META-INF.rewrite.azure.yml Maven / Gradle / Ivy

Go to download

Show more of this group Show more artifacts with this name
Show all versions of rewrite-terraform Show documentation

Refactor Terraform. Automatically.

There is a newer version: 2.7.0

# # Copyright 2021 the original author or authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # https://www.apache.org/licenses/LICENSE-2.0 #

# Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.AzureBestPractices displayName: Best practices for Azure description: Securely operate on Microsoft Azure. tags: - terraform - Azure recipeList: - org.openrewrite.terraform.azure.EncryptAzureVMDataDiskWithADECMK - org.openrewrite.terraform.azure.EnableAzureStorageSecureTransferRequired - org.openrewrite.terraform.azure.DisableKubernetesDashboard - org.openrewrite.terraform.azure.EnsureTheStorageContainerStoringActivityLogsIsNotPubliclyAccessible - org.openrewrite.terraform.azure.EnsureAzureNetworkWatcherNSGFlowLogsRetentionIsGreaterThan90Days - org.openrewrite.terraform.azure.EnsureAzureAppServiceWebAppRedirectsHTTPToHTTPS - org.openrewrite.terraform.azure.EnsureWebAppUsesTheLatestVersionOfTLSEncryption # - org.openrewrite.terraform.azure.EnsureWebAppHasIncomingClientCertificatesEnabled # leaving out of default pool, unsure, todo - org.openrewrite.terraform.azure.EnsureWebAppUsesTheLatestVersionOfHTTP - org.openrewrite.terraform.azure.EnsureStandardPricingTierIsSelected - org.openrewrite.terraform.azure.EnsureASecurityContactPhoneNumberIsPresent - org.openrewrite.terraform.azure.EnsureSendEmailNotificationForHighSeverityAlertsIsEnabled - org.openrewrite.terraform.azure.EnsureSendEmailNotificationForHighSeverityAlertsToAdminsIsEnabled - org.openrewrite.terraform.azure.EnsureAzureSQLServerAuditLogRetentionIsGreaterThan90Days - org.openrewrite.terraform.azure.EnsureAzureSQLServerThreatDetectionAlertsAreEnabledForAllThreatTypes - org.openrewrite.terraform.azure.EnsureAzureSQLServerSendAlertsToFieldValueIsSet - org.openrewrite.terraform.azure.EnsureMSSQLServersHaveEmailServiceAndCoAdministratorsEnabled - org.openrewrite.terraform.azure.EnsureMySQLServerDatabasesHaveEnforceSSLConnectionEnabled - org.openrewrite.terraform.azure.EnsureAzurePostgreSQLDatabaseServerWithSSLConnectionIsEnabled - org.openrewrite.terraform.azure.SetAzureStorageAccountDefaultNetworkAccessToDeny - org.openrewrite.terraform.azure.EnableAzureStorageAccountTrustedMicrosoftServicesAccess - org.openrewrite.terraform.azure.EnsureActivityLogRetentionIsSetTo365DaysOrGreater - org.openrewrite.terraform.azure.EnsureLogProfileIsConfiguredToCaptureAllActivities - org.openrewrite.terraform.azure.EnsureAllKeysHaveAnExpirationDate - org.openrewrite.terraform.azure.EnsureAKVSecretsHaveAnExpirationDateSet - org.openrewrite.terraform.azure.EnsureAzureKeyVaultIsRecoverable - org.openrewrite.terraform.azure.EnsureStorageAccountUsesLatestTLSVersion - org.openrewrite.terraform.azure.EnsurePublicNetworkAccessEnabledIsSetToFalseForMySQLServers - org.openrewrite.terraform.azure.EnsureMySQLIsUsingTheLatestVersionOfTLSEncryption - org.openrewrite.terraform.azure.EnsureAppServiceEnablesHTTPLogging - org.openrewrite.terraform.azure.EnsureAppServiceEnablesDetailedErrorMessages - org.openrewrite.terraform.azure.EnsureAppServiceEnablesFailedRequestTracing - org.openrewrite.terraform.azure.EnsurePostgreSQLServerDisablesPublicNetworkAccess - org.openrewrite.terraform.azure.EnsureManagedIdentityProviderIsEnabledForAppServices - org.openrewrite.terraform.azure.EnsureFTPDeploymentsAreDisabled # - org.openrewrite.terraform.azure.EnsureAppServicesUseAzureFiles # leaving out of default pool, unsure, todo - org.openrewrite.terraform.azure.EnsureMySQLServerDisablesPublicNetworkAccess - org.openrewrite.terraform.azure.EnsureMySQLServerEnablesGeoRedundantBackups - org.openrewrite.terraform.azure.EnableGeoRedundantBackupsOnPostgreSQLServer - org.openrewrite.terraform.azure.EnsureKeyVaultAllowsFirewallRulesSettings - org.openrewrite.terraform.azure.EnsureKeyVaultEnablesPurgeProtection # - org.openrewrite.terraform.azure.EnsureKeyVaultKeyIsBackedByHSM # leaving out of default pool, unsure, todo - org.openrewrite.terraform.azure.EnsureKeyVaultSecretsHaveContentTypeSet - org.openrewrite.terraform.azure.EnsureAKSPoliciesAddOn - org.openrewrite.terraform.azure.EnsureAzureApplicationGatewayHasWAFEnabled - org.openrewrite.terraform.azure.EnsureMySQLServerEnablesThreatDetectionPolicy - org.openrewrite.terraform.azure.EnsurePostgreSQLServerEnablesThreatDetectionPolicy - org.openrewrite.terraform.azure.EnsurePostgreSQLServerEnablesInfrastructureEncryption --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EncryptAzureVMDataDiskWithADECMK displayName: Encrypt Azure VM data disk with ADE/CMK description: Ensure Azure VM data disk is encrypted with ADE/CMK. tags: - terraform - Azure - CKV_AZURE_2 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_managed_disk content: |- encryption_settings { enabled = true } --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnableAzureStorageSecureTransferRequired displayName: Enable Azure Storage secure transfer required description: Microsoft recommends requiring secure transfer for all storage accounts. tags: - terraform - Azure - CKV_AZURE_3 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_storage_account content: enable_https_traffic_only = true --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.DisableKubernetesDashboard displayName: Disable Kubernetes dashboard description: Disabling the dashboard eliminates it as an attack vector. The dashboard add-on is disabled by default for all new clusters created on Kubernetes 1.18 or greater. tags: - terraform - Azure - CKV_AZURE_8 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_kubernetes_cluster content: |- addon_profile { kube_dashboard { enabled = false } } --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureTheStorageContainerStoringActivityLogsIsNotPubliclyAccessible displayName: Ensure the storage container storing activity logs is not publicly accessible description: Ensure the storage container storing activity logs is not publicly accessible. tags: - terraform - Azure - CKV2_AZURE_8 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_storage_container content: container_access_type = "private" --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureAzureNetworkWatcherNSGFlowLogsRetentionIsGreaterThan90Days displayName: Ensure Azure Network Watcher NSG flow logs retention is greater than 90 days description: Ensure Azure Network Watcher NSG flow logs retention is greater than 90 days. tags: - terraform - Azure - CKV_AZURE_12 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_network_watcher_flow_log content: days = 90 --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureAzureAppServiceWebAppRedirectsHTTPToHTTPS displayName: Ensure Azure App Service Web app redirects HTTP to HTTPS description: Ensure Azure App Service Web app redirects HTTP to HTTPS. tags: - terraform - Azure - CKV_AZURE_14 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_app_service content: https_only = true --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureWebAppUsesTheLatestVersionOfTLSEncryption displayName: Ensure Web App uses the latest version of TLS encryption description: Ensure Web App uses the latest version of TLS encryption. tags: - terraform - Azure - CKV_AZURE_15 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_app_service content: |- site_config { min_tls_version = "1.2" } --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureWebAppHasIncomingClientCertificatesEnabled displayName: Ensure Web App has incoming client certificates enabled description: Ensure Web App has incoming client certificates enabled. tags: - terraform - Azure - CKV_AZURE_17 # questionable if this should be on by default, todo recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_app_service content: client_cert_enabled = true --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureWebAppUsesTheLatestVersionOfHTTP displayName: Ensure Web App uses the latest version of HTTP description: Ensure Web App uses the latest version of HTTP. tags: - terraform - Azure - CKV_AZURE_18 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_app_service content: |- site_config { http2_enabled = true } --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureStandardPricingTierIsSelected displayName: Ensure standard pricing tier is selected description: Ensure standard pricing tier is selected. tags: - terraform - Azure - CKV_AZURE_19 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_security_center_subscription_pricing content: tier = "Standard" --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureASecurityContactPhoneNumberIsPresent displayName: Ensure a security contact phone number is present description: Ensure a security contact phone number is present. tags: - terraform - Azure - CKV_AZURE_20 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_security_center_contact content: phone = "+1-555-555-5555" --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureSendEmailNotificationForHighSeverityAlertsIsEnabled displayName: Ensure Send email notification for high severity alerts is enabled description: Ensure Send email notification for high severity alerts is enabled. tags: - terraform - Azure - CKV_AZURE_21 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_security_center_contact content: alert_notifications = true --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureSendEmailNotificationForHighSeverityAlertsToAdminsIsEnabled displayName: Ensure Send email notification for high severity alerts to admins is enabled description: Ensure Send email notification for high severity alerts to admins is enabled. tags: - terraform - Azure - CKV_AZURE_22 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_security_center_contact