fix(query): support for new app_service resources - terraform/azure

[cx-andre-pereira]

Reason for Proposed Changes

• About half the queries that are related to the legacy "azurerm_app_service" resource do not yet support the newer replacements for it : "azurerm_linux_web_app" and "azurerm_windows_web_app". Query list:

Query Name	ID	Implementation (KICS 2.1.14)
App Service Not Using Latest TLS Encryption Version	b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643	query 1
App Service Managed Identity Disabled	b61cce4b-0cc4-472b-8096-15617a6d769b	query 2
Web App Accepting Traffic Other Than HTTPS	11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe	query 3
Azure App Service Client Certificate Disabled	a81573f9-3691-4d83-88a0-7d4af63e17a3	query 4

• Additionally the queries related to the "azurerm_function_app" resource face a near identical issue that will be fixed through a separate Pull Request.

Proposed Changes

• ✅App Service Not Using Latest TLS Encryption Version

  • For this query some issues beside the lack of resource support stood out. Recently this query was updated to check for tls version 1.3, unfortunately this check was made on the legacy azurerm_app_service resource that does not support this tls version, it can only handle up to version 1.2 as per the documentation.
  • The query's logic itself was redundant since the 2 CxPolicys currently in place can be merged into 1 very easily and so i did.
  • The verification for the newer resources was made with an extra CxPolicy due to 2 reasons, firstly the "min_tls_version" field is now named "minimum_tls_version" and the tls version support for it is actually 1.3 changing the check that must be done; secondly since the default value for missing the "min/minimum_tls_version" field(s) for all resources is 1.2, the newer resources should, in contrast with the legacy counterpart, flag in case the field is undefined. (doc1 / doc2 /doc3 stating the defaulting to 1.2)

• ✅App Service Managed Identity Disabled

  • This query's fix was much more streamlined than the latter, it was as easy as replacing the "azurerm_app_service" with the list of valid "types" with all 3 possible resources and adding new tests analog to the current ones for the new additions.

• ✅Web App Accepting Traffic Other Than HTTPS

  • The query did not require any major changes all i did was update it to account for all resources. Additionally i simplified the tests and added analogs for the two new resources.

• ✅Azure App Service Client Certificate Disabled

  • For this query from the start the implementation was extremely messy, the auxiliary function are used in redundant ways in the current implementation, furthermore these auxiliary functions are not necessary in the first place. I have removed them and incorporated a more thoughtful logic together with some comments.
  • Lines 32/33 it is easy to see that there is no scenarios where both auxiliary functions will flag as false unless the "http2_enabled" is undefined. (one functions checks for == true and the other for == false); on lines 57/58 first it is checked that "http2_enabled" is set to false and then that it is not set to true, which is clearly unnecessary.

I submit this contribution under the Apache-2.0 license.

[github-actions]

KICS version: v2.1.13

Category Results CRITICAL 0 HIGH 0 MEDIUM 0 LOW 0 INFO 0 TRACE 0 TOTAL 0	Metric Values Files scanned 1 Files parsed 1 Files failed to scan 0 Total executed queries 47 Queries failed to execute 0 Execution time 0

[cx-artur-ribeiro]

Hey André, just found a typo but besides that, all good to me 😄

[cx-artur-ribeiro]

LGTM