False positives in storage-queue-services-logging for Azure Storage Accounts that don't use a storage queue #3383
Description
Describe the bug
Any Terraform configuration that defines an Azure Storage Account must declare a `queue_properties` block, or else the pattern `storage-queue-services-logging` will be matched. The storage analytics logging within `queue_properties` is only relevant for storage queues, one fourth of the functionality offered by Azure Storage Accounts.
To Reproduce
Create a Terraform config declaring a storage account without a `queue_properties` block. E.g.:
```hcl
# Storage account used only for blobs: no queue_properties block is declared,
# which is enough for storage-queue-services-logging to fire.
# Assumes a locals block defining `tags` elsewhere in the configuration.
resource "azurerm_storage_account" "this" {
  name                     = "myazurestorageacc"
  resource_group_name      = "myazureresourcegroup"
  location                 = "australiaeast"
  account_tier             = "Standard"
  account_replication_type = "GRS"
  tags                     = local.tags

  allow_nested_items_to_be_public   = false
  infrastructure_encryption_enabled = true
  min_tls_version                   = "TLS1_2"
  shared_access_key_enabled         = false

  # Blob-service settings only; queue logging does not apply to this account.
  blob_properties {
    delete_retention_policy {
      days = 31
    }
    container_delete_retention_policy {
      days = 31
    }
    versioning_enabled = true
    change_feed_enabled = true
  }
}
```
Expected behavior
This warning is not triggered by Terraform configuration that does not use a storage queue.
Priority
How important is this to you?
- P0: blocking me from making progress
- P1: this will block me in the near future
- P2: annoying but not blocking me
Additional Context
This rule is providing more noise than value, and will likely be disabled in my environment. Removing the following `pattern-inside` block will resolve the issue in my expected behavior scenario (tested using the semgrep playground); however, I recognise that this warning probably should be shown in the event of using an `azurerm_storage_queue` resource. As the `queue_properties` is defined on the Storage Account, I am not sure of the appropriate way forward.
```yaml
- pattern-inside: |
    resource "azurerm_storage_account" "..." {
      ...
    }
```
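One way to get the expected behaviour described above without touching the rule itself is to post-filter semgrep's `--json` output: keep a `storage-queue-services-logging` finding only when the same Terraform file actually declares an `azurerm_storage_queue` resource and at least one `azurerm_storage_account` block in it lacks `queue_properties`. The script below is an added example, not code from this issue or from the semgrep-rules project. It relies only on the `results[].check_id` and `results[].path` fields of semgrep's JSON report; the `check_id` value, file names and Terraform sources are constructed for the example, and the brace matcher is deliberately naive (it assumes no braces inside strings or heredocs).

```python
"""Post-filter semgrep JSON output for the storage-queue-services-logging rule.

Drops the finding for Terraform files that declare no azurerm_storage_queue
resource. Assumes semgrep's --json shape (results[].check_id, results[].path);
the check_id, paths and Terraform sources below are constructed sample data.
"""
import json
import re

RULE_SUFFIX = "storage-queue-services-logging"

# Top-level HCL resource headers and the nested queue_properties block.
ACCOUNT_RE = re.compile(r'^\s*resource\s+"azurerm_storage_account"\s+"([^"]+)"\s*\{', re.M)
QUEUE_RE = re.compile(r'^\s*resource\s+"azurerm_storage_queue"\s+"[^"]+"\s*\{', re.M)
QUEUE_PROPS_RE = re.compile(r'^\s*queue_properties\s*\{', re.M)


def _block_body(source, open_brace):
    """Text between the '{' at index open_brace and its matching '}'.

    Naive brace counting: assumes no braces inside strings or heredocs.
    """
    depth = 0
    for i in range(open_brace, len(source)):
        if source[i] == "{":
            depth += 1
        elif source[i] == "}":
            depth -= 1
            if depth == 0:
                return source[open_brace + 1:i]
    raise ValueError("unbalanced braces in Terraform source")


def accounts_missing_queue_logging(source):
    """Names of azurerm_storage_account blocks that have no queue_properties block."""
    missing = []
    for m in ACCOUNT_RE.finditer(source):
        body = _block_body(source, m.end() - 1)  # m.end()-1 is the opening brace
        if not QUEUE_PROPS_RE.search(body):
            missing.append(m.group(1))
    return missing


def uses_storage_queue(source):
    """True if the file declares at least one azurerm_storage_queue resource."""
    return QUEUE_RE.search(source) is not None


def finding_is_relevant(source):
    """A true positive needs a queue in use AND an account without queue_properties."""
    return uses_storage_queue(source) and bool(accounts_missing_queue_logging(source))


def filter_findings(semgrep_json, sources):
    """Return semgrep results minus queue-logging findings on queue-less files.

    sources maps result path -> Terraform text. Findings on files we cannot
    read are kept, so the filter never silently hides an unknown case.
    """
    kept = []
    for result in json.loads(semgrep_json)["results"]:
        src = sources.get(result["path"])
        if (src is not None and result["check_id"].endswith(RULE_SUFFIX)
                and not finding_is_relevant(src)):
            continue
        kept.append(result)
    return kept


# Constructed sample inputs (not real project files).
ACCOUNT_BLOCK = '''
resource "azurerm_storage_account" "this" {
  name                     = "myazurestorageacc"
  resource_group_name      = "myazureresourcegroup"
  location                 = "australiaeast"
  account_tier             = "Standard"
  account_replication_type = "GRS"
  blob_properties {
    delete_retention_policy {
      days = 31
    }
    versioning_enabled = true
  }
}
'''

QUEUE_BLOCK = '''
resource "azurerm_storage_queue" "inbox" {
  name                 = "inbox"
  storage_account_name = azurerm_storage_account.this.name
}
'''

SOURCES = {
    "blob_only.tf": ACCOUNT_BLOCK,
    "with_queue.tf": ACCOUNT_BLOCK + QUEUE_BLOCK,
}

# Constructed semgrep --json report: the rule fired on both files.
SEMGREP_REPORT = json.dumps({"results": [
    {"check_id": "terraform.azure.storage-queue-services-logging",
     "path": "blob_only.tf", "start": {"line": 2}},
    {"check_id": "terraform.azure.storage-queue-services-logging",
     "path": "with_queue.tf", "start": {"line": 2}},
]})

if __name__ == "__main__":
    for r in filter_findings(SEMGREP_REPORT, SOURCES):
        print(r["path"], r["check_id"])
```

Run against a real report with `semgrep --json` and a dict built from the flagged file paths; the blob-only file from the issue is dropped while the file that also creates a queue is kept. Because semgrep evaluates the `pattern-inside` per resource block, this cross-resource condition cannot be expressed in the rule itself without a join-style rule, which is why the filtering is done after the scan.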