
Commit 660cfa8

committed
feat(tf): Small updates
1 parent be15b60 commit 660cfa8


3 files changed

+46
-14
lines changed

3 files changed

+46
-14
lines changed

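--- a/ql/lib/codeql/hcl/security/PublicStorage.qll
+++ b/ql/lib/codeql/hcl/security/PublicStorage.qll
@@ -18,22 +18,22 @@ class AzurePublicStorage extends PublicStorage {
 )
 or
 // Azure Storage Accounts
-exists(Azure::StorageAccount storage_acount |
+exists(Azure::StorageAccount storage_account |
 (
 // v2
-storage_acount.getAllowBlobPublicAccessValue() = true and
-this = storage_acount.getAllowBlobPublicAccess()
+storage_account.getAllowBlobPublicAccessValue() = true and
+this = storage_account.getAllowBlobPublicAccess()
 )
 or
 (
 // v3
 (
-storage_acount.getPublicNetworkAccessValue() = true
+storage_account.getPublicNetworkAccessValue() = true
 or
-storage_acount.getAllowNestedItemsToBePublicValue() = true
+storage_account.getAllowNestedItemsToBePublicValue() = true
 )
 and
-this = storage_acount
+this = storage_account
 )
 )
 }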
Lines changed: 3 additions & 2 deletions
@@ -1,2 +1,3 @@
1-
| storage.tf:9:1:15:1 | resource azurerm_storage_container insecure-storage-container | Azure Storage is Public |
2-
| storage.tf:18:1:28:1 | resource azurerm_storage_account insecure-storage-account | Azure Storage is Public |
1+
| storage.tf:15:1:22:1 | resource azurerm_storage_container insecure-storage-container | Azure Storage is Public |
2+
| storage.tf:25:1:33:1 | resource azurerm_storage_account insecure-storage-account | Azure Storage is Public |
3+
| storage.tf:49:1:59:1 | resource azurerm_storage_account insecure-storage-account | Azure Storage is Public |
Lines changed: 37 additions & 6 deletions
@@ -1,28 +1,59 @@
1+
# Resource Group
2+
resource "azurerm_resource_group" "example" {
3+
name = "example-resources"
4+
location = "West Europe"
5+
}
16

27
# secure
38
resource "azurerm_storage_container" "secure" {
49
name = "secure-storage-container"
10+
location = azurerm_resource_group.example.location
511
container_access_type = "private"
612
}
713

814
# insecure
915
resource "azurerm_storage_container" "insecure" {
1016
name = "insecure-storage-container"
17+
location = azurerm_resource_group.example.location
1118
container_access_type = "blob"
1219
properties = {
1320
"publicAccess" = "blob"
1421
}
1522
}
1623

24+
# insecure defaults (v3)
25+
resource "azurerm_storage_account" "insecure_storage_account" {
26+
name = "insecure-storage-account"
27+
location = azurerm_resource_group.example.location
28+
account_kind = "BlobStorage"
29+
account_tier = "Standard"
30+
account_replication_type = "GRS"
31+
resource_group_name = azurerm_resource_group.example
32+
min_tls_version = "TLS1_2"
33+
}
34+
35+
# Secure (v3)
36+
resource "azurerm_storage_account" "secure_storage_account" {
37+
name = "secure-storage-account"
38+
location = azurerm_resource_group.example.location
39+
account_kind = "BlobStorage"
40+
account_tier = "Standard"
41+
account_replication_type = "GRS"
42+
resource_group_name = azurerm_resource_group.example
43+
public_network_access_enabled = false
44+
allow_nested_items_to_be_public = false
45+
min_tls_version = "TLS1_2"
46+
}
47+
1748
# insecure (v3)
1849
resource "azurerm_storage_account" "insecure_storage_account" {
1950
name = "insecure-storage-account"
20-
location = var.location
21-
account_kind = var.kind
22-
account_tier = var.tier
23-
account_replication_type = var.replication_type
24-
resource_group_name = var.resource_group_name
51+
location = azurerm_resource_group.example.location
52+
account_kind = "BlobStorage"
53+
account_tier = "Standard"
54+
account_replication_type = "GRS"
55+
resource_group_name = azurerm_resource_group.example
2556
public_network_access_enabled = true
2657
allow_nested_items_to_be_public = true
27-
min_tls_version = var.min_tls_version
58+
min_tls_version = "TLS1_2"
2859
}
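Review bot: The new "insecure defaults (v3)" block at new line 25 reuses both the address `azurerm_storage_account.insecure_storage_account` and the `name` of the explicit-insecure block at new line 49, so the fixture is not valid Terraform (resource addresses must be unique within a module) and the two account rows in the expected output can only be told apart by line number. Renaming the defaults case, e.g. `resource "azurerm_storage_account" "insecure_defaults_storage_account" {` with `name = "insecure-defaults-storage-account"` (and updating the expected row to match), would make it visible in the results that the omitted-attribute default is what the query flagged. All three account blocks also set `resource_group_name = azurerm_resource_group.example`, which passes the whole resource object; `azurerm_resource_group.example.name` is presumably what was meant. No case in this fixture sets the v2 `allow_blob_public_access` attribute, so the query's v2 branch appears to have no coverage here.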
