terraform.azure.security.appservice.appservice-account-identity-registered.appservice-account-identity-registered
semgrep
Author: unknown
Registering the identity an App Service runs as with Azure AD (a managed identity) lets it authenticate to other Azure services without storing a username and password. Set the `identity` block in your app service resource.
Definition
rules:
  - id: appservice-account-identity-registered
    message: Registering the identity used by an App with AD allows it to interact
      with other services without using username and password. Set the
      `identity` block in your appservice.
    patterns:
      - pattern: resource
      - pattern-not-inside: |
          resource "azurerm_app_service" "..." {
            ...
            identity {
              type = "..."
              identity_ids = "..."
            }
            ...
          }
      - pattern-not-inside: |
          resource "azurerm_app_service" "..." {
            ...
            identity {
              type = "SystemAssigned"
            }
            ...
          }
      - pattern-inside: |
          resource "azurerm_app_service" "..." {
            ...
          }
    metadata:
      category: security
      owasp:
        - A02:2017 - Broken Authentication
        - A07:2021 - Identification and Authentication Failures
      cwe:
        - "CWE-287: Improper Authentication"
      technology:
        - terraform
        - azure
      references:
        - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#identity
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authentication
    languages:
      - hcl
    severity: INFO
Examples
appservice-account-identity-registered.tf
# Pass
# ok: appservice-account-identity-registered
resource "azurerm_app_service" "good_example" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id

  identity {
    type = "UserAssigned"
    # In a real azurerm configuration identity_ids is a list of user-assigned
    # identity resource IDs; this string literal is only what the rule's
    # `identity_ids = "..."` pattern needs to see.
    identity_ids = "webapp"
  }
}

# ok: appservice-account-identity-registered
resource "azurerm_app_service" "civiform_app" {
  name                = "${var.application_name}-${random_pet.server.id}"
  location            = data.azurerm_resource_group.rg.location
  resource_group_name = data.azurerm_resource_group.rg.name
  app_service_plan_id = azurerm_app_service_plan.plan.id
  app_settings        = local.app_settings

  # A system-assigned identity needs no identity_ids: Azure creates and
  # manages the principal for this app.
  identity {
    type = "SystemAssigned"
  }

  logs {
    http_logs {
      file_system {
        retention_in_days = 1
        retention_in_mb   = 35
      }
    }
  }

  lifecycle {
    ignore_changes = [
      app_settings["STAGING_HOSTNAME"],
      app_settings["BASE_URL"],
      site_config[0].linux_fx_version
    ]
  }
}

# Fail
# ruleid: appservice-account-identity-registered
resource "azurerm_app_service" "bad_example" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id
  # No identity block: the app would have to carry credentials (connection
  # strings, client secrets) to reach other services.
}
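The check the rule encodes, re-implemented as an added Python example so the pass/fail classification above can be traced offline on constructed input. This is not Semgrep's code and not part of the rule page: it mirrors the two `pattern-not-inside` clauses (an `identity` block with `type = "SystemAssigned"`, or with a `type` plus `identity_ids`) over a brace-matched resource body. It goes beyond the published rule in one assumed respect: it also inspects `azurerm_linux_web_app` and `azurerm_windows_web_app`, the resource types that replaced `azurerm_app_service` in newer azurerm provider versions and which the rule as published does not match. The sample configuration, the resource names in it and the `APP_SERVICE_TYPES` tuple are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample input (not the page's test file): two compliant app
# services, two non-compliant ones, a newer web-app resource without an
# identity, and an unrelated resource type that must be ignored.
SAMPLE_TF = '''
resource "azurerm_app_service" "good_example" {
  name                = "example-app-service"
  app_service_plan_id = azurerm_app_service_plan.plan.id
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.example.id]
  }
}

resource "azurerm_app_service" "system_assigned" {
  name = "example-app-service-2"
  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_app_service" "bad_example" {
  name = "example-app-service-3"
}

resource "azurerm_app_service" "empty_identity" {
  name = "example-app-service-4"
  identity {
  }
}

resource "azurerm_linux_web_app" "newer_no_identity" {
  name = "example-web-app"
}

resource "azurerm_app_service_plan" "plan" {
  name = "example-plan"
}
'''

# The published rule only matches azurerm_app_service; the two newer types
# are an assumption about what a practitioner would also want covered.
APP_SERVICE_TYPES = ("azurerm_app_service", "azurerm_linux_web_app", "azurerm_windows_web_app")

RESOURCE_HEADER = re.compile(r'\bresource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
IDENTITY_HEADER = re.compile(r'\bidentity\s*\{')
TYPE_ATTR = re.compile(r'\btype\s*=\s*"([^"]*)"')
IDS_ATTR = re.compile(r'\bidentity_ids\s*=')


@dataclass
class Finding:
    resource: str  # "<type>.<name>" of the flagged resource
    reason: str    # why neither allow-pattern matched


def block_body(text, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'.

    Plain brace counting is enough for illustration; a real HCL parser is
    needed to be safe against braces inside strings or comments.
    """
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces")


def find_resources(text, types):
    """Yield (type, name, body) for each top-level resource of the given types."""
    for m in RESOURCE_HEADER.finditer(text):
        rtype, rname = m.group(1), m.group(2)
        if rtype in types:
            yield rtype, rname, block_body(text, m.end() - 1)


def identity_registered(body):
    """Apply the rule's two allow-patterns to one resource body.

    Compliant when the identity block has type = "SystemAssigned", or a type
    together with identity_ids (the user-assigned case). Anything else,
    including an empty identity block, is flagged.
    """
    m = IDENTITY_HEADER.search(body)
    if m is None:
        return False, "no identity block"
    ident = block_body(body, m.end() - 1)
    t = TYPE_ATTR.search(ident)
    if t is None:
        return False, "identity block has no type"
    if t.group(1) == "SystemAssigned":
        return True, "SystemAssigned identity"
    if IDS_ATTR.search(ident):
        return True, f"{t.group(1)} identity with identity_ids"
    return False, f"type {t.group(1)!r} without identity_ids"


def scan(text, types=APP_SERVICE_TYPES):
    """Return one Finding per app-service resource whose identity is not registered."""
    findings = []
    for rtype, rname, body in find_resources(text, types):
        ok, reason = identity_registered(body)
        if not ok:
            findings.append(Finding(f"{rtype}.{rname}", reason))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_TF):
        print(f"appservice-account-identity-registered: {f.resource} ({f.reason})")
```

Running the script reports `bad_example`, `empty_identity` and `newer_no_identity`; restricting `types` to `("azurerm_app_service",)` reproduces the published rule's narrower scope and drops the last one. To run the real rule rather than this approximation, save the definition above as a YAML file and point Semgrep at it with `semgrep --config <rule.yaml> <terraform-dir>`.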
Short Link: https://sg.run/PbXY