fix(query): support for new app_service resources - terraform/azure

assets/queries/terraform/azure/app_service_managed_identity_disabled/query.rego

@@ -3,20 +3,22 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
 
+types := {"azurerm_app_service", "azurerm_linux_web_app", "azurerm_windows_web_app"}
+
 CxPolicy[result] {
-	function := input.document[i].resource.azurerm_app_service[name]
+	function := input.document[i].resource[types[t]][name]
 
 	not common_lib.valid_key(function, "identity")
 
 	result := {
 		"documentId": input.document[i].id,
-		"resourceType": "azurerm_app_service",
+		"resourceType": types[t],
 		"resourceName": tf_lib.get_resource_name(function, name),
-		"searchKey": sprintf("azurerm_app_service[%s]", [name]),
+		"searchKey": sprintf("%s[%s]", [types[t],name]),
 		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("'azurerm_app_service[%s].identity' should be defined and not null", [name]),
-		"keyActualValue": sprintf("'azurerm_app_service[%s].identity' is undefined or null", [name]),
-		"searchLine": common_lib.build_search_line(["resource", "azurerm_app_service", name], []),
+		"keyExpectedValue": sprintf("'%s[%s].identity' should be defined and not null", [types[t],name]),
+		"keyActualValue": sprintf("'%s[%s].identity' is undefined or null", [types[t],name]),
+		"searchLine": common_lib.build_search_line(["resource", types[t], name], []),
 	}
 }
 

assets/queries/terraform/azure/app_service_managed_identity_disabled/test/negative1.tf

@@ -1,29 +1,32 @@
-resource "azurerm_app_service" "negative1" {
+resource "azurerm_app_service" "negative1-1" {
   name                = "example-app-service"
   location            = azurerm_resource_group.example.location
   resource_group_name = azurerm_resource_group.example.name
   app_service_plan_id = azurerm_app_service_plan.example.id
 
-  site_config {
-    dotnet_framework_version = "v4.0"
-    scm_type                 = "LocalGit"
+  identity {
+    type = "SystemAssigned"
   }
+}
 
-  app_settings = {
-    "SOME_KEY" = "some-value"
-  }
+resource "azurerm_linux_web_app" "negative1-2" {
+  name                = "example-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  service_plan_id = azurerm_app_service_plan.example.id
 
-  auth_settings = {
-    enabled = true
+  identity {
+    type = "SystemAssigned"
   }
+}
 
-  connection_string {
-    name  = "Database"
-    type  = "SQLServer"
-    value = "Server=some-server.mydomain.com;Integrated Security=SSPI"
-  }
+resource "azurerm_windows_web_app" "negative1-3" {
+  name                = "example-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  service_plan_id = azurerm_app_service_plan.example.id
 
   identity {
     type = "SystemAssigned"
   }
-}
+}

assets/queries/terraform/azure/app_service_managed_identity_disabled/test/positive1.tf

@@ -1,25 +1,20 @@
-resource "azurerm_app_service" "positive1" {
+resource "azurerm_app_service" "positive1-1" {
   name                = "example-app-service"
   location            = azurerm_resource_group.example.location
   resource_group_name = azurerm_resource_group.example.name
   app_service_plan_id = azurerm_app_service_plan.example.id
+}
 
-  site_config {
-    dotnet_framework_version = "v4.0"
-    scm_type                 = "LocalGit"
-  }
-
-  app_settings = {
-    "SOME_KEY" = "some-value"
-  }
-
-  auth_settings = {
-    enabled = true
-  }
+resource "azurerm_linux_web_app" "positive1-2" {
+  name                = "example-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  service_plan_id = azurerm_app_service_plan.example.id
+}
 
-  connection_string {
-    name  = "Database"
-    type  = "SQLServer"
-    value = "Server=some-server.mydomain.com;Integrated Security=SSPI"
-  }
+resource "azurerm_windows_web_app" "positive1-3" {
+  name                = "example-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  service_plan_id = azurerm_app_service_plan.example.id
 }

assets/queries/terraform/azure/app_service_managed_identity_disabled/test/positive_expected_result.json

@@ -4,5 +4,17 @@
     "severity": "LOW",
     "line": 1,
     "fileName": "positive1.tf"
+  },
+  {
+    "queryName": "App Service Managed Identity Disabled",
+    "severity": "LOW",
+    "line": 8,
+    "fileName": "positive1.tf"
+  },
+  {
+    "queryName": "App Service Managed Identity Disabled",
+    "severity": "LOW",
+    "line": 15,
+    "fileName": "positive1.tf"
   }
 ]

assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/query.rego

@@ -3,48 +3,88 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
 
-CxPolicy[result] {
+CxPolicy[result] { #legacy support, 1.2 is the "latest" tls
 	app := input.document[i].resource.azurerm_app_service[name]
 