content: alerts_to_admins = true --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureAzureSQLServerAuditLogRetentionIsGreaterThan90Days displayName: Ensure Azure SQL server audit log retention is greater than 90 days description: Ensure Azure SQL server audit log retention is greater than 90 days. tags: - terraform - Azure - CKV_AZURE_24 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_sql_server content: |- extended_auditing_policy { retention_in_days = 90 } - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_mssql_server content: |- extended_auditing_policy { retention_in_days = 90 } --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureAzureSQLServerThreatDetectionAlertsAreEnabledForAllThreatTypes displayName: Ensure Azure SQL Server threat detection alerts are enabled for all threat types description: Ensure Azure SQL Server threat detection alerts are enabled for all threat types. tags: - terraform - Azure - CKV_AZURE_25 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_mssql_server_security_alert_policy content: disabled_alerts = [] --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureAzureSQLServerSendAlertsToFieldValueIsSet displayName: Ensure Azure SQL server send alerts to field value is set description: Ensure Azure SQL server send alerts to field value is set. tags: - terraform - Azure - CKV_AZURE_26 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_mssql_server_security_alert_policy content: email_addresses = ["[email protected]"] --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureMSSQLServersHaveEmailServiceAndCoAdministratorsEnabled displayName: Ensure MSSQL servers have email service and co-administrators enabled description: Ensure MSSQL servers have email service and co-administrators enabled. tags: - terraform - Azure - CKV_AZURE_27 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_mssql_server_security_alert_policy content: email_account_admins = true --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureMySQLServerDatabasesHaveEnforceSSLConnectionEnabled displayName: Ensure MySQL server databases have Enforce SSL connection enabled description: Ensure MySQL server databases have Enforce SSL connection enabled. tags: - terraform - Azure - CKV_AZURE_28 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_mysql_server content: ssl_enforcement_enabled = true --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureAzurePostgreSQLDatabaseServerWithSSLConnectionIsEnabled displayName: Ensure Azure PostgreSQL database server with SSL connection is enabled description: Ensure Azure PostgreSQL database server with SSL connection is enabled. tags: - terraform - Azure - CKV_AZURE_29 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_postgresql_server content: ssl_enforcement_enabled = true --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.SetAzureStorageAccountDefaultNetworkAccessToDeny displayName: Set Azure Storage Account default network access to deny description: Ensure Azure Storage Account default network access is set to Deny. tags: - terraform - Azure - CKV_AZURE_35 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_storage_account_network_rules content: default_action = "Deny" - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_storage_account content: |- network_rules { default_action = "Deny" } --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnableAzureStorageAccountTrustedMicrosoftServicesAccess displayName: Enable Azure Storage Account Trusted Microsoft Services access description: Certain Microsoft services that interact with storage accounts operate from networks that cannot be granted access through network rules. Using this configuration, you can allow the set of trusted Microsoft services to bypass those network rules. tags: - terraform - Azure - CKV_AZURE_36 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_storage_account content: bypass = ["AzureServices"] - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_storage_account_network_rules content: bypass = ["AzureServices"] --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureActivityLogRetentionIsSetTo365DaysOrGreater displayName: Ensure activity log retention is set to 365 days or greater description: Ensure activity log retention is set to 365 days or greater. tags: - terraform - Azure - CKV_AZURE_37 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_monitor_log_profile content: |- retention_policy { enabled = true days = 365 } --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureLogProfileIsConfiguredToCaptureAllActivities displayName: Ensure log profile is configured to capture all activities description: Ensure log profile is configured to capture all activities. tags: - terraform - Azure - CKV_AZURE_38 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_monitor_log_profile content: |- categories = [ "Action", "Delete", "Write", ] --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureAllKeysHaveAnExpirationDate