microsoft / power-platform-terraform-quickstarts

Examples for using the Power Platform Terraform Provider
https://github.com/microsoft/terraform-provider-power-platform
MIT License

Fix CKV2_AZURE_50 on the SAP QuickStart #82

Closed eduardodfmex closed 4 months ago

eduardodfmex commented 4 months ago

Fix CKV2_AZURE_50 on the SAP QuickStart

CKV2_AZURE_50: "Ensure Azure Storage Account storing Machine Learning workspace high business impact data is not publicly accessible"

To Reproduce

Steps to reproduce the behavior:

The check is now flagged by the checkov review.

Sample Terraform Code

REMINDER: REMOVE SENSITIVE DATA SUCH AS SECRETS, USER NAMES, EMAILS, TENANT INFORMATION, ETC.

```hcl
resource "azurerm_storage_account" "storage_account" {
  name                            = azurecaf_name.storage_account_name.result
  resource_group_name             = var.resource_group_name
  location                        = var.region
  account_tier                    = "Standard"
  account_replication_type        = "GRS"
  min_tls_version                 = "TLS1_2"
  public_network_access_enabled   = true // this feature needs to be changed to false once the setup is completed.
  allow_nested_items_to_be_public = true // this feature needs to be changed to false once the setup is completed.
  shared_access_key_enabled       = true // this feature needs to be changed to false once the setup is completed.

  identity {
    type = "SystemAssigned"
  }

  network_rules {
    default_action = "Allow" // this feature needs to be changed to "Deny"
    #checkov:skip=CKV_AZURE_59: "Ensure that Storage accounts disallow public access, this deployment requires public access to the storage account"
    #checkov:skip=CKV_AZURE_35: "Ensure default network access rule for Storage Accounts is set to deny"
    #checkov:skip=CKV_AZURE_50: "Ensure Azure Storage Account storing Machine Learning workspace high business impact data is not publicly accessible"

    bypass = ["AzureServices", "Logging", "Metrics"]
  }
}
```

Expected behavior

We will add the following exception:

```hcl
#checkov:skip=CKV_AZURE_50: "Ensure Azure Storage Account storing Machine Learning workspace high business impact data is not publicly accessible"
```

System Information

Contribution

Do you plan to raise a PR to address this issue? YES / NO?
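The issue's own snippet hard-codes the permissive values and relies on comments to remind the operator to flip them after setup. As an added example (not code from this issue or from the quickstart repository), the same storage account is written so that all of those values are driven by a single `setup_phase` variable and default to the hardened state. `var.setup_phase`, `var.allowed_ip_ranges` and `var.allowed_subnet_ids` are assumed inputs that do not exist in the quickstart; `azurecaf_name.storage_account_name`, `var.resource_group_name` and `var.region` are taken from the snippet above. The skip comment uses the check ID from the issue title, since checkov matches the ID in a `checkov:skip` comment literally against the check being suppressed.

```hcl
# Added example, not the quickstart's own code.
# Assumed inputs: setup_phase, allowed_ip_ranges, allowed_subnet_ids.
variable "setup_phase" {
  description = "true only while the initial SAP setup needs public access; the default is the hardened state"
  type        = bool
  default     = false
}

variable "allowed_ip_ranges" {
  description = "Public CIDR ranges allowed through the storage firewall once setup is complete"
  type        = list(string)
  default     = []
}

variable "allowed_subnet_ids" {
  description = "Subnet IDs allowed to reach the account through service endpoints"
  type        = list(string)
  default     = []
}

resource "azurerm_storage_account" "storage_account" {
  name                     = azurecaf_name.storage_account_name.result
  resource_group_name      = var.resource_group_name
  location                 = var.region
  account_tier             = "Standard"
  account_replication_type = "GRS"
  min_tls_version          = "TLS1_2"

  # Permissive only while setup_phase is true; all three flip together to
  # the hardened value instead of relying on three separate manual edits.
  public_network_access_enabled   = var.setup_phase
  allow_nested_items_to_be_public = var.setup_phase
  shared_access_key_enabled       = var.setup_phase

  # The skip is static text, so checkov honours it regardless of setup_phase;
  # delete this line once setup is complete so the check is enforced again.
  #checkov:skip=CKV2_AZURE_50: "Public access is required only during initial SAP setup; set setup_phase=false afterwards"

  identity {
    type = "SystemAssigned"
  }

  network_rules {
    # Deny by default once setup is done; explicit allow-lists replace "Allow".
    default_action             = var.setup_phase ? "Allow" : "Deny"
    bypass                     = ["AzureServices", "Logging", "Metrics"]
    ip_rules                   = var.allowed_ip_ranges
    virtual_network_subnet_ids = var.allowed_subnet_ids
  }
}
```

Two caveats for whoever applies this: with `shared_access_key_enabled = false` the azurerm provider can only manage containers and blobs in this account when its provider block sets `storage_use_azuread = true` and the deploying identity holds a data-plane RBAC role such as Storage Blob Data Contributor, and `checkov:skip` comments cannot be made conditional, so the skip should be removed from the file at the same time as `setup_phase` is turned off rather than left in place.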