| Repository | microsoft / NubesGen |
|---|---|
| Description | Going to production on Azure is only one `git push` away |
| Stars | 278 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found in any of the CI/CD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example `checkov` output found below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository
Checkov Output
terraform scan results:
Passed checks: 233, Failed checks: 619, Skipped checks: 0
Check: CKV_AZURE_164: "Ensures that ACR uses signed/trusted images"
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/aca-docker/terraform/modules/container-apps/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/aca-docker/terraform/main.tf:45-51
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_166: "Ensure container image quarantine, scan, and mark images verified"
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/aca-docker/terraform/modules/container-apps/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/aca-docker/terraform/main.tf:45-51
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_139: "Ensure ACR set to disable public networking"
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/aca-docker/terraform/modules/container-apps/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/aca-docker/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-azure-acr-is-set-to-disable-public-networking.html
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_165: "Ensure geo-replicated container registries to match multi-region container deployments."
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/aca-docker/terraform/modules/container-apps/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/aca-docker/terraform/main.tf:45-51
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_137: "Ensure ACR admin account is disabled"
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/aca-docker/terraform/modules/container-apps/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/aca-docker/terraform/main.tf:45-51
Guide: https://docs.bridgecrew.io/docs/ensure-azure-acr-admin-account-is-disabled
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_163: "Enable vulnerability scanning for container images."
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/aca-docker/terraform/modules/container-apps/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/aca-docker/terraform/main.tf:45-51
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_167: "Ensure a retention policy is set to cleanup untagged manifests."
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/aca-docker/terraform/modules/container-apps/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/aca-docker/terraform/main.tf:45-51
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_164: "Ensures that ACR uses signed/trusted images"
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/modules/container-apps/main.tf:20-31
Calling File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/main.tf:41-52
20 | resource "azurerm_container_registry" "container-registry" {
21 | name = azurecaf_name.container_registry.result
22 | resource_group_name = var.resource_group
23 | location = var.location
24 | admin_enabled = true
25 | sku = "Basic"
26 |
27 | tags = {
28 | "environment" = var.environment
29 | "application-name" = var.application_name
30 | }
31 | }
Check: CKV_AZURE_166: "Ensure container image quarantine, scan, and mark images verified"
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/modules/container-apps/main.tf:20-31
Calling File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/main.tf:41-52
20 | resource "azurerm_container_registry" "container-registry" {
21 | name = azurecaf_name.container_registry.result
22 | resource_group_name = var.resource_group
23 | location = var.location
24 | admin_enabled = true
25 | sku = "Basic"
26 |
27 | tags = {
28 | "environment" = var.environment
29 | "application-name" = var.application_name
30 | }
31 | }
Check: CKV_AZURE_139: "Ensure ACR set to disable public networking"
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/modules/container-apps/main.tf:20-31
Calling File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/main.tf:41-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-azure-acr-is-set-to-disable-public-networking.html
20 | resource "azurerm_container_registry" "container-registry" {
21 | name = azurecaf_name.container_registry.result
22 | resource_group_name = var.resource_group
23 | location = var.location
24 | admin_enabled = true
25 | sku = "Basic"
26 |
27 | tags = {
28 | "environment" = var.environment
29 | "application-name" = var.application_name
30 | }
31 | }
Check: CKV_AZURE_165: "Ensure geo-replicated container registries to match multi-region container deployments."
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/modules/container-apps/main.tf:20-31
Calling File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/main.tf:41-52
20 | resource "azurerm_container_registry" "container-registry" {
21 | name = azurecaf_name.container_registry.result
22 | resource_group_name = var.resource_group
23 | location = var.location
24 | admin_enabled = true
25 | sku = "Basic"
26 |
27 | tags = {
28 | "environment" = var.environment
29 | "application-name" = var.application_name
30 | }
31 | }
Check: CKV_AZURE_137: "Ensure ACR admin account is disabled"
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/modules/container-apps/main.tf:20-31
Calling File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/main.tf:41-52
Guide: https://docs.bridgecrew.io/docs/ensure-azure-acr-admin-account-is-disabled
20 | resource "azurerm_container_registry" "container-registry" {
21 | name = azurecaf_name.container_registry.result
22 | resource_group_name = var.resource_group
23 | location = var.location
24 | admin_enabled = true
25 | sku = "Basic"
26 |
27 | tags = {
28 | "environment" = var.environment
29 | "application-name" = var.application_name
30 | }
31 | }
Check: CKV_AZURE_163: "Enable vulnerability scanning for container images."