displayName: Ensure all keys have an expiration date description: Ensure all keys have an expiration date. tags: - terraform - Azure - CKV_AZURE_40 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_key_vault_key content: expiration_date = "2022-12-30T20:00:00Z" --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureAKVSecretsHaveAnExpirationDateSet displayName: Ensure AKV secrets have an expiration date set description: Ensure AKV secrets have an expiration date set. tags: - terraform - Azure - CKV_AZURE_41 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_key_vault_secret content: expiration_date = "2022-12-30T20:00:00Z" --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureAzureKeyVaultIsRecoverable displayName: Ensure Azure key vault is recoverable description: Ensure Azure key vault is recoverable. tags: - terraform - Azure - CKV_AZURE_42 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_key_vault content: soft_delete_enabled = true - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_key_vault content: purge_protection_enabled = true --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureStorageAccountUsesLatestTLSVersion displayName: Ensure storage account uses latest TLS version description: Communication between an Azure Storage account and a client application is encrypted using Transport Layer Security (TLS). Microsoft recommends using the latest version of TLS for all your Microsoft Azure App Service web applications. tags: - terraform - Azure - CKV_AZURE_44 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_storage_account content: min_tls_version = "TLS1_2" --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsurePublicNetworkAccessEnabledIsSetToFalseForMySQLServers displayName: Ensure public network access enabled is set to False for mySQL servers description: Ensure public network access enabled is set to False for mySQL servers. tags: - terraform - Azure - CKV_AZURE_53 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_mysql_server content: public_network_access_enabled = false --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureMySQLIsUsingTheLatestVersionOfTLSEncryption displayName: Ensure MySQL is using the latest version of TLS encryption description: Ensure MySQL is using the latest version of TLS encryption. tags: - terraform - Azure - CKV_AZURE_54 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_mysql_server content: ssl_minimal_tls_version_enforced = TLS1_2 --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureAppServiceEnablesHTTPLogging displayName: Ensure app service enables HTTP logging description: Ensure app service enables HTTP logging. tags: - terraform - Azure - CKV_AZURE_63 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_app_service content: |- logs { http_logs { retention_in_days = 4 retention_in_mb = 10 } } --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureAppServiceEnablesDetailedErrorMessages displayName: Ensure app service enables detailed error messages description: Ensure app service enables detailed error messages. tags: - terraform - Azure - CKV_AZURE_65 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_app_service content: |- logs { detailed_error_messages_enabled = true } --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureAppServiceEnablesFailedRequestTracing displayName: Ensure app service enables failed request tracing description: Ensure app service enables failed request tracing. tags: - terraform - Azure - CKV_AZURE_66 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_app_service content: |- logs { failed_request_tracing_enabled = true } --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsurePostgreSQLServerDisablesPublicNetworkAccess displayName: Ensure PostgreSQL server disables public network access description: Ensure PostgreSQL server disables public network access. tags: - terraform - Azure - CKV_AZURE_68 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_postgresql_server content: public_network_access_enabled = false --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureManagedIdentityProviderIsEnabledForAppServices displayName: Ensure managed identity provider is enabled for app services description: Ensure managed identity provider is enabled for app services. tags: - terraform - Azure - CKV_AZURE_71 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_app_service content: |- identity { type = "SystemAssigned" } --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureFTPDeploymentsAreDisabled displayName: Ensure FTP Deployments are disabled description: Ensure FTP Deployments are disabled. tags: - terraform - Azure - CKV_AZURE_78 # should be able to tell if FTP is being used, then set to FtpsOnly; otherwise, disable. Leaving as disable for now. todo recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_app_service content: ftps_state = "Disabled" --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureAppServicesUseAzureFiles displayName: Ensure app services use Azure files description: Ensure app services use Azure files. tags: - terraform - Azure - CKV_AZURE_88 # questionable, todo recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_app_service content: |- storage_account { type = "AzureFiles" } --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureMySQLServerDisablesPublicNetworkAccess displayName: Ensure MySQL server disables public network access description: Ensure MySQL server disables public network access. tags: - terraform - Azure - CKV_AZURE_90 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_mysql_server content: public_network_access_enabled = false --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureMySQLServerEnablesGeoRedundantBackups displayName: Ensure MySQL server enables geo-redundant backups description: Ensure MySQL server enables geo-redundant backups. tags: - terraform - Azure - CKV_AZURE_94 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_mysql_server content: geo_redundant_backup_enabled = true --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnableGeoRedundantBackupsOnPostgreSQLServer displayName: Enable geo-redundant backups on PostgreSQL server description: Ensure PostgreSQL server enables geo-redundant backups. tags: - terraform - Azure - CKV_AZURE_102 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_postgresql_server content: geo_redundant_backup_enabled = true --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureKeyVaultAllowsFirewallRulesSettings displayName: Ensure key vault allows firewall rules settings description: Ensure key vault allows firewall rules settings. tags: - terraform - Azure - CKV_AZURE_109 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_key_vault content: |- network_acls { default_action = "Deny" bypass = "AzureServices" } --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureKeyVaultEnablesPurgeProtection displayName: Ensure key vault enables purge protection description: Ensure key vault enables purge protection. tags: - terraform - Azure - CKV_AZURE_110 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_key_vault content: purge_protection_enabled = true --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureKeyVaultKeyIsBackedByHSM displayName: Ensure key vault key is backed by HSM description: Ensure key vault key is backed by HSM. tags: - terraform - Azure - CKV_AZURE_112 # questionable, todo recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_key_vault_key content: key_type = "RSA-HSM" --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureKeyVaultSecretsHaveContentTypeSet displayName: Ensure key vault secrets have `content_type` set description: Ensure key vault secrets have `content_type` set. tags: - terraform - Azure - CKV_AZURE_114 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_key_vault content: content_type = "text/plain" --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureAKSPoliciesAddOn displayName: Ensure AKS policies add-on description: Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. tags: - terraform - Azure - CKV_AZURE_116 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_kubernetes_cluster content: |- addon_profile { azure_policy { enabled = false } } --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureAzureApplicationGatewayHasWAFEnabled displayName: Ensure Azure application gateway has WAF enabled description: Ensure Azure application gateway has WAF enabled. tags: - terraform - Azure - CKV_AZURE_120 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_application_gateway content: |- waf_configuration { enabled = true } --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsureMySQLServerEnablesThreatDetectionPolicy displayName: Ensure MySQL server enables Threat Detection policy description: Ensure MySQL server enables Threat Detection policy. tags: - terraform - Azure - CKV_AZURE_127 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_mysql_server content: |- threat_detection_policy { enabled = true } --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsurePostgreSQLServerEnablesThreatDetectionPolicy displayName: Ensure PostgreSQL server enables Threat Detection policy description: Ensure PostgreSQL server enables Threat Detection policy. tags: - terraform - Azure - CKV_AZURE_128 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_postgresql_server content: |- threat_detection_policy { enabled = true } --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.azure.EnsurePostgreSQLServerEnablesInfrastructureEncryption displayName: Ensure PostgreSQL server enables infrastructure encryption description: Ensure PostgreSQL server enables infrastructure encryption. tags: - terraform - Azure - CKV_AZURE_130 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: azurerm_postgresql_server content: infrastructure_encryption_enabled = true