feat(query): added "App Service FTPS Enforce Disabled" for Terraform (#…
rafaela-soares authored Nov 4, 2021
1 parent 89eed83 commit 25c995b
Showing 6 changed files with 73 additions and 0 deletions.
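--- a/<PATH-NOT-SHOWN-1>
+++ b/<PATH-NOT-SHOWN-1>
@@ -0,0 +1,11 @@
+{
+"id": "85da374f-b00f-4832-9d44-84a1ca1e89f8",
+"queryName": "App Service FTPS Enforce Disabled",
+"severity": "HIGH",
+"category": "Insecure Configurations",
+"descriptionText": "Azure App Service should only enforce FTPS when 'ftps_state' is enabled",
+"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#ftps_state",
+"platform": "Terraform",
+"descriptionID": "a1ada318",
+"cloudProvider": "azure"
+}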
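Review bot: The `descriptionText` on the line `"descriptionText": "Azure App Service should only enforce FTPS when 'ftps_state' is enabled"` does not describe what the query checks: the rule reports `ftps_state = "AllAllowed"` (plain FTP accepted alongside FTPS), and `ftps_state` is a three-valued string, not something that is "enabled". Since this text is what the user sees in the finding, a wording that names the remediation is more useful, e.g. `"descriptionText": "Azure App Service should enforce FTPS, i.e. 'ftps_state' should be set to 'FtpsOnly' or 'Disabled' rather than 'AllAllowed'"`. The `queryName` "FTPS Enforce Disabled" is fine as a short label, but the description should make the accepted values explicit so the finding is actionable without reading the Rego.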
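--- a/<PATH-NOT-SHOWN-2>
+++ b/<PATH-NOT-SHOWN-2>
@@ -0,0 +1,18 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+function := input.document[i].resource.azurerm_app_service[name]
+
+function.site_config.ftps_state == "AllAllowed"
+
+result := {
+"documentId": input.document[i].id,
+"searchKey": sprintf("azurerm_app_service[%s].site_config.ftps_state", [name]),
+"issueType": "IncorrectValue",
+"keyExpectedValue": sprintf("'azurerm_app_service[%s].site_config.ftps_state' is not set to 'AllAllowed'", [name]),
+"keyActualValue": sprintf("'azurerm_app_service[%s].site_config.ftps_state' is set to 'AllAllowed'", [name]),
+"searchLine": common_lib.build_search_line(["resource", "azurerm_app_service", name, "site_config", "ftps_state"], []),
+}
+}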
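Review bot: The only condition, `function.site_config.ftps_state == "AllAllowed"`, fires solely when the attribute is written out, so an `azurerm_app_service` whose `site_config` omits `ftps_state` (or has no `site_config` at all) is never reported, although as far as I recall the provider marks the attribute optional/computed and the platform then keeps its own default of AllAllowed, i.e. plain FTP stays reachable; the negative and positive fixtures in this commit never exercise the omitted case either, so the gap is invisible to the test suite. A second `CxPolicy[result]` rule with issueType `MissingAttribute` would close it (sketched below), together with a positive fixture that leaves `ftps_state` out and a matching entry in the expected-result file. The local name `function` is misleading for an App Service resource; `app := input.document[i].resource.azurerm_app_service[name]` reads better. Separately, `keyExpectedValue`'s text `... is not set to 'AllAllowed'` describes the check rather than the desired state — `... is set to 'FtpsOnly' or 'Disabled'` tells the reader what to change to.

```rego
CxPolicy[result] {
	app := input.document[i].resource.azurerm_app_service[name]
	not app.site_config.ftps_state

	result := {
		"documentId": input.document[i].id,
		"searchKey": sprintf("azurerm_app_service[%s].site_config", [name]),
		"issueType": "MissingAttribute",
		"keyExpectedValue": sprintf("'azurerm_app_service[%s].site_config.ftps_state' is defined and set to 'FtpsOnly' or 'Disabled'", [name]),
		"keyActualValue": sprintf("'azurerm_app_service[%s].site_config.ftps_state' is undefined", [name]),
		"searchLine": common_lib.build_search_line(["resource", "azurerm_app_service", name, "site_config"], []),
	}
}
```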
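--- a/<PATH-NOT-SHOWN-3>
+++ b/<PATH-NOT-SHOWN-3>
@@ -0,0 +1,12 @@
+resource "azurerm_app_service" "negative1" {
+name = "example-app-service"
+location = azurerm_resource_group.example.location
+resource_group_name = azurerm_resource_group.example.name
+app_service_plan_id = azurerm_app_service_plan.example.id
+
+site_config {
+dotnet_framework_version = "v4.0"
+scm_type = "LocalGit"
+ftps_state = "FtpsOnly"
+}
+}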
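--- a/<PATH-NOT-SHOWN-4>
+++ b/<PATH-NOT-SHOWN-4>
@@ -0,0 +1,12 @@
+resource "azurerm_app_service" "negative2" {
+name = "example-app-service"
+location = azurerm_resource_group.example.location
+resource_group_name = azurerm_resource_group.example.name
+app_service_plan_id = azurerm_app_service_plan.example.id
+
+site_config {
+dotnet_framework_version = "v4.0"
+scm_type = "LocalGit"
+ftps_state = "Disabled"
+}
+}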
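--- a/<DIR-NOT-SHOWN>/positive1.tf
+++ b/<DIR-NOT-SHOWN>/positive1.tf
@@ -0,0 +1,12 @@
+resource "azurerm_app_service" "positive1" {
+name = "example-app-service"
+location = azurerm_resource_group.example.location
+resource_group_name = azurerm_resource_group.example.name
+app_service_plan_id = azurerm_app_service_plan.example.id
+
+site_config {
+dotnet_framework_version = "v4.0"
+scm_type = "LocalGit"
+ftps_state = "AllAllowed"
+}
+}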
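--- a/<PATH-NOT-SHOWN-6>
+++ b/<PATH-NOT-SHOWN-6>
@@ -0,0 +1,8 @@
+[
+{
+"queryName": "App Service FTPS Enforce Disabled",
+"severity": "HIGH",
+"line": 10,
+"fileName": "positive1.tf"
+}
+]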
