From 6e03ac1c25eb332ec4dea63a0fae192598e8a2ab Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Mon, 29 Sep 2025 12:37:12 +0100 Subject: [PATCH 01/14] adding new resources to function_app_not_using_latest_tls_encruption_version --- .../query.rego | 64 ++++++++++++++++++- .../test/negative1.tf | 34 ++++++++-- .../test/negative2.tf | 20 ++++-- .../test/negative3.tf | 25 ++++++-- .../test/negative4.tf | 14 ---- .../test/positive1.tf | 17 +++-- .../test/positive2.tf | 39 +++++++++-- .../test/positive3.tf | 41 ++++++++++++ .../test/positive_expected_result.json | 52 ++++++++++++++- 9 files changed, 265 insertions(+), 41 deletions(-) delete mode 100644 assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/negative4.tf create mode 100644 assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive3.tf diff --git a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/query.rego b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/query.rego index 6b9ac94eda2..877b1bed4bc 100644 --- a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/query.rego +++ b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/query.rego @@ -3,7 +3,7 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib -CxPolicy[result] { +CxPolicy[result] { #legacy support, 1.2 is the latest tls app := input.document[i].resource.azurerm_function_app[name] to_number(app.site_config.min_tls_version) != 1.2 
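Review bot: The comment added to the first rule, `#legacy support, 1.2 is the latest tls`, reads as if 1.2 were the newest TLS version, while the second rule in this same file treats 1.3 as the latest; what the comment should record is why the legacy resource is held to a different bar. As far as I recall, the legacy `azurerm_function_app` resource's `min_tls_version` argument only accepts 1.0, 1.1 and 1.2, so I would write `# legacy azurerm_function_app: its min_tls_version argument tops out at 1.2, so 1.2 is the strongest setting available here`. The rule body continues past the end of this hunk.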
@@ -24,3 +24,65 @@ CxPolicy[result] { "remediationType": "replacement", } } + +CxPolicy[result] { # 1.3 is the latest tls + types := {"azurerm_linux_function_app", "azurerm_windows_function_app"} + app := input.document[i].resource[types[t]][name] + + results := minimum_tls_undefined_or_not_latest(app,types[t],name) + results != "" + + result := { + "documentId": input.document[i].id, + "resourceType": types[t], + "resourceName": tf_lib.get_resource_name(app, name), + "searchKey": results.searchKey, + "issueType": results.issueType, + "keyExpectedValue": results.keyExpectedValue, + "keyActualValue": results.keyActualValue, + "searchLine": results.searchLine, + "remediation": results.remediation, + "remediationType": results.remediationType, + } +} + +# Case of undefined site_config - tls defaults to 1.2 +minimum_tls_undefined_or_not_latest(app,type,name) = results { + not common_lib.valid_key(app,"site_config") + results := { + "searchKey" : sprintf("%s[%s]", [type,name]), + "issueType" : "MissingAttribute", + "keyExpectedValue" : sprintf("'%s[%s].site_config.minimum_tls_version' should be defined and set to '1.3'", [type,name]), + "keyActualValue" : sprintf("'%s[%s].site_config' is not defined", [type,name]), + "searchLine" : common_lib.build_search_line(["resource", type, name], []), + "remediation" : null, + "remediationType" : null, + } +# Case of undefined minimum_tls_version - tls defaults to 1.2 +} else = results { + not common_lib.valid_key(app.site_config,"minimum_tls_version") + results := { + "searchKey" : sprintf("%s[%s].site_config", [type,name]), + "issueType" : "MissingAttribute", + "keyExpectedValue" : sprintf("'%s[%s].site_config.minimum_tls_version' should be defined and set to '1.3'", [type,name]), + "keyActualValue" : sprintf("'%s[%s].site_config.minimum_tls_version' is not defined", [type,name]), + "searchLine" : common_lib.build_search_line(["resource", type, name, "site_config"], []), + "remediation": "minimum_tls_version = 1.3", + 
"remediationType": "addition", + } +# Case of minimum_tls_version not set to 1.3 +} else = results { + to_number(app.site_config.minimum_tls_version) != 1.3 + results := { + "searchKey" : sprintf("%s[%s].site_config.minimum_tls_version", [type,name]), + "issueType" : "IncorrectValue", + "keyExpectedValue" : sprintf("'%s[%s].site_config.minimum_tls_version' should be set to '1.3'", [type,name]), + "keyActualValue" : sprintf("'%s[%s].site_config.minimum_tls_version' is not set to '1.3'", [type,name]), + "searchLine" : common_lib.build_search_line(["resource", type, name, "site_config", "minimum_tls_version"], []), + "remediation" : json.marshal({ + "before": sprintf("%.1f", [app.site_config.minimum_tls_version]), + "after": "1.3" + }), + "remediationType" : "replacement", + } +} else = "" diff --git a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/negative1.tf b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/negative1.tf index 6fef58640a2..2b91cf3d199 100644 --- a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/negative1.tf +++ b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/negative1.tf @@ -1,10 +1,7 @@ -resource "azurerm_function_app" "negative1" { +resource "azurerm_function_app" "negative1-1" { name = "test-azure-functions" location = azurerm_resource_group.example.location - resource_group_name = azurerm_resource_group.example.name app_service_plan_id = azurerm_app_service_plan.example.id - storage_account_name = azurerm_storage_account.example.name - storage_account_access_key = azurerm_storage_account.example.primary_access_key site_config { dotnet_framework_version = "v4.0" 
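Review bot: In the undefined-site_config branch of `minimum_tls_undefined_or_not_latest`, `remediation` and `remediationType` are `null`, whereas the same situation in the http2 query of this series (commit 04) ships an addition remediation that inserts the whole `site_config` block. Emitting the block here keeps the two queries consistent and gives auto-remediation something to apply: `"remediation" : "site_config {\n\t\tminimum_tls_version = \"1.3\"\n\t}\n",` and `"remediationType" : "addition",`. On the same theme, the second branch's `"remediation": "minimum_tls_version = 1.3"` writes an unquoted number for what the provider documents as a string argument; HCL converts it, but `"1.3"` matches the fixtures' quoted form and the documentation. The helper also deserves a one-line header stating that it returns `""` when the app already pins 1.3, which is the sentinel the `results != ""` check in the rule relies on.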
@@ -12,3 +9,32 @@ resource "azurerm_function_app" "negative1" { min_tls_version = 1.2 } } + +resource "azurerm_function_app" "negative1-2" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + app_service_plan_id = azurerm_app_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + } +} + +resource "azurerm_function_app" "negative1-3" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + app_service_plan_id = azurerm_app_service_plan.example.id +} + +resource "azurerm_function_app" "negative1-4" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + app_service_plan_id = azurerm_app_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + min_tls_version = "1.2" + } +} \ No newline at end of file diff --git a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/negative2.tf b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/negative2.tf index 1b5d4c724b5..92a7680a259 100644 --- a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/negative2.tf +++ b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/negative2.tf 
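Review bot: The rewritten negative1.tf ends with `\ No newline at end of file`, which the original fixture did not; negative2.tf and negative3.tf in this commit, and query.rego, negative.tf and positive.tf in commit 03 (the query.rego hunk there turns `-}` into `+}` purely to drop the newline), pick up the same problem. Ending each file with a newline keeps future diffs of these files from re-touching their last line.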
@@ -1,13 +1,23 @@ -resource "azurerm_function_app" "negative2" { +resource "azurerm_linux_function_app" "negative2-1" { name = "test-azure-functions" location = azurerm_resource_group.example.location - resource_group_name = azurerm_resource_group.example.name - app_service_plan_id = azurerm_app_service_plan.example.id - storage_account_name = azurerm_storage_account.example.name - storage_account_access_key = azurerm_storage_account.example.primary_access_key + service_plan_id = azurerm_service_plan.example.id site_config { dotnet_framework_version = "v4.0" scm_type = "LocalGit" + minimum_tls_version = 1.3 } } + +resource "azurerm_linux_function_app" "negative2-2" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + service_plan_id = azurerm_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + minimum_tls_version = "1.3" + } +} \ No newline at end of file diff --git a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/negative3.tf b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/negative3.tf index 50f69c3b25f..a86543734b0 100644 --- a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/negative3.tf +++ b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/negative3.tf 
@@ -1,8 +1,23 @@ -resource "azurerm_function_app" "negative3" { +resource "azurerm_windows_function_app" "negative3-1" { name = "test-azure-functions" location = azurerm_resource_group.example.location - resource_group_name = azurerm_resource_group.example.name - app_service_plan_id = azurerm_app_service_plan.example.id - storage_account_name = azurerm_storage_account.example.name - storage_account_access_key = azurerm_storage_account.example.primary_access_key + service_plan_id = azurerm_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + minimum_tls_version = 1.3 + } } + +resource "azurerm_windows_function_app" "negative3-2" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + service_plan_id = azurerm_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + minimum_tls_version = "1.3" + } +} \ No newline at end of file diff --git a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/negative4.tf b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/negative4.tf deleted file mode 100644 index 5e0d20c9df4..00000000000 --- a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/negative4.tf +++ /dev/null @@ -1,14 +0,0 @@ -resource "azurerm_function_app" "negative4" { - name = "test-azure-functions" - location = azurerm_resource_group.example.location - resource_group_name = azurerm_resource_group.example.name - app_service_plan_id = azurerm_app_service_plan.example.id - storage_account_name = azurerm_storage_account.example.name - storage_account_access_key = azurerm_storage_account.example.primary_access_key - - site_config { - dotnet_framework_version = "v4.0" - scm_type = "LocalGit" - min_tls_version = "1.2" - } -} 
diff --git a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive1.tf b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive1.tf index 877055b78ec..72b1de2c962 100644 --- a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive1.tf +++ b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive1.tf @@ -1,10 +1,7 @@ -resource "azurerm_function_app" "positive1" { +resource "azurerm_function_app" "positive1-1" { name = "test-azure-functions" location = azurerm_resource_group.example.location - resource_group_name = azurerm_resource_group.example.name app_service_plan_id = azurerm_app_service_plan.example.id - storage_account_name = azurerm_storage_account.example.name - storage_account_access_key = azurerm_storage_account.example.primary_access_key site_config { dotnet_framework_version = "v4.0" @@ -12,3 +9,15 @@ resource "azurerm_function_app" "positive1" { min_tls_version = 1.1 } } + +resource "azurerm_function_app" "positive1-2" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + app_service_plan_id = azurerm_app_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + min_tls_version = "1.1" + } +} diff --git a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive2.tf b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive2.tf index 5a0d33d8827..9558bf638c2 100644 --- a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive2.tf +++ b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive2.tf 
@@ -1,14 +1,41 @@ -resource "azurerm_function_app" "positive2" { +resource "azurerm_linux_function_app" "positive2-1" { name = "test-azure-functions" location = azurerm_resource_group.example.location - resource_group_name = azurerm_resource_group.example.name - app_service_plan_id = azurerm_app_service_plan.example.id - storage_account_name = azurerm_storage_account.example.name - storage_account_access_key = azurerm_storage_account.example.primary_access_key + service_plan_id = azurerm_service_plan.example.id site_config { dotnet_framework_version = "v4.0" scm_type = "LocalGit" - min_tls_version = "1.1" + minimum_tls_version = 1.1 } } + +resource "azurerm_linux_function_app" "positive2-2" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + service_plan_id = azurerm_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + minimum_tls_version = "1.1" + } +} + + +resource "azurerm_linux_function_app" "positive2-3" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + service_plan_id = azurerm_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + } +} + +resource "azurerm_linux_function_app" "positive2-4" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + service_plan_id = azurerm_service_plan.example.id +} diff --git a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive3.tf b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive3.tf new file mode 100644 index 00000000000..fd1ed0e8245 --- /dev/null +++ b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive3.tf 
@@ -0,0 +1,41 @@ +resource "azurerm_windows_function_app" "positive3-1" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + service_plan_id = azurerm_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + minimum_tls_version = 1.1 + } +} + +resource "azurerm_windows_function_app" "positive3-2" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + service_plan_id = azurerm_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + minimum_tls_version = "1.1" + } +} + + +resource "azurerm_windows_function_app" "positive3-3" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + service_plan_id = azurerm_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + } +} + +resource "azurerm_windows_function_app" "positive3-4" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + service_plan_id = azurerm_service_plan.example.id +} diff --git a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive_expected_result.json index 3b645f29dba..ba44ed4278c 100644 --- a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive_expected_result.json 
@@ -2,13 +2,61 @@ { "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", - "line": 12, + "line": 9, "fileName": "positive1.tf" }, { "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", - "line": 12, + "line": 21, + "fileName": "positive1.tf" + }, + { + "queryName": "Function App Not Using Latest TLS Encryption Version", + "severity": "MEDIUM", + "line": 9, + "fileName": "positive2.tf" + }, + { + "queryName": "Function App Not Using Latest TLS Encryption Version", + "severity": "MEDIUM", + "line": 21, + "fileName": "positive2.tf" + }, + { + "queryName": "Function App Not Using Latest TLS Encryption Version", + "severity": "MEDIUM", + "line": 31, + "fileName": "positive2.tf" + }, + { + "queryName": "Function App Not Using Latest TLS Encryption Version", + "severity": "MEDIUM", + "line": 37, "fileName": "positive2.tf" + }, + { + "queryName": "Function App Not Using Latest TLS Encryption Version", + "severity": "MEDIUM", + "line": 9, + "fileName": "positive3.tf" + }, + { + "queryName": "Function App Not Using Latest TLS Encryption Version", + "severity": "MEDIUM", + "line": 21, + "fileName": "positive3.tf" + }, + { + "queryName": "Function App Not Using Latest TLS Encryption Version", + "severity": "MEDIUM", + "line": 31, + "fileName": "positive3.tf" + }, + { + "queryName": "Function App Not Using Latest TLS Encryption Version", + "severity": "MEDIUM", + "line": 37, + "fileName": "positive3.tf" } ] \ No newline at end of file From a11ff06beb709cbe1c42fa5d72329276bdf37379 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Mon, 29 Sep 2025 13:36:29 +0100 Subject: [PATCH 02/14] fix results --- .../query.rego | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/query.rego b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/query.rego
index 877b1bed4bc..3c98e94547c 100644
--- a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/query.rego
+++ b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/query.rego
@@ -72,7 +72,8 @@ minimum_tls_undefined_or_not_latest(app,type,name) = results {
 }
 # Case of minimum_tls_version not set to 1.3
 } else = results {
- to_number(app.site_config.minimum_tls_version) != 1.3
+ tls_version := to_number(app.site_config.minimum_tls_version)
+ tls_version != 1.3
 results := {
 "searchKey" : sprintf("%s[%s].site_config.minimum_tls_version", [type,name]),
 "issueType" : "IncorrectValue",
@@ -80,7 +81,7 @@ minimum_tls_undefined_or_not_latest(app,type,name) = results {
 "keyActualValue" : sprintf("'%s[%s].site_config.minimum_tls_version' is not set to '1.3'", [type,name]),
 "searchLine" : common_lib.build_search_line(["resource", type, name, "site_config", "minimum_tls_version"], []),
 "remediation" : json.marshal({
- "before": sprintf("%.1f", [app.site_config.minimum_tls_version]),
+ "before": sprintf("%.1f", [tls_version]),
 "after": "1.3"
 }),
 "remediationType" : "replacement",
From c5c02ac7f64ac33515427348cb7b7a98b9c81c1b Mon Sep 17 00:00:00 2001
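Review bot: `sprintf("%.1f", [tls_version])` renders the remediation's `before` text from the parsed number rather than from what the file says, so a value written as `1` becomes `1.0` and `"1.10"` becomes `1.1`; if the remediation engine applies `before`/`after` as a textual replacement (I cannot see the engine from here), those forms would not be found in the source. Formatting the raw attribute instead, `"before": sprintf("%v", [app.site_config.minimum_tls_version]),`, reproduces the token as written for both the numeric and the quoted-string fixtures, while `tls_version` stays in place for the `!= 1.3` comparison. Both hunks of this commit sit inside the last else branch of `minimum_tls_undefined_or_not_latest`, which starts and ends outside them.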
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Mon, 29 Sep 2025 13:45:49 +0100 Subject: [PATCH 03/14] new resources added to function_app_managed_identity_disabled --- .../query.rego | 16 +++++++------ .../test/negative.tf | 23 ++++++++++++++++--- .../test/positive.tf | 20 ++++++++++++++++ .../test/positive1.tf | 8 ------- .../test/positive_expected_result.json | 13 +++++++++-- 5 files changed, 60 insertions(+), 20 deletions(-) create mode 100644 assets/queries/terraform/azure/function_app_managed_identity_disabled/test/positive.tf delete mode 100644 assets/queries/terraform/azure/function_app_managed_identity_disabled/test/positive1.tf diff --git a/assets/queries/terraform/azure/function_app_managed_identity_disabled/query.rego b/assets/queries/terraform/azure/function_app_managed_identity_disabled/query.rego index 7151f4f905c..85b0cf7d783 100644 --- a/assets/queries/terraform/azure/function_app_managed_identity_disabled/query.rego +++ b/assets/queries/terraform/azure/function_app_managed_identity_disabled/query.rego 
@@ -3,19 +3,21 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +types := {"azurerm_function_app","azurerm_linux_function_app", "azurerm_windows_function_app"} + CxPolicy[result] { - function := input.document[i].resource.azurerm_function_app[name] + function := input.document[i].resource[types[t]][name] not common_lib.valid_key(function, "identity") result := { "documentId": input.document[i].id, - "resourceType": "azurerm_function_app", + "resourceType": types[t], "resourceName": tf_lib.get_resource_name(function, name), - "searchKey": sprintf("azurerm_function_app[%s]", [name]), + "searchKey": sprintf("%s[%s]", [types[t],name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("'azurerm_function_app[%s].identity' should be defined and not null", [name]), - "keyActualValue": sprintf("'azurerm_function_app[%s].identity' is undefined or null", [name]), - "searchLine": common_lib.build_search_line(["resource", "azurerm_function_app", name], []), + "keyExpectedValue": sprintf("'%s[%s].identity' should be defined and not null", [types[t],name]), + "keyActualValue": sprintf("'%s[%s].identity' is undefined or null", [types[t],name]), + "searchLine": common_lib.build_search_line(["resource", types[t], name], []), } -} +} \ No newline at end of file diff --git a/assets/queries/terraform/azure/function_app_managed_identity_disabled/test/negative.tf b/assets/queries/terraform/azure/function_app_managed_identity_disabled/test/negative.tf index 2445d2728b1..607398bd462 100644 --- a/assets/queries/terraform/azure/function_app_managed_identity_disabled/test/negative.tf +++ b/assets/queries/terraform/azure/function_app_managed_identity_disabled/test/negative.tf 
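Review bot: The new package-level `types` set carries no comment, and the rule's `keyExpectedValue` string is the only place a reader learns what the three resource kinds have in common. A one-liner above it would do: `# Function App resource kinds that carry an identity block; azurerm_function_app is the legacy resource, the linux/windows ones its replacements`. The same comment is a good place to state that the rule only checks that an `identity` block exists and does not inspect `identity.type`, so a block of any type satisfies it.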
@@ -1,12 +1,29 @@ -resource "azurerm_function_app" "negative" { +resource "azurerm_function_app" "negative1" { name = "test-azure-functions" location = azurerm_resource_group.example.location resource_group_name = azurerm_resource_group.example.name app_service_plan_id = azurerm_app_service_plan.example.id - storage_account_name = azurerm_storage_account.example.name - storage_account_access_key = azurerm_storage_account.example.primary_access_key + identity { + type = "SystemAssigned" + } +} +resource "azurerm_linux_function_app" "negative2" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + service_plan_id = azurerm_app_service_plan.example.id identity { type = "SystemAssigned" } } + +resource "azurerm_windows_function_app" "negative3" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + service_plan_id = azurerm_app_service_plan.example.id + identity { + type = "SystemAssigned" + } +} \ No newline at end of file diff --git a/assets/queries/terraform/azure/function_app_managed_identity_disabled/test/positive.tf b/assets/queries/terraform/azure/function_app_managed_identity_disabled/test/positive.tf new file mode 100644 index 00000000000..2dae8158636 --- /dev/null +++ b/assets/queries/terraform/azure/function_app_managed_identity_disabled/test/positive.tf 
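Review bot: `negative2` and `negative3` set `service_plan_id = azurerm_app_service_plan.example.id`, referencing the legacy plan resource, while commit 01's fixtures for the same linux/windows resources use `service_plan_id = azurerm_service_plan.example.id`, which as far as I recall is the plan resource the new apps are documented to take. The query never resolves the reference, so nothing fails, but a fixture that would not apply is a weak example; I would use `service_plan_id = azurerm_service_plan.example.id` here and in positive.tf of this commit and in negative2.tf, negative3.tf and positive2.tf of commit 04. The three resources also keep `resource_group_name`, which commit 01 stripped from its fixtures, so the two commits disagree on what a minimal fixture looks like.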
@@ -0,0 +1,20 @@ +resource "azurerm_function_app" "positive1" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id +} + +resource "azurerm_linux_function_app" "positive2" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + service_plan_id = azurerm_app_service_plan.example.id +} + +resource "azurerm_windows_function_app" "positive3" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + service_plan_id = azurerm_app_service_plan.example.id +} \ No newline at end of file diff --git a/assets/queries/terraform/azure/function_app_managed_identity_disabled/test/positive1.tf b/assets/queries/terraform/azure/function_app_managed_identity_disabled/test/positive1.tf deleted file mode 100644 index 5f029a2bffc..00000000000 --- a/assets/queries/terraform/azure/function_app_managed_identity_disabled/test/positive1.tf +++ /dev/null @@ -1,8 +0,0 @@ -resource "azurerm_function_app" "positive1" { - name = "test-azure-functions" - location = azurerm_resource_group.example.location - resource_group_name = azurerm_resource_group.example.name - app_service_plan_id = azurerm_app_service_plan.example.id - storage_account_name = azurerm_storage_account.example.name - storage_account_access_key = azurerm_storage_account.example.primary_access_key -} diff --git a/assets/queries/terraform/azure/function_app_managed_identity_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_managed_identity_disabled/test/positive_expected_result.json index 53bf724798e..260582022d7 100644 --- a/assets/queries/terraform/azure/function_app_managed_identity_disabled/test/positive_expected_result.json 
+++ b/assets/queries/terraform/azure/function_app_managed_identity_disabled/test/positive_expected_result.json @@ -2,7 +2,16 @@ { "queryName": "Function App Managed Identity Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive1.tf" + "line": 1 + }, + { + "queryName": "Function App Managed Identity Disabled", + "severity": "MEDIUM", + "line": 8 + }, + { + "queryName": "Function App Managed Identity Disabled", + "severity": "MEDIUM", + "line": 15 } ] From 55b06f5f94d4ab2cbb37583d27868528ef651b04 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Mon, 29 Sep 2025 14:00:47 +0100 Subject: [PATCH 04/14] added new resources to function_app_http2_disabled --- .../function_app_http2_disabled/query.rego | 38 +++++++++--------- .../test/{negative.tf => negative1.tf} | 5 +-- .../test/negative2.tf | 12 ++++++ .../test/negative3.tf | 12 ++++++ .../test/positive1.tf | 29 ++++++++++++-- .../test/positive2.tf | 27 ++++++++++--- .../test/positive3.tf | 24 +++++++++-- .../test/positive_expected_result.json | 40 ++++++++++++++++++- 8 files changed, 151 insertions(+), 36 deletions(-) rename assets/queries/terraform/azure/function_app_http2_disabled/test/{negative.tf => negative1.tf} (63%) create mode 100644 assets/queries/terraform/azure/function_app_http2_disabled/test/negative2.tf create mode 100644 assets/queries/terraform/azure/function_app_http2_disabled/test/negative3.tf diff --git a/assets/queries/terraform/azure/function_app_http2_disabled/query.rego b/assets/queries/terraform/azure/function_app_http2_disabled/query.rego index dc6babd4894..3258c19f77b 100644 --- a/assets/queries/terraform/azure/function_app_http2_disabled/query.rego +++ b/assets/queries/terraform/azure/function_app_http2_disabled/query.rego 
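Review bot: The three rewritten entries drop the `fileName` key that the removed entry carried (`"fileName": "positive1.tf"`), so the expectations now pin only line numbers 1, 8 and 15 without saying which file they belong to; commit 01's expected results for the TLS query keep `fileName` on every entry. If the test harness honours the key, add `"fileName": "positive.tf"` to each of the three entries so a later fixture split cannot silently match the wrong file.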
@@ -3,58 +3,60 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +types := {"azurerm_function_app", "azurerm_linux_function_app", "azurerm_windows_function_app"} + CxPolicy[result] { - app := input.document[i].resource.azurerm_function_app[name] + app := input.document[i].resource[types[t]][name] not common_lib.valid_key(app, "site_config") result := { "documentId": input.document[i].id, - "resourceType": "azurerm_function_app", + "resourceType": types[t], "resourceName": tf_lib.get_resource_name(app, name), - "searchKey": sprintf("azurerm_function_app[%s]", [name]), + "searchKey": sprintf("%s[%s]", [types[t], name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("'azurerm_function_app[%s].site_config' should be defined and not null", [name]), - "keyActualValue": sprintf("'azurerm_function_app[%s].site_config' is undefined or null", [name]), - "searchLine": common_lib.build_search_line(["resource", "azurerm_function_app", name], []), + "keyExpectedValue": sprintf("'%s[%s].site_config' should be defined and not null", [types[t], name]), + "keyActualValue": sprintf("'%s[%s].site_config' is undefined or null", [types[t], name]), + "searchLine": common_lib.build_search_line(["resource", types[t], name], []), "remediation": "site_config {\n\t\thttp2_enabled = true\n\t}\n", "remediationType": "addition", } } CxPolicy[result] { - app := input.document[i].resource.azurerm_function_app[name] + app := input.document[i].resource[types[t]][name] not common_lib.valid_key(app.site_config, "http2_enabled") result := { "documentId": input.document[i].id, - "resourceType": "azurerm_function_app", + "resourceType": types[t], "resourceName": tf_lib.get_resource_name(app, name), - "searchKey": sprintf("azurerm_function_app[%s].site_config", [name]), + "searchKey": sprintf("%s[%s].site_config", [types[t], name]), "issueType": "IncorrectValue", - "keyExpectedValue": 
sprintf("'azurerm_function_app[%s].site_config.http2_enabled' should be defined and not null", [name]), - "keyActualValue": sprintf("'azurerm_function_app[%s].site_config.http2_enabled' is undefined or null", [name]), - "searchLine": common_lib.build_search_line(["resource", "azurerm_function_app", name, "site_config"], []), + "keyExpectedValue": sprintf("'%s[%s].site_config.http2_enabled' should be defined and not null", [types[t], name]), + "keyActualValue": sprintf("'%s[%s].site_config.http2_enabled' is undefined or null", [types[t], name]), + "searchLine": common_lib.build_search_line(["resource", types[t], name, "site_config"], []), "remediation": "http2_enabled = true", "remediationType": "addition", } } CxPolicy[result] { - app := input.document[i].resource.azurerm_function_app[name] + app := input.document[i].resource[types[t]][name] app.site_config.http2_enabled == false result := { "documentId": input.document[i].id, - "resourceType": "azurerm_function_app", + "resourceType": types[t], "resourceName": tf_lib.get_resource_name(app, name), - "searchKey": sprintf("azurerm_function_app[%s].site_config.http2_enabled", [name]), + "searchKey": sprintf("%s[%s].site_config.http2_enabled", [types[t], name]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("'azurerm_function_app[%s].site_config.http2_enabled' should be set to true", [name]), - "keyActualValue": sprintf("'azurerm_function_app[%s].site_config.http2_enabled' is set to false", [name]), - "searchLine": common_lib.build_search_line(["resource", "azurerm_function_app", name, "site_config", "http2_enabled"], []), + "keyExpectedValue": sprintf("'%s[%s].site_config.http2_enabled' should be set to true", [types[t], name]), + "keyActualValue": sprintf("'%s[%s].site_config.http2_enabled' is set to false", [types[t], name]), + "searchLine": common_lib.build_search_line(["resource", types[t], name, "site_config", "http2_enabled"], []), "remediation": json.marshal({ "before": "false", "after": "true" 
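Review bot: The second rule, `not common_lib.valid_key(app.site_config, "http2_enabled")`, now runs for every app in `types`, including those with no `site_config` at all; if `app.site_config` being undefined makes the `valid_key` call undefined, `not` turns that into true and such an app is reported twice, once by the first rule and once here, which is exactly what the new positive1-1, positive2-1 and positive3-1 fixtures would exercise. I cannot see `valid_key`'s definition from here, so this is hedged, but guarding the rule with `common_lib.valid_key(app, "site_config")` on the line before the `not` makes the three rules mutually exclusive regardless; the TLS query in commit 01 achieves the same with an else chain. The second rule also labels a missing attribute as `IncorrectValue` while the first rule and the TLS query use `MissingAttribute`; that line is untouched by the commit but worth aligning while the rule is being rewritten.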
diff --git a/assets/queries/terraform/azure/function_app_http2_disabled/test/negative.tf b/assets/queries/terraform/azure/function_app_http2_disabled/test/negative1.tf similarity index 63% rename from assets/queries/terraform/azure/function_app_http2_disabled/test/negative.tf rename to assets/queries/terraform/azure/function_app_http2_disabled/test/negative1.tf index 01c6dad9713..230e01a996c 100644 --- a/assets/queries/terraform/azure/function_app_http2_disabled/test/negative.tf +++ b/assets/queries/terraform/azure/function_app_http2_disabled/test/negative1.tf @@ -1,15 +1,12 @@ -resource "azurerm_function_app" "negative" { +resource "azurerm_function_app" "negative1" { name = "test-azure-functions" location = azurerm_resource_group.example.location resource_group_name = azurerm_resource_group.example.name app_service_plan_id = azurerm_app_service_plan.example.id - storage_account_name = azurerm_storage_account.example.name - storage_account_access_key = azurerm_storage_account.example.primary_access_key site_config { dotnet_framework_version = "v4.0" scm_type = "LocalGit" - min_tls_version = 1.2 http2_enabled = true } } diff --git a/assets/queries/terraform/azure/function_app_http2_disabled/test/negative2.tf b/assets/queries/terraform/azure/function_app_http2_disabled/test/negative2.tf new file mode 100644 index 00000000000..500b283f5c4 --- /dev/null +++ b/assets/queries/terraform/azure/function_app_http2_disabled/test/negative2.tf @@ -0,0 +1,12 @@ +resource "azurerm_linux_function_app" "negative2" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + service_plan_id = azurerm_app_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + http2_enabled = true + } +} 
diff --git a/assets/queries/terraform/azure/function_app_http2_disabled/test/negative3.tf b/assets/queries/terraform/azure/function_app_http2_disabled/test/negative3.tf new file mode 100644 index 00000000000..300fe9b4b14 --- /dev/null +++ b/assets/queries/terraform/azure/function_app_http2_disabled/test/negative3.tf @@ -0,0 +1,12 @@ +resource "azurerm_windows_function_app" "negative3" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + service_plan_id = azurerm_app_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + http2_enabled = true + } +} diff --git a/assets/queries/terraform/azure/function_app_http2_disabled/test/positive1.tf b/assets/queries/terraform/azure/function_app_http2_disabled/test/positive1.tf index 5f029a2bffc..ef65ca50e91 100644 --- a/assets/queries/terraform/azure/function_app_http2_disabled/test/positive1.tf +++ b/assets/queries/terraform/azure/function_app_http2_disabled/test/positive1.tf 
@@ -1,8 +1,31 @@ -resource "azurerm_function_app" "positive1" { +resource "azurerm_function_app" "positive1-1" { name = "test-azure-functions" location = azurerm_resource_group.example.location resource_group_name = azurerm_resource_group.example.name app_service_plan_id = azurerm_app_service_plan.example.id - storage_account_name = azurerm_storage_account.example.name - storage_account_access_key = azurerm_storage_account.example.primary_access_key +} + +resource "azurerm_function_app" "positive1-2" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + } +} + +resource "azurerm_function_app" "positive1-3" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + http2_enabled = false + } } diff --git a/assets/queries/terraform/azure/function_app_http2_disabled/test/positive2.tf b/assets/queries/terraform/azure/function_app_http2_disabled/test/positive2.tf index 250ec99adfc..b08630f47da 100644 --- a/assets/queries/terraform/azure/function_app_http2_disabled/test/positive2.tf +++ b/assets/queries/terraform/azure/function_app_http2_disabled/test/positive2.tf 
@@ -1,14 +1,31 @@ -resource "azurerm_function_app" "positive2" { +resource "azurerm_linux_function_app" "positive2-1" { name = "test-azure-functions" location = azurerm_resource_group.example.location resource_group_name = azurerm_resource_group.example.name - app_service_plan_id = azurerm_app_service_plan.example.id - storage_account_name = azurerm_storage_account.example.name - storage_account_access_key = azurerm_storage_account.example.primary_access_key + service_plan_id = azurerm_app_service_plan.example.id +} + +resource "azurerm_linux_function_app" "positive2-2" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + service_plan_id = azurerm_app_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + } +} + +resource "azurerm_linux_function_app" "positive2-3" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + service_plan_id = azurerm_app_service_plan.example.id site_config { dotnet_framework_version = "v4.0" scm_type = "LocalGit" - min_tls_version = 1.2 + http2_enabled = false } } diff --git a/assets/queries/terraform/azure/function_app_http2_disabled/test/positive3.tf b/assets/queries/terraform/azure/function_app_http2_disabled/test/positive3.tf index 2f21bf5d3b6..07323dca955 100644 --- a/assets/queries/terraform/azure/function_app_http2_disabled/test/positive3.tf +++ b/assets/queries/terraform/azure/function_app_http2_disabled/test/positive3.tf 
@@ -1,15 +1,31 @@ -resource "azurerm_function_app" "positive3" { +resource "azurerm_windows_function_app" "positive3-1" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id +} + +resource "azurerm_windows_function_app" "positive3-2" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + } +} + +resource "azurerm_windows_function_app" "positive3-3" { name = "test-azure-functions" location = azurerm_resource_group.example.location resource_group_name = azurerm_resource_group.example.name app_service_plan_id = azurerm_app_service_plan.example.id - storage_account_name = azurerm_storage_account.example.name - storage_account_access_key = azurerm_storage_account.example.primary_access_key site_config { dotnet_framework_version = "v4.0" scm_type = "LocalGit" - min_tls_version = 1.2 http2_enabled = false } } diff --git a/assets/queries/terraform/azure/function_app_http2_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_http2_disabled/test/positive_expected_result.json index 2f23d404c9f..d82199717ca 100644 --- a/assets/queries/terraform/azure/function_app_http2_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/function_app_http2_disabled/test/positive_expected_result.json 
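Review bot: The three `azurerm_windows_function_app` fixtures in this hunk set `app_service_plan_id`, while the Windows fixture in negative3.tf and the Linux fixtures in positive2.tf use `service_plan_id`, which is the attribute the non-legacy resources take. The query does not read that attribute, so the expected results are unaffected, but the fixture presumably would not validate as written. Changing the three lines to `service_plan_id = azurerm_app_service_plan.example.id` keeps the fixtures consistent with the other new files.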
@@ -8,13 +8,49 @@
   {
     "queryName": "Function App HTTP2 Disabled",
     "severity": "MEDIUM",
-    "line": 9,
+    "line": 14,
+    "fileName": "positive1.tf"
+  },
+  {
+    "queryName": "Function App HTTP2 Disabled",
+    "severity": "MEDIUM",
+    "line": 29,
+    "fileName": "positive1.tf"
+  },
+  {
+    "queryName": "Function App HTTP2 Disabled",
+    "severity": "MEDIUM",
+    "line": 1,
+    "fileName": "positive2.tf"
+  },
+  {
+    "queryName": "Function App HTTP2 Disabled",
+    "severity": "MEDIUM",
+    "line": 14,
     "fileName": "positive2.tf"
   },
   {
     "queryName": "Function App HTTP2 Disabled",
     "severity": "MEDIUM",
-    "line": 13,
+    "line": 29,
+    "fileName": "positive2.tf"
+  },
+  {
+    "queryName": "Function App HTTP2 Disabled",
+    "severity": "MEDIUM",
+    "line": 1,
+    "fileName": "positive3.tf"
+  },
+  {
+    "queryName": "Function App HTTP2 Disabled",
+    "severity": "MEDIUM",
+    "line": 14,
+    "fileName": "positive3.tf"
+  },
+  {
+    "queryName": "Function App HTTP2 Disabled",
+    "severity": "MEDIUM",
+    "line": 29,
     "fileName": "positive3.tf"
   }
 ]
\ No newline at end of file
From e864597bac816ec51d5cd8ade412986863405310 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Mon, 29 Sep 2025 14:43:08 +0100
Subject: [PATCH 05/14] added new resources to function_app_http2_disabled 2
---
 .../terraform/azure/function_app_http2_disabled/query.rego | 1 +
 1 file changed, 1 insertion(+)
diff --git a/assets/queries/terraform/azure/function_app_http2_disabled/query.rego b/assets/queries/terraform/azure/function_app_http2_disabled/query.rego
index 3258c19f77b..05a13423033 100644
--- a/assets/queries/terraform/azure/function_app_http2_disabled/query.rego
+++ b/assets/queries/terraform/azure/function_app_http2_disabled/query.rego
@@ -9,6 +9,7 @@ CxPolicy[result] {
 	app := input.document[i].resource[types[t]][name]
 	not common_lib.valid_key(app, "site_config")
+
 	result := {
 		"documentId": input.document[i].id,
From 334b792d0b49ae68b72694af5ed62b71667f1cd5 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Mon, 29 Sep 2025 14:44:31 +0100
Subject: [PATCH 06/14] fix
---
 .../terraform/azure/function_app_http2_disabled/query.rego | 1 -
 1 file changed, 1 deletion(-)
diff --git a/assets/queries/terraform/azure/function_app_http2_disabled/query.rego b/assets/queries/terraform/azure/function_app_http2_disabled/query.rego
index 05a13423033..3258c19f77b 100644
--- a/assets/queries/terraform/azure/function_app_http2_disabled/query.rego
+++ b/assets/queries/terraform/azure/function_app_http2_disabled/query.rego
@@ -9,7 +9,6 @@ CxPolicy[result] {
 	app := input.document[i].resource[types[t]][name]
 	not common_lib.valid_key(app, "site_config")
-
 	result := {
 		"documentId": input.document[i].id,
From 586708ad378632aa0ad39c43b3d568e9e3bae22e Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Mon, 29 Sep 2025 15:11:22 +0100
Subject: [PATCH 07/14] added new resources to function_app_ftps_enforce_disabled
---
 .../query.rego | 37 ++++++++++++-----
 .../test/negative1.tf | 15 +++++--
 .../test/negative2.tf | 36 +++++++++++++++--
 .../test/negative3.tf | 40 +++++++++++++++++++
 .../test/positive1.tf | 22 ++++++++--
 .../test/positive2.tf | 9 ++---
 .../test/positive3.tf | 11 +++++
 .../test/positive_expected_result.json | 20 +++++++++-
 8 files changed, 164 insertions(+), 26 deletions(-)
 create mode 100644 assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/negative3.tf
 create mode 100644 assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive3.tf
diff --git a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego
index 14988ab3938..a93c1c2b6c9 100644
--- a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego
+++ b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego
@@ -3,39 +3,56 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
-CxPolicy[result] {
+types := {"azurerm_function_app", "azurerm_linux_function_app", "azurerm_windows_function_app"}
+
+CxPolicy[result] { # only for legacy "azurerm_function_app" because ftps_state defaults to "AllAllowed"
 	function := input.document[i].resource.azurerm_function_app[name]
-	not common_lib.valid_key(function.site_config, "ftps_state")
+	results := get_path(function,name)
+	results != ""
 	result := {
 		"documentId": input.document[i].id,
 		"resourceType": "azurerm_function_app",
 		"resourceName": tf_lib.get_resource_name(function, name),
-		"searchKey": sprintf("azurerm_function_app[%s].site_config'", [name]),
+		"searchKey": results.searchKey,
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": sprintf("'azurerm_function_app[%s].site_config.ftps_state' should be defined and not null", [name]),
 		"keyActualValue": sprintf("'azurerm_function_app[%s].site_config.ftps_state' is undefined or null", [name]),
-		"searchLine": common_lib.build_search_line(["resource", "azurerm_function_app", name, "site_config"], []),
+		"searchLine": results.searchLine,
 		"remediation": "ftps_state = \"FtpsOnly\"",
 		"remediationType": "addition",
 	}
 }
+get_path(function,name) = results {
+	not common_lib.valid_key(function, "site_config")
+	results := {
+		"searchKey": sprintf("azurerm_function_app[%s]'", [name]),
+		"searchLine": common_lib.build_search_line(["resource", "azurerm_function_app", name], []),
+	}
+} else = results {
+	not common_lib.valid_key(function.site_config, "ftps_state")
+	results := {
+		"searchKey": sprintf("azurerm_function_app[%s].site_config'", [name]),
+		"searchLine": common_lib.build_search_line(["resource", "azurerm_function_app", name, "site_config"], []),
+	}
+} else = ""
+
 CxPolicy[result] {
-	function := input.document[i].resource.azurerm_function_app[name]
+	function := input.document[i].resource[types[t]][name]
 	function.site_config.ftps_state == "AllAllowed"
 	result := {
 		"documentId": input.document[i].id,
-		"resourceType": "azurerm_function_app",
+		"resourceType": types[t],
 		"resourceName": tf_lib.get_resource_name(function, name),
-		"searchKey": sprintf("azurerm_function_app[%s].site_config.ftps_state", [name]),
+		"searchKey": sprintf("%s[%s].site_config.ftps_state", [types[t], name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("'azurerm_function_app[%s].site_config.ftps_state' should not be set to 'AllAllowed'", [name]),
-		"keyActualValue": sprintf("'azurerm_function_app[%s].site_config.ftps_state' is set to 'AllAllowed'", [name]),
-		"searchLine": common_lib.build_search_line(["resource", "azurerm_function_app", name, "site_config", "ftps_state"], []),
+		"keyExpectedValue": sprintf("'%s[%s].site_config.ftps_state' should not be set to 'AllAllowed'", [types[t], name]),
+		"keyActualValue": sprintf("'%s[%s].site_config.ftps_state' is set to 'AllAllowed'", [types[t], name]),
+		"searchLine": common_lib.build_search_line(["resource", types[t], name, "site_config", "ftps_state"], []),
 		"remediation": json.marshal({
 			"before": "AllAllowed",
 			"after": "FtpsOnly"
diff --git a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/negative1.tf b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/negative1.tf
index 67aef5e76ee..d3f568b57b4 100644
--- a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/negative1.tf
+++ b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/negative1.tf
@@ -1,12 +1,21 @@ -resource "azurerm_function_app" "negative1" { +resource "azurerm_function_app" "negative1-1" { name = "test-azure-functions" location = azurerm_resource_group.example.location resource_group_name = azurerm_resource_group.example.name app_service_plan_id = azurerm_app_service_plan.example.id - storage_account_name = azurerm_storage_account.example.name - storage_account_access_key = azurerm_storage_account.example.primary_access_key site_config { ftps_state = "FtpsOnly" } } + +resource "azurerm_function_app" "negative1-2" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + site_config { + ftps_state = "Disabled" + } +} diff --git a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/negative2.tf b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/negative2.tf index 09295e95e4e..c1bc97998ad 100644 --- a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/negative2.tf +++ b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/negative2.tf 
@@ -1,12 +1,40 @@ -resource "azurerm_function_app" "negative2" { +resource "azurerm_linux_function_app" "negative2-1" { name = "test-azure-functions" location = azurerm_resource_group.example.location resource_group_name = azurerm_resource_group.example.name - app_service_plan_id = azurerm_app_service_plan.example.id - storage_account_name = azurerm_storage_account.example.name - storage_account_access_key = azurerm_storage_account.example.primary_access_key + service_plan_id = azurerm_app_service_plan.example.id + + site_config { + ftps_state = "FtpsOnly" + } +} + +resource "azurerm_linux_function_app" "negative2-2" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + service_plan_id = azurerm_app_service_plan.example.id site_config { ftps_state = "Disabled" } } + +resource "azurerm_linux_function_app" "negative2-3" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + service_plan_id = azurerm_app_service_plan.example.id + + site_config { + http2_enabled = true + } +} + +resource "azurerm_linux_function_app" "negative2-4" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + service_plan_id = azurerm_app_service_plan.example.id +} + diff --git a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/negative3.tf b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/negative3.tf new file mode 100644 index 00000000000..9f5b1a96d41 --- /dev/null +++ b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/negative3.tf 
@@ -0,0 +1,40 @@ +resource "azurerm_windows_function_app" "negative3-1" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + service_plan_id = azurerm_app_service_plan.example.id + + site_config { + ftps_state = "FtpsOnly" + } +} + +resource "azurerm_windows_function_app" "negative3-2" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + service_plan_id = azurerm_app_service_plan.example.id + + site_config { + ftps_state = "Disabled" + } +} + +resource "azurerm_windows_function_app" "negative3-3" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + service_plan_id = azurerm_app_service_plan.example.id + + site_config { + http2_enabled = true + } +} + +resource "azurerm_windows_function_app" "negative3-4" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + service_plan_id = azurerm_app_service_plan.example.id +} + diff --git a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive1.tf b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive1.tf index bd37bb75961..1fe3a523ae7 100644 --- a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive1.tf +++ b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive1.tf 
@@ -1,13 +1,29 @@ -resource "azurerm_function_app" "positive1" { +resource "azurerm_function_app" "positive1-1" { name = "test-azure-functions" location = azurerm_resource_group.example.location resource_group_name = azurerm_resource_group.example.name app_service_plan_id = azurerm_app_service_plan.example.id - storage_account_name = azurerm_storage_account.example.name - storage_account_access_key = azurerm_storage_account.example.primary_access_key site_config { http2_enabled = true ftps_state = "AllAllowed" } } + +resource "azurerm_function_app" "positive1-2" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + site_config { + http2_enabled = true + } +} + +resource "azurerm_function_app" "positive1-3" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id +} diff --git a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive2.tf b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive2.tf index 0b199a259c1..60e0334648b 100644 --- a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive2.tf +++ b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive2.tf 
@@ -1,12 +1,11 @@ -resource "azurerm_function_app" "positive2" { +resource "azurerm_linux_function_app" "positive2" { name = "test-azure-functions" location = azurerm_resource_group.example.location resource_group_name = azurerm_resource_group.example.name - app_service_plan_id = azurerm_app_service_plan.example.id - storage_account_name = azurerm_storage_account.example.name - storage_account_access_key = azurerm_storage_account.example.primary_access_key + service_plan_id = azurerm_app_service_plan.example.id site_config { http2_enabled = true + ftps_state = "AllAllowed" } -} +} \ No newline at end of file diff --git a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive3.tf b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive3.tf new file mode 100644 index 00000000000..efe55f06375 --- /dev/null +++ b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive3.tf @@ -0,0 +1,11 @@ +resource "azurerm_windows_function_app" "positive3" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + service_plan_id = azurerm_app_service_plan.example.id + + site_config { + http2_enabled = true + ftps_state = "AllAllowed" + } +} \ No newline at end of file diff --git a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive_expected_result.json index 81b90db9d90..add34a22f4a 100644 --- a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive_expected_result.json 
@@ -2,7 +2,19 @@
   {
     "queryName": "Function App FTPS Enforce Disabled",
     "severity": "MEDIUM",
-    "line": 11,
+    "line": 9,
+    "fileName": "positive1.tf"
+  },
+  {
+    "queryName": "Function App FTPS Enforce Disabled",
+    "severity": "MEDIUM",
+    "line": 19,
+    "fileName": "positive1.tf"
+  },
+  {
+    "queryName": "Function App FTPS Enforce Disabled",
+    "severity": "MEDIUM",
+    "line": 24,
     "fileName": "positive1.tf"
   },
   {
@@ -10,5 +22,11 @@
     "severity": "MEDIUM",
     "line": 9,
     "fileName": "positive2.tf"
+  },
+  {
+    "queryName": "Function App FTPS Enforce Disabled",
+    "severity": "MEDIUM",
+    "line": 9,
+    "fileName": "positive3.tf"
   }
 ]
\ No newline at end of file
From de206604fac0b3c0facfcd8f0b6bf5f82f794c17 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Mon, 29 Sep 2025 15:45:29 +0100
Subject: [PATCH 08/14] remediation fix
---
 .../azure/function_app_ftps_enforce_disabled/query.rego | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego
index a93c1c2b6c9..2546fb58ccb 100644
--- a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego
+++ b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego
@@ -20,8 +20,8 @@ CxPolicy[result] { # only for legacy "azurerm_function_app" because ftps_state d
 		"keyExpectedValue": sprintf("'azurerm_function_app[%s].site_config.ftps_state' should be defined and not null", [name]),
 		"keyActualValue": sprintf("'azurerm_function_app[%s].site_config.ftps_state' is undefined or null", [name]),
 		"searchLine": results.searchLine,
-		"remediation": "ftps_state = \"FtpsOnly\"",
-		"remediationType": "addition",
+		"remediation": results.remediation,
+		"remediationType": results.remediationType,
 	}
 }
@@ -30,12 +30,16 @@ get_path(function,name) = results {
 	results := {
 		"searchKey": sprintf("azurerm_function_app[%s]'", [name]),
 		"searchLine": common_lib.build_search_line(["resource", "azurerm_function_app", name], []),
+		"remediation": null,
+		"remediationType": null,
 	}
 } else = results {
 	not common_lib.valid_key(function.site_config, "ftps_state")
 	results := {
 		"searchKey": sprintf("azurerm_function_app[%s].site_config'", [name]),
 		"searchLine": common_lib.build_search_line(["resource", "azurerm_function_app", name, "site_config"], []),
+		"remediation": "ftps_state = \"FtpsOnly\"",
+		"remediationType": "addition",
 	}
 } else = ""
From 517b0991cf69a098a7320602d6e083555cb062f9 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Mon, 29 Sep 2025 16:22:39 +0100
Subject: [PATCH 09/14] resource support for function_app_client_certificates_unrequired 1
---
 .../query.rego | 53 ++++++++++++-------
 .../test/{negative.tf => negative1.tf} | 2 -
 .../test/negative2.tf | 8 +++
 .../test/negative3.tf | 8 +++
 .../test/positive1.tf | 13 +++--
 .../test/positive2.tf | 11 ++--
 .../test/positive3.tf | 15 ++++++
 7 files changed, 84 insertions(+), 26 deletions(-)
 rename assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/{negative.tf => negative1.tf} (69%)
 create mode 100644 assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/negative2.tf
 create mode 100644 assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/negative3.tf
 create mode 100644 assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive3.tf
diff --git a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/query.rego b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/query.rego
index ca2dc5858e6..9a9e67b0e96 100644
--- a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/query.rego
+++ b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/query.rego 
@@ -3,34 +3,47 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+types := {"azurerm_function_app", "azurerm_linux_function_app", "azurerm_windows_function_app"}
+
 CxPolicy[result] {
-	function := input.document[i].resource.azurerm_function_app[name]
+	function := input.document[i].resource.azurerm_function_app[name]
-	not common_lib.valid_key(function, "client_cert_mode")
+	results := client_certificate_not_required(function,name,types[t])
+	results != ""
 	result := {
 		"documentId": input.document[i].id,
-		"resourceType": "azurerm_function_app",
-		"resourceName": tf_lib.get_resource_name(function, name),
-		"searchKey": sprintf("azurerm_function_app[%s]", [name]),
+		"resourceType": types[t],
+		"resourceName": tf_lib.get_resource_name(function, name),
+		"searchKey": results.searchKey,
+		"issueType": results.issueType,
+		"keyExpectedValue": results.keyExpectedValue,
+		"keyActualValue": results.keyActualValue,
+		"searchLine": results.searchLine,
+		"remediation": results.remediation,
+		"remediationType": results.remediationType,
+	}
+}
+
+client_certificate_not_required(function,name,type) = results {
+	field_name = get_field(type)
+	not common_lib.valid_key(function, field_name)
+
+	results := {
+		"searchKey": sprintf("%s[%s]", [type, name]),
 		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("'azurerm_function_app[%s].client_cert_mode' should be defined and not null", [name]),
-		"keyActualValue": sprintf("'azurerm_function_app[%s].client_cert_mode' is undefined or null", [name]),
+		"keyExpectedValue": sprintf("'%s[%s].client_cert_mode' should be defined and not null", [type, name]),
+		"keyActualValue": sprintf("'%s[%s].client_cert_mode' is undefined or null", [type, name]),
 		"searchLine": common_lib.build_search_line(["resource", "azurerm_function_app", name], []),
 		"remediation": "client_cert_mode = \"Required\"",
 		"remediationType": "addition",
 	}
-}
+
+} else = results {
+	field_name = get_field(type)
+	function[field_name] != "Required"
-CxPolicy[result] {
-	function := input.document[i].resource.azurerm_function_app[name]
-
-	function.client_cert_mode != "Required"
-
-	result := {
-		"documentId": input.document[i].id,
-		"resourceType": "azurerm_function_app",
-		"resourceName": tf_lib.get_resource_name(function, name),
+	results := {
 		"searchKey": sprintf("azurerm_function_app[%s].client_cert_mode", [name]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": sprintf("'azurerm_function_app[%s].client_cert_mode' should be set to 'Required'", [name]),
@@ -42,4 +55,8 @@ CxPolicy[result] {
 		}),
 		"remediationType": "replacement",
 	}
-}
+} else = ""
+
+get_field("azurerm_function_app") = "client_cert_mode"
+get_field("azurerm_linux_function_app") = "client_certificate_mode"
+get_field("azurerm_windows_function_app") = "client_certificate_mode"
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/negative.tf b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/negative1.tf
similarity index 69%
rename from assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/negative.tf
rename to assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/negative1.tf
index 81f10bff571..101a1011111 100644
--- a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/negative.tf
+++ b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/negative1.tf
@@ -3,8 +3,6 @@ resource "azurerm_function_app" "negative" {
   location = azurerm_resource_group.example.location
   resource_group_name = azurerm_resource_group.example.name
   app_service_plan_id = azurerm_app_service_plan.example.id
-  storage_account_name = azurerm_storage_account.example.name
-  storage_account_access_key = azurerm_storage_account.example.primary_access_key
   client_cert_mode = "Required"
 }
diff --git a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/negative2.tf b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/negative2.tf new file mode 100644 index 00000000000..101a1011111 --- /dev/null +++ b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/negative2.tf @@ -0,0 +1,8 @@ +resource "azurerm_function_app" "negative" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + client_cert_mode = "Required" +} diff --git a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/negative3.tf b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/negative3.tf new file mode 100644 index 00000000000..101a1011111 --- /dev/null +++ b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/negative3.tf @@ -0,0 +1,8 @@ +resource "azurerm_function_app" "negative" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + client_cert_mode = "Required" +} diff --git a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive1.tf b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive1.tf index 5f029a2bffc..1035d6bfa94 100644 --- a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive1.tf +++ b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive1.tf 
@@ -1,8 +1,15 @@ -resource "azurerm_function_app" "positive1" { +resource "azurerm_function_app" "positive1-1" { name = "test-azure-functions" location = azurerm_resource_group.example.location resource_group_name = azurerm_resource_group.example.name app_service_plan_id = azurerm_app_service_plan.example.id - storage_account_name = azurerm_storage_account.example.name - storage_account_access_key = azurerm_storage_account.example.primary_access_key +} + +resource "azurerm_function_app" "positive1-2" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + client_cert_mode = "Optional" } diff --git a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive2.tf b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive2.tf index b0da28f47b9..1035d6bfa94 100644 --- a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive2.tf +++ b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive2.tf @@ -1,10 +1,15 @@ -resource "azurerm_function_app" "positive2" { +resource "azurerm_function_app" "positive1-1" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id +} + +resource "azurerm_function_app" "positive1-2" { name = "test-azure-functions" location = azurerm_resource_group.example.location resource_group_name = azurerm_resource_group.example.name app_service_plan_id = azurerm_app_service_plan.example.id - storage_account_name = azurerm_storage_account.example.name - storage_account_access_key = azurerm_storage_account.example.primary_access_key client_cert_mode = "Optional" } 
diff --git a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive3.tf b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive3.tf new file mode 100644 index 00000000000..1035d6bfa94 --- /dev/null +++ b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive3.tf @@ -0,0 +1,15 @@ +resource "azurerm_function_app" "positive1-1" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id +} + +resource "azurerm_function_app" "positive1-2" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + client_cert_mode = "Optional" +} From 5272fa99aeb7df6bc8e4d82a8ab5222dfdde7d17 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Mon, 29 Sep 2025 16:31:04 +0100 Subject: [PATCH 10/14] resource support for function_app_client_certificates_unrequired 2 --- .../query.rego | 22 ++++++++-------- .../test/negative1.tf | 2 +- .../test/negative2.tf | 6 ++--- .../test/negative3.tf | 6 ++--- .../test/positive2.tf | 10 +++---- .../test/positive3.tf | 10 +++---- .../test/positive_expected_result.json | 26 ++++++++++++++++++- 7 files changed, 53 insertions(+), 29 deletions(-) diff --git a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/query.rego b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/query.rego index 9a9e67b0e96..76f3edbce98 100644 --- a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/query.rego +++ b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/query.rego 
@@ -6,7 +6,7 @@ import data.generic.terraform as tf_lib
 types := {"azurerm_function_app", "azurerm_linux_function_app", "azurerm_windows_function_app"}
 
 CxPolicy[result] {
-	function := input.document[i].resource.azurerm_function_app[name]
+	function := input.document[i].resource[types[t]][name]
 	results := client_certificate_not_required(function,name,types[t])
 	results != ""
 
@@ -32,10 +32,10 @@ client_certificate_not_required(function,name,type) = results {
 	results := {
 		"searchKey": sprintf("%s[%s]", [type, name]),
 		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("'%s[%s].client_cert_mode' should be defined and not null", [type, name]),
-		"keyActualValue": sprintf("'%s[%s].client_cert_mode' is undefined or null", [type, name]),
-		"searchLine": common_lib.build_search_line(["resource", "azurerm_function_app", name], []),
-		"remediation": "client_cert_mode = \"Required\"",
+		"keyExpectedValue": sprintf("'%s[%s].%s' should be defined and not null", [type, name, field_name]),
+		"keyActualValue": sprintf("'%s[%s].%s' is undefined or null", [type, name, field_name]),
+		"searchLine": common_lib.build_search_line(["resource", type, name], []),
+		"remediation": sprintf("%s = \"Required\"",[field_name]),
 		"remediationType": "addition",
 	}
 
@@ -44,19 +44,19 @@ client_certificate_not_required(function,name,type) = results {
 	function[field_name] != "Required"
 
 	results := {
-		"searchKey": sprintf("azurerm_function_app[%s].client_cert_mode", [name]),
+		"searchKey": sprintf("%s[%s].%s", [type, name, field_name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("'azurerm_function_app[%s].client_cert_mode' should be set to 'Required'", [name]),
-		"keyActualValue": sprintf("'azurerm_function_app[%s].client_cert_mode' is not set to 'Required'", [name]),
-		"searchLine": common_lib.build_search_line(["resource", "azurerm_function_app", name, "client_cert_mode"], []),
+		"keyExpectedValue": sprintf("'%s[%s].%s' should be set to 'Required'", [type, name, field_name]),
+		"keyActualValue": sprintf("'%s[%s].%s' is not set to 'Required'", [type, name, field_name]),
+		"searchLine": common_lib.build_search_line(["resource", type, name, field_name], []),
 		"remediation": json.marshal({
-			"before": sprintf("%s", [function.client_cert_mode]),
+			"before": sprintf("%s", [function[field_name]]),
 			"after": "Required"
 		}),
 		"remediationType": "replacement",
 	}
 } else = ""
 
-get_field("azurerm_function_app") = "client_cert_mode" 
+get_field("azurerm_function_app") = "client_cert_mode"
 get_field("azurerm_linux_function_app") = "client_certificate_mode"
 get_field("azurerm_windows_function_app") = "client_certificate_mode"
\ No newline at end of file
diff --git a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/negative1.tf b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/negative1.tf
index 101a1011111..ca80bae57bf 100644
--- a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/negative1.tf
+++ b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/negative1.tf
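Review bot: `function[field_name] != "Required"` in the `@@ -44` hunk treats a resource as compliant as soon as the mode string is `Required`, but on `azurerm_linux_function_app` and `azurerm_windows_function_app` the provider only enforces that mode when the separate `client_certificate_enabled` flag is true, so a resource with `client_certificate_mode = "Required"` and that flag unset or false passes the query while still accepting requests without a client certificate; this comes from the provider schema rather than from the hunk, so confirm it before adding a branch that also checks the flag for the two newer types. The `get_field("azurerm_function_app")` change touches only trailing whitespace and the file still ends with `\ No newline at end of file`; a final newline after the last `get_field` definition would stop this line from churning again. `field_name` is bound outside the visible hunks, and the rest of `client_certificate_not_required` starts before the `@@ -44` hunk.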
@@ -1,4 +1,4 @@ -resource "azurerm_function_app" "negative" { +resource "azurerm_function_app" "negative1" { name = "test-azure-functions" location = azurerm_resource_group.example.location resource_group_name = azurerm_resource_group.example.name diff --git a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/negative2.tf b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/negative2.tf index 101a1011111..be0346244c3 100644 --- a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/negative2.tf +++ b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/negative2.tf @@ -1,8 +1,8 @@ -resource "azurerm_function_app" "negative" { +resource "azurerm_linux_function_app" "negative2" { name = "test-azure-functions" location = azurerm_resource_group.example.location resource_group_name = azurerm_resource_group.example.name - app_service_plan_id = azurerm_app_service_plan.example.id + service_plan_id = azurerm_app_service_plan.example.id - client_cert_mode = "Required" + client_certificate_mode = "Required" } diff --git a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/negative3.tf b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/negative3.tf index 101a1011111..f7bc387987f 100644 --- a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/negative3.tf +++ b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/negative3.tf 
@@ -1,8 +1,8 @@ -resource "azurerm_function_app" "negative" { +resource "azurerm_windows_function_app" "negative3" { name = "test-azure-functions" location = azurerm_resource_group.example.location resource_group_name = azurerm_resource_group.example.name - app_service_plan_id = azurerm_app_service_plan.example.id + service_plan_id = azurerm_app_service_plan.example.id - client_cert_mode = "Required" + client_certificate_mode = "Required" } diff --git a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive2.tf b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive2.tf index 1035d6bfa94..74cef030322 100644 --- a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive2.tf +++ b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive2.tf @@ -1,15 +1,15 @@ -resource "azurerm_function_app" "positive1-1" { +resource "azurerm_linux_function_app" "positive2-1" { name = "test-azure-functions" location = azurerm_resource_group.example.location resource_group_name = azurerm_resource_group.example.name - app_service_plan_id = azurerm_app_service_plan.example.id + service_plan_id = azurerm_app_service_plan.example.id } -resource "azurerm_function_app" "positive1-2" { +resource "azurerm_linux_function_app" "positive2-2" { name = "test-azure-functions" location = azurerm_resource_group.example.location resource_group_name = azurerm_resource_group.example.name - app_service_plan_id = azurerm_app_service_plan.example.id + service_plan_id = azurerm_app_service_plan.example.id - client_cert_mode = "Optional" + client_certificate_mode = "Optional" } diff --git a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive3.tf b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive3.tf index 1035d6bfa94..32c31101512 100644 
--- a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive3.tf +++ b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive3.tf @@ -1,15 +1,15 @@ -resource "azurerm_function_app" "positive1-1" { +resource "azurerm_windows_function_app" "positive3-1" { name = "test-azure-functions" location = azurerm_resource_group.example.location resource_group_name = azurerm_resource_group.example.name - app_service_plan_id = azurerm_app_service_plan.example.id + service_plan_id = azurerm_app_service_plan.example.id } -resource "azurerm_function_app" "positive1-2" { +resource "azurerm_windows_function_app" "positive3-2" { name = "test-azure-functions" location = azurerm_resource_group.example.location resource_group_name = azurerm_resource_group.example.name - app_service_plan_id = azurerm_app_service_plan.example.id + service_plan_id = azurerm_app_service_plan.example.id - client_cert_mode = "Optional" + client_certificate_mode = "Optional" } diff --git a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive_expected_result.json index 35c837eb1d3..08a4877d02b 100644 --- a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive_expected_result.json 
@@ -8,7 +8,31 @@ { "queryName": "Function App Client Certificates Unrequired", "severity": "MEDIUM", - "line": 9, + "line": 14, + "fileName": "positive1.tf" + }, + { + "queryName": "Function App Client Certificates Unrequired", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive2.tf" + }, + { + "queryName": "Function App Client Certificates Unrequired", + "severity": "MEDIUM", + "line": 14, "fileName": "positive2.tf" + }, + { + "queryName": "Function App Client Certificates Unrequired", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive3.tf" + }, + { + "queryName": "Function App Client Certificates Unrequired", + "severity": "MEDIUM", + "line": 14, + "fileName": "positive3.tf" } ] From 41f2931d22c9f58c066be451ef8d48fef6f8431f Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Mon, 29 Sep 2025 17:05:37 +0100 Subject: [PATCH 11/14] added support for new resources to function_app_authentication_disabled --- .../query.rego | 109 +++++++++++++----- .../test/negative.tf | 12 -- .../test/negative1.tf | 11 ++ .../test/negative2.tf | 37 ++++++ .../test/negative3.tf | 37 ++++++ .../test/positive1.tf | 31 ++++- .../test/positive2.tf | 77 +++++++++++-- .../test/positive3.tf | 71 ++++++++++++ .../test/positive_expected_result.json | 74 +++++++++++- 9 files changed, 402 insertions(+), 57 deletions(-) delete mode 100644 assets/queries/terraform/azure/function_app_authentication_disabled/test/negative.tf create mode 100644 assets/queries/terraform/azure/function_app_authentication_disabled/test/negative1.tf create mode 100644 assets/queries/terraform/azure/function_app_authentication_disabled/test/negative2.tf create mode 100644 assets/queries/terraform/azure/function_app_authentication_disabled/test/negative3.tf create mode 100644 assets/queries/terraform/azure/function_app_authentication_disabled/test/positive3.tf 
diff --git a/assets/queries/terraform/azure/function_app_authentication_disabled/query.rego b/assets/queries/terraform/azure/function_app_authentication_disabled/query.rego index e25da9bfbb8..a14944237e3 100644 --- a/assets/queries/terraform/azure/function_app_authentication_disabled/query.rego +++ b/assets/queries/terraform/azure/function_app_authentication_disabled/query.rego 
@@ -3,43 +3,94 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
 
+types := {"azurerm_function_app", "azurerm_linux_function_app", "azurerm_windows_function_app"}
+
 CxPolicy[result] {
-	function := input.document[i].resource.azurerm_function_app[name]
+	doc := input.document[i]
+	resource := doc.resource[types[t]][name]
 
-	not common_lib.valid_key(function, "auth_settings")
+	res := prepare_issues(resource, types[t], name)
 
 	result := {
-		"documentId": input.document[i].id,
-		"resourceType": "azurerm_function_app",
-		"resourceName": tf_lib.get_resource_name(function, name),
-		"searchKey": sprintf("azurerm_function_app[%s]", [name]),
-		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("'azurerm_function_app[%s].auth_settings' should be defined and not null", [name]),
-		"keyActualValue": sprintf("'azurerm_function_app[%s].auth_settings' is undefined or null", [name]),
-		"searchLine": common_lib.build_search_line(["resource", "azurerm_function_app", name], []),
-		"remediation": "\nauth_settings {\n\t\tenabled = true\n\t}\n",
-		"remediationType": "addition",
+		"documentId": doc.id,
+		"resourceType": types[t],
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": res["sk"],
+		"searchLine": res["sl"],
+		"issueType": res["it"],
+		"keyExpectedValue": res["kev"],
+		"keyActualValue": res["kav"],
+		"remediation": res["rem"],
+		"remediationType": res["rt"],
 	}
 }
 
-CxPolicy[result] {
-	function := input.document[i].resource.azurerm_function_app[name]
-
-	function.auth_settings.enabled != true
-
-	result := {
-		"documentId": input.document[i].id,
-		"resourceType": "azurerm_function_app",
-		"resourceName": tf_lib.get_resource_name(function, name),
-		"searchKey": sprintf("azurerm_function_app[%s].auth_settings.enabled", [name]),
-		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("'azurerm_function_app[%s].auth_settings.enabled' should be set to true", [name]),
-		"keyActualValue": sprintf("'azurerm_function_app[%s].auth_settings.enabled' is not set to true", [name]),
-		"searchLine": common_lib.build_search_line(["resource", "azurerm_function_app", name, "auth_settings", "enabled"], []),
-		"remediation": json.marshal({
+prepare_issues(resource, type, name) = res { # auth_settings not defined for azurerm_function_app (legacy)
+	not common_lib.valid_key(resource, "auth_settings")
+	type == "azurerm_function_app"
+	res := {
+		"sk": sprintf("%s[%s]", [type, name]),
+		"sl": common_lib.build_search_line(["resource", type, name], []),
+		"it": "MissingAttribute",
+		"kev": sprintf("'%s[%s].auth_settings' should be defined", [type, name]),
+		"kav": sprintf("'%s[%s].auth_settings' is not defined", [type, name]),
+		"rem": "auth_settings {\n\t\tenabled = true\n\t}",
+		"rt": "addition",
+	}
+} else = res{ # auth_settings and auth_settings_v2 not defined
+	not common_lib.valid_key(resource, "auth_settings")
+	not common_lib.valid_key(resource, "auth_settings_v2")
+	res := {
+		"sk": sprintf("%s[%s]", [type, name]),
+		"sl": common_lib.build_search_line(["resource", type, name], []),
+		"it": "MissingAttribute",
+		"kev": sprintf("'%s[%s].auth_settings' or '%s[%s].auth_settings_v2' should be defined", [type, name, type, name]),
+		"kav": sprintf("'%s[%s].auth_settings' and '%s[%s].auth_settings_v2' are not defined", [type, name, type, name]),
+		"rem": "auth_settings {\n\t\tenabled = true\n\t}",
+		"rt": "addition",
+	}
+} else = res { # auth_settings field defined and auth_settings.enabled defined to false
+	not common_lib.valid_key(resource, "auth_settings_v2")
+	common_lib.valid_key(resource, "auth_settings")
+	resource.auth_settings.enabled == false
+	res := {
+		"sk": sprintf("'%s[%s].auth_settings.enabled'", [type, name]),
+		"sl": common_lib.build_search_line(["resource", type, name, "auth_settings", "enabled"], []),
+		"it": "IncorrectValue",
+		"kev": sprintf("'%s[%s].auth_settings.enabled' should be defined to 'true'", [type, name]),
+		"kav": sprintf("'%s[%s].auth_settings.enabled' is defined to 'false'", [type, name]),
+		"rem": json.marshal({
 			"before": "false",
 			"after": "true"
 		}),
-		"remediationType": "replacement",
+		"rt": "replacement",
 	}
-}
+} else = res { # auth_settings_v2 field defined with the field auth_enabled defined to false
+	common_lib.valid_key(resource, "auth_settings_v2")
+	common_lib.valid_key(resource.auth_settings_v2, "auth_enabled")
+	resource.auth_settings_v2.auth_enabled == false
+	res := {
+		"sk": sprintf("%s[%s].auth_settings_v2.auth_enabled", [type, name]),
+		"sl": common_lib.build_search_line(["resource", type, name, "auth_settings_v2", "auth_enabled"], []),
+		"it": "IncorrectValue",
+		"kev": sprintf("'%s[%s].auth_settings_v2.auth_enabled' should be defined to 'true'", [type, name]),
+		"kav": sprintf("'%s[%s].auth_settings_v2.auth_enabled' is defined to 'false'", [type, name]),
+		"rem": json.marshal({
+			"before": "false",
+			"after": "true"
+		}),
+		"rt": "replacement",
+	}
+} else = res { # auth_settings_v2 field defined but without the field auth_enabled defined
+	common_lib.valid_key(resource, "auth_settings_v2")
+	not common_lib.valid_key(resource.auth_settings_v2, "auth_enabled")
+	res := {
+		"sk": sprintf("%s[%s].auth_settings_v2", [type, name]),
+		"sl": common_lib.build_search_line(["resource", type, name, "auth_settings_v2"], []),
+		"it": "MissingAttribute",
+		"kev": sprintf("'%s[%s].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", [type, name]),
+		"kav": sprintf("'%s[%s].auth_settings_v2.auth_enabled' is not defined", [type, name]),
+		"rem": "auth_enabled = true",
+		"rt": "addition",
+	}
+}
diff --git a/assets/queries/terraform/azure/function_app_authentication_disabled/test/negative.tf b/assets/queries/terraform/azure/function_app_authentication_disabled/test/negative.tf
deleted file mode 100644
index 7cee0e2ed53..00000000000
--- a/assets/queries/terraform/azure/function_app_authentication_disabled/test/negative.tf
+++ /dev/null
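Review bot: The third `prepare_issues` branch wraps its search key in single quotes, `"sk": sprintf("'%s[%s].auth_settings.enabled'", [type, name])`, while every other branch and the old rule emit the bare `type[name].path` form; the engine uses `searchKey` to place the finding in the file, so this branch should read `"sk": sprintf("%s[%s].auth_settings.enabled", [type, name])` to match its own `sl` and the sibling branches. `} else = res{` on the second branch is missing the space before the brace that the other branches have. Branch 3 is guarded by `not common_lib.valid_key(resource, "auth_settings_v2")`, so a resource carrying both `auth_settings { enabled = false }` and `auth_settings_v2 { auth_enabled = true }` is reported as compliant; that is consistent with the negative2/negative3 fixtures but is an easy thing to misread later, so the branch deserves a comment such as `# auth_settings_v2 takes precedence when both blocks exist; only inspect auth_settings.enabled when v2 is absent`. The original `auth_settings.enabled != true` test also caught a non-boolean or missing `enabled`, whereas `== false` here does not; if that narrowing is intended it is worth a sentence in the same comment.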
@@ -1,12 +0,0 @@ -resource "azurerm_function_app" "negative" { - name = "test-azure-functions" - location = azurerm_resource_group.example.location - resource_group_name = azurerm_resource_group.example.name - app_service_plan_id = azurerm_app_service_plan.example.id - storage_account_name = azurerm_storage_account.example.name - storage_account_access_key = azurerm_storage_account.example.primary_access_key - - auth_settings { - enabled = true - } -} diff --git a/assets/queries/terraform/azure/function_app_authentication_disabled/test/negative1.tf b/assets/queries/terraform/azure/function_app_authentication_disabled/test/negative1.tf new file mode 100644 index 00000000000..59f276bbd0e --- /dev/null +++ b/assets/queries/terraform/azure/function_app_authentication_disabled/test/negative1.tf @@ -0,0 +1,11 @@ +resource "azurerm_function_app" "negative1" { + name = "example-app-service" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + auth_settings { + enabled = true + } +} + diff --git a/assets/queries/terraform/azure/function_app_authentication_disabled/test/negative2.tf b/assets/queries/terraform/azure/function_app_authentication_disabled/test/negative2.tf new file mode 100644 index 00000000000..8889192f813 --- /dev/null +++ b/assets/queries/terraform/azure/function_app_authentication_disabled/test/negative2.tf 
@@ -0,0 +1,37 @@ +resource "azurerm_linux_function_app" "negative2" { + name = "example-app-service" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_service_plan.example.location + service_plan_id = azurerm_service_plan.example.id + auth_settings { + enabled = true + } + site_config {} +} + +resource "azurerm_linux_function_app" "negative3" { + name = "example-app-service" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_service_plan.example.location + service_plan_id = azurerm_service_plan.example.id + auth_settings_v2 { + login {} + auth_enabled = true + } + site_config {} +} + +resource "azurerm_linux_function_app" "negative7" { + name = "example-app-service" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_service_plan.example.location + service_plan_id = azurerm_service_plan.example.id + auth_settings { + enabled = false + } + auth_settings_v2 { + login {} + auth_enabled = true + } + site_config {} +} \ No newline at end of file diff --git a/assets/queries/terraform/azure/function_app_authentication_disabled/test/negative3.tf b/assets/queries/terraform/azure/function_app_authentication_disabled/test/negative3.tf new file mode 100644 index 00000000000..2b395b277a1 --- /dev/null +++ b/assets/queries/terraform/azure/function_app_authentication_disabled/test/negative3.tf 
@@ -0,0 +1,37 @@ +resource "azurerm_windows_function_app" "negative4" { + name = "example-app-service" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_service_plan.example.location + service_plan_id = azurerm_service_plan.example.id + auth_settings { + enabled = true + } + site_config {} +} + +resource "azurerm_windows_function_app" "negative5" { + name = "example-app-service" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_service_plan.example.location + service_plan_id = azurerm_service_plan.example.id + auth_settings_v2 { + login {} + auth_enabled = true + } + site_config {} +} + +resource "azurerm_windows_function_app" "negative6" { + name = "example-app-service" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_service_plan.example.location + service_plan_id = azurerm_service_plan.example.id + auth_settings { + enabled = false + } + auth_settings_v2 { + login {} + auth_enabled = true + } + site_config {} +} \ No newline at end of file diff --git a/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive1.tf b/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive1.tf index 5f029a2bffc..abe4a3cebab 100644 --- a/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive1.tf +++ b/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive1.tf 
@@ -1,8 +1,27 @@ resource "azurerm_function_app" "positive1" { - name = "test-azure-functions" - location = azurerm_resource_group.example.location - resource_group_name = azurerm_resource_group.example.name - app_service_plan_id = azurerm_app_service_plan.example.id - storage_account_name = azurerm_storage_account.example.name - storage_account_access_key = azurerm_storage_account.example.primary_access_key + name = "example-app-service" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + } +} + +resource "azurerm_function_app" "positive2" { + name = "example-app-service" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + } + + auth_settings { + enabled = false + } } diff --git a/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive2.tf b/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive2.tf index 38a1e34828b..5fb1e4ce0b4 100644 --- a/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive2.tf +++ b/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive2.tf 
@@ -1,12 +1,71 @@ -resource "azurerm_function_app" "positive2" { - name = "test-azure-functions" - location = azurerm_resource_group.example.location - resource_group_name = azurerm_resource_group.example.name - app_service_plan_id = azurerm_app_service_plan.example.id - storage_account_name = azurerm_storage_account.example.name - storage_account_access_key = azurerm_storage_account.example.primary_access_key - - auth_settings { +resource "azurerm_linux_function_app" "positive3" { + name = "example-app-service" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_service_plan.example.location + service_plan_id = azurerm_service_plan.example.id + + site_config {} +} + +resource "azurerm_linux_function_app" "positive4" { + name = "example-app-service" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_service_plan.example.location + service_plan_id = azurerm_service_plan.example.id + auth_settings { enabled = false } + site_config {} +} + +resource "azurerm_linux_function_app" "positive5" { + name = "example-app-service" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_service_plan.example.location + service_plan_id = azurerm_service_plan.example.id + auth_settings_v2 { + login {} + } + site_config {} +} + +resource "azurerm_linux_function_app" "positive6" { + name = "example-app-service" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_service_plan.example.location + service_plan_id = azurerm_service_plan.example.id + auth_settings_v2 { + login {} + auth_enabled = false + } + site_config {} +} + +resource "azurerm_linux_function_app" "positive13" { + name = "example-app-service" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_service_plan.example.location + service_plan_id = azurerm_service_plan.example.id + auth_settings { + enabled = true + } + auth_settings_v2 { + login {} + } + site_config {} } + +resource 
"azurerm_linux_function_app" "positive14" { + name = "example-app-service" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_service_plan.example.location + service_plan_id = azurerm_service_plan.example.id + auth_settings { + enabled = true + } + auth_settings_v2 { + login {} + auth_enabled = false + } + site_config {} +} \ No newline at end of file diff --git a/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive3.tf b/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive3.tf new file mode 100644 index 00000000000..6ea6fa8fc06 --- /dev/null +++ b/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive3.tf 
@@ -0,0 +1,71 @@ +resource "azurerm_windows_function_app" "positive7" { + name = "example-app-service" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_service_plan.example.location + service_plan_id = azurerm_service_plan.example.id + + site_config {} +} + +resource "azurerm_windows_function_app" "positive8" { + name = "example-app-service" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_service_plan.example.location + service_plan_id = azurerm_service_plan.example.id + auth_settings { + enabled = false + } + site_config {} +} + +resource "azurerm_windows_function_app" "positive9" { + name = "example-app-service" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_service_plan.example.location + service_plan_id = azurerm_service_plan.example.id + auth_settings_v2 { + login {} + } + site_config {} +} + +resource "azurerm_windows_function_app" "positive10" { + name = "example-app-service" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_service_plan.example.location + service_plan_id = azurerm_service_plan.example.id + auth_settings_v2 { + login {} + auth_enabled = false + } + site_config {} +} + +resource "azurerm_windows_function_app" "positive11" { + name = "example-app-service" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_service_plan.example.location + service_plan_id = azurerm_service_plan.example.id + auth_settings { + enabled = true + } + auth_settings_v2 { + login {} + } + site_config {} +} + +resource "azurerm_windows_function_app" "positive12" { + name = "example-app-service" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_service_plan.example.location + service_plan_id = azurerm_service_plan.example.id + auth_settings { + enabled = true + } + auth_settings_v2 { + login {} + auth_enabled = false + } + site_config {} +} \ No newline at end of file 
diff --git a/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive_expected_result.json index 12684fc8c4e..fa06e87e1af 100644 --- a/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive_expected_result.json 
@@ -8,7 +8,79 @@ { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", - "line": 10, + "line": 25, + "fileName": "positive1.tf" + }, + { + "queryName": "Function App Authentication Disabled", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive2.tf" + }, + { + "queryName": "Function App Authentication Disabled", + "severity": "MEDIUM", + "line": 16, + "fileName": "positive2.tf" + }, + { + "queryName": "Function App Authentication Disabled", + "severity": "MEDIUM", + "line": 26, + "fileName": "positive2.tf" + }, + { + "queryName": "Function App Authentication Disabled", + "severity": "MEDIUM", + "line": 39, + "fileName": "positive2.tf" + }, + { + "queryName": "Function App Authentication Disabled", + "severity": "MEDIUM", + "line": 52, + "fileName": "positive2.tf" + }, + { + "queryName": "Function App Authentication Disabled", + "severity": "MEDIUM", + "line": 68, "fileName": "positive2.tf" + }, + { + "queryName": "Function App Authentication Disabled", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive3.tf" + }, + { + "queryName": "Function App Authentication Disabled", + "severity": "MEDIUM", + "line": 16, + "fileName": "positive3.tf" + }, + { + "queryName": "Function App Authentication Disabled", + "severity": "MEDIUM", + "line": 26, + "fileName": "positive3.tf" + }, + { + "queryName": "Function App Authentication Disabled", + "severity": "MEDIUM", + "line": 39, + "fileName": "positive3.tf" + }, + { + "queryName": "Function App Authentication Disabled", + "severity": "MEDIUM", + "line": 52, + "fileName": "positive3.tf" + }, + { + "queryName": "Function App Authentication Disabled", + "severity": "MEDIUM", + "line": 68, + "fileName": "positive3.tf" } ] \ No newline at end of file From 81f829b0ccc1e17696dcc0cdd890e2b19c7986c4 Mon Sep 17 00:00:00 2001 
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Mon, 29 Sep 2025 17:14:56 +0100 Subject: [PATCH 12/14] test improvement --- .../test/negative2.tf | 6 +++--- .../test/negative3.tf | 6 +++--- .../test/positive1.tf | 4 ++-- .../test/positive2.tf | 12 ++++++------ .../test/positive3.tf | 12 ++++++------ 5 files changed, 20 insertions(+), 20 deletions(-) diff --git a/assets/queries/terraform/azure/function_app_authentication_disabled/test/negative2.tf b/assets/queries/terraform/azure/function_app_authentication_disabled/test/negative2.tf index 8889192f813..87b22a8f739 100644 --- a/assets/queries/terraform/azure/function_app_authentication_disabled/test/negative2.tf +++ b/assets/queries/terraform/azure/function_app_authentication_disabled/test/negative2.tf @@ -1,4 +1,4 @@ -resource "azurerm_linux_function_app" "negative2" { +resource "azurerm_linux_function_app" "negative2-1" { name = "example-app-service" resource_group_name = azurerm_resource_group.example.name location = azurerm_service_plan.example.location @@ -9,7 +9,7 @@ resource "azurerm_linux_function_app" "negative2" { site_config {} } -resource "azurerm_linux_function_app" "negative3" { +resource "azurerm_linux_function_app" "negative2-2" { name = "example-app-service" resource_group_name = azurerm_resource_group.example.name location = azurerm_service_plan.example.location @@ -21,7 +21,7 @@ resource "azurerm_linux_function_app" "negative3" { site_config {} } -resource "azurerm_linux_function_app" "negative7" { +resource "azurerm_linux_function_app" "negative2-3" { name = "example-app-service" resource_group_name = azurerm_resource_group.example.name location = azurerm_service_plan.example.location diff --git a/assets/queries/terraform/azure/function_app_authentication_disabled/test/negative3.tf b/assets/queries/terraform/azure/function_app_authentication_disabled/test/negative3.tf index 2b395b277a1..36126b2157b 100644 
--- a/assets/queries/terraform/azure/function_app_authentication_disabled/test/negative3.tf +++ b/assets/queries/terraform/azure/function_app_authentication_disabled/test/negative3.tf @@ -1,4 +1,4 @@ -resource "azurerm_windows_function_app" "negative4" { +resource "azurerm_windows_function_app" "negative3-1" { name = "example-app-service" resource_group_name = azurerm_resource_group.example.name location = azurerm_service_plan.example.location @@ -9,7 +9,7 @@ resource "azurerm_windows_function_app" "negative4" { site_config {} } -resource "azurerm_windows_function_app" "negative5" { +resource "azurerm_windows_function_app" "negative3-2" { name = "example-app-service" resource_group_name = azurerm_resource_group.example.name location = azurerm_service_plan.example.location @@ -21,7 +21,7 @@ resource "azurerm_windows_function_app" "negative5" { site_config {} } -resource "azurerm_windows_function_app" "negative6" { +resource "azurerm_windows_function_app" "negative3-3" { name = "example-app-service" resource_group_name = azurerm_resource_group.example.name location = azurerm_service_plan.example.location diff --git a/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive1.tf b/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive1.tf index abe4a3cebab..2f8c23b992e 100644 --- a/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive1.tf +++ b/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive1.tf @@ -1,4 +1,4 @@ -resource "azurerm_function_app" "positive1" { +resource "azurerm_function_app" "positive1-1" { name = "example-app-service" location = azurerm_resource_group.example.location resource_group_name = azurerm_resource_group.example.name 
@@ -10,7 +10,7 @@ resource "azurerm_function_app" "positive1" {
 }
 }
-resource "azurerm_function_app" "positive2" {
+resource "azurerm_function_app" "positive1-2" {
 name = "example-app-service"
 location = azurerm_resource_group.example.location
 resource_group_name = azurerm_resource_group.example.name
diff --git a/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive2.tf b/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive2.tf
index 5fb1e4ce0b4..20b32945a50 100644
--- a/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive2.tf
+++ b/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive2.tf
@@ -1,4 +1,4 @@
-resource "azurerm_linux_function_app" "positive3" {
+resource "azurerm_linux_function_app" "positive2-1" {
 name = "example-app-service"
 resource_group_name = azurerm_resource_group.example.name
 location = azurerm_service_plan.example.location
@@ -7,7 +7,7 @@ resource "azurerm_linux_function_app" "positive3" {
 site_config {}
 }
-resource "azurerm_linux_function_app" "positive4" {
+resource "azurerm_linux_function_app" "positive2-2" {
 name = "example-app-service"
 resource_group_name = azurerm_resource_group.example.name
 location = azurerm_service_plan.example.location
@@ -18,7 +18,7 @@ resource "azurerm_linux_function_app" "positive4" {
 site_config {}
 }
-resource "azurerm_linux_function_app" "positive5" {
+resource "azurerm_linux_function_app" "positive2-3" {
 name = "example-app-service"
 resource_group_name = azurerm_resource_group.example.name
 location = azurerm_service_plan.example.location
@@ -29,7 +29,7 @@ resource "azurerm_linux_function_app" "positive5" {
 site_config {}
 }
-resource "azurerm_linux_function_app" "positive6" {
+resource "azurerm_linux_function_app" "positive2-4" {
 name = "example-app-service"
 resource_group_name = azurerm_resource_group.example.name
 location = azurerm_service_plan.example.location
@@ -41,7 +41,7 @@ resource "azurerm_linux_function_app" "positive6" {
 site_config {}
 }
-resource "azurerm_linux_function_app" "positive13" {
+resource "azurerm_linux_function_app" "positive2-5" {
 name = "example-app-service"
 resource_group_name = azurerm_resource_group.example.name
 location = azurerm_service_plan.example.location
@@ -55,7 +55,7 @@ resource "azurerm_linux_function_app" "positive13" {
 site_config {}
 }
-resource "azurerm_linux_function_app" "positive14" {
+resource "azurerm_linux_function_app" "positive2-6" {
 name = "example-app-service"
 resource_group_name = azurerm_resource_group.example.name
 location = azurerm_service_plan.example.location
diff --git a/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive3.tf b/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive3.tf
index 6ea6fa8fc06..6e839538ac8 100644
--- a/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive3.tf
+++ b/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive3.tf
@@ -1,4 +1,4 @@
-resource "azurerm_windows_function_app" "positive7" {
+resource "azurerm_windows_function_app" "positive3-1" {
 name = "example-app-service"
 resource_group_name = azurerm_resource_group.example.name
 location = azurerm_service_plan.example.location
@@ -7,7 +7,7 @@ resource "azurerm_windows_function_app" "positive7" {
 site_config {}
 }
-resource "azurerm_windows_function_app" "positive8" {
+resource "azurerm_windows_function_app" "positive3-2" {
 name = "example-app-service"
 resource_group_name = azurerm_resource_group.example.name
 location = azurerm_service_plan.example.location
@@ -18,7 +18,7 @@ resource "azurerm_windows_function_app" "positive8" {
 site_config {}
 }
-resource "azurerm_windows_function_app" "positive9" {
+resource "azurerm_windows_function_app" "positive3-3" {
 name = "example-app-service"
 resource_group_name = azurerm_resource_group.example.name
 location = azurerm_service_plan.example.location
@@ -29,7 +29,7 @@ resource "azurerm_windows_function_app" "positive9" {
 site_config {}
 }
-resource "azurerm_windows_function_app" "positive10" {
+resource "azurerm_windows_function_app" "positive3-4" {
 name = "example-app-service"
 resource_group_name = azurerm_resource_group.example.name
 location = azurerm_service_plan.example.location
@@ -41,7 +41,7 @@ resource "azurerm_windows_function_app" "positive10" {
 site_config {}
 }
-resource "azurerm_windows_function_app" "positive11" {
+resource "azurerm_windows_function_app" "positive3-5" {
 name = "example-app-service"
 resource_group_name = azurerm_resource_group.example.name
 location = azurerm_service_plan.example.location
@@ -55,7 +55,7 @@ resource "azurerm_windows_function_app" "positive11" {
 site_config {}
 }
-resource "azurerm_windows_function_app" "positive12" {
+resource "azurerm_windows_function_app" "positive3-6" {
 name = "example-app-service"
 resource_group_name = azurerm_resource_group.example.name
 location = azurerm_service_plan.example.location
From 21cde84c7f4dbb650022fab2ef8cb242cfc7cc12 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Tue, 30 Sep 2025 10:42:37 +0100
Subject: [PATCH 13/14] minor adjustments
---
 .../azure/function_app_ftps_enforce_disabled/query.rego | 2 +-
 .../azure/function_app_http2_disabled/test/negative2.tf | 2 +-
 .../azure/function_app_http2_disabled/test/negative3.tf | 2 +-
 .../azure/function_app_http2_disabled/test/positive3.tf | 6 +++---
 .../azure/function_app_managed_identity_disabled/query.rego | 2 +-
 .../query.rego | 2 +-
 6 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego
index 2546fb58ccb..e928dd5a530 100644
--- a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego
+++ b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego
@@ -5,7 +5,7 @@ import data.generic.terraform as tf_lib
 types := {"azurerm_function_app", "azurerm_linux_function_app", "azurerm_windows_function_app"}
-CxPolicy[result] { # only for legacy "azurerm_function_app" because ftps_state defaults to "AllAllowed"
+CxPolicy[result] { # for legacy "azurerm_function_app" -- ftps_state defaults to "AllAllowed"
 function := input.document[i].resource.azurerm_function_app[name]
 results := get_path(function,name)
diff --git a/assets/queries/terraform/azure/function_app_http2_disabled/test/negative2.tf b/assets/queries/terraform/azure/function_app_http2_disabled/test/negative2.tf
index 500b283f5c4..198fdbae8bb 100644
--- a/assets/queries/terraform/azure/function_app_http2_disabled/test/negative2.tf
+++ b/assets/queries/terraform/azure/function_app_http2_disabled/test/negative2.tf
@@ -2,7 +2,7 @@ resource "azurerm_linux_function_app" "negative2" {
 name = "test-azure-functions"
 location = azurerm_resource_group.example.location
 resource_group_name = azurerm_resource_group.example.name
- service_plan_id = azurerm_app_service_plan.example.id
+ service_plan_id = azurerm_app_service_plan.example.id
 site_config {
 dotnet_framework_version = "v4.0"
diff --git a/assets/queries/terraform/azure/function_app_http2_disabled/test/negative3.tf b/assets/queries/terraform/azure/function_app_http2_disabled/test/negative3.tf
index 300fe9b4b14..57d7f107efe 100644
--- a/assets/queries/terraform/azure/function_app_http2_disabled/test/negative3.tf
+++ b/assets/queries/terraform/azure/function_app_http2_disabled/test/negative3.tf
@@ -2,7 +2,7 @@ resource "azurerm_windows_function_app" "negative3" {
 name = "test-azure-functions"
 location = azurerm_resource_group.example.location
 resource_group_name = azurerm_resource_group.example.name
- service_plan_id = azurerm_app_service_plan.example.id
+ service_plan_id = azurerm_app_service_plan.example.id
 site_config {
 dotnet_framework_version = "v4.0"
diff --git a/assets/queries/terraform/azure/function_app_http2_disabled/test/positive3.tf b/assets/queries/terraform/azure/function_app_http2_disabled/test/positive3.tf
index 07323dca955..93d1740cdf7 100644
--- a/assets/queries/terraform/azure/function_app_http2_disabled/test/positive3.tf
+++ b/assets/queries/terraform/azure/function_app_http2_disabled/test/positive3.tf
@@ -2,14 +2,14 @@ resource "azurerm_windows_function_app" "positive3-1" {
 name = "test-azure-functions"
 location = azurerm_resource_group.example.location
 resource_group_name = azurerm_resource_group.example.name
- app_service_plan_id = azurerm_app_service_plan.example.id
+ service_plan_id = azurerm_app_service_plan.example.id
 }
 resource "azurerm_windows_function_app" "positive3-2" {
 name = "test-azure-functions"
 location = azurerm_resource_group.example.location
 resource_group_name = azurerm_resource_group.example.name
- app_service_plan_id = azurerm_app_service_plan.example.id
+ service_plan_id = azurerm_app_service_plan.example.id
 site_config {
 dotnet_framework_version = "v4.0"
@@ -21,7 +21,7 @@ resource "azurerm_windows_function_app" "positive3-3" {
 name = "test-azure-functions"
 location = azurerm_resource_group.example.location
 resource_group_name = azurerm_resource_group.example.name
- app_service_plan_id = azurerm_app_service_plan.example.id
+ service_plan_id = azurerm_app_service_plan.example.id
 site_config {
 dotnet_framework_version = "v4.0"
diff --git a/assets/queries/terraform/azure/function_app_managed_identity_disabled/query.rego b/assets/queries/terraform/azure/function_app_managed_identity_disabled/query.rego
index 85b0cf7d783..085b21f1af7 100644
--- a/assets/queries/terraform/azure/function_app_managed_identity_disabled/query.rego
+++ b/assets/queries/terraform/azure/function_app_managed_identity_disabled/query.rego
@@ -3,7 +3,7 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
-types := {"azurerm_function_app","azurerm_linux_function_app", "azurerm_windows_function_app"}
+types := {"azurerm_function_app", "azurerm_linux_function_app", "azurerm_windows_function_app"}
 CxPolicy[result] {
 function := input.document[i].resource[types[t]][name]
diff --git a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/query.rego b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/query.rego
index 3c98e94547c..91496fd2025 100644
--- a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/query.rego
+++ b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/query.rego
@@ -3,7 +3,7 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
-CxPolicy[result] { #legacy support, 1.2 is the latest tls
+CxPolicy[result] { #legacy support, 1.2 is the "latest" tls
 app := input.document[i].resource.azurerm_function_app[name]
 to_number(app.site_config.min_tls_version) != 1.2
From d2037b07ed1df2acc8025b0add4998cd41f789e9 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Thu, 9 Oct 2025 12:32:51 +0100
Subject: [PATCH 14/14] removed unnecessary '' and 'none' values
---
 .../aws/iam_policy_allows_for_data_exfiltration/query.rego | 4 +---
 .../api_gateway_with_cloudwatch_logging_disabled/query.rego | 1 -
 .../terraform/aws/elb_v2_lb_access_log_disabled/query.rego | 1 -
 .../aws/iam_policy_allows_for_data_exfiltration/query.rego | 6 +-----
 .../terraform/aws/postgres_rds_logging_disabled/query.rego | 5 ++---
 .../query.rego | 3 +--
 .../query.rego | 3 +--
 .../function_app_client_certificates_unrequired/query.rego | 3 +--
 .../azure/function_app_ftps_enforce_disabled/query.rego | 3 +--
 .../query.rego | 3 +--
 .../web_app_accepting_traffic_other_than_https/query.rego | 1 -
 11 files changed, 9 insertions(+), 24 deletions(-)
diff --git a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/query.rego b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/query.rego
index 588bc79b6a0..ee51226065e 100644
--- a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/query.rego
+++ b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/query.rego
@@ -17,7 +17,6 @@ CxPolicy[result] {
 common_lib.is_allow_effect(statement)
 ilegal_action := is_ilegal(statement.Action)
- ilegal_action != "none"
 result := {
 "documentId": input.document[i].id,
@@ -42,7 +41,6 @@ CxPolicy[result] {
 common_lib.is_allow_effect(statement)
 ilegal_action := is_ilegal(statement.Action)
- ilegal_action != "none"
 result := {
 "documentId": input.document[i].id,
@@ -67,4 +65,4 @@ is_ilegal(Action) = Action {
 ]
 res := concat(", ", illegal_actions_list)
 res != ""
-} else = "none"
\ No newline at end of file
+}
\ No newline at end of file
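Review bot: The rewritten closing line of `is_ilegal` (`+}`) still carries `\ No newline at end of file`; since the commit touches that line anyway, it should add the terminating newline so the file matches its Terraform twin at `assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/query.rego`, whose `@@ -124,4 +120,4 @@` hunk ends cleanly. The two helpers are also spelled differently (`is_ilegal` here, `is_illegal` in the Terraform query) while implementing the same check; aligning the name would make the shared pattern easier to find. Dropping `ilegal_action != "none"` in the two `CxPolicy` hunks is correct only because the helper is now undefined when no illegal action is present, which makes the rule body fail; a fixture with an allow statement listing only permitted actions would pin that, and the diffstat does not show whether one exists. Note that `is_ilegal(Action) = Action` returns the whole action list rather than `res`, so `ilegal_action` still holds every action, not just the offending ones; whether the result message depends on that is outside the hunk.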
diff --git a/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/query.rego b/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/query.rego
index cf260520bfd..cd63c33ab81 100644
--- a/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/query.rego
+++ b/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/query.rego
@@ -26,7 +26,6 @@ get_results(resource,doc,name) = results {
 results := does_not_have_valid_stage_name(resource,doc,name)
 } else = results {
 r2 := does_not_have_valid_stage_name(resource,doc,name)
- r2 != ""
 results := does_not_have_valid_destination_arn(resource,doc,name)
 }
diff --git a/assets/queries/terraform/aws/elb_v2_lb_access_log_disabled/query.rego b/assets/queries/terraform/aws/elb_v2_lb_access_log_disabled/query.rego
index 63b50acec5a..01f86520b8b 100644
--- a/assets/queries/terraform/aws/elb_v2_lb_access_log_disabled/query.rego
+++ b/assets/queries/terraform/aws/elb_v2_lb_access_log_disabled/query.rego
@@ -5,7 +5,6 @@ import data.generic.terraform as tf_lib
 CxPolicy[result] {
 load_balancer := get_load_balancer(input.document[i].resource)
- load_balancer != ""
 resource := input.document[i].resource[load_balancer][name]
 not common_lib.valid_key(resource, "access_logs")
diff --git a/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/query.rego b/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/query.rego
index efc3109c24c..5845592d962 100644
--- a/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/query.rego
+++ b/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/query.rego
@@ -14,7 +14,6 @@ CxPolicy[result] { # resources
 statement := st[st_index]
 common_lib.is_allow_effect(statement)
 illegal_action := is_illegal(statement.Action)
- illegal_action != "none"
 result := {
 "documentId": input.document[i].id,
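Review bot: In the `else` branch of `get_results`, `r2 := does_not_have_valid_stage_name(resource,doc,name)` is now assigned and never read, which OPA rejects under `--strict` (`assigned var r2 unused`) and is dead code otherwise; either drop that line as well or keep a use of it. It also looks as though the branch can no longer fire: the first branch already binds `results` to the same call, so the `else` is only reached when that call is undefined, and then `r2 :=` is undefined too — unless lines above the hunk add further conditions to the first branch, `does_not_have_valid_destination_arn` becomes unreachable. The head of `get_results` is outside the hunk, so the lines before `results := does_not_have_valid_stage_name(...)` need checking.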
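Review bot: Removing `load_balancer != ""` from `CxPolicy` in `elb_v2_lb_access_log_disabled` is only a no-op if `get_load_balancer` no longer falls back to `""`; this file's diffstat shows a single deleted line, so any `else = ""` on that helper is still there. The rule will not fire in either case, because `input.document[i].resource[""]` on the next line is undefined, but a stale sentinel default with no remaining check is the pattern the rest of this patch removes, so it should go in the same commit or the guard should stay. `get_load_balancer` is outside the hunk.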
@@ -38,7 +37,6 @@ CxPolicy[result] { # modules
 statement := st[st_index]
 common_lib.is_allow_effect(statement)
 illegal_action := is_illegal(statement.Action)
- illegal_action != "none"
 result := {
 "documentId": input.document[i].id,
@@ -76,7 +74,6 @@ prepare_issue_data_source(statement, name, index, is_unique_element) = res {
 not is_unique_element
 common_lib.is_allow_effect(statement)
 illegal_action := is_illegal(statement.actions)
- illegal_action != "none"
 res := {
 "sk": sprintf("aws_iam_policy_document[%s].statement[%d].actions", [name, index]),
@@ -89,7 +86,6 @@ prepare_issue_data_source(statement, name, index, is_unique_element) = res {
 is_unique_element
 common_lib.is_allow_effect(statement)
 illegal_action := is_illegal(statement.actions)
- illegal_action != "none"
 res := {
 "sk": sprintf("aws_iam_policy_document[%s].statement.actions", [name]),
@@ -124,4 +120,4 @@ is_illegal(Action) = Action {
 ]
 res := concat(", ", illegal_actions_list)
 res != ""
-} else = "none"
+}
diff --git a/assets/queries/terraform/aws/postgres_rds_logging_disabled/query.rego b/assets/queries/terraform/aws/postgres_rds_logging_disabled/query.rego
index d506099dc45..9b2cf3c610f 100644
--- a/assets/queries/terraform/aws/postgres_rds_logging_disabled/query.rego
+++ b/assets/queries/terraform/aws/postgres_rds_logging_disabled/query.rego
@@ -8,7 +8,6 @@ CxPolicy[result] {
 resource := input.document[i].resource.aws_db_parameter_group[name]
 undefined_parameters_message = get_undefined_parameters(resource)
- undefined_parameters_message != "none"
 result := {
 "documentId": input.document[i].id,
@@ -70,7 +69,7 @@ get_undefined_parameters(resource) = "log_statement and log_min_duration_stateme
 not log_statement_defined(resource.parameter)
 } else = "log_min_duration_statement is" {
 not log_min_duration_statement_defined(resource.parameter)
-} else = "none"
+}
 log_statement_defined(parameters) {
 parameters[_].name == "log_statement"
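Review bot: The surviving line `undefined_parameters_message = get_undefined_parameters(resource)` in the postgres `CxPolicy` rule uses unification (`=`) where every other rule touched by this patch binds with `:=`; now that this line alone decides whether the rule fires, `undefined_parameters_message := get_undefined_parameters(resource)` states the intent (assign, and fail when the helper is undefined) explicitly and consistently. Behaviour is unchanged here because the variable is fresh at that point.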
@@ -92,7 +91,7 @@ get_wrong_values(parameters) = "both"{
 } else = "log_min_duration_statement has" {
 parameters[i2].name == "log_min_duration_statement"
 parameters[i2].value != "1"
-} else = "none"
+}
 get_extra_path(statement,parameters) = path {
diff --git a/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/query.rego b/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/query.rego
index f204791aaea..595e1e163bb 100644
--- a/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/query.rego
+++ b/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/query.rego
@@ -31,7 +31,6 @@ CxPolicy[result] { # 1.3 is the latest tls
 app := input.document[i].resource[types[t]][name]
 results := minimum_tls_undefined_or_not_latest(app,types[t],name)
- results != ""
 result := {
 "documentId": input.document[i].id,
@@ -87,4 +86,4 @@ minimum_tls_undefined_or_not_latest(app,type,name) = results {
 }),
 "remediationType" : "replacement",
 }
-} else = ""
+}
diff --git a/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/query.rego b/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/query.rego
index 6cf42b9283d..a2ec6874cbf 100644
--- a/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/query.rego
+++ b/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/query.rego
@@ -10,7 +10,6 @@ CxPolicy[result] {
 not resource.site_config.http2_enabled
 results := client_certificate_is_undefined_or_false(resource,name,types[t])
- results != ""
 result := {
 "documentId": input.document[i].id,
@@ -74,7 +73,7 @@ client_certificate_is_undefined_or_false(resource,name,type) = results { # case
 }),
 "remediationType": "replacement",
 }
-} else = ""
+}
 get_field("azurerm_app_service") = "client_cert_enabled"
 get_field("azurerm_linux_web_app") = "client_certificate_enabled"
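Review bot: `get_wrong_values` loses its `else = "none"` fallback, but this file's diffstat (`5 ++---`, three deletions and two insertions) is fully accounted for by this line, the `else` of `get_undefined_parameters` and the guard in the first `CxPolicy` rule, so any call site of `get_wrong_values` that still compares the result with `"none"` now holds a dead comparison, and a caller that expected a defined value in the all-good case becomes undefined at that point. The callers are outside the hunk; they should be confirmed to no longer depend on the `"none"` sentinel, or the fallback kept until they are updated.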
diff --git a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/query.rego b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/query.rego
index 76f3edbce98..87868a72bff 100644
--- a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/query.rego
+++ b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/query.rego
@@ -9,7 +9,6 @@ CxPolicy[result] {
 function := input.document[i].resource[types[t]][name]
 results := client_certificate_not_required(function,name,types[t])
- results != ""
 result := {
 "documentId": input.document[i].id,
@@ -55,7 +54,7 @@ client_certificate_not_required(function,name,type) = results {
 }),
 "remediationType": "replacement",
 }
-} else = ""
+}
 get_field("azurerm_function_app") = "client_cert_mode"
 get_field("azurerm_linux_function_app") = "client_certificate_mode"
diff --git a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego
index e928dd5a530..2110525522e 100644
--- a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego
+++ b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego
@@ -9,7 +9,6 @@ CxPolicy[result] { # for legacy "azurerm_function_app" -- ftps_state defaults to
 function := input.document[i].resource.azurerm_function_app[name]
 results := get_path(function,name)
- results != ""
 result := {
 "documentId": input.document[i].id,
@@ -41,7 +40,7 @@ get_path(function,name) = results {
 "remediation": "ftps_state = \"FtpsOnly\"",
 "remediationType": "addition",
 }
-} else = ""
+}
 CxPolicy[result] {
 function := input.document[i].resource[types[t]][name]
diff --git a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/query.rego b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/query.rego
index 91496fd2025..dbb72865c1c 100644
--- a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/query.rego
+++ b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/query.rego
@@ -30,7 +30,6 @@ CxPolicy[result] { # 1.3 is the latest tls
 app := input.document[i].resource[types[t]][name]
 results := minimum_tls_undefined_or_not_latest(app,types[t],name)
- results != ""
 result := {
 "documentId": input.document[i].id,
@@ -86,4 +85,4 @@ minimum_tls_undefined_or_not_latest(app,type,name) = results {
 }),
 "remediationType" : "replacement",
 }
-} else = ""
+}
diff --git a/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/query.rego b/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/query.rego
index b4b69b3bcdd..cbf3e723fe3 100644
--- a/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/query.rego
+++ b/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/query.rego
@@ -9,7 +9,6 @@ CxPolicy[result] {
 resource := input.document[i].resource[types[t]][name]
 results := https_undefined_or_false(resource,name,types[t])
- results != ""
 result := {
 "documentId": input.document[i].id,