15 changes: 5 additions & 10 deletions terraform/azure/aks.tf
@@ -1,4 +1,4 @@
resource azurerm_kubernetes_cluster "k8s_cluster" {

Check warning on line 1 in terraform/azure/aks.tf


GitHub Actions / Run KICS scan

[MEDIUM] AKS Private Cluster Disabled

Azure Kubernetes Service (AKS) API should not be exposed to the internet
dns_prefix = "terragoat-${var.environment}"
location = var.location
name = "terragoat-aks-${var.environment}"
Expand All @@ -11,15 +11,10 @@
vm_size = "Standard_D2_v2"
node_count = 2
}
addon_profile {
oms_agent {
enabled = false
}
kube_dashboard {
enabled = true
}
}
role_based_access_control {
enabled = false

# Enable Azure RBAC for Kubernetes authorization
azure_active_directory_role_based_access_control {
managed = true
azure_rbac_enabled = true
}
}
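Review bot: The KICS warning on line 1 (AKS Private Cluster Disabled) is still open on the new side: the cluster gains Azure RBAC but no `private_cluster_enabled = true`, so the API server remains internet-reachable. With Azure RBAC on it is also conventional to add `local_account_disabled = true` next to the new `azure_active_directory_role_based_access_control` block, so the static cluster-admin credential cannot bypass Entra ID. As far as I recall `managed = true` is accepted by azurerm 3.x but was dropped from the 4.x schema, so confirm the pinned provider version (the provider block is not in this diff). The `azurerm_kubernetes_cluster` body spans both hunks and its remaining arguments are outside what is shown.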
32 changes: 16 additions & 16 deletions terraform/azure/networking.tf
Expand Up @@ -42,26 +42,26 @@
resource_group_name = azurerm_resource_group.example.name

security_rule {
access = "Allow"
direction = "Inbound"
name = "AllowSSH"
priority = 200
protocol = "TCP"
source_address_prefix = "*"
source_port_range = "*"
destination_port_range = "22-22"
access = "Allow"
direction = "Inbound"
name = "AllowSSH"
priority = 200
protocol = "TCP"
source_address_prefix = var.admin_ip_range
source_port_range = "*"
destination_port_range = "22"

Check warning

Code scanning / KICS

SSH Is Exposed To The Internet Warning

'destination_port_range' might be 22
destination_address_prefix = "*"
}

security_rule {
access = "Allow"
direction = "Inbound"
name = "AllowRDP"
priority = 300
protocol = "TCP"
source_address_prefix = "*"
source_port_range = "*"
destination_port_range = "3389-3389"
access = "Allow"
direction = "Inbound"
name = "AllowRDP"
priority = 300
protocol = "TCP"
source_address_prefix = var.admin_ip_range
source_port_range = "*"
destination_port_range = "3389"

Check warning on line 64 in terraform/azure/networking.tf


GitHub Actions / Run KICS scan

[HIGH] RDP Is Exposed To The Internet

Port 3389 (Remote Desktop) is exposed to the internet

Check failure

Code scanning / KICS

RDP Is Exposed To The Internet Error

'destination_port_range' might be 3389
destination_address_prefix = "*"
}
}
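Review bot: Both rules still match every destination (`destination_address_prefix = "*"`) and their source is only as tight as `var.admin_ip_range`, which this PR defaults to `0.0.0.0/0` in variables.tf, so with no override the SSH and RDP rules are unchanged from an internet-wide allow and the KICS findings on these lines remain valid. Scope the destination as well, e.g. `destination_address_prefix = <admin subnet address prefix>` if such a subnet is declared elsewhere, and use `source_address_prefixes` (a list) if more than one admin range is needed. A comment on each rule such as `# Source is restricted only if admin_ip_range is overridden; never leave it at 0.0.0.0/0` would record the dependency. The enclosing `azurerm_network_security_group` resource starts above the hunk.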
20 changes: 20 additions & 0 deletions terraform/azure/random.tf
@@ -1,4 +1,24 @@
resource "random_integer" "rnd_int" {
min = 1
max = 10000
}

resource "random_password" "sql_admin_password" {
length = 24
special = true
override_special = "!#$%&*()-_=+[]{}<>:?"
min_lower = 1
min_numeric = 1
min_upper = 1
min_special = 1
}

resource "random_password" "postgresql_admin_password" {
length = 24
special = true
override_special = "!#$%&*()-_=+[]{}<>:?"
min_lower = 1
min_numeric = 1
min_upper = 1
min_special = 1
}
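Review bot: Both `random_password` results are persisted in plaintext in Terraform state (and appear in plan output), so the state backend's access control and encryption are now the secret store for the SQL and PostgreSQL admin passwords; a comment on each resource, e.g. `# Result lives in state in cleartext: restrict and encrypt the backend`, makes that explicit. Neither resource declares `keepers`, so these passwords never rotate unless the resource is tainted or replaced; add a `keepers` map keyed on a rotation trigger if rotation is expected. Also consider whether `$`, `%`, `&` and `?` in `override_special` will need escaping wherever the value is interpolated into a connection string.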
6 changes: 5 additions & 1 deletion terraform/azure/roles.tf
Expand Up @@ -6,7 +6,11 @@ resource "azurerm_role_definition" "example" {
description = "This is a custom role created via Terraform"

permissions {
actions = ["*"]
actions = [
"Microsoft.Compute/*/read",
"Microsoft.Storage/*/read",
"Microsoft.Network/*/read"
]
not_actions = []
}
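Review bot: The three wildcard reads are a clear improvement over `*`, but nothing records the intent; a comment like `# Read-only inventory over compute/storage/network; never widen back to "*"` above `actions` would stop the next change from reverting it. Note that `Microsoft.Storage/*/read` grants control-plane reads only (account properties, not blob or queue contents, which would need `data_actions`), so if the role is meant to read data it still will not. The resource header and any `assignable_scopes` sit outside the hunk, so confirm the scope is the resource group rather than the whole subscription.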

11 changes: 4 additions & 7 deletions terraform/azure/sql.tf
Expand Up @@ -6,13 +6,13 @@
end_ip_address = "10.0.17.62"
}

resource "azurerm_sql_server" "example" {

Check warning on line 9 in terraform/azure/sql.tf


GitHub Actions / Run KICS scan

[MEDIUM] AD Admin Not Configured For SQL Server

The Active Directory Administrator is not configured for a SQL server
name = "terragoat-sqlserver-${var.environment}${random_integer.rnd_int.result}"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
version = "12.0"
administrator_login = "ariel"
administrator_login_password = "Aa12345678"
administrator_login_password = random_password.sql_admin_password.result
tags = {
environment = var.environment
terragoat = "true"
Expand All @@ -25,11 +25,8 @@
state = "Enabled"
storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint
storage_account_access_key = azurerm_storage_account.example.primary_access_key
disabled_alerts = [
"Sql_Injection",
"Data_Exfiltration"
]
retention_days = 20
disabled_alerts = []
retention_days = 20
}

resource "azurerm_mysql_server" "example" {
Expand All @@ -47,7 +44,7 @@
auto_grow_enabled = true
backup_retention_days = 7
infrastructure_encryption_enabled = true
public_network_access_enabled = true

Check warning on line 47 in terraform/azure/sql.tf


GitHub Actions / Run KICS scan

[HIGH] MySQL Server Public Access Enabled

MySQL Server public access should be disabled
ssl_enforcement_enabled = false
}

Expand All @@ -61,7 +58,7 @@
geo_redundant_backup_enabled = false
auto_grow_enabled = true
administrator_login = "terragoat"
administrator_login_password = "Aa12345678"
administrator_login_password = random_password.postgresql_admin_password.result
version = "9.5"
ssl_enforcement_enabled = false
}
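Review bot: On the new side the MySQL server still has `public_network_access_enabled = true` and `ssl_enforcement_enabled = false` (the KICS HIGH on line 47), and the PostgreSQL server keeps `ssl_enforcement_enabled = false`, so the freshly generated credentials are sent in cleartext to an internet-reachable endpoint. Change those to `public_network_access_enabled = false` and `ssl_enforcement_enabled = true`, and add `ssl_minimal_tls_version_enforced = "TLS1_2"` on both, otherwise the password change buys little. The `azurerm_sql_server` warning (no Active Directory administrator) is also unaddressed, and `administrator_login = "ariel"` remains a guessable hard-coded login. The MySQL and PostgreSQL resource bodies extend beyond the hunks shown.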
18 changes: 10 additions & 8 deletions terraform/azure/storage.tf
Expand Up @@ -5,17 +5,19 @@
storage_account_type = "Standard_LRS"
create_option = "Empty"
disk_size_gb = 1
encryption_settings {
enabled = false
}

# Enable encryption at host for data at rest
encryption_at_host_enabled = true
}

resource "azurerm_storage_account" "example" {

Check warning on line 13 in terraform/azure/storage.tf


GitHub Actions / Run KICS scan

[HIGH] Default Azure Storage Account Network Access Is Too Permissive

Default Azure Storage Account network access should be set to Deny
name = "tgsa${var.environment}${random_integer.rnd_int.result}"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
account_tier = "Standard"
account_replication_type = "GRS"
name = "tgsa${var.environment}${random_integer.rnd_int.result}"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
account_tier = "Standard"
account_replication_type = "GRS"
https_traffic_only_enabled = true
min_tls_version = "TLS1_2"
queue_properties {
logging {
delete = false
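Review bot: `encryption_at_host_enabled` is an argument of the azurerm virtual-machine resources, not of the managed-disk resource this block appears to be (`storage_account_type`, `create_option` and `disk_size_gb` are `azurerm_managed_disk` arguments; the header is above the hunk), so `terraform validate` will most likely reject it as an unexpected argument. Managed disks are always server-side encrypted with platform keys, so removing the old `encryption_settings { enabled = false }` is enough on its own; if customer-managed keys are the goal, the correct argument is `disk_encryption_set_id`. On the storage account, `https_traffic_only_enabled` is the azurerm 4.x name (3.x uses `enable_https_traffic_only`), so confirm the pinned provider, and the KICS HIGH on default network access still stands because no `network_rules { default_action = "Deny" }` block was added.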
6 changes: 6 additions & 0 deletions terraform/azure/variables.tf
Expand Up @@ -12,4 +12,10 @@ variable "location" {
variable "environment" {
default = "dev"
description = "Must be all lowercase letters or numbers"
}

variable "admin_ip_range" {
type = string
description = "IP address range allowed for administrative access (SSH/RDP)"
default = "0.0.0.0/0" # Replace with your actual IP range in production
}
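Review bot: The `default = "0.0.0.0/0"` on `admin_ip_range` silently undoes the NSG change in networking.tf: anyone who applies without overriding the variable gets the same internet-wide SSH/RDP allow as before, and a comment saying to replace it in production is not a control. Drop the default so the value must be supplied, and add a `validation` block that rejects the all-networks values so a careless override cannot reintroduce the exposure.

```hcl
variable "admin_ip_range" {
  type        = string
  description = "Single IP or CIDR allowed to reach SSH/RDP; no default so it must be set explicitly"

  validation {
    condition     = !contains(["*", "0.0.0.0/0", "::/0", "Internet"], var.admin_ip_range)
    error_message = "admin_ip_range must be a specific address or CIDR, not the whole internet."
  }
}
```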