Merge pull request Checkmarx#4449 from Checkmarx/query/function_app_f…

…tps_enforce_disabled

feat(query): added "Function App FTPS Enforce Disabled" for Terraform

assets/queries/terraform/azure/function_app_ftps_enforce_disabled/metadata.json

@@ -0,0 +1,11 @@
+{
+  "id": "9dab0179-433d-4dff-af8f-0091025691df",
+  "queryName": "Function App FTPS Enforce Disabled",
+  "severity": "HIGH",
+  "category": "Insecure Configurations",
+  "descriptionText": "Azure Function App should only enforce FTPS when 'ftps_state' is enabled",
+  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#ftps_state",
+  "platform": "Terraform",
+  "descriptionID": "2144ef13",
+  "cloudProvider": "azure"
+}

assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego

@@ -0,0 +1,33 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+	function := input.document[i].resource.azurerm_function_app[name]
+
+	not common_lib.valid_key(function.site_config, "ftps_state")
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("azurerm_function_app[%s].site_config'", [name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("'azurerm_function_app[%s].site_config.ftps_state' is defined and not null", [name]),
+		"keyActualValue": sprintf("'azurerm_function_app[%s].site_config.ftps_state' is undefined or null", [name]),
+		"searchLine": common_lib.build_search_line(["resource", "azurerm_function_app", name, "site_config"], []),
+	}
+}
+
+CxPolicy[result] {
+	function := input.document[i].resource.azurerm_function_app[name]
+
+	function.site_config.ftps_state == "AllAllowed"
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("azurerm_function_app[%s].site_config.ftps_state", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("'azurerm_function_app[%s].site_config.ftps_state' is not set to 'AllAllowed'", [name]),
+		"keyActualValue": sprintf("'azurerm_function_app[%s].site_config.ftps_state' is set to 'AllAllowed'", [name]),
+		"searchLine": common_lib.build_search_line(["resource", "azurerm_function_app", name, "site_config", "ftps_state"], []),
+	}
+}

assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/negative1.tf

@@ -0,0 +1,12 @@
+resource "azurerm_function_app" "negative1" {
+  name                       = "test-azure-functions"
+  location                   = azurerm_resource_group.example.location
+  resource_group_name        = azurerm_resource_group.example.name
+  app_service_plan_id        = azurerm_app_service_plan.example.id
+  storage_account_name       = azurerm_storage_account.example.name
+  storage_account_access_key = azurerm_storage_account.example.primary_access_key
+
+   site_config {
+    ftps_state = "FtpsOnly"
+  }
+}

assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/negative2.tf

@@ -0,0 +1,12 @@
+resource "azurerm_function_app" "negative2" {
+  name                       = "test-azure-functions"
+  location                   = azurerm_resource_group.example.location
+  resource_group_name        = azurerm_resource_group.example.name
+  app_service_plan_id        = azurerm_app_service_plan.example.id
+  storage_account_name       = azurerm_storage_account.example.name
+  storage_account_access_key = azurerm_storage_account.example.primary_access_key
+
+   site_config {
+    ftps_state = "Disabled"
+  }
+}

assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive1.tf

@@ -0,0 +1,13 @@
+resource "azurerm_function_app" "positive1" {
+  name                       = "test-azure-functions"
+  location                   = azurerm_resource_group.example.location
+  resource_group_name        = azurerm_resource_group.example.name
+  app_service_plan_id        = azurerm_app_service_plan.example.id
+  storage_account_name       = azurerm_storage_account.example.name
+  storage_account_access_key = azurerm_storage_account.example.primary_access_key
+
+   site_config {
+    http2_enabled = true
+    ftps_state = "AllAllowed"
+  }
+}

assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive2.tf

@@ -0,0 +1,12 @@
+resource "azurerm_function_app" "positive2" {
+  name                       = "test-azure-functions"
+  location                   = azurerm_resource_group.example.location
+  resource_group_name        = azurerm_resource_group.example.name
+  app_service_plan_id        = azurerm_app_service_plan.example.id
+  storage_account_name       = azurerm_storage_account.example.name
+  storage_account_access_key = azurerm_storage_account.example.primary_access_key
+
+   site_config {
+    http2_enabled = true
+  }
+}

assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive_expected_result.json

@@ -0,0 +1,14 @@
+[
+  {
+    "queryName": "Function App FTPS Enforce Disabled",
+    "severity": "HIGH",
+    "line": 11,
+    "fileName": "positive1.tf"
+  },
+  {
+    "queryName": "Function App FTPS Enforce Disabled",
+    "severity": "HIGH",
+    "line": 9,
+    "fileName": "positive2.tf"
+  }
+]