_mode  = "Rolling"

  rolling_upgrade_policy {
    max_batch_instance_percent              = 20
    max_unhealthy_instance_percent          = 20
    max_unhealthy_upgraded_instance_percent = 5
    pause_time_between_batches              = "PT0S"
  }

  # required when using rolling upgrade policy
  health_probe_id = azurerm_lb_probe.example.id

  sku {
    name     = "Standard_F2"
    tier     = "Standard"
    capacity = 2
  }

  storage_profile_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "16.04-LTS"
    version   = "latest"
  }

  storage_profile_os_disk {
    name              = ""
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "Standard_LRS"
  }

  storage_profile_data_disk {
    lun           = 0
    caching       = "ReadWrite"
    create_option = "Empty"
    disk_size_gb  = 10
  }

  os_profile {
    computer_name_prefix = "testvm"
    admin_username       = "myadmin"
  }

  os_profile_linux_config {
    disable_password_authentication = true

    ssh_keys {
      path     = "/home/myadmin/.ssh/authorized_keys"
      key_data = file("~/.ssh/demo_key.pub")
    }
  }

  network_profile {
    name    = "terraformnetworkprofile"
    primary = true

    ip_configuration {
      name                                   = "TestIPConfiguration"
      primary                                = true
      subnet_id                              = azurerm_subnet.example.id
      load_balancer_backend_address_pool_ids = [azurerm_lb_backend_address_pool.bpepool.id]
      load_balancer_inbound_nat_rules_ids    = [azurerm_lb_nat_pool.lbnatpool.id]
    }
  }

  tags = {
    environment = "staging"
  }
}
# fail
# ruleid: azure-vmscale-sets-auto-os-image-patching-enabled
# Reported even though automatic_os_upgrade = true: the rule's exception also
# requires an os_profile_windows_config block with enable_automatic_upgrades = true,
# and none is present here.
# NOTE(review): for a Linux-only scale set like this one that requirement cannot be
# met, so the rule reports such resources unconditionally — confirm this is intended.
resource "azurerm_virtual_machine_scale_set" "example" {
  name                = "mytestscaleset-1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  # automatic rolling upgrade
  automatic_os_upgrade = true
  upgrade_policy_mode  = "Rolling"

  rolling_upgrade_policy {
    max_batch_instance_percent              = 20
    max_unhealthy_instance_percent          = 20
    max_unhealthy_upgraded_instance_percent = 5
    pause_time_between_batches              = "PT0S"
  }

  # required when using rolling upgrade policy
  health_probe_id = azurerm_lb_probe.example.id

  sku {
    name     = "Standard_F2"
    tier     = "Standard"
    capacity = 2
  }

  storage_profile_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "16.04-LTS"
    version   = "latest"
  }

  storage_profile_os_disk {
    name              = ""
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "Standard_LRS"
  }

  storage_profile_data_disk {
    lun           = 0
    caching       = "ReadWrite"
    create_option = "Empty"
    disk_size_gb  = 10
  }

  os_profile {
    computer_name_prefix = "testvm"
    admin_username       = "myadmin"
  }

  os_profile_linux_config {
    disable_password_authentication = true

    ssh_keys {
      path     = "/home/myadmin/.ssh/authorized_keys"
      key_data = file("~/.ssh/demo_key.pub")
    }
  }

  network_profile {
    name    = "terraformnetworkprofile"
    primary = true

    ip_configuration {
      name                                   = "TestIPConfiguration"
      primary                                = true
      subnet_id                              = azurerm_subnet.example.id
      load_balancer_backend_address_pool_ids = [azurerm_lb_backend_address_pool.bpepool.id]
      load_balancer_inbound_nat_rules_ids    = [azurerm_lb_nat_pool.lbnatpool.id]
    }
  }

  tags = {
    environment = "staging"
  }
}
# fail
# ruleid: azure-vmscale-sets-auto-os-image-patching-enabled
# Reported: automatic_os_upgrade is on, but the Windows profile turns automatic
# upgrades off, so the exception (which needs both set to true) does not apply.
resource "azurerm_virtual_machine_scale_set" "example" {
  name                = "mytestscaleset-1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  # automatic rolling upgrade
  automatic_os_upgrade = true
  upgrade_policy_mode  = "Rolling"

  # This fixture carries both a Windows and a Linux OS profile purely to exercise
  # the rule's Windows branch; a real scale set would have one or the other.
  os_profile_windows_config {
    enable_automatic_upgrades = false
  }

  rolling_upgrade_policy {
    max_batch_instance_percent              = 20
    max_unhealthy_instance_percent          = 20
    max_unhealthy_upgraded_instance_percent = 5
    pause_time_between_batches              = "PT0S"
  }

