fix(terraform): Adding both azurerm_linux_web_app_slot & azurerm_wind…

…ows_web_app_slot in scope of the test CKV_AZURE_153 (bridgecrewio#5687) * Created check CKV_AZURE_228 * Updating "CKV_AZURE_153" * Removing file not applicable to this PR * Removing file not applicable for the PR * Made file PEP8 compliant * Restore to how it was before * Fixing syntax issue * Adjusted test_app_service_linux_web_resources() * Adjusted PR reference * Adapted test_app_service_linux_web_resources * adjust test value --------- Co-authored-by: Thomas Defise <[email protected]> Co-authored-by: Anton Grübel <[email protected]>
praveen-panw · Nov 8, 2023 · 91500b7 · 91500b7
1 parent f28edf7
commit 91500b7
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 7 deletions.
diff --git a/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py b/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py
@@ -6,12 +6,12 @@ class AppServiceSlotHTTPSOnly(BaseResourceValueCheck):
     def __init__(self):
         name = "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot"
         id = "CKV_AZURE_153"
-        supported_resources = ['azurerm_app_service_slot']
+        supported_resources = ["azurerm_app_service_slot", "azurerm_linux_web_app_slot", "azurerm_windows_web_app_slot"]
         categories = [CheckCategories.NETWORKING]
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
     def get_inspected_key(self):
-        return 'https_only/[0]'
+        return "https_only/[0]"
 
 
 check = AppServiceSlotHTTPSOnly()
diff --git a/tests/terraform/checks/resource/azure/example_AppServiceSlotHTTPSOnly/main.tf b/tests/terraform/checks/resource/azure/example_AppServiceSlotHTTPSOnly/main.tf
@@ -26,6 +26,23 @@ resource "azurerm_app_service_slot" "fail" {
 }
 
 
+resource "azurerm_linux_web_app_slot" "fail" {
+  name           = "fail-slot"
+  app_service_id = azurerm_linux_web_app.fail.id
+  https_only     = false
+
+  site_config {}
+}
+
+resource "azurerm_windows_web_app_slot" "fail" {
+  name           = "fail-slot"
+  app_service_id = azurerm_windows_web_app.fail.id
+  https_only     = false
+
+  site_config {}
+}
+
+
 resource "azurerm_app_service_slot" "fail2" {
   name                = random_id.server.hex
   app_service_name    = azurerm_app_service.example.name
@@ -77,3 +94,19 @@ resource "azurerm_app_service_slot" "pass" {
     value = "Server=some-server.mydomain.com;Integrated Security=SSPI"
   }
 }
+
+resource "azurerm_linux_web_app_slot" "pass" {
+  name           = "pass-slot"
+  app_service_id = azurerm_linux_web_app.pass.id
+  https_only     = true
+
+  site_config {}
+}
+
+resource "azurerm_windows_web_app_slot" "pass" {
+  name           = "pass-slot"
+  app_service_id = azurerm_windows_web_app.pass.id
+  https_only     = true
+
+  site_config {}
+}
diff --git a/tests/terraform/checks/resource/azure/test_AppServiceSlotHTTPSOnly.py b/tests/terraform/checks/resource/azure/test_AppServiceSlotHTTPSOnly.py
@@ -20,18 +20,23 @@ def test(self):
 
         passing_resources = {
             "azurerm_app_service_slot.pass",
+            "azurerm_linux_web_app_slot.pass",
+            "azurerm_windows_web_app_slot.pass",
         }
         failing_resources = {
             "azurerm_app_service_slot.fail",
             "azurerm_app_service_slot.fail2",
+            "azurerm_linux_web_app_slot.fail",
+            "azurerm_windows_web_app_slot.fail",
         }
+        skipped_resources = {}
 
         passed_check_resources = {c.resource for c in report.passed_checks}
         failed_check_resources = {c.resource for c in report.failed_checks}
 
-        self.assertEqual(summary["passed"], 1)
-        self.assertEqual(summary["failed"], 2)
-        self.assertEqual(summary["skipped"], 0)
+        self.assertEqual(summary['passed'], len(passing_resources))
+        self.assertEqual(summary['failed'], len(failing_resources))
+        self.assertEqual(summary['skipped'], len(skipped_resources))
         self.assertEqual(summary["parsing_errors"], 0)
 
         self.assertEqual(passing_resources, passed_check_resources)

diff --git a/tests/terraform/image_referencer/test_runner_azure_resources.py b/tests/terraform/image_referencer/test_runner_azure_resources.py
@@ -182,7 +182,7 @@ def test_app_service_linux_web_resources(mocker: MockerFixture, graph_framework)
 
     assert len(tf_report.resources) == 2
     assert len(tf_report.passed_checks) == 4
-    assert len(tf_report.failed_checks) == 13
+    assert len(tf_report.failed_checks) == 14
     assert len(tf_report.skipped_checks) == 0
     assert len(tf_report.parsing_errors) == 0
 
@@ -271,7 +271,8 @@ def test_app_service_windows_web_resources(mocker: MockerFixture, graph_framewor
 
     assert len(tf_report.resources) == 2
     assert len(tf_report.passed_checks) == 4
-    assert len(tf_report.failed_checks) == 13
+    # Changed from 13 to 14 due to PR #5687
+    assert len(tf_report.failed_checks) == 14
     assert len(tf_report.skipped_checks) == 0
     assert len(tf_report.parsing_errors) == 0