More rules

Author: pregress

.github/workflows/spelling.yml

@@ -0,0 +1,166 @@
+name: Check Spelling
+
+# Comment management is handled through a secondary job, for details see:
+# https://github.com/check-spelling/check-spelling/wiki/Feature%3A-Restricted-Permissions
+#
+# `jobs.comment-push` runs when a push is made to a repository and the `jobs.spelling` job needs to make a comment
+#   (in odd cases, it might actually run just to collapse a comment, but that's fairly rare)
+#   it needs `contents: write` in order to add a comment.
+#
+# `jobs.comment-pr` runs when a pull_request is made to a repository and the `jobs.spelling` job needs to make a comment
+#   or collapse a comment (in the case where it had previously made a comment and now no longer needs to show a comment)
+#   it needs `pull-requests: write` in order to manipulate those comments.
+
+# Updating pull request branches is managed via comment handling.
+# For details, see: https://github.com/check-spelling/check-spelling/wiki/Feature:-Update-expect-list
+#
+# These elements work together to make it happen:
+#
+# `on.issue_comment`
+#   This event listens to comments by users asking to update the metadata.
+#
+# `jobs.update`
+#   This job runs in response to an issue_comment and will push a new commit
+#   to update the spelling metadata.
+#
+# `with.experimental_apply_changes_via_bot`
+#   Tells the action to support and generate messages that enable it
+#   to make a commit to update the spelling metadata.
+#
+# `with.ssh_key`
+#   In order to trigger workflows when the commit is made, you can provide a
+#   secret (typically, a write-enabled github deploy key).
+#
+#   For background, see: https://github.com/check-spelling/check-spelling/wiki/Feature:-Update-with-deploy-key
+
+# Sarif reporting
+#
+# Access to Sarif reports is generally restricted (by GitHub) to members of the repository.
+#
+# Requires enabling `security-events: write`
+# and configuring the action with `use_sarif: 1`
+#
+#   For information on the feature, see: https://github.com/check-spelling/check-spelling/wiki/Feature:-Sarif-output
+
+# Minimal workflow structure:
+#
+# on:
+#   push:
+#     ...
+#   pull_request_target:
+#     ...
+# jobs:
+#   # you only want the spelling job, all others should be omitted
+#   spelling:
+#     # remove `security-events: write` and `use_sarif: 1`
+#     # remove `experimental_apply_changes_via_bot: 1`
+#     ... otherwise adjust the `with:` as you wish
+
+on:
+  push:
+    branches:
+    - "**"
+    tags-ignore:
+    - "**"
+  pull_request_target:
+    branches:
+    - "**"
+    types:
+    - 'opened'
+    - 'reopened'
+    - 'synchronize'
+  issue_comment:
+    types:
+    - 'created'
+
+jobs:
+  spelling:
+    name: Check Spelling
+    permissions:
+      contents: read
+      pull-requests: read
+      actions: read
+      security-events: write
+    outputs:
+      followup: ${{ steps.spelling.outputs.followup }}
+    runs-on: ubuntu-latest
+    if: ${{ contains(github.event_name, 'pull_request') || github.event_name == 'push' }}
+    concurrency:
+      group: spelling-${{ github.event.pull_request.number || github.ref }}
+      # note: If you use only_check_changed_files, you do not want cancel-in-progress
+      cancel-in-progress: true
+    steps:
+    - name: check-spelling
+      id: spelling
+      uses: check-spelling/check-spelling@main
+      with:
+        suppress_push_for_open_pull_request: ${{ github.actor != 'dependabot[bot]' && 1 }}
+        checkout: true
+        check_file_names: 1
+        spell_check_this: check-spelling/spell-check-this@prerelease
+        post_comment: 0
+        use_magic_file: 1
+        report-timing: 1
+        warnings: bad-regex,binary-file,deprecated-feature,large-file,limited-references,no-newline-at-eof,noisy-file,non-alpha-in-dictionary,token-is-substring,unexpected-line-ending,whitespace-in-dictionary,minified-file,unsupported-configuration,no-files-to-check
+        experimental_apply_changes_via_bot: 1
+        use_sarif: ${{ (!github.event.pull_request || (github.event.pull_request.head.repo.full_name == github.repository)) && 1 }}
+        extra_dictionary_limit: 20
+        extra_dictionaries:
+          cspell:software-terms/dict/softwareTerms.txt
+
+  comment-push:
+    name: Report (Push)
+    # If your workflow isn't running on push, you can remove this job
+    runs-on: ubuntu-latest
+    needs: spelling
+    permissions:
+      contents: write
+    if: (success() || failure()) && needs.spelling.outputs.followup && github.event_name == 'push'
+    steps:
+    - name: comment
+      uses: check-spelling/check-spelling@main
+      with:
+        checkout: true
+        spell_check_this: check-spelling/spell-check-this@prerelease
+        task: ${{ needs.spelling.outputs.followup }}
+
+  comment-pr:
+    name: Report (PR)
+    # If you workflow isn't running on pull_request*, you can remove this job
+    runs-on: ubuntu-latest
+    needs: spelling
+    permissions:
+      contents: read
+      pull-requests: write
+    if: (success() || failure()) && needs.spelling.outputs.followup && contains(github.event_name, 'pull_request')
+    steps:
+    - name: comment
+      uses: check-spelling/check-spelling@main
+      with:
+        checkout: true
+        spell_check_this: check-spelling/spell-check-this@prerelease
+        task: ${{ needs.spelling.outputs.followup }}
+        experimental_apply_changes_via_bot: 1
+
+  update:
+    name: Update PR
+    permissions:
+      contents: write
+      pull-requests: write
+      actions: read
+    runs-on: ubuntu-latest
+    if: ${{
+        github.event_name == 'issue_comment' &&
+        github.event.issue.pull_request &&
+        contains(github.event.comment.body, '@check-spelling-bot apply')
+      }}
+    concurrency:
+      group: spelling-update-${{ github.event.issue.number }}
+      cancel-in-progress: false
+    steps:
+    - name: apply spelling updates
+      uses: check-spelling/check-spelling@main
+      with:
+        experimental_apply_changes_via_bot: 1
+        checkout: true
+        ssh_key: "${{ secrets.CHECK_SPELLING }}"

