Feat: storage network rules

Author: pregress

README.md

@@ -17,7 +17,7 @@ You can install the plugin with `tflint --init`. Declare a config in `.tflint.hc
 plugin "azurerm-security" {
   enabled = true
 
-  version = "0.1.9"
+  version = "0.1.10"
   source  = "github.com/pregress/tflint-ruleset-azurerm-security"
 }
 ```

docs/rules/azurerm_storage_account_public_network_access_enabled.md

@@ -13,16 +13,32 @@ resource "azurerm_storage_account" "example" {
 
 ## Why
 
-Disabling public_network_access_enabled ensures the Storage Account is not accessible from the public internet, reducing exposure to potential security threats and limiting access to trusted, private networks only.
+Storage accounts with unrestricted public network access expose your data to potential security threats. By either disabling public network access altogether or implementing network rules with "Deny" as the default action, you can significantly reduce your storage account's attack surface.
 
 ## How to Fix
 
+Option 1: Disable public network access completely:
+
 ```hcl
 resource "azurerm_storage_account" "example" {
     public_network_access_enabled = false
 }
 ```
 
+Option 2: Implement network rules with default action set to "Deny":
+
+```hcl
+resource "azurerm_storage_account" "example" {
+    network_rules {
+        default_action = "Deny"
+        bypass         = ["AzureServices"]
+        # Add specific IP rules or virtual network subnet IDs as needed
+        ip_rules       = ["203.0.113.0/24"]
+    }
+}
+```
+
+This configuration enables fine-grained access control, allowing connectivity only from specified IP addresses or virtual networks while blocking all other traffic.
 
 ## How to disable
 

project/main.go

@@ -3,7 +3,7 @@ package project
 import "fmt"
 
 // Version is ruleset version
-const Version string = "0.1.9"
+const Version string = "0.1.10"
 
 // ReferenceLink returns the rule reference link
 func ReferenceLink(name string) string {

rules/azurerm_storage_account_public_network_access_enabled .go renamed to rules/azurerm_storage_account_public_network_access_enabled.go

@@ -3,7 +3,7 @@ package rules
 import (
 	"github.com/terraform-linters/tflint-plugin-sdk/hclext"
 	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
-	
+
 	"github.com/terraform-linters/tflint-ruleset-azurerm-security/project"
 )
 
@@ -49,18 +49,51 @@ func (r *AzurermStorageAccountPublicNetworkAccessEnabled) Check(runner tflint.Ru
 		Attributes: []hclext.AttributeSchema{
 			{Name: r.attributeName},
 		},
+		Blocks: []hclext.BlockSchema{
+			{
+				Type: "network_rules",
+				Body: &hclext.BodySchema{
+					Attributes: []hclext.AttributeSchema{
+						{Name: "default_action"},
+					},
+				},
+			},
+		},
 	}, nil)
 	if err != nil {
 		return err
 	}
 
 	for _, resource := range resources.Blocks {
+		// Check for network_rules block with default_action = "Deny"
+		hasSecureNetworkRulesWithDeny := false
+		hasSecureNetworkRules := false
+		for _, block := range resource.Body.Blocks {
+			if block.Type == "network_rules" {
+				hasSecureNetworkRules = true
+				if defaultActionAttr, exists := block.Body.Attributes["default_action"]; exists {
+					var defaultAction string
+					if err := runner.EvaluateExpr(defaultActionAttr.Expr, &defaultAction, nil); err == nil {
+						if defaultAction == "Deny" {
+							hasSecureNetworkRulesWithDeny = true
+							break
+						}
+					}
+				}
+			}
+		}
+
+		// If network rules with default_action = "Deny" exist, the configuration is secure
+		if hasSecureNetworkRulesWithDeny {
+			continue
+		}
+
 		attribute, exists := resource.Body.Attributes[r.attributeName]
-		if !exists {
-			// Emit an issue if the attribute does not exist
+		if !exists && !hasSecureNetworkRules {
+			// If the attribute does not exist and there are no secure network rules, emit an issue
 			runner.EmitIssue(
 				r,
-				"public_network_access_enabled is not defined and defaults to true, consider disabling it",
+				"public_network_access_enabled is not defined and defaults to true, consider disabling it or adding network_rules with default_action = \"Deny\"",
 				resource.DefRange,
 			)
 			continue
@@ -70,7 +103,7 @@ func (r *AzurermStorageAccountPublicNetworkAccessEnabled) Check(runner tflint.Ru
 			if val {
 				runner.EmitIssue(
 					r,
-					"Consider changing public_network_access_enabled to false",
+					"Consider changing public_network_access_enabled to false or add network_rules with default_action = \"Deny\"",
 					attribute.Expr.Range(),
 				)
 			}

rules/azurerm_storage_account_public_network_access_enabled_test.go

@@ -14,15 +14,15 @@ func Test_AzurermStorageAccountPublicNetworkAccessEnabled(t *testing.T) {
 		Expected helper.Issues
 	}{
 		{
-			Name: "public network access disabled",
+			Name: "public network access enabled",
 			Content: `
 resource "azurerm_storage_account" "example" {
     public_network_access_enabled = true
 }`,
 			Expected: helper.Issues{
 				{
 					Rule:    NewAzurermStorageAccountPublicNetworkAccessEnabled(),
-					Message: "Consider changing public_network_access_enabled to false",
+					Message: "Consider changing public_network_access_enabled to false or add network_rules with default_action = \"Deny\"",
 					Range: hcl.Range{
 						Filename: "resource.tf",
 						Start:    hcl.Pos{Line: 3, Column: 37},
@@ -39,7 +39,7 @@ resource "azurerm_storage_account" "example" {
 			Expected: helper.Issues{
 				{
 					Rule:    NewAzurermStorageAccountPublicNetworkAccessEnabled(),
-					Message: "public_network_access_enabled is not defined and defaults to true, consider disabling it",
+					Message: "public_network_access_enabled is not defined and defaults to true, consider disabling it or adding network_rules with default_action = \"Deny\"",
 					Range: hcl.Range{
 						Filename: "resource.tf",
 						Start:    hcl.Pos{Line: 2, Column: 1},
@@ -56,6 +56,44 @@ resource "azurerm_storage_account" "example" {
 }`,
 			Expected: helper.Issues{},
 		},
+		{
+			Name: "public network access enabled netork rules with default_action = Deny",
+			Content: `
+resource "azurerm_storage_account" "example" {
+    public_network_access_enabled = true
+
+	network_rules {
+		default_action             = "Deny"
+		bypass                     = ["AzureServices"]
+		ip_rules = ["1.1.1.1"]
+	}
+}`,
+			Expected: helper.Issues{},
+		},
+		{
+			Name: "public network access enbled network rules with default_action = Allow",
+			Content: `
+resource "azurerm_storage_account" "example" {
+    public_network_access_enabled = true
+
+	network_rules {
+		default_action             = "Allow"
+		bypass                     = ["AzureServices"]
+		ip_rules = ["1.1.1.1"]
+	}
+}`,
+			Expected: helper.Issues{
+				{
+					Rule:    NewAzurermStorageAccountPublicNetworkAccessEnabled(),
+					Message: "Consider changing public_network_access_enabled to false or add network_rules with default_action = \"Deny\"",
+					Range: hcl.Range{
+						Filename: "resource.tf",
+						Start:    hcl.Pos{Line: 3, Column: 37},
+						End:      hcl.Pos{Line: 3, Column: 41},
+					},
+				},
+			},
+		},
 	}
 
 	rule := NewAzurermStorageAccountPublicNetworkAccessEnabled()