  # required when using rolling upgrade policy
  health_probe_id = azurerm_lb_probe.example.id

  sku {
    name     = "Standard_F2"
    tier     = "Standard"
    capacity = 2
  }

  storage_profile_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "16.04-LTS"
    version   = "latest"
  }

  storage_profile_os_disk {
    name              = ""
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "Standard_LRS"
  }

  storage_profile_data_disk {
    lun           = 0
    caching       = "ReadWrite"
    create_option = "Empty"
    disk_size_gb  = 10
  }

  os_profile {
    computer_name_prefix = "testvm"
    admin_username       = "myadmin"
  }

  os_profile_linux_config {
    disable_password_authentication = true

    ssh_keys {
      path     = "/home/myadmin/.ssh/authorized_keys"
      key_data = file("~/.ssh/demo_key.pub")
    }
  }

  network_profile {
    name    = "terraformnetworkprofile"
    primary = true

    ip_configuration {
      name                                   = "TestIPConfiguration"
      primary                                = true
      subnet_id                              = azurerm_subnet.example.id
      load_balancer_backend_address_pool_ids = [azurerm_lb_backend_address_pool.bpepool.id]
      load_balancer_inbound_nat_rules_ids    = [azurerm_lb_nat_pool.lbnatpool.id]
    }
  }

  tags = {
    environment = "staging"
  }
}
# fail
# ruleid: azure-vmscale-sets-auto-os-image-patching-enabled
# Reported: automatic_os_upgrade is absent and the Windows profile disables
# automatic upgrades, so neither half of the rule's exception is satisfied.
resource "azurerm_virtual_machine_scale_set" "example" {
  name                = "mytestscaleset-1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  # automatic rolling upgrade
  upgrade_policy_mode = "Rolling"

  os_profile_windows_config {
    enable_automatic_upgrades = false
  }

  rolling_upgrade_policy {
    max_batch_instance_percent              = 20
    max_unhealthy_instance_percent          = 20
    max_unhealthy_upgraded_instance_percent = 5
    pause_time_between_batches              = "PT0S"
  }

  # required when using rolling upgrade policy
  health_probe_id = azurerm_lb_probe.example.id

  sku {
    name     = "Standard_F2"
    tier     = "Standard"
    capacity = 2
  }

  storage_profile_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "16.04-LTS"
    version   = "latest"
  }

  storage_profile_os_disk {
    name              = ""
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "Standard_LRS"
  }

  storage_profile_data_disk {
    lun           = 0
    caching       = "ReadWrite"
    create_option = "Empty"
    disk_size_gb  = 10
  }

  os_profile {
    computer_name_prefix = "testvm"
    admin_username       = "myadmin"
  }

  os_profile_linux_config {
    disable_password_authentication = true

    ssh_keys {
      path     = "/home/myadmin/.ssh/authorized_keys"
      key_data = file("~/.ssh/demo_key.pub")
    }
  }

  network_profile {
    name    = "terraformnetworkprofile"
    primary = true

    ip_configuration {
      name                                   = "TestIPConfiguration"
      primary                                = true
      subnet_id                              = azurerm_subnet.example.id
      load_balancer_backend_address_pool_ids = [azurerm_lb_backend_address_pool.bpepool.id]
      load_balancer_inbound_nat_rules_ids    = [azurerm_lb_nat_pool.lbnatpool.id]
    }
  }

  tags = {
    environment = "staging"
  }
}
# pass
# Not reported: automatic_os_upgrade = true together with
# os_profile_windows_config { enable_automatic_upgrades = true } matches the
# rule's pattern-not-inside exception.
# NOTE(review): the rule only inspects these two flags; it does not check whether
# the referenced image is still maintained or whether upgrades actually roll out.
resource "azurerm_virtual_machine_scale_set" "example" {
  name                = "mytestscaleset-1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  # automatic rolling upgrade
  automatic_os_upgrade = true
  upgrade_policy_mode  = "Rolling"

  # upgrade_policy_mode sits between the two settings the rule looks for, so
  # they do not need to be adjacent for the exception to apply.
  os_profile_windows_config {
    enable_automatic_upgrades = true
  }

  rolling_upgrade_policy {
    max_batch_instance_percent              = 20
    max_unhealthy_instance_percent          = 20
    max_unhealthy_upgraded_instance_percent = 5
    pause_time_between_batches              = "PT0S"
  }

  # required when using rolling upgrade policy
  health_probe_id = azurerm_lb_probe.example.id

  sku {
    name     = "Standard_F2"
    tier     = "Standard"
    capacity = 2
  }

  storage_profile_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "16.04-LTS"
    version   = "latest"
  }

  storage_profile_os_disk {
    name              = ""
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "Standard_LRS"
  }

  storage_profile_data_disk {
    lun           = 0
    caching       = "ReadWrite"
    create_option = "Empty"
    disk_size_gb  = 10
  }

  os_profile {
    computer_name_prefix = "testvm"
    admin_username       = "myadmin"
  }

  os_profile_linux_config {
    disable_password_authentication = true

    ssh_keys {
      path     = "/home/myadmin/.ssh/authorized_keys"
      key_data = file("~/.ssh/demo_key.pub")
    }
  }

  network_profile {
    name    = "terraformnetworkprofile"
    primary = true

    ip_configuration {
      name                                   = "TestIPConfiguration"
      primary                                = true
      subnet_id                              = azurerm_subnet.example.id
      load_balancer_backend_address_pool_ids = [azurerm_lb_backend_address_pool.bpepool.id]
      load_balancer_inbound_nat_rules_ids    = [azurerm_lb_nat_pool.lbnatpool.id]
    }
  }

  tags = {
    environment = "staging"
  }
}