Unrestricted Databricks ACL

  • Query id: 2c4fe4a9-f44b-4c70-b09b-5b75cd251805
  • Query name: Unrestricted Databricks ACL
  • Platform: Terraform
  • Severity: High
  • Category: Networking and Firewall
  • URL: Github

Description

The Databricks IP access list (ACL) allows ingress from 0.0.0.0/0 and/or ::/0, so the workspace is reachable from any IPv4 or IPv6 address.

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "databricks_workspace_conf" "positive1" {
  custom_config = {
    "enableIpAccessLists" : true
  }
}

resource "databricks_ip_access_list" "positive1" {
  label     = "allow_in"
  list_type = "ALLOW"
  ip_addresses = [
    "0.0.0.0/0",
    "1.2.5.0/24"
  ]
  depends_on = [databricks_workspace_conf.positive1]
}
Positive test num. 2 - tf file
resource "databricks_workspace_conf" "positive2" {
  custom_config = {
    "enableIpAccessLists" : true
  }
}

resource "databricks_ip_access_list" "positive2" {
  label     = "allow_in"
  list_type = "ALLOW"
  ip_addresses = [
    "::/0",
    "1.2.5.0/24"
  ]
  depends_on = [databricks_workspace_conf.positive2]
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "databricks_workspace_conf" "negative" {
  custom_config = {
    "enableIpAccessLists" : true
  }
}

resource "databricks_ip_access_list" "negative" {
  label     = "allow_in"
  list_type = "ALLOW"
  ip_addresses = [
    "1.2.3.0/24",
    "1.2.5.0/24"
  ]
  depends_on = [databricks_workspace_conf.negative]
}
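A standalone check for the same condition, written here as an added example rather than KICS's own Rego query: it pulls every databricks_ip_access_list resource out of an HCL file, skips lists whose list_type is not ALLOW (a BLOCK list containing 0.0.0.0/0 denies everyone, which is a different finding), and flags any entry whose prefix length is zero, so equivalent spellings such as 0::/0 are caught as well. The Terraform snippet inside the block is constructed from the page's samples plus one BLOCK list; the regex-based extraction is an assumption that stands in for a real HCL parser.

```python
import ipaddress
import re

# Constructed sample mirroring the page's positive/negative tests, plus a BLOCK list.
SAMPLE_TF = '''
resource "databricks_ip_access_list" "positive1" {
  list_type    = "ALLOW"
  ip_addresses = ["0.0.0.0/0", "1.2.5.0/24"]
}
resource "databricks_ip_access_list" "positive2" {
  list_type    = "ALLOW"
  ip_addresses = ["::/0", "1.2.5.0/24"]
}
resource "databricks_ip_access_list" "negative" {
  list_type    = "ALLOW"
  ip_addresses = ["1.2.3.0/24", "1.2.5.0/24"]
}
resource "databricks_ip_access_list" "block_all" {
  list_type    = "BLOCK"
  ip_addresses = ["0.0.0.0/0"]
}
'''
# Minimal HCL extraction (assumption: bodies of this resource type contain no nested braces).
RESOURCE_RE = re.compile(
    r'resource\s+"databricks_ip_access_list"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\n\}', re.S)
LIST_TYPE_RE = re.compile(r'list_type\s*=\s*"([A-Z]+)"')
ADDRS_RE = re.compile(r'ip_addresses\s*=\s*\[([^\]]*)\]', re.S)

def is_catch_all(cidr: str) -> bool:
    """True when the entry spans a whole address family (0.0.0.0/0, ::/0, or spellings like 0::/0)."""
    try:
        return ipaddress.ip_network(cidr.strip(), strict=False).prefixlen == 0
    except ValueError:
        return False  # not an IP/CIDR literal (e.g. a variable reference); other checks handle it

def find_unrestricted_acls(hcl: str) -> list:
    """Return (resource name, offending entry) for each ALLOW list that admits every address."""
    findings = []
    for res in RESOURCE_RE.finditer(hcl):
        body = res.group("body")
        list_type = LIST_TYPE_RE.search(body)
        if not list_type or list_type.group(1) != "ALLOW":
            continue  # BLOCK lists are not "unrestricted", whatever they contain
        addrs = ADDRS_RE.search(body)
        for cidr in re.findall(r'"([^"]+)"', addrs.group(1) if addrs else ""):
            if is_catch_all(cidr):
                findings.append((res.group("name"), cidr))
    return findings

if __name__ == "__main__":
    print(find_unrestricted_acls(SAMPLE_TF))
```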