-	is_number(app.site_config.min_tls_version)
-	app.site_config.min_tls_version != 1.3
+	min_tls_version = to_number(app.site_config.min_tls_version)
+	min_tls_version != 1.2
 
 	result := {
 		"documentId": input.document[i].id,
 		"resourceType": "azurerm_app_service",
 		"resourceName": tf_lib.get_resource_name(app, name),
 		"searchKey": sprintf("azurerm_app_service[%s].site_config.min_tls_version", [name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("'azurerm_app_service[%s].site_config.min_tls_version' should be set to '1.3'", [name]),
-		"keyActualValue": sprintf("'azurerm_app_service[%s].site_config.min_tls_version' is not set to '1.3'", [name]),
+		"keyExpectedValue": sprintf("'azurerm_app_service[%s].site_config.min_tls_version' should be set to '1.2'", [name]),
+		"keyActualValue": sprintf("'azurerm_app_service[%s].site_config.min_tls_version' is not set to '1.2'", [name]),
 		"searchLine": common_lib.build_search_line(["resource", "azurerm_app_service", name, "site_config", "min_tls_version"], []),
 		"remediation": json.marshal({
-			"before": sprintf("%.1f", [app.site_config.min_tls_version]),
-			"after": "1.3"
+			"before": sprintf("%.1f", [min_tls_version]),
+			"after": "1.2"
 		}),
 		"remediationType": "replacement",
 	}
 }
 
-CxPolicy[result] {
-	app := input.document[i].resource.azurerm_app_service[name]
+CxPolicy[result] { # 1.3 is the latest tls 
+	types := {"azurerm_linux_web_app", "azurerm_windows_web_app"}
+	app := input.document[i].resource[types[t]][name]
 
-	not is_number(app.site_config.min_tls_version)
-	app.site_config.min_tls_version != "1.3"
+	results := minimum_tls_undefined_or_not_latest(app,types[t],name)
+	results != ""
 
 	result := {
 		"documentId": input.document[i].id,
-		"resourceType": "azurerm_app_service",
+		"resourceType": types[t],
 		"resourceName": tf_lib.get_resource_name(app, name),
-		"searchKey": sprintf("azurerm_app_service[%s].site_config.min_tls_version", [name]),
-		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("'azurerm_app_service[%s].site_config.min_tls_version' should be set to '1.3'", [name]),
-		"keyActualValue": sprintf("'azurerm_app_service[%s].site_config.min_tls_version' is not set to '1.3'", [name]),
-		"searchLine": common_lib.build_search_line(["resource", "azurerm_app_service", name, "site_config", "min_tls_version"], []),
-		"remediation": json.marshal({
-			"before": sprintf("%s", [app.site_config.min_tls_version]),
+		"searchKey": results.searchKey,
+		"issueType": results.issueType,
+		"keyExpectedValue": results.keyExpectedValue,
+		"keyActualValue": results.keyActualValue,
+		"searchLine": results.searchLine,
+		"remediation": results.remediation,
+		"remediationType": results.remediationType,
+	}
+}
+
+# Case of undefined site_config - tls defaults to 1.2
+minimum_tls_undefined_or_not_latest(app,type,name) = results { 
+	not common_lib.valid_key(app,"site_config")
+	results := {
+		"searchKey" : sprintf("%s[%s]", [type,name]),
+		"issueType" : "MissingAttribute",
+		"keyExpectedValue" : sprintf("'%s[%s].site_config.minimum_tls_version' should be defined and set to '1.3'", [type,name]),
+		"keyActualValue" : sprintf("'%s[%s].site_config' is not defined", [type,name]),
+		"searchLine" : common_lib.build_search_line(["resource", type, name], []),
+		"remediation": null,
+		"remediationType": null,
+	}
+# Case of undefined minimum_tls_version - tls defaults to 1.2
+} else = results { 
+	not common_lib.valid_key(app.site_config,"minimum_tls_version")
+	results := {
+		"searchKey" : sprintf("%s[%s].site_config", [type,name]),
+		"issueType" : "MissingAttribute",
+		"keyExpectedValue" : sprintf("'%s[%s].site_config.minimum_tls_version' should be defined and set to '1.3'", [type,name]),
+		"keyActualValue" : sprintf("'%s[%s].site_config.minimum_tls_version' is not defined", [type,name]),
+		"searchLine" : common_lib.build_search_line(["resource", type, name, "site_config"], []),
+		"remediation": "minimum_tls_version = 1.3",
+		"remediationType": "addition",
+	}
+# Case of minimum_tls_version not set to 1.3
+} else = results { 
+	min_tls_version = to_number(app.site_config.minimum_tls_version)
+	min_tls_version != 1.3
+	results := {
+		"searchKey" : sprintf("%s[%s].site_config.minimum_tls_version", [type,name]),
+		"issueType" : "IncorrectValue",
+		"keyExpectedValue" : sprintf("'%s[%s].site_config.minimum_tls_version' should be set to '1.3'", [type,name]),
+		"keyActualValue" : sprintf("'%s[%s].site_config.minimum_tls_version' is not set to '1.3'", [type,name]),
+		"searchLine" : common_lib.build_search_line(["resource", type, name, "site_config", "minimum_tls_version"], []),
+		"remediation" : json.marshal({
+			"before": sprintf("%.1f", [min_tls_version]),
 			"after": "1.3"
 		}),
-		"remediationType": "replacement",
+		"remediationType" : "replacement",
 	}
-}
+} else = ""

assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/test/negative1.tf

@@ -1,4 +1,4 @@
-resource "azurerm_app_service" "negative1" {
+resource "azurerm_app_service" "negative1-1" {
   name                = "example-app-service"
   location            = azurerm_resource_group.example.location
   resource_group_name = azurerm_resource_group.example.name
@@ -7,6 +7,38 @@ resource "azurerm_app_service" "negative1" {
   site_config {
     dotnet_framework_version = "v4.0"
     scm_type                 = "LocalGit"
-    min_tls_version = 1.3
+    min_tls_version = 1.2
   }
 }
+
+resource "azurerm_app_service" "negative1-2" { # defaults to tls 1.2
+  name                = "example-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  app_service_plan_id = azurerm_app_service_plan.example.id
+
+  site_config {
+    dotnet_framework_version = "v4.0"
+    scm_type                 = "LocalGit"
+  }
+}
+
+resource "azurerm_app_service" "negative1-3" { # defaults to tls 1.2
+  name                = "example-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  app_service_plan_id = azurerm_app_service_plan.example.id
+}
+
+resource "azurerm_app_service" "negative1-4" {
+  name                = "example-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  app_service_plan_id = azurerm_app_service_plan.example.id
+
+  site_config {
+    dotnet_framework_version = "v4.0"
+    scm_type                 = "LocalGit"
+    min_tls_version = "1.2"
+  }
+}

assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/test/negative2.tf

@@ -1,11 +1,25 @@
-resource "azurerm_app_service" "negative1" {
+resource "azurerm_linux_web_app" "negative2-1" {
   name                = "example-app-service"
   location            = azurerm_resource_group.example.location
   resource_group_name = azurerm_resource_group.example.name
-  app_service_plan_id = azurerm_app_service_plan.example.id
+  service_plan_id     = azurerm_app_service_plan.example.id
 
   site_config {
     dotnet_framework_version = "v4.0"
     scm_type                 = "LocalGit"
+    minimum_tls_version = 1.3
   }
 }
+
+resource "azurerm_linux_web_app" "negative2-2" {
+  name                = "example-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  service_plan_id     = azurerm_app_service_plan.example.id
+
+  site_config {
+    dotnet_framework_version = "v4.0"
+    scm_type                 = "LocalGit"
+    minimum_tls_version = "1.3"
+  }
+}

assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/test/negative3.tf

@@ -1,6 +1,25 @@
-resource "azurerm_app_service" "negative3" {
+resource "azurerm_windows_web_app" "negative3-1" {
   name                = "example-app-service"
   location            = azurerm_resource_group.example.location
   resource_group_name = azurerm_resource_group.example.name
-  app_service_plan_id = azurerm_app_service_plan.example.id
+  service_plan_id = azurerm_app_service_plan.example.id
+
+  site_config {
+    dotnet_framework_version = "v4.0"
+    scm_type                 = "LocalGit"
+    minimum_tls_version = 1.3
+  }
 }
+
+resource "azurerm_windows_web_app" "negative3-2" {
+  name                = "example-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  service_plan_id = azurerm_app_service_plan.example.id
+
+  site_config {
+    dotnet_framework_version = "v4.0"
+    scm_type                 = "LocalGit"
+    minimum_tls_version = "1.3"
+  }
+}

assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/test/positive1.tf

@@ -1,4 +1,4 @@
-resource "azurerm_app_service" "positive1" {
+resource "azurerm_app_service" "positive1-1" {
   name                = "example-app-service"
   location            = azurerm_resource_group.example.location
   resource_group_name = azurerm_resource_group.example.name
@@ -10,3 +10,16 @@ resource "azurerm_app_service" "positive1" {
     min_tls_version = 1.1
   }
 }
+
+resource "azurerm_app_service" "positive1-2" {
+  name                = "example-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  app_service_plan_id = azurerm_app_service_plan.example.id
+
+  site_config {
+    dotnet_framework_version = "v4.0"
+    scm_type                 = "LocalGit"
+    min_tls_version = "1.1"
+  }
+}