# No ROS Stack Policy
- Query id: 72ceb736-0aee-43ea-a191-3a69ab135681
- Query name: No ROS Stack Policy
- Platform: Terraform
- Severity: Medium
- Category: Resource Management
- CWE: Ongoing
- URL: Github
## Description

An ROS stack should define a stack policy, both the standing policy (`stack_policy_body`) and the policy applied while an update is in progress (`stack_policy_during_update_body`), so that stack resources are protected from unintended changes during update actions.

Documentation
## Code samples

### Code samples with security vulnerabilities

#### Positive test num. 1 - tf file

```tf
resource "alicloud_ros_stack" "pos" {
  stack_name    = "tf-testaccstack"
  template_body = <<EOF
{
  "ROSTemplateFormatVersion": "2015-09-01"
}
EOF
}
```
#### Positive test num. 2 - tf file

```tf
resource "alicloud_ros_stack" "pos2" {
  stack_name    = "tf-testaccstack"
  template_body = <<EOF
{
  "ROSTemplateFormatVersion": "2015-09-01"
}
EOF
  stack_policy_body = <<EOF
{
  "Statement": [{
    "Action": "Update:Delete",
    "Resource": "*",
    "Effect": "Allow",
    "Principal": "*"
  }]
}
EOF
}
```
#### Positive test num. 3 - tf file

```tf
resource "alicloud_ros_stack" "pos3" {
  stack_name    = "tf-testaccstack"
  template_body = <<EOF
{
  "ROSTemplateFormatVersion": "2015-09-01"
}
EOF
  stack_policy_during_update_body = <<EOF
{
  "Statement": [{
    "Action": "Update:Delete",
    "Resource": "*",
    "Effect": "Allow",
    "Principal": "*"
  }]
}
EOF
}
```
### Code samples without security vulnerabilities

#### Negative test num. 1 - tf file

```tf
resource "alicloud_ros_stack" "neg1" {
  stack_name    = "tf-testaccstack"
  template_body = <<EOF
{
  "ROSTemplateFormatVersion": "2015-09-01"
}
EOF
  stack_policy_body = <<EOF
{
  "Statement": [{
    "Action": "Update:Delete",
    "Resource": "*",
    "Effect": "Allow",
    "Principal": "*"
  }]
}
EOF
  stack_policy_during_update_body = <<EOF
{
  "Statement": [{
    "Action": "Update:Delete",
    "Resource": "*",
    "Effect": "Allow",
    "Principal": "*"
  }]
}
EOF
}
```
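The rule the samples above illustrate, reduced to a stand-alone checker (an added example, not the KICS query's own Rego): scan a Terraform file for `alicloud_ros_stack` resources and report any that lack `stack_policy_body` or `stack_policy_during_update_body`. The heredoc-aware scanning and the embedded sample input are constructed here; like the query, the check tests only for the attributes' presence, not the policy content.

```python
import re

RESOURCE_RE = re.compile(r'^\s*resource\s+"alicloud_ros_stack"\s+"([^"]+)"\s*\{')
ATTR_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=')
HEREDOC_RE = re.compile(r'<<-?\s*([A-Za-z_][A-Za-z0-9_]*)\s*$')
REQUIRED = ("stack_policy_body", "stack_policy_during_update_body")
# Constructed sample, not the page's test files: "pos2" sets one policy, "neg1" both.
SAMPLE_TF = '''
resource "alicloud_ros_stack" "pos2" {
  stack_name    = "tf-testaccstack"
  template_body = <<EOF
{ "ROSTemplateFormatVersion": "2015-09-01" }
EOF
  stack_policy_body = <<EOF
{ "Statement": [{ "Action": "Update:Delete", "Resource": "*", "Effect": "Allow", "Principal": "*" }] }
EOF
}
resource "alicloud_ros_stack" "neg1" {
  stack_policy_body               = "{ \\"Statement\\": [] }"
  stack_policy_during_update_body = "{ \\"Statement\\": [] }"
}
'''

def ros_stack_attrs(tf_text):
    """Map each alicloud_ros_stack resource name to its top-level attribute names."""
    stacks, lines, i = {}, tf_text.splitlines(), 0
    while i < len(lines):
        m = RESOURCE_RE.match(lines[i])
        i += 1
        if not m:
            continue
        name, depth, attrs = m.group(1), 1, set()
        while i < len(lines) and depth > 0:
            line = lines[i]
            i += 1
            if depth == 1 and (a := ATTR_RE.match(line)):
                attrs.add(a.group(1))
            h = HEREDOC_RE.search(line)
            if h:  # jump past the heredoc terminator; braces in the JSON body must not alter depth
                i = next(j for j in range(i, len(lines)) if lines[j].strip() == h.group(1)) + 1
            else:
                depth += line.count("{") - line.count("}")
        stacks[name] = attrs
    return stacks

def find_missing_stack_policies(tf_text):
    return {name: [r for r in REQUIRED if r not in attrs]
            for name, attrs in ros_stack_attrs(tf_text).items()
            if any(r not in attrs for r in REQUIRED)}
```

Running `find_missing_stack_policies(SAMPLE_TF)` flags `pos2` for the missing `stack_policy_during_update_body` and leaves `neg1` clean, matching the positive and negative samples on this page.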