app_function_application_insights_enabled bug resulting in false positives

[b3n-j4m1n]

Steps to Reproduce

prowler azure --check app_function_application_insights_enabled

Expected behavior

check is only looking for APPINSIGHTS_INSTRUMENTATIONKEY environment variable and not APPLICATIONINSIGHTS_CONNECTION_STRING, either or both means Application Insights is enabled, currently if only APPLICATIONINSIGHTS_CONNECTION_STRING exists Prowler will report it as a FAIL when it is actually a PASS.

Actual Result with Screenshots or Logs

n/a

How did you install Prowler?

Cloning the repository from github.com (git clone)

Environment Resource

workstation

OS used

Windows

Prowler version

5.4.0

Pip version

24.0

Context

suggested updates:

prowler\providers\azure\services\app\app_service.py

...
instrumentation_key=getattr(
    component, "instrumentation_key", "Not Found"
        ),
    connection_string=getattr(
        component, "connection_string", "Not Found"
        ),
...

...
class Component(BaseModel):
    resource_id: str
    resource_name: str
    location: str
    instrumentation_key: str
    connection_string: str
...

prowler\providers\azure\services\app\app_function_application_insights_enabled\app_function_application_insights_enabled.py

...
if function.enviroment_variables.get(
                    "APPINSIGHTS_INSTRUMENTATIONKEY", ""
                ) in [
                    component.instrumentation_key
                    for component in appinsights_client.components[
                        subscription_name
                    ].values()
                ] or function.enviroment_variables.get(
                    "APPLICATIONINSIGHTS_CONNECTION_STRING", ""
                ) in [
                    component.connection_string
                    for component in appinsights_client.components[
                        subscription_name
                    ].values()
...

[HugoPBrito]

Good catch @b3n-j4m1n !

Would you like to open a pull request with those changes?

[puchy22]

Hi @b3n-j4m1n, you were right — we've added support for the APPLICATIONINSIGHTS_CONNECTION_STRING, you can check that changes in the PR #7763. We also realized that we were marking checks as FAIL if the Application Insights instance wasn’t in the same subscription as the App Function. This could lead to false positives when the App is actually connected to an Application Insights component in a different subscription or tenant.

To address this, we’ve now changed the logic to simply check whether either APPINSIGHTS_INSTRUMENTATIONKEY or APPLICATIONINSIGHTS_CONNECTION_STRING is present in the configuration. We understand this isn’t a perfect solution, since those values could point to a non-existent or misconfigured Application Insights resource — but at the moment, we don’t have the resources to validate that.

We’d love to hear your thoughts on this approach. Do you think it’s a reasonable compromise for now?