Best practices for Azure

** org.openrewrite.terraform.azure.AzureBestPractices** Securely operate on Microsoft Azure.
Tags
Azure
terraform
Source
​Github, Issue Tracker, Maven Central​
groupId: org.openrewrite.recipe
artifactId: rewrite-terraform
version: 1.6.0
Usage
This recipe has no required configuration options and can be activated directly after taking a dependency on org.openrewrite.recipe:rewrite-terraform:1.6.0 in your build file:
Gradle
Maven
build.gradle
1
plugins {
2
    id("org.openrewrite.rewrite") version("5.22.2")
3
}
4
​
5
rewrite {
6
    activeRecipe("org.openrewrite.terraform.azure.AzureBestPractices")
7
}
8
​
9
repositories {
10
    mavenCentral()
11
}
12
​
13
dependencies {
14
    rewrite("org.openrewrite.recipe:rewrite-terraform:1.6.0")
15
}
Copied!
pom.xml
1
<project>
2
  <build>
3
    <plugins>
4
      <plugin>
5
        <groupId>org.openrewrite.maven</groupId>
6
        <artifactId>rewrite-maven-plugin</artifactId>
7
        <version>4.25.0</version>
8
        <configuration>
9
          <activeRecipes>
10
            <recipe>org.openrewrite.terraform.azure.AzureBestPractices</recipe>
11
          </activeRecipes>
12
        </configuration>
13
        <dependencies>
14
          <dependency>
15
            <groupId>org.openrewrite.recipe</groupId>
16
            <artifactId>rewrite-terraform</artifactId>
17
            <version>1.6.0</version>
18
          </dependency>
19
        </dependencies>
20
      </plugin>
21
    </plugins>
22
  </build>
23
</project>
Copied!
Recipes can also be activated directly from the command line by adding the argument -Drewrite.activeRecipesorg.openrewrite.terraform.azure.AzureBestPractices
Definition
Recipe List
Yaml Recipe List
​Encrypt Azure VM data disk with ADE/CMK​
​Enable Azure Storage secure transfer required​
​Disable Kubernetes dashboard​
​Ensure the storage container storing activity logs is not publicly accessible​
​Ensure Azure Network Watcher NSG flow logs retention is greater than 90 days​
​Ensure Azure App Service Web app redirects HTTP to HTTPS​
​Ensure Web App uses the latest version of TLS encryption​
​Ensure Web App uses the latest version of HTTP​
​Ensure standard pricing tier is selected​
​Ensure a security contact phone number is present​
​Ensure Send email notification for high severity alerts is enabled​
​Ensure Send email notification for high severity alerts to admins is enabled​
​Ensure Azure SQL server audit log retention is greater than 90 days​
​Ensure Azure SQL Server threat detection alerts are enabled for all threat types​
​Ensure Azure SQL server send alerts to field value is set​
​Ensure MSSQL servers have email service and co-administrators enabled​
​Ensure MySQL server databases have Enforce SSL connection enabled​
​Ensure Azure PostgreSQL database server with SSL connection is enabled​
​Set Azure Storage Account default network access to deny​
​Enable Azure Storage Account Trusted Microsoft Services access​
​Ensure activity log retention is set to 365 days or greater​
​Ensure log profile is configured to capture all activities​
​Ensure all keys have an expiration date​
​Ensure AKV secrets have an expiration date set​
​Ensure Azure key vault is recoverable​
​Ensure storage account uses latest TLS version​
​Ensure public network access enabled is set to False for mySQL servers​
​Ensure MySQL is using the latest version of TLS encryption​
​Ensure app service enables HTTP logging​
​Ensure app service enables detailed error messages​
​Ensure app service enables failed request tracing​
​Ensure PostgreSQL server disables public network access​
​Ensure managed identity provider is enabled for app services​
​Ensure FTP Deployments are disabled​
​Ensure MySQL server disables public network access​
​Ensure MySQL server enables geo-redundant backups​
​Enable geo-redundant backups on PostgreSQL server​
​Ensure key vault allows firewall rules settings​
​Ensure key vault enables purge protection​
​Ensure key vault secrets have content_type set​
​Ensure AKS policies add-on​
​Ensure Azure application gateway has WAF enabled​
​Ensure MySQL server enables Threat Detection policy​
​Ensure PostgreSQL server enables Threat Detection policy​
​Ensure PostgreSQL server enables infrastructure encryption​
1
---
2
type: specs.openrewrite.org/v1beta/recipe
3
name: org.openrewrite.terraform.azure.AzureBestPractices
4
displayName: Best practices for Azure
5
description: Securely operate on Microsoft Azure.
