Azure Container Registry With No Locks

  • Query id: a187ac47-8163-42ce-8a63-c115236be6fb
  • Query name: Azure Container Registry With No Locks
  • Platform: Terraform
  • Severity: High
  • Category: Insecure Configurations
  • CWE: 639
  • URL: Github

Description

Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry'
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "azurerm_container_registry" "acr" {
name = "containerRegistry1"
resource_group_name = azurerm_resource_group.rg.name
location = azurerm_resource_group.rg.location
sku = "Standard"
admin_enabled = false
}


resource "azurerm_management_lock" "public-ip" {
name = "resource-ip"
scope = azurerm_container_registry.acr1.id
lock_level = "CanNotDelete"
notes = "Locked because it's needed by a third-party"
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "azurerm_container_registry" "acr" {
name = "containerRegistry1"
resource_group_name = azurerm_resource_group.rg.name
location = azurerm_resource_group.rg.location
sku = "Standard"
admin_enabled = false
}


resource "azurerm_management_lock" "public-ip" {
name = "resource-ip"
scope = azurerm_container_registry.acr.id
lock_level = "CanNotDelete"
notes = "Locked because it's needed by a third-party"
}