org.openrewrite.terraform.azure.AzureBestPractices
Securely operate on Microsoft Azure.
- Azure
- terraform
Source: GitHub, Issue Tracker, Maven Central
- groupId: org.openrewrite.recipe
- artifactId: rewrite-terraform
- version: 2.0.1
This recipe has no required configuration options. It can be activated by adding a dependency on org.openrewrite.recipe:rewrite-terraform:2.0.1 in your build file, or by running a shell command (in which case no build changes are needed):
{% tabs %}
{% tab title="Gradle" %}
{% code title="build.gradle" %}
plugins {
  id("org.openrewrite.rewrite") version("6.1.4")
}

rewrite {
  activeRecipe("org.openrewrite.terraform.azure.AzureBestPractices")
}

repositories {
  mavenCentral()
}

dependencies {
  rewrite("org.openrewrite.recipe:rewrite-terraform:2.0.1")
}
{% endcode %}
{% endtab %}
{% tab title="Maven POM" %}
{% code title="pom.xml" %}
<project>
  <build>
    <plugins>
      <plugin>
        <groupId>org.openrewrite.maven</groupId>
        <artifactId>rewrite-maven-plugin</artifactId>
        <version>5.2.4</version>
        <configuration>
          <activeRecipes>
            <recipe>org.openrewrite.terraform.azure.AzureBestPractices</recipe>
          </activeRecipes>
        </configuration>
        <dependencies>
          <dependency>
            <groupId>org.openrewrite.recipe</groupId>
            <artifactId>rewrite-terraform</artifactId>
            <version>2.0.1</version>
          </dependency>
        </dependencies>
      </plugin>
    </plugins>
  </build>
</project>
{% endcode %}
{% endtab %}
{% tab title="Maven Command Line" %}
You will need to have Maven installed on your machine before you can run the following command.
{% code title="shell" %}
mvn -U org.openrewrite.maven:rewrite-maven-plugin:run \
  -Drewrite.recipeArtifactCoordinates=org.openrewrite.recipe:rewrite-terraform:RELEASE \
  -Drewrite.activeRecipes=org.openrewrite.terraform.azure.AzureBestPractices
{% endcode %}
To preview the changes as a patch without touching your Terraform files, use the `dryRun` goal in place of `run` (or `rewriteDryRun` in place of `rewriteRun` with the Gradle plugin). Review that patch and the resulting `terraform plan` before applying it: several of the recipes below switch resources to default-deny network access or disable public endpoints, which will cut off any client that is not explicitly allow-listed.
{% endtab %}
{% endtabs %}
{% tabs %}
{% tab title="Recipe List" %}
- Encrypt Azure VM data disk with ADE/CMK
- Enable Azure Storage secure transfer required
- Disable Kubernetes dashboard
- Ensure the storage container storing activity logs is not publicly accessible
- Ensure Azure Network Watcher NSG flow logs retention is greater than 90 days
- Ensure Azure App Service Web app redirects HTTP to HTTPS
- Ensure Web App uses the latest version of TLS encryption
- Ensure Web App uses the latest version of HTTP
- Ensure standard pricing tier is selected
- Ensure a security contact phone number is present
- Ensure Send email notification for high severity alerts is enabled
- Ensure Send email notification for high severity alerts to admins is enabled
- Ensure Azure SQL server audit log retention is greater than 90 days
- Ensure Azure SQL Server threat detection alerts are enabled for all threat types
- Ensure Azure SQL server send alerts to field value is set
- Ensure MSSQL servers have email service and co-administrators enabled
- Ensure MySQL server databases have Enforce SSL connection enabled
- Ensure Azure PostgreSQL database server with SSL connection is enabled
- Set Azure Storage Account default network access to deny
- Enable Azure Storage Account Trusted Microsoft Services access
- Ensure activity log retention is set to 365 days or greater
- Ensure log profile is configured to capture all activities
- Ensure all keys have an expiration date
- Ensure AKV secrets have an expiration date set
- Ensure Azure key vault is recoverable
- Ensure storage account uses latest TLS version
- Ensure public network access enabled is set to False for mySQL servers
- Ensure MySQL is using the latest version of TLS encryption
- Ensure app service enables HTTP logging
- Ensure app service enables detailed error messages
- Ensure app service enables failed request tracing
- Ensure PostgreSQL server disables public network access
- Ensure managed identity provider is enabled for app services
- Ensure FTP Deployments are disabled
- Ensure MySQL server disables public network access
- Ensure MySQL server enables geo-redundant backups
- Enable geo-redundant backups on PostgreSQL server
- Ensure key vault allows firewall rules settings
- Ensure key vault enables purge protection
- Ensure key vault secrets have `content_type` set
- Ensure AKS policies add-on
- Ensure Azure application gateway has WAF enabled
- Ensure MySQL server enables Threat Detection policy
- Ensure PostgreSQL server enables Threat Detection policy
- Ensure PostgreSQL server enables infrastructure encryption
{% endtab %}
{% tab title="Yaml Recipe List" %}
---
type: specs.openrewrite.org/v1beta/recipe
name: org.openrewrite.terraform.azure.AzureBestPractices
displayName: Best practices for Azure
description: Securely operate on Microsoft Azure.
tags:
- Azure
- terraform
recipeList:
- org.openrewrite.terraform.azure.EncryptAzureVMDataDiskWithADECMK
- org.openrewrite.terraform.azure.EnableAzureStorageSecureTransferRequired
- org.openrewrite.terraform.azure.DisableKubernetesDashboard
- org.openrewrite.terraform.azure.EnsureTheStorageContainerStoringActivityLogsIsNotPubliclyAccessible
- org.openrewrite.terraform.azure.EnsureAzureNetworkWatcherNSGFlowLogsRetentionIsGreaterThan90Days
- org.openrewrite.terraform.azure.EnsureAzureAppServiceWebAppRedirectsHTTPToHTTPS
- org.openrewrite.terraform.azure.EnsureWebAppUsesTheLatestVersionOfTLSEncryption
- org.openrewrite.terraform.azure.EnsureWebAppUsesTheLatestVersionOfHTTP
- org.openrewrite.terraform.azure.EnsureStandardPricingTierIsSelected
- org.openrewrite.terraform.azure.EnsureASecurityContactPhoneNumberIsPresent
- org.openrewrite.terraform.azure.EnsureSendEmailNotificationForHighSeverityAlertsIsEnabled
- org.openrewrite.terraform.azure.EnsureSendEmailNotificationForHighSeverityAlertsToAdminsIsEnabled
- org.openrewrite.terraform.azure.EnsureAzureSQLServerAuditLogRetentionIsGreaterThan90Days
- org.openrewrite.terraform.azure.EnsureAzureSQLServerThreatDetectionAlertsAreEnabledForAllThreatTypes
- org.openrewrite.terraform.azure.EnsureAzureSQLServerSendAlertsToFieldValueIsSet
- org.openrewrite.terraform.azure.EnsureMSSQLServersHaveEmailServiceAndCoAdministratorsEnabled
- org.openrewrite.terraform.azure.EnsureMySQLServerDatabasesHaveEnforceSSLConnectionEnabled
- org.openrewrite.terraform.azure.EnsureAzurePostgreSQLDatabaseServerWithSSLConnectionIsEnabled
- org.openrewrite.terraform.azure.SetAzureStorageAccountDefaultNetworkAccessToDeny
- org.openrewrite.terraform.azure.EnableAzureStorageAccountTrustedMicrosoftServicesAccess
- org.openrewrite.terraform.azure.EnsureActivityLogRetentionIsSetTo365DaysOrGreater
- org.openrewrite.terraform.azure.EnsureLogProfileIsConfiguredToCaptureAllActivities
- org.openrewrite.terraform.azure.EnsureAllKeysHaveAnExpirationDate
- org.openrewrite.terraform.azure.EnsureAKVSecretsHaveAnExpirationDateSet
- org.openrewrite.terraform.azure.EnsureAzureKeyVaultIsRecoverable
- org.openrewrite.terraform.azure.EnsureStorageAccountUsesLatestTLSVersion
- org.openrewrite.terraform.azure.EnsurePublicNetworkAccessEnabledIsSetToFalseForMySQLServers
- org.openrewrite.terraform.azure.EnsureMySQLIsUsingTheLatestVersionOfTLSEncryption
- org.openrewrite.terraform.azure.EnsureAppServiceEnablesHTTPLogging
- org.openrewrite.terraform.azure.EnsureAppServiceEnablesDetailedErrorMessages
- org.openrewrite.terraform.azure.EnsureAppServiceEnablesFailedRequestTracing
- org.openrewrite.terraform.azure.EnsurePostgreSQLServerDisablesPublicNetworkAccess
- org.openrewrite.terraform.azure.EnsureManagedIdentityProviderIsEnabledForAppServices
- org.openrewrite.terraform.azure.EnsureFTPDeploymentsAreDisabled
- org.openrewrite.terraform.azure.EnsureMySQLServerDisablesPublicNetworkAccess
- org.openrewrite.terraform.azure.EnsureMySQLServerEnablesGeoRedundantBackups
- org.openrewrite.terraform.azure.EnableGeoRedundantBackupsOnPostgreSQLServer
- org.openrewrite.terraform.azure.EnsureKeyVaultAllowsFirewallRulesSettings
- org.openrewrite.terraform.azure.EnsureKeyVaultEnablesPurgeProtection
- org.openrewrite.terraform.azure.EnsureKeyVaultSecretsHaveContentTypeSet
- org.openrewrite.terraform.azure.EnsureAKSPoliciesAddOn
- org.openrewrite.terraform.azure.EnsureAzureApplicationGatewayHasWAFEnabled
- org.openrewrite.terraform.azure.EnsureMySQLServerEnablesThreatDetectionPolicy
- org.openrewrite.terraform.azure.EnsurePostgreSQLServerEnablesThreatDetectionPolicy
- org.openrewrite.terraform.azure.EnsurePostgreSQLServerEnablesInfrastructureEncryption
{% endtab %}
{% endtabs %}
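The following Terraform is an added illustration written for this page; it is not the output of the AzureBestPractices recipes and not code from the rewrite-terraform project. It shows the settings that a handful of the recipe names above refer to (secure transfer, latest TLS, default-deny storage networking, HTTPS redirect, HTTP/2, disabled FTP, managed identity, App Service logging, Key Vault recoverability and purge protection, secret `content_type` and expiration, and the MySQL SSL, public-access, backup and threat-detection settings), with the weak value noted in a comment beside each hardened one. It assumes azurerm provider 3.x resource types and attribute names (`azurerm_linux_web_app`, `azurerm_mysql_server`); the recipes may target other resource types or older attribute names depending on the provider version your code uses. Resource group, names, tenant ID, IP address and the referenced `azurerm_service_plan.example` are placeholders.

```hcl
# Added illustration, not recipe output. azurerm 3.x names assumed; all
# resource names, the tenant ID and the IP address are placeholders.

variable "db_password" {
  type      = string
  sensitive = true # supplied at plan time, never committed as a literal
}

# Storage account: secure transfer, TLS 1.2, default-deny networking with
# trusted Microsoft services allowed through.
resource "azurerm_storage_account" "hardened" {
  name                      = "examplesahardened"
  resource_group_name       = "example-rg"
  location                  = "westeurope"
  account_tier              = "Standard"
  account_replication_type  = "LRS"
  enable_https_traffic_only = true     # weak: false (http:// accepted)
  min_tls_version           = "TLS1_2" # weak: "TLS1_0"

  network_rules {
    default_action = "Deny"            # weak: "Allow" or no block at all
    bypass         = ["AzureServices"] # e.g. Azure Monitor writing logs
    ip_rules       = ["203.0.113.10"]  # placeholder egress address
  }
}

# Web app: HTTPS redirect, TLS 1.2, HTTP/2, no FTP deployments, managed
# identity, and the three logging settings from the recipe list.
resource "azurerm_linux_web_app" "hardened" {
  name                = "example-web-hardened"
  resource_group_name = "example-rg"
  location            = "westeurope"
  service_plan_id     = azurerm_service_plan.example.id # assumed to exist
  https_only          = true                            # weak: false

  site_config {
    minimum_tls_version = "1.2"      # weak: "1.0"
    http2_enabled       = true       # weak: false
    ftps_state          = "Disabled" # weak: "AllAllowed"
  }
  identity {
    type = "SystemAssigned" # call Azure APIs without stored credentials
  }
  logs {
    detailed_error_messages = true
    failed_request_tracing  = true
    http_logs {
      file_system {
        retention_in_days = 7
        retention_in_mb   = 35
      }
    }
  }
}

# Key Vault: recoverable, purge-protected, firewalled; secret carries a
# content_type and an expiration date.
resource "azurerm_key_vault" "hardened" {
  name                       = "example-kv-hardened"
  resource_group_name        = "example-rg"
  location                   = "westeurope"
  tenant_id                  = "00000000-0000-0000-0000-000000000000" # placeholder
  sku_name                   = "standard"
  soft_delete_retention_days = 90   # deleted objects stay recoverable
  purge_protection_enabled   = true # weak: false (purge before that window)

  network_acls {
    default_action = "Deny" # weak: "Allow"
    bypass         = "AzureServices"
  }
}
resource "azurerm_key_vault_secret" "hardened" {
  name            = "db-password"
  value           = var.db_password
  key_vault_id    = azurerm_key_vault.hardened.id
  content_type    = "password"             # weak: unset
  expiration_date = "2026-01-01T00:00:00Z" # weak: unset (never rotated)
}

# MySQL single server: SSL enforced at TLS 1.2, no public endpoint,
# geo-redundant backups, threat detection enabled.
resource "azurerm_mysql_server" "hardened" {
  name                             = "example-mysql-hardened"
  resource_group_name              = "example-rg"
  location                         = "westeurope"
  administrator_login              = "mysqladmin"
  administrator_login_password     = var.db_password
  sku_name                         = "GP_Gen5_2"
  version                          = "8.0"
  ssl_enforcement_enabled          = true     # weak: false
  ssl_minimal_tls_version_enforced = "TLS1_2" # weak: "TLSEnforcementDisabled"
  public_network_access_enabled    = false    # weak: true
  geo_redundant_backup_enabled     = true     # weak: false

  threat_detection_policy {
    enabled = true # weak: block absent
  }
}
```

The `network_rules` and `network_acls` default-deny settings are the ones most likely to surprise you after the recipe runs: Terraform itself, CI runners and anything else that reaches the storage account or vault over the public endpoint must be covered by `ip_rules`, a virtual network rule or a private endpoint before the plan is applied.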
The community edition of the Moderne platform enables you to easily run recipes across thousands of open-source repositories.
Please contact Moderne for more information about safely running the recipes on your own codebase in a private SaaS.