tenable/terrascan

False positive on "Ensure that Azure Virtual Network subnet is configured with a Network Security Group" [AC_AZURE_0356]

zadigus opened this issue · 0 comments

  • terrascan version: 1.18.1
  • Operating System: Linux

Description

I have some terraform configuration which I want to scan. The configuration contains the following VNet configuration:

# Azure Firewall subnet: the name "AzureFirewallSubnet" is required by Azure,
# and no network security group is associated with it.
resource "azurerm_subnet" "fw" {
  name                 = "AzureFirewallSubnet"
  resource_group_name  = var.resource_group_name
  virtual_network_name = azurerm_virtual_network.vnet_hub.name
  address_prefixes     = [var.hub_network["firewall"]]
}

# VPN gateway subnet: the name "GatewaySubnet" is required by Azure,
# and no network security group is associated with it.
resource "azurerm_subnet" "gw" {
  name                 = "GatewaySubnet"
  resource_group_name  = var.resource_group_name
  virtual_network_name = azurerm_virtual_network.vnet_hub.name
  address_prefixes     = [var.hub_network["vpn_gateway"]]
}

with no associated network security group. Per Microsoft documentation, for the Azure FW Subnet and for the Gateway Subnet, those subnets should not be associated with NSGs.

What I Did

When I run

terrascan scan

I get the following errors:

Description: Ensure that Azure Virtual Network subnet is configured with a Network Security Group, File: ../terraform/hub/vnet/main.tf, Line: 12, Severity: MEDIUM, Rule Name: reme_noSecurityGroupAssociated, Rule ID: AC_AZURE_0356, Resource Name: fw, Resource Type: azurerm_subnet, Category: Infrastructure Security

Description: Ensure that Azure Virtual Network subnet is configured with a Network Security Group, File: ../terraform/hub/vnet/main.tf, Line: 21, Severity: MEDIUM, Rule Name: reme_noSecurityGroupAssociated, Rule ID: AC_AZURE_0356, Resource Name: gw, Resource Type: azurerm_subnet, Category: Infrastructure Security

I should get no error.
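Until the rule itself exempts these two subnets, a practical way to keep the scan useful is to post-process its output and drop only the AC_AZURE_0356 findings that hit an `azurerm_subnet` whose `name` is `AzureFirewallSubnet` or `GatewaySubnet`, while leaving findings for any other subnet in place. The script below is an added example written for this report, not terrascan's own code: it extracts the resource label to subnet name mapping from the HCL with a small regex parser (assuming `name` is a literal string, as it is above) and parses the `Key: value, Key: value` finding lines exactly as terrascan printed them. The third subnet (`app`) and its finding are constructed to show that a genuine missing-NSG finding survives the filter.

```python
import re

# Constructed sample input: the two subnets from the report plus one ordinary
# subnet ("app") that really should carry an NSG.
HCL = '''
resource "azurerm_subnet" "fw" {
  name                 = "AzureFirewallSubnet"
  resource_group_name  = var.resource_group_name
  virtual_network_name = azurerm_virtual_network.vnet_hub.name
  address_prefixes     = [var.hub_network["firewall"]]
}

resource "azurerm_subnet" "gw" {
  name                 = "GatewaySubnet"
  resource_group_name  = var.resource_group_name
  virtual_network_name = azurerm_virtual_network.vnet_hub.name
  address_prefixes     = [var.hub_network["vpn_gateway"]]
}

resource "azurerm_subnet" "app" {
  name                 = "AppSubnet"
  resource_group_name  = var.resource_group_name
  virtual_network_name = azurerm_virtual_network.vnet_hub.name
  address_prefixes     = ["10.0.3.0/24"]
}
'''

# Finding lines in the format terrascan printed in the report; the first two are
# verbatim from the report, the third is constructed for the "app" subnet.
FINDINGS = [
    "Description: Ensure that Azure Virtual Network subnet is configured with a Network Security Group, File: ../terraform/hub/vnet/main.tf, Line: 12, Severity: MEDIUM, Rule Name: reme_noSecurityGroupAssociated, Rule ID: AC_AZURE_0356, Resource Name: fw, Resource Type: azurerm_subnet, Category: Infrastructure Security",
    "Description: Ensure that Azure Virtual Network subnet is configured with a Network Security Group, File: ../terraform/hub/vnet/main.tf, Line: 21, Severity: MEDIUM, Rule Name: reme_noSecurityGroupAssociated, Rule ID: AC_AZURE_0356, Resource Name: gw, Resource Type: azurerm_subnet, Category: Infrastructure Security",
    "Description: Ensure that Azure Virtual Network subnet is configured with a Network Security Group, File: ../terraform/hub/vnet/main.tf, Line: 30, Severity: MEDIUM, Rule Name: reme_noSecurityGroupAssociated, Rule ID: AC_AZURE_0356, Resource Name: app, Resource Type: azurerm_subnet, Category: Infrastructure Security",
]

# Subnets that Azure requires to run without an NSG (the exemption argued for above).
NSG_EXEMPT_SUBNETS = {"AzureFirewallSubnet", "GatewaySubnet"}
RULE_ID = "AC_AZURE_0356"

# Matches one azurerm_subnet block: label and body up to the closing brace.
RESOURCE_RE = re.compile(r'resource\s+"azurerm_subnet"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
# Matches a literal `name = "..."` attribute at the start of a line.
NAME_RE = re.compile(r'^\s*name\s*=\s*"([^"]+)"', re.M)


def subnet_names(hcl):
    """Map each azurerm_subnet resource label to its literal `name` attribute."""
    names = {}
    for match in RESOURCE_RE.finditer(hcl):
        label, body = match.group(1), match.group(2)
        name = NAME_RE.search(body)
        if name:
            names[label] = name.group(1)
    return names


def parse_finding(line):
    """Turn a 'Key: value, Key: value' terrascan line into a dict."""
    fields = {}
    for part in line.split(", "):
        key, _, value = part.partition(": ")
        fields[key] = value
    return fields


def triage(findings, hcl):
    """Split findings into (kept, suppressed): suppress AC_AZURE_0356 only for
    azurerm_subnet resources whose name is an Azure NSG-exempt subnet."""
    names = subnet_names(hcl)
    kept, suppressed = [], []
    for line in findings:
        finding = parse_finding(line)
        exempt = (
            finding.get("Rule ID") == RULE_ID
            and finding.get("Resource Type") == "azurerm_subnet"
            and names.get(finding.get("Resource Name")) in NSG_EXEMPT_SUBNETS
        )
        (suppressed if exempt else kept).append(finding)
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = triage(FINDINGS, HCL)
    for f in suppressed:
        print(f"suppressed {f['Rule ID']} on {f['Resource Name']} (Azure-required subnet)")
    for f in kept:
        print(f"KEEP {f['Rule ID']} on {f['Resource Name']} at line {f['Line']}")
```

The filter is deliberately keyed on the subnet's `name`, not on the Terraform label, because the exemption in the Azure documentation is tied to those two fixed names; a subnet labelled `fw` but named anything else still needs its NSG. Terrascan also supports resource-level skip comments inside a Terraform block (`#ts:skip=<rule id> <comment>`) if you prefer to record the exemption next to the resource rather than in a post-processing step.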