feat: Keyvault acls (#15)

pregress · web-flow · commit c017f1a82e40 · 2024-11-12T07:00:39.000+01:00
* feat: Keyvault acls
diff --git a/docs/README.md b/docs/README.md
@@ -9,7 +9,8 @@
 ## azurerm_key_vault
 |Name|Description|Severity|Enabled|Link|
 | --- | --- | --- | --- | --- |
-|azurerm_key_vault_public_network_access_enabled|Consider disabling public network access on keyvaults. |NOTICE|✔||
+|azurerm_key_vault_public_network_access_enabled|Consider disabling public network access on keyvaults. |NOTICE|||
+|azurerm_key_vault_network_acls_default_deny|Deny network access to Keyvaults. You can add `bypass = "AzureServices"` to allow azure services to connect to keyvault or add `ip_rules`|WARNING|✔||
 
 ## azurerm_linux_function_app
 |Name|Description|Severity|Enabled|Link|
diff --git a/main.go b/main.go
@@ -14,6 +14,7 @@ func createRuleSet() *tflint.BuiltinRuleSet {
 		Rules: []tflint.Rule{
 			rules.NewAzurermEventhubNamespacePublicNetworkAccessEnabled(),
 			rules.NewAzurermEventhubNamespaceUnsecureTLS(),
+			rules.NewAzurermKeyVaultNetworkACLsDefaultDeny(),
 			rules.NewAzurermKeyVaultPublicNetworkAccessEnabled(),
 			rules.NewAzurermLinuxFunctionAppFtpsState(),
 			rules.NewAzurermLinuxFunctionAppHTTPSOnly(),
diff --git a/rules/azurerm_keyvault_network_acls.go b/rules/azurerm_keyvault_network_acls.go
@@ -0,0 +1,107 @@
+package rules
+
+import (
+	"github.com/terraform-linters/tflint-plugin-sdk/hclext"
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// AzurermKeyVaultNetworkACLsDefaultDeny checks that network_acls default_action is set to "Deny"
+type AzurermKeyVaultNetworkACLsDefaultDeny struct {
+	tflint.DefaultRule
+
+	resourceType string
+	blockName    string
+}
+
+// NewAzurermKeyVaultNetworkACLsDefaultDeny returns a new rule instance
+func NewAzurermKeyVaultNetworkACLsDefaultDeny() *AzurermKeyVaultNetworkACLsDefaultDeny {
+	return &AzurermKeyVaultNetworkACLsDefaultDeny{
+		resourceType: "azurerm_key_vault",
+		blockName:    "network_acls",
+	}
+}
+
+// Name returns the rule name
+func (r *AzurermKeyVaultNetworkACLsDefaultDeny) Name() string {
+	return "azurerm_key_vault_network_acls_default_deny"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AzurermKeyVaultNetworkACLsDefaultDeny) Enabled() bool {
+	return true
+}
+
+// Severity returns the rule severity
+func (r *AzurermKeyVaultNetworkACLsDefaultDeny) Severity() tflint.Severity {
+	return tflint.WARNING
+}
+
+// Link returns the rule reference link
+func (r *AzurermKeyVaultNetworkACLsDefaultDeny) Link() string {
+	return ""
+}
+
+// Check checks if network_acls default_action is set to "Deny"
+func (r *AzurermKeyVaultNetworkACLsDefaultDeny) Check(runner tflint.Runner) error {
+	resources, err := runner.GetResourceContent(r.resourceType, &hclext.BodySchema{
+		Blocks: []hclext.BlockSchema{
+			{
+				Type: r.blockName,
+				Body: &hclext.BodySchema{
+					Attributes: []hclext.AttributeSchema{
+						{Name: "default_action"},
+					},
+				},
+			},
+		},
+	}, nil)
+	if err != nil {
+		return err
+	}
+
+	for _, resource := range resources.Blocks {
+		networkACLs := resource.Body.Blocks
+
+		if len(networkACLs) == 0 {
+			runner.EmitIssue(
+				r,
+				"network_acls block is not defined, consider adding it with default_action = \"Deny\"",
+				resource.DefRange,
+			)
+			continue
+		}
+
+		for _, networkACL := range networkACLs {
+			if networkACL.Type != r.blockName {
+				continue
+			}
+
+			attribute, exists := networkACL.Body.Attributes["default_action"]
+			if !exists {
+				runner.EmitIssue(
+					r,
+					"default_action is not defined in network_acls block",
+					networkACL.DefRange,
+				)
+				continue
+			}
+
