test(query): improved testing for Azure App Service Client Certificate Disabled query (#7768)

cx-andre-pereira · cx-ricardo-jesus · web-flow · commit 135b9d152e11 · 2025-10-15T18:45:39.000+01:00
* new resources support for app_service_not_using_latest_tls_encryption_version

* app_service_not_using_latest_tls_encryption_version testing and logic improvement

* new resources support for app_service_managed_identity_disabled

* new resources support for azure_app_service_client_certificate_disabled

* new resources support for azure_app_service_client_certificate_disabled part 2

* new resources support for azure_app_service_client_certificate_disabled part 3

* new resources support for web_app_accepting_traffic_other_than_https

* better logic and tests for app_service_not_using_latest_tls_encryption_version

* fix attempt 1

* fix attempt 2

* fix final

* final fix 2

* final final fix

* minor adjustments

* typo fix

* complete testing for azure_app_service_client_certificate_disbaled

---------

Co-authored-by: Ricardo Jesus &lt;219317970+cx-ricardo-jesus@users.noreply.github.com&gt;
diff --git a/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/query.rego b/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/query.rego
@@ -26,7 +26,7 @@ CxPolicy[result] { #legacy support, 1.2 is the "latest" tls
 	}
 }
 
-CxPolicy[result] { # 1.3 is the latest tls 
+CxPolicy[result] { # 1.3 is the latest tls
 	types := {"azurerm_linux_web_app", "azurerm_windows_web_app"}
 	app := input.document[i].resource[types[t]][name]
 
@@ -47,7 +47,7 @@ CxPolicy[result] { # 1.3 is the latest tls
 }
 
 # Case of undefined site_config - tls defaults to 1.2
-minimum_tls_undefined_or_not_latest(app,type,name) = results { 
+minimum_tls_undefined_or_not_latest(app,type,name) = results {
 	not common_lib.valid_key(app,"site_config")
 	results := {
 		"searchKey" : sprintf("%s[%s]", [type,name]),
@@ -59,7 +59,7 @@ minimum_tls_undefined_or_not_latest(app,type,name) = results {
 		"remediationType": null,
 	}
 # Case of undefined minimum_tls_version - tls defaults to 1.2
-} else = results { 
+} else = results {
 	not common_lib.valid_key(app.site_config,"minimum_tls_version")
 	results := {
 		"searchKey" : sprintf("%s[%s].site_config", [type,name]),
@@ -71,7 +71,7 @@ minimum_tls_undefined_or_not_latest(app,type,name) = results {
 		"remediationType": "addition",
 	}
 # Case of minimum_tls_version not set to 1.3
-} else = results { 
+} else = results {
 	min_tls_version = to_number(app.site_config.minimum_tls_version)
 	min_tls_version != 1.3
 	results := {
diff --git a/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/query.rego b/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/query.rego
@@ -8,13 +8,13 @@ types := {"azurerm_app_service", "azurerm_linux_web_app", "azurerm_windows_web_a
 CxPolicy[result] {
     resource := input.document[i].resource[types[t]][name]
 
-	not resource.site_config.http2_enabled  
+	not resource.site_config.http2_enabled
 	results := client_certificate_is_undefined_or_false(resource,name,types[t])
 
 	result := {
 		"documentId": input.document[i].id,
 		"resourceType": types[t],
-		"resourceName": tf_lib.get_resource_name(resource, name), 
+		"resourceName": tf_lib.get_resource_name(resource, name),
 		"searchKey": results.searchKey,
 		"issueType": results.issueType,
 		"keyExpectedValue": results.keyExpectedValue,
@@ -25,7 +25,7 @@ CxPolicy[result] {
 	}
 }
 
-client_certificate_is_undefined_or_false(resource,name,type) = results { # case of no "client_cert_enabled" field 
+client_certificate_is_undefined_or_false(resource,name,type) = results { # case of no "client_cert_enabled" field
 	field_name = get_field(type)
 	not common_lib.valid_key(resource, field_name)
 
@@ -38,7 +38,7 @@ client_certificate_is_undefined_or_false(resource,name,type) = results { # case
 		"remediation": sprintf("%s = true",[field_name]),
 		"remediationType": "addition",
 	}
-	
+
 } else = results { # case of both "client_cert_enabled" and "http2_enabled"(explicitly) set to false
 	common_lib.valid_key(resource.site_config, "http2_enabled")
 	resource.site_config.http2_enabled == false
@@ -75,6 +75,6 @@ client_certificate_is_undefined_or_false(resource,name,type) = results { # case
 	}
 }
 
