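package database

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckNoPublicAccess flags Azure database servers (MariaDB, MSSQL, MySQL and
// PostgreSQL) whose public network access is enabled. Servers whose metadata
// reports them as unmanaged are skipped; every other server either fails with
// a result anchored on its EnablePublicNetworkAccess attribute or is recorded
// as passed.
var CheckNoPublicAccess = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AZU-0022",
		Provider:    providers.AzureProvider,
		Service:     "database",
		ShortCode:   "no-public-access",
		Summary:     "Ensure databases are not publicly accessible",
		Impact:      "Publicly accessible database could lead to compromised data",
		Resolution:  "Disable public access to database when not required",
		Explanation: `Database resources should not be publicly available. You should limit all access to the minimum that is required for your application to function.`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicAccessGoodExamples,
			BadExamples:         terraformNoPublicAccessBadExamples,
			Links:               terraformNoPublicAccessLinks,
			RemediationMarkdown: terraformNoPublicAccessRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results scan.Results) {
		// Each server kind exposes the same Metadata and
		// EnablePublicNetworkAccess attributes, so the per-server logic
		// lives once in checkNoPublicAccessServer and the loops only
		// differ in the collection they walk.
		for _, server := range s.Azure.Database.MariaDBServers {
			checkNoPublicAccessServer(&results, server.Metadata, server.EnablePublicNetworkAccess, &server)
		}
		for _, server := range s.Azure.Database.MSSQLServers {
			checkNoPublicAccessServer(&results, server.Metadata, server.EnablePublicNetworkAccess, &server)
		}
		for _, server := range s.Azure.Database.MySQLServers {
			checkNoPublicAccessServer(&results, server.Metadata, server.EnablePublicNetworkAccess, &server)
		}
		for _, server := range s.Azure.Database.PostgreSQLServers {
			checkNoPublicAccessServer(&results, server.Metadata, server.EnablePublicNetworkAccess, &server)
		}
		return results
	},
)

// checkNoPublicAccessServer records the outcome for a single database server:
// an unmanaged server is ignored, a server with public network access enabled
// fails with the result pointing at the offending attribute, and any other
// server passes.
//
// The parameters are the narrow interfaces this helper actually needs, so it
// works for every concrete server type without naming them; the values keep
// their dynamic types when handed to results, so the recorded source is the
// same as before the extraction.
func checkNoPublicAccessServer(
	results *scan.Results,
	metadata interface{ IsUnmanaged() bool },
	publicAccess interface{ IsTrue() bool },
	server any,
) {
	if metadata.IsUnmanaged() {
		return
	}
	if publicAccess.IsTrue() {
		results.Add(
			"Database server has public network access enabled.",
			publicAccess,
		)
		return
	}
	results.AddPassed(server)
}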