Beta - Storage Account Without Delete Lock

  • Query id: 0cc95bf8-9b98-4278-ad9f-fea4aed3d271
  • Query name: Beta - Storage Account Without Delete Lock
  • Platform: Terraform
  • Severity: Low
  • Category: Availability
  • CWE: 862
  • Risk score: 1.0
  • URL: Github

Description

Resources of type 'azurerm_storage_account' should have an 'azurerm_management_lock' associated with them — scoped either to the storage account itself or to the resource group referenced by its 'resource_group_name', with 'lock_level' set to 'CanNotDelete' — to prevent users from accidentally or maliciously deleting the storage account.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
# Positive 1: the account is declared on its own. No azurerm_management_lock in this
# sample names this account (or a resource group it belongs to) as its scope, so the
# query reports it as unprotected against deletion.
resource "azurerm_storage_account" "example_pos1" {
  name                     = "examplestorageacct"
  location                 = azurerm_resource_group.example_pos1.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

# no azurerm_management_lock
Positive test num. 2 - tf file
# Positive 2: the account itself is fine; the finding comes from the lock that targets it
# (storage_delete_lock_pos2 below), whose lock_level is "ReadOnly" instead of "CanNotDelete".
# No resource_group_name is set, so the only association path is a lock scoped to this account's id.
resource "azurerm_storage_account" "example_pos2" {
  name                     = "examplestorageacct"
  location                 = azurerm_resource_group.example_pos2.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

# Positive 2: the scope is correct (the storage account's own id), but the query only
# accepts lock_level = "CanNotDelete" (compare Negative 1), so this lock does not satisfy it.
# NOTE(review): in Azure a ReadOnly lock also blocks deletes, and additionally blocks
# write/POST operations on the account; the query still treats it as the wrong level — confirm
# that is the intended policy before relying on this fixture.
resource "azurerm_management_lock" "storage_delete_lock_pos2" {
  name               = "storage-delete-lock"
  scope              = azurerm_storage_account.example_pos2.id
  lock_level         = "ReadOnly"                                       # incorrect lock level: query expects "CanNotDelete"
  notes              = "Prevent accidental deletion of the storage account"
}
Positive test num. 3 - tf file
# Positive 3: resource group that example_pos3 is placed in (via its resource_group_name)
# and that storage_delete_lock_pos3 uses as its scope.
resource "azurerm_resource_group" "example_pos3" {
  name     = "example-resources"
  location = "West Europe"
}

# Positive 3: resource_group_name ties this account to azurerm_resource_group.example_pos3,
# so a group-scoped lock would be accepted as covering it (as in Negative 2). The finding
# is raised because the group's lock (storage_delete_lock_pos3) is "ReadOnly", not "CanNotDelete".
resource "azurerm_storage_account" "example_pos3" {
  name                     = "examplestorageacct"
  resource_group_name      = azurerm_resource_group.example_pos3.name
  location                 = azurerm_resource_group.example_pos3.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

# Positive 3: group-level scope is a valid association path for the query, but the
# lock_level is "ReadOnly"; the query requires "CanNotDelete" (compare Negative 2).
resource "azurerm_management_lock" "storage_delete_lock_pos3" {
  name               = "storage-delete-lock"
  scope              = azurerm_resource_group.example_pos3.id
  lock_level         = "ReadOnly"                                       # incorrect lock level: query expects "CanNotDelete"
  notes              = "Prevent accidental deletion of the storage account"
}

Positive test num. 4 - tf file
# Positive 4: resource group carrying a CanNotDelete lock (storage_delete_lock_pos4).
# The storage account in this sample never names this group in resource_group_name,
# so the query cannot attribute the group's lock to the account.
resource "azurerm_resource_group" "example_pos4" {
  name     = "example-resources"
  location = "West Europe"
}

# Positive 4: the group-scoped lock below has the right lock_level, but without
# resource_group_name the query has no link from this account to that group (only the
# location expression references the group, which is not an association), so it is flagged.
# NOTE(review): the azurerm provider requires resource_group_name on this resource type, so
# this fixture exercises the query's association logic rather than a deployable config — confirm.
resource "azurerm_storage_account" "example_pos4" {
  name                     = "examplestorageacct"
  # no resource_group_name to make association
  location                 = azurerm_resource_group.example_pos4.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

