terraform.azure.security.azure-containergroup-deployed-into-virtualnetwork.azure-containergroup-deployed-into-virtualnetwork


Ensure that the Azure Container group is deployed into a virtual network


Definition

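rules:
  - id: azure-containergroup-deployed-into-virtualnetwork
    message: Ensure that Azure Container group is deployed into virtual network
    # Flags an azurerm_container_group that carries no virtual-network
    # attachment. Such a group is reachable only through its public IP /
    # DNS label and cannot sit behind subnet-level network controls.
    patterns:
      - pattern: resource
      # Excluded: the group names a network profile. A metavariable is used
      # instead of "..." so that a resource reference (the id attribute of a
      # network-profile resource), not only a quoted string literal, counts
      # as an attachment; "..." matches string literals only.
      - pattern-not-inside: |
          resource "azurerm_container_group" "..." {
          ...
          container {
            ...
          }
          network_profile_id = $PROFILE
          ...
          }
      # Excluded: azurerm provider 3.x replaced network_profile_id with
      # subnet_ids; a group that lists its subnets is likewise inside a
      # virtual network and must not be reported.
      - pattern-not-inside: |
          resource "azurerm_container_group" "..." {
          ...
          container {
            ...
          }
          subnet_ids = $SUBNETS
          ...
          }
      # Scope: only container groups that define at least one container.
      - pattern-inside: |
          resource "azurerm_container_group" "..." {
          ...
          container {
            ...
          }
          ...
          }
    metadata:
      owasp:
        - A05:2017 - Broken Access Control
        - A01:2021 - Broken Access Control
      cwe:
        - "CWE-284: Improper Access Control"
      category: security
      technology:
        - terraform
        - azure
      references:
        - https://owasp.org/Top10/A01_2021-Broken_Access_Control
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    languages:
      - hcl
    severity: WARNING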

Examples

azure-containergroup-deployed-into-virtualnetwork.tf

# fail
# ruleid: azure-containergroup-deployed-into-virtualnetwork
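resource "azurerm_container_group" "example" {
  name                = "example-continst"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  # No network_profile_id is set, so the group is exposed only through the
  # public IP address and DNS label declared here; this is what the rule
  # reports.
  ip_address_type     = "public"
  dns_name_label      = "aci-label"
  os_type             = "Linux"

  container {
    name   = "hello-world"
    image  = "microsoft/aci-helloworld:latest"
    cpu    = "0.5"
    memory = "1.5"

    ports {
      port     = 443
      protocol = "TCP"
    }
  }

  container {
    name   = "sidecar"
    image  = "microsoft/aci-tutorial-sidecar"
    cpu    = "0.5"
    memory = "1.5"
  }
}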

# pass
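resource "azurerm_container_group" "example" {
  name                = "example-continst"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  # NOTE(review): a group attached to a virtual network normally uses a
  # private IP address; "public" is kept here only so that the two fixtures
  # differ solely in the attribute under test — confirm before reusing this
  # block as a deployment template.
  ip_address_type     = "public"
  dns_name_label      = "aci-label"
  os_type             = "Linux"

  container {
    name   = "hello-world"
    image  = "microsoft/aci-helloworld:latest"
    cpu    = "0.5"
    memory = "1.5"

    ports {
      port     = 443
      protocol = "TCP"
    }
  }

  container {
    name   = "sidecar"
    image  = "microsoft/aci-tutorial-sidecar"
    cpu    = "0.5"
    memory = "1.5"
  }

  # Naming a network profile places the group inside a virtual network, so
  # the rule does not report it. The literal is a fixture value; a real
  # configuration would normally reference the id of a network-profile
  # resource instead.
  network_profile_id = "network_profile_id"
}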