bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

CKV_AZURE_145 incorrectly failing for azurerm_linux_function_app resource #6439

Open jaywithersbrewin opened 2 weeks ago

jaywithersbrewin commented 2 weeks ago

Describe the issue
Incorrectly failing on Check CKV_AZURE_145: "Ensure Function app is using the latest version of TLS encryption". This is on the azurerm_linux_function_app resource.

Examples
The following code is used on the azurerm_linux_function_app resource:

```hcl
minimum_tls_version = 1.2
```

Version (please complete the following information):

Additional context
The same (CKV_AZURE_145) check is passing on the azurerm_linux_function_app_slot resource. The check doesn't fail when using Checkov version 3.2.74.

tdefise commented 2 weeks ago

Hi @jaywithersbrewin,

Looking at the code of the check, it looks a bit weird.

tdefise commented 2 weeks ago

Tested the following

```hcl
resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_storage_account" "example" {
  name                     = "linuxfunctionappsa"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_service_plan" "example" {
  name                = "example-app-service-plan"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  os_type             = "Linux"
  sku_name            = "Y1"
}

resource "azurerm_linux_function_app" "example" {
  name                = "example-linux-function-app"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location

  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key
  service_plan_id            = azurerm_service_plan.example.id

  site_config {
    minimum_tls_version = 1.2
  }
}
```

```hcl
resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_storage_account" "example" {
  name                     = "linuxfunctionappsa"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_service_plan" "example" {
  name                = "example-app-service-plan"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  os_type             = "Linux"
  sku_name            = "Y1"
}

resource "azurerm_linux_function_app" "example" {
  name                = "example-linux-function-app"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location

  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key
  service_plan_id            = azurerm_service_plan.example.id

  site_config {
    minimum_tls_version = "1.2"
  }
}
```

Both pass on version 3.2.135
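The two test cases above differ only in whether `minimum_tls_version` is written as the HCL number `1.2` or the string `"1.2"`. A check that compares the raw parsed value against the string `"1.2"` would pass the second block and fail the first, which is exactly the kind of false positive this issue reports. The following is an added example, not Checkov's own check code nor anything posted in this thread: a small stand-alone re-implementation of the logic such a check needs, evaluated over constructed resource dicts that mimic how a Terraform parser represents the blocks above (numbers become floats, quoted strings stay strings). The helper names, the set of supported resource types and the decision to treat an omitted `site_config` or attribute as compliant (the Azure provider's default for this attribute is `"1.2"`) are this example's assumptions.

```python
# Added example (not Checkov's check implementation): normalise the parsed
# minimum_tls_version value before comparing it, so `1.2` and "1.2" are
# treated the same. All names here are this example's own.
from typing import Any, Optional

REQUIRED_TLS = "1.2"

# Assumption: the resource types such a check would cover.
SUPPORTED_RESOURCES = {
    "azurerm_function_app",
    "azurerm_linux_function_app",
    "azurerm_windows_function_app",
    "azurerm_linux_function_app_slot",
}


def normalize_tls_version(value: Any) -> Optional[str]:
    """Return the TLS version as a canonical string, or None when unset.

    HCL allows `minimum_tls_version = 1.2` (parsed as a float) as well as
    "1.2" (a str); both must compare equal to REQUIRED_TLS.
    """
    if isinstance(value, list):  # some parsers wrap scalars in a one-element list
        value = value[0] if value else None
    if value is None:
        return None
    if isinstance(value, (int, float)):
        return f"{value:.1f}"  # 1.2 -> "1.2", 1 -> "1.0"
    return str(value).strip()


def evaluate_min_tls(resource_type: str, conf: dict) -> str:
    """Return "PASSED", "FAILED" or "UNKNOWN" for one parsed resource block."""
    if resource_type not in SUPPORTED_RESOURCES:
        return "UNKNOWN"
    site_config = conf.get("site_config")
    if isinstance(site_config, list):  # nested blocks parse as a list of dicts
        site_config = site_config[0] if site_config else None
    if not site_config:
        # Assumption of this example: no site_config means the provider
        # default ("1.2") applies, so the resource is treated as compliant.
        return "PASSED"
    version = normalize_tls_version(site_config.get("minimum_tls_version"))
    if version is None:
        return "PASSED"  # attribute omitted -> provider default, same assumption
    return "PASSED" if version == REQUIRED_TLS else "FAILED"


# Constructed inputs mirroring the two azurerm_linux_function_app blocks in
# the comment above, plus a downgraded one so the FAILED path is exercised
# and one with no site_config at all.
SAMPLE_RESOURCES = [
    ("azurerm_linux_function_app", {"site_config": [{"minimum_tls_version": 1.2}]}),
    ("azurerm_linux_function_app", {"site_config": [{"minimum_tls_version": "1.2"}]}),
    ("azurerm_linux_function_app", {"site_config": [{"minimum_tls_version": "1.0"}]}),
    ("azurerm_linux_function_app", {}),
]


def run_samples() -> list:
    """Evaluate every constructed sample and return the verdicts in order."""
    return [evaluate_min_tls(rtype, conf) for rtype, conf in SAMPLE_RESOURCES]


if __name__ == "__main__":
    for (rtype, conf), verdict in zip(SAMPLE_RESOURCES, run_samples()):
        print(f"{rtype} {conf} -> {verdict}")
```

The point of `normalize_tls_version` is that the comparison happens on a canonical string, so the numeric and quoted spellings in the two Terraform blocks produce the same verdict, while a genuinely weaker value such as `"1.0"` still fails.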

jaywithersbrewin commented 2 weeks ago

I also have minimum_tls_version set to 1.2 in a site_config block.

The guide on the failed check is: Azure Function app does not use the latest version of TLS encryption (prismacloud.io): https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/ensure-azure-function-app-uses-the-latest-version-of-tls-encryption. In this, the "azurerm_function_app" is used and not the "azurerm_linux_function_app" resource.

Thanks,
