
[skip ci] Add IaaS module for Sonarqube instance #31

Open
wants to merge 6 commits into
base: main

Conversation

albertinisg
Member

IaaS module for Sonarqube instance

  • You've read the Contributor Guide and Code of Conduct.
  • You've included unit or integration tests for your change, where applicable.
  • You've included inline docs for your change, where applicable.
  • There's an open issue for the PR that you are making. If you'd like to propose a new feature or change, please open an issue to discuss the change or find an existing issue.

Summary of the changes (Less than 80 chars)

Description

This adds a functional (but not secure) version of a Sonarqube instance that can be installed on a VM in Azure.


@bridgecrew bridgecrew bot left a comment


Bridgecrew has found errors in this PR ⬇️

byte_length = 8
}
# Provision storage account for VM diagnostics
resource "azurerm_storage_account" "myvmstorage" {

HIGH   Ensure storage for critical data are encrypted with Customer Managed Key
    Resource: azurerm_storage_account.myvmstorage | ID: BC_AZR_GENERAL_32

How to Fix

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_key_vault" "example" {
  name                = "examplekv"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  purge_protection_enabled = true
}

resource "azurerm_key_vault_access_policy" "client" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  key_permissions    = ["get", "create", "delete", "list", "restore", "recover", "unwrapkey", "wrapkey", "purge", "encrypt", "decrypt", "sign", "verify"]
  secret_permissions = ["get"]
}

resource "azurerm_key_vault_key" "example" {
  name         = "tfex-key"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]

  depends_on = [
    azurerm_key_vault_access_policy.client
  ]
}


resource "azurerm_storage_account" "ok_storage_account" {
  name                     = "examplestor"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  identity {
    type = "SystemAssigned"
  }
}


resource "azurerm_storage_account_customer_managed_key" "ok_cmk" {
  storage_account_id = azurerm_storage_account.ok_storage_account.id
  key_vault_id       = azurerm_key_vault.example.id
  key_name           = azurerm_key_vault_key.example.name
}

Description

Enable sensitive data encryption at rest using Customer Managed Keys (CMKs) rather than Microsoft Managed keys. By default, data in the storage account is encrypted using Microsoft Managed Keys at rest. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted. However, if you want to control and manage this encryption key yourself, you can specify a customer-managed key; that key is used to protect and control access to the key that encrypts your data. You can also choose to automatically update the key version used for Azure Storage encryption whenever a new version is available in the associated Key Vault.

Benchmarks

  • CIS AZURE V1.3 3.9

tags = var.tags
}
#Create Network Security Groups
resource "azurerm_network_security_group" "mynsg" {

LOW   Ensure Azure HTTP (port 80) access from the internet is restricted
    Resource: module.sonarqubeiaas.azurerm_network_security_group.mynsg | ID: BC_AZR_NETWORKING_57

How to Fix

resource "azurerm_cognitive_account" "example" {

}

byte_length = 8
}
# Provision storage account for VM diagnostics
resource "azurerm_storage_account" "myvmstorage" {

MEDIUM   Ensure Azure Storage Account default network access is set to Deny
    Resource: module.sonarqubeiaas.azurerm_storage_account.myvmstorage | ID: BC_AZR_NETWORKING_15

How to Fix

resource "azurerm_storage_account_network_rules" "test" {
    resource_group_name  = azurerm_resource_group.test.name
    storage_account_name = azurerm_storage_account.test.name

+   default_action             = "Deny"
}

Description

Restricting default network access helps to provide an additional layer of security. By default, storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed.

We recommend you configure storage accounts to deny access to traffic from all networks, including internet traffic. At an appropriate time, access can be granted to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges, enabling connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access a storage account. When calling from an allowed network, applications continue to require authorization, such as a valid access key or SAS token, to access the storage account.

Benchmarks

  • CIS AZURE V1.1 3.7
  • CIS AZURE V1.3 3.6

byte_length = 8
}
# Provision storage account for VM diagnostics
resource "azurerm_storage_account" "myvmstorage" {

MEDIUM   Ensure storage logging for queue service has read, write, and delete requests enabled
    Resource: module.sonarqubeiaas.azurerm_storage_account.myvmstorage | ID: BC_AZR_LOGGING_4

How to Fix

resource "azurerm_storage_account" "example" {
    name                     = "example"
    resource_group_name      = data.azurerm_resource_group.example.name
    location                 = data.azurerm_resource_group.example.location
    account_tier             = "Standard"
    account_replication_type = "GRS"
    queue_properties  {
+   logging {
        delete                = true
        read                  = true
        write                 = true
        version               = "1.0"
        retention_policy_days = 10
    }
  }
}

Description

The **Azure Queue Storage** service stores messages that may be read by any client with access to the storage account. A queue may contain an unlimited number of messages, each of which can be up to 64KB in size when using version 2011-08-18 or newer.

Storage Logging takes place server-side, recording details in the storage account for both successful and failed requests. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: timing information (for example start time, end-to-end latency, and server latency), authentication details, concurrency information, and the size of request and response messages.

Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis. Storage Analytics logging is not enabled by default for your storage account.

Benchmarks

  • CIS AZURE V1.1 3.3, 6.3
  • CIS AZURE V1.3 3.3, 6.3

byte_length = 8
}
# Provision storage account for VM diagnostics
resource "azurerm_storage_account" "myvmstorage" {

MEDIUM   Ensure storage account uses the latest version of TLS encryption
    Resource: module.sonarqubeiaas.azurerm_storage_account.myvmstorage | ID: BC_AZR_STORAGE_2

How to Fix

resource "azurerm_storage_account" "test" {
  ...
+  min_tls_version      = "TLS1_2"
  ...
}

Description

Communication between a client application and an Azure Storage account is encrypted using Transport Layer Security (TLS). TLS is a standard cryptographic protocol that ensures privacy and data integrity between clients and services over the Internet.

Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility.

To follow security best practices and the latest PCI compliance standards, Microsoft recommends enabling the latest version of the TLS protocol (TLS 1.2) for all your Microsoft Azure App Service web applications. The PCI DSS information security standard requires that all websites accepting credit card payments use TLS 1.2 after June 30, 2018.

byte_length = 8
}
# Provision storage account for VM diagnostics
resource "azurerm_storage_account" "myvmstorage" {

LOW   Ensure Azure storage account encryption CMKs are enabled
    Resource: azurerm_storage_account.myvmstorage | ID: BC_AZR_GENERAL_38

How to Fix

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "example" {
  name                = "examplekv"
  location            = "location"
  resource_group_name = "group"
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  purge_protection_enabled = true
}

resource "azurerm_key_vault_key" "example" {
  name         = "tfex-key"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]
}


resource "azurerm_storage_account" "storage_account_good_1" {
  name                     = "examplestor"
  resource_group_name      = "group"
  location                 = "location"
  account_tier             = "Standard"
  account_replication_type = "GRS"

  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_storage_account_customer_managed_key" "managed_key_good" {
  storage_account_id = azurerm_storage_account.storage_account_good_1.id
  key_vault_id       = azurerm_key_vault.example.id
  key_name           = azurerm_key_vault_key.example.name
  key_version = "1"
}

Description

By default, all data at rest in an Azure Storage account is encrypted using Microsoft Managed Keys. It is recommended to use Customer Managed Keys to encrypt data in Azure Storage accounts for better control over Storage account data.

tags = var.tags
}
#Create Network Security Groups
resource "azurerm_network_security_group" "mynsg" {

CRITICAL   Ensure SSH Internet access is restricted
    Resource: module.sonarqubeiaas.azurerm_network_security_group.mynsg | ID: BC_AZR_NETWORKING_3

How to Fix

resource "azurerm_network_security_rule" "example" {
-    access                      = "Allow"
-    protocol                    = "TCP"
-    destination_port_range      = ["22" / <port range including 22>]]
-    source_address_prefix       = "*" / "0.0.0.0" / "<nw>/0" / "/0" / "internet" / "any"
}

Description

A potential security problem using SSH over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network. The attackers could also access and attack networked devices outside of Azure.

We recommend you disable SSH access over the internet to Network Security Groups.

Benchmarks

  • CIS AZURE V1.1 6.2
  • CIS AZURE V1.3 6.2

tags = var.tags
}
#Create NIC
resource "azurerm_network_interface" "mynic" {

LOW   Ensure network interfaces do not use public IPs
    Resource: azurerm_network_interface.mynic | ID: BC_AZR_NETWORKING_36

How to Fix

resource "azurerm_network_interface" "example" {
  name                = "example-nic"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  ip_configuration {
    name                          = "internal"
    subnet_id                     = azurerm_subnet.example.id
    private_ip_address_allocation = "Dynamic"
  }
  ip_configuration {
    name                          = "internal2"
    subnet_id                     = azurerm_subnet.example.id2
    private_ip_address_allocation = "Dynamic"
  }
  enable_ip_forwarding = false
}

Description

TBA

}

tags = var.tags
}

Suggested change
}
allow_extension_operations = false
}
MEDIUM   Ensure Virtual Machine extensions are not installed
    Resource: module.sonarqubeiaas.azurerm_linux_virtual_machine.myvm | ID: BC_AZR_GENERAL_14

Description

Ensure that your Microsoft Azure virtual machines (VMs) do not have extensions installed, in order to follow your organization's security and compliance requirements. Azure virtual machine extensions are small cloud applications that provide post-deployment configuration and automation tasks for virtual machines. These extensions run with administrative privileges and could potentially access any configuration file or piece of data on a virtual machine.

byte_length = 8
}
# Provision storage account for VM diagnostics
resource "azurerm_storage_account" "myvmstorage" {

@bridgecrew bridgecrew bot Sep 27, 2022


MEDIUM   Ensure the storage container storing activity logs is not publicly accessible
    Resource: azurerm_storage_account.myvmstorage | ID: BC_AZR_LOGGING_12

How to Fix

resource "azurerm_storage_container" "ok_container" {
  name                  = "vhds"
  storage_account_name  = azurerm_storage_account.ok_account.name
+ container_access_type = "private"
}

resource "azurerm_storage_account" "ok_account" {
  name                     = "examplesa"
  resource_group_name      = azurerm_resource_group.main.name
  location                 = azurerm_resource_group.main.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
}

resource "azurerm_monitor_activity_log_alert" "ok_monitor_activity_log_alert" {
  name                = "example-activitylogalert"
  resource_group_name = azurerm_resource_group.main.name
  scopes              = [azurerm_resource_group.main.id]
  description         = "This alert will monitor a specific storage account updates."

  criteria {
    resource_id    = azurerm_storage_account.ok_account.id
    operation_name = "Microsoft.Storage/storageAccounts/write"
    category       = "Recommendation"
  }


  action {
    action_group_id = azurerm_monitor_action_group.main.id

    webhook_properties = {
      from = "terraform"
    }
  }
}

Description

The storage account container containing the activity log export should not be publicly accessible. Allowing public access to activity log content may aid an adversary in identifying weaknesses in the affected account's use or configuration. Configuring the container access policy to *private* will remove access from the container for everyone except owners of the storage account. The access policy needs to be set explicitly in order to allow access to other desired users.

Benchmarks

  • CIS AZURE V1.3 5.1.3

🎉   Fixed by commit 836bf7f - [skip_ci] 📝 Add Sonarqube IaaS docs
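The storage-account and NSG findings above (BC_AZR_STORAGE_2, BC_AZR_NETWORKING_15 and BC_AZR_NETWORKING_3) can be reproduced locally before the scanner runs, which is how a reviewer would confirm a fix in this module. This is an added example, not Bridgecrew's or the repository's code; it assumes a constructed sample modelled on the myvmstorage and mynsg resources and uses a naive brace matcher rather than a full HCL parser.

```python
import re

# Constructed sample modelled on the myvmstorage / mynsg resources the
# findings name; values are illustrative, not the PR's actual module.
SAMPLE_TF = '''
resource "azurerm_storage_account" "myvmstorage" {
  account_tier             = "Standard"
  account_replication_type = "LRS"
  min_tls_version          = "TLS1_0"
}
resource "azurerm_network_security_group" "mynsg" {
  security_rule {
    direction              = "Inbound"
    access                 = "Allow"
    destination_port_range = "22"
    source_address_prefix  = "*"
  }
}
'''
BLOCK_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
ATTR_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)

def _blocks(text, opener):
    """Yield (match, body) per block opened by `opener`. Assumption: no
    braces inside string literals (a real HCL parser would handle them)."""
    for m in opener.finditer(text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m, text[m.end():i - 1]

def nested(body, label):
    # bodies of nested blocks such as security_rule { ... }
    return [b for _, b in _blocks(body, re.compile(r"\b" + label + r"\s*\{"))]

def attrs(body):
    # scalar attributes of a block as strings; list values are skipped
    return dict(ATTR_RE.findall(body))

def port_covers(spec, port):
    """True if a destination_port_range ("*", "22", "20-30") includes port."""
    spec = spec.strip()
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi)
    return spec.isdigit() and int(spec) == port

def any_source(prefix):
    """Source prefixes the SSH finding above treats as 'the internet'."""
    p = prefix.strip().lower()
    return p in {"*", "0.0.0.0", "internet", "any"} or p.endswith("/0")

def check(text):
    """Return (resource address, Bridgecrew check id) for each violation."""
    out = []
    for m, body in _blocks(text, BLOCK_RE):
        rtype, rid = m.group(1), f"{m.group(1)}.{m.group(2)}"
        if rtype == "azurerm_storage_account":
            if attrs(body).get("min_tls_version") != "TLS1_2":  # BC_AZR_STORAGE_2
                out.append((rid, "BC_AZR_STORAGE_2"))
            # BC_AZR_NETWORKING_15: inline network_rules must default to Deny
            # (a separate azurerm_storage_account_network_rules resource is
            # not correlated here)
            rules = [attrs(b) for b in nested(body, "network_rules")]
            if not any(r.get("default_action") == "Deny" for r in rules):
                out.append((rid, "BC_AZR_NETWORKING_15"))
        elif rtype == "azurerm_network_security_group":
            # BC_AZR_NETWORKING_3: inbound Allow covering 22 from any source
            for r in (attrs(b) for b in nested(body, "security_rule")):
                if (r.get("direction") == "Inbound" and r.get("access") == "Allow"
                        and port_covers(r.get("destination_port_range", ""), 22)
                        and any_source(r.get("source_address_prefix", ""))):
                    out.append((rid, "BC_AZR_NETWORKING_3"))
    return out
```

Running `check(SAMPLE_TF)` reports all three findings; setting `min_tls_version = "TLS1_2"`, adding a `network_rules` block with `default_action = "Deny"`, and narrowing `source_address_prefix` to a specific range clears them.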

@github-actions

github-actions bot commented Sep 27, 2022

💰 Infracost estimate: monthly cost will increase by €45.82 (+7%) 📈

Project Previous New Diff
ERNI-Academy/asset-iac-terrafor...re/samples/sonarqubeiaassample €0 €45.82 +€45.82
ERNI-Academy/asset-iac-terraform-azure/samples/sonarqubesample €27.51 €0 -€27.51
ERNI-Academy/asset-iac-terrafor...re/samples/sonarqubespaasample €0 €27.51 +€27.51
All projects €698 €744 +€45.82 (+7%)

11 projects have no cost estimate changes.

Infracost output
──────────────────────────────────
Project: ERNI-Academy/asset-iac-terraform-azure/samples/sonarqubeiaassample
Module path: sonarqubeiaassample

+ module.sonarqubeiaas.azurerm_linux_virtual_machine.myvm
  +€42.77

    + Instance usage (pay as you go, Standard_B2s)
      +€36.69

    + os_disk
    
        + Storage (P4)
          +€6.08

+ module.sonarqubeiaas.azurerm_public_ip.myip
  +€3.06

    + IP address (dynamic)
      +€3.06

+ module.sonarqubeiaas.azurerm_storage_account.myvmstorage
  Monthly cost depends on usage

    + Capacity
      Monthly cost depends on usage
        +€0.0205208472 per GB

    + List and create container operations
      Monthly cost depends on usage
        +€0.056537028 per 10k operations

    + Read operations
      Monthly cost depends on usage
        +€0.0045020226 per 10k operations

    + All other operations
      Monthly cost depends on usage
        +€0.0045020226 per 10k operations

    + Blob index
      Monthly cost depends on usage
        +€0.040832298 per 10k tags

Monthly cost change for ERNI-Academy/asset-iac-terraform-azure/samples/sonarqubeiaassample (Module path: sonarqubeiaassample)
Amount:  +€45.82 (EUR) (€0.00 → €45.82)

──────────────────────────────────
Project: ERNI-Academy/asset-iac-terraform-azure/samples/sonarqubesample
Module path: sonarqubesample

- module.sonarqube.azurerm_app_service_plan.plan
  -€27.51

    - Instance usage (B2)
      -€27.51

- module.sonarqube.module.account.azurerm_storage_account.account
  Monthly cost depends on usage

    - Capacity
      Monthly cost depends on usage
        -€0.0205208472 per GB

    - List and create container operations
      Monthly cost depends on usage
        -€0.056537028 per 10k operations

    - Read operations
      Monthly cost depends on usage
        -€0.0045020226 per 10k operations

    - All other operations
      Monthly cost depends on usage
        -€0.0045020226 per 10k operations

    - Blob index
      Monthly cost depends on usage
        -€0.040832298 per 10k tags

- module.sonarqube.module.sonarqube_instances["sonarqube-for-organization-a"].azurerm_sql_database.db
  €0.00

    - Compute (S0)
      €0.00

- module.sonarqube.module.sonarqube_instances["sonarqube-for-organization-b"].azurerm_sql_database.db
  €0.00

    - Compute (S0)
      €0.00

Monthly cost change for ERNI-Academy/asset-iac-terraform-azure/samples/sonarqubesample (Module path: sonarqubesample)
Amount:  -€27.51 (EUR) (€27.51 → €0.00)

──────────────────────────────────
Project: ERNI-Academy/asset-iac-terraform-azure/samples/sonarqubespaasample
Module path: sonarqubespaasample

+ module.sonarqubepaas.azurerm_app_service_plan.plan
  +€27.51

    + Instance usage (B2)
      +€27.51

+ module.sonarqubepaas.module.account.azurerm_storage_account.account
  Monthly cost depends on usage

    + Capacity
      Monthly cost depends on usage
        +€0.0205208472 per GB

    + List and create container operations
      Monthly cost depends on usage
        +€0.056537028 per 10k operations

    + Read operations
      Monthly cost depends on usage
        +€0.0045020226 per 10k operations

    + All other operations
      Monthly cost depends on usage
        +€0.0045020226 per 10k operations

    + Blob index
      Monthly cost depends on usage
        +€0.040832298 per 10k tags

+ module.sonarqubepaas.module.sonarqube_instances["sonarqube-for-organization-a"].azurerm_sql_database.db
  €0.00

    + Compute (S0)
      €0.00

    + Extra data storage
      Monthly cost depends on usage
        €0.00 per GB

    + Long-term retention
      Monthly cost depends on usage
        €0.00 per GB

+ module.sonarqubepaas.module.sonarqube_instances["sonarqube-for-organization-b"].azurerm_sql_database.db
  €0.00

    + Compute (S0)
      €0.00

    + Extra data storage
      Monthly cost depends on usage
        €0.00 per GB

    + Long-term retention
      Monthly cost depends on usage
        €0.00 per GB

Monthly cost change for ERNI-Academy/asset-iac-terraform-azure/samples/sonarqubespaasample (Module path: sonarqubespaasample)
Amount:  +€27.51 (EUR) (€0.00 → €27.51)

──────────────────────────────────

The following projects have no cost estimate changes: ERNI-Academy/asset-iac-terraform-azure/samples/aks (Module path: aks), ERNI-Academy/asset-iac-terraform-azure/samples/aks_with_container_registry (Module path: aks_with_container_registry), ERNI-Academy/asset-iac-terraform-azure/samples/container_registry (Module path: container_registry), ERNI-Academy/asset-iac-terraform-azure/samples/functionsample (Module path: functionsample), ERNI-Academy/asset-iac-terraform-azure/samples/linuxwebappsample (Module path: linuxwebappsample), ERNI-Academy/asset-iac-terraform-azure/samples/servicebussample (Module path: servicebussample), ERNI-Academy/asset-iac-terraform-azure/samples/storage/account (Module path: storage/account), ERNI-Academy/asset-iac-terraform-azure/samples/storage/container (Module path: storage/container), ERNI-Academy/asset-iac-terraform-azure/samples/storage/queue (Module path: storage/queue), ERNI-Academy/asset-iac-terraform-azure/samples/storage/table (Module path: storage/table), ERNI-Academy/asset-iac-terraform-azure/samples/windowswebappsample (Module path: windowswebappsample)
Run the following command to see their breakdown: infracost breakdown --path=/path/to/code

──────────────────────────────────
Key: ~ changed, + added, - removed

24 cloud resources were detected:
∙ 24 were estimated, 21 of which include usage-based costs, see https://infracost.io/usage-file

This comment will be updated when the cost estimate changes.


byte_length = 8
}
# Provision storage account for VM diagnostics
resource "azurerm_storage_account" "myvmstorage" {

Check failure

Code scanning / SonarCloud

Weak SSL/TLS protocols should not be used

Set "min_tls_version" to disable support of older TLS versions. See more on SonarCloud: https://sonarcloud.io/project/issues?id=ERNI-Academy_assets-iac-terraform-azure&issues=AYOBQ7zs5J1H322ZPvYQ&open=AYOBQ7zs5J1H322ZPvYQ&pullRequest=31
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "22"
source_address_prefix = "*"

Check notice

Code scanning / SonarCloud

Administration services access should be restricted to specific IP addresses

Restrict IP addresses authorized to access administration services. See more on SonarCloud: https://sonarcloud.io/project/issues?id=ERNI-Academy_assets-iac-terraform-azure&issues=AYOBQ7zs5J1H322ZPvYM&open=AYOBQ7zs5J1H322ZPvYM&pullRequest=31
@sonarcloud

sonarcloud bot commented Sep 28, 2022

SonarCloud Quality Gate failed.

Bug A 0 Bugs
Vulnerability D 2 Vulnerabilities
Security Hotspot E 9 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information
0.0% Duplication
