feat(misconf): Add AppService checks (#503)

* add appService checks

* fix python version check

* fix php check

---------

Co-authored-by: simar7 <[email protected]>
Co-authored-by: Nikita Pivkin <[email protected]>

Author: 3 people

avd_docs/azure/appservice/AVD-AZU-0069/Terraform.md

@@ -0,0 +1,31 @@
+
+Update to a supported PHP version (8.1 or higher). Consider migrating from azurerm_app_service to azurerm_linux_web_app for access to modern PHP versions.
+
+```hcl
+resource "azurerm_app_service" "good_example" {
+  name                = "example-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  app_service_plan_id = azurerm_app_service_plan.example.id
+
+  site_config {
+    php_version = "8.2"
+  }
+}
+```
+```hcl
+resource "azurerm_app_service" "good_example_no_php" {
+  name                = "example-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  app_service_plan_id = azurerm_app_service_plan.example.id
+
+  site_config {
+    # No PHP version specified - not using PHP
+  }
+}
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#php_version
+

avd_docs/azure/appservice/AVD-AZU-0069/docs.md

@@ -0,0 +1,15 @@
+
+Using an unsupported PHP runtime in Azure App Service may expose applications to security vulnerabilities
+as these versions no longer receive security patches. This check ensures PHP versions are still supported.
+
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#php_version
+
+

avd_docs/azure/appservice/AVD-AZU-0070/Terraform.md

@@ -0,0 +1,63 @@
+
+Update to a supported Python version (3.9 or higher). Consider migrating from azurerm_app_service to azurerm_linux_web_app for access to modern Python versions.
+
+```hcl
+# Supported Python version (3.9 or higher)
+resource "azurerm_app_service" "good_example_supported" {
+  name                = "example-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  app_service_plan_id = azurerm_app_service_plan.example.id
+
+  site_config {
+    python_version = "3.9"
+  }
+}
+```
+```hcl
+# Current stable version
+resource "azurerm_app_service" "good_example_current" {
+  name                = "example-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  app_service_plan_id = azurerm_app_service_plan.example.id
+
+  site_config {
+    python_version = "3.12"
+  }
+}
+```
+```hcl
+# No Python version specified - not using Python
+resource "azurerm_app_service" "good_example_no_python" {
+  name                = "example-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  app_service_plan_id = azurerm_app_service_plan.example.id
+
+  site_config {
+    # No Python version specified - not using Python
+  }
+}
+```
+```hcl
+# Modern Linux Web App with latest Python (recommended approach)
+resource "azurerm_linux_web_app" "good_example_modern" {
+  name                = "example-linux-webapp"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  service_plan_id     = azurerm_service_plan.example.id
+
+  site_config {
+    application_stack {
+      python_version = "3.12"
+    }
+  }
+}
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#python_version
+
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_web_app#python_version
+

avd_docs/azure/appservice/AVD-AZU-0070/docs.md

@@ -0,0 +1,19 @@
+
+Using an unsupported Python runtime in Azure App Service may expose applications to security vulnerabilities
+as these versions no longer receive security patches. This check ensures Python versions are still supported by the Python Foundation.
+
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#python_version
+
+- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_web_app#python_version
+
+- https://peps.python.org/pep-0602/
+
+

avd_docs/azure/appservice/AVD-AZU-0071/Terraform.md

@@ -0,0 +1,31 @@
+
+Set FTPS state to 'FTPS Only' in App Service settings to prevent plaintext FTP.
+
+```hcl
+resource "azurerm_app_service" "good_example" {
+  name                = "example-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  app_service_plan_id = azurerm_app_service_plan.example.id
+
+  site_config {
+    ftps_state = "FtpsOnly"
+  }
+}
+```
+```hcl
+resource "azurerm_app_service" "good_example_disabled" {
+  name                = "example-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  app_service_plan_id = azurerm_app_service_plan.example.id
+
+  site_config {
+    ftps_state = "Disabled"
+  }
+}
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#ftps_state
+

