diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
index 8f9f52a297e..5fb6bf2d971 100644
--- a/assets/queries/common/passwords_and_secrets/regex_rules.json
+++ b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -16,6 +16,14 @@
 {
 "description": "Avoiding Ansible playbook update_password",
 "regex": "['\"]?update_password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,})['\"]?"
+ },
+ {
+ "description": "Allow passwords retrieved from Terraform data sources",
+ "regex": "(?i)['\"]?password['\"]?\\s*=\\s*data\\.azurerm_key_vault_secret\\.[A-Za-z0-9_]+\\.value"
+ },
+ {
+ "description": "Allow passwords retrieved from AWS KMS Secrets",
+ "regex": "(?i)['\"]?password['\"]?\\s*=\\s*data\\.aws_kms_secrets\\.[A-Za-z0-9_]+\\.plaintext\\[\"[A-Za-z0-9_]+\"\\]"
 }
 ],
 "specialMask": "(?i)['\"]?password['\"]?\\s*[:=]\\s*"
diff --git a/assets/queries/common/passwords_and_secrets/test/negative47.tf b/assets/queries/common/passwords_and_secrets/test/negative47.tf
new file mode 100644
index 00000000000..8647a01ff60
--- /dev/null
+++ b/assets/queries/common/passwords_and_secrets/test/negative47.tf
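Review bot: Both new allow-list regexes restrict the data-source label to `[A-Za-z0-9_]+`, but HCL labels may also contain hyphens and references may carry an index (`[0]`, `["key"]`), so `data.azurerm_key_vault_secret.vm-admin.value` or a `count`-indexed reference would still be reported as a hard-coded password. Widening the class to `[A-Za-z0-9_-]+` in both rules closes the common case, e.g. `"regex": "(?i)['\"]?password['\"]?\\s*=\\s*data\\.azurerm_key_vault_secret\\.[A-Za-z0-9_-]+\\.value"`, while keeping the `data\\.<type>\\.` prefix fixed so only a reference to that data source — never a literal — is exempted. The first description is also vaguer than the second; naming the source, `"Allow passwords retrieved from Azure Key Vault secret data sources"`, tells a maintainer why this entry is safe to keep. The array these entries belong to opens outside the hunk, so I cannot confirm it is the allow-list rather than the detection-rule list; please double-check placement.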
@@ -0,0 +1,44 @@
+provider "azurerm" {
+ features {}
+}
+
+# Example of using an existing Key Vault and secret
+data "azurerm_key_vault" "example" {
+ name = "your-key-vault-name"
+ resource_group_name = "your-resource-group"
+}
+
+data "azurerm_key_vault_secret" "LinuxVmPassword" {
+ name = "your-secret-name"
+ key_vault_id = data.azurerm_key_vault.example.id
+}
+
+resource "azurerm_linux_virtual_machine" "example_vm" {
+ name = "example-vm"
+ resource_group_name = "your-resource-group"
+ location = "your-location"
+ size = "Standard_DS1_v2"
+ admin_username = "adminuser"
+ admin_password = data.azurerm_key_vault_secret.LinuxVmPassword.value
+
+ network_interface_ids = [
+ # Your network interface ID
+ ]
+
+ os_disk {
+ caching = "ReadWrite"
+ storage_account_type = "Standard_LRS"
+ }
+
+ source_image_reference {
+ publisher = "Canonical"
+ offer = "UbuntuServer"
+ sku = "18.04-LTS"
+ version = "latest"
+ }
+}
+
+output "vm_password" {
+ value = data.azurerm_key_vault_secret.LinuxVmPassword.value
+ sensitive = true
+}
diff --git a/assets/queries/common/passwords_and_secrets/test/negative48.tf b/assets/queries/common/passwords_and_secrets/test/negative48.tf
new file mode 100644
index 00000000000..85e9a2c0f38
--- /dev/null
+++ b/assets/queries/common/passwords_and_secrets/test/negative48.tf
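Review bot: The `output "vm_password"` block at the end of the fixture re-exports the Key Vault secret as a root-module output; `sensitive = true` only redacts it from CLI display, the value is still written to state in plaintext. It is not needed to exercise the new allow rule — the `admin_password = data.azurerm_key_vault_secret.LinuxVmPassword.value` line already does that — and a negative fixture is easily read as an example of approved practice. Either drop the output block or precede it with `# Fixture only: exporting the secret as an output is not recommended, the value is still stored in state`.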
@@ -0,0 +1,17 @@
+data "template_file" "sci_integration_app_properties_secret_template" {
+ template = file(join("", ["/secrets/sci-integration-app", var.resource_identifier_shorthand], ".json"))
+
+ vars = {
+ ayreshirerarran_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["ayreshirerarran_password"]
+ lanark_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["lanark_password"]
+ tayside_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["tayside_password"]
+ glasgow_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["glasgow_password"]
+ grampian_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["grampian_password"]
+ highland_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["highland_password"]
+ westernisles_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["westernisles_password"]
+ dumfriesandgalloway_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["dumfriesandgalloway_password"]
+ forthvalley_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["forthvalley_password"]
+ borders_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["borders_password"]
+ lothian_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["lothian_password"]
+ }
+}
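Review bot: The `template` expression on the second line is not valid Terraform: `join` takes exactly two arguments (separator, list), but here `".json"` is passed as a third argument outside the list, so this fixture would fail `terraform validate` even though the regex test still passes on it. Moving the suffix into the list, `template = file(join("", ["/secrets/sci-integration-app", var.resource_identifier_shorthand, ".json"]))`, keeps the fixture realistic. The `template_file` data source is also from the archived template provider; if the fixture is meant to reflect current usage, `templatefile()` would be the idiomatic form, though that is a judgement call for a test input.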