-get_field("azurerm_app_service")     = "client_cert_enabled" 
+get_field("azurerm_app_service")     = "client_cert_enabled"
 get_field("azurerm_linux_web_app")   = "client_certificate_enabled"
-get_field("azurerm_windows_web_app") = "client_certificate_enabled"
+get_field("azurerm_windows_web_app") = "client_certificate_enabled"
diff --git a/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/negative1.tf b/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/negative1.tf
@@ -13,20 +13,55 @@ resource "azurerm_app_service" "negative1-2" {
   resource_group_name = azurerm_resource_group.example.name
   app_service_plan_id = azurerm_app_service_plan.example.id
 
+  site_config {}
+
+  client_cert_enabled = true
+}
+
+resource "azurerm_app_service" "negative1-3" {
+  name                = "example-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  app_service_plan_id = azurerm_app_service_plan.example.id
+
+  site_config {
+    http2_enabled            = true
+  }
+}
+
+resource "azurerm_app_service" "negative1-4" {
+  name                = "example-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  app_service_plan_id = azurerm_app_service_plan.example.id
+
   site_config {
     http2_enabled            = true
   }
 
   client_cert_enabled = false
 }
 
-resource "azurerm_app_service" "negative1-3" {
+resource "azurerm_app_service" "negative1-5" {
   name                = "example-app-service"
   location            = azurerm_resource_group.example.location
   resource_group_name = azurerm_resource_group.example.name
   app_service_plan_id = azurerm_app_service_plan.example.id
 
   site_config {
-    http2_enabled            = true
+    http2_enabled            = false
   }
+
+  client_cert_enabled = true
+}
+
+resource "azurerm_app_service" "negative1-6" {
+  name                = "example-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  app_service_plan_id = azurerm_app_service_plan.example.id
+
+  site_config {}
+
+  client_cert_enabled = true
 }
diff --git a/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/negative2.tf b/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/negative2.tf
@@ -4,10 +4,23 @@ resource "azurerm_linux_web_app" "negative2-1" {
   resource_group_name = azurerm_resource_group.example.name
   service_plan_id     = azurerm_linux_web_app_plan.example.id
 
+  site_config {}
+
   client_certificate_enabled = true
 }
 
 resource "azurerm_linux_web_app" "negative2-2" {
+  name                = "example-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  service_plan_id = azurerm_app_service_plan.example.id
+
+  site_config {
+    http2_enabled            = true
+  }
+}
+
+resource "azurerm_linux_web_app" "negative2-3" {
   name                = "example-app-service"
   location            = azurerm_resource_group.example.location
   resource_group_name = azurerm_resource_group.example.name
@@ -20,13 +33,15 @@ resource "azurerm_linux_web_app" "negative2-2" {
   client_certificate_enabled = false
 }
 
-resource "azurerm_linux_web_app" "negative2-3" {
+resource "azurerm_linux_web_app" "negative2-4" {
   name                = "example-app-service"
   location            = azurerm_resource_group.example.location
   resource_group_name = azurerm_resource_group.example.name
-  service_plan_id = azurerm_app_service_plan.example.id
+  service_plan_id     = azurerm_linux_web_app_plan.example.id
 
   site_config {
-    http2_enabled            = true
+    http2_enabled            = false
   }
+
+  client_certificate_enabled = true
 }
diff --git a/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/negative3.tf b/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/negative3.tf
@@ -4,10 +4,23 @@ resource "azurerm_windows_web_app" "negative3-1" {
   resource_group_name = azurerm_resource_group.example.name
   service_plan_id     = azurerm_windows_web_app_plan.example.id
 
+  site_config {}
+
   client_certificate_enabled = true
 }
 
 resource "azurerm_windows_web_app" "negative3-2" {
+  name                = "example-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  service_plan_id = azurerm_app_service_plan.example.id
+
+  site_config {
+    http2_enabled            = true
+  }
+}
+
+resource "azurerm_windows_web_app" "negative3-3" {
   name                = "example-app-service"
   location            = azurerm_resource_group.example.location
   resource_group_name = azurerm_resource_group.example.name
@@ -20,13 +33,15 @@ resource "azurerm_windows_web_app" "negative3-2" {
   client_certificate_enabled = false
 }
 
