Policy Packs
Azure CIS v2.0.0 - Section 9 - App Service

Policy Setting: Azure > App Service > Web App > Approved > Custom

Policies

This policy setting is dependent on the following policy types:

Source

# Custom "Approved" check for Azure App Service web apps, attached to the policy
# pack referenced by turbot_policy_pack.main. The template below emits one result
# per check (App Service authentication, Java, PHP, Python), each carrying
# "Approved", "Not approved" or "Skip".
resource "turbot_policy_setting" "azure_appservice_webapp_approved_custom" {
resource = turbot_policy_pack.main.id
type = "tmod:@turbot/azure-appservice#/policy/types/webAppApprovedCustom"
# Maps this setting to the CIS controls it is meant to evidence.
note = "Azure CIS v2.0.0 - Control: 9.1, 9.6, 9.7 and 9.8"
# Query feeding the template: three hard-coded lists of runtime versions that are
# treated as outdated, plus the web app's authSettings.enabled flag and its
# configured Java / PHP / Python versions.
# NOTE(review): the lists are a static denylist. Any non-empty version string that
# is not listed is reported as "Approved", so a runtime that reaches end of support
# after this file was written, or an older release that was never listed, passes.
# Review the lists against the vendors' support schedules on a fixed cadence.
# NOTE(review): the `in` test in the template assumes constant() delivers a list and
# that Azure reports versions in exactly the listed spelling (for example Java 8 as
# '8' rather than '1.8'). If the value arrived as a raw string the test would become
# a substring match. TODO confirm both against real CMDB data.
# NOTE(review): only authSettings.enabled is read; whether apps configured through a
# newer auth settings API are reflected in this field is not visible here. Confirm.
template_input = <<-EOT
{
outdatedJavaVersions: constant(value: "['8', '11']")
outdatedPhpVersions: constant(value: "['5.6', '7.0', '7.1', '7.2', '7.3']")
outdatedPythonVersions: constant(value: "['2.7', '3.4', '3.5', '3.6']")
webApp {
appServiceAuth: get(path:"authSettings.enabled"),
javaVersion: get(path:"configuration.javaVersion"),
phpVersion: get(path:"configuration.phpVersion"),
pythonVersion: get(path:"configuration.pythonVersion")
}
}
EOT
# Rendering: four independent if / elif / else checks, each appending one object to
# `results`, which is finally emitted as JSON.
#   Authentication: false -> "Not approved", true -> "Approved", anything else -> "Skip".
#   Runtimes: version found in the outdated list -> "Not approved"; any other
#   non-empty value -> "Approved"; empty or missing -> "Skip".
# NOTE(review): "Skip" is "no verdict", not compliance. A web app whose runtime is
# not exposed through javaVersion / phpVersion / pythonVersion skips all three
# version checks (presumably the case for Linux apps that describe their stack in
# linuxFxVersion; confirm), and an app whose auth settings have not been discovered
# skips the authentication check. Report on "Skip" results so that unassessed apps
# are not read as passing controls 9.1 and 9.6 to 9.8.
# NOTE(review): the "Not approved" authentication branch uses the title
# "App Service authentication" (lower-case "a") while the other two branches use
# "App Service Authentication"; anything that groups results by title will see two keys.
template = <<-EOT
{% set results = [] -%}
{%- if $.webApp.appServiceAuth == false -%}
{%- set data = {
"title": "App Service authentication",
"result": "Not approved",
"message": "App Service authentication is disabled"
} -%}
{%- elif $.webApp.appServiceAuth == true -%}
{%- set data = {
"title": "App Service Authentication",
"result": "Approved",
"message": "App Service authentication is enabled"
} -%}
{%- else -%}
{%- set data = {
"title": "App Service Authentication",
"result": "Skip",
"message": "No data for authentication yet"
} -%}
{%- endif -%}
{% set results = results.concat(data) -%}
{%- if $.webApp.javaVersion in $.outdatedJavaVersions -%}
{%- set data = {
"title": "Java Version",
"result": "Not approved",
"message": "Web App is running with outdated Java version"
} -%}
{%- elif $.webApp.javaVersion -%}
{%- set data = {
"title": "Java Version",
"result": "Approved",
"message": "Web App is running on a latest Java version"
} -%}
{%- else -%}
{%- set data = {
"title": "Java Version",
"result": "Skip",
"message": "No data for web app yet"
} -%}
{%- endif -%}
{% set results = results.concat(data) -%}
{%- if $.webApp.phpVersion in $.outdatedPhpVersions -%}
{%- set data = {
"title": "PHP Version",
"result": "Not approved",
"message": "Web App is running with outdated PHP version"
} -%}
{%- elif $.webApp.phpVersion -%}
{%- set data = {
"title": "PHP Version",
"result": "Approved",
"message": "Web App is running on a latest PHP version"
} -%}
{%- else -%}
{%- set data = {
"title": "PHP Version",
"result": "Skip",
"message": "No data for web app yet"
} -%}
{%- endif -%}
{% set results = results.concat(data) -%}
{%- if $.webApp.pythonVersion in $.outdatedPythonVersions -%}
{%- set data = {
"title": "Python Version",
"result": "Not approved",
"message": "Web App is running with outdated Python version"
} -%}
{%- elif $.webApp.pythonVersion -%}
{%- set data = {
"title": "Python Version",
"result": "Approved",
"message": "Web App is running on a latest Python version"
} -%}
{%- else -%}
{%- set data = {
"title": "Python Version",
"result": "Skip",
"message": "No data for web app yet"
} -%}
{%- endif -%}
{% set results = results.concat(data) -%}
{{ results | json }}
EOT
}