diff --git a/checkov/terraform/checks/resource/azure/AppServiceIPResctrictionDefaultActionSCMDeny.py b/checkov/terraform/checks/resource/azure/AppServiceIPResctrictionDefaultActionSCMDeny.py
new file mode 100644
index 00000000000..bc927664086
--- /dev/null
+++ b/checkov/terraform/checks/resource/azure/AppServiceIPResctrictionDefaultActionSCMDeny.py
@@ -0,0 +1,23 @@
+from typing import Any
+
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+
+
+class AppServiceIPResctrictionDefaultActionSCMDeny(BaseResourceValueCheck):
+ def __init__(self) -> None:
+ name = "Ensure the default IP Restriction action for SCM is set to 'Deny'"
+ id = "CKV_AZURE_240"
+ supported_resources = ('azurerm_linux_web_app', 'azurerm_windows_web_app')
+ categories = (CheckCategories.NETWORKING,)
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
+ missing_block_result=CheckResult.PASSED)
+
+ def get_inspected_key(self) -> str:
+ return "site_config/[0]/scm_ip_restriction_default_action/[0]"
+
+ def get_expected_value(self) -> Any:
+ return "Deny"
+
+
+check = AppServiceIPResctrictionDefaultActionSCMDeny()
\ No newline at end of file
diff --git a/tests/terraform/checks/resource/azure/example_AppServiceIPResctrictionDefaultActionSCMDeny/main.tf b/tests/terraform/checks/resource/azure/example_AppServiceIPResctrictionDefaultActionSCMDeny/main.tf
new file mode 100644
index 00000000000..c2f12f59bd5
--- /dev/null
+++ b/tests/terraform/checks/resource/azure/example_AppServiceIPResctrictionDefaultActionSCMDeny/main.tf
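Review bot: `missing_block_result=CheckResult.PASSED` in `__init__` passes any web app whose `site_config` omits `scm_ip_restriction_default_action` (assuming BaseResourceValueCheck returns the missing-block result when the inspected key is absent, which is how I read it), yet the `fail1` resources in main.tf declare an empty `site_config {}` and test_AppServiceIPResctrictionDefaultActionSCMDeny.py expects them to fail, so the check and its test cannot both be right. Since the provider's default for that attribute is, as far as I know, Allow, the secure and fixture-consistent choice is `missing_block_result=CheckResult.FAILED`. The class has no docstring; I would add `"""Checks that site_config.scm_ip_restriction_default_action is 'Deny' on azurerm_linux_web_app and azurerm_windows_web_app."""`. The class and file name spell "Resctriction" with a transposed c; since all three files are new, renaming to `AppServiceIPRestrictionDefaultActionSCMDeny` now avoids carrying the typo into the check registry.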
@@ -0,0 +1,61 @@
+resource "azurerm_linux_web_app" "fail1" {
+ name = "example"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_service_plan.example.location
+ service_plan_id = azurerm_service_plan.example.id
+ ftp_publish_basic_authentication_enabled = true
+ site_config {}
+}
+
+resource "azurerm_linux_web_app" "fail2" {
+ name = "example"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_service_plan.example.location
+ service_plan_id = azurerm_service_plan.example.id
+ site_config {
+ scm_ip_restriction_default_action = "Allow"
+ }
+}
+
+resource "azurerm_windows_web_app" "fail1" {
+ name = "example"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_service_plan.example.location
+ service_plan_id = azurerm_service_plan.example.id
+ ftp_publish_basic_authentication_enabled = true
+ site_config {}
+}
+
+resource "azurerm_windows_web_app" "fail2" {
+ name = "example"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_service_plan.example.location
+ service_plan_id = azurerm_service_plan.example.id
+ site_config {
+ scm_ip_restriction_default_action = "Allow"
+ }
+}
+
+resource "azurerm_linux_web_app" "good" {
+ name = "example"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_service_plan.example.location
+ service_plan_id = azurerm_service_plan.example.id
+ ftp_publish_basic_authentication_enabled = false
+
+ site_config {
+ scm_ip_restriction_default_action = "Deny"
+ }
+}
+
+resource "azurerm_windows_web_app" "good" {
+ name = "example"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_service_plan.example.location
+ service_plan_id = azurerm_service_plan.example.id
+ ftp_publish_basic_authentication_enabled = false
+
+ site_config {
+ scm_ip_restriction_default_action = "Deny"
+ }
+}
\ No newline at end of file
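Review bot: `ftp_publish_basic_authentication_enabled` on the `fail1` and `good` resources is unrelated to the attribute this check inspects (`scm_ip_restriction_default_action`), so the fixture does not isolate what drives the verdict: `fail1` differs from `good` in two settings, and a reader may infer that FTP basic auth matters to CKV_AZURE_240. Dropping that line from all four resources keeps the fixture to the one attribute under test.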
diff --git a/tests/terraform/checks/resource/azure/test_AppServiceIPResctrictionDefaultActionSCMDeny.py b/tests/terraform/checks/resource/azure/test_AppServiceIPResctrictionDefaultActionSCMDeny.py
new file mode 100644
index 00000000000..c1a850f0f45
--- /dev/null
+++ b/tests/terraform/checks/resource/azure/test_AppServiceIPResctrictionDefaultActionSCMDeny.py
@@ -0,0 +1,45 @@
+import os
+import unittest
+
+from checkov.runner_filter import RunnerFilter
+from checkov.terraform.runner import Runner
+from checkov.terraform.checks.resource.azure.AppServiceIPResctrictionDefaultActionSCMDeny import check
+
+
+class TestAppServiceIPResctrictionDefaultActionSCMDeny(unittest.TestCase):
+
+ def test(self):
+ runner = Runner()
+ current_dir = os.path.dirname(os.path.realpath(__file__))
+
+ test_files_dir = os.path.join(current_dir, "example_AppServiceIPResctrictionDefaultActionSCMDeny")
+ report = runner.run(root_folder=test_files_dir,
+ runner_filter=RunnerFilter(checks=[check.id]))
+ summary = report.get_summary()
+
+ passing_resources = {
+ 'azurerm_linux_web_app.good',
+ 'azurerm_windows_web_app.good',
+ }
+ failing_resources = {
+ 'azurerm_linux_web_app.fail1',
+ 'azurerm_windows_web_app.fail1',
+ 'azurerm_linux_web_app.fail2',
+ 'azurerm_windows_web_app.fail2',
+ }
+ skipped_resources = {}
+
+ passed_check_resources = set([c.resource for c in report.passed_checks])
+ failed_check_resources = set([c.resource for c in report.failed_checks])
+
+ self.assertEqual(summary['passed'], len(passing_resources))
+ self.assertEqual(summary['failed'], len(failing_resources))
+ self.assertEqual(summary['skipped'], len(skipped_resources))
+ self.assertEqual(summary['parsing_errors'], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == '__main__':
+ unittest.main()
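Review bot: `skipped_resources = {}` is an empty dict, not an empty set, so the later `assertEqual(summary['skipped'], len(skipped_resources))` only works because `len` is 0 either way; `skipped_resources = set()` matches the type of the other two collections. The two `set([c.resource for c in ...])` calls build a list only to convert it; `{c.resource for c in report.passed_checks}` and `{c.resource for c in report.failed_checks}` are the direct form. A one-line docstring on `test`, such as `"""Runs CKV_AZURE_240 against the example fixture and checks the pass/fail split."""`, would also help readers scanning the many near-identical tests in this directory.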