Beta - Databricks Workspace Without CMK

  • Query id: 416ac446-9a2e-4f6d-84d2-82add788c7da
  • Query name: Beta - Databricks Workspace Without CMK
  • Platform: Terraform
  • Severity: Medium
  • Category: Encryption
  • CWE: 522
  • Risk score: 3.0
  • URL: Github

Description

The 'azurerm_databricks_workspace' resource should enable customer-managed key (CMK) encryption: set `customer_managed_key_enabled = true` and supply a `managed_disk_cmk_key_vault_key_id` (both are required for the resource to pass this query).
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
# Positive test 1: the workspace-level CMK flag is set, but no managed-disk key
# is supplied. The query treats the pair (customer_managed_key_enabled = true
# together with managed_disk_cmk_key_vault_key_id) as the compliant shape, so
# this resource is still reported.
resource "azurerm_databricks_workspace" "positive1" {
  name                = "my-databricks-workspace"
  resource_group_name = azurerm_resource_group.positive1.name
  location            = azurerm_resource_group.positive1.location
  sku                 = "premium"  # premium tier is required for CMK; the flag alone is not sufficient

  customer_managed_key_enabled      = true
  # missing "managed_disk_cmk_key_vault_key_id" -- no CMK is configured for the managed disk
}

# Positive test 2: a managed-disk key is referenced, but the CMK flag is
# explicitly false, so the key reference does not make the workspace compliant.
resource "azurerm_databricks_workspace" "positive2" {
  name                = "my-databricks-workspace"
  resource_group_name = azurerm_resource_group.positive2.name
  location            = azurerm_resource_group.positive2.location
  sku                 = "premium"

  customer_managed_key_enabled      = false  # Should be true -- setting only the key id below is not enough
  managed_disk_cmk_key_vault_key_id = azurerm_key_vault_key.cmk.id  # key is defined outside this sample
}

# Positive test 3: CMK is explicitly disabled and no managed-disk key is given;
# both conditions the query checks are unmet.
resource "azurerm_databricks_workspace" "positive3" {
  name                = "my-databricks-workspace"
  resource_group_name = azurerm_resource_group.positive3.name
  location            = azurerm_resource_group.positive3.location
  sku                 = "premium"

  customer_managed_key_enabled      = false  # Should be true
  # missing "managed_disk_cmk_key_vault_key_id" -- should reference a Key Vault key
}

# Positive test 4: a managed-disk key is referenced, but the CMK flag is absent.
# The query reports an absent flag the same way as an explicit false (compare
# positive2), so the key reference alone does not pass.
resource "azurerm_databricks_workspace" "positive4" {
  name                = "my-databricks-workspace"
  resource_group_name = azurerm_resource_group.positive4.name
  location            = azurerm_resource_group.positive4.location
  sku                 = "premium"

  # missing "customer_managed_key_enabled" -- must be set to true explicitly
  managed_disk_cmk_key_vault_key_id     = azurerm_key_vault_key.cmk.id
}

# Positive test 5: neither CMK attribute is present. This is the default shape
# of a workspace that was never configured for CMK and is the most common
# real-world finding for this query.
resource "azurerm_databricks_workspace" "positive5" {
  name                = "my-databricks-workspace"
  resource_group_name = azurerm_resource_group.positive5.name
  location            = azurerm_resource_group.positive5.location
  sku                 = "premium"

  # missing "customer_managed_key_enabled" and "managed_disk_cmk_key_vault_key_id"
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
# Negative test: the compliant configuration. Both attributes the query checks
# are present -- the CMK flag is true and a Key Vault key id is supplied for the
# managed disk. The referenced azurerm_key_vault_key.cmk resource is not part of
# this sample and must be defined elsewhere in the configuration.
resource "azurerm_databricks_workspace" "negative" {
  name                = "my-databricks-workspace"
  resource_group_name = azurerm_resource_group.negative.name
  location            = azurerm_resource_group.negative.location
  sku                 = "premium"  # Required for CMK support; lower tiers cannot satisfy this query

  customer_managed_key_enabled      = true  # Enables CMK; must be explicitly true (see positive4 for the absent case)
  managed_disk_cmk_key_vault_key_id = azurerm_key_vault_key.cmk.id     # Your CMK key for managed_disk, defined outside this sample
}