Beta - VM Without Managed Disk
- Query id: 0536c90c-714e-4184-991e-3fed8d8b7b46
- Query name: Beta - VM Without Managed Disk
- Platform: Terraform
- Severity: Medium
- Category: Resource Management
- CWE: 922
- Risk score: 3.0
- URL: Github
Description
Virtual machine resources should use a managed disk, for encryption, resilience and lower cost.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
resource "azurerm_virtual_machine" "positive1" {
  # Flagged: no storage_os_disk block at all, so the OS disk is never declared
  # and no managed disk can be configured (the block is technically required).
  name                  = "${var.prefix}-vm"
  resource_group_name   = azurerm_resource_group.positive1.name
  location              = azurerm_resource_group.positive1.location
  vm_size               = "Standard_DS1_v2"
  network_interface_ids = [azurerm_network_interface.main.id]
}
resource "azurerm_virtual_machine" "positive1_2" {
  name                  = "${var.prefix}-vm"
  resource_group_name   = azurerm_resource_group.positive1_2.name
  location              = azurerm_resource_group.positive1_2.location
  vm_size               = "Standard_DS1_v2"
  network_interface_ids = [azurerm_network_interface.main.id]

  # Flagged: vhd_uri points the OS disk at a page blob in a storage account,
  # i.e. an unmanaged disk; neither managed_disk_type nor managed_disk_id is set.
  storage_os_disk {
    name          = "myosdisk1"
    create_option = "FromImage"
    vhd_uri       = "https://<storageaccount>.blob.core.windows.net/<container>/<diskname>.vhd"
  }
}
resource "azurerm_virtual_machine" "positive1_3" {
  name                  = "${var.prefix}-vm"
  resource_group_name   = azurerm_resource_group.positive1_3.name
  location              = azurerm_resource_group.positive1_3.location
  vm_size               = "Standard_DS1_v2"
  network_interface_ids = [azurerm_network_interface.main.id]

  # Flagged: the storage_os_disk block is present but sets neither
  # managed_disk_type nor managed_disk_id, so no managed disk is requested.
  storage_os_disk {
    name          = "myosdisk1"
    create_option = "FromImage"
  }
}
Positive test num. 2 - tf file
resource "azurerm_linux_virtual_machine" "positive2" {
  # Flagged: os_managed_disk_id is absent, so the VM is not tied to a managed
  # disk resource.
  name                = "positive2-machine"
  location            = azurerm_resource_group.positive2.location
  resource_group_name = azurerm_resource_group.positive2.name
  size                = "Standard_F2"
  admin_username      = "adminuser"
}
Positive test num. 3 - tf file
resource "azurerm_windows_virtual_machine" "positive3" {
  # Flagged: os_managed_disk_id is absent, so the VM is not tied to a managed
  # disk resource.
  name                = "positive3-machine"
  location            = azurerm_resource_group.positive3.location
  resource_group_name = azurerm_resource_group.positive3.name
  size                = "Standard_F2"
  admin_username      = "adminuser"
}
Positive test num. 4 - tf file
resource "azurerm_virtual_machine_scale_set" "positive4_1" {
  name                = "vmss-premium-positive4_1"
  resource_group_name = azurerm_resource_group.positive4_1.name
  location            = azurerm_resource_group.positive4_1.location
  upgrade_policy_mode = "Manual"

  # Flagged: vhd_containers places the instance OS disks in storage-account
  # blob containers (unmanaged) instead of declaring managed_disk_type.
  storage_profile_os_disk {
    caching       = "ReadOnly"
    create_option = "FromImage"
    vhd_containers = [
      "https://mystorageaccount.blob.core.windows.net/vhds/",
    ]
  }
}
resource "azurerm_virtual_machine_scale_set" "positive4_2" {
  name                = "vmss-premium-positive4_2"
  resource_group_name = azurerm_resource_group.positive4_2.name
  location            = azurerm_resource_group.positive4_2.location
  upgrade_policy_mode = "Manual"

  # Flagged: image references a custom OS VHD blob rather than setting
  # managed_disk_type, so the OS disk stays unmanaged.
  storage_profile_os_disk {
    caching       = "ReadOnly"
    create_option = "FromImage"
    # os_type must be given whenever image is used.
    os_type = "Linux"
    image   = "https://mystorageaccount.blob.core.windows.net/system/Microsoft.Compute/Images/custom-os-image/osDisk.vhd"
  }
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
resource "azurerm_virtual_machine" "negative1_1" {
  name                  = "${var.prefix}-vm"
  resource_group_name   = azurerm_resource_group.negative1_1.name
  location              = azurerm_resource_group.negative1_1.location
  vm_size               = "Standard_DS1_v2"
  network_interface_ids = [azurerm_network_interface.main.id]

  # Compliant: managed_disk_type asks the platform to create a managed OS disk
  # of the given storage type.
  storage_os_disk {
    name              = "myosdisk1"
    create_option     = "FromImage"
    caching           = "ReadWrite"
    managed_disk_type = "Standard_LRS"
  }
}
resource "azurerm_virtual_machine" "negative1_2" {
  name                  = "${var.prefix}-vm"
  resource_group_name   = azurerm_resource_group.negative1_2.name
  location              = azurerm_resource_group.negative1_2.location
  vm_size               = "Standard_DS1_v2"
  network_interface_ids = [azurerm_network_interface.negative1_2.id]

  # Compliant: create_option "Attach" together with managed_disk_id attaches an
  # existing Microsoft.Compute/disks resource, i.e. a managed disk.
  storage_os_disk {
    name            = "myosdisk1"
    create_option   = "Attach"
    caching         = "ReadWrite"
    managed_disk_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Compute/disks/myManagedDisk"
  }
}
Negative test num. 2 - tf file
resource "azurerm_linux_virtual_machine" "negative2" {
  name                = "negative2-machine"
  location            = azurerm_resource_group.negative2.location
  resource_group_name = azurerm_resource_group.negative2.name
  size                = "Standard_F2"
  admin_username      = "adminuser"

  # Compliant: the OS disk is an explicitly declared azurerm_managed_disk.
  os_managed_disk_id = azurerm_managed_disk.negative2.id
}
Negative test num. 3 - tf file
resource "azurerm_windows_virtual_machine" "negative3" {
  name                = "negative3-machine"
  location            = azurerm_resource_group.negative3.location
  resource_group_name = azurerm_resource_group.negative3.name
  size                = "Standard_F2"
  admin_username      = "adminuser"

  # Compliant: the OS disk is an explicitly declared azurerm_managed_disk.
  os_managed_disk_id = azurerm_managed_disk.negative3.id
}
Negative test num. 4 - tf file
resource "azurerm_virtual_machine_scale_set" "negative4" {
  name                = "vmss-ssd-negative4"
  resource_group_name = azurerm_resource_group.negative4.name
  location            = azurerm_resource_group.negative4.location
  upgrade_policy_mode = "Manual"

  # Compliant: managed_disk_type gives every instance a managed OS disk of the
  # given storage type; no vhd_containers or image VHD is referenced.
  storage_profile_os_disk {
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "StandardSSD_LRS"
  }
}