Azure Container Registry With No Locks
- Query id: a187ac47-8163-42ce-8a63-c115236be6fb
- Query name: Azure Container Registry With No Locks
- Platform: Terraform
- Severity: High
- Category: Insecure Configurations
- CWE: 639
- URL: Github
Description
An 'azurerm_container_registry' should have an associated 'azurerm_management_lock': the 'scope' of some 'azurerm_management_lock' resource must reference the registry's id. A 'CanNotDelete' lock stops the registry, and every image it hosts, from being deleted by accident or by a compromised identity that holds only Contributor-level rights on the resource; a 'ReadOnly' lock additionally blocks control-plane modification. Locks are a safety net rather than an access control: a principal allowed to write 'Microsoft.Authorization/locks' (the Owner and User Access Administrator built-in roles) can remove the lock first, so RBAC on the registry and its resource group still needs to be tight. Note also that Azure applies a lock placed on the parent resource group or subscription to the resources inside it, but this query only recognises a lock whose scope is the registry itself.
Documentation
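The check can also be reproduced outside KICS against a Terraform plan. The following Python script is an added example, not KICS's own Rego query and not code from this page: it reads the output of 'terraform show -json plan.out' and reports every root-module 'azurerm_container_registry' that no 'azurerm_management_lock' scope references. It assumes the plan JSON layout in which each attribute expression that refers to another resource carries a 'references' list holding both the attribute path and the bare resource address (for example 'azurerm_container_registry.acr.id' and 'azurerm_container_registry.acr'). The two embedded sample plans are constructed by hand to mirror the positive and negative test files below, with the positive case's lock pointed at a hypothetical 'azurerm_public_ip.pip' rather than the undeclared 'acr1', since a reference to an undeclared resource makes 'terraform plan' fail before any plan JSON exists.

```python
"""Report azurerm_container_registry resources that no azurerm_management_lock
targets, mirroring the KICS query above.

Added example, not KICS's own query. Assumption: the input is the JSON that
`terraform show -json plan.out` prints, whose "configuration" section lists
every resource block with an "expressions" map; an attribute that refers to
another resource carries a "references" list such as
["azurerm_container_registry.acr.id", "azurerm_container_registry.acr"].
Only the root module is inspected.
"""
import json
import sys

REGISTRY_TYPE = "azurerm_container_registry"
LOCK_TYPE = "azurerm_management_lock"


def _root_resources(plan):
    """Resource blocks declared in the root module's configuration."""
    return plan.get("configuration", {}).get("root_module", {}).get("resources", [])


def _resource_address(ref):
    """Reduce a reference such as 'azurerm_container_registry.acr[0].id' to
    the bare address 'azurerm_container_registry.acr'."""
    return ".".join(ref.split(".")[:2]).split("[")[0]


def locked_scopes(plan):
    """Map each resource address that a lock's scope references to the set of
    lock levels applied to it ('CanNotDelete' and/or 'ReadOnly')."""
    scopes = {}
    for res in _root_resources(plan):
        if res.get("type") != LOCK_TYPE:
            continue
        exprs = res.get("expressions", {})
        level = exprs.get("lock_level", {}).get("constant_value")
        for ref in exprs.get("scope", {}).get("references", []):
            scopes.setdefault(_resource_address(ref), set()).add(level)
    return scopes


def find_unlocked_registries(plan):
    """Addresses of registries with no lock scoped to them: what the query
    above reports. A registry counts as locked only when some lock's scope
    references it directly; a lock on the parent resource group is not seen
    here even though Azure would apply it to the registry."""
    locked = locked_scopes(plan)
    return sorted(
        f"{res['type']}.{res['name']}"
        for res in _root_resources(plan)
        if res.get("type") == REGISTRY_TYPE
        and f"{res['type']}.{res['name']}" not in locked
    )


def sample_plan(lock_scope_refs):
    """Constructed plan JSON (not real Terraform output): one registry named
    'acr' and one CanNotDelete lock whose scope is `lock_scope_refs`."""
    return {
        "format_version": "1.2",
        "configuration": {"root_module": {"resources": [
            {"address": "azurerm_container_registry.acr", "mode": "managed",
             "type": REGISTRY_TYPE, "name": "acr",
             "expressions": {"name": {"constant_value": "containerRegistry1"},
                             "sku": {"constant_value": "Standard"},
                             "admin_enabled": {"constant_value": False}}},
            {"address": "azurerm_management_lock.public-ip", "mode": "managed",
             "type": LOCK_TYPE, "name": "public-ip",
             "expressions": {"scope": {"references": lock_scope_refs},
                             "lock_level": {"constant_value": "CanNotDelete"}}},
        ]}},
    }


# Mirrors the positive test: the lock exists but is scoped to a hypothetical
# public IP, so the registry itself is unprotected.
UNLOCKED_PLAN = sample_plan(["azurerm_public_ip.pip.id", "azurerm_public_ip.pip"])
# Mirrors the negative test: the lock's scope is the registry's id.
LOCKED_PLAN = sample_plan(["azurerm_container_registry.acr.id",
                           "azurerm_container_registry.acr"])

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = UNLOCKED_PLAN
    for addr in find_unlocked_registries(plan):
        print(f"{addr}: no azurerm_management_lock is scoped to this registry")
```

Run it as 'python check_acr_locks.py plan.json' after 'terraform plan -out plan.out' and 'terraform show -json plan.out > plan.json'. A scope supplied through a variable or a data source cannot be resolved from the 'configuration' section alone and is reported as unlocked; for those cases compare against 'terraform show -json' of the applied state instead, where the lock's 'scope' and the registry's 'id' are concrete resource IDs.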
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
    resource "azurerm_container_registry" "acr" {
      name                = "containerRegistry1"
      resource_group_name = azurerm_resource_group.rg.name
      location            = azurerm_resource_group.rg.location
      sku                 = "Standard"
      admin_enabled       = false
    }

    # The lock's scope references 'acr1', not the registry 'acr' declared
    # above (no resource named 'acr1' exists here at all), so 'acr' has no
    # lock associated with it and the query reports it.
    resource "azurerm_management_lock" "public-ip" {
      name       = "resource-ip"
      scope      = azurerm_container_registry.acr1.id
      lock_level = "CanNotDelete"
      notes      = "Locked because it's needed by a third-party"
    }
Code samples without security vulnerabilities
Negative test num. 1 - tf file
    resource "azurerm_container_registry" "acr" {
      name                = "containerRegistry1"
      resource_group_name = azurerm_resource_group.rg.name
      location            = azurerm_resource_group.rg.location
      sku                 = "Standard"
      admin_enabled       = false
    }

    # The lock's scope is the id of the registry declared above, so the
    # CanNotDelete lock applies to 'acr' and the query is satisfied.
    resource "azurerm_management_lock" "public-ip" {
      name       = "resource-ip"
      scope      = azurerm_container_registry.acr.id
      lock_level = "CanNotDelete"
      notes      = "Locked because it's needed by a third-party"
    }