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/modules/container-apps/main.tf:20-31
Calling File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/main.tf:41-52
20 | resource "azurerm_container_registry" "container-registry" {
21 | name = azurecaf_name.container_registry.result
22 | resource_group_name = var.resource_group
23 | location = var.location
24 | admin_enabled = true
25 | sku = "Basic"
26 |
27 | tags = {
28 | "environment" = var.environment
29 | "application-name" = var.application_name
30 | }
31 | }
Check: CKV_AZURE_167: "Ensure a retention policy is set to cleanup untagged manifests."
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/modules/container-apps/main.tf:20-31
Calling File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/main.tf:41-52
20 | resource "azurerm_container_registry" "container-registry" {
21 | name = azurecaf_name.container_registry.result
22 | resource_group_name = var.resource_group
23 | location = var.location
24 | admin_enabled = true
25 | sku = "Basic"
26 |
27 | tags = {
28 | "environment" = var.environment
29 | "application-name" = var.application_name
30 | }
31 | }
Check: CKV_AZURE_109: "Ensure that key vault allows firewall rules settings"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/modules/key-vault/main.tf:18-32
Calling File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/main.tf:63-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-key-vault-allows-firewall-rules-settings.html
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | tags = {
29 | "environment" = var.environment
30 | "application-name" = var.application_name
31 | }
32 | }
Check: CKV_AZURE_42: "Ensure the key vault is recoverable"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/modules/key-vault/main.tf:18-32
Calling File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/main.tf:63-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-the-key-vault-is-recoverable.html
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | tags = {
29 | "environment" = var.environment
30 | "application-name" = var.application_name
31 | }
32 | }
Check: CKV_AZURE_189: "Ensure that Azure Key Vault disables public network access"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/modules/key-vault/main.tf:18-32
Calling File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/main.tf:63-72
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | tags = {
29 | "environment" = var.environment
30 | "application-name" = var.application_name
31 | }
32 | }
Check: CKV_AZURE_110: "Ensure that key vault enables purge protection"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/modules/key-vault/main.tf:18-32
Calling File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/main.tf:63-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-enables-purge-protection.html
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | tags = {
29 | "environment" = var.environment
30 | "application-name" = var.application_name
31 | }
32 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.database_username
File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/modules/key-vault/main.tf:47-53
Calling File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/main.tf:63-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
47 | resource "azurerm_key_vault_secret" "database_username" {
48 | name = "database-username"
49 | value = var.database_username
50 | key_vault_id = azurerm_key_vault.application.id
51 |
52 | depends_on = [ azurerm_key_vault_access_policy.client ]
53 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.database_username
File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/modules/key-vault/main.tf:47-53
Calling File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/main.tf:63-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
47 | resource "azurerm_key_vault_secret" "database_username" {
48 | name = "database-username"
49 | value = var.database_username
50 | key_vault_id = azurerm_key_vault.application.id
51 |
52 | depends_on = [ azurerm_key_vault_access_policy.client ]
53 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.database_password
File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/modules/key-vault/main.tf:55-61
Calling File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/main.tf:63-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
55 | resource "azurerm_key_vault_secret" "database_password" {
56 | name = "database-password"
57 | value = var.database_password
58 | key_vault_id = azurerm_key_vault.application.id
59 |
60 | depends_on = [ azurerm_key_vault_access_policy.client ]
61 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.database_password
File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/modules/key-vault/main.tf:55-61
Calling File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/main.tf:63-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
55 | resource "azurerm_key_vault_secret" "database_password" {
56 | name = "database-password"
57 | value = var.database_password
58 | key_vault_id = azurerm_key_vault.application.id
59 |
60 | depends_on = [ azurerm_key_vault_access_policy.client ]
61 | }
Check: CKV_AZURE_136: "Ensure that PostgreSQL Flexible server enables geo-redundant backups"
FAILED for resource: module.database.azurerm_postgresql_flexible_server.database
File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/modules/postgresql/main.tf:28-56
Calling File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/main.tf:54-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-azure-postgresql-flexible-server-enables-geo-redundant-backups.html
28 | resource "azurerm_postgresql_flexible_server" "database" {
29 | name = azurecaf_name.postgresql_server.result
30 | resource_group_name = var.resource_group
31 | location = var.location
32 |
33 | administrator_login = var.administrator_login
34 | administrator_password = random_password.password.result
35 |
36 | sku_name = "B_Standard_B1ms"
37 | storage_mb = 32768
38 | backup_retention_days = 7
39 | version = "13"
40 | geo_redundant_backup_enabled = false
41 | dynamic "high_availability" {
42 | for_each = local.feature_flags.high_available_type
43 | content {
44 | mode = high_availability.value
45 | }
46 | }
47 |
48 | tags = {
49 | "environment" = var.environment
50 | "application-name" = var.application_name
51 | }
52 |
53 | lifecycle {
54 | ignore_changes = [ zone, high_availability.0.standby_availability_zone ]
55 | }
56 | }
Check: CKV_AZURE_164: "Ensures that ACR uses signed/trusted images"
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring/terraform/modules/container-apps/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring/terraform/main.tf:45-51
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_166: "Ensure container image quarantine, scan, and mark images verified"
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring/terraform/modules/container-apps/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring/terraform/main.tf:45-51
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_139: "Ensure ACR set to disable public networking"
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring/terraform/modules/container-apps/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-azure-acr-is-set-to-disable-public-networking.html
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_165: "Ensure geo-replicated container registries to match multi-region container deployments."
