terraform.azure.security.appservice.appservice-account-identity-registered.appservice-account-identity-registered


Registering the identity used by an App Service with Azure AD allows it to interact with other services without using a username and password. Set the `identity` block in your App Service resource.


Definition

# Semgrep rule (Terraform/HCL): report `azurerm_app_service` resources that
# declare no `identity` block, i.e. apps with no managed identity registered in
# Azure AD that would have to fall back to stored credentials for
# service-to-service authentication.
rules:
  - id: appservice-account-identity-registered
    # Finding text shown to the user (plain multi-line scalar, folded to one line).
    message: Registering the identity used by an App with AD allows it to interact
      with other services without using username and password. Set the
      `identity` block in your appservice.
    # Every entry must hold for a finding: the node matched by `pattern`, inside
    # an azurerm_app_service resource, and NOT inside either accepted identity shape.
    patterns:
      # The reported node; `pattern-inside` below scopes it to App Service resources.
      - pattern: resource
      # Accepted shape 1: any identity `type` together with an `identity_ids` value.
      # NOTE(review): `"..."` matches a string literal; in real configurations
      # identity_ids is presumably a list of user-assigned identity IDs — confirm
      # that a list-valued identity_ids is not reported as a (false-positive) finding.
      - pattern-not-inside: |
          resource "azurerm_app_service" "..." {
          ...
            identity {
              type = "..."
              identity_ids = "..."
            }
          ...
          }
      # Accepted shape 2: a system-assigned identity, which needs no identity_ids.
      # NOTE(review): the combined type "SystemAssigned, UserAssigned" is not listed
      # on its own; verify it is covered by shape 1 in the list-valued case above.
      - pattern-not-inside: |
          resource "azurerm_app_service" "..." {
          ...
            identity {
              type = "SystemAssigned"
            }
          ...
          }
      # Only the (legacy) azurerm_app_service resource is inspected.
      # NOTE(review): newer azurerm provider versions supersede this resource with
      # azurerm_linux_web_app / azurerm_windows_web_app, which this rule does not
      # cover — confirm whether a sibling rule exists for them.
      - pattern-inside: |
          resource "azurerm_app_service" "..." {
          ...
          }
    metadata:
      category: security
      # Weakness classification: missing/weak authentication between services.
      owasp:
        - A02:2017 - Broken Authentication
        - A07:2021 - Identification and Authentication Failures
      cwe:
        - "CWE-287: Improper Authentication"
      technology:
        - terraform
        - azure
      references:
        - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#identity
      cwe2022-top25: true
      cwe2021-top25: true
      # Audit-level signal: the rule only detects an absent block, so all three
      # self-assessment axes are LOW and the severity is INFO.
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authentication
    languages:
      - hcl
    severity: INFO

Examples

appservice-account-identity-registered.tf

# Pass
# User-assigned managed identity: `type` plus the identities to attach.
# NOTE(review): `identity_ids = "webapp"` is a bare string; the provider
# presumably expects a list of user-assigned identity resource IDs, so this
# fixture satisfies the rule's `identity_ids = "..."` pattern but may not be
# valid Terraform — confirm against a real configuration.
# ok: appservice-account-identity-registered
resource "azurerm_app_service" "good_example" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id

  # The block the rule looks for: a managed identity registered with Azure AD.
  identity {
    type = "UserAssigned"
    identity_ids = "webapp"
  }
}

# System-assigned managed identity: no identity_ids are needed, Azure creates
# the identity with the app. Still passes the rule.
# ok: appservice-account-identity-registered
resource "azurerm_app_service" "civiform_app" {
  name                = "${var.application_name}-${random_pet.server.id}"
  location            = data.azurerm_resource_group.rg.location
  resource_group_name = data.azurerm_resource_group.rg.name
  app_service_plan_id = azurerm_app_service_plan.plan.id

  app_settings = local.app_settings

  # Matches the rule's second accepted shape (`type = "SystemAssigned"`).
  identity {
    type = "SystemAssigned"
  }

  # HTTP log retention on the app's file system; unrelated to the identity check.
  logs {
    http_logs {
      file_system {
        retention_in_days = 1
        retention_in_mb   = 35
      }
    }
  }

  # Attributes excluded from drift detection; unrelated to the identity check.
  lifecycle {
    ignore_changes = [
      app_settings["STAGING_HOSTNAME"],
      app_settings["BASE_URL"],
      site_config[0].linux_fx_version
    ]
  }
}

# Fail
# No `identity` block at all: the app has no managed identity and would need
# stored credentials to reach other Azure services, so the rule reports it.
# ruleid: appservice-account-identity-registered
resource "azurerm_app_service" "bad_example" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id
}