avd_docs/azure/appservice/AVD-AZU-0071/docs.md

@@ -0,0 +1,14 @@
+
+Allowing plain FTP risks credentials and data being transmitted unencrypted.
+
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#ftps_state
+
+

avd_docs/azure/appservice/AVD-AZU-0072/Terraform.md

@@ -0,0 +1,16 @@
+
+Set 'HTTPS Only' to true in App Service TLS settings to force encrypted transport.
+
+```hcl
+resource "azurerm_app_service" "good_example" {
+  name                = "example-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  app_service_plan_id = azurerm_app_service_plan.example.id
+  https_only          = true
+}
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#https_only
+

avd_docs/azure/appservice/AVD-AZU-0072/docs.md

@@ -0,0 +1,14 @@
+
+Allowing HTTP undermines transport encryption and exposes user data.
+
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#https_only
+
+

checks/cloud/azure/appservice/enforce_ftps.rego

@@ -0,0 +1,46 @@
+# METADATA
+# title: App Service FTPS Enforce Disabled
+# description: |
+#   Allowing plain FTP risks credentials and data being transmitted unencrypted.
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#ftps_state
+# custom:
+#   id: AVD-AZU-0071
+#   avd_id: AVD-AZU-0071
+#   provider: azure
+#   service: appservice
+#   severity: MEDIUM
+#   minimum_trivy_version: 0.68.0
+#   short_code: enforce-ftps
+#   recommended_action: Set FTPS state to 'FTPS Only' in App Service settings to prevent plaintext FTP.
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: appservice
+#             provider: azure
+#   examples: checks/cloud/azure/appservice/enforce_ftps.yaml
+package builtin.azure.appservice.azure0071
+
+import rego.v1
+
+import data.lib.cloud.metadata
+
+secure_ftps_states := {"FtpsOnly", "Disabled"}
+
+deny contains res if {
+	some service in input.azure.appservice.services
+	isManaged(service)
+	not is_secure_ftps_state(service)
+	res := result.new(
+		sprintf("App service allows insecure FTP access. FTPS state is set to '%s' but should be 'FtpsOnly' or 'Disabled'", [service.site.ftpsstate.value]),
+		metadata.obj_by_path(service, ["site", "ftpsstate"]),
+	)
+}
+
+is_secure_ftps_state(service) if {
+	service.site.ftpsstate.value in secure_ftps_states
+}

checks/cloud/azure/appservice/enforce_ftps.yaml

@@ -0,0 +1,49 @@
+terraform:
+  links:
+    - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#ftps_state
+  good:
+    - |-
+      resource "azurerm_app_service" "good_example" {
+        name                = "example-app-service"
+        location            = azurerm_resource_group.example.location
+        resource_group_name = azurerm_resource_group.example.name
+        app_service_plan_id = azurerm_app_service_plan.example.id
+
+        site_config {
+          ftps_state = "FtpsOnly"
+        }
+      }
+    - |-
+      resource "azurerm_app_service" "good_example_disabled" {
+        name                = "example-app-service"
+        location            = azurerm_resource_group.example.location
+        resource_group_name = azurerm_resource_group.example.name
+        app_service_plan_id = azurerm_app_service_plan.example.id
+
+        site_config {
+          ftps_state = "Disabled"
+        }
+      }
+  bad:
+    - |-
+      resource "azurerm_app_service" "bad_example" {
+        name                = "example-app-service"
+        location            = azurerm_resource_group.example.location
+        resource_group_name = azurerm_resource_group.example.name
+        app_service_plan_id = azurerm_app_service_plan.example.id
+
+        site_config {
+          ftps_state = "AllAllowed"
+        }
+      }
+    - |-
+      resource "azurerm_app_service" "bad_example_default" {
+        name                = "example-app-service"
+        location            = azurerm_resource_group.example.location
+        resource_group_name = azurerm_resource_group.example.name
+        app_service_plan_id = azurerm_app_service_plan.example.id
+
+        site_config {
+          # No ftps_state specified - defaults to insecure
+        }
+      }