docs/README.md

@@ -7,14 +7,21 @@
 |[azurerm_eventhub_namespace_public_network_access_enabled](./rules/azurerm_eventhub_namespace_public_network_access_enabled.md)|Notice|✔|
 |[azurerm_eventhub_namespace_unsecure_tls](./rules/azurerm_eventhub_namespace_unsecure_tls.md)|Warning|✔|
 |[azurerm_iothub_endpoint_eventhub_authentication_type](./rules/azurerm_iothub_endpoint_eventhub_authentication_type.md)|Notice|✔|
+|[azurerm_key_vault_enable_rbac_authorization](./rules/azurerm_key_vault_enable_rbac_authorization.md)|Warning||
 |[azurerm_key_vault_network_acls_default_deny](./rules/azurerm_key_vault_network_acls_default_deny.md)|Warning|✔|
 |[azurerm_key_vault_public_network_access_enabled](./rules/azurerm_key_vault_public_network_access_enabled.md)|Notice||
 |[azurerm_linux_function_app_ftps_state](./rules/azurerm_linux_function_app_ftps_state.md)|Warning|✔|
 |[azurerm_linux_function_app_https_only](./rules/azurerm_linux_function_app_https_only.md)|Warning|✔|
 |[azurerm_linux_function_app_minimum_tls_version](./rules/azurerm_linux_function_app_minimum_tls_version.md)|Warning|✔|
+|[azurerm_linux_function_app_slot_ftps_state](./rules/azurerm_linux_function_app_slot_ftps_state.md)|Warning|✔|
+|[azurerm_linux_function_app_slot_https_only](./rules/azurerm_linux_function_app_slot_https_only.md)|Warning|✔|
+|[azurerm_linux_function_app_slot_minimum_tls_version](./rules/azurerm_linux_function_app_slot_minimum_tls_version.md)|Warning|✔|
 |[azurerm_linux_web_app_ftps_state](./rules/azurerm_linux_web_app_ftps_state.md)|Warning|✔|
 |[azurerm_linux_web_app_https_only](./rules/azurerm_linux_web_app_https_only.md)|Warning|✔|
 |[azurerm_linux_web_app_minimum_tls_version](./rules/azurerm_linux_web_app_minimum_tls_version.md)|Warning|✔|
+|[azurerm_linux_web_app_slot_ftps_state](./rules/azurerm_linux_web_app_slot_ftps_state.md)|Warning|✔|
+|[azurerm_linux_web_app_slot_https_only](./rules/azurerm_linux_web_app_slot_https_only.md)|Warning|✔|
+|[azurerm_linux_web_app_slot_minimum_tls_version](./rules/azurerm_linux_web_app_slot_minimum_tls_version.md)|Warning|✔|
 |[azurerm_mssql_database_encryption](./rules/azurerm_mssql_database_encryption.md)|Warning|✔|
 |[azurerm_mssql_firewall_rule_all_allowed](./rules/azurerm_mssql_firewall_rule_all_allowed.md)|Error|✔|
 |[azurerm_mssql_server_azuread_authentication_only](./rules/azurerm_mssql_server_azuread_authentication_only.md)|Warning|✔|
@@ -26,9 +33,15 @@
 |[azurerm_windows_function_app_ftps_state](./rules/azurerm_windows_function_app_ftps_state.md)|Warning|✔|
 |[azurerm_windows_function_app_https_only](./rules/azurerm_windows_function_app_https_only.md)|Warning|✔|
 |[azurerm_windows_function_app_minimum_tls_version](./rules/azurerm_windows_function_app_minimum_tls_version.md)|Warning|✔|
+|[azurerm_windows_function_app_slot_ftps_state](./rules/azurerm_windows_function_app_slot_ftps_state.md)|Warning|✔|
+|[azurerm_windows_function_app_slot_https_only](./rules/azurerm_windows_function_app_slot_https_only.md)|Warning|✔|
+|[azurerm_windows_function_app_slot_minimum_tls_version](./rules/azurerm_windows_function_app_slot_minimum_tls_version.md)|Warning|✔|
 |[azurerm_windows_web_app_ftps_state](./rules/azurerm_windows_web_app_ftps_state.md)|Warning|✔|
 |[azurerm_windows_web_app_https_only](./rules/azurerm_windows_web_app_https_only.md)|Warning|✔|
 |[azurerm_windows_web_app_minimum_tls_version](./rules/azurerm_windows_web_app_minimum_tls_version.md)|Warning|✔|
+|[azurerm_windows_web_app_slot_ftps_state](./rules/azurerm_windows_web_app_slot_ftps_state.md)|Warning|✔|
+|[azurerm_windows_web_app_slot_https_only](./rules/azurerm_windows_web_app_slot_https_only.md)|Warning|✔|
+|[azurerm_windows_web_app_slot_minimum_tls_version](./rules/azurerm_windows_web_app_slot_minimum_tls_version.md)|Warning|✔|
 
