Update az_mssql.tf #4
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![bridgecrew[bot]](https://avatars.githubusercontent.com/in/52968?s=60&v=4){kind=small}
| @@ -108,7 +108,7 @@ resource "azurerm_storage_account" "sa4" { | |||
| } | |||
|
|
|||
| resource "azurerm_mssql_server" "mssql5" { | |||
| name = "mssql5" | |||
| name = "mssql5" | |||
There was a problem hiding this comment.
Ensure SQL server disables public network access
Resource: azurerm_mssql_server.mssql5 | ID: BC_AZR_NETWORKING_34
How to Fix
resource "azurerm_mssql_server" "example" {
...
+ public_network_access_enabled = false
}Description
TBA| @@ -8,7 +8,7 @@ resource "azurerm_resource_group" "az_rg" { | |||
| } | |||
|
|
|||
| resource "azurerm_mssql_server" "mssql1" { | |||
| name = "mssql1" | |||
| name = "mssql1" | |||
There was a problem hiding this comment.
Ensure Azure resources that support tags have tags
Resource: azurerm_mssql_server.mssql1 | ID: BC_AZR_GENERAL_81
How to Fix
resource "azurerm_resource_group" "example" {
name = "example-resources"
location = "West Europe"
}
resource "azurerm_managed_disk" "example" {
name = "acctestmd"
location = "West US 2"
resource_group_name = azurerm_resource_group.example.name
storage_account_type = "Standard_LRS"
create_option = "Empty"
disk_size_gb = "1"
+ tags = {
+ environment = "staging"
}
}
Description
Many different types of Azure resources support tags. Tags allow you to add metadata to a resource to help identify ownership, perform cost / billing analysis, and to enrich a resource with other valuable information, such as descriptions and environment names. While there are many ways that tags can be used, we recommend you follow a tagging practice.View Microsoft's recommended tagging best practices here.
| @@ -8,7 +8,7 @@ resource "azurerm_resource_group" "az_rg" { | |||
| } | |||
|
|
|||
| resource "azurerm_mssql_server" "mssql1" { | |||
| name = "mssql1" | |||
| name = "mssql1" | |||
There was a problem hiding this comment.
Ensure SQL server disables public network access
Resource: azurerm_mssql_server.mssql1 | ID: BC_AZR_NETWORKING_34
How to Fix
resource "azurerm_mssql_server" "example" {
...
+ public_network_access_enabled = false
}Description
TBA| @@ -108,7 +108,7 @@ resource "azurerm_storage_account" "sa4" { | |||
| } | |||
|
|
|||
| resource "azurerm_mssql_server" "mssql5" { | |||
| name = "mssql5" | |||
| name = "mssql5" | |||
There was a problem hiding this comment.
Ensure Azure SQL Server audit log retention is greater than 90 days
Resource: azurerm_mssql_server.mssql5 | ID: BC_AZR_LOGGING_3
How to Fix
resource "azurerm_sql_server" "example" {
...
extended_auditing_policy {
storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint
storage_account_access_key = azurerm_storage_account.example.primary_access_key
storage_account_access_key_is_secondary = true
+ retention_in_days = <90 or greater>
}
}Description
Audit Logs can be used to check for anomalies and give insight into suspected breaches or misuse of information and access.We recommend you configure SQL server audit retention to be greater than 90 days.
Benchmarks
- CIS AZURE V1.1 4.3
- CIS AZURE V1.3 4.1.3
| @@ -8,7 +8,7 @@ resource "azurerm_resource_group" "az_rg" { | |||
| } | |||
|
|
|||
| resource "azurerm_mssql_server" "mssql1" { | |||
| name = "mssql1" | |||
| name = "mssql1" | |||
There was a problem hiding this comment.
Ensure MSSQL is using the latest version of TLS encryption
Resource: azurerm_mssql_server.mssql1 | ID: BC_AZR_GENERAL_76
How to Fix
resource "azurerm_mssql_server" "examplea" {
...
+ minimum_tls_version = "1.2"
...
}Description
The Transport Layer Security (TLS) protocol secures transmission of data between servers and web browsers, over the Internet, using standard encryption technology. To follow security best practices and the latest PCI compliance standards, enable the latest version of TLS protocol (i.e. TLS 1.2) for all your MSSQL servers.| @@ -108,7 +108,7 @@ resource "azurerm_storage_account" "sa4" { | |||
| } | |||
|
|
|||
| resource "azurerm_mssql_server" "mssql5" { | |||
| name = "mssql5" | |||
| name = "mssql5" | |||
There was a problem hiding this comment.
Ensure Azure resources that support tags have tags
Resource: azurerm_mssql_server.mssql5 | ID: BC_AZR_GENERAL_81
How to Fix
resource "azurerm_resource_group" "example" {
name = "example-resources"
location = "West Europe"
}
resource "azurerm_managed_disk" "example" {
name = "acctestmd"
location = "West US 2"
resource_group_name = azurerm_resource_group.example.name
storage_account_type = "Standard_LRS"
create_option = "Empty"
disk_size_gb = "1"
+ tags = {
+ environment = "staging"
}
}
Description
Many different types of Azure resources support tags. Tags allow you to add metadata to a resource to help identify ownership, perform cost / billing analysis, and to enrich a resource with other valuable information, such as descriptions and environment names. While there are many ways that tags can be used, we recommend you follow a tagging practice.View Microsoft's recommended tagging best practices here.
| @@ -108,7 +108,7 @@ resource "azurerm_storage_account" "sa4" { | |||
| } | |||
|
|
|||
| resource "azurerm_mssql_server" "mssql5" { | |||
| name = "mssql5" | |||
| name = "mssql5" | |||
There was a problem hiding this comment.
Ensure MSSQL is using the latest version of TLS encryption
Resource: azurerm_mssql_server.mssql5 | ID: BC_AZR_GENERAL_76
How to Fix
resource "azurerm_mssql_server" "examplea" {
...
+ minimum_tls_version = "1.2"
...
}Description
The Transport Layer Security (TLS) protocol secures transmission of data between servers and web browsers, over the Internet, using standard encryption technology. To follow security best practices and the latest PCI compliance standards, enable the latest version of TLS protocol (i.e. TLS 1.2) for all your MSSQL servers.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.