Azure Terraform — Defender for Cloud Compliance Skill

Scope

azurerm

references/storage.md

azurerm_storage_account

references/keyvault.md

azurerm_key_vault

references/databases.md

references/containers.md

references/networking.md

references/appservice.md

references/compute-vms.md

references/identity.md

references/monitoring.md

references/paas-misc.md

references/terraform-patterns.md

references/mdc-full-remediation.md

Mandatory Defaults (All Resources)

Required Tags

tags = {
  environment  = var.environment           # dev | staging | prod
  cost-center  = var.cost_center
  owner        = var.owner_email
  managed-by   = "terraform"
  workload     = var.workload_name
  created-date = formatdate("YYYY-MM-DD", timestamp())
}

Managed Identity on Every Resource

identity {
  type = "SystemAssigned"
}

TLS 1.2 Minimum on All Services

Private Endpoints for All Data Services

public_network_access_enabled = false

Diagnostic Settings for Every PaaS Resource

azurerm_monitor_diagnostic_setting

references/monitoring.md

Quick Defaults by Resource Type

Storage (

azurerm_storage_account

) — see

references/storage.md

https_traffic_only_enabled      = true
min_tls_version                 = "TLS1_2"
allow_nested_items_to_be_public = false
shared_access_key_enabled       = false
cross_tenant_replication_enabled = false
infrastructure_encryption_enabled = true

network_rules {
  default_action = "Deny"
  bypass         = ["AzureServices"]
}

blob_properties {
  delete_retention_policy { days = 30 }
  container_delete_retention_policy { days = 30 }
  versioning_enabled = true
}

Key Vault (

azurerm_key_vault

) — see

references/keyvault.md

soft_delete_retention_days = 90
purge_protection_enabled   = true
enable_rbac_authorization  = true

network_acls {
  default_action = "Deny"
  bypass         = ["AzureServices"]
}

SQL Server (

azurerm_mssql_server

) — see

references/databases.md

minimum_tls_version           = "1.2"
public_network_access_enabled = false

azuread_administrator {
  login_username              = var.aad_admin_login
  object_id                   = var.aad_admin_object_id
  azuread_authentication_only = true
}

azurerm_mssql_server_extended_auditing_policy

azurerm_mssql_server_vulnerability_assessment

PostgreSQL Flexible (

azurerm_postgresql_flexible_server

) — see

references/databases.md

geo_redundant_backup_enabled = true

authentication {
  active_directory_auth_enabled = true
  password_auth_enabled         = false
  tenant_id                     = data.azurerm_client_config.current.tenant_id
}

log_checkpoints

log_connections

log_disconnections

connection_throttling

AKS (

azurerm_kubernetes_cluster

) — see

references/containers.md

role_based_access_control_enabled = true
local_account_disabled            = true
azure_policy_enabled              = true

azure_active_directory_role_based_access_control {
  managed            = true
  azure_rbac_enabled = true
}

microsoft_defender {
  log_analytics_workspace_id = var.log_analytics_workspace_id
}

App Service / Function App — see

references/appservice.md

https_only = true

site_config {
  minimum_tls_version      = "1.2"
  ftps_state               = "Disabled"
  remote_debugging_enabled = false
}

auth_settings_v2 {
  auth_enabled           = true
  require_authentication = true
}

VMs — see

references/compute-vms.md

encryption_at_host_enabled      = true
secure_boot_enabled             = true
vtpm_enabled                    = true
disable_password_authentication = true   # Linux only

Redis, Service Bus, Event Hub, Cosmos DB, API Mgmt, Automation — see

references/paas-misc.md

Prohibited Patterns — Reject and Flag These

1. https_traffic_only_enabled = false

   on any storage account

2. allow_nested_items_to_be_public = true

   on any storage account

3. shared_access_key_enabled = true

   on storage accounts used for state or sensitive data

4. purge_protection_enabled = false

   on any Key Vault

5. soft_delete_retention_days < 7

   on any Key Vault

6. enable_rbac_authorization = false

   on Key Vault in production

7. public_network_access_enabled = true

   on any SQL/PostgreSQL/MySQL/Cosmos DB without explicit CIDR allow-listing AND private endpoint
8. NSG rules:

   access = "Allow"

