False Positive for accurics.azure.NS.161 when Security Group Associations and Subnets are defined independently from VNet #391

Closed
RafaAguilar opened this issue Nov 17, 2020 · 2 comments

@RafaAguilar
  • terrascan version: v1.1.0
  • Operating System: Linux / Mac

Description

Declaring an Azure VNet with its subnets declared independently does not detect the security group associations when they are configured as a separate resource, raising a false positive for accurics.azure.NS.161.

What I Did

Full Network description

data "azurerm_resource_group" "main" {
  name = var.resource_group_name
}

resource "azurerm_network_security_group" "test-sg" {
  name                = "test-sg"
  location            = data.azurerm_resource_group.main.location
  resource_group_name = var.resource_group_name
}

resource "azurerm_subnet_network_security_group_association" "test-sg-resources" {
  subnet_id                 = azurerm_subnet.test-resources.id
  network_security_group_id = azurerm_network_security_group.test-sg.id
}

resource "azurerm_subnet_network_security_group_association" "test-sg-default" {
  subnet_id                 = azurerm_subnet.test-default.id
  network_security_group_id = azurerm_network_security_group.test-sg.id
}

resource "azurerm_virtual_network" "test-vnet" {
  name                = var.virtual_network_name
  location            = data.azurerm_resource_group.main.location
  resource_group_name = var.resource_group_name
  address_space       = ["10.0.0.0/16"] # address_space is a list of CIDRs

  tags = var.tags
}

resource "azurerm_subnet" "test-resources" {
  name                 = "test-resources"
  virtual_network_name = azurerm_virtual_network.test-vnet.name
  resource_group_name  = var.resource_group_name
  address_prefixes     = ["10.0.64.0/18"] # address_prefixes is a list of CIDRs
}

resource "azurerm_subnet" "test-default" {
  name                 = "test-default"
  virtual_network_name = azurerm_virtual_network.test-vnet.name
  resource_group_name  = var.resource_group_name
  address_prefixes     = ["10.0.0.0/25"]
}

Running Terrascan:

$ terrascan scan -t azure
results:
  violations:
  - rule_name: reme_noSecurityGroupAssociated
    description: Ensure that Azure Virtual Network subnet is configured with a Network Security Group
    rule_id: accurics.azure.NS.161
    severity: MEDIUM
    category: Network Security
    resource_name: test-vnet
    resource_type: ...
    file: ../../modules/TEST/network.tf
    line: 17
  count:
    low: 0
    medium: 1
    high: 0
    total: 1

Expected behavior

It should not fail, i.e. it should detect the Security Group Association at azurerm_network_security_group.test-sg and azurerm_network_security_group.test-sg-resources.
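The gap this issue describes is a policy that only looks for an NSG on the inline `subnet` block of `azurerm_virtual_network` and never consults the standalone `azurerm_subnet_network_security_group_association` resource. The following is an added example, not terrascan's own code (its policies are Rego, not Python): a small Python model of the NS.161 check that accepts both attachment styles. The input format is an assumption made for the example (a list of dicts with `type`, `name` and `config`, with unresolved references kept as the strings Terraform prints, such as `azurerm_subnet.test-default.id`), and `ISSUE_RESOURCES` is a constructed mirror of the configuration in this issue.

```python
"""
Added example (not terrascan's own code).

Models the check behind accurics.azure.NS.161 ("subnet must have a Network
Security Group") so that it recognises both ways the azurerm provider can
attach an NSG to a subnet:
  1. the inline `security_group` attribute of a `subnet` block inside
     azurerm_virtual_network, and
  2. a standalone azurerm_subnet_network_security_group_association whose
     subnet_id is a reference (azurerm_subnet.<name>.id) or a literal Azure
     resource ID (.../virtualNetworks/<vnet>/subnets/<name>).
Input format is an assumption of this example: dicts with type/name/config,
unresolved references kept as strings ("var.tags", "azurerm_subnet.x.id").
"""
import re

SUBNET_REF = re.compile(r"^azurerm_subnet\.([\w-]+)\.id$")
VNET_NAME_REF = re.compile(r"^azurerm_virtual_network\.([\w-]+)\.name$")
SUBNET_ID = re.compile(r"/virtualNetworks/([^/]+)/subnets/([^/]+)$", re.IGNORECASE)
REF_PREFIX = re.compile(r"^(var|local|data|module|azurerm_[a-z_]+)\.")


def _literal(value):
    """A string that is a real value, not a reference; None otherwise."""
    return value if isinstance(value, str) and not REF_PREFIX.match(value) else None


def _vnet_name(value, vnets):
    """Resolve a vnet name given literally or as azurerm_virtual_network.<n>.name."""
    m = VNET_NAME_REF.match(value or "")
    return _literal(vnets.get(m.group(1), {}).get("name")) if m else _literal(value)


def _resolve_subnet(subnet_id, subnets):
    """Set of subnet addresses an association's subnet_id points at (may be empty)."""
    m = SUBNET_REF.match(subnet_id)
    if m:
        addr = f"azurerm_subnet.{m.group(1)}"
        return {addr} if addr in subnets else set()
    m = SUBNET_ID.search(subnet_id)
    if not m:
        return set()  # unresolvable reference: do not count it as protection
    vnet, name = m.group(1).lower(), m.group(2).lower()
    return {addr for addr, (v, n) in subnets.items()
            if n is not None and n.lower() == name
            and (v is None or v.lower() == vnet)}


def find_unprotected_subnets(resources):
    """Return sorted addresses of subnets that have no NSG by either mechanism."""
    vnets = {r["name"]: r.get("config", {})
             for r in resources if r["type"] == "azurerm_virtual_network"}
    subnets = {}      # address -> (vnet name or None, subnet name or None)
    protected = set()

    for r in resources:
        cfg = r.get("config", {})
        if r["type"] == "azurerm_virtual_network":
            for blk in cfg.get("subnet", []):        # inline subnet blocks
                addr = f"azurerm_virtual_network.{r['name']}.subnet[{blk['name']}]"
                subnets[addr] = (_literal(cfg.get("name")), blk["name"])
                if blk.get("security_group"):
                    protected.add(addr)
        elif r["type"] == "azurerm_subnet":          # standalone subnets
            subnets[f"azurerm_subnet.{r['name']}"] = (
                _vnet_name(cfg.get("virtual_network_name"), vnets),
                _literal(cfg.get("name")))

    for r in resources:
        if r["type"] != "azurerm_subnet_network_security_group_association":
            continue
        cfg = r.get("config", {})
        if not cfg.get("network_security_group_id"):
            continue  # an association with no NSG protects nothing
        protected.update(_resolve_subnet(cfg.get("subnet_id", ""), subnets))

    return sorted(a for a in subnets if a not in protected)


# Constructed input mirroring the configuration in this issue.
ISSUE_RESOURCES = [
    {"type": "azurerm_network_security_group", "name": "test-sg",
     "config": {"name": "test-sg"}},
    {"type": "azurerm_subnet_network_security_group_association",
     "name": "test-sg-resources",
     "config": {"subnet_id": "azurerm_subnet.test-resources.id",
                "network_security_group_id": "azurerm_network_security_group.test-sg.id"}},
    {"type": "azurerm_subnet_network_security_group_association",
     "name": "test-sg-default",
     "config": {"subnet_id": "azurerm_subnet.test-default.id",
                "network_security_group_id": "azurerm_network_security_group.test-sg.id"}},
    {"type": "azurerm_virtual_network", "name": "test-vnet",
     "config": {"name": "var.virtual_network_name", "address_space": ["10.0.0.0/16"]}},
    {"type": "azurerm_subnet", "name": "test-resources",
     "config": {"name": "test-resources",
                "virtual_network_name": "azurerm_virtual_network.test-vnet.name"}},
    {"type": "azurerm_subnet", "name": "test-default",
     "config": {"name": "test-default",
                "virtual_network_name": "azurerm_virtual_network.test-vnet.name"}},
]

if __name__ == "__main__":
    print(find_unprotected_subnets(ISSUE_RESOURCES))  # [] : no false positive
```

Two design points worth noting: an association whose `subnet_id` cannot be resolved to a known subnet protects nothing, so a dangling or misspelled reference is still flagged rather than silently accepted; and an association whose `network_security_group_id` is empty is ignored for the same reason. When the vnet name is only known through a `var.`, the literal-ID match falls back to the subnet name alone, which is the conservative choice for a static scan that cannot see resolved values.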

@alex-3sr

Hi,

Yes, just confirmed this point today, we have exactly the same issue when using separate vnet/subnet resources.
And we don't plan to merge the vnet/subnet resources, because we would lose many features and flexibility.

Regards
Alexandre

@cesar-rodriguez (Contributor)

Fixed by #526
