Beta - VM With Automatic Updates Disabled
- Query id: 187e6d39-5e1e-4afa-9c0a-b79632eef346
- Query name: Beta - VM With Automatic Updates Disabled
- Platform: Terraform
- Severity: Medium
- Category: Best Practices
- CWE: 1329
- Risk score: 3.0
- URL: Github
Description
Windows-based VMs should have automatic updates enabled.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# Flagged sample: a Windows VM that explicitly opts out of OS patching
# through the legacy `enable_automatic_updates` argument.
resource "azurerm_windows_virtual_machine" "positive1" {
  name                = "positive1-machine"
  location            = azurerm_resource_group.positive1.location
  resource_group_name = azurerm_resource_group.positive1.name
  size                = "Standard_F2"
  admin_username      = "adminuser"

  network_interface_ids = [azurerm_network_interface.positive1.id]

  # This is what the query matches: automatic updates switched off.
  enable_automatic_updates = false
}
# Flagged sample: same misconfiguration as positive1, expressed with the
# newer `automatic_updates_enabled` argument name.
resource "azurerm_windows_virtual_machine" "positive2" {
  name                = "positive2-machine"
  location            = azurerm_resource_group.positive2.location
  resource_group_name = azurerm_resource_group.positive2.name
  size                = "Standard_F2"
  admin_username      = "adminuser"

  network_interface_ids = [azurerm_network_interface.positive2.id]

  # Both argument spellings are checked; a `false` here is reported.
  automatic_updates_enabled = false
}
# Flagged sample: a Windows scale set with automatic updates disabled.
# Every instance the set creates inherits this setting.
resource "azurerm_windows_virtual_machine_scale_set" "positive3" {
  name                 = "positive3-vmss"
  location             = azurerm_resource_group.positive3.location
  resource_group_name  = azurerm_resource_group.positive3.name
  sku                  = "Standard_F2"
  instances            = 1
  computer_name_prefix = "vm-"
  admin_username       = "adminuser"

  # Reported by the query: patching opted out at the scale-set level.
  enable_automatic_updates = false
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
# Compliant sample: automatic updates explicitly enabled via the legacy
# `enable_automatic_updates` argument.
resource "azurerm_windows_virtual_machine" "negative1" {
  name                = "negative1-machine"
  location            = azurerm_resource_group.negative1.location
  resource_group_name = azurerm_resource_group.negative1.name
  size                = "Standard_F2"
  admin_username      = "adminuser"

  network_interface_ids = [azurerm_network_interface.negative1.id]

  # Explicit `true` — not reported.
  enable_automatic_updates = true
}
# Compliant sample: automatic updates explicitly enabled using the newer
# `automatic_updates_enabled` argument name.
resource "azurerm_windows_virtual_machine" "negative2" {
  name                = "negative2-machine"
  location            = azurerm_resource_group.negative2.location
  resource_group_name = azurerm_resource_group.negative2.name
  size                = "Standard_F2"
  admin_username      = "adminuser"

  network_interface_ids = [azurerm_network_interface.negative2.id]

  # Newer field spelling; explicit `true` is not reported.
  automatic_updates_enabled = true
}
# Compliant sample: a Windows scale set with automatic updates explicitly
# enabled, so each instance it creates is patched.
resource "azurerm_windows_virtual_machine_scale_set" "negative3" {
  name                 = "negative3-vmss"
  location             = azurerm_resource_group.negative3.location
  resource_group_name  = azurerm_resource_group.negative3.name
  sku                  = "Standard_F2"
  instances            = 1
  computer_name_prefix = "vm-"
  admin_username       = "adminuser"

  # Explicit `true` — not reported.
  enable_automatic_updates = true
}
# Compliant sample: neither `enable_automatic_updates` nor
# `automatic_updates_enabled` is set, so the provider default (true)
# applies and the query does not report the resource.
resource "azurerm_windows_virtual_machine" "negative4" {
  name                = "negative4-machine"
  location            = azurerm_resource_group.negative4.location
  resource_group_name = azurerm_resource_group.negative4.name
  size                = "Standard_F2"
  admin_username      = "adminuser"

  network_interface_ids = [azurerm_network_interface.negative4.id]

  # Intentionally no automatic-updates argument here: default is true.
}
# Compliant sample: `enable_automatic_updates` is omitted on the scale
# set, so the provider default (true) applies and nothing is reported.
resource "azurerm_windows_virtual_machine_scale_set" "negative5" {
  name                 = "negative5-vmss"
  location             = azurerm_resource_group.negative5.location
  resource_group_name  = azurerm_resource_group.negative5.name
  sku                  = "Standard_F2"
  instances            = 1
  computer_name_prefix = "vm-"
  admin_username       = "adminuser"

  # Intentionally no `enable_automatic_updates` here: default is true.
}