diff --git a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/query.rego b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/query.rego
index 4dd6192d2af..6b9ac94eda2 100644
--- a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/query.rego
+++ b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/query.rego
@@ -6,7 +6,7 @@ import data.generic.terraform as tf_lib
 CxPolicy[result] {
 app := input.document[i].resource.azurerm_function_app[name]
- app.site_config.min_tls_version != 1.2
+ to_number(app.site_config.min_tls_version) != 1.2
 result := {
 "documentId": input.document[i].id,
@@ -18,7 +18,7 @@ CxPolicy[result] {
 "keyActualValue": sprintf("'azurerm_function_app[%s].site_config.min_tls_version' is not set to '1.2'", [name]),
 "searchLine": common_lib.build_search_line(["resource", "azurerm_function_app", name, "site_config", "min_tls_version"], []),
 "remediation": json.marshal({
- "before": sprintf("%.1f", [app.site_config.min_tls_version]),
+ "before": sprintf("%.1f", [to_number(app.site_config.min_tls_version)]),
 "after": "1.2"
 }),
 "remediationType": "replacement",
diff --git a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/negative4.tf b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/negative4.tf
new file mode 100644
index 00000000000..5e0d20c9df4
--- /dev/null
+++ b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/negative4.tf
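Review bot: `to_number(app.site_config.min_tls_version) != 1.2` in the first hunk only evaluates when the value parses as a number. For a string that does not parse (for example an unresolved variable reference), `to_number` raises a built-in error, which OPA by default treats as undefined, so the rule would report nothing for that resource. Before this change any string value was flagged, so this looks like a quiet move from false positive to false negative; it is worth confirming against how KICS resolves variables. I would add a comment above the condition, `# non-numeric values make to_number undefined, so the resource is skipped`, and a fixture with a variable-driven `min_tls_version` to pin the intended result. CxPolicy's body continues outside the hunk.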
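Review bot: The conversion is now written twice, in `"before"` in the second hunk and in the condition of the first hunk. Binding it once, `tls_version := to_number(app.site_config.min_tls_version)`, then using `tls_version != 1.2` and `sprintf("%.1f", [tls_version])`, keeps the check and the reported value from drifting apart. Separately, `"before"` renders the value without quotes (`1.1`) while positive2.tf writes `"1.1"`; presumably the replacement still matches the inner text, but that is not visible in this diff. The result object starts and ends outside the hunk.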
@@ -0,0 +1,14 @@
+resource "azurerm_function_app" "negative4" {
+ name = "test-azure-functions"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+ app_service_plan_id = azurerm_app_service_plan.example.id
+ storage_account_name = azurerm_storage_account.example.name
+ storage_account_access_key = azurerm_storage_account.example.primary_access_key
+
+ site_config {
+ dotnet_framework_version = "v4.0"
+ scm_type = "LocalGit"
+ min_tls_version = "1.2"
+ }
+}
diff --git a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive2.tf b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive2.tf
new file mode 100644
index 00000000000..5a0d33d8827
--- /dev/null
+++ b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive2.tf
@@ -0,0 +1,14 @@
+resource "azurerm_function_app" "positive2" {
+ name = "test-azure-functions"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+ app_service_plan_id = azurerm_app_service_plan.example.id
+ storage_account_name = azurerm_storage_account.example.name
+ storage_account_access_key = azurerm_storage_account.example.primary_access_key
+
+ site_config {
+ dotnet_framework_version = "v4.0"
+ scm_type = "LocalGit"
+ min_tls_version = "1.1"
+ }
+}
diff --git a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive_expected_result.json
index fb54995fb90..d5860f898e2 100644
--- a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive_expected_result.json
@@ -4,5 +4,11 @@
 "severity": "HIGH",
 "line": 12,
 "fileName": "positive1.tf"
+ },
+ {
+ "queryName": "Function App Not Using Latest TLS Encryption Version",
+ "severity": "HIGH",
+ "line": 12,
+ "fileName": "positive2.tf"
 }
 ]