bridgecrewio · tdefise · Mar 22, 2024 · Apr 17, 2024 · Apr 18, 2024 · Apr 18, 2024
diff --git a/checkov/terraform/checks/resource/azure/AppServiceIPResctrictionDefaultActionSCMDeny.py b/checkov/terraform/checks/resource/azure/AppServiceIPResctrictionDefaultActionSCMDeny.py
@@ -0,0 +1,23 @@
+from typing import Any
+
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+
+
+class AppServiceIPResctrictionDefaultActionSCMDeny(BaseResourceValueCheck):
+    def __init__(self) -> None:
+        name = "Ensure the default IP Restriction action for SCM is set to 'Deny'"
+        id = "CKV_AZURE_240"
+        supported_resources = ('azurerm_linux_web_app', 'azurerm_windows_web_app')
+        categories = (CheckCategories.NETWORKING,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
+                         missing_block_result=CheckResult.PASSED)
+
+    def get_inspected_key(self) -> str:
+        return "site_config/[0]/scm_ip_restriction_default_action/[0]"
+
+    def get_expected_value(self) -> Any:
+        return "Deny"
+
+
+check = AppServiceIPResctrictionDefaultActionSCMDeny()
diff --git a/...raform/checks/resource/azure/example_AppServiceIPResctrictionDefaultActionSCMDeny/main.tf b/...raform/checks/resource/azure/example_AppServiceIPResctrictionDefaultActionSCMDeny/main.tf
@@ -0,0 +1,61 @@
+resource "azurerm_linux_web_app" "fail1" {
+  name                = "example"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_service_plan.example.location
+  service_plan_id     = azurerm_service_plan.example.id
+  ftp_publish_basic_authentication_enabled = true
+  site_config {}
+}
+
+resource "azurerm_linux_web_app" "fail2" {
+  name                = "example"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_service_plan.example.location
+  service_plan_id     = azurerm_service_plan.example.id
+  site_config {
+    scm_ip_restriction_default_action = "Allow"
+  }
+}
+
+resource "azurerm_windows_web_app" "fail1" {
+  name                = "example"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_service_plan.example.location
+  service_plan_id     = azurerm_service_plan.example.id
+  ftp_publish_basic_authentication_enabled = true
+  site_config {}
+}
+
+resource "azurerm_windows_web_app" "fail2" {
+  name                = "example"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_service_plan.example.location
+  service_plan_id     = azurerm_service_plan.example.id
+  site_config {
+    scm_ip_restriction_default_action = "Allow"
+  }
+}
+
+resource "azurerm_linux_web_app" "good" {
+  name                = "example"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_service_plan.example.location
+  service_plan_id     = azurerm_service_plan.example.id
+  ftp_publish_basic_authentication_enabled = false
+
+  site_config {
+    scm_ip_restriction_default_action = "Deny"
+  }
+}
+
+resource "azurerm_windows_web_app" "good" {
+  name                = "example"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_service_plan.example.location
+  service_plan_id     = azurerm_service_plan.example.id
+  ftp_publish_basic_authentication_enabled = false
+
+  site_config {
+    scm_ip_restriction_default_action = "Deny"
+  }
+}
diff --git a/tests/terraform/checks/resource/azure/test_AppServiceIPResctrictionDefaultActionSCMDeny.py b/tests/terraform/checks/resource/azure/test_AppServiceIPResctrictionDefaultActionSCMDeny.py
@@ -0,0 +1,45 @@
+import os
+import unittest
+
+from checkov.runner_filter import RunnerFilter
+from checkov.terraform.runner import Runner
+from checkov.terraform.checks.resource.azure.AppServiceIPResctrictionDefaultActionSCMDeny import check
+
+
+class TestAppServiceIPResctrictionDefaultActionSCMDeny(unittest.TestCase):
+
+    def test(self):
+        runner = Runner()
+        current_dir = os.path.dirname(os.path.realpath(__file__))
+
+        test_files_dir = os.path.join(current_dir, "example_AppServiceIPResctrictionDefaultActionSCMDeny")
+        report = runner.run(root_folder=test_files_dir,
+                            runner_filter=RunnerFilter(checks=[check.id]))
+        summary = report.get_summary()
+
+        passing_resources = {
+            'azurerm_linux_web_app.good',
+            'azurerm_windows_web_app.good',
+        }
+        failing_resources = {
+            'azurerm_linux_web_app.fail1',
+            'azurerm_windows_web_app.fail1',
+            'azurerm_linux_web_app.fail2',
+            'azurerm_windows_web_app.fail2',
+        }
+        skipped_resources = {}
+
+        passed_check_resources = set([c.resource for c in report.passed_checks])
+        failed_check_resources = set([c.resource for c in report.failed_checks])
+
+        self.assertEqual(summary['passed'], len(passing_resources))
+        self.assertEqual(summary['failed'], len(failing_resources))
+        self.assertEqual(summary['skipped'], len(skipped_resources))
+        self.assertEqual(summary['parsing_errors'], 0)
+
+        self.assertEqual(passing_resources, passed_check_resources)
+        self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == '__main__':
+    unittest.main()