(Onboarding) Implement MOCK-AZR-SVB-02 #5
base: main
@@ -35,6 +35,7 @@ func TestServiceBus(t *testing.T) { | |||
// We verify that LocalAuthEnabled is always false | |||
t.Run("MOCK-AZR-SVB-01", func(t *testing.T) { | |||
assert.False(t, serviceBus.LocalAuthEnabled) | |||
assert.False(t, serviceBus.PublicNetworkAccessEnabled) |
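Review bot: The assertion on serviceBus.PublicNetworkAccessEnabled sits inside the t.Run("MOCK-AZR-SVB-01", ...) subtest, whose comment only mentions LocalAuthEnabled, while the PR title says this change implements MOCK-AZR-SVB-02. Move it into its own t.Run("MOCK-AZR-SVB-02", ...) with a comment stating what is verified, so a failure is reported against the correct control ID. The visible lines also only assert the resulting value; a second case that attempts to enable public network access and asserts that the value is still false, or that the run is rejected, would show the control is enforced and not just a default.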
This assertion here because it's the default value... but what would happen if someone used it with a non-default (setting it to true)? Would this test still pass?
Hi @samcolson4! Thanks for the PR! Regarding the logic behind the implementation of SCF controls for Terraform, if someone wants to deploy a Service Bus with public access network enabled, they would be able to. However, from an enforcing layer, they would be blocked from actually running their code. Since the Terraform module's idea is to allow people to run code that is aligned to the security controls, we should avoid that (having options that are, really, not options as they are blocked elsewhere). Can you think of a way to implement these controls in order to make sure the Terraform module user cannot set Public Network Access as enabled? :)
@gusfcarvalho - my latest commit uses the I can see in Robel's implementation he added another layer to this around private subnets so I may grab him to speak about that too.
false