AKS Disk Encryption Set ID Undefined

  • Query id: b17d8bb8-4c08-4785-867e-cb9e62a622aa
  • Query name: AKS Disk Encryption Set ID Undefined
  • Platform: Terraform
  • Severity: Medium
  • Category: Encryption
  • URL: Github

Description

Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "azurerm_kubernetes_cluster" "positive" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "azurerm_kubernetes_cluster" "negative" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"

  disk_encryption_set_id = "id"

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }
}


resource "azurerm_kubernetes_cluster" "negative" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
    os_disk_type = "Ephemeral"
  }
}