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring/terraform/modules/container-apps/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring/terraform/main.tf:45-51
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_137: "Ensure ACR admin account is disabled"
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring/terraform/modules/container-apps/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring/terraform/main.tf:45-51
Guide: https://docs.bridgecrew.io/docs/ensure-azure-acr-admin-account-is-disabled
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_163: "Enable vulnerability scanning for container images."
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring/terraform/modules/container-apps/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring/terraform/main.tf:45-51
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_167: "Ensure a retention policy is set to cleanup untagged manifests."
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring/terraform/modules/container-apps/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring/terraform/main.tf:45-51
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_211: "Ensure App Service plan suitable for production use"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-insights-java/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-insights-java/terraform/main.tf:41-49
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "B1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_225: "Ensure the App Service Plan is zone redundant"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-insights-java/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-insights-java/terraform/main.tf:41-49
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "B1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_212: "Ensure App Service has a minimum number of instances for failover"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-insights-java/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-insights-java/terraform/main.tf:41-49
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "B1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_213: "Ensure that App Service configures health check"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-insights-java/terraform/modules/app-service/main.tf:38-68
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-insights-java/terraform/main.tf:41-49
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = true
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | // Monitoring with Azure Application Insights
64 | "APPINSIGHTS_INSTRUMENTATIONKEY" = var.azure_application_insights_instrumentation_key
65 |
66 | # These are app specific environment variables
67 | }
68 | }
Check: CKV_AZURE_63: "Ensure that App service enables HTTP logging"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-insights-java/terraform/modules/app-service/main.tf:38-68
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-insights-java/terraform/main.tf:41-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-http-logging.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = true
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | // Monitoring with Azure Application Insights
64 | "APPINSIGHTS_INSTRUMENTATIONKEY" = var.azure_application_insights_instrumentation_key
65 |
66 | # These are app specific environment variables
67 | }
68 | }
Check: CKV_AZURE_71: "Ensure that Managed identity provider is enabled for app services"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-insights-java/terraform/modules/app-service/main.tf:38-68
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-insights-java/terraform/main.tf:41-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-managed-identity-provider-is-enabled-for-app-services.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = true
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | // Monitoring with Azure Application Insights
64 | "APPINSIGHTS_INSTRUMENTATIONKEY" = var.azure_application_insights_instrumentation_key
65 |
66 | # These are app specific environment variables
67 | }
68 | }
Check: CKV_AZURE_17: "Ensure the web app has 'Client Certificates (Incoming client certificates)' set"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-insights-java/terraform/modules/app-service/main.tf:38-68
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-insights-java/terraform/main.tf:41-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-7.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = true
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | // Monitoring with Azure Application Insights
64 | "APPINSIGHTS_INSTRUMENTATIONKEY" = var.azure_application_insights_instrumentation_key
65 |
66 | # These are app specific environment variables
67 | }
68 | }
Check: CKV_AZURE_66: "Ensure that App service enables failed request tracing"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-insights-java/terraform/modules/app-service/main.tf:38-68
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-insights-java/terraform/main.tf:41-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-failed-request-tracing.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = true
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | // Monitoring with Azure Application Insights
64 | "APPINSIGHTS_INSTRUMENTATIONKEY" = var.azure_application_insights_instrumentation_key
65 |
66 | # These are app specific environment variables
67 | }
68 | }
Check: CKV_AZURE_88: "Ensure that app services use Azure Files"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-insights-java/terraform/modules/app-service/main.tf:38-68
