feat: storage account - public access enabled (#9)

pregress · web-flow · commit cfc2e76b3f03 · 2024-11-04T14:05:23.000+01:00
Co-authored-by: Preben Huybrechts &lt;preben.huybrechts@niko.eu&gt;
diff --git a/docs/README.md b/docs/README.md
@@ -6,6 +6,7 @@
 |azurerm_linux_web_app_https_only|Force all traffic over https |WARNING|✔||
 |azurerm_linux_web_app_minimum_tls_version|Enforce TLS 1.2 on linux web apps |WARNING|✔||
 |azurerm_mssql_database_transparent_data_encryption_enabled|Enforce transparant data encryption|WARNING|✔||
+|azurerm_storage_account_public_network_access_enabled|Consider disabling public network access on storage accounts. |NOTICE|✔||
 |azurerm_storage_account_tls_version|Enforce TLS 1.2 on storage accounts |WARNING|✔||
 |azurerm_windows_web_app_ftps_state|Disable sftp to a windows web app |WARNING|✔||
 |azurerm_windows_web_app_https_only|Force all traffic over https |WARNING|✔||
diff --git a/main.go b/main.go
@@ -16,6 +16,7 @@ func CreateRuleSet() *tflint.BuiltinRuleSet {
 			rules.NewAzurermLinuxWebAppHttpsOnly(),
 			rules.NewAzurermLinuxWebAppMinimumTlsVersion(),
 			rules.NewAzurermMssqlDatabaseEncryption(),
+			rules.NewAzurermStorageAccountPublicNetworkAccessEnabled(),
 			rules.NewAzurermStorageAccountUnsecureTls(),
 			rules.NewAzurermWindowsWebAppFtpsState(),
 			rules.NewAzurermWindowsWebAppHttpsOnly(),
diff --git a/rules/azurerm_storage_account_public_network_access_enabled .go b/rules/azurerm_storage_account_public_network_access_enabled .go
@@ -0,0 +1,84 @@
+package rules
+
+import (
+	"github.com/terraform-linters/tflint-plugin-sdk/hclext"
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// AzurermStorageAccountPublicNetworkAccessEnabled checks that transparent data encryption is enabled
+type AzurermStorageAccountPublicNetworkAccessEnabled struct {
+	tflint.DefaultRule
+
+	resourceType  string
+	attributeName string
+}
+
+// NewAzurermStorageAccountPublicNetworkAccessEnabled returns a new rule instance
+func NewAzurermStorageAccountPublicNetworkAccessEnabled() *AzurermStorageAccountPublicNetworkAccessEnabled {
+	return &AzurermStorageAccountPublicNetworkAccessEnabled{
+		resourceType:  "azurerm_storage_account",
+		attributeName: "public_network_access_enabled",
+	}
+}
+
+// Name returns the rule name
+func (r *AzurermStorageAccountPublicNetworkAccessEnabled) Name() string {
+	return "azurerm_storage_account_public_network_access_enabled"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AzurermStorageAccountPublicNetworkAccessEnabled) Enabled() bool {
+	return true
+}
+
+// Severity returns the rule severity
+func (r *AzurermStorageAccountPublicNetworkAccessEnabled) Severity() tflint.Severity {
+	return tflint.NOTICE
+}
+
+// Link returns the rule reference link
+func (r *AzurermStorageAccountPublicNetworkAccessEnabled) Link() string {
+	return ""
+}
+
+// Check checks if transparent data encryption is enabled
+func (r *AzurermStorageAccountPublicNetworkAccessEnabled) Check(runner tflint.Runner) error {
+	resources, err := runner.GetResourceContent(r.resourceType, &hclext.BodySchema{
+		Attributes: []hclext.AttributeSchema{
+			{Name: r.attributeName},
+		},
+	}, nil)
+	if err != nil {
+		return err
+	}
+
+	for _, resource := range resources.Blocks {
+		attribute, exists := resource.Body.Attributes[r.attributeName]
+		if !exists {
+			// Emit an issue if the attribute does not exist
+			runner.EmitIssue(
+				r,
+				"public_network_access_enabled is not defined and defaults to true, consider disabling it",
+				resource.DefRange,
+			)
+			continue
+		}
+
+		err := runner.EvaluateExpr(attribute.Expr, func(val bool) error {
+			if val {
+				runner.EmitIssue(
+					r,
+					"Consider changing public_network_access_enabled to false",
+					attribute.Expr.Range(),
+				)
+			}
+			return nil
+		}, nil)
+
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
diff --git a/rules/azurerm_storage_account_public_network_access_enabled_test.go b/rules/azurerm_storage_account_public_network_access_enabled_test.go
@@ -0,0 +1,74 @@
+package rules
+
+import (
+	"testing"
+
+	hcl "github.com/hashicorp/hcl/v2"
+	"github.com/terraform-linters/tflint-plugin-sdk/helper"
+)
+
+func Test_AzurermStorageAccountPublicNetworkAccessEnabled(t *testing.T) {
+	tests := []struct {
+		Name     string
+		Content  string
+		Expected helper.Issues
+	}{
+		{
+			Name: "public network access disabled",
+			Content: `
+resource "azurerm_storage_account" "example" {
+    public_network_access_enabled = true
+}`,
+			Expected: helper.Issues{
+				{
+					Rule:    NewAzurermStorageAccountPublicNetworkAccessEnabled(),
+					Message: "Consider changing public_network_access_enabled to false",
+					Range: hcl.Range{
+						Filename: "resource.tf",
+						Start:    hcl.Pos{Line: 3, Column: 37},
+						End:      hcl.Pos{Line: 3, Column: 41},
+					},
+				},
+			},
+		},
+		{
+			Name: "public network access missing",
+			Content: `
+resource "azurerm_storage_account" "example" {
+}`,
+			Expected: helper.Issues{
+				{
+					Rule:    NewAzurermStorageAccountPublicNetworkAccessEnabled(),
+					Message: "public_network_access_enabled is not defined and defaults to true, consider disabling it",
+					Range: hcl.Range{
+						Filename: "resource.tf",
+						Start:    hcl.Pos{Line: 2, Column: 1},
+						End:      hcl.Pos{Line: 2, Column: 45},
+					},
+				},
+			},
+		},
+		{
+			Name: "public network access disabled",
+			Content: `
+resource "azurerm_storage_account" "example" {
+    public_network_access_enabled = false
+}`,
+			Expected: helper.Issues{},
+		},
+	}
+
+	rule := NewAzurermStorageAccountPublicNetworkAccessEnabled()
+
+	for _, test := range tests {
+		t.Run(test.Name, func(t *testing.T) {
+			runner := helper.TestRunner(t, map[string]string{"resource.tf": test.Content})
+
+			if err := rule.Check(runner); err != nil {
+				t.Fatalf("Unexpected error occurred: %s", err)
+			}
+
+			helper.AssertIssues(t, test.Expected, runner.Issues)
+		})
+	}
+}
