fix(query): adding missing function_app resources to terraform/azure queries

[cx-andre-pereira]

Closes #6927

Reason for Proposed Changes

• Currently all function app related terraform/azure queries are not taking into account the newer resources "azurerm_linux_function_app" and "azurerm_windows_function_app"; only the legacy "azurerm_function_app" resource is supported for relevant queries:

Query Name	ID	Implementation (KICS 2.1.14)
Function App Not Using Latest TLS Encryption Version	45fc717a-bd86-415c-bdd8-677901be1aa6	query 5
Function App Managed Identity Disabled	c87749b3-ff10-41f5-9df2-c421e8151759	query 6
Function App HTTP2 Disabled	ace823d1-4432-4dee-945b-cdf11a5a6bd0	query 7
Function App FTPS Enforce Disabled	9dab0179-433d-4dff-af8f-0091025691df	query 8
Function App Client Certificates Unrequired	9bb3c639-5edf-458c-8ee5-30c17c7d671d	query 9
Function App Authentication Disabled	e65a0733-94a0-4826-82f4-df529f4c593f	query 10

(Queries 1-4 are handled in the "parent" Pull Request where this issue was first handled for some similar "azurerm_app_service" resource related queries)

Proposed Changes

• ✅Function App Not Using Latest TLS Encryption Version

  • This query is analog to one fixed in the "parent" Pull Request, here all i had to do was add a new CxPolicy for the newer resources; i decided to do this once again since , unlike the legacy resource, these will flag if the field is not defined (because default tls version is 1.2 aka the highest supported in legacy), and the "min_tls_version" is now named "minimum_tls_version".

• ✅Function App Managed Identity Disabled

  • The change to this query was minimal all i did was update the logic to include the new resources as with all queries with nothing particular to note.

• ✅Function App HTTP2 Disabled

  • Again not much to note in this query, i did try to merge all the CxPolicy(s) into one but i could not prevent "multiple output for same input" flags so i decided to keep the implementations pretty much unchanged.

• ✅Function App FTPS Enforce Disabled

  • For this query i decided to add a case for the "site_config" resource missing; although the resource is required for the new resources many of the other queries have this check since the field is technically "Optional" for the legacy "azurerm_function_app".

• ✅Function App Client Certificates Unrequired

  • With this query i included all scenarios in a single CxPolicy and used the new "client_certificate_not_required" auxiliary function to determine the results. Note that the "client_cert_mode" field was renamed to "client_certificate_mode" for the new resources. (minor error in documentation)

• ✅Function App Authentication Disabled

  • This final fix was particularly complex, or it would be if the analog query did not get updated very recently. All i had to do was copy the implementation and change the types array to include the relevant resource types. For details on the analog's implementation : PR7591 and PR7715. Simply put the older resource only has the "auth_settings" field to check while the newly supported ones have that same resource plus the new "auth_settings_v2", and both can be defined concurrently in which case the v2 takes precedence, so the logic for the query and the tests had to be more complex/comprehensive overall.

• Final Note : So as to follow inline with #7759 plenty of != "" and analog != "none" needless bits of query logic have been removed in d2037b0.

I submit this contribution under the Apache-2.0 license.

[github-actions]

KICS version: v2.1.13

Category Results CRITICAL 0 HIGH 0 MEDIUM 0 LOW 0 INFO 0 TRACE 0 TOTAL 0	Metric Values Files scanned 1 Files parsed 1 Files failed to scan 0 Total executed queries 47 Queries failed to execute 0 Execution time 0

[cx-artur-ribeiro]

Great work André, LGTM!