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-insights-java/terraform/main.tf:41-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-app-services-use-azure-files.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = true
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | // Monitoring with Azure Application Insights
64 | "APPINSIGHTS_INSTRUMENTATIONKEY" = var.azure_application_insights_instrumentation_key
65 |
66 | # These are app specific environment variables
67 | }
68 | }
Check: CKV_AZURE_222: "Ensure that Azure Web App public network access is disabled"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-insights-java/terraform/modules/app-service/main.tf:38-68
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-insights-java/terraform/main.tf:41-49
Guide: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/azr-networking-63
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = true
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | // Monitoring with Azure Application Insights
64 | "APPINSIGHTS_INSTRUMENTATIONKEY" = var.azure_application_insights_instrumentation_key
65 |
66 | # These are app specific environment variables
67 | }
68 | }
Check: CKV_AZURE_18: "Ensure that 'HTTP Version' is the latest if used to run the web app"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-insights-java/terraform/modules/app-service/main.tf:38-68
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-insights-java/terraform/main.tf:41-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-8.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = true
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | // Monitoring with Azure Application Insights
64 | "APPINSIGHTS_INSTRUMENTATIONKEY" = var.azure_application_insights_instrumentation_key
65 |
66 | # These are app specific environment variables
67 | }
68 | }
Check: CKV_AZURE_13: "Ensure App Service Authentication is set on Azure App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-insights-java/terraform/modules/app-service/main.tf:38-68
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-insights-java/terraform/main.tf:41-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-2.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = true
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | // Monitoring with Azure Application Insights
64 | "APPINSIGHTS_INSTRUMENTATIONKEY" = var.azure_application_insights_instrumentation_key
65 |
66 | # These are app specific environment variables
67 | }
68 | }
Check: CKV_AZURE_65: "Ensure that App service enables detailed error messages"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-insights-java/terraform/modules/app-service/main.tf:38-68
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-insights-java/terraform/main.tf:41-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/tbdensure-that-app-service-enables-detailed-error-messages.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = true
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | // Monitoring with Azure Application Insights
64 | "APPINSIGHTS_INSTRUMENTATIONKEY" = var.azure_application_insights_instrumentation_key
65 |
66 | # These are app specific environment variables
67 | }
68 | }
Check: CKV_AZURE_16: "Ensure that Register with Azure Active Directory is enabled on App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-insights-java/terraform/modules/app-service/main.tf:38-68
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-insights-java/terraform/main.tf:41-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-iam-policies/bc-azr-iam-1.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = true
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | // Monitoring with Azure Application Insights
64 | "APPINSIGHTS_INSTRUMENTATIONKEY" = var.azure_application_insights_instrumentation_key
65 |
66 | # These are app specific environment variables
67 | }
68 | }
Check: CKV_AZURE_164: "Ensures that ACR uses signed/trusted images"
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/modules/app-service/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/main.tf:45-51
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_166: "Ensure container image quarantine, scan, and mark images verified"
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/modules/app-service/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/main.tf:45-51
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_139: "Ensure ACR set to disable public networking"
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/modules/app-service/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-azure-acr-is-set-to-disable-public-networking.html
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_165: "Ensure geo-replicated container registries to match multi-region container deployments."
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/modules/app-service/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/main.tf:45-51
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_137: "Ensure ACR admin account is disabled"
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/modules/app-service/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/main.tf:45-51
Guide: https://docs.bridgecrew.io/docs/ensure-azure-acr-admin-account-is-disabled
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_163: "Enable vulnerability scanning for container images."
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/modules/app-service/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/main.tf:45-51
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_167: "Ensure a retention policy is set to cleanup untagged manifests."
