-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[skip ci] Add IaaS module for Sonarqube instance #31
base: main
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Bridgecrew has found errors in this PR ⬇️
byte_length = 8 | ||
} | ||
# Provision storage account for VM diagnostics | ||
resource "azurerm_storage_account" "myvmstorage" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ensure storage for critical data are encrypted with Customer Managed Key
Resource: azurerm_storage_account.myvmstorage | ID: BC_AZR_GENERAL_32
How to Fix
data "azurerm_client_config" "current" {}
resource "azurerm_resource_group" "example" {
name = "example-resources"
location = "West Europe"
}
resource "azurerm_key_vault" "example" {
name = "examplekv"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
tenant_id = data.azurerm_client_config.current.tenant_id
sku_name = "standard"
purge_protection_enabled = true
}
resource "azurerm_key_vault_access_policy" "client" {
key_vault_id = azurerm_key_vault.example.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
key_permissions = ["get", "create", "delete", "list", "restore", "recover", "unwrapkey", "wrapkey", "purge", "encrypt", "decrypt", "sign", "verify"]
secret_permissions = ["get"]
}
resource "azurerm_key_vault_key" "example" {
name = "tfex-key"
key_vault_id = azurerm_key_vault.example.id
key_type = "RSA"
key_size = 2048
key_opts = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]
depends_on = [
azurerm_key_vault_access_policy.client
]
}
resource "azurerm_storage_account" "ok_storage_account" {
name = "examplestor"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
account_tier = "Standard"
account_replication_type = "GRS"
identity {
type = "SystemAssigned"
}
}
resource "azurerm_storage_account_customer_managed_key" "ok_cmk" {
storage_account_id = azurerm_storage_account.ok_storage_account.id
key_vault_id = azurerm_key_vault.example.id
key_name = azurerm_key_vault_key.example.name
}
Description
Enable sensitive data encryption at rest using Customer Managed Keys (CMKs) rather than Microsoft Managed keys. By default, data in the storage account is encrypted using Microsoft Managed Keys at rest. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted. However, if you want to control and manage this encryption key yourself, you can specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. You can also choose to automatically update the key version used for Azure Storage encryption whenever a new version is available in the associated Key Vault.Benchmarks
- CIS AZURE V1.3 3.9
tags = var.tags | ||
} | ||
#Create Network Security Groups | ||
resource "azurerm_network_security_group" "mynsg" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ensure Azure HTTP (port 80) access from the internet is restricted
Resource: module.sonarqubeiaas.azurerm_network_security_group.mynsg | ID: BC_AZR_NETWORKING_57
How to Fix
resource "azurerm_cognitive_account" "example" {
}
byte_length = 8 | ||
} | ||
# Provision storage account for VM diagnostics | ||
resource "azurerm_storage_account" "myvmstorage" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ensure Azure Storage Account default network access is set to Deny
Resource: module.sonarqubeiaas.azurerm_storage_account.myvmstorage | ID: BC_AZR_NETWORKING_15
How to Fix
resource "azurerm_storage_account_network_rules" "test" {
resource_group_name = azurerm_resource_group.test.name
storage_account_name = azurerm_storage_account.test.name
+ default_action = "Deny"
}
Description
Restricting default network access helps to provide an additional layer of security. By default, storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed.We recommend you configure storage accounts to deny access to traffic from all networks, including internet traffic. At an appropriate time, access can be granted to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges enabling connections from specific internet or on-premises clients. When network rules are configured only applications from allowed networks can access a storage account. When calling from an allowed network applications continue to require authorization, such as a valid access key or SAS token, to access the storage account.
