
CKV_AZURE_35 - false positive for storage account if network rules are controlled by separate resource

Open · t3mi opened this issue 3 years ago · 1 comment

Describe the issue

CKV_AZURE_35 flags a false positive for azurerm_storage_account instead of ignoring this check for it if the separate resource azurerm_storage_account_network_rules is used to control network rules.

Examples

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_virtual_network" "example" {
  name                = "example-vnet"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_subnet" "example" {
  name                 = "example-subnet"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.2.0/24"]
  service_endpoints    = ["Microsoft.Storage"]
}

# The storage account itself carries no inline network_rules block;
# network access is configured by the separate resource below.
resource "azurerm_storage_account" "example" {
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
  min_tls_version          = "TLS1_2"

  tags = {
    environment = "staging"
  }
}

# Standalone network rules for the storage account: default deny, with an
# explicit IP allow list, a service-endpoint subnet and a bypass for Azure services.
resource "azurerm_storage_account_network_rules" "example" {
  storage_account_id = azurerm_storage_account.example.id

  default_action             = "Deny"
  ip_rules                   = ["1.1.1.0/8"]
  virtual_network_subnet_ids = [azurerm_subnet.example.id]
  bypass                     = ["AzureServices"]
}

Version (please complete the following information):

  • 2.1.207

References

  • #475

t3mi · Sep 15 '22 08:09

A new resource, azurerm_storage_account_network_rules, exists that can manage network rules; we need to check for the existence of the new resource as well as the existing rule. This needs to become a graph check.

JamesWoolfenden · Dec 14 '22 16:12
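A custom Checkov graph policy in YAML that expresses the logic suggested above (pass if the storage account sets default_action = Deny inline, or if a connected azurerm_storage_account_network_rules resource does), added here as an example rather than code from the issue or from the Checkov project; the policy id, its name, and the `network_rules.default_action` attribute path are assumptions.

```yaml
# Assumed custom policy file, e.g. custom_policies/storage_default_deny.yaml,
# loaded with: checkov -d . --external-checks-dir custom_policies
metadata:
  id: "CKV2_CUSTOM_STORAGE_DENY"   # placeholder id, not a Checkov built-in
  name: "Ensure storage account default network access is Deny (inline or via azurerm_storage_account_network_rules)"
  category: "NETWORKING"
definition:
  or:
    # Case 1: the deny rule is declared inline on the storage account
    # (what CKV_AZURE_35 checks today).
    - cond_type: "attribute"
      resource_types:
        - "azurerm_storage_account"
      attribute: "network_rules.default_action"
      operator: "equals"
      value: "Deny"
    # Case 2: the storage account is connected (via storage_account_id)
    # to a separate network-rules resource whose default_action is Deny.
    - and:
        - cond_type: "connection"
          resource_types:
            - "azurerm_storage_account"
          connected_resource_types:
            - "azurerm_storage_account_network_rules"
          operator: "exists"
        - cond_type: "attribute"
          resource_types:
            - "azurerm_storage_account_network_rules"
          attribute: "default_action"
          operator: "equals"
          value: "Deny"
```

Against the example above, case 2 matches: the network-rules resource references the storage account id and sets default_action to "Deny", so the account is no longer reported only because its inline block is absent.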

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!

stale[bot] · Jun 13 '23 02:06

Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: https://slack.bridgecrew.io Thanks!

stale[bot] · Jun 28 '23 06:06