avd-azu-0012 not being picked up on Azure Storage Account until after deployment #6458
cc @nikpivkin
Hi, @coin-op! Can you provide an example of your Terraform configuration (and the plan JSON you scanned)?
Hi @nikpivkin The terraform resource for the storage account resource "azurerm_storage_account" "resource" {
# Reporter's reproduction case for avd-azu-0012 (storage account network_rules
# default action should be "Deny"). Security-relevant settings as written:
# public network access is on, there is NO network_rules block, nested items may
# opt into anonymous public access, and shared-key authentication is enabled.
name = "someuniquename"
resource_group_name = "someexistingresourcegroup"
location = "westeurope"
account_kind = "StorageV2"
account_tier = "Standard"
account_replication_type = "LRS"
cross_tenant_replication_enabled = false
access_tier = "Hot"
enable_https_traffic_only = true
min_tls_version = "TLS1_2"
# NOTE(review): true lets containers/blobs in this account be set to anonymous
# public access — confirm this is intended and not a default carried over.
allow_nested_items_to_be_public = true
# NOTE(review): account-key (shared key) auth stays enabled and
# default_to_oauth_authentication is false below, so callers will keep using the
# account keys rather than Entra ID unless they opt in.
shared_access_key_enabled = true
# Public network access is enabled and no network_rules block is declared, so the
# Azure platform applies its own default of default_action = "Allow" (with
# bypass = ["AzureServices"]) — visible in the post-deployment plan once the
# provider reads it back from state. Because nothing is written here, the config
# scan has no network_rules attribute to match, which is why avd-azu-0012 only
# fires on the second plan. To close the exposure and make it visible to the
# scanner, declare network_rules explicitly, e.g.
#   network_rules { default_action = "Deny"  bypass = ["AzureServices"] }
# plus the ip_rules / virtual_network_subnet_ids that genuinely need access,
# or set public_network_access_enabled = false and use private endpoints.
**public_network_access_enabled = true**
default_to_oauth_authentication = false
is_hns_enabled = false
nfsv3_enabled = false
large_file_share_enabled = false
infrastructure_encryption_enabled = true
blob_properties {
versioning_enabled = true
delete_retention_policy {
days = 7
}
container_delete_retention_policy {
days = 7
}
}
routing {
publish_internet_endpoints = false
publish_microsoft_endpoints = true
choice = "MicrosoftRouting"
}
# No network_rules block: the account is reachable from any network until one is
# added (see the comment above public_network_access_enabled).
} I have just extracted the terraforrm plan (json) section for the storage account. This is it prior to the deployment with {
"address": "module.TEST_MODULE.azurerm_storage_account.resource",
"mode": "managed",
"type": "azurerm_storage_account",
"name": "resource",
"provider_config_key": "azurerm",
"expressions": {
"access_tier": { "constant_value": "Hot" },
"account_kind": { "constant_value": "StorageV2" },
"account_replication_type": { "constant_value": "LRS" },
"account_tier": { "constant_value": "Standard" },
"allow_nested_items_to_be_public": { "constant_value": true },
"blob_properties": [
{
"container_delete_retention_policy": [
{ "days": { "constant_value": 7 } }
],
"delete_retention_policy": [
{ "days": { "constant_value": 7 } }
],
"versioning_enabled": { "constant_value": true }
}
],
"cross_tenant_replication_enabled": { "constant_value": false },
"default_to_oauth_authentication": { "constant_value": false },
"enable_https_traffic_only": { "constant_value": true },
"infrastructure_encryption_enabled": { "constant_value": true },
"is_hns_enabled": { "constant_value": false },
"large_file_share_enabled": { "constant_value": false },
"location": {
"references": ["local.config.location", "local.config"]
},
"min_tls_version": { "constant_value": "TLS1_2" },
"name": {
"references": [
"azurecaf_name.generator_storage_account.result",
"azurecaf_name.generator_storage_account"
