Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

Secrets
ABAP
Ansible
Apex
AzureResourceManager
C
C#
C++
CloudFormation
COBOL
CSS
Dart
Docker
Flex
Go
HTML
Java
JavaScript
JCL
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Scala
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML

Terraform static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your TERRAFORM code

Filtered: 31 rules found

cwe

Impact

Clean code attribute

Creating public APIs is security-sensitive
Security Hotspot
Allowing public network access to cloud resources is security-sensitive
Security Hotspot
Policies granting access to all resources of an account are security-sensitive
Security Hotspot
Policies granting all privileges are security-sensitive
Security Hotspot
Policies authorizing public access to resources are security-sensitive
Security Hotspot
Granting access to S3 buckets to all or authenticated users is security-sensitive
Security Hotspot
AWS IAM policies should limit the scope of permissions given
Vulnerability
Weak SSL/TLS protocols should not be used
Vulnerability
Allowing public ACLs or policies on a S3 bucket is security-sensitive
Security Hotspot
Authorizing HTTP communications with S3 buckets is security-sensitive
Security Hotspot
Using clear-text protocols is security-sensitive
Security Hotspot
Google Cloud load balancers SSL policies should not offer weak cipher suites
Vulnerability
Enabling Attribute-Based Access Control for Kubernetes is security-sensitive
Security Hotspot
Creating custom roles allowing privilege escalation is security-sensitive
Security Hotspot
Excessive granting of GCP IAM permissions is security-sensitive
Security Hotspot
Granting highly privileged GCP resource rights is security-sensitive
Security Hotspot
Using unencrypted cloud storages is security-sensitive
Security Hotspot
Disabling Role-Based Access Control on Azure resources is security-sensitive
Security Hotspot
Disabling certificate-based authentication is security-sensitive
Security Hotspot
Authorizing anonymous access to Azure resources is security-sensitive
Security Hotspot
Using unencrypted EFS file systems is security-sensitive
Security Hotspot
Using unencrypted SQS queues is security-sensitive
Security Hotspot
Using unencrypted SNS topics is security-sensitive
Security Hotspot
Using unencrypted SageMaker notebook instances is security-sensitive
Security Hotspot
Using unencrypted Elasticsearch domains is security-sensitive
Security Hotspot
Using unencrypted RDS DB resources is security-sensitive
Security Hotspot
Using unencrypted EBS volumes is security-sensitive
Security Hotspot
Disabling logging is security-sensitive
Security Hotspot
Administration services access should be restricted to specific IP addresses
Vulnerability
Disabling S3 bucket MFA delete is security-sensitive
Security Hotspot
Track uses of "TODO" tags
Code Smell

Enabling Attribute-Based Access Control for Kubernetes is security-sensitive

intentionality - complete

security

Security Hotspot

MajorSonarSource default severity
click to learn more

Enabling Legacy Authorization, Attribute-Based Access Control (ABAC), on Google Kubernetes Engine resources can reduce an organization’s ability to protect itself against access controls being compromised.

For Kubernetes, Attribute-Based Access Control has been superseded by Role-Based Access Control. ABAC is not under active development anymore and thus should be avoided.

Ask Yourself Whether

This resource is essential for the information system infrastructure.
This resource is essential for mission-critical functions.
Compliance policies require access to this resource to be enforced through the use of Role-Based Access Control.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

Unless you are relying on ABAC, leave it disabled.

Sensitive Code Example

For Google Kubernetes Engine:

resource "google_container_cluster" "example" {
  enable_legacy_abac = true # Sensitive
}

Compliant Solution

For Google Kubernetes Engine:

resource "google_container_cluster" "example" {
  enable_legacy_abac = false
}

See

CWE - CWE-668 - Exposure of Resource to Wrong Sphere
Google Cloud Documentation - Hardening your cluster’s security

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Sonar helps developers write Clean Code.
Privacy Policy | Cookie Policy

In-IDE

SaaS

Self-Hosted