feat(terraform): handle public_network_access_enabled for AVD-AZU-0012 #6459

Closed
2 tasks done
nikpivkin opened this issue Apr 5, 2024 · Discussed in #6458 · 2 comments · Fixed by #7601

nikpivkin commented Apr 5, 2024

We need to check if public access to the storage is enabled. By default, storage accounts accept connections from clients on any network. https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#change-the-default-network-access-rule

Discussed in #6458

Originally posted by coin-op April 4, 2024

IDs

avd-azu-0012

Description

When deploying a storage account with public_network_access_enabled = true, trivy config scans of the raw files and of the plan do not pick up that this should not be set.

If you then update the storage account and do a trivy scan of the plan, the issue is picked up because the JSON plan now has the default action of Allow on the network_rules.

Reproduction Steps

1. Create a plan to deploy a storage account with public access enabled
2. Scan the plan and config using trivy (should pass)
3. Deploy the storage account
4. Update the terraform storage account code slightly (e.g. toggle shared_access_key_enabled) and create a new plan 
5. Scan the plan and config using trivy, now it fails with avd-azu-0012

Target

Filesystem

Scanner

Misconfiguration

Target OS

Ubuntu 22.04

Debug Output

```
2024-04-04T16:10:16.5342789Z ##[section]Starting: Trivy Scan Plan
2024-04-04T16:10:16.5346328Z ==============================================================================
2024-04-04T16:10:16.5346437Z Task         : Command line
2024-04-04T16:10:16.5346500Z Description  : Run a command line script using Bash on Linux and macOS and cmd.exe on Windows
2024-04-04T16:10:16.5346611Z Version      : 2.237.1
2024-04-04T16:10:16.5346668Z Author       : Microsoft Corporation
2024-04-04T16:10:16.5346737Z Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/command-line
2024-04-04T16:10:16.5346840Z ==============================================================================
2024-04-04T16:10:16.6985856Z Generating script.
2024-04-04T16:10:16.6998467Z Script contents:
2024-04-04T16:10:16.6999008Z trivy --debug config --trace --exit-code 1 --format template --template "@/usr/local/share/trivy/templates/junit.tpl" -o junit-report-plan.xml  /home/vsts/work/1/s/tfplan_168452_1.tf.json
2024-04-04T16:10:16.6999313Z ========================== Starting Command Output ===========================
2024-04-04T16:10:16.7027186Z [command]/usr/bin/bash --noprofile --norc /home/vsts/work/_temp/c7f3b164-6b0c-4172-bda1-fd09803eabe8.sh
2024-04-04T16:10:17.5038414Z 2024-04-04T16:10:17.502Z	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-04-04T16:10:17.5039015Z 2024-04-04T16:10:17.503Z	DEBUG	cache dir:  /home/vsts/.cache/trivy
2024-04-04T16:10:17.5039420Z 2024-04-04T16:10:17.503Z	INFO	Misconfiguration scanning is enabled
2024-04-04T16:10:17.5039803Z 2024-04-04T16:10:17.503Z	DEBUG	Policies successfully loaded from disk
2024-04-04T16:10:17.5040332Z 2024-04-04T16:10:17.503Z	DEBUG	Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-04-04T16:10:17.5223820Z 2024-04-04T16:10:17.521Z	DEBUG	The nuget packages directory couldn't be found. License search disabled
2024-04-04T16:10:17.5315210Z 2024-04-04T16:10:17.531Z	DEBUG	Walk the file tree rooted at '/home/vsts/work/1/s/tfplan_168452_1.tf.json' in series
2024-04-04T16:10:17.5366672Z 2024-04-04T16:10:17.536Z	DEBUG	Scanning Terraform Plan JSON files for misconfigurations...
2024-04-04T16:10:17.5371235Z 2024-04-04T16:10:17.536Z	DEBUG	[misconf] 10:17.536962000 tfplan.scanner                   Scanning file tfplan_168452_1.tf.json
2024-04-04T16:10:17.5420800Z 2024-04-04T16:10:17.541Z	DEBUG	[misconf] 10:17.541867984 terraform.scanner                Scanning [&{%!s(*memoryfs.dir=&{{{0 0} 0 0 {{} 0} {{} 0}} {. 256 {13941968082179809108 829025709 0xcc430a0} 2147484096 <nil>} map[] map[main.tf:0xc00328d380]})}] at '.'...
2024-04-04T16:10:17.5451104Z 2024-04-04T16:10:17.544Z	DEBUG	[misconf] 10:17.544962875 terraform.scanner.rego           Overriding filesystem for policies!
2024-04-04T16:10:17.6126753Z 2024-04-04T16:10:17.612Z	DEBUG	[misconf] 10:17.612349764 terraform.scanner.rego           Loaded 190 policies from disk.
2024-04-04T16:10:17.6133338Z 2024-04-04T16:10:17.613Z	DEBUG	[misconf] 10:17.613204661 terraform.scanner.rego           Overriding filesystem for data!
2024-04-04T16:10:18.2297457Z 2024-04-04T16:10:18.229Z	DEBUG	[misconf] 10:18.229293035 terraform.parser.<root>          Setting project/module root to '.'
2024-04-04T16:10:18.2298353Z 2024-04-04T16:10:18.229Z	DEBUG	[misconf] 10:18.229460734 terraform.parser.<root>          Parsing FS from '.'
2024-04-04T16:10:18.2298991Z 2024-04-04T16:10:18.229Z	DEBUG	[misconf] 10:18.229476934 terraform.parser.<root>          Parsing 'main.tf'...
2024-04-04T16:10:18.2357802Z 2024-04-04T16:10:18.235Z	DEBUG	[misconf] 10:18.235500615 terraform.parser.<root>          Added file main.tf.
2024-04-04T16:10:18.2378567Z 2024-04-04T16:10:18.237Z	DEBUG	[misconf] 10:18.237655608 terraform.scanner                Scanning root module '.'...
2024-04-04T16:10:18.2379026Z 2024-04-04T16:10:18.237Z	DEBUG	[misconf] 10:18.237678308 terraform.parser.<root>          Setting project/module root to '.'
2024-04-04T16:10:18.2379780Z 2024-04-04T16:10:18.237Z	DEBUG	[misconf] 10:18.237684308 terraform.parser.<root>          Parsing FS from '.'
2024-04-04T16:10:18.2380220Z 2024-04-04T16:10:18.237Z	DEBUG	[misconf] 10:18.237692408 terraform.parser.<root>          Parsing 'main.tf'...
2024-04-04T16:10:18.2432690Z 2024-04-04T16:10:18.243Z	DEBUG	[misconf] 10:18.243107391 terraform.parser.<root>          Added file main.tf.
2024-04-04T16:10:18.2433130Z 2024-04-04T16:10:18.243Z	DEBUG	[misconf] 10:18.243128191 terraform.parser.<root>          Evaluating module...
2024-04-04T16:10:18.2454974Z 2024-04-04T16:10:18.245Z	DEBUG	[misconf] 10:18.245179085 terraform.parser.<root>          Read 20 block(s) and 0 ignore(s) for module 'root' (1 file[s])...
2024-04-04T16:10:18.2455743Z 2024-04-04T16:10:18.245Z	DEBUG	[misconf] 10:18.245221285 terraform.parser.<root>          Added 0 variables from tfvars.
2024-04-04T16:10:18.2456591Z 2024-04-04T16:10:18.245Z	DEBUG	[misconf] 10:18.245232585 terraform.parser.<root>          Error loading module metadata: open .terraform/modules/modules.json: file does not exist.
2024-04-04T16:10:18.2457126Z 2024-04-04T16:10:18.245Z	DEBUG	[misconf] 10:18.245253685 terraform.parser.<root>          Working directory for module evaluation is '/home/vsts/work/1/s'
2024-04-04T16:10:18.2457655Z 2024-04-04T16:10:18.245Z	DEBUG	[misconf] 10:18.245317184 terraform.parser.<root>.evaluator Filesystem key is '7f04da4b288ceace43721b31c72af4a5df9e498c7323899dda469ba8af1bc1b0'
2024-04-04T16:10:18.2458124Z 2024-04-04T16:10:18.245Z	DEBUG	[misconf] 10:18.245323684 terraform.parser.<root>.evaluator Starting module evaluation...
2024-04-04T16:10:18.2480762Z 2024-04-04T16:10:18.247Z	DEBUG	[misconf] 10:18.247904276 terraform.parser.<root>.evaluator Starting submodule evaluation...
2024-04-04T16:10:18.2481233Z 2024-04-04T16:10:18.247Z	DEBUG	[misconf] 10:18.247923876 terraform.parser.<root>.evaluator Finished processing 0 submodule(s).
2024-04-04T16:10:18.2481900Z 2024-04-04T16:10:18.247Z	DEBUG	[misconf] 10:18.247930276 terraform.parser.<root>.evaluator Starting post-submodule evaluation...
2024-04-04T16:10:18.2500077Z 2024-04-04T16:10:18.249Z	DEBUG	[misconf] 10:18.249843270 terraform.parser.<root>.evaluator Module evaluation complete.
2024-04-04T16:10:18.2500759Z 2024-04-04T16:10:18.249Z	DEBUG	[misconf] 10:18.249870470 terraform.parser.<root>          Finished parsing module 'root'.
2024-04-04T16:10:18.2503491Z 2024-04-04T16:10:18.249Z	DEBUG	[misconf] 10:18.249879570 terraform.executor               Adapting modules...
2024-04-04T16:10:18.2506973Z 2024-04-04T16:10:18.249Z	DEBUG	[misconf] 10:18.249991770 terraform.executor               Adapted 1 module(s) into defsec state data.
2024-04-04T16:10:18.2507621Z 2024-04-04T16:10:18.250Z	DEBUG	[misconf] 10:18.250003070 terraform.executor               Using max routines of 1
2024-04-04T16:10:18.2508358Z 2024-04-04T16:10:18.250Z	DEBUG	[misconf] 10:18.250008270 terraform.executor               Applying state modifier functions...
2024-04-04T16:10:18.2508839Z 2024-04-04T16:10:18.250Z	DEBUG	[misconf] 10:18.250212269 terraform.executor               Initialized 486 rule(s).
2024-04-04T16:10:18.2509254Z 2024-04-04T16:10:18.250Z	DEBUG	[misconf] 10:18.250218669 terraform.executor               Created pool with 1 worker(s) to apply rules.
2024-04-04T16:10:18.2509670Z 2024-04-04T16:10:18.250Z	DEBUG	[misconf] 10:18.250523668 terraform.scanner.rego           Scanning 1 inputs...
2024-04-04T16:10:18.2628454Z 2024-04-04T16:10:18.262Z	DEBUG	[misconf] 10:18.262672430 terraform.executor               Finished applying rules.
2024-04-04T16:10:18.2629141Z 2024-04-04T16:10:18.262Z	DEBUG	[misconf] 10:18.262694530 terraform.executor               Applying ignores...
2024-04-04T16:10:18.3070813Z 2024-04-04T16:10:18.306Z	DEBUG	Scanning Terraform files for misconfigurations...
2024-04-04T16:10:18.3071831Z 2024-04-04T16:10:18.306Z	DEBUG	[misconf] 10:18.306768292 terraform.scanner                Scanning [&{%!s(*mapfs.file=&{ [] {. 256 2147484096 {13941968083020669032 1596143809 0xcc430a0} <nil>} {{{0 0} {[] {} 0xc000f59c50} map[tfplan_168452_1.tf.json:0xc001e46008] 0}}}) /home/vsts/work/1/s/}] at '.'...
2024-04-04T16:10:18.3103776Z 2024-04-04T16:10:18.310Z	DEBUG	[misconf] 10:18.310035082 terraform.scanner.rego           Overriding filesystem for policies!
2024-04-04T16:10:18.3724850Z 2024-04-04T16:10:18.372Z	DEBUG	[misconf] 10:18.372147188 terraform.scanner.rego           Loaded 190 policies from disk.
2024-04-04T16:10:18.3726721Z 2024-04-04T16:10:18.372Z	DEBUG	[misconf] 10:18.372556687 terraform.scanner.rego           Overriding filesystem for data!
2024-04-04T16:10:18.9881689Z 2024-04-04T16:10:18.987Z	DEBUG	[misconf] 10:18.987711750 terraform.parser.<root>          Setting project/module root to '.'
2024-04-04T16:10:18.9882446Z 2024-04-04T16:10:18.987Z	DEBUG	[misconf] 10:18.987756950 terraform.parser.<root>          Parsing FS from '.'
2024-04-04T16:10:18.9882975Z 2024-04-04T16:10:18.987Z	DEBUG	[misconf] 10:18.987783950 terraform.parser.<root>          Parsing 'tfplan_168452_1.tf.json'...
2024-04-04T16:10:19.0146141Z 2024-04-04T16:10:19.014Z	DEBUG	[misconf] 10:19.014174971 terraform.parser.<root>          Added file tfplan_168452_1.tf.json.
2024-04-04T16:10:19.0147965Z 2024-04-04T16:10:19.014Z	DEBUG	[misconf] 10:19.014482470 terraform.parser.<root>          Encountered HCL parse error: tfplan_168452_1.tf.json:1,2-18: Extraneous JSON object property; No argument or block type is named "format_version"., and 10 other diagnostic(s)
2024-04-04T16:10:19.0148615Z 2024-04-04T16:10:19.014Z	DEBUG	[misconf] 10:19.014503570 terraform.scanner                Scanning root module '.'...
2024-04-04T16:10:19.0149125Z 2024-04-04T16:10:19.014Z	DEBUG	[misconf] 10:19.014513270 terraform.parser.<root>          Setting project/module root to '.'
2024-04-04T16:10:19.0149926Z 2024-04-04T16:10:19.014Z	DEBUG	[misconf] 10:19.014518470 terraform.parser.<root>          Parsing FS from '.'
2024-04-04T16:10:19.0150424Z 2024-04-04T16:10:19.014Z	DEBUG	[misconf] 10:19.014539370 terraform.parser.<root>          Parsing 'tfplan_168452_1.tf.json'...
2024-04-04T16:10:19.0316865Z 2024-04-04T16:10:19.031Z	DEBUG	[misconf] 10:19.031489820 terraform.parser.<root>          Added file tfplan_168452_1.tf.json.
2024-04-04T16:10:19.0319221Z 2024-04-04T16:10:19.031Z	DEBUG	[misconf] 10:19.031803919 terraform.parser.<root>          Evaluating module...
2024-04-04T16:10:19.0324532Z 2024-04-04T16:10:19.032Z	DEBUG	[misconf] 10:19.032274417 terraform.parser.<root>          Encountered HCL parse error: tfplan_168452_1.tf.json:1,2-18: Extraneous JSON object property; No argument or block type is named "format_version"., and 10 other diagnostic(s)
2024-04-04T16:10:19.0326931Z 2024-04-04T16:10:19.032Z	DEBUG	[misconf] 10:19.032576916 terraform.parser.<root>          Read 0 block(s) and 0 ignore(s) for module 'root' (1 file[s])...
2024-04-04T16:10:19.0329291Z 2024-04-04T16:10:19.032Z	DEBUG	[misconf] 10:19.032823116 terraform.parser.<root>          Added 0 variables from tfvars.
2024-04-04T16:10:19.0331494Z 2024-04-04T16:10:19.033Z	DEBUG	[misconf] 10:19.033036015 terraform.parser.<root>          Error loading module metadata: open .terraform/modules/modules.json: file does not exist.
2024-04-04T16:10:19.0333772Z 2024-04-04T16:10:19.033Z	DEBUG	[misconf] 10:19.033267314 terraform.parser.<root>          Working directory for module evaluation is '/home/vsts/work/1/s'
2024-04-04T16:10:19.0336764Z 2024-04-04T16:10:19.033Z	DEBUG	[misconf] 10:19.033549313 terraform.parser.<root>.evaluator Filesystem key is 'b90d3f837e496248ec76cfb52389133f59104fdda4345737f60c3f60444f4b36'
2024-04-04T16:10:19.0338906Z 2024-04-04T16:10:19.033Z	DEBUG	[misconf] 10:19.033786513 terraform.parser.<root>.evaluator Starting module evaluation...
2024-04-04T16:10:19.0350990Z 2024-04-04T16:10:19.034Z	DEBUG	[misconf] 10:19.034211111 terraform.parser.<root>.evaluator Starting submodule evaluation...
2024-04-04T16:10:19.0352156Z 2024-04-04T16:10:19.034Z	DEBUG	[misconf] 10:19.034328311 terraform.parser.<root>.evaluator Finished processing 0 submodule(s).
2024-04-04T16:10:19.0352831Z 2024-04-04T16:10:19.034Z	DEBUG	[misconf] 10:19.034378011 terraform.parser.<root>.evaluator Starting post-submodule evaluation...
2024-04-04T16:10:19.0353472Z 2024-04-04T16:10:19.034Z	DEBUG	[misconf] 10:19.034431411 terraform.parser.<root>.evaluator Module evaluation complete.
2024-04-04T16:10:19.0354068Z 2024-04-04T16:10:19.034Z	DEBUG	[misconf] 10:19.034468811 terraform.parser.<root>          Finished parsing module 'root'.
2024-04-04T16:10:19.0354567Z 2024-04-04T16:10:19.034Z	DEBUG	[misconf] 10:19.034505811 terraform.executor               Adapting modules...
2024-04-04T16:10:19.0355103Z 2024-04-04T16:10:19.034Z	DEBUG	[misconf] 10:19.034595910 terraform.executor               Adapted 1 module(s) into defsec state data.
2024-04-04T16:10:19.0355597Z 2024-04-04T16:10:19.034Z	DEBUG	[misconf] 10:19.034640110 terraform.executor               Using max routines of 1
2024-04-04T16:10:19.0356746Z 2024-04-04T16:10:19.034Z	DEBUG	[misconf] 10:19.034678810 terraform.executor               Applying state modifier functions...
2024-04-04T16:10:19.0357252Z 2024-04-04T16:10:19.034Z	DEBUG	[misconf] 10:19.034854310 terraform.executor               Initialized 486 rule(s).
2024-04-04T16:10:19.0357766Z 2024-04-04T16:10:19.034Z	DEBUG	[misconf] 10:19.034898409 terraform.executor               Created pool with 1 worker(s) to apply rules.
2024-04-04T16:10:19.0358289Z 2024-04-04T16:10:19.035Z	DEBUG	[misconf] 10:19.035560907 terraform.scanner.rego           Scanning 1 inputs...
2024-04-04T16:10:19.0506192Z 2024-04-04T16:10:19.050Z	DEBUG	[misconf] 10:19.050421263 terraform.executor               Finished applying rules.
2024-04-04T16:10:19.0508580Z 2024-04-04T16:10:19.050Z	DEBUG	[misconf] 10:19.050728262 terraform.executor               Applying ignores...
2024-04-04T16:10:19.0610440Z 2024-04-04T16:10:19.060Z	DEBUG	OS is not detected.
2024-04-04T16:10:19.0612685Z 2024-04-04T16:10:19.061Z	INFO	Detected config files: 2
2024-04-04T16:10:19.0614627Z 2024-04-04T16:10:19.061Z	DEBUG	Scanned config file: .
2024-04-04T16:10:19.0616629Z 2024-04-04T16:10:19.061Z	DEBUG	Scanned config file: main.tf
2024-04-04T16:10:19.0681358Z 
2024-04-04T16:10:19.0731394Z ##[section]Finishing: Trivy Scan Plan
```

Version

0.50.1

Checklist
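The check this issue asks for, written out as an added example in Python over Terraform plan JSON; it is not trivy's own Rego policy or Go adapter. The `planned_values` layout and the `azurerm_storage_account` attribute names (`public_network_access_enabled`, `network_rules.default_action`) are assumed from the provider and plan format, and the plan itself is constructed:

```python
import json

# Constructed plan JSON (not a real plan): the account from step 1 of the
# reproduction (public access enabled, network_rules unknown so the key is
# absent), the step-5 shape (default_action Allow) and two hardened variants.
PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "planned_values": {"root_module": {"resources": [
        {"address": "azurerm_storage_account.open", "type": "azurerm_storage_account",
         "values": {"name": "stopen", "public_network_access_enabled": True}},
        {"address": "azurerm_storage_account.allow_rule", "type": "azurerm_storage_account",
         "values": {"name": "stallow", "public_network_access_enabled": True,
                    "network_rules": [{"default_action": "Allow"}]}},
        {"address": "azurerm_storage_account.deny_rule", "type": "azurerm_storage_account",
         "values": {"name": "stdeny", "public_network_access_enabled": True,
                    "network_rules": [{"default_action": "Deny"}]}},
        {"address": "azurerm_storage_account.private", "type": "azurerm_storage_account",
         "values": {"name": "stprivate", "public_network_access_enabled": False,
                    "network_rules": [{"default_action": "Allow"}]}},
    ]}},
})


def storage_accounts(plan: dict):
    """Yield (address, values) for every planned azurerm_storage_account,
    walking child modules as well as the root module."""
    stack = [plan.get("planned_values", {}).get("root_module", {})]
    while stack:
        module = stack.pop()
        for res in module.get("resources", []):
            if res.get("type") == "azurerm_storage_account":
                yield res["address"], res.get("values", {})
        stack.extend(module.get("child_modules", []))


def allows_public_access(values: dict) -> bool:
    """True when the account accepts traffic from any network.
    public_network_access_enabled = false closes the account regardless of
    network_rules; otherwise a missing network_rules block is treated like the
    Azure default of default_action = "Allow" (the gap the issue describes)."""
    if values.get("public_network_access_enabled", True) is False:
        return False
    rules = values.get("network_rules") or []
    default_action = rules[0].get("default_action", "Allow") if rules else "Allow"
    return default_action.lower() == "allow"


def check_plan(plan_json: str) -> list[str]:
    """Return the addresses of storage accounts that would fail AVD-AZU-0012."""
    plan = json.loads(plan_json)
    return [addr for addr, vals in storage_accounts(plan) if allows_public_access(vals)]


if __name__ == "__main__":
    for addr in check_plan(PLAN_JSON):
        print(f"AVD-AZU-0012: {addr} allows public network access")
```

Run against the constructed plan it flags the step-1 account (no network_rules yet) as well as the step-5 account, which is the consistency the issue asks for; the account with `public_network_access_enabled = false` passes even though its rule block says Allow.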

nikpivkin added the scan/misconfiguration label Apr 5, 2024
nikpivkin changed the title from "avd-azu-0012 not being picked up on Azure Storage Account until after deployment" to "feat(terraform): handle public_network_access_enabled for AVD-AZU-0012" Apr 5, 2024

simar7 commented Apr 5, 2024

@nikpivkin could you add the action items needed to be performed to close this issue in the description?

simar7 added the kind/feature label Apr 5, 2024
nikpivkin (Contributor, Author) commented

@simar7 Done