 ## Rules by Resource
 
@@ -43,6 +56,7 @@
 
 ### azurerm_key_vault
 
+- [azurerm_key_vault_enable_rbac_authorization](./rules/azurerm_key_vault_enable_rbac_authorization.md)
 - [azurerm_key_vault_network_acls_default_deny](./rules/azurerm_key_vault_network_acls_default_deny.md)
 - [azurerm_key_vault_public_network_access_enabled](./rules/azurerm_key_vault_public_network_access_enabled.md)
 
@@ -52,12 +66,24 @@
 - [azurerm_linux_function_app_https_only](./rules/azurerm_linux_function_app_https_only.md)
 - [azurerm_linux_function_app_minimum_tls_version](./rules/azurerm_linux_function_app_minimum_tls_version.md)
 
+### azurerm_linux_function_app_slot
+
+- [azurerm_linux_function_app_slot_ftps_state](./rules/azurerm_linux_function_app_slot_ftps_state.md)
+- [azurerm_linux_function_app_slot_https_only](./rules/azurerm_linux_function_app_slot_https_only.md)
+- [azurerm_linux_function_app_slot_minimum_tls_version](./rules/azurerm_linux_function_app_slot_minimum_tls_version.md)
+
 ### azurerm_linux_web_app
 
 - [azurerm_linux_web_app_ftps_state](./rules/azurerm_linux_web_app_ftps_state.md)
 - [azurerm_linux_web_app_https_only](./rules/azurerm_linux_web_app_https_only.md)
 - [azurerm_linux_web_app_minimum_tls_version](./rules/azurerm_linux_web_app_minimum_tls_version.md)
 
+### azurerm_linux_web_app_slot
+
+- [azurerm_linux_web_app_slot_ftps_state](./rules/azurerm_linux_web_app_slot_ftps_state.md)
+- [azurerm_linux_web_app_slot_https_only](./rules/azurerm_linux_web_app_slot_https_only.md)
+- [azurerm_linux_web_app_slot_minimum_tls_version](./rules/azurerm_linux_web_app_slot_minimum_tls_version.md)
+
 ### azurerm_mssql_database
 