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/modules/app-service/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/main.tf:45-51
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_225: "Ensure the App Service Plan is zone redundant"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/modules/app-service/main.tf:36-48
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/main.tf:45-51
36 | resource "azurerm_service_plan" "application" {
37 | name = azurecaf_name.app_service_plan.result
38 | resource_group_name = var.resource_group
39 | location = var.location
40 |
41 | sku_name = "S1"
42 | os_type = "Linux"
43 |
44 | tags = {
45 | "environment" = var.environment
46 | "application-name" = var.application_name
47 | }
48 | }
Check: CKV_AZURE_212: "Ensure App Service has a minimum number of instances for failover"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/modules/app-service/main.tf:36-48
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/main.tf:45-51
36 | resource "azurerm_service_plan" "application" {
37 | name = azurecaf_name.app_service_plan.result
38 | resource_group_name = var.resource_group
39 | location = var.location
40 |
41 | sku_name = "S1"
42 | os_type = "Linux"
43 |
44 | tags = {
45 | "environment" = var.environment
46 | "application-name" = var.application_name
47 | }
48 | }
Check: CKV_AZURE_213: "Ensure that App Service configures health check"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/modules/app-service/main.tf:57-88
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/main.tf:45-51
57 | resource "azurerm_linux_web_app" "application" {
58 | name = azurecaf_name.app_service.result
59 | resource_group_name = var.resource_group
60 | location = var.location
61 | service_plan_id = azurerm_service_plan.application.id
62 | https_only = true
63 |
64 | tags = {
65 | "environment" = var.environment
66 | "application-name" = var.application_name
67 | }
68 |
69 | site_config {
70 | application_stack {
71 | docker_image = "${azurerm_container_registry.container-registry.name}.azurecr.io/${var.application_name}/${var.application_name}"
72 | docker_image_tag = "latest"
73 | }
74 | always_on = true
75 | ftps_state = "FtpsOnly"
76 | }
77 |
78 | app_settings = {
79 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
80 | "DOCKER_REGISTRY_SERVER_URL" = "https://${azurerm_container_registry.container-registry.name}.azurecr.io"
81 | "DOCKER_REGISTRY_SERVER_USERNAME" = azurerm_container_registry.container-registry.admin_username
82 | "DOCKER_REGISTRY_SERVER_PASSWORD" = azurerm_container_registry.container-registry.admin_password
83 | "WEBSITES_PORT" = "8080"
84 |
85 | # These are app specific environment variables
86 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
87 | }
88 | }
Check: CKV_AZURE_63: "Ensure that App service enables HTTP logging"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/modules/app-service/main.tf:57-88
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-http-logging.html
57 | resource "azurerm_linux_web_app" "application" {
58 | name = azurecaf_name.app_service.result
59 | resource_group_name = var.resource_group
60 | location = var.location
61 | service_plan_id = azurerm_service_plan.application.id
62 | https_only = true
63 |
64 | tags = {
65 | "environment" = var.environment
66 | "application-name" = var.application_name
67 | }
68 |
69 | site_config {
70 | application_stack {
71 | docker_image = "${azurerm_container_registry.container-registry.name}.azurecr.io/${var.application_name}/${var.application_name}"
72 | docker_image_tag = "latest"
73 | }
74 | always_on = true
75 | ftps_state = "FtpsOnly"
76 | }
77 |
78 | app_settings = {
79 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
80 | "DOCKER_REGISTRY_SERVER_URL" = "https://${azurerm_container_registry.container-registry.name}.azurecr.io"
81 | "DOCKER_REGISTRY_SERVER_USERNAME" = azurerm_container_registry.container-registry.admin_username
82 | "DOCKER_REGISTRY_SERVER_PASSWORD" = azurerm_container_registry.container-registry.admin_password
83 | "WEBSITES_PORT" = "8080"
84 |
85 | # These are app specific environment variables
86 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
87 | }
88 | }
Check: CKV_AZURE_71: "Ensure that Managed identity provider is enabled for app services"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/modules/app-service/main.tf:57-88
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-managed-identity-provider-is-enabled-for-app-services.html
57 | resource "azurerm_linux_web_app" "application" {
58 | name = azurecaf_name.app_service.result
59 | resource_group_name = var.resource_group
60 | location = var.location
61 | service_plan_id = azurerm_service_plan.application.id
