The rule https://docs.kics.io/latest/queries/terraform-queries/azure/a99130ab-4c0e-43aa-97f8-78d4fcb30024/ checks the encryption status of an Azure managed disk declared in Terraform code.
The rule checks for the existence and value of the sub-argument 'enabled' inside the encryption_settings block, which is not part of the provider schema: https://github.com/hashicorp/terraform-provider-azurerm/blob/74dcb3fcc62f6fbc54d5d605a819f42f247c8eae/internal/services/compute/encryption_settings.go
Expected Behavior
- the rule should not be triggered if the disk is encrypted using either PMKs or CMKs
- the rule shall be adapted to use the current schema for testing
Actual Behavior
The code:
```hcl
resource "azurerm_managed_disk" "ultra" {
  name                  = "ultradisk"
  location              = var.resource_location
  resource_group_name   = var.resource_group_name
  storage_account_type  = "UltraSSD_LRS"
  create_option         = "Empty"
  disk_size_gb          = "200"
  network_access_policy = "DenyAll"
}
```
will produce the following KICS finding:
```
Encryption On Managed Disk Disabled, Severity: MEDIUM, Results: 1
11:54:13 Description: Ensure that the encryption is active on the disk
11:54:13 Platform: Terraform
11:54:13 CWE: 311
11:54:13 Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/azure/a99130ab-4c0e-43aa-97f8-78d4fcb30024
11:54:13
11:54:13 [1]: ../../path/database/main.tf:73
11:54:13
11:54:13 072:
11:54:13 073: resource "azurerm_managed_disk" "ultra" {
11:54:13 074: name = "ultradisk"
11:54:13
```
The code as proposed by the rule on https://docs.kics.io/latest/queries/terraform-queries/azure/a99130ab-4c0e-43aa-97f8-78d4fcb30024/:
```hcl
resource "azurerm_managed_disk" "ultra" {
  name                  = "ultradisk"
  location              = var.resource_location
  resource_group_name   = var.resource_group_name
  storage_account_type  = "UltraSSD_LRS"
  create_option         = "Empty"
  disk_size_gb          = "200"
  encryption_settings {
    enabled = true
  }
  network_access_policy = "DenyAll"
}
```
will not trigger this rule, but validation of the code by OpenTofu/Terraform will fail:
```
$ tofu validate
╷
│ Error: Insufficient disk_encryption_key blocks
│
│   on database/main.tf line 91, in resource "azurerm_managed_disk" "ultra":
│   91:   encryption_settings {
│
│ At least 1 "disk_encryption_key" blocks are required.
╵
╷
│ Error: Unsupported argument
│
│   on database/main.tf line 92, in resource "azurerm_managed_disk" "ultra":
│   92:     enabled = true
│
│ An argument named "enabled" is not expected here.
╵
```
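To make the mismatch concrete, here is an added example (not KICS code and not the azurerm provider): a small Python model that contrasts the rule's current logic, as described above (pass only when `encryption_settings.enabled == true`), with a schema-aware variant that reports the encryption mode and flags arguments OpenTofu/Terraform would reject. The resource dicts are constructed to mirror the two blocks from this issue plus a disk using a Disk Encryption Set; the assumption that KICS exposes parsed HCL as maps with nested blocks as lists of maps, the placeholder `disk_encryption_set_id`, and the function names are all mine.

```python
# Added example, not KICS code: model of the azurerm_managed_disk encryption check.
from typing import Any, Dict, List, Optional

# Nested blocks the azurerm provider defines under encryption_settings
# (per the provider's encryption_settings.go linked in the issue).
ENCRYPTION_SETTINGS_BLOCKS = {"disk_encryption_key", "key_encryption_key"}


def _first_block(value: Any) -> Optional[Dict[str, Any]]:
    """Return the first instance of a parsed HCL block, or None if absent.
    Assumption: parsed HCL represents nested blocks as a list of maps."""
    if value is None:
        return None
    if isinstance(value, list):
        return value[0] if value else {}
    return value


def legacy_rule_fires(disk: Dict[str, Any]) -> bool:
    """Model of the current rule as the issue describes it: the disk only
    passes when encryption_settings.enabled == true, an argument the
    provider schema does not define."""
    settings = _first_block(disk.get("encryption_settings"))
    return settings is None or settings.get("enabled") is not True


def classify_disk(disk: Dict[str, Any]) -> Dict[str, Any]:
    """Schema-aware check: report how the disk is encrypted and list any
    encryption_settings contents that `tofu validate` would reject."""
    problems: List[str] = []
    settings = _first_block(disk.get("encryption_settings"))
    if settings is not None:
        for key in settings:
            if key not in ENCRYPTION_SETTINGS_BLOCKS:
                problems.append(f'unsupported argument "{key}" in encryption_settings')
        if "disk_encryption_key" not in settings:
            problems.append("encryption_settings needs at least one disk_encryption_key block")

    if disk.get("disk_encryption_set_id"):
        mode = "cmk_disk_encryption_set"   # customer-managed key via a Disk Encryption Set
    elif settings is not None and "disk_encryption_key" in settings:
        mode = "cmk_encryption_settings"   # key material referenced from a Key Vault secret
    else:
        mode = "pmk_default"               # platform-managed key, Azure's default at rest
    return {"mode": mode, "schema_problems": problems}


# Constructed sample resources (attribute maps of azurerm_managed_disk resources).
PLAIN_DISK = {
    "name": "ultradisk",
    "storage_account_type": "UltraSSD_LRS",
    "create_option": "Empty",
    "disk_size_gb": "200",
    "network_access_policy": "DenyAll",
}

# The remediation the rule suggests: an `enabled` argument the schema lacks.
SUGGESTED_FIX_DISK = {**PLAIN_DISK, "encryption_settings": [{"enabled": True}]}

# A CMK-encrypted disk; the resource id is a placeholder, not a real Disk Encryption Set.
CMK_DISK = {
    **PLAIN_DISK,
    "disk_encryption_set_id": (
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
        "/providers/Microsoft.Compute/diskEncryptionSets/example-des"
    ),
}

if __name__ == "__main__":
    for label, disk in [("plain", PLAIN_DISK), ("suggested fix", SUGGESTED_FIX_DISK), ("cmk", CMK_DISK)]:
        print(f"{label:14} legacy rule fires={legacy_rule_fires(disk)!s:5} {classify_disk(disk)}")
```

Running it shows the inversion the issue reports: the current logic fires on the plain disk and on the CMK disk, while passing the suggested block that validation rejects; the schema-aware variant instead reports `pmk_default` or `cmk_disk_encryption_set` and surfaces the unsupported `enabled` argument and the missing `disk_encryption_key` block as the only real defects.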
Steps to Reproduce the Problem
(Command line arguments and flags used)
- docker run --rm -v .:/path checkmarx/kics scan -p /path --exclude-severities 'info,low'
Specifications
(N/A if not applicable)
- Version: v2.1.10
- Platform: docker