fix(terraform): Accept TLS 1.3 for Azure web apps and web app slots (#…

…6956)

* fix: add expected values for tls 1.2 and 1.3 for app service and app service slots to align with function app checks

* feat: update tests

* feat: update tests

* fix: cleanup

* feat: update web app tls check error message

* feat: add tests for app service slot tls 1.3

* fix: revert app service and app service slot min tls check names

---------

Co-authored-by: Taylor <[email protected]>

checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py

@@ -1,3 +1,5 @@
+from typing import Any, List
+
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
 
@@ -20,5 +22,8 @@ def get_inspected_key(self):
     def get_expected_value(self):
         return '1.2'
 
+    def get_expected_values(self) -> List[Any]:
+        return ["1.2", 1.2, "1.3", 1.3]
+
 
 check = AppServiceMinTLSVersion()

checkov/terraform/checks/resource/azure/AppServiceSlotMinTLS.py

@@ -1,3 +1,5 @@
+from typing import Any, List
+
 from checkov.common.models.enums import CheckCategories, CheckResult
 from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
 
@@ -17,5 +19,8 @@ def get_inspected_key(self):
     def get_expected_value(self):
         return '1.2'
 
+    def get_expected_values(self) -> List[Any]:
+        return ["1.2", 1.2, "1.3", 1.3]
+
 
 check = AppServiceSlotMinTLS()

tests/terraform/checks/resource/azure/example_AppServiceMinTLSVersion/main.tf

@@ -34,6 +34,24 @@ resource "azurerm_linux_web_app" "pass" {
   }
 }
 
+resource "azurerm_linux_web_app" "pass_tls13" {
+  name                = "example"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_service_plan.example.location
+  service_plan_id     = azurerm_service_plan.example.id
+  https_only          = true
+  site_config {
+    http2_enabled = true
+  }
+  identity {
+    type = "SystemAssigned"
+
+  }
+  site_config {
+    minimum_tls_version = "1.3"
+  }
+}
+
 resource "azurerm_linux_web_app" "fail" {
   name                = "example"
   resource_group_name = azurerm_resource_group.example.name
@@ -63,6 +81,21 @@ resource "azurerm_windows_web_app" "pass" {
   }
 }
 
+resource "azurerm_windows_web_app" "pass_tls13" {
+  name                = "example"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_service_plan.example.location
+  service_plan_id     = azurerm_service_plan.example.id
+  https_only          = true
+  site_config {
+    http2_enabled       = true
+    minimum_tls_version = "1.3"
+  }
+  identity {
+    type = "SystemAssigned"
+  }
+}
+
 resource "azurerm_windows_web_app" "fail" {
   name                = "example"
   resource_group_name = azurerm_resource_group.example.name

tests/terraform/checks/resource/azure/example_AppServiceSlotMinTLS/main.tf

@@ -78,7 +78,32 @@ resource "azurerm_app_service_slot" "pass2" {
   }
 }
 
+resource "azurerm_app_service_slot" "pass3" {
+  name                = "ned"
+  app_service_name    = azurerm_app_service.example.name
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  app_service_plan_id = azurerm_app_service_plan.example.id
+
+  https_only = false #thedefault
+
+
+  site_config {
+    dotnet_framework_version = "v4.0"
+    min_tls_version          = "1.3" #the default is 1.2
+    remote_debugging_enabled = true  #default is false
+  }
+
+  app_settings = {
+    "SOME_KEY" = "some-value"
+  }
 
+  connection_string {
+    name  = "Database"
+    type  = "SQLServer"
+    value = "Server=some-server.mydomain.com;Integrated Security=SSPI"
+  }
+}
 
 resource "azurerm_resource_group" "example" {
   name     = "example"

tests/terraform/checks/resource/azure/test_AppServiceMinTLSVersion.py

@@ -20,7 +20,9 @@ def test(self):
         passing_resources = {
             'azurerm_app_service.pass',
             'azurerm_windows_web_app.pass',
+            'azurerm_windows_web_app.pass_tls13',
             'azurerm_linux_web_app.pass',
+            'azurerm_linux_web_app.pass_tls13',
             'azurerm_linux_web_app.pass_tfvar',
             'azurerm_linux_web_app.pass_tfvar2',
         }

tests/terraform/checks/resource/azure/test_AppServiceSlotMinTLSVersion.py

@@ -20,6 +20,7 @@ def test(self):
         passing_resources = {
             "azurerm_app_service_slot.pass",
             "azurerm_app_service_slot.pass2",
+            "azurerm_app_service_slot.pass3",
         }
         failing_resources = {
             "azurerm_app_service_slot.fail",
@@ -28,11 +29,11 @@ def test(self):
         passed_check_resources = {c.resource for c in report.passed_checks}
         failed_check_resources = {c.resource for c in report.failed_checks}
 
-        self.assertEqual(summary["passed"], 2)
-        self.assertEqual(summary["failed"], 1)
+        self.assertEqual(summary["passed"], len(passing_resources))
+        self.assertEqual(summary["failed"], len(failing_resources))
         self.assertEqual(summary["skipped"], 0)
         self.assertEqual(summary["parsing_errors"], 0)
-        self.assertEqual(summary["resource_count"], 6)  # 3 unknown
+        self.assertEqual(summary["resource_count"], 7)  # 3 unknown
 
         self.assertEqual(passing_resources, passed_check_resources)
         self.assertEqual(failing_resources, failed_check_resources)