Update az_mssql.tf #4

4 changes: 2 additions & 2 deletions az_mssql.tf
@@ -8,7 +8,7 @@ resource "azurerm_resource_group" "az_rg" {
}

resource "azurerm_mssql_server" "mssql1" {
name = "mssql1"
name = "mssql1"
@bridgecrew bridgecrew bot Jan 19, 2022

LOW   Ensure Azure resources that support tags have tags
    Resource: azurerm_mssql_server.mssql1 | ID: BC_AZR_GENERAL_81

How to Fix

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_managed_disk" "example" {
  name                 = "acctestmd"
  location             = "West US 2"
  resource_group_name  = azurerm_resource_group.example.name
  storage_account_type = "Standard_LRS"
  create_option        = "Empty"
  disk_size_gb         = "1"

+  tags = {
+    environment = "staging"
  }
}

Description

Many different types of Azure resources support tags. Tags allow you to add metadata to a resource to help identify ownership, perform cost / billing analysis, and to enrich a resource with other valuable information, such as descriptions and environment names. While there are many ways that tags can be used, we recommend you follow a tagging practice.

View Microsoft's recommended tagging best practices here.

@bridgecrew bridgecrew bot Jan 19, 2022

LOW   Ensure SQL server disables public network access
    Resource: azurerm_mssql_server.mssql1 | ID: BC_AZR_NETWORKING_34

How to Fix

resource "azurerm_mssql_server" "example" {
  ...
+  public_network_access_enabled = false
}

Description

TBA

@bridgecrew bridgecrew bot Jan 19, 2022

MEDIUM   Ensure MSSQL is using the latest version of TLS encryption
    Resource: azurerm_mssql_server.mssql1 | ID: BC_AZR_GENERAL_76

How to Fix

 resource "azurerm_mssql_server" "examplea" {
   ...
 + minimum_tls_version           = "1.2"
   ...
 }

Description

The Transport Layer Security (TLS) protocol secures transmission of data between servers and web browsers, over the Internet, using standard encryption technology. To follow security best practices and the latest PCI compliance standards, enable the latest version of TLS protocol (i.e. TLS 1.2) for all your MSSQL servers.

resource_group_name = azurerm_resource_group.az_rg.name
location = azurerm_resource_group.az_rg.location
version = "12.0"
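Review bot: the removed and added lines at the top of this hunk both read `name = "mssql1"`, so the change to azurerm_mssql_server.mssql1 is not visible in this rendering (whitespace or formatting only); if that is intended, say so in the PR description. Since this block is being edited anyway and the scanner flags it for missing `minimum_tls_version = "1.2"` and `public_network_access_enabled = false`, plus a missing `tags` map, adding those three attributes in this hunk would close the findings in the same PR instead of leaving a no-op change on a resource with open findings.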
@@ -108,7 +108,7 @@ resource "azurerm_storage_account" "sa4" {
}

resource "azurerm_mssql_server" "mssql5" {
name = "mssql5"
name = "mssql5"
@bridgecrew bridgecrew bot Jan 19, 2022

LOW   Ensure SQL server disables public network access
    Resource: azurerm_mssql_server.mssql5 | ID: BC_AZR_NETWORKING_34

How to Fix

resource "azurerm_mssql_server" "example" {
  ...
+  public_network_access_enabled = false
}

Description

TBA

@bridgecrew bridgecrew bot Jan 19, 2022

HIGH   Ensure Azure SQL Server audit log retention is greater than 90 days
    Resource: azurerm_mssql_server.mssql5 | ID: BC_AZR_LOGGING_3

How to Fix

resource "azurerm_sql_server" "example" {
    ...
    extended_auditing_policy {
      storage_endpoint            = azurerm_storage_account.example.primary_blob_endpoint
      storage_account_access_key  = azurerm_storage_account.example.primary_access_key
      storage_account_access_key_is_secondary = true
 +       retention_in_days                       = <90 or greater>
    }
}

Description

Audit Logs can be used to check for anomalies and give insight into suspected breaches or misuse of information and access.

We recommend you configure SQL server audit retention to be greater than 90 days.

Benchmarks

  • CIS AZURE V1.1 4.3
  • CIS AZURE V1.3 4.1.3

@bridgecrew bridgecrew bot Jan 19, 2022

LOW   Ensure Azure resources that support tags have tags
    Resource: azurerm_mssql_server.mssql5 | ID: BC_AZR_GENERAL_81

How to Fix

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_managed_disk" "example" {
  name                 = "acctestmd"
  location             = "West US 2"
  resource_group_name  = azurerm_resource_group.example.name
  storage_account_type = "Standard_LRS"
  create_option        = "Empty"
  disk_size_gb         = "1"

+  tags = {
+    environment = "staging"
  }
}

Description

Many different types of Azure resources support tags. Tags allow you to add metadata to a resource to help identify ownership, perform cost / billing analysis, and to enrich a resource with other valuable information, such as descriptions and environment names. While there are many ways that tags can be used, we recommend you follow a tagging practice.

View Microsoft's recommended tagging best practices here.

@bridgecrew bridgecrew bot Jan 19, 2022

MEDIUM   Ensure MSSQL is using the latest version of TLS encryption
    Resource: azurerm_mssql_server.mssql5 | ID: BC_AZR_GENERAL_76

How to Fix

 resource "azurerm_mssql_server" "examplea" {
   ...
 + minimum_tls_version           = "1.2"
   ...
 }

Description

The Transport Layer Security (TLS) protocol secures transmission of data between servers and web browsers, over the Internet, using standard encryption technology. To follow security best practices and the latest PCI compliance standards, enable the latest version of TLS protocol (i.e. TLS 1.2) for all your MSSQL servers.

resource_group_name = azurerm_resource_group.az_rg.name
location = azurerm_resource_group.az_rg.location
version = "12.0"
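Review bot: as in the first hunk, the removed and added lines both read `name = "mssql5"`, so this hunk changes nothing visible on azurerm_mssql_server.mssql5 while the resource carries four open findings, including the HIGH one for audit log retention. Note that the How to Fix snippet for BC_AZR_LOGGING_3 shows an `azurerm_sql_server` resource with an inline `extended_auditing_policy` block, whereas this file declares `azurerm_mssql_server`; apply the `retention_in_days` setting to this mssql resource rather than copying the snippet's resource type, and add `minimum_tls_version = "1.2"`, `public_network_access_enabled = false` and `tags` to the same block so the scanner findings are closed by this PR.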
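The four findings above (tags, public network access, minimum TLS version, audit retention) all apply to the same resource type, so here is one hardened `azurerm_mssql_server` that satisfies them together; this is an added example and not code from the PR or from the scanner. It reuses `azurerm_resource_group.az_rg` and `azurerm_storage_account.sa4` from the diff headers, while the resource name, the two admin-credential variables and the 120-day retention value are assumptions, and the auditing policy is expressed as a separate `azurerm_mssql_server_extended_auditing_policy` resource (the form the azurerm provider uses for `azurerm_mssql_server`) rather than the inline block shown for `azurerm_sql_server`.

```hcl
# Constructed example: admin credentials come from variables, never literals.
variable "sql_admin_login" {
  type = string
}

variable "sql_admin_password" {
  type      = string
  sensitive = true
}

resource "azurerm_mssql_server" "mssql_hardened" {
  name                         = "mssql-hardened-example" # assumed name
  resource_group_name          = azurerm_resource_group.az_rg.name
  location                     = azurerm_resource_group.az_rg.location
  version                      = "12.0"
  administrator_login          = var.sql_admin_login
  administrator_login_password = var.sql_admin_password

  # BC_AZR_GENERAL_76: reject TLS 1.0/1.1 clients.
  minimum_tls_version = "1.2"

  # BC_AZR_NETWORKING_34: no listener on the public endpoint.
  public_network_access_enabled = false

  # BC_AZR_GENERAL_81: tags for ownership and cost attribution.
  tags = {
    environment = "staging"
    owner       = "data-platform" # assumed value
  }
}

# BC_AZR_LOGGING_3: ship audit logs to the storage account from the diff
# and keep them well past the 90-day threshold the policy checks.
resource "azurerm_mssql_server_extended_auditing_policy" "mssql_hardened" {
  server_id                               = azurerm_mssql_server.mssql_hardened.id
  storage_endpoint                        = azurerm_storage_account.sa4.primary_blob_endpoint
  storage_account_access_key              = azurerm_storage_account.sa4.primary_access_key
  storage_account_access_key_is_secondary = false
  retention_in_days                       = 120 # assumed; must be >= 90
}
```

With `public_network_access_enabled = false` the server is reachable only through a private endpoint (`azurerm_private_endpoint`) or another VNet-integrated path, so provision that access route in the same change or clients lose connectivity on apply.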