From c6b764fe49822a28dc01d413bc1133667c312ab6 Mon Sep 17 00:00:00 2001
From: Preben Huybrechts
Date: Tue, 5 Nov 2024 13:20:03 +0100
Subject: [PATCH 1/3] feat: sql server rules
---
docs/README.md | 14 +++
main.go | 4 +
...azurerm_mssql_firewall_rule_all_allowed.go | 96 +++++++++++++++
...rm_mssql_firewall_rule_all_allowed_test.go | 66 ++++++++++
...ssql_server_azuread_authentication_only.go | 105 ++++++++++++++++
...server_azuread_authentication_only_test.go | 115 ++++++++++++++++++
...ql_server_public_network_access_enabled.go | 84 +++++++++++++
...rver_public_network_access_enabled_test.go | 74 +++++++++++
rules/azurerm_mssql_server_tls_version.go | 90 ++++++++++++++
.../azurerm_mssql_server_tls_version_test.go | 57 +++++++++
10 files changed, 705 insertions(+)
create mode 100644 rules/azurerm_mssql_firewall_rule_all_allowed.go
create mode 100644 rules/azurerm_mssql_firewall_rule_all_allowed_test.go
create mode 100644 rules/azurerm_mssql_server_azuread_authentication_only.go
create mode 100644 rules/azurerm_mssql_server_azuread_authentication_only_test.go
create mode 100644 rules/azurerm_mssql_server_public_network_access_enabled.go
create mode 100644 rules/azurerm_mssql_server_public_network_access_enabled_test.go
create mode 100644 rules/azurerm_mssql_server_tls_version.go
create mode 100644 rules/azurerm_mssql_server_tls_version_test.go
diff --git a/docs/README.md b/docs/README.md
index 7729197..3c375d5 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -30,6 +30,20 @@
 | --- | --- | --- | --- | --- |
 |azurerm_mssql_database_transparent_data_encryption_enabled|Enforce transparant data encryption|WARNING|✔||
+## azurerm_mssql_server
+|Name|Description|Severity|Enabled|Link|
+| --- | --- | --- | --- | --- |
+|azurerm_mssql_server_azuread_authentication_only |Only user Azure AD authentication to SQL |WARNING|✔||
+|azurerm_mssql_server_public_network_access_enabled|Consider disabling public network access on SQL servers. |NOTICE|✔||
+|azurerm_mssql_server_minimum_tls_version|Enforce TLS 1.2 on event hubs |WARNING|✔||
+
+## azurerm_mssql_firewall_rule
+
+|Name|Description|Severity|Enabled|Link|
+| --- | --- | --- | --- | --- |
+|azurerm_mssql_firewall_rule_all_allowed|Remove a firewall rule that allows the any ip.|ERROR|✔||
+
+
 ## azurerm_storage_account
 |Name|Description|Severity|Enabled|Link|
 | --- | --- | --- | --- | --- |
diff --git a/main.go b/main.go
index b3a689f..17b703d 100644
--- a/main.go
+++ b/main.go
@@ -22,6 +22,10 @@ func createRuleSet() *tflint.BuiltinRuleSet {
 rules.NewAzurermLinuxWebAppHTTPSOnly(),
 rules.NewAzurermLinuxWebAppMinimumTLSVersion(),
 rules.NewAzurermMssqlDatabaseEncryption(),
+ rules.NewAzurermMsSqlFirewallRuleAllAllowed(),
+ rules.NewAzurermMsSqlServerAdAuthOnly(),
+ rules.NewAzurermMsSqlServerPublicNetworkAccessEnabled(),
+ rules.NewAzurermMsSqlServerUnsecureTLS(),
 rules.NewAzurermStorageAccountPublicNetworkAccessEnabled(),
 rules.NewAzurermStorageAccountUnsecureTLS(),
 rules.NewAzurermWindowsFunctionAppFtpsState(),
diff --git a/rules/azurerm_mssql_firewall_rule_all_allowed.go b/rules/azurerm_mssql_firewall_rule_all_allowed.go
new file mode 100644
index 0000000..d78a73d
--- /dev/null
+++ b/rules/azurerm_mssql_firewall_rule_all_allowed.go
@@ -0,0 +1,96 @@
+package rules
+
+import (
+ "github.com/terraform-linters/tflint-plugin-sdk/hclext"
+ "github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// AzurermMsSqlFirewallRuleAllAllowed checks if the firewall rule allows all IP addresses
+type AzurermMsSqlFirewallRuleAllAllowed struct {
+ tflint.DefaultRule
+
+ resourceType string
+ startIPAttr string
+ endIPAttr string
+}
+
+// NewAzurermMsSqlFirewallRuleAllAllowed returns a new rule instance
+func NewAzurermMsSqlFirewallRuleAllAllowed() *AzurermMsSqlFirewallRuleAllAllowed {
+ return &AzurermMsSqlFirewallRuleAllAllowed{
+ resourceType: "azurerm_mssql_firewall_rule",
+ startIPAttr: "start_ip_address",
+ endIPAttr: "end_ip_address",
+ }
+}
+
+// Name returns the rule name
+func (r *AzurermMsSqlFirewallRuleAllAllowed) Name() string {
+ return "azurerm_mssql_firewall_rule_all_allowed"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AzurermMsSqlFirewallRuleAllAllowed) Enabled() bool {
+ return true
+}
+
+// Severity returns the rule severity
+func (r *AzurermMsSqlFirewallRuleAllAllowed) Severity() tflint.Severity {
+ return tflint.ERROR
+}
+
+// Link returns the rule reference link
+func (r *AzurermMsSqlFirewallRuleAllAllowed) Link() string {
+ return ""
+}
+
+// Check checks if the firewall rule allows all IP addresses
+func (r *AzurermMsSqlFirewallRuleAllAllowed) Check(runner tflint.Runner) error {
+ resources, err := runner.GetResourceContent(r.resourceType, &hclext.BodySchema{
+ Attributes: []hclext.AttributeSchema{
+ {Name: r.startIPAttr},
+ {Name: r.endIPAttr},
+ },
+ }, nil)
+ if err != nil {
+ return err
+ }
+
+ for _, resource := range resources.Blocks {
+ startIP, exists := resource.Body.Attributes[r.startIPAttr]
+ if !exists {
+ continue
+ }
+
+ endIP, exists := resource.Body.Attributes[r.endIPAttr]
+ if !exists {
+ continue
+ }
+
+ var startIPValue, endIPValue string
+ err := runner.EvaluateExpr(startIP.Expr, func(val string) error {
+ startIPValue = val
+ return nil
+ }, nil)
+ if err != nil {
+ return err
+ }
+
+ err = runner.EvaluateExpr(endIP.Expr, func(val string) error {
+ endIPValue = val
+ return nil
+ }, nil)
+ if err != nil {
+ return err
+ }
+
+ if startIPValue == "0.0.0.0" && endIPValue == "255.255.255.255" {
+ runner.EmitIssue(
+ r,
+ "Firewall rule allows access from all IP addresses (0.0.0.0-255.255.255.255). Consider restricting the IP range for better security.",
+ resource.DefRange,
+ )
+ }
+ }
+
+ return nil
+}
\ No newline at end of file
diff --git a/rules/azurerm_mssql_firewall_rule_all_allowed_test.go b/rules/azurerm_mssql_firewall_rule_all_allowed_test.go
new file mode 100644
index 0000000..94cffd6
--- /dev/null
+++ b/rules/azurerm_mssql_firewall_rule_all_allowed_test.go
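Review bot: The `runner.EmitIssue(...)` call in the `startIPValue == "0.0.0.0" && endIPValue == "255.255.255.255"` branch drops the error that the SDK's Runner.EmitIssue returns, so a failure to record the finding goes unnoticed; write it as `if err := runner.EmitIssue(r, "...", resource.DefRange); err != nil { return err }`. The same dropped return value appears in the azuread_authentication_only, public_network_access_enabled and tls_version rules of this series, so fix it there too. The match is also a byte comparison of two literals, so any range that is effectively open but not spelled exactly this way (an end of 255.255.255.254, a leading zero in an octet) passes silently; parsing both ends with `net/netip` before comparing would at least make the check canonical, and how broad a range should count as "all" is a policy decision worth a comment. The test file's "missing IP addresses" case exercises the two `continue` paths, but nothing covers an address coming from a variable, so the unknown-value behaviour of `EvaluateExpr` is untested.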
@@ -0,0 +1,66 @@
+package rules
+
+import (
+ "testing"
+
+ hcl "github.com/hashicorp/hcl/v2"
+ "github.com/terraform-linters/tflint-plugin-sdk/helper"
+)
+
+func Test_AzurermMsSqlFirewallRuleAllAllowed(t *testing.T) {
+ tests := []struct {
+ Name string
+ Content string
+ Expected helper.Issues
+ }{
+ {
+ Name: "all IPs allowed",
+ Content: `
+resource "azurerm_mssql_firewall_rule" "example" {
+ start_ip_address = "0.0.0.0"
+ end_ip_address = "255.255.255.255"
+}`,
+ Expected: helper.Issues{
+ {
+ Rule: NewAzurermMsSqlFirewallRuleAllAllowed(),
+ Message: "Firewall rule allows access from all IP addresses (0.0.0.0-255.255.255.255). Consider restricting the IP range for better security.",
+ Range: hcl.Range{
+ Filename: "resource.tf",
+ Start: hcl.Pos{Line: 2, Column: 1},
+ End: hcl.Pos{Line: 2, Column: 49},
+ },
+ },
+ },
+ },
+ {
+ Name: "specific IP range",
+ Content: `
+resource "azurerm_mssql_firewall_rule" "example" {
+ start_ip_address = "10.0.0.0"
+ end_ip_address = "10.0.0.255"
+}`,
+ Expected: helper.Issues{},
+ },
+ {
+ Name: "missing IP addresses",
+ Content: `
+resource "azurerm_mssql_firewall_rule" "example" {
+}`,
+ Expected: helper.Issues{},
+ },
+ }
+
+ rule := NewAzurermMsSqlFirewallRuleAllAllowed()
+
+ for _, test := range tests {
+ t.Run(test.Name, func(t *testing.T) {
+ runner := helper.TestRunner(t, map[string]string{"resource.tf": test.Content})
+
+ if err := rule.Check(runner); err != nil {
+ t.Fatalf("Unexpected error occurred: %s", err)
+ }
+
+ helper.AssertIssues(t, test.Expected, runner.Issues)
+ })
+ }
+}
\ No newline at end of file
diff --git a/rules/azurerm_mssql_server_azuread_authentication_only.go b/rules/azurerm_mssql_server_azuread_authentication_only.go
new file mode 100644
index 0000000..3cd8f73
--- /dev/null
+++ b/rules/azurerm_mssql_server_azuread_authentication_only.go
@@ -0,0 +1,105 @@
+package rules
+
+import (
+ "fmt"
+ "strings"
+
+ "github.com/terraform-linters/tflint-plugin-sdk/hclext"
+ "github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// AzurermMsSqlServerAdAuthOnly checks that azuread_authentication_only is set to true
+type AzurermMsSqlServerAdAuthOnly struct {
+ tflint.DefaultRule
+
+ resourceType string
+ attributePath []string
+ expectedValue string
+}
+
+// NewAzurermMsSqlServerAdAuthOnly returns a new rule instance
+func NewAzurermMsSqlServerAdAuthOnly() *AzurermMsSqlServerAdAuthOnly {
+ return &AzurermMsSqlServerAdAuthOnly{
+ resourceType: "azurerm_mssql_server",
+ attributePath: []string{"azuread_administrator", "azuread_authentication_only"},
+ expectedValue: "true",
+ }
+}
+
+// Name returns the rule name
+func (r *AzurermMsSqlServerAdAuthOnly) Name() string {
+ return "azurerm_mssql_server_azuread_authentication_only"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AzurermMsSqlServerAdAuthOnly) Enabled() bool {
+ return true
+}
+
+// Severity returns the rule severity
+func (r *AzurermMsSqlServerAdAuthOnly) Severity() tflint.Severity {
+ return tflint.WARNING
+}
+
+// Link returns the rule reference link
+func (r *AzurermMsSqlServerAdAuthOnly) Link() string {
+ return ""
+}
+
+// Check verifies that azuread_authentication_only is set to "Disabled"
+func (r *AzurermMsSqlServerAdAuthOnly) Check(runner tflint.Runner) error {
+ resources, err := runner.GetResourceContent(r.resourceType, &hclext.BodySchema{
+ Blocks: []hclext.BlockSchema{
+ {
+ Type: "azuread_administrator",
+ Body: &hclext.BodySchema{
+ Attributes: []hclext.AttributeSchema{
+ {Name: "azuread_authentication_only"},
+ },
+ },
+ },
+ },
+ }, nil)
+ if err != nil {
+ return err
+ }
+
+ for _, resource := range resources.Blocks {
+ siteConfigBlocks := resource.Body.Blocks.OfType("azuread_administrator")
+ if len(siteConfigBlocks) == 0 {
+ runner.EmitIssue(
+ r,
+ "azuread_administrator block is missing, azuread_authentication_only should be set to true",
+ resource.DefRange,
+ )
+ continue
+ }
+
+ siteConfig := siteConfigBlocks[0]
+ attribute, exists := siteConfig.Body.Attributes["azuread_authentication_only"]
+ if !exists {
+ runner.EmitIssue(
+ r,
+ "azuread_authentication_only is missing in azuread_administrator, should be set to true",
+ siteConfig.DefRange,
+ )
+ continue
+ }
+
+ err := runner.EvaluateExpr(attribute.Expr, func(val string) error {
+ if !strings.EqualFold(val, r.expectedValue) {
+ runner.EmitIssue(
+ r,
+ fmt.Sprintf("azuread_authentication_only is set to %s, should be set to true", val),
+ attribute.Expr.Range(),
+ )
+ }
+ return nil
+ }, nil)
+ if err != nil {
+ return err
+ }
+ }
+
+ return nil
+}
\ No newline at end of file
diff --git a/rules/azurerm_mssql_server_azuread_authentication_only_test.go b/rules/azurerm_mssql_server_azuread_authentication_only_test.go
new file mode 100644
index 0000000..81b05c9
--- /dev/null
+++ b/rules/azurerm_mssql_server_azuread_authentication_only_test.go
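Review bot: The doc comment on `Check` says azuread_authentication_only must be set to "Disabled", which contradicts the type comment, the emitted messages and the `expectedValue: "true"` field; change it to `// Check verifies that azuread_authentication_only is set to true`. `attributePath` is populated in the constructor but never read — the block and attribute names are repeated as literals inside `Check` — so either build the schema and the lookups from it or drop the field. The locals `siteConfigBlocks`/`siteConfig` appear to be inherited from a web-app rule and no longer describe what they hold; `adminBlocks`/`admin` would. Evaluating a boolean attribute through `func(val string)` plus `strings.EqualFold` seems to rely on the SDK rendering the bool as text (the test expects "set to false"); the public_network_access_enabled rule in this series uses `func(val bool)`, which is more direct and would keep the two rules consistent.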
@@ -0,0 +1,115 @@
+package rules
+
+import (
+ "testing"
+
+ hcl "github.com/hashicorp/hcl/v2"
+ "github.com/terraform-linters/tflint-plugin-sdk/helper"
+)
+
+func Test_AzurermMsSqlServerAdAuthOnly(t *testing.T) {
+ tests := []struct {
+ Name string
+ Content string
+ Expected helper.Issues
+ }{
+ {
+ Name: "azuread_authentication_only set to false",
+ Content: `
+resource "azurerm_mssql_server" "example" {
+ azuread_administrator {
+ azuread_authentication_only = false
+ }
+}`,
+ Expected: helper.Issues{
+ {
+ Rule: NewAzurermMsSqlServerAdAuthOnly(),
+ Message: "azuread_authentication_only is set to false, should be set to true",
+ Range: hcl.Range{
+ Filename: "resource.tf",
+ Start: hcl.Pos{
+ Line: 4,
+ Column: 39,
+ },
+ End: hcl.Pos{
+ Line: 4,
+ Column: 44,
+ },
+ },
+ },
+ },
+ },
+ {
+ Name: "azuread_authentication_only set to true",
+ Content: `
+resource "azurerm_mssql_server" "example" {
+ azuread_administrator {
+ azuread_authentication_only = true
+ }
+}`,
+ Expected: helper.Issues{},
+ },
+ {
+ Name: "azuread_authentication_only attribute missing",
+ Content: `
+resource "azurerm_mssql_server" "example" {
+ azuread_administrator {
+ }
+}`,
+ Expected: helper.Issues{
+ {
+ Rule: NewAzurermMsSqlServerAdAuthOnly(),
+ Message: "azuread_authentication_only is missing in azuread_administrator, should be set to true",
+ Range: hcl.Range{
+ Filename: "resource.tf",
+ Start: hcl.Pos{
+ Line: 3,
+ Column: 5,
+ },
+ End: hcl.Pos{
+ Line: 3,
+ Column: 26,
+ },
+ },
+ },
+ },
+ },
+ {
+ Name: "azuread_administrator block missing",
+ Content: `
+resource "azurerm_mssql_server" "example" {
+}`,
+ Expected: helper.Issues{
+ {
+ Rule: NewAzurermMsSqlServerAdAuthOnly(),
+ Message: "azuread_administrator block is missing, azuread_authentication_only should be set to true",
+ Range: hcl.Range{
+ Filename: "resource.tf",
+ Start: hcl.Pos{
+ Line: 2,
+ Column: 1,
+ },
+ End: hcl.Pos{
+ Line: 2,
+ Column: 42,
+ },
+ },
+ },
+ },
+ },
+ }
+
+ rule := NewAzurermMsSqlServerAdAuthOnly()
+
+ for _, test := range tests {
+ t.Run(test.Name, func(t *testing.T) {
+ runner := helper.TestRunner(t, map[string]string{"resource.tf": test.Content})
+
+ if err := rule.Check(runner); err != nil {
+ t.Fatalf("Unexpected error occurred: %s", err)
+ }
+
+ helper.AssertIssues(t, test.Expected, runner.Issues)
+ })
+ }
+}
\ No newline at end of file
diff --git a/rules/azurerm_mssql_server_public_network_access_enabled.go b/rules/azurerm_mssql_server_public_network_access_enabled.go
new file mode 100644
index 0000000..dc9512a
--- /dev/null
+++ b/rules/azurerm_mssql_server_public_network_access_enabled.go
@@ -0,0 +1,84 @@
+package rules
+
+import (
+ "github.com/terraform-linters/tflint-plugin-sdk/hclext"
+ "github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// AzurermMsSqlServerPublicNetworkAccessEnabled checks that transparent data encryption is enabled
+type AzurermMsSqlServerPublicNetworkAccessEnabled struct {
+ tflint.DefaultRule
+
+ resourceType string
+ attributeName string
+}
+
+// NewAzurermMsSqlServerPublicNetworkAccessEnabled returns a new rule instance
+func NewAzurermMsSqlServerPublicNetworkAccessEnabled() *AzurermMsSqlServerPublicNetworkAccessEnabled {
+ return &AzurermMsSqlServerPublicNetworkAccessEnabled{
+ resourceType: "azurerm_mssql_server",
+ attributeName: "public_network_access_enabled",
+ }
+}
+
+// Name returns the rule name
+func (r *AzurermMsSqlServerPublicNetworkAccessEnabled) Name() string {
+ return "azurerm_mssql_server_public_network_access_enabled"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AzurermMsSqlServerPublicNetworkAccessEnabled) Enabled() bool {
+ return true
+}
+
+// Severity returns the rule severity
+func (r *AzurermMsSqlServerPublicNetworkAccessEnabled) Severity() tflint.Severity {
+ return tflint.NOTICE
+}
+
+// Link returns the rule reference link
+func (r *AzurermMsSqlServerPublicNetworkAccessEnabled) Link() string {
+ return ""
+}
+
+// Check checks if transparent data encryption is enabled
+func (r *AzurermMsSqlServerPublicNetworkAccessEnabled) Check(runner tflint.Runner) error {
+ resources, err := runner.GetResourceContent(r.resourceType, &hclext.BodySchema{
+ Attributes: []hclext.AttributeSchema{
+ {Name: r.attributeName},
+ },
+ }, nil)
+ if err != nil {
+ return err
+ }
+
+ for _, resource := range resources.Blocks {
+ attribute, exists := resource.Body.Attributes[r.attributeName]
+ if !exists {
+ // Emit an issue if the attribute does not exist
+ runner.EmitIssue(
+ r,
+ "public_network_access_enabled is not defined and defaults to true, consider disabling it",
+ resource.DefRange,
+ )
+ continue
+ }
+
+ err := runner.EvaluateExpr(attribute.Expr, func(val bool) error {
+ if val {
+ runner.EmitIssue(
+ r,
+ "Consider changing public_network_access_enabled to false",
+ attribute.Expr.Range(),
+ )
+ }
+ return nil
+ }, nil)
+
+ if err != nil {
+ return err
+ }
+ }
+
+ return nil
+}
diff --git a/rules/azurerm_mssql_server_public_network_access_enabled_test.go b/rules/azurerm_mssql_server_public_network_access_enabled_test.go
new file mode 100644
index 0000000..3d6b621
--- /dev/null
+++ b/rules/azurerm_mssql_server_public_network_access_enabled_test.go
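Review bot: Both the type comment (`checks that transparent data encryption is enabled`) and the `Check` comment (`checks if transparent data encryption is enabled`) describe the database TDE rule this file was evidently derived from, not this rule; they should read `// AzurermMsSqlServerPublicNetworkAccessEnabled checks that public_network_access_enabled is not left enabled on azurerm_mssql_server` and `// Check emits an issue when public_network_access_enabled is true or not set`. The "defaults to true" wording in the emitted message is a provider fact the code cannot verify; a short comment next to the missing-attribute branch naming the provider version that default was checked against would keep it honest when the provider changes. The blank line between `}, nil)` and `if err != nil {` separates the call from its error check, unlike the other rules in this series; dropping it keeps the style uniform.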
@@ -0,0 +1,74 @@
+package rules
+
+import (
+ "testing"
+
+ hcl "github.com/hashicorp/hcl/v2"
+ "github.com/terraform-linters/tflint-plugin-sdk/helper"
+)
+
+func Test_AzurermMsSqlServerPublicNetworkAccessEnabled(t *testing.T) {
+ tests := []struct {
+ Name string
+ Content string
+ Expected helper.Issues
+ }{
+ {
+ Name: "public network access disabled",
+ Content: `
+resource "azurerm_mssql_server" "example" {
+ public_network_access_enabled = true
+}`,
+ Expected: helper.Issues{
+ {
+ Rule: NewAzurermMsSqlServerPublicNetworkAccessEnabled(),
+ Message: "Consider changing public_network_access_enabled to false",
+ Range: hcl.Range{
+ Filename: "resource.tf",
+ Start: hcl.Pos{Line: 3, Column: 37},
+ End: hcl.Pos{Line: 3, Column: 41},
+ },
+ },
+ },
+ },
+ {
+ Name: "public network access missing",
+ Content: `
+resource "azurerm_mssql_server" "example" {
+}`,
+ Expected: helper.Issues{
+ {
+ Rule: NewAzurermMsSqlServerPublicNetworkAccessEnabled(),
+ Message: "public_network_access_enabled is not defined and defaults to true, consider disabling it",
+ Range: hcl.Range{
+ Filename: "resource.tf",
+ Start: hcl.Pos{Line: 2, Column: 1},
+ End: hcl.Pos{Line: 2, Column: 42},
+ },
+ },
+ },
+ },
+ {
+ Name: "public network access disabled",
+ Content: `
+resource "azurerm_mssql_server" "example" {
+ public_network_access_enabled = false
+}`,
+ Expected: helper.Issues{},
+ },
+ }
+
+ rule := NewAzurermMsSqlServerPublicNetworkAccessEnabled()
+
+ for _, test := range tests {
+ t.Run(test.Name, func(t *testing.T) {
+ runner := helper.TestRunner(t, map[string]string{"resource.tf": test.Content})
+
+ if err := rule.Check(runner); err != nil {
+ t.Fatalf("Unexpected error occurred: %s", err)
+ }
+
+ helper.AssertIssues(t, test.Expected, runner.Issues)
+ })
+ }
+}
diff --git a/rules/azurerm_mssql_server_tls_version.go b/rules/azurerm_mssql_server_tls_version.go
new file mode 100644
index 0000000..44d7648
--- /dev/null
+++ b/rules/azurerm_mssql_server_tls_version.go
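Review bot: The first and third cases both carry `Name: "public network access disabled"`, yet the first sets `public_network_access_enabled = true` and expects an issue; `t.Run` will still execute both (it suffixes the duplicate), but a failure is reported under a misleading name. Rename the first case to `Name: "public network access enabled",`. Nothing covers a value that is not a literal (a variable or a reference to another resource), so the unknown-value path of `EvaluateExpr` is untested for this rule.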
@@ -0,0 +1,90 @@
+package rules
+
+import (
+ "fmt"
+
+ "github.com/terraform-linters/tflint-plugin-sdk/hclext"
+ "github.com/terraform-linters/tflint-plugin-sdk/tflint"
+ // "github.com/terraform-linters/tflint-ruleset-azurerm/project"
+)
+
+// AzurermMsSqlServerUnsecureTLS checks the pattern is valid
+type AzurermMsSqlServerUnsecureTLS struct {
+ tflint.DefaultRule
+
+ resourceType string
+ attributeName string
+ enum []string
+}
+
+// NewAzurermMsSqlServerUnsecureTLS returns new rule with default attributes
+func NewAzurermMsSqlServerUnsecureTLS() *AzurermMsSqlServerUnsecureTLS {
+ return &AzurermMsSqlServerUnsecureTLS{
+ resourceType: "azurerm_mssql_server",
+ attributeName: "min_tls_version",
+ enum: []string{
+ "TLS1_2",
+ "TLS1_3",
+ },
+ }
+}
+
+// Name returns the rule name
+func (r *AzurermMsSqlServerUnsecureTLS) Name() string {
+ return "azurerm_mssql_server_unsecure_tls"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AzurermMsSqlServerUnsecureTLS) Enabled() bool {
+ return true
+}
+
+// Severity returns the rule severity
+func (r *AzurermMsSqlServerUnsecureTLS) Severity() tflint.Severity {
+ return tflint.WARNING
+}
+
+// Link returns the rule reference link
+func (r *AzurermMsSqlServerUnsecureTLS) Link() string {
+ return ""
+}
+
+// Check checks the pattern is valid
+func (r *AzurermMsSqlServerUnsecureTLS) Check(runner tflint.Runner) error {
+ resources, err := runner.GetResourceContent(r.resourceType, &hclext.BodySchema{
+ Attributes: []hclext.AttributeSchema{
+ {Name: r.attributeName},
+ },
+ }, nil)
+ if err != nil {
+ return err
+ }
+
+ for _, resource := range resources.Blocks {
+ attribute, exists := resource.Body.Attributes[r.attributeName]
+ if !exists {
+ continue
+ }
+ err := runner.EvaluateExpr(attribute.Expr, func (val string) error {
+ found := false
+ for _, item := range r.enum {
+ if item == val {
+ found = true
+ }
+ }
+ if !found {
+ runner.EmitIssue(
+ r,
+ fmt.Sprintf(`"%s" is an insecure value as min_tls_version`, val),
+ attribute.Expr.Range(),
+ )
+ }
+ return nil
+ }, nil)
+ if err != nil {
+ return err
+ }
+ }
+
+ return nil
+}
\ No newline at end of file
diff --git a/rules/azurerm_mssql_server_tls_version_test.go b/rules/azurerm_mssql_server_tls_version_test.go
new file mode 100644
index 0000000..315f47b
--- /dev/null
+++ b/rules/azurerm_mssql_server_tls_version_test.go
@@ -0,0 +1,57 @@
+package rules
+
+import (
+ "testing"
+
+ hcl "github.com/hashicorp/hcl/v2"
+ "github.com/terraform-linters/tflint-plugin-sdk/helper"
+)
+
+func Test_AzurermMsSqlServerUnsecureTLS(t *testing.T) {
+ tests := []struct {
+ Name string
+ Content string
+ Expected helper.Issues
+ }{
+ {
+ Name: "insecure TLS version found",
+ Content: `
+resource "azurerm_mssql_server" "example" {
+ min_tls_version = "TLS1_0"
+}`,
+ Expected: helper.Issues{
+ {
+ Rule: NewAzurermMsSqlServerUnsecureTLS(),
+ Message: `"TLS1_0" is an insecure value as min_tls_version`,
+ Range: hcl.Range{
+ Filename: "resource.tf",
+ Start: hcl.Pos{Line: 3, Column: 23},
+ End: hcl.Pos{Line: 3, Column: 31},
+ },
+ },
+ },
+ },
+ {
+ Name: "secure TLS version",
+ Content: `
+resource "azurerm_mssql_server" "example" {
+ min_tls_version = "TLS1_2"
+}`,
+ Expected: helper.Issues{},
+ },
+ }
+
+ rule := NewAzurermMsSqlServerUnsecureTLS()
+
+ for _, test := range tests {
+ t.Run(test.Name, func(t *testing.T) {
+ runner := helper.TestRunner(t, map[string]string{"resource.tf": test.Content})
+
+ if err := rule.Check(runner); err != nil {
+ t.Fatalf("Unexpected error occurred: %s", err)
+ }
+
+ helper.AssertIssues(t, test.Expected, runner.Issues)
+ })
+ }
+}
\ No newline at end of file
From 7ce8faae1f3412d3925df54c0f7abdcfeeb75c54 Mon Sep 17 00:00:00 2001
From: Preben Huybrechts
Date: Tue, 5 Nov 2024 13:20:51 +0100
Subject: [PATCH 2/3] fix copypaste
---
docs/README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/README.md b/docs/README.md
index 3c375d5..e9b672e 100644
--- a/docs/README.md
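Review bot: `attributeName: "min_tls_version"` together with the `TLS1_2`/`TLS1_3` enum looks carried over from the storage-account rule: the azurerm provider's `azurerm_mssql_server` resource exposes `minimum_tls_version` with values written as "1.0", "1.1", "1.2" (and "Disabled"), so on a real configuration the attribute is never present, `Check` takes the `continue` branch for every resource and the rule can never fire — the test only passes because its fixture uses the same attribute name. Please verify against the provider schema this ruleset targets and, if it is `minimum_tls_version`, change the constructor to `attributeName: "minimum_tls_version",` and `enum: []string{"1.2"},` (plus whatever newer versions the provider accepts), and point the test fixture at the real attribute. `Name()` returns "azurerm_mssql_server_unsecure_tls" while docs/README.md in this series documents the rule as `azurerm_mssql_server_minimum_tls_version`; users enable and disable rules by name, so one of the two must change. The commented-out `// "github.com/terraform-linters/tflint-ruleset-azurerm/project"` import and the `func (val string)` spacing are leftovers worth removing. A missing attribute is silently accepted here whereas the public_network_access_enabled rule reports the unset case; if that is deliberate because the provider default is already secure, a one-line comment on the `continue` saying so would stop the next reader from "fixing" it.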
+++ b/docs/README.md
@@ -35,7 +35,7 @@
 | --- | --- | --- | --- | --- |
 |azurerm_mssql_server_azuread_authentication_only |Only user Azure AD authentication to SQL |WARNING|✔||
 |azurerm_mssql_server_public_network_access_enabled|Consider disabling public network access on SQL servers. |NOTICE|✔||
-|azurerm_mssql_server_minimum_tls_version|Enforce TLS 1.2 on event hubs |WARNING|✔||
+|azurerm_mssql_server_minimum_tls_version|Enforce TLS 1.2 on SQL servers. |WARNING|✔||
 ## azurerm_mssql_firewall_rule
From b272212f94f5fd3ae17b63a69fd7b4413ea99042 Mon Sep 17 00:00:00 2001
From: Preben Huybrechts
Date: Tue, 5 Nov 2024 13:30:54 +0100
Subject: [PATCH 3/3] linter
---
main.go | 8 ++++----
...azurerm_mssql_firewall_rule_all_allowed.go | 20 +++++++++----------
...rm_mssql_firewall_rule_all_allowed_test.go | 6 +++---
...ssql_server_azuread_authentication_only.go | 20 +++++++++----------
...server_azuread_authentication_only_test.go | 10 +++++-----
...ql_server_public_network_access_enabled.go | 20 +++++++++----------
...rver_public_network_access_enabled_test.go | 8 ++++----
rules/azurerm_mssql_server_tls_version.go | 20 +++++++++----------
.../azurerm_mssql_server_tls_version_test.go | 6 +++---
9 files changed, 59 insertions(+), 59 deletions(-)
diff --git a/main.go b/main.go
index 17b703d..79e2175 100644
--- a/main.go
+++ b/main.go
@@ -22,10 +22,10 @@ func createRuleSet() *tflint.BuiltinRuleSet {
 rules.NewAzurermLinuxWebAppHTTPSOnly(),
 rules.NewAzurermLinuxWebAppMinimumTLSVersion(),
 rules.NewAzurermMssqlDatabaseEncryption(),
- rules.NewAzurermMsSqlFirewallRuleAllAllowed(),
- rules.NewAzurermMsSqlServerAdAuthOnly(),
- rules.NewAzurermMsSqlServerPublicNetworkAccessEnabled(),
- rules.NewAzurermMsSqlServerUnsecureTLS(),
+ rules.NewAzurermMsSQLFirewallRuleAllAllowed(),
+ rules.NewAzurermMsSQLServerAdAuthOnly(),
+ rules.NewAzurermMsSQLServerPublicNetworkAccessEnabled(),
+ rules.NewAzurermMsSQLServerUnsecureTLS(),
 rules.NewAzurermStorageAccountPublicNetworkAccessEnabled(),
 rules.NewAzurermStorageAccountUnsecureTLS(),
 rules.NewAzurermWindowsFunctionAppFtpsState(),
diff --git a/rules/azurerm_mssql_firewall_rule_all_allowed.go b/rules/azurerm_mssql_firewall_rule_all_allowed.go
index d78a73d..9c22100 100644
--- a/rules/azurerm_mssql_firewall_rule_all_allowed.go
+++ b/rules/azurerm_mssql_firewall_rule_all_allowed.go
@@ -5,8 +5,8 @@ import (
 "github.com/terraform-linters/tflint-plugin-sdk/tflint"
 )
-// AzurermMsSqlFirewallRuleAllAllowed checks if the firewall rule allows all IP addresses
-type AzurermMsSqlFirewallRuleAllAllowed struct {
+// AzurermMsSQLFirewallRuleAllAllowed checks if the firewall rule allows all IP addresses
+type AzurermMsSQLFirewallRuleAllAllowed struct {
 tflint.DefaultRule
 resourceType string
@@ -14,9 +14,9 @@ type AzurermMsSqlFirewallRuleAllAllowed struct {
 endIPAttr string
 }
-// NewAzurermMsSqlFirewallRuleAllAllowed returns a new rule instance
-func NewAzurermMsSqlFirewallRuleAllAllowed() *AzurermMsSqlFirewallRuleAllAllowed {
- return &AzurermMsSqlFirewallRuleAllAllowed{
+// NewAzurermMsSQLFirewallRuleAllAllowed returns a new rule instance
+func NewAzurermMsSQLFirewallRuleAllAllowed() *AzurermMsSQLFirewallRuleAllAllowed {
+ return &AzurermMsSQLFirewallRuleAllAllowed{
 resourceType: "azurerm_mssql_firewall_rule",
 startIPAttr: "start_ip_address",
 endIPAttr: "end_ip_address",
@@ -24,27 +24,27 @@ func NewAzurermMsSqlFirewallRuleAllAllowed() *AzurermMsSqlFirewallRuleAllAllowed
 }
 // Name returns the rule name
-func (r *AzurermMsSqlFirewallRuleAllAllowed) Name() string {
+func (r *AzurermMsSQLFirewallRuleAllAllowed) Name() string {
 return "azurerm_mssql_firewall_rule_all_allowed"
 }
 // Enabled returns whether the rule is enabled by default
-func (r *AzurermMsSqlFirewallRuleAllAllowed) Enabled() bool {
+func (r *AzurermMsSQLFirewallRuleAllAllowed) Enabled() bool {
 return true
 }
 // Severity returns the rule severity
-func (r *AzurermMsSqlFirewallRuleAllAllowed) Severity() tflint.Severity {
+func (r *AzurermMsSQLFirewallRuleAllAllowed) Severity() tflint.Severity {
 return tflint.ERROR
 }
 // Link returns the rule reference link
-func (r *AzurermMsSqlFirewallRuleAllAllowed) Link() string {
+func (r *AzurermMsSQLFirewallRuleAllAllowed) Link() string {
 return ""
 }
 // Check checks if the firewall rule allows all IP addresses
-func (r *AzurermMsSqlFirewall��RuleAllAllowed) Check(runner tflint.Runner) error {
+func (r *AzurermMsSQLFirewallRuleAllAllowed) Check(runner tflint.Runner) error {
 resources, err := runner.GetResourceContent(r.resourceType, &hclext.BodySchema{
 Attributes: []hclext.AttributeSchema{
 {Name: r.startIPAttr},
diff --git a/rules/azurerm_mssql_firewall_rule_all_allowed_test.go b/rules/azurerm_mssql_firewall_rule_all_allowed_test.go
index 94cffd6..0705a37 100644
--- a/rules/azurerm_mssql_firewall_rule_all_allowed_test.go
+++ b/rules/azurerm_mssql_firewall_rule_all_allowed_test.go
@@ -7,7 +7,7 @@ import (
 "github.com/terraform-linters/tflint-plugin-sdk/helper"
 )
-func Test_AzurermMsSqlFirewallRuleAllAllowed(t *testing.T) {
+func Test_AzurermMsSQLFirewallRuleAllAllowed(t *testing.T) {
 tests := []struct {
 Name string
 Content string
@@ -22,7 +22,7 @@ resource "azurerm_mssql_firewall_rule" "example" {
 }`,
 Expected: helper.Issues{
 {
- Rule: NewAzurermMsSqlFirewallRuleAllAllowed(),
+ Rule: NewAzurermMsSQLFirewallRuleAllAllowed(),
 Message: "Firewall rule allows access from all IP addresses (0.0.0.0-255.255.255.255). Consider restricting the IP range for better security.",
 Range: hcl.Range{
 Filename: "resource.tf",
@@ -50,7 +50,7 @@ resource "azurerm_mssql_firewall_rule" "example" {
 },
 }
- rule := NewAzurermMsSqlFirewallRuleAllAllowed()
+ rule := NewAzurermMsSQLFirewallRuleAllAllowed()
 for _, test := range tests {
 t.Run(test.Name, func(t *testing.T) {
diff --git a/rules/azurerm_mssql_server_azuread_authentication_only.go b/rules/azurerm_mssql_server_azuread_authentication_only.go
index 3cd8f73..3483e58 100644
--- a/rules/azurerm_mssql_server_azuread_authentication_only.go
+++ b/rules/azurerm_mssql_server_azuread_authentication_only.go
@@ -8,8 +8,8 @@ import (
 "github.com/terraform-linters/tflint-plugin-sdk/tflint"
 )
-// AzurermMsSqlServerAdAuthOnly checks that azuread_authentication_only is set to true
-type AzurermMsSqlServerAdAuthOnly struct {
+// AzurermMsSQLServerAdAuthOnly checks that azuread_authentication_only is set to true
+type AzurermMsSQLServerAdAuthOnly struct {
 tflint.DefaultRule
 resourceType string
@@ -17,9 +17,9 @@ type AzurermMsSqlServerAdAuthOnly struct {
 expectedValue string
 }
-// NewAzurermMsSqlServerAdAuthOnly returns a new rule instance
-func NewAzurermMsSqlServerAdAuthOnly() *AzurermMsSqlServerAdAuthOnly {
- return &AzurermMsSqlServerAdAuthOnly{
+// NewAzurermMsSQLServerAdAuthOnly returns a new rule instance
+func NewAzurermMsSQLServerAdAuthOnly() *AzurermMsSQLServerAdAuthOnly {
+ return &AzurermMsSQLServerAdAuthOnly{
 resourceType: "azurerm_mssql_server",
 attributePath: []string{"azuread_administrator", "azuread_authentication_only"},
 expectedValue: "true",
@@ -27,27 +27,27 @@ func NewAzurermMsSqlServerAdAuthOnly() *AzurermMsSqlServerAdAuthOnly {
 }
 // Name returns the rule name
-func (r *AzurermMsSqlServerAdAuthOnly) Name() string {
+func (r *AzurermMsSQLServerAdAuthOnly) Name() string {
 return "azurerm_mssql_server_azuread_authentication_only"
 }
 // Enabled returns whether the rule is enabled by default
-func (r *AzurermMsSqlServerAdAuthOnly) Enabled() bool {
+func (r *AzurermMsSQLServerAdAuthOnly) Enabled() bool {
 return true
 }
 // Severity returns the rule severity
-func (r *AzurermMsSqlServerAdAuthOnly) Severity() tflint.Severity {
+func (r *AzurermMsSQLServerAdAuthOnly) Severity() tflint.Severity {
 return tflint.WARNING
 }
 // Link returns the rule reference link
-func (r *AzurermMsSqlServerAdAuthOnly) Link() string {
+func (r *AzurermMsSQLServerAdAuthOnly) Link() string {
 return ""
 }
 // Check verifies that azuread_authentication_only is set to "Disabled"
-func (r *AzurermMsSqlServerAdAuthOnly) Check(runner tflint.Runner) error {
+func (r *AzurermMsSQLServerAdAuthOnly) Check(runner tflint.Runner) error {
 resources, err := runner.GetResourceContent(r.resourceType, &hclext.BodySchema{
 Blocks: []hclext.BlockSchema{
 {
diff --git a/rules/azurerm_mssql_server_azuread_authentication_only_test.go b/rules/azurerm_mssql_server_azuread_authentication_only_test.go
index 81b05c9..545bb25 100644
--- a/rules/azurerm_mssql_server_azuread_authentication_only_test.go
+++ b/rules/azurerm_mssql_server_azuread_authentication_only_test.go
@@ -7,7 +7,7 @@ import (
 "github.com/terraform-linters/tflint-plugin-sdk/helper"
 )
-func Test_AzurermMsSqlServerAdAuthOnly(t *testing.T) {
+func Test_AzurermMsSQLServerAdAuthOnly(t *testing.T) {
 tests := []struct {
 Name string
 Content string
@@ -23,7 +23,7 @@ resource "azurerm_mssql_server" "example" {
 }`,
 Expected: helper.Issues{
 {
- Rule: NewAzurermMsSqlServerAdAuthOnly(),
+ Rule: NewAzurermMsSQLServerAdAuthOnly(),
 Message: "azuread_authentication_only is set to false, should be set to true",
 Range: hcl.Range{
 Filename: "resource.tf",
@@ -58,7 +58,7 @@ resource "azurerm_mssql_server" "example" {
 }`,
 Expected: helper.Issues{
 {
- Rule: NewAzurermMsSqlServerAdAuthOnly(),
+ Rule: NewAzurermMsSQLServerAdAuthOnly(),
 Message: "azuread_authentication_only is missing in azuread_administrator, should be set to true",
 Range: hcl.Range{
 Filename: "resource.tf",
@@ -81,7 +81,7 @@ resource "azurerm_mssql_server" "example" {
 }`,
 Expected: helper.Issues{
 {
- Rule: NewAzurermMsSqlServerAdAuthOnly(),
+ Rule: NewAzurermMsSQLServerAdAuthOnly(),
 Message: "azuread_administrator block is missing, azuread_authentication_only should be set to true",
 Range: hcl.Range{
 Filename: "resource.tf",
@@ -99,7 +99,7 @@ resource "azurerm_mssql_server" "example" {
 },
 }
- rule := NewAzurermMsSqlServerAdAuthOnly()
+ rule := NewAzurermMsSQLServerAdAuthOnly()
 for _, test := range tests {
 t.Run(test.Name, func(t *testing.T) {
diff --git a/rules/azurerm_mssql_server_public_network_access_enabled.go b/rules/azurerm_mssql_server_public_network_access_enabled.go
index dc9512a..307e28a 100644
--- a/rules/azurerm_mssql_server_public_network_access_enabled.go
+++ b/rules/azurerm_mssql_server_public_network_access_enabled.go
@@ -5,44 +5,44 @@ import (
 	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
 )
 
-// AzurermMsSqlServerPublicNetworkAccessEnabled checks that transparent data encryption is enabled
-type AzurermMsSqlServerPublicNetworkAccessEnabled struct {
+// AzurermMsSQLServerPublicNetworkAccessEnabled checks that transparent data encryption is enabled
+type AzurermMsSQLServerPublicNetworkAccessEnabled struct {
 	tflint.DefaultRule
 
 	resourceType string
 	attributeName string
 }
 
-// NewAzurermMsSqlServerPublicNetworkAccessEnabled returns a new rule instance
-func NewAzurermMsSqlServerPublicNetworkAccessEnabled() *AzurermMsSqlServerPublicNetworkAccessEnabled {
-	return &AzurermMsSqlServerPublicNetworkAccessEnabled{
+// NewAzurermMsSQLServerPublicNetworkAccessEnabled returns a new rule instance
+func NewAzurermMsSQLServerPublicNetworkAccessEnabled() *AzurermMsSQLServerPublicNetworkAccessEnabled {
+	return &AzurermMsSQLServerPublicNetworkAccessEnabled{
 		resourceType: "azurerm_mssql_server",
 		attributeName: "public_network_access_enabled",
 	}
 }
 
 // Name returns the rule name
-func (r *AzurermMsSqlServerPublicNetworkAccessEnabled) Name() string {
+func (r *AzurermMsSQLServerPublicNetworkAccessEnabled) Name() string {
 	return "azurerm_mssql_server_public_network_access_enabled"
 }
 
 // Enabled returns whether the rule is enabled by default
-func (r *AzurermMsSqlServerPublicNetworkAccessEnabled) Enabled() bool {
+func (r *AzurermMsSQLServerPublicNetworkAccessEnabled) Enabled() bool {
 	return true
 }
 
 // Severity returns the rule severity
-func (r *AzurermMsSqlServerPublicNetworkAccessEnabled) Severity() tflint.Severity {
+func (r *AzurermMsSQLServerPublicNetworkAccessEnabled) Severity() tflint.Severity {
 	return tflint.NOTICE
 }
 
 // Link returns the rule reference link
-func (r *AzurermMsSqlServerPublicNetworkAccessEnabled) Link() string {
+func (r *AzurermMsSQLServerPublicNetworkAccessEnabled) Link() string {
 	return ""
 }
 
 // Check checks if transparent data encryption is enabled
-func (r *AzurermMsSqlServerPublicNetworkAccessEnabled) Check(runner tflint.Runner) error {
+func (r *AzurermMsSQLServerPublicNetworkAccessEnabled) Check(runner tflint.Runner) error {
 	resources, err := runner.GetResourceContent(r.resourceType, &hclext.BodySchema{
 		Attributes: []hclext.AttributeSchema{
 			{Name: r.attributeName},
diff --git a/rules/azurerm_mssql_server_public_network_access_enabled_test.go b/rules/azurerm_mssql_server_public_network_access_enabled_test.go
index 3d6b621..b480fb4 100644
--- a/rules/azurerm_mssql_server_public_network_access_enabled_test.go
+++ b/rules/azurerm_mssql_server_public_network_access_enabled_test.go
@@ -7,7 +7,7 @@ import (
 	"github.com/terraform-linters/tflint-plugin-sdk/helper"
 )
 
-func Test_AzurermMsSqlServerPublicNetworkAccessEnabled(t *testing.T) {
+func Test_AzurermMsSQLServerPublicNetworkAccessEnabled(t *testing.T) {
 	tests := []struct {
 		Name string
 		Content string
@@ -21,7 +21,7 @@ resource "azurerm_mssql_server" "example" {
 }`,
 			Expected: helper.Issues{
 				{
-					Rule: NewAzurermMsSqlServerPublicNetworkAccessEnabled(),
+					Rule: NewAzurermMsSQLServerPublicNetworkAccessEnabled(),
 					Message: "Consider changing public_network_access_enabled to false",
 					Range: hcl.Range{
 						Filename: "resource.tf",
@@ -38,7 +38,7 @@ resource "azurerm_mssql_server" "example" {
 }`,
 			Expected: helper.Issues{
 				{
-					Rule: NewAzurermMsSqlServerPublicNetworkAccessEnabled(),
+					Rule: NewAzurermMsSQLServerPublicNetworkAccessEnabled(),
 					Message: "public_network_access_enabled is not defined and defaults to true, consider disabling it",
 					Range: hcl.Range{
 						Filename: "resource.tf",
@@ -58,7 +58,7 @@ resource "azurerm_mssql_server" "example" {
 		},
 	}
 
-	rule := NewAzurermMsSqlServerPublicNetworkAccessEnabled()
+	rule := NewAzurermMsSQLServerPublicNetworkAccessEnabled()
 
 	for _, test := range tests {
 		t.Run(test.Name, func(t *testing.T) {
diff --git a/rules/azurerm_mssql_server_tls_version.go b/rules/azurerm_mssql_server_tls_version.go
index 44d7648..e163898 100644
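Review bot: Both doc comments re-added on the new side of this hunk, `AzurermMsSQLServerPublicNetworkAccessEnabled checks that transparent data encryption is enabled` and `Check checks if transparent data encryption is enabled`, describe a different rule; this one reads `public_network_access_enabled` on `azurerm_mssql_server`, and its tests in this diff expect an issue both when the attribute is true and when it is absent (`not defined and defaults to true`). Since the commit rewrites the type comment line anyway, it is the natural place to correct it. Suggest `// AzurermMsSQLServerPublicNetworkAccessEnabled reports azurerm_mssql_server resources whose public_network_access_enabled is true or unset (the provider default)` for the type and `// Check emits an issue when public_network_access_enabled is true or not defined` for the method. The body of Check continues outside the hunk, so the exact handling of the unset case should be confirmed against it.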
--- a/rules/azurerm_mssql_server_tls_version.go
+++ b/rules/azurerm_mssql_server_tls_version.go
@@ -8,8 +8,8 @@ import (
 	// "github.com/terraform-linters/tflint-ruleset-azurerm/project"
 )
 
-// AzurermMsSqlServerUnsecureTLS checks the pattern is valid
-type AzurermMsSqlServerUnsecureTLS struct {
+// AzurermMsSQLServerUnsecureTLS checks the pattern is valid
+type AzurermMsSQLServerUnsecureTLS struct {
 	tflint.DefaultRule
 
 	resourceType string
@@ -17,9 +17,9 @@ type AzurermMsSqlServerUnsecureTLS struct {
 	enum []string
 }
 
-// NewAzurermMsSqlServerUnsecureTLS returns new rule with default attributes
-func NewAzurermMsSqlServerUnsecureTLS() *AzurermMsSqlServerUnsecureTLS {
-	return &AzurermMsSqlServerUnsecureTLS{
+// NewAzurermMsSQLServerUnsecureTLS returns new rule with default attributes
+func NewAzurermMsSQLServerUnsecureTLS() *AzurermMsSQLServerUnsecureTLS {
+	return &AzurermMsSQLServerUnsecureTLS{
 		resourceType: "azurerm_mssql_server",
 		attributeName: "min_tls_version",
 		enum: []string{
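Review bot: The added type comment `AzurermMsSQLServerUnsecureTLS checks the pattern is valid` and the constructor comment `returns new rule with default attributes` in the next hunk say nothing about what the rule enforces, which matters for a security rule that users enable or suppress by name. From the constructor the rule targets `min_tls_version` on `azurerm_mssql_server` and carries an `enum` list, and the test in this diff reports `"TLS1_0" is an insecure value as min_tls_version`, so the list presumably holds the TLS versions treated as insecure (its contents are cut off at the end of the hunk). Suggest `// AzurermMsSQLServerUnsecureTLS reports azurerm_mssql_server resources whose min_tls_version is one of the versions listed in enum, which are treated as insecure` and `// NewAzurermMsSQLServerUnsecureTLS returns the rule with its resource type, attribute name and the list of TLS versions it rejects`.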
@@ -30,27 +30,27 @@ func NewAzurermMsSqlServerUnsecureTLS() *AzurermMsSqlServerUnsecureTLS {
 }
 
 // Name returns the rule name
-func (r *AzurermMsSqlServerUnsecureTLS) Name() string {
+func (r *AzurermMsSQLServerUnsecureTLS) Name() string {
 	return "azurerm_mssql_server_unsecure_tls"
 }
 
 // Enabled returns whether the rule is enabled by default
-func (r *AzurermMsSqlServerUnsecureTLS) Enabled() bool {
+func (r *AzurermMsSQLServerUnsecureTLS) Enabled() bool {
 	return true
 }
 
 // Severity returns the rule severity
-func (r *AzurermMsSqlServerUnsecureTLS) Severity() tflint.Severity {
+func (r *AzurermMsSQLServerUnsecureTLS) Severity() tflint.Severity {
 	return tflint.WARNING
 }
 
 // Link returns the rule reference link
-func (r *AzurermMsSqlServerUnsecureTLS) Link() string {
+func (r *AzurermMsSQLServerUnsecureTLS) Link() string {
 	return ""
 }
 
 // Check checks the pattern is valid
-func (r *AzurermMsSqlServerUnsecureTLS) Check(runner tflint.Runner) error {
+func (r *AzurermMsSQLServerUnsecureTLS) Check(runner tflint.Runner) error {
 	resources, err := runner.GetResourceContent(r.resourceType, &hclext.BodySchema{
 		Attributes: []hclext.AttributeSchema{
 			{Name: r.attributeName},
diff --git a/rules/azurerm_mssql_server_tls_version_test.go b/rules/azurerm_mssql_server_tls_version_test.go
index 315f47b..123dd5c 100644
--- a/rules/azurerm_mssql_server_tls_version_test.go
+++ b/rules/azurerm_mssql_server_tls_version_test.go
@@ -7,7 +7,7 @@ import (
 	"github.com/terraform-linters/tflint-plugin-sdk/helper"
 )
 
-func Test_AzurermMsSqlServerUnsecureTLS(t *testing.T) {
+func Test_AzurermMsSQLServerUnsecureTLS(t *testing.T) {
 	tests := []struct {
 		Name string
 		Content string
@@ -21,7 +21,7 @@ resource "azurerm_mssql_server" "example" {
 }`,
 			Expected: helper.Issues{
 				{
-					Rule: NewAzurermMsSqlServerUnsecureTLS(),
+					Rule: NewAzurermMsSQLServerUnsecureTLS(),
 					Message: `"TLS1_0" is an insecure value as min_tls_version`,
 					Range: hcl.Range{
 						Filename: "resource.tf",
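Review bot: Name() returns `azurerm_mssql_server_unsecure_tls`, which matches neither the file name `azurerm_mssql_server_tls_version.go` nor the convention the other rules in this diff follow, where Name() mirrors the file name (`azurerm_mssql_server_public_network_access_enabled`, `azurerm_mssql_server_azuread_authentication_only`). Since this commit already renames identifiers in this file, aligning the rule name with the file name would make the rule easier to find and to reference in a tflint config, where this string is what users put in a `rule` block to enable or disable it. The comment `Check checks the pattern is valid` also does not say what is checked; `// Check emits an issue for each azurerm_mssql_server whose min_tls_version is in the insecure list` would. Check's body continues past this hunk.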
@@ -41,7 +41,7 @@ resource "azurerm_mssql_server" "example" {
 		},
 	}
 
-	rule := NewAzurermMsSqlServerUnsecureTLS()
+	rule := NewAzurermMsSQLServerUnsecureTLS()
 
 	for _, test := range tests {
 		t.Run(test.Name, func(t *testing.T) {