terraform.azure.security.appservice.azure-appservice-identityprovider-enabled.azure-appservice-identityprovider-enabled

profile photo of semgrepsemgrep
Author
unknown
Download Count*

Ensure that Managed identity provider is enabled for app services

Run Locally

Run in CI

Defintion

rules:
  - id: azure-appservice-identityprovider-enabled
    message: Ensure that Managed identity provider is enabled for app services
    patterns:
      - pattern: resource
      - pattern-not-inside: |
          resource "azurerm_app_service" "..." {
          ...
          identity {
          ...
          type = "SystemAssigned"
          ...
          }
          ...
          }
      - pattern-inside: |
          resource "azurerm_app_service" "..." {
          ...
          }
    metadata:
      owasp:
        - A05:2017 - Broken Access Control
        - A01:2021 - Broken Access Control
      cwe:
        - "CWE-284: Improper Access Control"
      category: security
      technology:
        - terraform
        - azure
      references:
        - https://owasp.org/Top10/A01_2021-Broken_Access_Control
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    languages:
      - hcl
    severity: WARNING

Examples

azure-appservice-identityprovider-enabled.tf

# fail
# ruleid: azure-appservice-identityprovider-enabled
resource "azurerm_app_service" "example" {
    name                = "example-app-service"
    location            = azurerm_resource_group.example.location
    resource_group_name = azurerm_resource_group.example.name
    app_service_plan_id = azurerm_app_service_plan.example.id

    site_config {
        dotnet_framework_version = "v4.0"
        scm_type                 = "LocalGit"
    }

    app_settings = {
        "SOME_KEY" = "some-value"
    }

    connection_string {
        name  = "Database"
        type  = "SQLServer"
        value = "Server=some-server.mydomain.com;Integrated Security=SSPI"
    }
}

# pass
resource "azurerm_app_service" "example" {
    name                = "example-app-service"
    location            = azurerm_resource_group.example.location
    resource_group_name = azurerm_resource_group.example.name
    app_service_plan_id = azurerm_app_service_plan.example.id
    https_only          = true
    site_config {
        dotnet_framework_version = "v5.0"
        scm_type                 = "someValue"
    }
    identity {
        type = "SystemAssigned"
    }
}