AC_AZURE_0356 (subnets must have NSGs assigned) being triggered when using complex input types
adhodgson1 opened this issue · comments
Andrew Hodgson commented
- terrascan version: 1.18.0
- Operating System: Windows 11
Description
I have a complex vnet module which can create multiple subnets and NSGs and this module is triggering the accurics.azure.NS.161 policy violation. I also have noted similar behaviour to that found in #1453 whereby the inbound SSH any rule isn't being caught, however in my case its because the rule is defined in a complex input type. I don't know if I am asking too much here or whether anything can be done about it. Here is some example code to reproduce the issue:
locals {
nsg_rule_list = flatten([
for nsg_name, nsg in local.network_security_groups : [
for rule_name, rule in lookup(nsg, "rules", {}) : merge(rule, {
nsg_name = nsg_name
name = rule_name
})
]
])
subnets = {
subnet1 = {
address_prefixes = ["172.16.1.0/25"]
network_security_group_id = "subnet1-nsg"
}
}
network_security_groups = {
subnet1-nsg = {
rules = {
"inbound ssh" = {
description = "Allow inbound SSH traffic"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "22"
source_address_prefix = "*"
destination_address_prefix = "*"
}
}
}
}
}
resource "azurerm_resource_group" "rg" {
name = "test-rg"
location = "uksouth"
}
resource "azurerm_virtual_network" "vnet" {
name = "test-vnet"
address_space = ["172.16.1.0/24"]
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
}
resource "azurerm_subnet" "subnet" {
for_each = { for subnet_name, subnet in local.subnets : subnet_name => subnet }
name = each.key
resource_group_name = azurerm_resource_group.rg.name
virtual_network_name = azurerm_virtual_network.vnet.name
address_prefixes = each.value.address_prefixes
}
resource "azurerm_network_security_group" "nsg" {
for_each = local.network_security_groups
name = each.key
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
}
resource "azurerm_network_security_rule" "nsg_rule" {
for_each = { for nsg in local.nsg_rule_list : "${nsg.nsg_name}_${nsg.name}" => nsg }
name = each.value.name
description = lookup(each.value, "description", null)
resource_group_name = azurerm_resource_group.rg.name
network_security_group_name = azurerm_network_security_group.nsg[each.value.nsg_name].name
priority = each.value.priority
direction = each.value.direction
access = each.value.access
protocol = each.value.protocol
source_port_range = lookup(each.value, "source_port_range", null)
source_port_ranges = lookup(each.value, "source_port_ranges", null)
destination_port_range = lookup(each.value, "destination_port_range", null)
destination_port_ranges = lookup(each.value, "destination_port_ranges", null)
source_address_prefix = lookup(each.value, "source_address_prefix", null)
source_address_prefixes = lookup(each.value, "source_address_prefixes", null)
destination_address_prefix = lookup(each.value, "destination_address_prefix", null)
destination_address_prefixes = lookup(each.value, "destination_address_prefixes", null)
}
resource "azurerm_subnet_network_security_group_association" "nsg_association" {
for_each = { for subnet_name, subnet in local.subnets : subnet_name => subnet if lookup(subnet, "network_security_group", "") != "" }
subnet_id = azurerm_subnet.subnet[each.key].id
network_security_group_id = azurerm_network_security_group.nsg[each.value.network_security_group].id
}
What I Did
terrascan scan
Violation Details -
Description : Ensure that Azure Virtual Network subnet is configured with a Network Security Group
File : main.tf
Module Name : root
Plan Root : .\
Line : 47
Severity : MEDIUM
-----------------------------------------------------------------------
Description : Ensure that Azure Resource Group has resource lock enabled
File : main.tf
Module Name : root
Plan Root : .\
Line : 35
Severity : LOW
-----------------------------------------------------------------------
Scan Summary -
File/Folder : C:\work\network-test
IaC Type : terraform
Scanned At : 2023-02-24 12:30:17.2441648 +0000 UTC
Policies Validated : 131
Violated Policies : 2
Low : 1
Medium : 1
High : 0