Add Terraform configurations for Azure resources and update CI/CD workflows #36

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Apr 22, 2025
13 changes: 11 additions & 2 deletions .github/workflows/DAST-ZAP-Zed-Attach-Proxy-Checkmarx.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@

permissions:
contents: read
issues: write # to create issues for alerts
#issues: write # to create issues for alerts

jobs:
zap_scan:
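Review bot: `issues: write` is left behind as a commented-out line (`#issues: write`) instead of being removed; commented-out permissions tend to be uncommented later without review, so delete the line. Since the second hunk sets `allow_issue_writing: false`, the workflow no longer needs issue access and the reduced token scope is the right direction.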
Expand All @@ -49,5 +49,14 @@
uses: zaproxy/action-full-scan@v0.12.0
id: zap
with:
allow_issue_writing: true
allow_issue_writing: false
target: "${{ env.ZAP_TARGET }}"
# - name: ZAP Scan
# uses: zaproxy/action-baseline@v0.4.0
# with:
# target: "${{ env.ZAP_TARGET }}"
- uses: SvanBoxel/zaproxy-to-ghas@main

Check warning

Code scanning / CodeQL

Unpinned tag for a non-immutable Action in workflow Medium

Unpinned 3rd party Action 'DAST - Zed Attack Proxy (ZAP) Full Scan' step
Uses Step
uses 'SvanBoxel/zaproxy-to-ghas' with ref 'main', not a pinned commit hash
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
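Review bot: `- uses: SvanBoxel/zaproxy-to-ghas@main` references a mutable branch, so whatever is pushed to that repository's `main` runs here with this workflow's token and shapes the SARIF that reaches the Security tab; pin it to a full commit SHA with the tag or branch in a trailing comment, as the CodeQL annotation on this line recommends, and let Dependabot bump it. The commented-out `action-baseline@v0.4.0` step is dead configuration and should be removed rather than kept. Also confirm the permissions block grants `security-events: write`, which `github/codeql-action/upload-sarif@v3` requires; only `contents: read` is visible in the first hunk of this file.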
36 changes: 36 additions & 0 deletions .github/workflows/IACS-AquaSecurity-tfsec.yml
@@ -0,0 +1,36 @@
# https://github.com/aquasecurity/tfsec
# https://github.com/aquasecurity/tfsec-sarif-action

name: IaC Scanning (Terraform) with Aqua Security tfsec

on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: '15 03 * * 5'

permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status

jobs:
tfsec-scan:
name: Run tfsec sarif report
runs-on: ubuntu-latest

steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Run tfsec
uses: aquasecurity/tfsec-sarif-action@v0.1.0

Check warning

Code scanning / CodeQL

Unpinned tag for a non-immutable Action in workflow Medium

Unpinned 3rd party Action 'IaC Scanning (Terraform) with Aqua Security tfsec' step
Uses Step
uses 'aquasecurity/tfsec-sarif-action' with ref 'v0.1.0', not a pinned commit hash
with:
sarif_file: tfsec.sarif

- name: Upload SARIF file to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: tfsec.sarif
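Review bot: `aquasecurity/tfsec-sarif-action@v0.1.0` is a tag, not a commit hash; tags can be moved, so pin the step to the full SHA (keeping `v0.1.0` in a comment) as the CodeQL annotation flags. The permissions block is otherwise correctly minimal for a checkout-and-upload-SARIF job. Consider adding `workflow_dispatch` to the `on:` triggers so the scan can be re-run on demand without waiting for the Friday cron.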
56 changes: 56 additions & 0 deletions .github/workflows/IACS-Checkmarx-kics.yml
@@ -0,0 +1,56 @@
# https://github.com/Checkmarx/kics
# https://github.com/Checkmarx/kics/blob/master/docs/integrations_ghactions.md
# https://github.com/Checkmarx/kics-github-action

name: IaC Scanning with Checkmarx KICS

on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: '15 03 * * 5'

permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status

jobs:
kics-scan:
name: Run KICS scan
runs-on: ubuntu-latest

steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Mkdir results-dir
# make sure results dir is created
run: mkdir -p results-dir

- name: Run kics Scan
uses: checkmarx/kics-github-action@v2.1.7

Check warning

Code scanning / CodeQL

Unpinned tag for a non-immutable Action in workflow Medium

Unpinned 3rd party Action 'IaC Scanning with Checkmarx KICS' step
Uses Step
uses 'checkmarx/kics-github-action' with ref 'v2.1.7', not a pinned commit hash
with:
path: 'terraform'
# when provided with a directory on output_path
# it will generate the specified reports file named 'results.{extension}'
# in this example it will generate:
# - results-dir/results.json
# - results-dir/results.sarif
ignore_on_exit: results
output_path: results-dir
platform_type: terraform
output_formats: 'json,sarif'
enable_comments: true

- name: Show results
run: |
cat results-dir/results.sarif
cat results-dir/results.json

- name: Upload SARIF file to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results-dir/results.sarif
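Review bot: `enable_comments: true` makes the KICS action post findings as pull request comments, which needs `pull-requests: write`; the permissions block grants only `contents: read`, `security-events: write` and `actions: read`, so either add that permission or set `enable_comments: false` (the SARIF upload already surfaces results in the Security tab). `ignore_on_exit: results` means findings never fail the job; that suits a report-only rollout, but say so in the PR description so a green check is not read as a clean scan. Pin `checkmarx/kics-github-action@v2.1.7` to a commit SHA as the CodeQL annotation flags. The `Show results` step `cat`s both `results.sarif` and `results.json` into the job log, which is noisy and duplicates the upload; dropping it or keeping only the JSON is sufficient.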
Original file line number Diff line number Diff line change
Expand Up @@ -24,5 +24,5 @@ jobs:
with:
comment-summary-in-pr: always
fail-on-severity: 'moderate'
allow-licenses: MIT, Apache-2.0
allow-licenses: MIT, Apache-2.0, GPL-3.0
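Review bot: adding `GPL-3.0` to `allow-licenses` is a licensing-policy change, not a mechanical update; the PR description should name the dependency that requires it, because GPL-3.0's strong copyleft terms may conflict with how this project's artifacts (including the container image built by cicd.yml) are distributed. If only one package needs it, a scoped exception for that package is narrower than allowing the license for every future dependency.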

2 changes: 1 addition & 1 deletion .github/workflows/cicd.yml
Expand Up @@ -75,7 +75,7 @@ jobs:
container-build-publish:
name: Build and Publish Container Image
needs: []
uses: advanced-security/reusable-workflows/.github/workflows/container.yml@v0.2.0
uses: githubabcs-devops/devsecops-reusable-workflows/.github/workflows/container.yml@v0.2.0
with:
# This is used for tagging the container image
version: v1.0.0
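Review bot: the reusable workflow now comes from `githubabcs-devops/devsecops-reusable-workflows` instead of `advanced-security/reusable-workflows`, at the same `v0.2.0` tag. A called workflow runs with this repository's secrets and `GITHUB_TOKEN`, so the PR description should state who owns the new source and whether its `v0.2.0` is identical to the one previously used; tags are mutable, so pin the reference to a full commit SHA. `needs: []` is a no-op and can be dropped.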
25 changes: 25 additions & 0 deletions terraform/azure/aks.tf
@@ -0,0 +1,25 @@
resource azurerm_kubernetes_cluster "k8s_cluster" {

Check warning on line 1 in terraform/azure/aks.tf

View workflow job for this annotation

GitHub Actions / Run KICS scan

[MEDIUM] AKS Private Cluster Disabled

Azure Kubernetes Service (AKS) API should not be exposed to the internet

Check warning

Code scanning / KICS

AKS Private Cluster Disabled Warning

'azurerm_kubernetes_cluster[k8s_cluster].private_cluster_enabled' is undefined

Check notice

Code scanning / KICS

AKS Disk Encryption Set ID Undefined Note

'azurerm_kubernetes_cluster[k8s_cluster].disk_encryption_set_id' is undefined or null

Check notice

Code scanning / KICS

AKS Network Policy Misconfigured Note

'azurerm_kubernetes_cluster[k8s_cluster].network_profile' is undefined
dns_prefix = "terragoat-${var.environment}"
location = var.location
name = "terragoat-aks-${var.environment}"
resource_group_name = azurerm_resource_group.example.name
identity {
type = "SystemAssigned"
}
default_node_pool {
name = "default"
vm_size = "Standard_D2_v2"
node_count = 2
}
addon_profile {

Check notice

Code scanning / KICS

AKS Uses Azure Policies Add-On Disabled Note

'azurerm_kubernetes_cluster[k8s_cluster].addon_profile.azure_policy' is undefined or null
oms_agent {
enabled = false

Check warning

Code scanning / defsec

Ensure AKS logging to Azure Monitoring is Configured Warning

Cluster does not have logging enabled via OMS Agent.
}
kube_dashboard {
enabled = true

Check notice

Code scanning / KICS

Dashboard Is Enabled Note

'azurerm_kubernetes_cluster[k8s_cluster].addon_profile.kube_dashboard.enabled' is true
}
}
role_based_access_control {
enabled = false

Check warning on line 23 in terraform/azure/aks.tf

View workflow job for this annotation

GitHub Actions / Run KICS scan

[MEDIUM] AKS RBAC Disabled

Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled

Check failure

Code scanning / defsec

Ensure RBAC is enabled on AKS clusters Error

Cluster has RBAC disabled

Check warning

Code scanning / KICS

AKS RBAC Disabled Warning

'azurerm_kubernetes_cluster[k8s_cluster].role_based_access_control.enabled' is not set to true
}
}

Check failure

Code scanning / defsec

Ensure AKS cluster has Network Policy configured Error

Kubernetes cluster does not have a network policy set.

Check failure

Code scanning / defsec

Ensure AKS has an API Server Authorized IP Ranges enabled Error

Cluster does not limit API access to specific IP addresses.

Check notice

Code scanning / checkov

Ensure AKS has an API Server Authorized IP Ranges enabled Note

Ensure AKS has an API Server Authorized IP Ranges enabled

Check notice

Code scanning / checkov

Ensure Kubernetes Dashboard is disabled Note

Ensure Kubernetes Dashboard is disabled

Check notice

Code scanning / checkov

Ensure that AKS enables private clusters Note

Ensure that AKS enables private clusters

Check failure

Code scanning / checkov

Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources Error

Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources

Check failure

Code scanning / checkov

Ensure ephemeral disks are used for OS disks Error

Ensure ephemeral disks are used for OS disks

Check notice

Code scanning / checkov

Ensure that AKS use the Paid Sku for its SLA Note

Ensure that AKS use the Paid Sku for its SLA

Check notice

Code scanning / checkov

Ensure AKS local admin account is disabled Note

Ensure AKS local admin account is disabled

Check failure

Code scanning / checkov

Ensure AKS logging to Azure Monitoring is Configured Error

Ensure AKS logging to Azure Monitoring is Configured

Check notice

Code scanning / checkov

Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. Note

Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods.

Check notice

Code scanning / checkov

Ensure AKS cluster has Network Policy configured Note

Ensure AKS cluster has Network Policy configured

Check failure

Code scanning / checkov

Ensure that only critical system pods run on system nodes Error

Ensure that only critical system pods run on system nodes

Check failure

Code scanning / checkov

Ensure RBAC is enabled on AKS clusters Error

Ensure RBAC is enabled on AKS clusters

Check failure

Code scanning / checkov

Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters Error

Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters

Check notice

Code scanning / checkov

Ensure AKS cluster upgrade channel is chosen Note

Ensure AKS cluster upgrade channel is chosen

Check notice

Code scanning / checkov

Ensure that AKS uses Azure Policies Add-on Note

Ensure that AKS uses Azure Policies Add-on

Check notice

Code scanning / checkov

Ensure that AKS uses disk encryption set Note

Ensure that AKS uses disk encryption set

Check failure

Code scanning / checkov

Ensure AKS cluster has Azure CNI networking enabled Error

Ensure AKS cluster has Azure CNI networking enabled
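Review bot: the cluster is created with `role_based_access_control { enabled = false }`, `kube_dashboard { enabled = true }`, no `network_profile`, no API-server authorized IP ranges and no `private_cluster_enabled`, which is exactly what the defsec, KICS and checkov annotations on this file report. The `terragoat` naming suggests these are intentional training misconfigurations; if so, the PR description should say that and the new scanning workflows treated as report-only, otherwise enable RBAC, remove the dashboard add-on (retired on AKS), set a `network_policy` in `network_profile`, and restrict API-server access. Separately, `addon_profile` and the `role_based_access_control` block are the azurerm 2.x schema; confirm the provider version pinned for this module, since 3.x replaced them with `role_based_access_control_enabled`, `azure_policy_enabled` and a top-level `oms_agent` block. The resource type is unquoted here but quoted in key_vault.tf; pick one style (quoted is the documented form) and run `terraform fmt` across the directory.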
34 changes: 34 additions & 0 deletions terraform/azure/app_service.tf
@@ -0,0 +1,34 @@
resource azurerm_app_service_plan "example" {
name = "terragoat-app-service-plan-${var.environment}"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name

sku {
tier = "Dynamic"
size = "S1"
}
}

resource azurerm_app_service "app-service1" {

Check warning

Code scanning / KICS

App Service Authentication Disabled Warning

'azurerm_app_service[app-service1].auth_settings' is undefined

Check warning

Code scanning / KICS

Azure App Service Client Certificate Disabled Warning

'azurerm_app_service[app-service1].client_cert_enabeld' is undefined

Check notice

Code scanning / KICS

App Service Managed Identity Disabled Note

'azurerm_app_service[app-service1].identity' is undefined or null

Check notice

Code scanning / KICS

Name Is Not Snake Case

'app-service1' is not in snake case
app_service_plan_id = azurerm_app_service_plan.example.id
location = var.location
name = "terragoat-app-service-${var.environment}${random_integer.rnd_int.result}"
resource_group_name = azurerm_resource_group.example.name
https_only = false

Check warning

Code scanning / KICS

Web App Accepting Traffic Other Than HTTPS Warning

'azurerm_app_service[app-service1].https_only' is not set to true
site_config {

Check warning

Code scanning / KICS

App Service HTTP2 Disabled Warning

'azurerm_app_service[app-service1].site_config.http2_enabled' is undefined or null
min_tls_version = "1.1"

Check failure

Code scanning / defsec

Web App uses latest TLS version Error

App service does not require a secure TLS version.

Check warning

Code scanning / KICS

App Service Not Using Latest TLS Encryption Version Warning

'azurerm_app_service[app-service1].site_config.min_tls_version' is not set to '1.3'
}

Check notice

Code scanning / defsec

Web App uses the latest HTTP version Note

App service does not have HTTP/2 enabled.
}

Check notice

Code scanning / defsec

Web App has registration with AD enabled Note

App service does not have an identity type.

Check warning

Code scanning / defsec

App Service authentication is activated Warning

App service does not have authentication enabled.

Check notice

Code scanning / defsec

Web App accepts incoming client certificate Note

App service does not have client certificates enabled.

Check failure

Code scanning / checkov

Ensure App Service Authentication is set on Azure App Service Error

Ensure App Service Authentication is set on Azure App Service

Check failure

Code scanning / checkov

Ensure the web app has 'Client Certificates (Incoming client certificates)' set Error

Ensure the web app has 'Client Certificates (Incoming client certificates)' set

Check notice

Code scanning / checkov

Ensure that App service enables detailed error messages Note

Ensure that App service enables detailed error messages

Check notice

Code scanning / checkov

Ensure that App service enables failed request tracing Note

Ensure that App service enables failed request tracing

Check failure

Code scanning / checkov

Ensure FTP deployments are disabled Error

Ensure FTP deployments are disabled

Check notice

Code scanning / checkov

Ensure that App service enables HTTP logging Note

Ensure that App service enables HTTP logging

Check failure

Code scanning / checkov

Ensure that 'HTTP Version' is the latest if used to run the web app Error

Ensure that 'HTTP Version' is the latest if used to run the web app

Check failure

Code scanning / checkov

Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Error

Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service

Check failure

Code scanning / checkov

Ensure that Register with Azure Active Directory is enabled on App Service Error

Ensure that Register with Azure Active Directory is enabled on App Service

Check notice

Code scanning / checkov

Ensure that Managed identity provider is enabled for app services Note

Ensure that Managed identity provider is enabled for app services

Check failure

Code scanning / checkov

Ensure web app is using the latest version of TLS encryption Error

Ensure web app is using the latest version of TLS encryption

Check failure

Code scanning / checkov

Ensure that App Service configures health check Error

Ensure that App Service configures health check

Check notice

Code scanning / checkov

Ensure that app services use Azure Files Note

Ensure that app services use Azure Files

resource azurerm_app_service "app-service2" {

Check warning

Code scanning / KICS

App Service HTTP2 Disabled Warning

'azurerm_app_service[app-service2].site_config' is undefined or null

Check warning

Code scanning / KICS

Azure App Service Client Certificate Disabled Warning

'azurerm_app_service[app-service2].client_cert_enabeld' is undefined

Check notice

Code scanning / KICS

App Service Managed Identity Disabled Note

'azurerm_app_service[app-service2].identity' is undefined or null

Check notice

Code scanning / KICS

Name Is Not Snake Case

'app-service2' is not in snake case
app_service_plan_id = azurerm_app_service_plan.example.id
location = var.location
name = "terragoat-app-service-${var.environment}${random_integer.rnd_int.result}"
resource_group_name = azurerm_resource_group.example.name
https_only = true

auth_settings {
enabled = false

Check warning on line 31 in terraform/azure/app_service.tf

View workflow job for this annotation

GitHub Actions / Run KICS scan

[MEDIUM] App Service Authentication Disabled

Azure App Service authentication settings should be enabled

Check warning

Code scanning / defsec

App Service authentication is activated Warning

App service does not have authentication enabled.

Check warning

Code scanning / KICS

App Service Authentication Disabled Warning

'azurerm_app_service[app-service2].auth_settings.enabled' is false
}
}

Check notice

Code scanning / defsec

Web App has registration with AD enabled Note

App service does not have an identity type.

Check notice

Code scanning / defsec

Web App uses the latest HTTP version Note

App service does not have HTTP/2 enabled.

Check notice

Code scanning / defsec

Web App accepts incoming client certificate Note

App service does not have client certificates enabled.

Check failure

Code scanning / checkov

Ensure App Service Authentication is set on Azure App Service Error

Ensure App Service Authentication is set on Azure App Service

Check failure

Code scanning / checkov

Ensure the web app has 'Client Certificates (Incoming client certificates)' set Error

Ensure the web app has 'Client Certificates (Incoming client certificates)' set

Check notice

Code scanning / checkov

Ensure that App service enables detailed error messages Note

Ensure that App service enables detailed error messages

Check notice

Code scanning / checkov

Ensure that App service enables failed request tracing Note

Ensure that App service enables failed request tracing

Check failure

Code scanning / checkov

Ensure FTP deployments are disabled Error

Ensure FTP deployments are disabled

Check notice

Code scanning / checkov

Ensure that App service enables HTTP logging Note

Ensure that App service enables HTTP logging

Check failure

Code scanning / checkov

Ensure that 'HTTP Version' is the latest if used to run the web app Error

Ensure that 'HTTP Version' is the latest if used to run the web app

Check failure

Code scanning / checkov

Ensure that Register with Azure Active Directory is enabled on App Service Error

Ensure that Register with Azure Active Directory is enabled on App Service

Check notice

Code scanning / checkov

Ensure that Managed identity provider is enabled for app services Note

Ensure that Managed identity provider is enabled for app services

Check failure

Code scanning / checkov

Ensure that App Service configures health check Error

Ensure that App Service configures health check

Check notice

Code scanning / checkov

Ensure that app services use Azure Files Note

Ensure that app services use Azure Files
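Review bot: `app-service1` and `app-service2` compute the same `name` (`terragoat-app-service-${var.environment}${random_integer.rnd_int.result}`); App Service names must be globally unique, so `terraform apply` will fail on whichever is created second. Give them distinct names. The plan's `sku { tier = "Dynamic" size = "S1" }` mixes the consumption tier with a Standard size (Dynamic expects `Y1`), so it is likely to be rejected at apply time. On `app-service1`, `https_only = false` and `min_tls_version = "1.1"` allow plaintext and legacy TLS; set `https_only = true`, `min_tls_version = "1.2"` and `http2_enabled = true`. On `app-service2`, `auth_settings { enabled = false }` produces the same finding as omitting the block, so either enable it with a provider or drop it. As in aks.tf, `azurerm_app_service` and `azurerm_app_service_plan` are the 2.x provider resource types; confirm the pinned provider version.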

59 changes: 59 additions & 0 deletions terraform/azure/instance.tf
@@ -0,0 +1,59 @@
resource random_string "password" {
length = 16
special = false
min_lower = 1
min_numeric = 1
min_upper = 1
}

resource azurerm_linux_virtual_machine "linux_machine" {

Check warning

Code scanning / KICS

Azure Instance Using Basic Authentication Warning

'azurerm_linux_virtual_machine[linux_machine]' is using username and password for authentication
admin_username = "terragoat-linux"
admin_password = random_string.password.result

Check warning on line 11 in terraform/azure/instance.tf

View workflow job for this annotation

GitHub Actions / Run KICS scan

[HIGH] Passwords And Secrets - Generic Password

Query to find passwords and secrets in infrastructure code.

Check failure

Code scanning / KICS

Passwords And Secrets - Generic Password Error

Hardcoded secret key appears in source
location = var.location
name = "terragoat-linux"
network_interface_ids = [azurerm_network_interface.ni_linux.id]
resource_group_name = azurerm_resource_group.example.name
size = "Standard_F2"
disable_password_authentication = false

Check failure

Code scanning / defsec

Password authentication should be disabled on Azure virtual machines Error

Linux virtual machine allows password authentication.
source_image_reference {
publisher = "Canonical"
offer = "UbuntuServer"
sku = "16.04-LTS"
version = "latest"
}
os_disk {
caching = "ReadWrite"
storage_account_type = "Standard_LRS"
}

tags = {
terragoat = true
environment = var.environment
}
}

Check failure

Code scanning / checkov

Ensure Virtual Machine Extensions are not Installed Error

Ensure Virtual Machine Extensions are not Installed

Check notice

Code scanning / checkov

Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) Note

Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)

Check failure

Code scanning / checkov

Ensure linux VM enables SSH with keys for secure communication Error

Ensure linux VM enables SSH with keys for secure communication

Check notice

Code scanning / checkov

Ensure that Virtual machine does not enable password authentication Note

Ensure that Virtual machine does not enable password authentication

resource azurerm_windows_virtual_machine "windows_machine" {
admin_password = random_string.password.result

Check warning on line 36 in terraform/azure/instance.tf

View workflow job for this annotation

GitHub Actions / Run KICS scan

[HIGH] Passwords And Secrets - Generic Password

Query to find passwords and secrets in infrastructure code.

Check failure

Code scanning / KICS

Passwords And Secrets - Generic Password Error

Hardcoded secret key appears in source
admin_username = "tg-${var.environment}"
location = var.location
name = "tg-win"
network_interface_ids = [azurerm_network_interface.ni_win.id]
resource_group_name = azurerm_resource_group.example.name
size = "Standard_F2"
os_disk {
caching = "ReadWrite"
storage_account_type = "Standard_LRS"
}

source_image_reference {
publisher = "MicrosoftWindowsServer"
offer = "WindowsServer"
sku = "2016-Datacenter"
version = "latest"
}

tags = {
terragoat = true
environment = var.environment
}
}

Check failure

Code scanning / checkov

Ensure Virtual Machine Extensions are not Installed Error

Ensure Virtual Machine Extensions are not Installed

Check notice

Code scanning / checkov

Ensure Windows VM enables encryption Note

Ensure Windows VM enables encryption
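Review bot: the KICS "Hardcoded secret" alerts on `admin_password = random_string.password.result` are false positives as far as literal secrets go, but the pattern has two real problems: `random_string` is not marked sensitive, so the generated password is printed in plan output and logs, and the same value is reused as the admin password of both VMs and (in key_vault.tf) as the Key Vault secret, so one exposure compromises all three. Use `random_password` (same arguments, result marked sensitive) with `special = true`, one instance per credential, or better, drop password authentication entirely: set `disable_password_authentication = true` on the Linux VM and supply an `admin_ssh_key` block, which also clears the defsec and checkov findings. `UbuntuServer 16.04-LTS` is past end of standard support and `WindowsServer 2016-Datacenter` is out of mainstream support; move to a supported SKU. If this is meant as a deliberately vulnerable lab, say so in the PR description.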
43 changes: 43 additions & 0 deletions terraform/azure/key_vault.tf
@@ -0,0 +1,43 @@
resource "azurerm_key_vault" "example" {

Check warning

Code scanning / KICS

Vault Auditing Disabled Warning

'azurerm_key_vault' is not associated with 'azurerm_monitor_diagnostic_setting'
name = "terragoat-key-${var.environment}${random_integer.rnd_int.result}"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
tenant_id = data.azurerm_client_config.current.tenant_id
sku_name = "premium"
access_policy {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
key_permissions = [
"create",
"get",
]
secret_permissions = [
"set",
]
}
tags = {
environment = var.environment
terragoat = true
}
}

Check warning

Code scanning / defsec

Key vault should have purge protection enabled Warning

Vault does not have purge protection enabled.

Check failure

Code scanning / defsec

Key vault should have the network acl block specified Error

Vault network ACL does not block access by default.

Check failure

Code scanning / checkov

Ensure that Azure Key Vault disables public network access Error

Ensure that Azure Key Vault disables public network access

Check failure

Code scanning / checkov

Ensure that key vault allows firewall rules settings Error

Ensure that key vault allows firewall rules settings

Check failure

Code scanning / checkov

Ensure that key vault enables purge protection Error

Ensure that key vault enables purge protection

Check failure

Code scanning / checkov

Ensure the key vault is recoverable Error

Ensure the key vault is recoverable

Check failure

Code scanning / checkov

Ensure private endpoint is configured to key vault Error

Ensure private endpoint is configured to key vault

resource "azurerm_key_vault_key" "generated" {

Check warning

Code scanning / KICS

Key Expiration Not Set Warning

'expiration_date' is missing
name = "terragoat-generated-certificate-${var.environment}"
key_vault_id = azurerm_key_vault.example.id
key_type = "RSA"
key_size = 2048
key_opts = [
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
]
}

Check warning

Code scanning / defsec

Ensure that the expiration date is set on all keys Warning

Key should have an expiry date specified.

Check notice

Code scanning / checkov

Ensure that key vault key is backed by HSM Note

Ensure that key vault key is backed by HSM

Check failure

Code scanning / checkov

Ensure that the expiration date is set on all keys Error

Ensure that the expiration date is set on all keys

resource "azurerm_key_vault_secret" "secret" {

Check warning

Code scanning / KICS

Key Vault Secrets Content Type Undefined Warning

'azurerm_key_vault_secret[secret].content_type' is undefined or null

Check warning

Code scanning / KICS

Secret Expiration Not Set Warning

'expiration_date' is missing
key_vault_id = azurerm_key_vault.example.id
name = "terragoat-secret-${var.environment}"
value = random_string.password.result
}

Check notice

Code scanning / defsec

Key vault Secret should have a content type set Note

Secret does not have a content-type specified.

Check notice

Code scanning / defsec

Key Vault Secret should have an expiration date set Note

Secret should have an expiry date specified.

Check notice

Code scanning / checkov

Ensure that key vault secrets have "content_type" set Note

Ensure that key vault secrets have "content_type" set

Check failure

Code scanning / checkov

Ensure that the expiration date is set on all secrets Error

Ensure that the expiration date is set on all secrets
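Review bot: the vault has no `network_acls` block (so public access with the default allow action), no `purge_protection_enabled = true`, and neither the key nor the secret has an `expiration_date`, matching the defsec, KICS and checkov findings; add `network_acls { default_action = "Deny" bypass = "AzureServices" }`, enable purge protection, set an expiry on both the key and the secret, and give the secret a `content_type`. The access-policy permissions are lowercase (`"create"`, `"get"`, `"set"`); the azurerm 3.x provider requires the capitalised form (`"Create"`, `"Get"`, `"Set"`), so confirm which provider version is pinned. The key is named `terragoat-generated-certificate` but is an RSA key, not a certificate; rename it. The secret's `value` is `random_string.password.result`, the same value used as the VM admin password in instance.tf, so the two should not share one generated credential.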
10 changes: 10 additions & 0 deletions terraform/azure/logging.tf
@@ -0,0 +1,10 @@
resource azurerm_monitor_log_profile "logging_profile" {
storage_account_id = azurerm_storage_account.example.id
categories = ["Action"]
locations = [var.location]
name = "terragoat-${var.environment}"
retention_policy {
enabled = true
days = 30

Check warning

Code scanning / defsec

Ensure the activity retention log is set to at least a year Warning

Profile has a log retention policy of less than 1 year.

Check notice

Code scanning / KICS

Small Activity Log Retention Period Note

'azurerm_monitor_log_profile[logging_profile].retention_policy.days' is less than 365 days or different than 0 (indefinitely)
}
}

Check warning

Code scanning / defsec

Ensure log profile captures all activities Warning

Log profile does not require the 'Write' category.

Check warning

Code scanning / defsec

Ensure log profile captures all activities Warning

Log profile does not require the 'Delete' category.

Check warning

Code scanning / defsec

Ensure activitys are captured for all locations Warning

Log profile does not log to all regions (68 regions missing).

Check notice

Code scanning / checkov

Ensure audit profile captures all the activities Note

Ensure audit profile captures all the activities

Check failure

Code scanning / checkov

Ensure that Activity Log Retention is set 365 days or greater Error

Ensure that Activity Log Retention is set 365 days or greater
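Review bot: `retention_policy.days = 30`, `categories = ["Action"]` and `locations = [var.location]` are each what the annotations flag: retain the activity log for at least 365 days (or `days = 0` for indefinite), add `"Write"` and `"Delete"` to the categories, and list every region plus `"global"` in `locations` so subscription-level events are captured. `azurerm_monitor_log_profile` is the legacy mechanism; a subscription-level diagnostic setting is the current approach and removes the per-region list. Across the PR, `azurerm_resource_group.example`, `azurerm_storage_account.example`, `random_integer.rnd_int`, `azurerm_network_interface.ni_linux`/`ni_win`, `data.azurerm_client_config.current`, `var.location` and `var.environment` are referenced but defined in none of the files in this diff; confirm they exist in the module or `terraform validate` will fail.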