
Azure Code Review Demo #5

Open · wants to merge 1 commit into base: master

Conversation

@5toCode (Owner) commented Dec 13, 2021

I've created some new Azure resources - please let me know if I've done this correctly!

@bridgecrew bot (Contributor) left a comment

Bridgecrew has found infrastructure configuration errors in this PR ⬇️

@@ -0,0 +1,10 @@
resource azurerm_app_service "app-service2" {
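Review bot: the resource type label is unquoted here (`resource azurerm_app_service "app-service2" {`); Terraform's canonical form is `resource "azurerm_app_service" "app-service2" {`, which is what `terraform fmt` emits and what every "How to Fix" snippet in this review uses, so quote it before applying the suggestions, since each of them copies the unquoted line verbatim. Only this opening line of the ten-line file is shown, and every finding attached to it concerns a block or attribute the resource lacks rather than a line it changes, so they are best applied together as one revision rather than one suggestion at a time.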
@bridgecrew bot (Contributor) commented Dec 13, 2021

Suggested change
resource azurerm_app_service "app-service2" {
resource azurerm_app_service "app-service2" {
auth_settings {
enabled = true
}
HIGH   Ensure Azure App Service Web app authentication is on
    Resource: azurerm_app_service.app-service2 | ID: BC_AZR_GENERAL_2

Description

Azure App Service Authentication is a feature that prevents anonymous HTTP requests from reaching the API app. Users with tokens are authenticated before they reach the API app. If an anonymous request is received from a browser, App Service redirects to a logon page. To handle the logon process, select from a set of identity providers, or implement a custom authentication mechanism.

Enabling App Service Authentication allows every incoming HTTP request to pass through it before being handled by the application code. Authentication of users with specified providers is handled, for example, Azure Active Directory, Facebook, Google, Microsoft Account, and Twitter. It also handles validation, storing and refreshing of tokens, managing the authenticated sessions, and injecting identity information into request headers.

Benchmarks

  • CIS AZURE V1.1 9.1
  • CIS AZURE V1.3 9.1

@@ -0,0 +1,10 @@
resource azurerm_app_service "app-service2" {
@bridgecrew bot (Contributor) commented Dec 13, 2021

Suggested change
resource azurerm_app_service "app-service2" {
resource azurerm_app_service "app-service2" {
storage_account {
type = "AzureFiles"
}
LOW   Ensure app services use Azure files
    Resource: azurerm_app_service.app-service2 | ID: BC_AZR_GENERAL_65

Description

TBA

@@ -0,0 +1,10 @@
resource azurerm_app_service "app-service2" {
@bridgecrew bot (Contributor) commented Dec 13, 2021

Suggested change
resource azurerm_app_service "app-service2" {
resource azurerm_app_service "app-service2" {
identity {
type = "SystemAssigned"
}
MEDIUM   Ensure App Service is registered with an Azure Active Directory account
    Resource: azurerm_app_service.app-service2 | ID: BC_AZR_IAM_1

Description

Managed service identity in **App Service** increases security by eliminating secrets from the app, for example, credentials in the connection strings. **App Service** provides a highly-scalable, self-patching web hosting service in Azure. It also provides a managed identity for apps, which is a turn-key solution for securing access to an Azure SQL Database and other Azure services.

We recommend you register the App Service with your Azure Active Directory account, ensuring the app will connect securely to other Azure services without the need for usernames and passwords.

Benchmarks

  • CIS AZURE V1.1 9.5
  • CIS AZURE V1.3 9.5

@@ -0,0 +1,10 @@
resource azurerm_app_service "app-service2" {
@bridgecrew bot (Contributor) commented Dec 13, 2021

LOW   Ensure managed identity provider is enabled for app services
    Resource: azurerm_app_service.app-service2 | ID: BC_AZR_GENERAL_54

How to Fix

resource "azurerm_app_service" "example" {
  ...
+ identity {
+   type = "SystemAssigned"
  }
}

Description

TBA

@@ -0,0 +1,10 @@
resource azurerm_app_service "app-service2" {
@bridgecrew bot (Contributor) commented Dec 13, 2021

LOW   Ensure Azure resources that support tags have tags
    Resource: azurerm_app_service.app-service2 | ID: BC_AZR_GENERAL_81

How to Fix

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_managed_disk" "example" {
  name                 = "acctestmd"
  location             = "West US 2"
  resource_group_name  = azurerm_resource_group.example.name
  storage_account_type = "Standard_LRS"
  create_option        = "Empty"
  disk_size_gb         = "1"

+  tags = {
+    environment = "staging"
  }
}

Description

Many different types of Azure resources support tags. Tags allow you to add metadata to a resource to help identify ownership, perform cost / billing analysis, and to enrich a resource with other valuable information, such as descriptions and environment names. While there are many ways that tags can be used, we recommend you follow a tagging practice.

View Microsoft's recommended tagging best practices here.

@@ -0,0 +1,10 @@
resource azurerm_app_service "app-service2" {
@bridgecrew bot (Contributor) commented Dec 13, 2021

Suggested change
resource azurerm_app_service "app-service2" {
resource azurerm_app_service "app-service2" {
client_cert_enabled = true
MEDIUM   Ensure Web App has incoming client certificates enabled
    Resource: azurerm_app_service.app-service2 | ID: BC_AZR_NETWORKING_7

Description

Client certificates allow the Web App to require a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.

The TLS mutual authentication technique in enterprise environments ensures the authenticity of clients to the server. If incoming client certificates are enabled only an authenticated client with valid certificates can access the app.

Benchmarks

  • CIS AZURE V1.1 9.4
  • FEDRAMP (MODERATE) 9.4
  • CIS AZURE V1.3 9.4

@@ -0,0 +1,10 @@
resource azurerm_app_service "app-service2" {
@bridgecrew bot (Contributor) commented Dec 13, 2021

Suggested change
resource azurerm_app_service "app-service2" {
resource azurerm_app_service "app-service2" {
logs {
failed_request_tracing_enabled = true
}
LOW   Ensure app service enables failed request tracing
    Resource: azurerm_app_service.app-service2 | ID: BC_AZR_LOGGING_10

Description

TBA

@@ -0,0 +1,10 @@
resource azurerm_app_service "app-service2" {
@bridgecrew bot (Contributor) commented Dec 13, 2021

MEDIUM   Ensure Web App uses the latest version of HTTP
    Resource: azurerm_app_service.app-service2 | ID: BC_AZR_NETWORKING_8

How to Fix

resource "azurerm_app_service" "example" {
    ...

+    site_config {
+        http2_enabled = true
    }
}

Description

Periodically, new versions of HTTP are released to address security flaws and include additional functionality. HTTP 2.0 has additional performance improvements on the head-of-line blocking problem of the older HTTP version, header compression, and prioritization of requests. HTTP 2.0 no longer supports HTTP 1.1's chunked transfer encoding mechanism, as it provides its own more efficient mechanisms for data streaming.

We recommend you use the latest HTTP version for web apps and take advantage of any security fixes and new functionalities featured. With each software installation you can determine if a given update meets your organization's requirements. Organizations should verify the compatibility and support provided for any additional software, assessing the current version against the update revision being considered.

Benchmarks

  • CIS AZURE V1.1 9.10
  • CIS AZURE V1.3 9.9

@@ -0,0 +1,10 @@
resource azurerm_app_service "app-service2" {
@bridgecrew bot (Contributor) commented Dec 13, 2021

LOW   Ensure app service enables HTTP logging
    Resource: azurerm_app_service.app-service2 | ID: BC_AZR_LOGGING_8

How to Fix

resource "azurerm_app_service" "example" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id

+ logs {
+   http_logs {
      retention_in_days = 4
      retention_in_mb = 10
    }
  }

  app_settings = {
    "SOME_KEY" = "some-value"
  }

  connection_string {
    name  = "Database"
    type  = "SQLServer"
    value = "Server=some-server.mydomain.com;Integrated Security=SSPI"
  }
}

Description

TBA

@@ -0,0 +1,10 @@
resource azurerm_app_service "app-service2" {
@bridgecrew bot (Contributor) commented Dec 13, 2021

Suggested change
resource azurerm_app_service "app-service2" {
resource azurerm_app_service "app-service2" {
https_only = true
MEDIUM   Ensure Azure App Service Web app redirects HTTP to HTTPS
    Resource: azurerm_app_service.app-service2 | ID: BC_AZR_NETWORKING_5

Description

Azure Web Apps by default allows sites to run under both HTTP and HTTPS, and can be accessed by anyone using non-secure HTTP links. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port.

We recommend you enforce HTTPS-only traffic to increase security. This will redirect all non-secure HTTP requests to HTTPS ports. HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated.

Benchmarks

  • CIS AZURE V1.1 9.2
  • CIS AZURE V1.3 9.2
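The ten findings above (BC_AZR_GENERAL_2, BC_AZR_GENERAL_65, BC_AZR_IAM_1, BC_AZR_GENERAL_54, BC_AZR_GENERAL_81, BC_AZR_NETWORKING_7, BC_AZR_LOGGING_10, BC_AZR_NETWORKING_8, BC_AZR_LOGGING_8, BC_AZR_NETWORKING_5) remediated together in one resource, as an added example that is neither the PR's file nor one of Bridgecrew's suggestions. It assumes the azurerm 2.x provider schema and that `azurerm_resource_group.example`, `azurerm_app_service_plan.example` and `azurerm_storage_account.example` exist; the AAD client id, share and tag values are placeholders.

```hcl
# Added example (assumes azurerm 2.x schema); names and ids are placeholders.
resource "azurerm_app_service" "app-service2" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id

  https_only          = true # BC_AZR_NETWORKING_5: redirect HTTP to HTTPS
  client_cert_enabled = true # BC_AZR_NETWORKING_7: require client certificates (mTLS)

  identity { # BC_AZR_IAM_1 / BC_AZR_GENERAL_54: a block, not "identity = true"
    type = "SystemAssigned"
  }

  # BC_AZR_GENERAL_2: "enabled = true" only switches the feature on; it still
  # needs a provider to authenticate against and a policy for anonymous requests
  auth_settings {
    enabled                       = true
    default_provider              = "AzureActiveDirectory"
    unauthenticated_client_action = "RedirectToLoginPage"
    active_directory {
      client_id = "00000000-0000-0000-0000-000000000000" # placeholder app registration id
    }
  }

  site_config {
    http2_enabled = true # BC_AZR_NETWORKING_8
  }

  logs {
    failed_request_tracing_enabled = true # BC_AZR_LOGGING_10
    http_logs {                           # BC_AZR_LOGGING_8
      file_system {
        retention_in_days = 4
        retention_in_mb   = 35 # constructed value; the provider accepts 25..100
      }
    }
  }

  storage_account { # BC_AZR_GENERAL_65: Azure Files share, placeholder values
    name         = "content"
    type         = "AzureFiles"
    account_name = azurerm_storage_account.example.name
    access_key   = azurerm_storage_account.example.primary_access_key
    share_name   = "app-content"
  }

  tags = { environment = "staging" } # BC_AZR_GENERAL_81
}
```

Re-running the scanner (or `checkov -d .`) against this file should report none of the ten checks above; `terraform validate` is the quickest way to confirm the block shapes before pushing.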