Benchmarks
- CIS AZURE V1.1 3.7
- CIS AZURE V1.3 3.6
byte_length = 8 | ||
} | ||
# Provision storage account for VM diagnostics | ||
resource "azurerm_storage_account" "myvmstorage" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ensure storage logging for queue service has read, write, and delete requests enabled
Resource: module.sonarqubeiaas.azurerm_storage_account.myvmstorage | ID: BC_AZR_LOGGING_4
How to Fix
resource "azurerm_storage_account" "example" {
name = "example"
resource_group_name = data.azurerm_resource_group.example.name
location = data.azurerm_resource_group.example.location
account_tier = "Standard"
account_replication_type = "GRS"
queue_properties {
+ logging {
delete = true
read = true
write = true
version = "1.0"
retention_policy_days = 10
}
}
}
Description
The **Azure Queue Storage** service stores messages that may be read by any client with access to the storage account. A queue may contain an unlimited number of messages, each of which can be up to 64KB in size when using version 2011-08-18 or newer.Storage Logging takes place server-side recording details in the storage account for both successful and failed requests. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: timing information, for example start time, end-to-end latency, server latency, authentication details, concurrency information, and the size of request and response messages.
Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis. Storage Analytics logging is not enabled by default for your storage account.
Benchmarks
- CIS AZURE V1.1 3.3, 6.3
- CIS AZURE V1.3 3.3, 6.3
byte_length = 8 | ||
} | ||
# Provision storage account for VM diagnostics | ||
resource "azurerm_storage_account" "myvmstorage" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ensure storage account uses the latest version of TLS encryption
Resource: module.sonarqubeiaas.azurerm_storage_account.myvmstorage | ID: BC_AZR_STORAGE_2
How to Fix
resource "azurerm_storage_account" "test" {
...
+ min_tls_version = "TLS1_2"
...
}
Description
Communication between a client application and an Azure Storage account is encrypted using Transport Layer Security (TLS). TLS is a standard cryptographic protocol that ensures privacy and data integrity between clients and services over the Internet.Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility.
To follow security best practices and the latest PCI compliance standards, Microsoft recommends enabling the latest version of TLS protocol (TLS 1.2) for all your Microsoft Azure App Service web applications. PCI DSS information security standard requires that all websites accepting credit card payments uses TLS 1.2 after June 30, 2018.
byte_length = 8 | ||
} | ||
# Provision storage account for VM diagnostics | ||
resource "azurerm_storage_account" "myvmstorage" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ensure Azure storage account encryption CMKs are enabled
Resource: azurerm_storage_account.myvmstorage | ID: BC_AZR_GENERAL_38
How to Fix
data "azurerm_client_config" "current" {}
resource "azurerm_key_vault" "example" {
name = "examplekv"
location = "location"
resource_group_name = "group"
tenant_id = data.azurerm_client_config.current.tenant_id
sku_name = "standard"
purge_protection_enabled = true
}
resource "azurerm_key_vault_key" "example" {
name = "tfex-key"
key_vault_id = azurerm_key_vault.example.id
key_type = "RSA"
key_size = 2048
key_opts = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]
}
resource "azurerm_storage_account" "storage_account_good_1" {
name = "examplestor"
resource_group_name = "group"
location = "location"
account_tier = "Standard"
account_replication_type = "GRS"
identity {
type = "SystemAssigned"
}
}
resource "azurerm_storage_account_customer_managed_key" "managed_key_good" {
storage_account_id = azurerm_storage_account.storage_account_good_1.id
key_vault_id = azurerm_key_vault.example.id
key_name = azurerm_key_vault_key.example.name
key_version = "1"
}
Description
By default all data at rest in Azure Storage account is encrypted using Microsoft Managed Keys. It is recommended to use Customer Managed Keys to encrypt data in Azure Storage accounts for better control on Storage account data.tags = var.tags | ||
} | ||
#Create Network Security Groups | ||
resource "azurerm_network_security_group" "mynsg" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ensure SSH Internet access is restricted
Resource: module.sonarqubeiaas.azurerm_network_security_group.mynsg | ID: BC_AZR_NETWORKING_3
How to Fix
resource "azurerm_network_security_rule" "example" {
- access = "Allow"
- protocol = "TCP"
- destination_port_range = ["22" / <port range including 22>]]
- source_address_prefix = "*" / "0.0.0.0" / "<nw>/0" / "/0" / "internet" / "any"
}
Description
A potential security problem using SSH over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network. The attackers could also access and attack networked devices outside of Azure.We recommend you disable SSH access over the internet to Network Security Groups.
