docs (#19)

docs/README.md

@@ -1,73 +1,73 @@
 # Rules
 
 ## azurerm_eventhub_namespace
-|Name|Description|Severity|Enabled|Link|
-| --- | --- | --- | --- | --- |
-|azurerm_eventhub_namespace_public_network_access_enabled|Consider disabling public network access on eventhubs. |NOTICE|✔||
-|azurerm_eventhub_namespace_minimum_tls_version|Enforce TLS 1.2 on event hubs |WARNING|✔||
+|Name|Description|Severity|Enabled|
+| --- | --- | --- | --- |
+|[azurerm_eventhub_namespace_public_network_access_enabled](./rules/azurerm_eventhub_namespace_public_network_access_enabled.md)|Consider disabling public network access on eventhubs. |NOTICE|✔|
+|[azurerm_eventhub_namespace_minimum_tls_version](./rules/azurerm_eventhub_namespace_unsecure_tls.md)|Enforce TLS 1.2 on event hubs |WARNING|✔|
 
 ## azurerm_iothub_endpoint_eventhub
-|Name|Description|Severity|Enabled|Link|
-| --- | --- | --- | --- | --- |
-|azurerm_iothub_endpoint_eventhub_authentication_type|Consider using managed identity to authenticate agains eventhub. |NOTICE|||
+|Name|Description|Severity|Enabled|
+| --- | --- | --- | --- |
+|[azurerm_iothub_endpoint_eventhub_authentication_type](./rules/azurerm_iothub_endpoint_eventhub_authentication_type.md)|Consider using managed identity to authenticate agains eventhub. |NOTICE||
 
 ## azurerm_key_vault
-|Name|Description|Severity|Enabled|Link|
-| --- | --- | --- | --- | --- |
-|azurerm_key_vault_public_network_access_enabled|Consider disabling public network access on keyvaults. |NOTICE|||
-|azurerm_key_vault_network_acls_default_deny|Deny network access to Keyvaults. You can add `bypass = "AzureServices"` to allow azure services to connect to keyvault or add `ip_rules`|WARNING|✔||
+|Name|Description|Severity|Enabled|
+| --- | --- | --- | --- |
+|[azurerm_key_vault_public_network_access_enabled](./rules/azurerm_key_vault_public_network_access_enabled.md)|Consider disabling public network access on keyvaults. |NOTICE||
+|[azurerm_key_vault_network_acls_default_deny](./rules/azurerm_key_vault_network_acls_default_deny.md)|Deny network access to Keyvaults. You can add `bypass = "AzureServices"` to allow azure services to connect to keyvault or add `ip_rules`|WARNING|✔|
 
 ## azurerm_linux_function_app
-|Name|Description|Severity|Enabled|Link|
-| --- | --- | --- | --- | --- |
-|azurerm_linux_function_app_ftps_state|Disable sftp to a linux function app |WARNING|✔||
-|azurerm_linux_function_app_https_only|Force all traffic over https |WARNING|✔||
-|azurerm_linux_function_app_minimum_tls_version|Enforce TLS 1.2 on linux function apps |WARNING|✔||
+|Name|Description|Severity|Enabled|
+| --- | --- | --- | --- |
+|[azurerm_linux_function_app_ftps_state](./rules/azurerm_linux_function_app_ftps_state.md)|Disable sftp to a linux function app |WARNING|✔|
+|[azurerm_linux_function_app_https_only](./rules/azurerm_linux_function_app_https_only.md)|Force all traffic over https |WARNING|✔|
+|[azurerm_linux_function_app_minimum_tls_version](./rules/azurerm_linux_function_app_minimum_tls_version.md)|Enforce TLS 1.2 on linux function apps |WARNING|✔|
 
