diff --git a/checkov/terraform/checks/resource/azure/AppServicePlanZoneRedundant.py b/checkov/terraform/checks/resource/azure/AppServicePlanZoneRedundant.py index 6f04fef7ec7..8d32cf1e147 100644 --- a/checkov/terraform/checks/resource/azure/AppServicePlanZoneRedundant.py +++ b/checkov/terraform/checks/resource/azure/AppServicePlanZoneRedundant.py @@ -9,7 +9,6 @@ def __init__(self) -> None: """ To enhance the resiliency and reliability of business-critical workloads, it's recommended to deploy new App Service Plans with zone-redundancy. - There's no additional cost associated with enabling availability zones. Pricing for a zone redundant App Service is the same as a single zone App Service. """ diff --git a/checkov/terraform/checks/resource/azure/AppServiceSlotMinTLS.py b/checkov/terraform/checks/resource/azure/AppServiceSlotMinTLS.py index 6448c5318c2..b83dfbda114 100644 --- a/checkov/terraform/checks/resource/azure/AppServiceSlotMinTLS.py +++ b/checkov/terraform/checks/resource/azure/AppServiceSlotMinTLS.py @@ -6,16 +6,21 @@ class AppServiceSlotMinTLS(BaseResourceValueCheck): def __init__(self): name = "Ensure the App service slot is using the latest version of TLS encryption" id = "CKV_AZURE_154" - supported_resources = ['azurerm_app_service_slot'] + supported_resources = ["azurerm_app_service_slot", "azurerm_linux_web_app_slot", "azurerm_windows_web_app_slot"] categories = [CheckCategories.NETWORKING] - super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources, - missing_block_result=CheckResult.PASSED) + super().__init__( + name=name, + id=id, + categories=categories, + supported_resources=supported_resources, + missing_block_result=CheckResult.PASSED, + ) def get_inspected_key(self): return "site_config/[0]/min_tls_version/[0]" def get_expected_value(self): - return '1.2' + return "1.2" check = AppServiceSlotMinTLS() 
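Review bot: `get_inspected_key` still returns `site_config/[0]/min_tls_version/[0]` for all three entries now listed in `supported_resources`, but as far as I know the `azurerm_linux_web_app_slot` and `azurerm_windows_web_app_slot` schemas name this setting `minimum_tls_version`. Because the check is constructed with `missing_block_result=CheckResult.PASSED`, a slot of either new type that sets `minimum_tls_version = "1.0"` would presumably not match the inspected key and be reported as passing, which is a silent false negative for CKV_AZURE_154. Consider selecting the key by resource type, e.g. `return "site_config/[0]/min_tls_version/[0]" if self.entity_type == "azurerm_app_service_slot" else "site_config/[0]/minimum_tls_version/[0]"`. The class begins above the hunk, so its imports and base class definition are not visible here.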
diff --git a/tests/terraform/checks/resource/azure/example_AppServiceSlotMinTLS/main.tf b/tests/terraform/checks/resource/azure/example_AppServiceSlotMinTLS/main.tf index 8e8530fb3eb..be287ca16c6 100644 --- a/tests/terraform/checks/resource/azure/example_AppServiceSlotMinTLS/main.tf +++ b/tests/terraform/checks/resource/azure/example_AppServiceSlotMinTLS/main.tf @@ -24,6 +24,58 @@ resource "azurerm_app_service_slot" "fail" { } } +resource "azurerm_linux_web_app_slot" "fail" { + name = "brian" + app_service_name = azurerm_app_service.example.name + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + https_only = false #thedefault + + site_config { + dotnet_framework_version = "v4.0" + min_tls_version = "1.1" + remote_debugging_enabled = true + } + + app_settings = { + "SOME_KEY" = "some-value" + } + + connection_string { + name = "Database" + type = "SQLServer" + value = "Server=some-server.mydomain.com;Integrated Security=SSPI" + } +} + +resource "azurerm_windows_web_app_slot" "fail" { + name = "brian" + app_service_name = azurerm_app_service.example.name + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + https_only = false #thedefault + + site_config { + dotnet_framework_version = "v4.0" + min_tls_version = "1.1" + remote_debugging_enabled = true + } + + app_settings = { + "SOME_KEY" = "some-value" + } + + connection_string { + name = "Database" + type = "SQLServer" + value = "Server=some-server.mydomain.com;Integrated Security=SSPI" + } +} + #default resource "azurerm_app_service_slot" "pass" { name = "fred" 
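Review bot: The new `azurerm_linux_web_app_slot` and `azurerm_windows_web_app_slot` fixtures here (and in the following hunk at -51,6 +103,110) are copies of the legacy `azurerm_app_service_slot` block, including `min_tls_version`, `app_service_name` and `app_service_plan_id`, which I believe are not attributes of the newer resource types. The `fail` cases therefore fail only because they use the legacy attribute name, and the test says nothing about a real configuration that sets `minimum_tls_version`. I would write these fixtures against the new schema, e.g. `minimum_tls_version = "1.1"` in the `fail` blocks, so the test pins the behaviour users actually get from the check.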
@@ -51,6 +103,110 @@ resource "azurerm_app_service_slot" "pass" { } } +resource "azurerm_linux_web_app_slot" "pass" { + name = "brian" + app_service_name = azurerm_app_service.example.name + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + https_only = false #thedefault + + site_config { + dotnet_framework_version = "v4.0" + min_tls_version = "1.2" + remote_debugging_enabled = true + } + + app_settings = { + "SOME_KEY" = "some-value" + } + + connection_string { + name = "Database" + type = "SQLServer" + value = "Server=some-server.mydomain.com;Integrated Security=SSPI" + } +} + +resource "azurerm_windows_web_app_slot" "pass" { + name = "brian" + app_service_name = azurerm_app_service.example.name + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + https_only = false #thedefault + + site_config { + dotnet_framework_version = "v4.0" + min_tls_version = "1.2" + remote_debugging_enabled = true + } + + app_settings = { + "SOME_KEY" = "some-value" + } + + connection_string { + name = "Database" + type = "SQLServer" + value = "Server=some-server.mydomain.com;Integrated Security=SSPI" + } +} + +resource "azurerm_linux_web_app_slot" "pass2" { + name = "brian" + app_service_name = azurerm_app_service.example.name + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + https_only = false #thedefault + + site_config { + dotnet_framework_version = "v4.0" + min_tls_version = "1.2" + remote_debugging_enabled = true + } + + app_settings = { + "SOME_KEY" = "some-value" + } + + connection_string { + name = "Database" + type = "SQLServer" + value = "Server=some-server.mydomain.com;Integrated Security=SSPI" + } +} + 
+resource "azurerm_windows_web_app_slot" "pass2" { + name = "brian" + app_service_name = azurerm_app_service.example.name + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + https_only = false #thedefault + + site_config { + dotnet_framework_version = "v4.0" + min_tls_version = "1.2" + remote_debugging_enabled = true + } + + app_settings = { + "SOME_KEY" = "some-value" + } + + connection_string { + name = "Database" + type = "SQLServer" + value = "Server=some-server.mydomain.com;Integrated Security=SSPI" + } +} + resource "azurerm_app_service_slot" "pass2" { name = "ted" app_service_name = azurerm_app_service.example.name diff --git a/tests/terraform/checks/resource/azure/test_AppServiceSlotMinTLSVersion.py b/tests/terraform/checks/resource/azure/test_AppServiceSlotMinTLSVersion.py index a945910af9f..2e3eeea6ef9 100644 --- a/tests/terraform/checks/resource/azure/test_AppServiceSlotMinTLSVersion.py +++ b/tests/terraform/checks/resource/azure/test_AppServiceSlotMinTLSVersion.py 
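Review bot: The `pass2` blocks added for `azurerm_linux_web_app_slot` and `azurerm_windows_web_app_slot` are identical to the corresponding `pass` blocks apart from the label, so they add no coverage. The legacy `pass` block is preceded by a `#default` comment, which suggests it covers the case where the TLS version is left unset; none of the new blocks exercises that path. Consider making one block of each pair omit the TLS setting, with a comment such as `# TLS version unset: expected to pass via missing_block_result`, so the default-handling behaviour is pinned for the new resource types too.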
@@ -19,17 +19,23 @@ def test(self): passing_resources = { "azurerm_app_service_slot.pass", + "azurerm_linux_web_app_slot.pass", + "azurerm_windows_web_app_slot.pass", "azurerm_app_service_slot.pass2", + "azurerm_linux_web_app_slot.pass2", + "azurerm_windows_web_app_slot.pass2", } failing_resources = { "azurerm_app_service_slot.fail", + "azurerm_linux_web_app_slot.fail", + "azurerm_windows_web_app_slot.fail", } passed_check_resources = {c.resource for c in report.passed_checks} failed_check_resources = {c.resource for c in report.failed_checks} - self.assertEqual(summary["passed"], 2) - self.assertEqual(summary["failed"], 1) + self.assertEqual(summary["passed"], passed_check_resources) + self.assertEqual(summary["failed"], failed_check_resources) self.assertEqual(summary["skipped"], 0) self.assertEqual(summary["parsing_errors"], 0) self.assertEqual(summary["resource_count"], 6) # 3 unknown
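Review bot: The two rewritten assertions compare `summary["passed"]` and `summary["failed"]` with the sets `passed_check_resources` and `failed_check_resources`, while the removed lines compared the same summary fields with the integers 2 and 1, so these look like count-versus-set comparisons that cannot be equal. They also no longer reference the expected sets at all, so a resource that silently stops being evaluated would not be noticed by these lines. I would write `self.assertEqual(summary["passed"], len(passing_resources))` and `self.assertEqual(summary["failed"], len(failing_resources))`. The unchanged `self.assertEqual(summary["resource_count"], 6)  # 3 unknown` probably needs updating as well now that eight resources were added to the fixture; confirm against a real run. The `test` method starts above the hunk and may continue below it.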