62 | https_only = true
63 |
64 | tags = {
65 | "environment" = var.environment
66 | "application-name" = var.application_name
67 | }
68 |
69 | site_config {
70 | application_stack {
71 | docker_image = "${azurerm_container_registry.container-registry.name}.azurecr.io/${var.application_name}/${var.application_name}"
72 | docker_image_tag = "latest"
73 | }
74 | always_on = true
75 | ftps_state = "FtpsOnly"
76 | }
77 |
78 | app_settings = {
79 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
80 | "DOCKER_REGISTRY_SERVER_URL" = "https://${azurerm_container_registry.container-registry.name}.azurecr.io"
81 | "DOCKER_REGISTRY_SERVER_USERNAME" = azurerm_container_registry.container-registry.admin_username
82 | "DOCKER_REGISTRY_SERVER_PASSWORD" = azurerm_container_registry.container-registry.admin_password
83 | "WEBSITES_PORT" = "8080"
84 |
85 | # These are app specific environment variables
86 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
87 | }
88 | }
Check: CKV_AZURE_17: "Ensure the web app has 'Client Certificates (Incoming client certificates)' set"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/modules/app-service/main.tf:57-88
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-7.html
57 | resource "azurerm_linux_web_app" "application" {
58 | name = azurecaf_name.app_service.result
59 | resource_group_name = var.resource_group
60 | location = var.location
61 | service_plan_id = azurerm_service_plan.application.id
62 | https_only = true
63 |
64 | tags = {
65 | "environment" = var.environment
66 | "application-name" = var.application_name
67 | }
68 |
69 | site_config {
70 | application_stack {
71 | docker_image = "${azurerm_container_registry.container-registry.name}.azurecr.io/${var.application_name}/${var.application_name}"
72 | docker_image_tag = "latest"
73 | }
74 | always_on = true
75 | ftps_state = "FtpsOnly"
76 | }
77 |
78 | app_settings = {
79 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
80 | "DOCKER_REGISTRY_SERVER_URL" = "https://${azurerm_container_registry.container-registry.name}.azurecr.io"
81 | "DOCKER_REGISTRY_SERVER_USERNAME" = azurerm_container_registry.container-registry.admin_username
82 | "DOCKER_REGISTRY_SERVER_PASSWORD" = azurerm_container_registry.container-registry.admin_password
83 | "WEBSITES_PORT" = "8080"
84 |
85 | # These are app specific environment variables
86 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
87 | }
88 | }
Check: CKV_AZURE_66: "Ensure that App service enables failed request tracing"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/modules/app-service/main.tf:57-88
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-failed-request-tracing.html
57 | resource "azurerm_linux_web_app" "application" {
58 | name = azurecaf_name.app_service.result
59 | resource_group_name = var.resource_group
60 | location = var.location
61 | service_plan_id = azurerm_service_plan.application.id
62 | https_only = true
63 |
64 | tags = {
65 | "environment" = var.environment
66 | "application-name" = var.application_name
67 | }
68 |
69 | site_config {
70 | application_stack {
71 | docker_image = "${azurerm_container_registry.container-registry.name}.azurecr.io/${var.application_name}/${var.application_name}"
72 | docker_image_tag = "latest"
73 | }
74 | always_on = true
75 | ftps_state = "FtpsOnly"
76 | }
77 |
78 | app_settings = {
79 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
80 | "DOCKER_REGISTRY_SERVER_URL" = "https://${azurerm_container_registry.container-registry.name}.azurecr.io"
81 | "DOCKER_REGISTRY_SERVER_USERNAME" = azurerm_container_registry.container-registry.admin_username
82 | "DOCKER_REGISTRY_SERVER_PASSWORD" = azurerm_container_registry.container-registry.admin_password
83 | "WEBSITES_PORT" = "8080"
84 |
85 | # These are app specific environment variables
86 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
87 | }
88 | }
Check: CKV_AZURE_88: "Ensure that app services use Azure Files"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/modules/app-service/main.tf:57-88
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-app-services-use-azure-files.html
57 | resource "azurerm_linux_web_app" "application" {
58 | name = azurecaf_name.app_service.result
59 | resource_group_name = var.resource_group
60 | location = var.location
61 | service_plan_id = azurerm_service_plan.application.id
62 | https_only = true
63 |
64 | tags = {
65 | "environment" = var.environment
66 | "application-name" = var.application_name
67 | }
68 |
69 | site_config {
70 | application_stack {
71 | docker_image = "${azurerm_container_registry.container-registry.name}.azurecr.io/${var.application_name}/${var.application_name}"
72 | docker_image_tag = "latest"
73 | }
