terraform.azure.security.azure-customrole-definition-subscription-owner.azure-customrole-definition-subscription-owner

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

Ensure that no custom subscription owner roles are created

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: azure-customrole-definition-subscription-owner
    message: Ensure that no custom subscription owner roles are created
    patterns:
      - pattern: |
          ["*"]
      - pattern-inside: |
          resource "azurerm_role_definition" "..." {
            permissions {
              ...
            }
          }
      - pattern-inside: actions = ...
    metadata:
      owasp:
        - A05:2017 - Broken Access Control
        - A01:2021 - Broken Access Control
      cwe:
        - "CWE-284: Improper Access Control"
      category: security
      technology:
        - terraform
        - azure
      references:
        - https://owasp.org/Top10/A01_2021-Broken_Access_Control
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    languages:
      - hcl
    severity: WARNING

Examples

azure-customrole-definition-subscription-owner.tf

# fail
resource "azurerm_role_definition" "example" {
    name        = "my-custom-role"
    scope       = data.azurerm_subscription.primary.id
    description = "This is a custom role created via Terraform"

    permissions {
    # ruleid: azure-customrole-definition-subscription-owner
    actions     = ["*"]
    not_actions = []
    }

    assignable_scopes = [
    data.azurerm_subscription.primary.id
    ]
}

# fail
resource "azurerm_role_definition" "example" {
    name        = "my-custom-role"
    scope       = data.azurerm_subscription.primary.id
    description = "This is a custom role created via Terraform"

    permissions {
    # ruleid: azure-customrole-definition-subscription-owner
    actions     = ["*"]
    not_actions = []
    }

    assignable_scopes = [
    "/"
    ]
}

# fail
resource "azurerm_role_definition" "example" {
    name        = "my-custom-role"
    scope       = data.azurerm_subscription.primary.id
    description = "This is a custom role created via Terraform"

    permissions {
    # ruleid: azure-customrole-definition-subscription-owner
    actions     = ["*"]
    not_actions = []
    }
}

# pass
resource "azurerm_role_definition" "example" {
    name        = "my-custom-role"
    scope       = data.azurerm_subscription.primary.id
    description = "This is a custom role created via Terraform"

    permissions {
    actions     = [
    "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
        ]
    not_actions = []
    }

    assignable_scopes = [
    data.azurerm_subscription.primary.id
    ]
}