Virtual Network with DDoS Protection Plan disabled
- Query id: b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a
- Query name: Virtual Network with DDoS Protection Plan disabled
- Platform: Terraform
- Severity: Medium
- Category: Availability
- URL: Github
Description
A Virtual Network should have a DDoS Protection Plan enabled
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# Resource group that holds every other resource in this sample.
resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}
# Network security group; only subnet3 of the virtual network below references it.
# It is unrelated to the DDoS-plan check this query performs.
resource "azurerm_network_security_group" "example" {
  name                = "acceptanceTestSecurityGroup1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}
# DDoS Protection Plan. Declaring the plan is not sufficient on its own: a
# virtual network is only covered once it references the plan in a
# `ddos_protection_plan` block with `enable = true`.
resource "azurerm_network_ddos_protection_plan" "example" {
  name                = "ddospplan1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}
# POSITIVE (flagged by the query): this virtual network has no
# `ddos_protection_plan` block at all, so the plan declared above is never
# attached and the network is left without DDoS protection. To remediate, add
#   ddos_protection_plan {
#     id     = azurerm_network_ddos_protection_plan.example.id
#     enable = true
#   }
resource "azurerm_virtual_network" "positive1" {
  name                = "virtualNetwork1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  address_space       = ["10.0.0.0/16"]
  dns_servers         = ["10.0.0.4", "10.0.0.5"]

  subnet {
    name           = "subnet1"
    address_prefix = "10.0.1.0/24"
  }

  subnet {
    name           = "subnet2"
    address_prefix = "10.0.2.0/24"
  }

  # Only this subnet is associated with the network security group.
  subnet {
    name           = "subnet3"
    address_prefix = "10.0.3.0/24"
    security_group = azurerm_network_security_group.example.id
  }

  tags = {
    environment = "Production"
  }
}
Positive test num. 2 - tf file
# Resource group that holds every other resource in this sample.
resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}
# Network security group; only subnet3 of the virtual network below references it.
# It is unrelated to the DDoS-plan check this query performs.
resource "azurerm_network_security_group" "example" {
  name                = "acceptanceTestSecurityGroup1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}
# DDoS Protection Plan. The virtual network below does reference it, but with
# `enable = false`, which leaves the network unprotected.
resource "azurerm_network_ddos_protection_plan" "example" {
  name                = "ddospplan1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}
# POSITIVE (flagged by the query): the plan is referenced but explicitly
# disabled with `enable = false`, which the query treats the same as having no
# plan attached. Set `enable = true` to remediate.
resource "azurerm_virtual_network" "positive1" {
  name                = "virtualNetwork1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  address_space       = ["10.0.0.0/16"]
  dns_servers         = ["10.0.0.4", "10.0.0.5"]

  # Plan is attached here, but `enable = false` is the defect under test.
  ddos_protection_plan {
    id     = azurerm_network_ddos_protection_plan.example.id
    enable = false
  }

  subnet {
    name           = "subnet1"
    address_prefix = "10.0.1.0/24"
  }

  subnet {
    name           = "subnet2"
    address_prefix = "10.0.2.0/24"
  }

  # Only this subnet is associated with the network security group.
  subnet {
    name           = "subnet3"
    address_prefix = "10.0.3.0/24"
    security_group = azurerm_network_security_group.example.id
  }

  tags = {
    environment = "Production"
  }
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
# Resource group that holds every other resource in this sample.
resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}
# Network security group; only subnet3 of the virtual network below references it.
# It is unrelated to the DDoS-plan check this query performs.
resource "azurerm_network_security_group" "example" {
  name                = "acceptanceTestSecurityGroup1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}
# DDoS Protection Plan, attached to and enabled on the virtual network below.
resource "azurerm_network_ddos_protection_plan" "example" {
  name                = "ddospplan1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}
# NEGATIVE (passes the query): the virtual network references the DDoS
# Protection Plan in a `ddos_protection_plan` block with `enable = true`. Both
# the reference and the explicit `enable = true` are required.
resource "azurerm_virtual_network" "negative1" {
  name                = "virtualNetwork1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  address_space       = ["10.0.0.0/16"]
  dns_servers         = ["10.0.0.4", "10.0.0.5"]

  # This block is what satisfies the query.
  ddos_protection_plan {
    id     = azurerm_network_ddos_protection_plan.example.id
    enable = true
  }

  subnet {
    name           = "subnet1"
    address_prefix = "10.0.1.0/24"
  }

  subnet {
    name           = "subnet2"
    address_prefix = "10.0.2.0/24"
  }

  # Only this subnet is associated with the network security group.
  subnet {
    name           = "subnet3"
    address_prefix = "10.0.3.0/24"
    security_group = azurerm_network_security_group.example.id
  }

  tags = {
    environment = "Production"
  }
}