+			err := runner.EvaluateExpr(attribute.Expr, func(val string) error {
+				if val != "Deny" {
+					runner.EmitIssue(
+						r,
+						"network_acls default_action should be set to \"Deny\"",
+						attribute.Expr.Range(),
+					)
+				}
+				return nil
+			}, nil)
+
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
diff --git a/rules/azurerm_keyvault_network_acls_test.go b/rules/azurerm_keyvault_network_acls_test.go
@@ -0,0 +1,97 @@
+package rules
+
+import (
+	"testing"
+
+	hcl "github.com/hashicorp/hcl/v2"
+	"github.com/terraform-linters/tflint-plugin-sdk/helper"
+)
+
+func Test_AzurermKeyVaultNetworkACLsDefaultDeny(t *testing.T) {
+	tests := []struct {
+		Name     string
+		Content  string
+		Expected helper.Issues
+	}{
+		{
+			Name: "no network_acls block",
+			Content: `
+resource "azurerm_key_vault" "example" {
+}`,
+			Expected: helper.Issues{
+				{
+					Rule:    NewAzurermKeyVaultNetworkACLsDefaultDeny(),
+					Message: "network_acls block is not defined, consider adding it with default_action = \"Deny\"",
+					Range: hcl.Range{
+						Filename: "resource.tf",
+						Start:    hcl.Pos{Line: 2, Column: 1},
+						End:      hcl.Pos{Line: 2, Column: 39},
+					},
+				},
+			},
+		},
+		{
+			Name: "network_acls without default_action",
+			Content: `
+resource "azurerm_key_vault" "example" {
+    network_acls {
+    }
+}`,
+			Expected: helper.Issues{
+				{
+					Rule:    NewAzurermKeyVaultNetworkACLsDefaultDeny(),
+					Message: "default_action is not defined in network_acls block",
+					Range: hcl.Range{
+						Filename: "resource.tf",
+						Start:    hcl.Pos{Line: 3, Column: 5},
+						End:      hcl.Pos{Line: 3, Column: 17},
+					},
+				},
+			},
+		},
+		{
+			Name: "network_acls with default_action Allow",
+			Content: `
+resource "azurerm_key_vault" "example" {
+    network_acls {
+        default_action = "Allow"
+    }
+}`,
+			Expected: helper.Issues{
+				{
+					Rule:    NewAzurermKeyVaultNetworkACLsDefaultDeny(),
+					Message: "network_acls default_action should be set to \"Deny\"",
+					Range: hcl.Range{
+						Filename: "resource.tf",
+						Start:    hcl.Pos{Line: 4, Column: 26},
+						End:      hcl.Pos{Line: 4, Column: 33},
+					},
+				},
+			},
+		},
+		{
+			Name: "network_acls with default_action Deny",
+			Content: `
+resource "azurerm_key_vault" "example" {
+    network_acls {
+        default_action = "Deny"
+    }
+}`,
+			Expected: helper.Issues{},
+		},
+	}
+
+	rule := NewAzurermKeyVaultNetworkACLsDefaultDeny()
+
+	for _, test := range tests {
+		t.Run(test.Name, func(t *testing.T) {
+			runner := helper.TestRunner(t, map[string]string{"resource.tf": test.Content})
+
+			if err := rule.Check(runner); err != nil {
+				t.Fatalf("Unexpected error occurred: %s", err)
+			}
+
+			helper.AssertIssues(t, test.Expected, runner.Issues)
+		})
+	}
+}
diff --git a/rules/azurerm_keyvault_public_network_access_enabled.go b/rules/azurerm_keyvault_public_network_access_enabled.go
@@ -28,7 +28,7 @@ func (r *AzurermKeyVaultPublicNetworkAccessEnabled) Name() string {
 
 // Enabled returns whether the rule is enabled by default
 func (r *AzurermKeyVaultPublicNetworkAccessEnabled) Enabled() bool {
-	return true
+	return false
 }
 
 // Severity returns the rule severity

Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ func (r *AzurermKeyVaultPublicNetworkAccessEnabled) Name() string {`
`28`	`28`
`29`	`29`	`// Enabled returns whether the rule is enabled by default`
`30`	`30`	`func (r *AzurermKeyVaultPublicNetworkAccessEnabled) Enabled() bool {`
`31`		`- return true`
	`31`	`+ return false`
`32`	`32`	`}`
`33`	`33`
`34`	`34`	`// Severity returns the rule severity`