6
tags:
7
  - Azure
8
  - terraform
9
recipeList:
10
  - org.openrewrite.terraform.azure.EncryptAzureVMDataDiskWithADECMK
11
  - org.openrewrite.terraform.azure.EnableAzureStorageSecureTransferRequired
12
  - org.openrewrite.terraform.azure.DisableKubernetesDashboard
13
  - org.openrewrite.terraform.azure.EnsureTheStorageContainerStoringActivityLogsIsNotPubliclyAccessible
14
  - org.openrewrite.terraform.azure.EnsureAzureNetworkWatcherNSGFlowLogsRetentionIsGreaterThan90Days
15
  - org.openrewrite.terraform.azure.EnsureAzureAppServiceWebAppRedirectsHTTPToHTTPS
16
  - org.openrewrite.terraform.azure.EnsureWebAppUsesTheLatestVersionOfTLSEncryption
17
  - org.openrewrite.terraform.azure.EnsureWebAppUsesTheLatestVersionOfHTTP
18
  - org.openrewrite.terraform.azure.EnsureStandardPricingTierIsSelected
19
  - org.openrewrite.terraform.azure.EnsureASecurityContactPhoneNumberIsPresent
20
  - org.openrewrite.terraform.azure.EnsureSendEmailNotificationForHighSeverityAlertsIsEnabled
21
  - org.openrewrite.terraform.azure.EnsureSendEmailNotificationForHighSeverityAlertsToAdminsIsEnabled
22
  - org.openrewrite.terraform.azure.EnsureAzureSQLServerAuditLogRetentionIsGreaterThan90Days
23
  - org.openrewrite.terraform.azure.EnsureAzureSQLServerThreatDetectionAlertsAreEnabledForAllThreatTypes
24
  - org.openrewrite.terraform.azure.EnsureAzureSQLServerSendAlertsToFieldValueIsSet
25
  - org.openrewrite.terraform.azure.EnsureMSSQLServersHaveEmailServiceAndCoAdministratorsEnabled
26
  - org.openrewrite.terraform.azure.EnsureMySQLServerDatabasesHaveEnforceSSLConnectionEnabled
27
  - org.openrewrite.terraform.azure.EnsureAzurePostgreSQLDatabaseServerWithSSLConnectionIsEnabled
28
  - org.openrewrite.terraform.azure.SetAzureStorageAccountDefaultNetworkAccessToDeny
29
  - org.openrewrite.terraform.azure.EnableAzureStorageAccountTrustedMicrosoftServicesAccess
30
  - org.openrewrite.terraform.azure.EnsureActivityLogRetentionIsSetTo365DaysOrGreater
31
  - org.openrewrite.terraform.azure.EnsureLogProfileIsConfiguredToCaptureAllActivities
32
  - org.openrewrite.terraform.azure.EnsureAllKeysHaveAnExpirationDate
33
  - org.openrewrite.terraform.azure.EnsureAKVSecretsHaveAnExpirationDateSet
34
  - org.openrewrite.terraform.azure.EnsureAzureKeyVaultIsRecoverable
35
  - org.openrewrite.terraform.azure.EnsureStorageAccountUsesLatestTLSVersion
36
  - org.openrewrite.terraform.azure.EnsurePublicNetworkAccessEnabledIsSetToFalseForMySQLServers
37
  - org.openrewrite.terraform.azure.EnsureMySQLIsUsingTheLatestVersionOfTLSEncryption
38
  - org.openrewrite.terraform.azure.EnsureAppServiceEnablesHTTPLogging
39
  - org.openrewrite.terraform.azure.EnsureAppServiceEnablesDetailedErrorMessages
40
  - org.openrewrite.terraform.azure.EnsureAppServiceEnablesFailedRequestTracing
41
  - org.openrewrite.terraform.azure.EnsurePostgreSQLServerDisablesPublicNetworkAccess
42
  - org.openrewrite.terraform.azure.EnsureManagedIdentityProviderIsEnabledForAppServices
43
  - org.openrewrite.terraform.azure.EnsureFTPDeploymentsAreDisabled
44
  - org.openrewrite.terraform.azure.EnsureMySQLServerDisablesPublicNetworkAccess
45
  - org.openrewrite.terraform.azure.EnsureMySQLServerEnablesGeoRedundantBackups
46
  - org.openrewrite.terraform.azure.EnableGeoRedundantBackupsOnPostgreSQLServer
47
  - org.openrewrite.terraform.azure.EnsureKeyVaultAllowsFirewallRulesSettings
48
  - org.openrewrite.terraform.azure.EnsureKeyVaultEnablesPurgeProtection
49
  - org.openrewrite.terraform.azure.EnsureKeyVaultSecretsHaveContentTypeSet
50
  - org.openrewrite.terraform.azure.EnsureAKSPoliciesAddOn
51
  - org.openrewrite.terraform.azure.EnsureAzureApplicationGatewayHasWAFEnabled
52
  - org.openrewrite.terraform.azure.EnsureMySQLServerEnablesThreatDetectionPolicy
53
  - org.openrewrite.terraform.azure.EnsurePostgreSQLServerEnablesThreatDetectionPolicy
54
  - org.openrewrite.terraform.azure.EnsurePostgreSQLServerEnablesInfrastructureEncryption
Copied!
Azure
Disable Kubernetes dashboard
Last modified 5d ago
Export as PDF
Copy link
Contents