]
},
"nfsv3_enabled": { "constant_value": false },
"**public_network_access_enabled**": { "constant_value": **true** },
"resource_group_name": {
"references": [
"module.TEST_MODULE.name",
"module.TEST_MODULE"
]
},
"routing": [
{
"choice": { "constant_value": "MicrosoftRouting" },
"publish_internet_endpoints": { "constant_value": false },
"publish_microsoft_endpoints": { "constant_value": true }
}
],
"shared_access_key_enabled": { "constant_value": true },
"tags": {
"references": [
"module.TEST_MODULE.default_tags",
"module.TEST_MODULE"
]
}
},
"schema_version": 4
} Once that has been deployed, a minor tweak produces the terraform plan (json) below; again I have extracted only the storage account block. Because terraform has now refreshed the resource's current state, the plan contains the `network_rules` block that the Azure platform applied by default — with `default_action = "Allow"` — and that is what makes avd-azu-0012 fire. The config never declared it, so the exposure existed from the first deployment; the scan just could not see it until the provider read it back. (Identifiers and secrets appear to have been redacted as `DEPRECATED`; note that this plan JSON carries the account access keys and connection strings in plaintext, so it should never be shared unredacted.) {
"address": "module.TEST_MODULE.azurerm_storage_account.resource",
"mode": "managed",
"type": "azurerm_storage_account",
"name": "resource",
"provider_name": "registry.terraform.io/hashicorp/azurerm",
"schema_version": 4,
"values": {
"access_tier": "Hot",
"account_kind": "StorageV2",
"account_replication_type": "LRS",
"account_tier": "Standard",
"allow_nested_items_to_be_public": true,
"allowed_copy_scope": "",
"azure_files_authentication": [],
"blob_properties": [
{
"change_feed_enabled": false,
"change_feed_retention_in_days": 0,
"container_delete_retention_policy": [{ "days": 7 }],
"cors_rule": [],
"default_service_version": "",
"delete_retention_policy": [{ "days": 7 }],
"last_access_time_enabled": false,
"restore_policy": [],
"versioning_enabled": true
}
],
"cross_tenant_replication_enabled": false,
"custom_domain": [],
"customer_managed_key": [],
"default_to_oauth_authentication": false,
"dns_endpoint_type": "Standard",
"edge_zone": "",
"enable_https_traffic_only": true,
"id": "DEPRECATED",
"identity": [],
"immutability_policy": [],
"infrastructure_encryption_enabled": true,
"is_hns_enabled": false,
"large_file_share_enabled": false,
"local_user_enabled": true,
"location": "westeurope",
"min_tls_version": "TLS1_2",
"name": "DEPRECATED",
"network_rules": [
{
"bypass": ["AzureServices"],
**"default_action": "Allow",**
"ip_rules": [],
"private_link_access": [
{
"endpoint_resource_id": "DEPRECATED",
"endpoint_tenant_id": "DEPRECATED"
}
],
"virtual_network_subnet_ids": []
}
],
"nfsv3_enabled": false,
"primary_access_key": "DEPRECATED",
"primary_blob_connection_string": "DEPRECATED",
"primary_blob_endpoint": "DEPRECATED",
"primary_blob_host": "DEPRECATED",
"primary_blob_internet_endpoint": "",
"primary_blob_internet_host": "",
"primary_blob_microsoft_endpoint": "DEPRECATED",
"primary_blob_microsoft_host": "DEPRECATED",
"primary_connection_string": "DEPRECATED",
"primary_dfs_endpoint": "DEPRECATED",
"primary_dfs_host": "DEPRECATED",
"primary_dfs_internet_endpoint": "",
"primary_dfs_internet_host": "",
"primary_dfs_microsoft_endpoint": "DEPRECATED",
"primary_dfs_microsoft_host": "DEPRECATED",
"primary_file_endpoint": "DEPRECATED",
"primary_file_host": "DEPRECATED",
"primary_file_internet_endpoint": "",
"primary_file_internet_host": "",
"primary_file_microsoft_endpoint": "DEPRECATED",
"primary_file_microsoft_host": "DEPRECATED",
"primary_location": "westeurope",
"primary_queue_endpoint": "DEPRECATED",
"primary_queue_host": "DEPRECATED",
"primary_queue_microsoft_endpoint": "DEPRECATED",
"primary_queue_microsoft_host": "DEPRECATED",
"primary_table_endpoint": "DEPRECATED",
"primary_table_host":"DEPRECATED",
"primary_table_microsoft_endpoint": "DEPRECATED",
"primary_table_microsoft_host": "DEPRECATED",