   +

   direction = "Inbound"

   +

   source_address_prefix = "*"

   or

   "Internet"

   for ports 22, 3389, 5985, 5986

9. role_based_access_control_enabled = false

   on any AKS cluster

10. local_account_disabled = false

    on AKS in production

11. admin_enabled = true

    on any ACR
12. Service principals with

    client_secret

    where Azure managed identity is supported

13. role_definition_name = "Owner"

    in any

    azurerm_role_assignment

    without documented justification
14. Resources deployed without the required tag set

15. https_only = false

    on any App Service or Function App

16. site_config { remote_debugging_enabled = true }

    on any App Service/Function App

17. site_config { ftps_state = "AllAllowed" }

    on any App Service/Function App

18. cors { allowed_origins = ["*"] }

    on any App Service

19. enable_non_ssl_port = true

    on Redis Cache

20. local_auth_enabled = true

    or

    local_authentication_enabled = true

    on Service Bus/Event Hub

21. local_authentication_disabled = false

    on Cosmos DB

22. encrypted = false

    on any

    azurerm_automation_variable_*

23. encryption_at_host_enabled = false

    on any production VM
24. Hardcoded secrets or connection strings in Terraform variables without

    sensitive = true

25. No version constraint on

    azurerm

    provider (must pin to at least

    ~> X.Y

    )

Review Checklist

• HTTPS-only, min TLS 1.2, no public blob access, shared key disabled, network deny-all default
• Soft delete (blob + container), versioning enabled

• Soft delete ≥ 90 days, purge protection, firewall deny-all, RBAC auth
• Key and secret expiry dates set; rotation policy configured
• Diagnostic setting with AuditEvent

• AAD-only admin, auditing policy with 90-day retention, TLS 1.2, no public access
• Vulnerability assessment enabled; threat detection alert policy
• PostgreSQL: log settings (checkpoints, connections, disconnections, throttling)
• Cosmos DB: public access disabled, local auth disabled

• AKS: RBAC, Azure AD integration, Defender profile, Azure Policy, local accounts disabled
• AKS: authorized IP ranges on API server; managed identity
• ACR: admin user disabled, public access disabled, private endpoint

• No wildcard source for management ports (22, 3389, 5985, 5986)
• DDoS Protection on production VNets
• NSG flow logs enabled (version 2, 90-day retention, traffic analytics)
• Azure Bastion deployed; no public IPs on VMs

• HTTPS-only, TLS 1.2, FTPS disabled, remote debugging off, auth enabled
• Managed identity, VNet integration, no CORS wildcard

• Encryption at host, Trusted Launch (Secure Boot + vTPM)
• SSH keys only (Linux), no public IP, MDE extension
• Backup policy enabled, patch management enabled

• Redis: non-SSL port disabled, TLS 1.2, private endpoint
• Service Bus / Event Hub: TLS 1.2, local auth disabled, private endpoint
• API Mgmt: VNet integration, TLS 1.0/1.1 disabled
• Automation: all variables encrypted, no public access, managed identity

• Diagnostic settings on every PaaS resource
• Subscription activity log forwarded to Log Analytics
• CIS 5.2.x activity log alerts for policy, NSG, security, SQL firewall changes
• Log Analytics retention ≥ 365 days

• All Defender plans enabled at subscription level
• No Owner role assignments without justification
• Security contact configured in MDC
• Managed identity on every resource that calls Azure services

• Provider version pinned (

  ~> X.Y

  )

• .terraform.lock.hcl

  committed
• All secrets marked

  sensitive = true

  ; no hardcoded secrets
• State storage account hardened (HTTPS, TLS 1.2, no public access, no SAS keys)

• prevent_destroy

  on critical resources (Key Vault, databases, Log Analytics, state storage)
• Required tags on all resources