terraform.azure.security.azure-network-watcher-flowlog-period.azure-network-watcher-flowlog-period
Ensure that Network Security Group Flow Log retention period is 90 days or greater
Definition
rules:
- id: azure-network-watcher-flowlog-period
  # Reports an azurerm_network_watcher_flow_log whose retention_policy is
  # enabled and carries a literal `days` value lower than 90. A value of 0 is
  # deliberately left out of the check (see pattern-not-inside below).
  message: Ensure that Network Security Group Flow Log retention period is 90 days or greater
  patterns:
  # The match range (and therefore the reported location) is the `resource`
  # keyword; the two *-inside operators below narrow it to the flow-log
  # resources of interest.
  - pattern: resource
  # Only a retention_policy that is both enabled and has a `days` attribute is
  # examined. NOTE(review): a resource whose retention_policy has
  # `enabled = false`, or that has no retention_policy block at all, is not
  # reported by this rule even though no 90-day retention is in effect.
  - pattern-inside: |
      resource "azurerm_network_watcher_flow_log" "..." {
        ...
        retention_policy {
          ...
          enabled = true
          days = $DAYS
          ...
        }
        ...
      }
  # `days = 0` is excluded from the comparison (presumably because Azure
  # interprets 0 as "retain indefinitely" — confirm against the provider docs).
  - pattern-not-inside: |
      resource "azurerm_network_watcher_flow_log" "..." {
        ...
        retention_policy {
          ...
          enabled = true
          days = 0
          ...
        }
        ...
      }
  # $DAYS is only flagged when the comparison can evaluate it as a number
  # below 90; a quoted string or a variable reference is not necessarily
  # compared — see the `days = "100"` example on this page.
  - metavariable-comparison:
      metavariable: $DAYS
      comparison: $DAYS < 90
  metadata:
    category: best-practice
    technology:
    - terraform
    - azure
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
  languages:
  - hcl
  severity: WARNING
Examples
azure-network-watcher-flowlog-period.tf
# fail
# Retention is enabled with a literal 7 days, below the 90-day floor the rule
# enforces, so the finding is expected on the resource below.
# ruleid: azure-network-watcher-flowlog-period
resource "azurerm_network_watcher_flow_log" "test" {
  network_watcher_name      = azurerm_network_watcher.test.name
  resource_group_name       = azurerm_resource_group.test.name
  network_security_group_id = azurerm_network_security_group.test.id
  storage_account_id        = azurerm_storage_account.test.id
  enabled                   = true
  retention_policy {
    enabled = true
    days    = 7
  }
}
# pass
# Exactly 90 days satisfies the rule: the comparison is a strict `$DAYS < 90`,
# so 90 itself is not reported.
resource "azurerm_network_watcher_flow_log" "test" {
  network_watcher_name      = azurerm_network_watcher.test.name
  resource_group_name       = azurerm_resource_group.test.name
  network_security_group_id = azurerm_network_security_group.test.id
  storage_account_id        = azurerm_storage_account.test.id
  enabled                   = true
  retention_policy {
    enabled = true
    days    = 90
  }
}
# pass
# `days = 0` is excluded by the rule's pattern-not-inside (presumably because
# Azure treats 0 as indefinite retention — confirm against the provider docs).
resource "azurerm_network_watcher_flow_log" "test" {
  network_watcher_name      = azurerm_network_watcher.test.name
  resource_group_name       = azurerm_resource_group.test.name
  network_security_group_id = azurerm_network_security_group.test.id
  storage_account_id        = azurerm_storage_account.test.id
  enabled                   = true
  retention_policy {
    enabled = true
    days    = 0
  }
}
# pass
# A quoted value is not reported. NOTE(review): this passes whether the
# comparison coerces "100" to a number or skips it as non-numeric; if it is
# the latter, a quoted short retention (e.g. "7") or a variable reference
# would also go unreported — verify the coercion behaviour before relying on
# this rule alone.
resource "azurerm_network_watcher_flow_log" "test" {
  network_watcher_name      = azurerm_network_watcher.test.name
  resource_group_name       = azurerm_resource_group.test.name
  network_security_group_id = azurerm_network_security_group.test.id
  storage_account_id        = azurerm_storage_account.test.id
  enabled                   = true
  retention_policy {
    enabled = true
    days    = "100"
  }
}