"primary_web_endpoint":"DEPRECATED",
"primary_web_host": "DEPRECATED",
"primary_web_internet_endpoint": "",
"primary_web_internet_host": "",
"primary_web_microsoft_endpoint": "DEPRECATED",
"primary_web_microsoft_host": "DEPRECATED",
"**public_network_access_enabled**": **true**,
"queue_encryption_key_type": "Service",
"queue_properties": [
{
"cors_rule": [],
"hour_metrics": [
{
"enabled": true,
"include_apis": true,
"retention_policy_days": 7,
"version": "1.0"
}
],
"logging": [
{
"delete": false,
"read": false,
"retention_policy_days": 0,
"version": "1.0",
"write": false
}
],
"minute_metrics": [
{
"enabled": false,
"include_apis": false,
"retention_policy_days": 0,
"version": "1.0"
}
]
}
],
"resource_group_name": "DEPRECATED",
"routing": [
{
"choice": "MicrosoftRouting",
"publish_internet_endpoints": false,
"publish_microsoft_endpoints": true
}
],
"sas_policy": [],
"secondary_access_key": "DEPRECATED",
"secondary_blob_connection_string": "",
"secondary_blob_endpoint": null,
"secondary_blob_host": null,
"secondary_blob_internet_endpoint": null,
"secondary_blob_internet_host": null,
"secondary_blob_microsoft_endpoint": null,
"secondary_blob_microsoft_host": null,
"secondary_connection_string": "DEPRECATED",
"secondary_dfs_endpoint": null,
"secondary_dfs_host": null,
"secondary_dfs_internet_endpoint": null,
"secondary_dfs_internet_host": null,
"secondary_dfs_microsoft_endpoint": null,
"secondary_dfs_microsoft_host": null,
"secondary_file_endpoint": null,
"secondary_file_host": null,
"secondary_file_internet_endpoint": null,
"secondary_file_internet_host": null,
"secondary_file_microsoft_endpoint": null,
"secondary_file_microsoft_host": null,
"secondary_location": "",
"secondary_queue_endpoint": null,
"secondary_queue_host": null,
"secondary_queue_microsoft_endpoint": null,
"secondary_queue_microsoft_host": null,
"secondary_table_endpoint": null,
"secondary_table_host": null,
"secondary_table_microsoft_endpoint": null,
"secondary_table_microsoft_host": null,
"secondary_web_endpoint": null,
"secondary_web_host": null,
"secondary_web_internet_endpoint": null,
"secondary_web_internet_host": null,
"secondary_web_microsoft_endpoint": null,
"secondary_web_microsoft_host": null,
"sftp_enabled": false,
"share_properties": [
{
"cors_rule": [],
"retention_policy": [{ "days": 7 }],
"smb": []
}
],
"shared_access_key_enabled": true,
"static_website": [],
"table_encryption_key_type": "Service",
"tags": {
"ManagedBy": "Terraform"
},
"timeouts": null
},
"sensitive_values": {
"azure_files_authentication": [],
"blob_properties": [
{
"container_delete_retention_policy": [{}],
"cors_rule": [],
"delete_retention_policy": [{}],
"restore_policy": []
}
],
"custom_domain": [],
"customer_managed_key": [],
"identity": [],
"immutability_policy": [],
"network_rules": [
{
"bypass": [false],
"ip_rules": [],
"private_link_access": [{}],
"virtual_network_subnet_ids": []
}
],
"queue_properties": [
{
"cors_rule": [],
"hour_metrics": [{}],
"logging": [{}],
"minute_metrics": [{}]
}
],
"routing": [{}],
"sas_policy": [],
"share_properties": [
{ "cors_rule": [], "retention_policy": [{}], "smb": [] }
],
"static_website": [],
"tags": {}
}
}
Track #6459
IDs
avd-azu-0012
Description
When deploying a storage account with `public_network_access_enabled = true` and no `network_rules` block, `trivy config` on the raw Terraform files and on the plan JSON does not report that the network default action should be `Deny`. The check only fires after the account exists: a subsequent plan refreshes state, the plan JSON then contains `network_rules` with the platform default `default_action = "Allow"`, and the scan picks it up. The misconfiguration is present from the first deployment — the scanner simply has nothing to match until the provider reads the default back, so the pre-deployment scan gives a false sense of safety.
Reproduction Steps
Target
Filesystem
Scanner
Misconfiguration
Target OS
Ubuntu 22.04
Debug Output
Version
Checklist
- Ran the scan with `-f json`, which shows the data sources, and confirmed that the security advisory in the data sources was correct