# Positive 4: scope and lock_level are both acceptable on their own; the sample is positive
# only because example_pos4 is not associated with this resource group (no resource_group_name).
resource "azurerm_management_lock" "storage_delete_lock_pos4" {
  name               = "storage-delete-lock"
  scope              = azurerm_resource_group.example_pos4.id
  lock_level         = "CanNotDelete"
  notes              = "Prevent accidental deletion of the storage account"
}
Positive test num. 5 - tf file
# Positive 5: resource group that example_pos5 belongs to. Neither lock in this sample
# scopes to it (both reference a different, undeclared name), so it carries no lock.
resource "azurerm_resource_group" "example_pos5" {
  name     = "example-resources"
  location = "West Europe"
}

# Positive 5: the account is correctly tied to its group via resource_group_name, and two
# CanNotDelete locks exist, but both scope to "not_example_pos5" resources that are not
# declared here. Neither lock resolves to this account or its group, so it is reported.
resource "azurerm_storage_account" "example_pos5" {
  name                     = "examplestorageacct"
  resource_group_name      = azurerm_resource_group.example_pos5.name
  location                 = azurerm_resource_group.example_pos5.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

# Positive 5 (lock 1): correct lock_level, but the scope points at a storage account
# "not_example_pos5" that does not exist in this sample, so it protects nothing the query tracks.
# NOTE(review): an unresolved reference like this would also fail `terraform validate`;
# the fixture is about reference matching, not a plannable configuration.
resource "azurerm_management_lock" "storage_delete_lock_pos5_1" {
  name               = "storage-delete-lock"
  scope              = azurerm_storage_account.not_example_pos5.id    # incorrect referencing: no such storage account
  lock_level         = "CanNotDelete"
  notes              = "Prevent accidental deletion of the storage account"
}

# Positive 5 (lock 2): same defect at group level — the scope names resource group
# "not_example_pos5", which is not the group example_pos5 belongs to, so the account stays unprotected.
resource "azurerm_management_lock" "storage_delete_lock_pos5_2" {
  name               = "storage-delete-lock"
  scope              = azurerm_resource_group.not_example_pos5.id      # incorrect referencing: no such resource group
  lock_level         = "CanNotDelete"
  notes              = "Prevent accidental deletion of the storage account"
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
# Negative 1: compliant because storage_delete_lock_neg1 below scopes directly to this
# account's id with lock_level "CanNotDelete". resource_group_name is absent, and the
# azurerm_resource_group.example it references for location is not declared in this sample;
# neither matters to the query here since the association is made through the lock's scope.
resource "azurerm_storage_account" "example_neg1" {
  name                     = "examplestorageacct"
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

# Negative 1: the reference shape the query accepts — scope is the storage account's own id
# and lock_level is "CanNotDelete". This is the narrowest lock: it affects only this account.
# NOTE(review): a management lock is a guardrail, not an access control; a principal
# allowed to manage locks can remove it and then delete the account, so pair it with
# least-privilege RBAC on lock management and alert on lock deletions in the activity log.
resource "azurerm_management_lock" "storage_delete_lock_neg1" {
  name               = "storage-delete-lock"
  scope              = azurerm_storage_account.example_neg1.id
  lock_level         = "CanNotDelete"
  notes              = "Prevent accidental deletion of the storage account"
}
Negative test num. 2 - tf file
# Negative 2: resource group that both the storage account (via resource_group_name)
# and the CanNotDelete lock (via scope) refer to; this is what links them for the query.
resource "azurerm_resource_group" "example_neg2" {
  name     = "example-resources"
  location = "West Europe"
}

# Negative 2: compliant through its resource group. resource_group_name names
# azurerm_resource_group.example_neg2, and storage_delete_lock_neg2 locks that group
# with "CanNotDelete", so the query treats the account as covered (contrast Positive 4,
# where the same lock exists but resource_group_name is missing).
resource "azurerm_storage_account" "example_neg2" {
  name                     = "examplestorageacct"
  resource_group_name      = azurerm_resource_group.example_neg2.name
  location                 = azurerm_resource_group.example_neg2.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

# Negative 2: group-scoped CanNotDelete lock accepted by the query for every account that
# declares this group in resource_group_name.
# NOTE(review): the query accepts the group scope because Azure locks are inherited by child
# resources; that inheritance also applies to every other resource in the group, so expect
# unrelated deletes in this group to be blocked until the lock is removed — confirm that is acceptable.
resource "azurerm_management_lock" "storage_delete_lock_neg2" {
  name               = "storage-delete-lock"
  scope              = azurerm_resource_group.example_neg2.id
  lock_level         = "CanNotDelete"
  notes              = "Prevent accidental deletion of the storage account"
}