
False positives in storage-queue-services-logging for Azure Storage Accounts that don't use a storage queue #3383

Open
thombrj opened this issue May 9, 2024 · 0 comments
thombrj commented May 9, 2024

Describe the bug
Any Terraform configuration that defines an Azure Storage Account must declare a queue_properties block, or else the pattern storage-queue-services-logging will be matched. The storage analytics logs within queue_properties are only relevant for storage queues, one fourth of the functionality offered by Azure Storage Accounts.

To Reproduce
Create a Terraform config declaring a storage account without a queue_properties block, e.g.:

resource "azurerm_storage_account" "this" {
  name                              = "myazurestorageacc"
  resource_group_name               = "myazureresourcegroup"
  location                          = "australiaeast"
  account_tier                      = "Standard"
  account_replication_type          = "GRS"
  tags                              = local.tags
  allow_nested_items_to_be_public   = false
  infrastructure_encryption_enabled = true
  min_tls_version                   = "TLS1_2"
  shared_access_key_enabled         = false

  blob_properties {
    delete_retention_policy {
      days = 31
    }
    container_delete_retention_policy {
      days = 31
    }
    versioning_enabled  = true
    change_feed_enabled = true
  }
}


Expected behavior
This warning is not triggered by Terraform configuration that does not use a storage queue.

Priority
How important is this to you?

  • P0: blocking me from making progress
  • P1: this will block me in the near future
  • P2: annoying but not blocking me

Additional Context
This rule is providing more noise than value, and will likely be disabled in my environment. Removing the following pattern-inside block will resolve the issue in my expected-behavior scenario (tested using the Semgrep playground); however, I recognise that this warning probably should be shown in the event of using an azurerm_storage_queue resource. As queue_properties is defined on the Storage Account, I am not sure of the appropriate way forward.

    - pattern-inside: |
        resource "azurerm_storage_account" "..." {
          ...
        }
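As an added illustration of the expected behaviour described in this issue (not code from Semgrep, the rule in question, or the reporter): a small Python check that reports a storage account lacking queue_properties { logging { ... } } only when an azurerm_storage_queue in the same configuration is attached to it via azurerm_storage_account.<name>.name. The HCL samples are constructed, and the parsing is a brace-matching approximation of HCL rather than a full parser.

```python
import re

def _bodies(text, header):
    """Yield (match, body) for each block opened by regex `header` plus '{'.
    Body found by brace counting: an HCL approximation that ignores braces in strings."""
    for m in re.finditer(header + r"\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m, text[m.end():i - 1]

def parse_resources(hcl):
    """Map (resource_type, resource_name) -> body text for top-level resource blocks."""
    return {(m.group(1), m.group(2)): body
            for m, body in _bodies(hcl, r'resource\s+"([^"]+)"\s+"([^"]+)"')}

def has_queue_logging(account_body):
    """True if the account declares queue_properties { logging { ... } }."""
    return any(any(True for _ in _bodies(qp, r"\blogging\b"))
               for _, qp in _bodies(account_body, r"\bqueue_properties\b"))

def queue_logging_findings(hcl):
    """Storage accounts referenced by an azurerm_storage_queue (via
    azurerm_storage_account.<name>.name) that lack queue logging."""
    resources, findings = parse_resources(hcl), []
    for (rtype, _), body in resources.items():
        if rtype != "azurerm_storage_queue":
            continue
        ref = re.search(r"storage_account_name\s*=\s*azurerm_storage_account\.(\w+)\.name", body)
        if not ref:  # literal or variable account name: not resolvable statically
            continue
        account = resources.get(("azurerm_storage_account", ref.group(1)))
        if account is not None and not has_queue_logging(account) and ref.group(1) not in findings:
            findings.append(ref.group(1))
    return findings

# Constructed samples (not from the issue): account with no queue, and an account used by a queue.
NO_QUEUE = '''resource "azurerm_storage_account" "this" {
  name = "myazurestorageacc"
  blob_properties { delete_retention_policy { days = 31 } }
}'''
UNLOGGED = '''resource "azurerm_storage_account" "q" { name = "queueacc" }
resource "azurerm_storage_queue" "jobs" {
  name                 = "jobs"
  storage_account_name = azurerm_storage_account.q.name
}'''
LOGGED = UNLOGGED.replace('name = "queueacc"', 'name = "queueacc"\n  queue_properties { logging { '
                          'delete = true read = true write = true version = "1.0" } }')
```

Running queue_logging_findings over the three samples yields no finding for NO_QUEUE, a finding for account "q" in UNLOGGED, and none for LOGGED.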
@thombrj thombrj added the bug Something isn't working label May 9, 2024