 - [azurerm_mssql_database_encryption](./rules/azurerm_mssql_database_encryption.md)
@@ -84,9 +110,21 @@
 - [azurerm_windows_function_app_https_only](./rules/azurerm_windows_function_app_https_only.md)
 - [azurerm_windows_function_app_minimum_tls_version](./rules/azurerm_windows_function_app_minimum_tls_version.md)
 
+### azurerm_windows_function_app_slot
+
+- [azurerm_windows_function_app_slot_ftps_state](./rules/azurerm_windows_function_app_slot_ftps_state.md)
+- [azurerm_windows_function_app_slot_https_only](./rules/azurerm_windows_function_app_slot_https_only.md)
+- [azurerm_windows_function_app_slot_minimum_tls_version](./rules/azurerm_windows_function_app_slot_minimum_tls_version.md)
+
 ### azurerm_windows_web_app
 
 - [azurerm_windows_web_app_ftps_state](./rules/azurerm_windows_web_app_ftps_state.md)
 - [azurerm_windows_web_app_https_only](./rules/azurerm_windows_web_app_https_only.md)
 - [azurerm_windows_web_app_minimum_tls_version](./rules/azurerm_windows_web_app_minimum_tls_version.md)
 
+### azurerm_windows_web_app_slot
+
+- [azurerm_windows_web_app_slot_ftps_state](./rules/azurerm_windows_web_app_slot_ftps_state.md)
+- [azurerm_windows_web_app_slot_https_only](./rules/azurerm_windows_web_app_slot_https_only.md)
+- [azurerm_windows_web_app_slot_minimum_tls_version](./rules/azurerm_windows_web_app_slot_minimum_tls_version.md)
+

docs/rules/azurerm_iothub_endpoint_eventhub_authentication_type.md

@@ -17,10 +17,11 @@ Using identityBased authentication with a managed identity enhances security by
 
 ## How to Fix
 
+```hcl
 resource "azurerm_iothub_endpoint_eventhub" "example" {
     authentication_type = "identityBased"
 }
-
+```
 
 ## How to disable
 

docs/rules/azurerm_key_vault_enable_rbac_authorization.md

@@ -0,0 +1,34 @@
+# azurerm_key_vault_enable_rbac_authorization
+
+**Severity:** Warning
+
+
+## Example
+
+```hcl
+resource "azurerm_key_vault" "example" {
+    enable_rbac_authorization = false
+}
+```
+
+## Why
+
+Enabling enable_rbac_authorization allows access to the Key Vault to be managed through Azure Role-Based Access Control (RBAC), providing granular, centralized, and scalable permissions management. This is considered the current best practice.
+
+## How to Fix
+
+```hcl
+resource "azurerm_key_vault" "example" {
+    enable_rbac_authorization = true
+}
+```
+
+
+## How to disable
+
+```hcl
+rule "azurerm_key_vault_enable_rbac_authorization" {
+  enabled = false
+}
+```
+

docs/rules/azurerm_linux_function_app_slot_ftps_state.md

@@ -0,0 +1,38 @@
+# azurerm_linux_function_app_slot_ftps_state
+
+**Severity:** Warning
+
+
+## Example
+
+```hcl
+resource "azurerm_linux_function_app_slot" "example" {
+    site_config {
+        ftps_state = "FtpsOnly"
+    }
+}
+```
+
+## Why
+
+Disabling FTPS ensures that file transfer protocols are not used, reducing the risk of data interception and enhancing the overall security of the Linux Function App.
+
+## How to Fix
+
+```hcl
+resource "azurerm_linux_function_app_slot" "example" {
+    site_config {
+        ftps_state = "Disabled"
+    }
+}
+```
+
+
+## How to disable
+
+```hcl
+rule "azurerm_linux_function_app_slot_ftps_state" {
+  enabled = false
+}
+```
+

docs/rules/azurerm_linux_function_app_slot_https_only.md

@@ -0,0 +1,34 @@
+# azurerm_linux_function_app_slot_https_only
+
+**Severity:** Warning
+
+
+## Example
+
+```hcl
+resource "azurerm_linux_function_app_slot" "example" {
+    https_only = false
+}
+```
+
+## Why
+
+Enforcing https_only ensures all communications with the resource are encrypted, protecting sensitive data in transit and mitigating the risk of man-in-the-middle attacks.
+
+## How to Fix
+
+```hcl
+resource "azurerm_linux_function_app_slot" "example" {
+    https_only = true
+}
+```
+
+
+## How to disable
+
+```hcl
+rule "azurerm_linux_function_app_slot_https_only" {
+  enabled = false
+}
+```
+