Benchmarks
- CIS AZURE V1.1 6.2
- CIS AZURE V1.3 6.2
tags = var.tags | ||
} | ||
#Create NIC | ||
resource "azurerm_network_interface" "mynic" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ensure network interfaces do not use public IPs
Resource: azurerm_network_interface.mynic | ID: BC_AZR_NETWORKING_36
How to Fix
resource "azurerm_network_interface" "example" {
name = "example-nic"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
ip_configuration {
name = "internal"
subnet_id = azurerm_subnet.example.id
private_ip_address_allocation = "Dynamic"
}
ip_configuration {
name = "internal2"
subnet_id = azurerm_subnet.example.id2
private_ip_address_allocation = "Dynamic"
}
enable_ip_forwarding = false
}
Description
TBA} | ||
|
||
tags = var.tags | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
} | |
allow_extension_operations = false | |
} |
Ensure Virtual Machine extensions are not installed
Resource: module.sonarqubeiaas.azurerm_linux_virtual_machine.myvm | ID: BC_AZR_GENERAL_14
Description
Ensure that your Microsoft Azure virtual machines (VMs) does not have extensions installed in order to follow your organization's security and compliance requirements. Azure virtual machine extensions are small cloud applications that provide post-deployment configuration and automation tasks for virtual machines. These extensions run with administrative privileges and could potentially access any configuration file or piece of data on a virtual machine.byte_length = 8 | ||
} | ||
# Provision storage account for VM diagnostics | ||
resource "azurerm_storage_account" "myvmstorage" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ensure the storage container storing activity logs is not publicly accessible
Resource: azurerm_storage_account.myvmstorage | ID: BC_AZR_LOGGING_12
How to Fix
resource "azurerm_storage_container" "ok_container" {
name = "vhds"
storage_account_name = azurerm_storage_account.ok_account.name
+ container_access_type = "private"
}
resource "azurerm_storage_account" "ok_account" {
name = "examplesa"
resource_group_name = azurerm_resource_group.main.name
location = azurerm_resource_group.main.location
account_tier = "Standard"
account_replication_type = "GRS"
}
resource "azurerm_monitor_activity_log_alert" "ok_monitor_activity_log_alert" {
name = "example-activitylogalert"
resource_group_name = azurerm_resource_group.main.name
scopes = [azurerm_resource_group.main.id]
description = "This alert will monitor a specific storage account updates."
criteria {
resource_id = azurerm_storage_account.ok_account.id
operation_name = "Microsoft.Storage/storageAccounts/write"
category = "Recommendation"
}
action {
action_group_id = azurerm_monitor_action_group.main.id
webhook_properties = {
from = "terraform"
}
}
}
Description
The storage account container containing the activity log export should not be publicly accessible. Allowing public access to activity log content may aid an adversary in identifying weaknesses in the affected account's use or configuration. Configuring container Access policy to* private* will remove access from the container for everyone except owners of the storage account. Access policy needs to be set explicitly in order to allow access to other desired users.Benchmarks
- CIS AZURE V1.3 5.1.3
🎉 Fixed by commit 836bf7f - [skip_ci] 📝 Add Sonarqube IaaS docs
💰 Infracost estimate: monthly cost will increase by €45.82 (+7%) 📈
11 projects have no cost estimate changes. Infracost output
This comment will be updated when the cost estimate changes. Is this comment useful? Yes, No, Other |
byte_length = 8 | ||
} | ||
# Provision storage account for VM diagnostics | ||
resource "azurerm_storage_account" "myvmstorage" { |
Check failure
Code scanning / SonarCloud
Weak SSL/TLS protocols should not be used
protocol = "Tcp" | ||
source_port_range = "*" | ||
destination_port_range = "22" | ||
source_address_prefix = "*" |
Check notice
Code scanning / SonarCloud
Administration services access should be restricted to specific IP addresses
a381666
to
b57909f
Compare
SonarCloud Quality Gate failed. 0 Bugs No Coverage information |
IaaS module for Sonarqube instance
Summary of the changes (Less than 80 chars)
Description
This adds a functional (but not secure) version of a Sonarqube instance that can be installed on an VM in Azure.