
Fix AC_AZURE_0185 policy #858

Merged (1 commit, Jun 14, 2021)

Conversation

maxgio92 (Contributor) commented Jun 11, 2021

This PR should fix the Rego policy for Azure Container Registry which ensures the presence of an Azure Management Lock on that resource (AC_AZURE_0185).

In particular, it adds a case that should also be accepted.

This Rego expression evaluates to true when the azurerm_management_lock resource has the correct scope field value.
In particular, this is relevant for the validation of the HCL code.

The scope value can be a Terraform attribute reference expression that references the id attribute of the azurerm_container_registry resource to be locked.

So, for example:

resource "azurerm_container_registry" "foo" {
  name = "foo"
  # ...
}

resource "azurerm_management_lock" "bar" {
  name = "bar"
  scope      = azurerm_container_registry.foo.id
  lock_level = "CanNotDelete"
}

Without this new Rego expression, the only accepted HCL code is when the azurerm_management_lock resource name field is equal to a string composed like this: "<resource_to_lock_type>.<resource_to_lock_name>". For example:

resource "azurerm_container_registry" "foo" {
  name = "foo"
  # [...]
}

resource "azurerm_management_lock" "bar" {
  name       = "azurerm_container_registry.foo" # Only accepted value
  scope      = azurerm_container_registry.foo.id
  lock_level = "CanNotDelete"
}

This shouldn't add a regression, as the scope value always has to match the resource name of the registry from the Rego input.

Furthermore, this is pretty similar to what is declared for Resource Group locking.

What do you think?
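To illustrate the two accepted cases described above, here is an added Rego policy (not terrascan's own AC_AZURE_0185 code). It assumes a constructed input shape where each resource is listed under its Terraform type with an `id` of the form `<type>.<name>` and its attributes under `config`, and that an unresolved HCL reference such as `azurerm_container_registry.foo.id` reaches the policy as that literal string.

```rego
package example.acr_lock

# Assumed input shape (constructed, not terrascan's exact schema):
#
# input.azurerm_container_registry[_] = {
#   "id": "azurerm_container_registry.foo",
#   "config": {"name": "foo"}
# }
# input.azurerm_management_lock[_] = {
#   "id": "azurerm_management_lock.bar",
#   "config": {
#     "name": "bar",
#     "scope": "azurerm_container_registry.foo.id",
#     "lock_level": "CanNotDelete"
#   }
# }

# Case 1 (pre-existing behaviour): the lock's name is the
# "<type>.<name>" string of the registry it protects.
registry_locked(registry) {
    lock := input.azurerm_management_lock[_]
    lock.config.name == registry.id
}

# Case 2 (added by this PR): the lock's scope is an attribute
# reference to the registry's id, i.e. "<type>.<name>.id".
registry_locked(registry) {
    lock := input.azurerm_management_lock[_]
    lock.config.scope == sprintf("%s.id", [registry.id])
}

# Violation set: every container registry with no matching lock.
# An empty set means every registry in the input is locked.
unlocked_registry[registry.id] {
    registry := input.azurerm_container_registry[_]
    not registry_locked(registry)
}
```

With the constructed input above, `data.example.acr_lock.unlocked_registry` is empty; removing the lock or changing its scope to another resource's id puts `azurerm_container_registry.foo` in the set.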

…egistryresourcelock.rego): check correct fields

check that the azurerm_management_lock has the correct scope by
checking that it is scoped to the correct terraform resource id.

Signed-off-by: maxgio92 <[email protected]>
sonarcloud bot commented Jun 11, 2021

Kudos, SonarCloud Quality Gate passed!

Bug: A (0 Bugs)
Vulnerability: A (0 Vulnerabilities)
Security Hotspot: A (0 Security Hotspots)
Code Smell: A (0 Code Smells)

No Coverage information
No Duplication information

codecov bot commented Jun 11, 2021

Codecov Report

Merging #858 (9725339) into master (617ef74) will not change coverage.
The diff coverage is n/a.


@@           Coverage Diff           @@
##           master     #858   +/-   ##
=======================================
  Coverage   78.29%   78.29%           
=======================================
  Files         164      164           
  Lines        4359     4359           
=======================================
  Hits         3413     3413           
  Misses        730      730           
  Partials      216      216           

harkirat22 (Contributor) left a comment

Thanks @maxgio92 for your contribution. These changes LGTM

@harkirat22 harkirat22 merged commit 2ca5eb1 into tenable:master Jun 14, 2021