-resource "azurerm_windows_web_app" "negative3-3" {
+resource "azurerm_windows_web_app" "negative3-4" {
   name                = "example-app-service"
   location            = azurerm_resource_group.example.location
   resource_group_name = azurerm_resource_group.example.name
-  service_plan_id = azurerm_app_service_plan.example.id
+  service_plan_id     = azurerm_windows_web_app_plan.example.id
 
   site_config {
-    http2_enabled            = true
+    http2_enabled            = false
   }
+
+  client_certificate_enabled = true
 }
diff --git a/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/positive1.tf b/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/positive1.tf
@@ -21,10 +21,39 @@ resource "azurerm_app_service" "positive1-3" {
   app_service_plan_id = azurerm_app_service_plan.example.id
 
   site_config {
-    dotnet_framework_version = "v4.0"
-    scm_type                 = "LocalGit"
     http2_enabled            = false
   }
 
   client_cert_enabled = false
 }
+
+resource "azurerm_app_service" "positive1-4" {
+  name                = "example-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  app_service_plan_id = azurerm_app_service_plan.example.id
+
+  site_config {
+    http2_enabled            = false
+  }
+}
+
+resource "azurerm_app_service" "positive1-5" {
+  name                = "example-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  app_service_plan_id = azurerm_app_service_plan.example.id
+
+  site_config {}
+}
+
+resource "azurerm_app_service" "positive1-6" {
+  name                = "example-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  app_service_plan_id = azurerm_app_service_plan.example.id
+
+  site_config {}
+
+  client_cert_enabled = false
+}
diff --git a/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/positive2.tf b/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/positive2.tf
@@ -3,6 +3,7 @@ resource "azurerm_linux_web_app" "positive2-1" {
   location            = azurerm_resource_group.example.location
   resource_group_name = azurerm_resource_group.example.name
   service_plan_id = azurerm_linux_web_app_plan.example.id
+  site_config {}
 }
 
 resource "azurerm_linux_web_app" "positive2-2" {
@@ -11,6 +12,8 @@ resource "azurerm_linux_web_app" "positive2-2" {
   resource_group_name = azurerm_resource_group.example.name
   service_plan_id = azurerm_linux_web_app_plan.example.id
 
+  site_config{}
+
   client_certificate_enabled = false
 }
 
@@ -21,10 +24,19 @@ resource "azurerm_linux_web_app" "positive2-3" {
   service_plan_id = azurerm_linux_web_app_plan.example.id
 
   site_config {
-    dotnet_framework_version = "v4.0"
-    scm_type                 = "LocalGit"
     http2_enabled            = false
   }
 
   client_certificate_enabled = false
 }
+
+resource "azurerm_linux_web_app" "positive2-4" {
+  name                = "example-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  service_plan_id = azurerm_linux_web_app_plan.example.id
+
+  site_config {
+    http2_enabled            = false
+  }
+}
diff --git a/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/positive3.tf b/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/positive3.tf
@@ -3,6 +3,7 @@ resource "azurerm_windows_web_app" "positive3-1" {
   location            = azurerm_resource_group.example.location
   resource_group_name = azurerm_resource_group.example.name
   service_plan_id = azurerm_windows_web_app_plan.example.id
+  site_config{}
 }
 
 resource "azurerm_windows_web_app" "positive3-2" {
@@ -11,6 +12,8 @@ resource "azurerm_windows_web_app" "positive3-2" {
   resource_group_name = azurerm_resource_group.example.name
   service_plan_id = azurerm_windows_web_app_plan.example.id
 
+  site_config{}
+
   client_certificate_enabled = false
 }
 
@@ -21,10 +24,19 @@ resource "azurerm_windows_web_app" "positive3-3" {
   service_plan_id = azurerm_windows_web_app_plan.example.id
 
   site_config {
-    dotnet_framework_version = "v4.0"
-    scm_type                 = "LocalGit"
     http2_enabled            = false
   }
 
   client_certificate_enabled = false
 }
+
+resource "azurerm_windows_web_app" "positive3-4" {
+  name                = "example-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  service_plan_id = azurerm_windows_web_app_plan.example.id
+
+  site_config {
+    http2_enabled            = false
+  }
+}
diff --git a/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/positive_expected_result.json
diff --git a/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/query.rego b/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/query.rego
