Beta - Recovery Services Vault Without Soft Delete

• Query id: b373043c-f3bf-40db-b67a-c982732c7781
• Query name: Beta - Recovery Services Vault Without Soft Delete
• Platform: Terraform
• Severity: High
• Category: Backup
• CWE: 754
• Risk score: 6.0
• URL: Github

Description

No 'azurerm_recovery_services_vault' resource should set 'soft_delete_enabled' to false, this makes it impossible to recover backup data
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file

resource "azurerm_recovery_services_vault" "positive" {
  name                = "positive-recovery-vault"
  location            = azurerm_resource_group.positive.location
  resource_group_name = azurerm_resource_group.positive.name
  sku                 = "Standard"

  soft_delete_enabled = false
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file

resource "azurerm_recovery_services_vault" "negative1" {
  name                = "negative1-recovery-vault"
  location            = azurerm_resource_group.negative1.location
  resource_group_name = azurerm_resource_group.negative1.name
  sku                 = "Standard"

  # "soft_delete_enabled" missing - defaults to true
}

resource "azurerm_recovery_services_vault" "negative2" {
  name                = "negative2-recovery-vault"
  location            = azurerm_resource_group.negative2.location
  resource_group_name = azurerm_resource_group.negative2.name
  sku                 = "Standard"

  soft_delete_enabled = true
}