terraform.azure.security.azure-network-watcher-flowlog-period.azure-network-watcher-flowlog-period


Ensure that Network Security Group Flow Log retention period is 90 days or greater


Definition

# Semgrep rule: report Azure Network Watcher flow logs whose retention policy keeps
# NSG flow records for fewer than 90 days. Short retention limits how far back an
# investigation can look when a network incident is only discovered later.
rules:
  - id: azure-network-watcher-flowlog-period
    message: Ensure that Network Security Group Flow Log retention period is 90 days
      or greater
    patterns:
      # `pattern: resource` anchors the finding; the actual constraints come from
      # the pattern-inside / pattern-not-inside clauses below.
      - pattern: resource
      # Bind $DAYS only when the retention_policy block has `enabled = true`.
      # NOTE(review): a retention_policy with `enabled = false` is therefore never
      # reported by this rule; whether that configuration should also be flagged
      # depends on how the provider treats disabled retention -- confirm.
      - pattern-inside: |
          resource "azurerm_network_watcher_flow_log" "..." {
          ...
          retention_policy {
          ...
          enabled = true
          days = $DAYS
          ...
          }
          ...
          }
      # `days = 0` is deliberately excluded (see the passing `days = 0` example):
      # it is treated here as the retain-indefinitely setting rather than a
      # zero-day retention -- confirm against the azurerm provider docs.
      - pattern-not-inside: |
          resource "azurerm_network_watcher_flow_log" "..." {
          ...
          retention_policy {
          ...
          enabled = true
          days = 0
          ...
          }
          ...
          }
      # The comparison is strict, so exactly 90 days is not reported. The passing
      # `days = "100"` example shows a quoted value is not reported either; whether
      # that is due to numeric coercion or the comparison not applying to strings
      # is not established here.
      - metavariable-comparison:
          metavariable: $DAYS
          comparison: $DAYS < 90
    metadata:
      category: best-practice
      technology:
        - terraform
        - azure
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - hcl
    severity: WARNING

Examples

azure-network-watcher-flowlog-period.tf

# fail
# Retention is enabled but kept for only 7 days, which is below the 90-day
# minimum the rule enforces, so this resource is reported.
# ruleid: azure-network-watcher-flowlog-period
resource "azurerm_network_watcher_flow_log" "test" {
  network_watcher_name = azurerm_network_watcher.test.name
  resource_group_name  = azurerm_resource_group.test.name
  network_security_group_id = azurerm_network_security_group.test.id
  storage_account_id        = azurerm_storage_account.test.id
  enabled                   = true

  retention_policy {
    enabled = true
    days    = 7
  }
}

# pass
# Exactly 90 days satisfies the rule: the comparison is strict (`$DAYS < 90`),
# so the boundary value is not reported.
# ok: azure-network-watcher-flowlog-period
resource "azurerm_network_watcher_flow_log" "test" {
  network_watcher_name = azurerm_network_watcher.test.name
  resource_group_name  = azurerm_resource_group.test.name
  network_security_group_id = azurerm_network_security_group.test.id
  storage_account_id        = azurerm_storage_account.test.id
  enabled                   = true

  retention_policy {
    enabled = true
    days    = 90
  }
}

# pass
# `days = 0` is excluded by the rule's pattern-not-inside clause and is not
# reported; it is treated as the retain-indefinitely setting rather than a
# zero-day retention -- confirm against the azurerm provider docs.
# ok: azure-network-watcher-flowlog-period
resource "azurerm_network_watcher_flow_log" "test" {
  network_watcher_name = azurerm_network_watcher.test.name
  resource_group_name  = azurerm_resource_group.test.name
  network_security_group_id = azurerm_network_security_group.test.id
  storage_account_id        = azurerm_storage_account.test.id
  enabled                   = true

  retention_policy {
    enabled = true
    days    = 0
  }
}

# pass
# Quoted numeric value. Not reported: whether Semgrep coerces "100" to a number
# before the `< 90` comparison or simply does not apply the comparison to a
# string is not shown here -- either way this resource produces no finding.
# ok: azure-network-watcher-flowlog-period
resource "azurerm_network_watcher_flow_log" "test" {
  network_watcher_name = azurerm_network_watcher.test.name
  resource_group_name  = azurerm_resource_group.test.name
  network_security_group_id = azurerm_network_security_group.test.id
  storage_account_id        = azurerm_storage_account.test.id
  enabled                   = true

  retention_policy {
    enabled = true
    days    = "100"
  }
}