 ## azurerm_linux_web_app
-|Name|Description|Severity|Enabled|Link|
-| --- | --- | --- | --- | --- |
-|azurerm_linux_web_app_ftps_state|Disable sftp to a linux web app |WARNING|✔||
-|azurerm_linux_web_app_https_only|Force all traffic over https |WARNING|✔||
-|azurerm_linux_web_app_minimum_tls_version|Enforce TLS 1.2 on linux web apps |WARNING|✔||
+|Name|Description|Severity|Enabled|
+| --- | --- | --- | --- |
+|[azurerm_linux_web_app_ftps_state](./rules/azurerm_linux_web_app_ftps_state.md)|Disable sftp to a linux web app |WARNING|✔|
+|[azurerm_linux_web_app_https_only](./rules/azurerm_linux_web_app_https_only.md)|Force all traffic over https |WARNING|✔|
+|[azurerm_linux_web_app_minimum_tls_version](./rules/azurerm_linux_web_app_minimum_tls_version.md)|Enforce TLS 1.2 on linux web apps |WARNING|✔|
 
 ## azurerm_mssql_database
-|Name|Description|Severity|Enabled|Link|
-| --- | --- | --- | --- | --- |
-|azurerm_mssql_database_transparent_data_encryption_enabled|Enforce transparant data encryption|WARNING|✔||
+|Name|Description|Severity|Enabled|
+| --- | --- | --- | --- |
+|[azurerm_mssql_database_transparent_data_encryption_enabled](./rules/azurerm_mssql_database_encryption.md)|Enforce transparant data encryption|WARNING|✔|
 
 ## azurerm_mssql_server
-|Name|Description|Severity|Enabled|Link|
-| --- | --- | --- | --- | --- |
-|azurerm_mssql_server_azuread_authentication_only |Only user Azure AD authentication to SQL |WARNING|✔||
-|azurerm_mssql_server_public_network_access_enabled|Consider disabling public network access on SQL servers. |NOTICE|✔||
-|azurerm_mssql_server_minimum_tls_version|Enforce TLS 1.2 on SQL servers. |WARNING|✔||
+|Name|Description|Severity|Enabled|
+| --- | --- | --- | --- |
+|[azurerm_mssql_server_azuread_authentication_only](./rules/azurerm_mssql_server_azuread_authentication_only.md)|Only user Azure AD authentication to SQL |WARNING|✔|
+|[azurerm_mssql_server_public_network_access_enabled](./rules/azurerm_mssql_server_public_network_access_enabled.md)|Consider disabling public network access on SQL servers. |NOTICE|✔|
+|[azurerm_mssql_server_minimum_tls_version](./rules/azurerm_mssql_server_unsecure_tls.md)|Enforce TLS 1.2 on SQL servers. |WARNING|✔|
 
 ## azurerm_mssql_firewall_rule
 
-|Name|Description|Severity|Enabled|Link|
-| --- | --- | --- | --- | --- |
-|azurerm_mssql_firewall_rule_all_allowed|Remove a firewall rule that allows any ip.|ERROR|✔||
+|Name|Description|Severity|Enabled|
+| --- | --- | --- | --- |
+|[azurerm_mssql_firewall_rule_all_allowed](./rules/azurerm_mssql_firewall_rule_all_allowed.md)|Remove a firewall rule that allows any ip.|ERROR|✔|
 
 
 ## azurerm_storage_account
-|Name|Description|Severity|Enabled|Link|
-| --- | --- | --- | --- | --- |
-|azurerm_storage_account_https_traffic_only_enabled|Enforce all traffic to use https on storage accounts|WARNING|✔||
-|azurerm_storage_account_public_network_access_enabled|Consider disabling public network access on storage accounts. |NOTICE|✔||
-|azurerm_storage_account_tls_version|Enforce TLS 1.2 on storage accounts |WARNING|✔||
+|Name|Description|Severity|Enabled|
+| --- | --- | --- | --- |
+|[azurerm_storage_account_https_traffic_only_enabled](./rules/azurerm_storage_account_https_traffic_only_enabled.md)|Enforce all traffic to use https on storage accounts|WARNING|✔|
+|[azurerm_storage_account_public_network_access_enabled](./rules/azurerm_storage_account_public_network_access_enabled.md)|Consider disabling public network access on storage accounts. |NOTICE|✔|
+|[azurerm_storage_account_tls_version](./rules/azurerm_storage_account_unsecure_tls.md)|Enforce TLS 1.2 on storage accounts |WARNING|✔|
 
