Azure Container Registry With No Locks
- Query id: 581dae78-307d-45d5-aae4-fe2b0db267a5
- Query name: Azure Container Registry With No Locks
- Platform: Ansible
- Severity: High
- Category: Insecure Configurations
- URL: Github
Description¶
Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
- name: Create an azure container registry
azure_rm_containerregistry:
name: myRegistry
location: eastus
resource_group: myResourceGroupFake
admin_user_enabled: true
sku: Premium
tags:
Release: beta1
Environment: Production
- name: Create a lock for a resource group
azure_rm_lock:
resource_group: myResourceGroup32
name: myLock
level: read_only
- name: Create an azure container registry2
azure.azcollection.azure_rm_containerregistry:
name: myRegistry
location: eastus
resource_group: someResourceGroup
admin_user_enabled: "true"
sku: Premium
tags:
Release: beta1
Environment: Production
Positive test num. 2 - yaml file
- name: Create an azure container registryy1
azure.azcollection.azure_rm_containerregistry:
name: myRegistry
location: eastus
admin_user_enabled: "true"
sku: Premium
tags:
Release: beta1
Environment: Production
register: acr
- name: "Create lock for ACR1"
azure.azcollection.azure_rm_lock:
managed_resource_id: "{{ acr3.id }}"
name: "acr_lock"
level: can_not_delete
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
- name: Create an azure container registry
azure_rm_containerregistry:
name: myRegistry
location: eastus
resource_group: myResourceGroup
admin_user_enabled: true
sku: Premium
tags:
Release: beta1
Environment: Production
- name: Create a lock for a resource group
azure_rm_lock:
resource_group: myResourceGroup
name: myLock
level: read_only
Negative test num. 2 - yaml file
- name: Create an azure container registry11
azure.azcollection.azure_rm_containerregistry:
name: myRegistry
location: eastus
admin_user_enabled: "true"
sku: Premium
tags:
Release: beta1
Environment: Production
register: acr2
- name: "Create lock for ACR11"
azure.azcollection.azure_rm_lock:
managed_resource_id: "{{ acr2.id }}"
name: "acr_lock"
level: can_not_delete