This product is not supported for your selected Datadog site. ().

Metadata

Id: b947809d-dd2f-4de9-b724-04d101c515aa

Cloud Provider: azure

Framework: Terraform

Severity: Medium

Category: Insecure Configurations

Learn More

Description

Configuring an Azure Redis Cache without a regular patch schedule leaves the service vulnerable to missing important security and operational updates, increasing the risk of exploitation by attackers targeting known vulnerabilities. By using the patch_schedule block in Terraform, such as shown below, organizations can ensure updates are applied in a timely manner, minimizing the attack surface and helping maintain service reliability and compliance:

patch_schedule {
    day_of_week     = "Thursday"
    start_hour_utc  = 7
}

Failure to address this may result in exposure to security threats or outages due to unpatched software flaws.

Compliant Code Examples

resource "azurerm_redis_cache" "negative1" {
    name                = "timeout-redis"
    location            = "West Europe"
    resource_group_name = azurerm_resource_group.example_rg.name
    subnet_id           = azurerm_subnet.example_redis_snet.id

    family              = "P"
    capacity            = 1
    sku_name            = "Premium"
    shard_count         = 1

    enable_non_ssl_port = false
    minimum_tls_version = "1.2"

    redis_configuration {
        enable_authentication   = true
        maxmemory_policy        = "volatile-lru"
    }

    patch_schedule {
        day_of_week     = "Thursday"
        start_hour_utc  = 7
    }
}

Non-Compliant Code Examples

resource "azurerm_redis_cache" "positive1" {
    name                = "timeout-redis"
    location            = "West Europe"
    resource_group_name = azurerm_resource_group.example_rg.name
    subnet_id           = azurerm_subnet.example_redis_snet.id

    family              = "P"
    capacity            = 1
    sku_name            = "Premium"
    shard_count         = 1

    enable_non_ssl_port = false
    minimum_tls_version = "1.2"

    redis_configuration {
        enable_authentication   = true
        maxmemory_policy        = "volatile-lru"
    }
}