terraform.azure.security.azure-service-fabric-cluster-protection-level.azure-service-fabric-cluster-protection-level

Ensure that Service Fabric use three levels of protection available


Definition

rules:
  # Reports every azurerm_service_fabric_cluster that does not carry a
  # fabric_settings block named "Security" whose ClusterProtectionLevel is
  # "EncryptAndSign" -- the strongest of the three protection levels (the
  # others being None and Sign).
  - id: azure-service-fabric-cluster-protection-level
    message: Ensure that Service Fabric use three levels of protection available
    patterns:
      # `pattern: resource` is presumably what anchors the finding on the
      # resource keyword rather than on every node inside the block -- confirm
      # against semgrep's HCL matching.
      - pattern: resource
      - pattern-inside: |
          resource "azurerm_service_fabric_cluster" "..." {
          ...
          }
      # The match is suppressed only when the block literally sets both
      # name = "ClusterProtectionLevel" and value = "EncryptAndSign" inside
      # `parameters`; a missing block or any other value is reported.
      # NOTE(review): the azurerm provider documents `parameters` as a map of
      # key/value pairs (ClusterProtectionLevel = "EncryptAndSign"), a shape this
      # pattern would not recognise -- verify against real configurations.
      - pattern-not-inside: |
          resource "azurerm_service_fabric_cluster" "..." {
          ...
          fabric_settings {
            name = "Security"
            parameters = {
              ...
              name = "ClusterProtectionLevel"
              value = "EncryptAndSign"
              ...
            }
            ...
          }
          ...
          }
    metadata:
      # A03:2017 (Sensitive Data Exposure) corresponds to A02:2021
      # (Cryptographic Failures), which is the reference linked below.
      owasp:
        - A03:2017 - Sensitive Data Exposure
      cwe:
        - "CWE-320: CWE CATEGORY: Key Management Errors"
      category: security
      technology:
        - terraform
        - azure
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - hcl
    severity: WARNING

Examples

azure-service-fabric-cluster-protection-level.tf

# fail
# ruleid: azure-service-fabric-cluster-protection-level
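resource "azurerm_service_fabric_cluster" "example" {
  name                 = "example-servicefabric"
  resource_group_name  = azurerm_resource_group.example.name
  location             = azurerm_resource_group.example.location
  reliability_level    = "Bronze"
  upgrade_mode         = "Manual"
  cluster_code_version = "7.1.456.959"
  vm_image             = "Windows"
  management_endpoint  = "https://example:80"

  # No fabric_settings "Security" block sets ClusterProtectionLevel to
  # "EncryptAndSign", so this cluster is reported by the rule.

  node_type {
    name                 = "first"
    instance_count       = 3
    is_primary           = true
    client_endpoint_port = 2020
    http_endpoint_port   = 80
  }
}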

# pass
resource "azurerm_service_fabric_cluster" "example" {
  name                 = "example-servicefabric"
  resource_group_name  = azurerm_resource_group.example.name
  location             = azurerm_resource_group.example.location
  reliability_level    = "Bronze"
  upgrade_mode         = "Manual"
  cluster_code_version = "7.1.456.959"
  vm_image             = "Windows"
  management_endpoint  = "https://example:80"

  node_type {
    name                 = "first"
    instance_count       = 3
    is_primary           = true
    client_endpoint_port = 2020
    http_endpoint_port   = 80
  }

  # The "Security" setting below is what the rule looks for: EncryptAndSign is
  # the strongest of the three cluster protection levels.
  fabric_settings {
    name       = "Security"
    parameters = {
      name  = "ClusterProtectionLevel"
      value = "EncryptAndSign"
    }
  }
}