Lack of protection against deletion - Azure

Need

Protection against accidental deletion of critical objects

Context

  • Usage of Terraform for Infrastructure as Code (IaC)
  • Usage of Azure Resource Manager (azurerm) for managing Azure resources

Description

Non compliant code

        provider "azurerm" {
          features {}
        }

        resource "azurerm_resource_group" "example" {
          name     = "example-resources"
          location = "West Europe"
        }

This Terraform configuration creates an Azure resource group named "example-resources" in the "West Europe" region. The weakness is that nothing in the configuration, and nothing on the Azure side, protects the resource group against accidental deletion.

In Terraform, the prevent_destroy lifecycle setting can be used to protect resources from being destroyed. If it is not set for a resource, anyone with access to the Terraform configuration and the necessary permissions in Azure can accidentally or intentionally delete the resource by running terraform destroy, or terraform apply after removing the resource from the configuration. Note that prevent_destroy is enforced only by Terraform itself; it does not stop deletion performed through the Azure portal, CLI or SDKs.

This lack of protection against deletion is a serious vulnerability, especially for critical resources that should not be deleted. If such a resource is deleted, it could lead to data loss, service disruption, and other negative impacts.

To fix this vulnerability, add a prevent_destroy lifecycle block to the resource so that Terraform rejects any plan that would destroy it, and, for protection that also holds outside Terraform, place an Azure management lock (CanNotDelete) on the resource group, as in the compliant code below.
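The two guards described above combined in one configuration, as an added example that is not part of the original page: the Terraform-side prevent_destroy setting and the Azure-side management lock. The names "example-resources" and "example-lock" and the "West Europe" location come from the page; the required_providers block and its version constraint are assumptions for illustration.

```hcl
# Added example (not the page's own code). Provider version is assumed.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"

  # Terraform-side guard: any plan that would destroy this resource
  # (terraform destroy, or terraform apply after the block is removed)
  # is rejected during planning. It only covers operations run through
  # Terraform and has no effect on deletions made directly in Azure.
  lifecycle {
    prevent_destroy = true
  }
}

# Azure-side guard: enforced by Azure Resource Manager, so deletion from
# the portal, CLI or SDKs is refused as well, whatever the caller's role,
# until a user allowed to manage locks removes this lock first.
resource "azurerm_management_lock" "example" {
  name       = "example-lock"
  scope      = azurerm_resource_group.example.id
  lock_level = "CanNotDelete"
  notes      = "Prevents accidental deletion of the resource group"
}
```

Two practical consequences of this pair: a CanNotDelete lock on a resource group is inherited by every resource inside it, so deleting individual resources in the group is blocked too; and an intentional teardown has to be done in two steps (remove the lock, then lower prevent_destroy to false) before terraform destroy will succeed, which is exactly the friction that protects critical objects.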

Steps

  • Enable a resource lock on the resource group to prevent accidental deletion
  • Implement a backup strategy for the resources in the resource group
  • Regularly test the backup and restore process to ensure its effectiveness

Compliant code

        provider "azurerm" {
          features {}
        }

        resource "azurerm_resource_group" "example" {
          name     = "example-resources"
          location = "West Europe"
        }

        resource "azurerm_management_lock" "example" {
          name       = "example-lock"
          scope      = azurerm_resource_group.example.id
          lock_level = "CanNotDelete"
          notes      = "This lock prevents accidental deletion of the resource group"
        }

The code above is a Terraform configuration for the Azure Resource Manager (azurerm) provider. It creates a resource group named "example-resources" in the "West Europe" location.

To protect the resource group from accidental deletion, a management lock is added. The azurerm_management_lock resource creates a lock on the resource group. The lock_level is set to "CanNotDelete", which means the resource group cannot be deleted when the lock is in place. The notes field is used to provide a description of the lock.

Please note that this lock prevents all users from deleting the resource group, regardless of their role, and because management locks are inherited it also blocks deletion of the resources inside the group. Before the resource group can be deleted, the lock must first be removed by a user with permission to manage locks (the Microsoft.Authorization/locks/* actions, held by the Owner and User Access Administrator roles).

In addition to this, it is recommended to implement a backup strategy for the resources in the resource group and regularly test the backup and restore process to ensure its effectiveness. This will provide an additional layer of protection against data loss.

References