requested changes

cluetrust · Nov 4, 2021 · 21db8a0 · 21db8a0
1 parent ec39c4a
commit 21db8a0
Show file tree

Hide file tree

Showing 6 changed files with 14 additions and 31 deletions.
diff --git a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/metadata.json b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/metadata.json
@@ -3,7 +3,7 @@
   "queryName": "Function App FTPS Enforce Disabled",
   "severity": "HIGH",
   "category": "Insecure Configurations",
-  "descriptionText": "Azure Function App should only enforce FTPS",
+  "descriptionText": "Azure Function App should only enforce FTPS when 'ftps_state' is enabled",
   "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#ftps_state",
   "platform": "Terraform",
   "descriptionID": "2144ef13",

diff --git a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego
@@ -2,21 +2,6 @@ package Cx
 
 import data.generic.common as common_lib
 
-CxPolicy[result] {
-	function := input.document[i].resource.azurerm_function_app[name]
-
-	not common_lib.valid_key(function, "site_config")
-
-	result := {
-		"documentId": input.document[i].id,
-		"searchKey": sprintf("azurerm_function_app[%s]", [name]),
-		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("'azurerm_function_app[%s].site_config' is defined and not null", [name]),
-		"keyActualValue": sprintf("'azurerm_function_app[%s].site_config' is undefined or null", [name]),
-		"searchLine": common_lib.build_search_line(["resource", "azurerm_function_app", name], []),
-	}
-}
-
 CxPolicy[result] {
 	function := input.document[i].resource.azurerm_function_app[name]
 
@@ -35,14 +20,14 @@ CxPolicy[result] {
 CxPolicy[result] {
 	function := input.document[i].resource.azurerm_function_app[name]
 
-	function.site_config.ftps_state != "FtpsOnly"
+	function.site_config.ftps_state == "AllAllowed"
 
 	result := {
 		"documentId": input.document[i].id,
 		"searchKey": sprintf("azurerm_function_app[%s].site_config.ftps_state", [name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("'azurerm_function_app[%s].site_config.ftps_state' is set to 'FtpsOnly'", [name]),
-		"keyActualValue": sprintf("'azurerm_function_app[%s].site_config.ftps_state' is not set to 'FtpsOnly'", [name]),
+		"keyExpectedValue": sprintf("'azurerm_function_app[%s].site_config.ftps_state' is not set to 'AllAllowed'", [name]),
+		"keyActualValue": sprintf("'azurerm_function_app[%s].site_config.ftps_state' is set to 'AllAllowed'", [name]),
 		"searchLine": common_lib.build_search_line(["resource", "azurerm_function_app", name, "site_config", "ftps_state"], []),
 	}
 }
diff --git a/...pp_ftps_enforce_disabled/test/negative.tf → ...p_ftps_enforce_disabled/test/negative1.tf b/...pp_ftps_enforce_disabled/test/negative.tf → ...p_ftps_enforce_disabled/test/negative1.tf
@@ -1,4 +1,4 @@
-resource "azurerm_function_app" "negative" {
+resource "azurerm_function_app" "negative1" {
   name                       = "test-azure-functions"
   location                   = azurerm_resource_group.example.location
   resource_group_name        = azurerm_resource_group.example.name

diff --git a/...p_ftps_enforce_disabled/test/positive3.tf → ...p_ftps_enforce_disabled/test/negative2.tf b/...p_ftps_enforce_disabled/test/positive3.tf → ...p_ftps_enforce_disabled/test/negative2.tf
@@ -1,4 +1,4 @@
-resource "azurerm_function_app" "positive2" {
+resource "azurerm_function_app" "negative2" {
   name                       = "test-azure-functions"
   location                   = azurerm_resource_group.example.location
   resource_group_name        = azurerm_resource_group.example.name
@@ -7,7 +7,6 @@ resource "azurerm_function_app" "positive2" {
   storage_account_access_key = azurerm_storage_account.example.primary_access_key
 
    site_config {
-    http2_enabled = true
-    ftps_state = "AllAllowed"
+    ftps_state = "Disabled"
   }
 }
diff --git a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive1.tf b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive1.tf
@@ -1,8 +1,13 @@
-resource "azurerm_function_app" "positive1" {
+resource "azurerm_function_app" "positive2" {
   name                       = "test-azure-functions"
   location                   = azurerm_resource_group.example.location
   resource_group_name        = azurerm_resource_group.example.name
   app_service_plan_id        = azurerm_app_service_plan.example.id
   storage_account_name       = azurerm_storage_account.example.name
   storage_account_access_key = azurerm_storage_account.example.primary_access_key
+
+   site_config {
+    http2_enabled = true
+    ftps_state = "AllAllowed"
+  }
 }
diff --git a/...ies/terraform/azure/function_app_ftps_enforce_disabled/test/positive_expected_result.json b/...ies/terraform/azure/function_app_ftps_enforce_disabled/test/positive_expected_result.json
@@ -2,19 +2,13 @@
   {
     "queryName": "Function App FTPS Enforce Disabled",
     "severity": "HIGH",
-    "line": 1,
+    "line": 11,
     "fileName": "positive1.tf"
   },
   {
     "queryName": "Function App FTPS Enforce Disabled",
     "severity": "HIGH",
     "line": 9,
     "fileName": "positive2.tf"
-  },
-  {
-    "queryName": "Function App FTPS Enforce Disabled",
-    "severity": "HIGH",
-    "line": 11,
-    "fileName": "positive3.tf"
   }
 ]