 ## azurerm_windows_function_app
-|Name|Description|Severity|Enabled|Link|
-| --- | --- | --- | --- | --- |
-|azurerm_windows_function_app_ftps_state|Disable sftp to a windows function app |WARNING|✔||
-|azurerm_windows_function_app_https_only|Force all traffic over https |WARNING|✔||
-|azurerm_windows_function_app_minimum_tls_version|Enforce TLS 1.2 on windows function apps |WARNING|✔||
+|Name|Description|Severity|Enabled|
+| --- | --- | --- | --- |
+|[azurerm_windows_function_app_ftps_state](./rules/azurerm_windows_function_app_ftps_state.md)|Disable sftp to a windows function app |WARNING|✔|
+|[azurerm_windows_function_app_https_only](./rules/azurerm_windows_function_app_https_only.md)|Force all traffic over https |WARNING|✔|
+|[azurerm_windows_function_app_minimum_tls_version](./rules/azurerm_windows_function_app_minimum_tls_version.md)|Enforce TLS 1.2 on windows function apps |WARNING|✔|
 
 
 ## azurerm_windows_web_app
-|Name|Description|Severity|Enabled|Link|
-| --- | --- | --- | --- | --- |
-|azurerm_windows_web_app_ftps_state|Disable sftp to a windows web app |WARNING|✔||
-|azurerm_windows_web_app_https_only|Force all traffic over https |WARNING|✔||
-|azurerm_windows_web_app_minimum_tls_version|Enforce TLS 1.2 on windows web apps |WARNING|✔||
+|Name|Description|Severity|Enabled|
+| --- | --- | --- | --- |
+|[azurerm_windows_web_app_ftps_state](./rules/azurerm_windows_web_app_ftps_state.md)|Disable sftp to a windows web app |WARNING|✔|
+|[azurerm_windows_web_app_https_only](./rules/azurerm_windows_web_app_https_only.)|Force all traffic over https |WARNING|✔|
+|[azurerm_windows_web_app_minimum_tls_version](./rules/azurerm_windows_web_app_minimum_tls_version.md)|Enforce TLS 1.2 on windows web apps |WARNING|✔|

docs/rules/azurerm_eventhub_namespace_public_network_access_enabled.md

@@ -0,0 +1,53 @@
+# azurerm_eventhub_namespace_public_network_access_enabled
+
+**Severity:** Notice
+
+
+## Example
+
+```hcl
+resource "azurerm_eventhub_namespace" "example" {
+    public_network_access_enabled = true
+}
+```
+or 
+```hcl
+resource "azurerm_eventhub_namespace" "example" {
+    network_rulesets {
+	    default_action = "Allow"
+	}
+}
+```
+
+## Why
+
+Restricting the default action to Deny or disabling public network access prevents unauthorized access to the Event Hub namespace, reducing exposure to potential threats and ensuring only trusted networks can connect.
+
+## How to Fix
+
+There are 2 possible solutions, disable public network access completly or use `network_rulesets` to specify specific firewall rules.
+
+### Disbale public network access
+```hcl
+resource "azurerm_eventhub_namespace" "example" {
+  public_network_access_enabled = true
+}
+```
+
+### Use network_rulesets
+```hcl
+resource "azurerm_eventhub_namespace" "example" {
+	network_rulesets {
+	    default_action = "Deny"
+	}
+}
+```
+
+## How to disable
+
+```hcl
+rule "azurerm_eventhub_namespace_public_network_access_enabled" {
+  enabled = false
+}
+```
+

docs/rules/azurerm_eventhub_namespace_unsecure_tls.md

@@ -0,0 +1,36 @@
+# azurerm_eventhub_namespace_unsecure_tls
+
+**Severity:** Warning
+
+
+## Example
+
+```hcl
+resource "azurerm_eventhub_namespace" "example" {
+    min_tls_version = "TLS1_0"
+}
+```
+
+## Why
+
+Enforcing a minimum TLS version of 1.2 ensures secure communication by adhering to modern encryption standards, protecting data in transit from vulnerabilities in older TLS versions, as versions 1.0 and 1.1 are insecure.
+
+## How to Fix
+
+Set the `min_tls_version` to `TLS1_2`
+
+```hcl
+resource "azurerm_eventhub_namespace" "example" {
+    min_tls_version = "TLS1_2"
+}
+```
+
+
+## How to disable
+
+```hcl
+rule "azurerm_eventhub_namespace_unsecure_tls" {
+  enabled = false
+}
+```
+

