fix(terraform): Added applicable resources for CKV_AZURE_72 (#6144)
* reformatted main.tf

* Added missing resources

* Added new tests

* Added new tests

* Lint the file

* Adapted unittests

* Missing commas

* Other tests

---------

Co-authored-by: Thomas Defise <[email protected]>
Co-authored-by: Taylor <[email protected]>
Co-authored-by: Taylor <[email protected]>
4 people authored Oct 16, 2024
1 parent 9e99247 commit cae981d
Showing 4 changed files with 294 additions and 80 deletions.
Expand Up @@ -8,7 +8,16 @@ class AppServiceRemoteDebuggingNotEnabled(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure that remote debugging is not enabled for app services"
id = "CKV_AZURE_72"
supported_resources = ('azurerm_app_service', 'azurerm_linux_web_app', 'azurerm_windows_web_app')
supported_resources = ('azurerm_app_service',
'azurerm_linux_function_app',
'azurerm_linux_function_app_slot',
'azurerm_linux_web_app',
'azurerm_linux_web_app_slot',
'azurerm_windows_function_app',
'azurerm_windows_function_app_slot',
'azurerm_windows_web_app',
'azurerm_windows_web_app_slot'
)
categories = (CheckCategories.GENERAL_SECURITY,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
missing_block_result=CheckResult.PASSED)
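Review bot: The legacy `azurerm_app_service` entry has no slot counterpart in the new `supported_resources` tuple, so a legacy deployment slot with remote debugging turned on would still not be evaluated by CKV_AZURE_72. If `azurerm_app_service_slot` exposes the same `site_config` flag (it appears to share the schema, but confirm against the provider documentation), add `'azurerm_app_service_slot',` after `'azurerm_app_service',` together with fail/pass fixtures. The check name still reads "for app services" although function apps and slots are now covered, so a one-line comment above the tuple such as `# every azurerm resource type whose site_config carries remote_debugging_enabled` would make the intended scope explicit. The class body continues outside this hunk, so the inspected key and whether it applies to all nine types cannot be confirmed from here.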
@@ -1,72 +1,149 @@

resource "azurerm_app_service" "fail" {
name = "example-app-service"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
app_service_plan_id = azurerm_app_service_plan.example.id

site_config {
dotnet_framework_version = "v4.0"
scm_type = "LocalGit"
remote_debugging_enabled = true
}

app_settings = {
"SOME_KEY" = "some-value"
}

connection_string {
name = "Database"
type = "SQLServer"
value = "Server=some-server.mydomain.com;Integrated Security=SSPI"
}
}

resource "azurerm_app_service" "pass" {
name = "example-app-service"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
app_service_plan_id = azurerm_app_service_plan.example.id

site_config {
dotnet_framework_version = "v4.0"
scm_type = "LocalGit"
}

app_settings = {
"SOME_KEY" = "some-value"
}

connection_string {
name = "Database"
type = "SQLServer"
value = "Server=some-server.mydomain.com;Integrated Security=SSPI"
}
}

resource "azurerm_app_service" "pass2" {
name = "example-app-service"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
app_service_plan_id = azurerm_app_service_plan.example.id

site_config {
dotnet_framework_version = "v4.0"
scm_type = "LocalGit"
remote_debugging_enabled = false
}

app_settings = {
"SOME_KEY" = "some-value"
}

connection_string {
name = "Database"
type = "SQLServer"
value = "Server=some-server.mydomain.com;Integrated Security=SSPI"
}

}
resource "azurerm_app_service" "fail" {
name = "example-app-service"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
app_service_plan_id = azurerm_app_service_plan.example.id

site_config {
dotnet_framework_version = "v4.0"
scm_type = "LocalGit"
remote_debugging_enabled = true
}

app_settings = {
"SOME_KEY" = "some-value"
}

connection_string {
name = "Database"
type = "SQLServer"
value = "Server=some-server.mydomain.com;Integrated Security=SSPI"
}
}

resource "azurerm_app_service" "pass" {
name = "example-app-service"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
app_service_plan_id = azurerm_app_service_plan.example.id

site_config {
dotnet_framework_version = "v4.0"
scm_type = "LocalGit"
}

app_settings = {
"SOME_KEY" = "some-value"
}

connection_string {
name = "Database"
type = "SQLServer"
value = "Server=some-server.mydomain.com;Integrated Security=SSPI"
}
}

resource "azurerm_app_service" "pass2" {
name = "example-app-service"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
app_service_plan_id = azurerm_app_service_plan.example.id

site_config {
dotnet_framework_version = "v4.0"
scm_type = "LocalGit"
remote_debugging_enabled = false
}

app_settings = {
"SOME_KEY" = "some-value"
}

connection_string {
name = "Database"
type = "SQLServer"
value = "Server=some-server.mydomain.com;Integrated Security=SSPI"
}

}


resource "azurerm_linux_function_app" "fail" {
name = "example-linux-function-app"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location

storage_account_name = azurerm_storage_account.example.name
storage_account_access_key = azurerm_storage_account.example.primary_access_key
service_plan_id = azurerm_service_plan.example.id

site_config {
remote_debugging_enabled = true
}
}

resource "azurerm_linux_function_app" "pass" {
name = "example-linux-function-app"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location

storage_account_name = azurerm_storage_account.example.name
storage_account_access_key = azurerm_storage_account.example.primary_access_key
service_plan_id = azurerm_service_plan.example.id

site_config {
remote_debugging_enabled = false
}
}

resource "azurerm_linux_function_app" "pass2" {
name = "example-linux-function-app"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location

storage_account_name = azurerm_storage_account.example.name
storage_account_access_key = azurerm_storage_account.example.primary_access_key
service_plan_id = azurerm_service_plan.example.id

site_config {
}
}

resource "azurerm_linux_web_app_slot" "fail" {
name = "example-slot"
app_service_id = azurerm_linux_web_app.example.id
site_config {
remote_debugging_enabled = true
}
}

resource "azurerm_linux_web_app_slot" "pass" {
name = "example-slot"
app_service_id = azurerm_linux_web_app.example.id

site_config {
remote_debugging_enabled = false
}
}

resource "azurerm_linux_web_app_slot" "pass2" {
name = "example-slot"
app_service_id = azurerm_linux_web_app.example.id

site_config {}
}

resource "azurerm_linux_web_app" "fail" {
name = "example"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_service_plan.example.location
service_plan_id = azurerm_service_plan.example.id

site_config {
remote_debugging_enabled = true
}
}

resource "azurerm_linux_web_app" "pass" {
name = "example"
Expand All @@ -89,7 +166,103 @@ resource "azurerm_linux_web_app" "pass2" {
}
}

resource "azurerm_linux_web_app" "fail" {
resource "azurerm_linux_function_app_slot" "fail" {
name = "example-linux-function-app-slot"
function_app_id = azurerm_linux_function_app.example.id
storage_account_name = azurerm_storage_account.example.name

site_config {
remote_debugging_enabled = true
}
}

resource "azurerm_linux_function_app_slot" "pass" {
name = "example-linux-function-app-slot"
function_app_id = azurerm_linux_function_app.example.id
storage_account_name = azurerm_storage_account.example.name

site_config {}
}

resource "azurerm_linux_function_app_slot" "pass2" {
name = "example-linux-function-app-slot"
function_app_id = azurerm_linux_function_app.example.id
storage_account_name = azurerm_storage_account.example.name

site_config {
remote_debugging_enabled = false
}
}

resource "azurerm_windows_function_app" "fail" {
name = "example-windows-function-app"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location

storage_account_name = azurerm_storage_account.example.name
storage_account_access_key = azurerm_storage_account.example.primary_access_key
service_plan_id = azurerm_service_plan.example.id

site_config {
remote_debugging_enabled = true
}
}

resource "azurerm_windows_function_app" "pass" {
name = "example-windows-function-app"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location

storage_account_name = azurerm_storage_account.example.name
storage_account_access_key = azurerm_storage_account.example.primary_access_key
service_plan_id = azurerm_service_plan.example.id

site_config {
remote_debugging_enabled = false
}
}

resource "azurerm_windows_function_app" "pass2" {
name = "example-windows-function-app"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location

storage_account_name = azurerm_storage_account.example.name
storage_account_access_key = azurerm_storage_account.example.primary_access_key
service_plan_id = azurerm_service_plan.example.id

site_config {}
}

resource "azurerm_windows_function_app_slot" "fail" {
name = "example-slot"
function_app_id = azurerm_windows_function_app.example.id
storage_account_name = azurerm_storage_account.example.name

site_config {
remote_debugging_enabled = true
}
}

resource "azurerm_windows_function_app_slot" "pass" {
name = "example-slot"
function_app_id = azurerm_windows_function_app.example.id
storage_account_name = azurerm_storage_account.example.name

site_config {}
}

resource "azurerm_windows_function_app_slot" "pass2" {
name = "example-slot"
function_app_id = azurerm_windows_function_app.example.id
storage_account_name = azurerm_storage_account.example.name

site_config {
remote_debugging_enabled = false
}
}

resource "azurerm_windows_web_app" "fail" {
name = "example"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_service_plan.example.location
Expand All @@ -100,7 +273,7 @@ resource "azurerm_linux_web_app" "pass2" {
}
}

resource "azurerm_windows_web_app" "pass" {
resource "azurerm_windows_web_app" "pass" {
name = "example"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_service_plan.example.location
Expand All @@ -109,7 +282,7 @@ resource "azurerm_linux_web_app" "pass2" {
site_config {}
}

resource "azurerm_windows_web_app" "pass2" {
resource "azurerm_windows_web_app" "pass2" {
name = "example"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_service_plan.example.location
Expand All @@ -120,13 +293,27 @@ resource "azurerm_linux_web_app" "pass2" {
}
}

resource "azurerm_windows_web_app" "fail" {
name = "example"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_service_plan.example.location
service_plan_id = azurerm_service_plan.example.id
resource "azurerm_windows_web_app_slot" "fail" {
name = "example-slot"
app_service_id = azurerm_windows_web_app.example.id

site_config {
remote_debugging_enabled = true
}
}

resource "azurerm_windows_web_app_slot" "pass" {
name = "example-slot"
app_service_id = azurerm_windows_web_app.example.id

site_config {
remote_debugging_enabled = false
}
}

resource "azurerm_windows_web_app_slot" "pass2" {
name = "example-slot"
app_service_id = azurerm_windows_web_app.example.id

site_config {}
}