Azure Container Registry With No Locks

  • Query id: 581dae78-307d-45d5-aae4-fe2b0db267a5
  • Query name: Azure Container Registry With No Locks
  • Platform: Ansible
  • Severity: High
  • Category: Insecure Configurations
  • URL: Github

Description

An Azure Container Registry created with 'azurerm_containerregistry' should have an associated resource lock: either an 'azure_rm_lock' task whose 'managed_resource_id' references the registry (for example the registered result of the registry task), or one whose 'resource_group' matches the resource group the registry is created in. Without such a lock the registry can be deleted or modified by any principal with write access.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: Create an azure container registry
  azure_rm_containerregistry:
    name: myRegistry
    location: eastus
    resource_group: myResourceGroupFake
    admin_user_enabled: true
    sku: Premium
    tags:
      Release: beta1
      Environment: Production
- name: Create a lock for a resource group
  azure_rm_lock:
    resource_group: myResourceGroup32
    name: myLock
    level: read_only
- name: Create an azure container registry2
  azure.azcollection.azure_rm_containerregistry:
    name: myRegistry
    location: eastus
    resource_group: someResourceGroup
    admin_user_enabled: "true"
    sku: Premium
    tags:
      Release: beta1
      Environment: Production

Positive test num. 2 - yaml file
- name: Create an azure container registryy1
  azure.azcollection.azure_rm_containerregistry:
    name: myRegistry
    location: eastus
    admin_user_enabled: "true"
    sku: Premium
    tags:
      Release: beta1
      Environment: Production
  register: acr
- name: "Create lock for ACR1"
  azure.azcollection.azure_rm_lock:
    managed_resource_id: "{{ acr3.id }}"
    name: "acr_lock"
    level: can_not_delete

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: Create an azure container registry
  azure_rm_containerregistry:
    name: myRegistry
    location: eastus
    resource_group: myResourceGroup
    admin_user_enabled: true
    sku: Premium
    tags:
      Release: beta1
      Environment: Production
- name: Create a lock for a resource group
  azure_rm_lock:
    resource_group: myResourceGroup
    name: myLock
    level: read_only

Negative test num. 2 - yaml file
- name: Create an azure container registry11
  azure.azcollection.azure_rm_containerregistry:
    name: myRegistry
    location: eastus
    admin_user_enabled: "true"
    sku: Premium
    tags:
      Release: beta1
      Environment: Production
  register: acr2
- name: "Create lock for ACR11"
  azure.azcollection.azure_rm_lock:
    managed_resource_id: "{{ acr2.id }}"
    name: "acr_lock"
    level: can_not_delete
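The rule the description states and the four samples above illustrate, as an added Python example (not KICS's own implementation): it takes an Ansible task list already loaded by a YAML parser such as PyYAML and reports registries whose resource group is not locked and whose registered result is not referenced by a lock's managed_resource_id. The task lists at the bottom are constructed to echo the page's Positive test 2 and Negative test 1.

```python
import re

REGISTRY_MODULES = ("azure_rm_containerregistry",
                    "azure.azcollection.azure_rm_containerregistry")
LOCK_MODULES = ("azure_rm_lock", "azure.azcollection.azure_rm_lock")
# A lock's managed_resource_id usually points at a registered result: "{{ acr.id }}"
ID_REF = re.compile(r"^\{\{\s*(\w+)\.id\s*\}\}$")

def _params(task, module_names):
    """Return the module parameters if `task` uses one of `module_names`, else None."""
    for name in module_names:
        if isinstance(task.get(name), dict):
            return task[name]
    return None

def unlocked_registries(tasks):
    """Names of registry tasks with no lock on their resource group or their id."""
    locked_groups, locked_vars = set(), set()
    for task in tasks:  # first pass: collect what the locks actually cover
        lock = _params(task, LOCK_MODULES)
        if lock is None:
            continue
        if "resource_group" in lock:
            locked_groups.add(lock["resource_group"])
        ref = ID_REF.match(str(lock.get("managed_resource_id", "")))
        if ref:
            locked_vars.add(ref.group(1))
    findings = []
    for task in tasks:  # second pass: every registry must be matched by a lock
        acr = _params(task, REGISTRY_MODULES)
        if acr is None:
            continue
        if acr.get("resource_group") in locked_groups:
            continue  # a read_only / can_not_delete lock on the group covers it
        if task.get("register") in locked_vars:
            continue  # a lock references this registry's registered id
        findings.append(task.get("name", "<unnamed>"))
    return findings

# Constructed task lists (shape of yaml.safe_load output), not taken from a real playbook
FLAGGED = [  # the lock references acr3, but the registry was registered as acr
    {"name": "registry A", "register": "acr",
     "azure.azcollection.azure_rm_containerregistry": {"name": "myRegistry", "sku": "Premium"}},
    {"name": "lock A", "azure.azcollection.azure_rm_lock":
     {"managed_resource_id": "{{ acr3.id }}", "name": "acr_lock", "level": "can_not_delete"}},
]
CLEAN = [  # the lock is on the same resource group the registry is created in
    {"name": "registry B", "azure_rm_containerregistry":
     {"name": "myRegistry", "resource_group": "myResourceGroup", "sku": "Premium"}},
    {"name": "lock B", "azure_rm_lock":
     {"resource_group": "myResourceGroup", "name": "myLock", "level": "read_only"}},
]
```

Run it against a real playbook by replacing the constructed lists with `yaml.safe_load(open(path))` and passing each play's `tasks` list.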