docs/rules/azurerm_iothub_endpoint_eventhub_authentication_type.md

@@ -0,0 +1,32 @@
+# azurerm_iothub_endpoint_eventhub_authentication_type
+
+**Severity:** Notice
+
+
+## Example
+
+```hcl
+resource "azurerm_iothub_endpoint_eventhub" "example" {
+    authentication_type = "connectionString"
+}
+```
+
+## Why
+
+Using identityBased authentication with a managed identity enhances security by avoiding hardcoded connection strings, reducing the risk of credential leakage, and leveraging Azure's identity management for secure and scalable access control.
+
+## How to Fix
+
+resource "azurerm_iothub_endpoint_eventhub" "example" {
+    authentication_type = "identityBased"
+}
+
+
+## How to disable
+
+```hcl
+rule "azurerm_iothub_endpoint_eventhub_authentication_type" {
+  enabled = false
+}
+```
+

docs/rules/azurerm_key_vault_network_acls_default_deny.md

@@ -0,0 +1,38 @@
+# azurerm_key_vault_network_acls_default_deny
+
+**Severity:** Warning
+
+
+## Example
+
+```hcl
+resource "azurerm_key_vault" "example" {
+    network_acls {
+        default_action = "Allow"
+    }
+}
+```
+
+## Why
+
+Setting default_action to Deny ensures that the Azure Key Vault is not accessible from unauthorized or untrusted networks, improving security by restricting access to explicitly allowed sources only.
+
+## How to Fix
+
+```hcl
+resource "azurerm_key_vault" "example" {
+    network_acls {
+        default_action = "Deny"
+    }
+}
+```
+
+
+## How to disable
+
+```hcl
+rule "azurerm_key_vault_network_acls_default_deny" {
+  enabled = false
+}
+```
+

docs/rules/azurerm_key_vault_public_network_access_enabled.md

@@ -0,0 +1,34 @@
+# azurerm_key_vault_public_network_access_enabled
+
+**Severity:** Notice
+
+
+## Example
+
+```hcl
+resource "azurerm_key_vault" "example" {
+    public_network_access_enabled = true
+}
+```
+
+## Why
+
+Disabling public_network_access_enabled ensures the keyvault is not accessible from the public internet, reducing exposure to potential security threats and limiting access to trusted, private networks only.
+
+## How to Fix
+
+```hcl
+resource "azurerm_key_vault" "example" {
+    public_network_access_enabled = false
+}
+```
+
+
+## How to disable
+
+```hcl
+rule "azurerm_key_vault_public_network_access_enabled" {
+  enabled = false
+}
+```
+

docs/rules/azurerm_linux_function_app_ftps_state.md

@@ -0,0 +1,38 @@
+# azurerm_linux_function_app_ftps_state
+
+**Severity:** Warning
+
+
+## Example
+
+```hcl
+resource "azurerm_linux_function_app" "example" {
+    site_config {
+        ftps_state = "FtpsOnly"
+    }
+}
+```
+
+## Why
+
+Disabling FTPS ensures that file transfer protocols are not used, reducing the risk of data interception and enhancing the overall security of the Linux Function App.
+
+## How to Fix
+
+```hcl
+resource "azurerm_linux_function_app" "example" {
+    site_config {
+        ftps_state = "Disabled"
+    }
+}
+```
+
+
+## How to disable
+
+```hcl
+rule "azurerm_linux_function_app_ftps_state" {
+  enabled = false
+}
+```
+

docs/rules/azurerm_linux_function_app_https_only.md

@@ -0,0 +1,34 @@
+# azurerm_linux_function_app_https_only
+
+**Severity:** Warning
+
+
+## Example
+
+```hcl
+resource "azurerm_linux_function_app" "example" {
+    https_only = false
+}
+```
+
+## Why
+
+Enforcing https_only ensures all communications with the resource are encrypted, protecting sensitive data in transit and mitigating the risk of man-in-the-middle attacks.
+
+## How to Fix
+
+```hcl
+resource "azurerm_linux_function_app" "example" {
+    https_only = true
+}
+```
+
+
+## How to disable
+
+```hcl
+rule "azurerm_linux_function_app_https_only" {
+  enabled = false
+}
+```
+