74 | always_on = true
75 | ftps_state = "FtpsOnly"
76 | }
77 |
78 | app_settings = {
79 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
80 | "DOCKER_REGISTRY_SERVER_URL" = "https://${azurerm_container_registry.container-registry.name}.azurecr.io"
81 | "DOCKER_REGISTRY_SERVER_USERNAME" = azurerm_container_registry.container-registry.admin_username
82 | "DOCKER_REGISTRY_SERVER_PASSWORD" = azurerm_container_registry.container-registry.admin_password
83 | "WEBSITES_PORT" = "8080"
84 |
85 | # These are app specific environment variables
86 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
87 | }
88 | }
Check: CKV_AZURE_222: "Ensure that Azure Web App public network access is disabled"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/modules/app-service/main.tf:57-88
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/azr-networking-63
57 | resource "azurerm_linux_web_app" "application" {
58 | name = azurecaf_name.app_service.result
59 | resource_group_name = var.resource_group
60 | location = var.location
61 | service_plan_id = azurerm_service_plan.application.id
62 | https_only = true
63 |
64 | tags = {
65 | "environment" = var.environment
66 | "application-name" = var.application_name
67 | }
68 |
69 | site_config {
70 | application_stack {
71 | docker_image = "${azurerm_container_registry.container-registry.name}.azurecr.io/${var.application_name}/${var.application_name}"
72 | docker_image_tag = "latest"
73 | }
74 | always_on = true
75 | ftps_state = "FtpsOnly"
76 | }
77 |
78 | app_settings = {
79 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
80 | "DOCKER_REGISTRY_SERVER_URL" = "https://${azurerm_container_registry.container-registry.name}.azurecr.io"
81 | "DOCKER_REGISTRY_SERVER_USERNAME" = azurerm_container_registry.container-registry.admin_username
82 | "DOCKER_REGISTRY_SERVER_PASSWORD" = azurerm_container_registry.container-registry.admin_password
83 | "WEBSITES_PORT" = "8080"
84 |
85 | # These are app specific environment variables
86 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
87 | }
88 | }
Check: CKV_AZURE_18: "Ensure that 'HTTP Version' is the latest if used to run the web app"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/modules/app-service/main.tf:57-88
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-8.html
57 | resource "azurerm_linux_web_app" "application" {
58 | name = azurecaf_name.app_service.result
59 | resource_group_name = var.resource_group
60 | location = var.location
61 | service_plan_id = azurerm_service_plan.application.id
62 | https_only = true
63 |
64 | tags = {
65 | "environment" = var.environment
66 | "application-name" = var.application_name
67 | }
68 |
69 | site_config {
70 | application_stack {
71 | docker_image = "${azurerm_container_registry.container-registry.name}.azurecr.io/${var.application_name}/${var.application_name}"
72 | docker_image_tag = "latest"
73 | }
74 | always_on = true
75 | ftps_state = "FtpsOnly"
76 | }
77 |
78 | app_settings = {
79 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
80 | "DOCKER_REGISTRY_SERVER_URL" = "https://${azurerm_container_registry.container-registry.name}.azurecr.io"
81 | "DOCKER_REGISTRY_SERVER_USERNAME" = azurerm_container_registry.container-registry.admin_username
82 | "DOCKER_REGISTRY_SERVER_PASSWORD" = azurerm_container_registry.container-registry.admin_password
83 | "WEBSITES_PORT" = "8080"
84 |
85 | # These are app specific environment variables
86 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
87 | }
88 | }
Check: CKV_AZURE_13: "Ensure App Service Authentication is set on Azure App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/modules/app-service/main.tf:57-88
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-2.html
57 | resource "azurerm_linux_web_app" "application" {
58 | name = azurecaf_name.app_service.result
59 | resource_group_name = var.resource_group
60 | location = var.location
61 | service_plan_id = azurerm_service_plan.application.id
62 | https_only = true
63 |
64 | tags = {
65 | "environment" = var.environment
66 | "application-name" = var.application_name
67 | }
68 |
69 | site_config {
70 | application_stack {
71 | docker_image = "${azurerm_container_registry.container-registry.name}.azurecr.io/${var.application_name}/${var.application_name}"
72 | docker_image_tag = "latest"
73 | }
74 | always_on = true
75 | ftps_state = "FtpsOnly"
76 | }
77 |
78 | app_settings = {
79 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
80 | "DOCKER_REGISTRY_SERVER_URL" = "https://${azurerm_container_registry.container-registry.name}.azurecr.io"
81 | "DOCKER_REGISTRY_SERVER_USERNAME" = azurerm_container_registry.container-registry.admin_username
82 | "DOCKER_REGISTRY_SERVER_PASSWORD" = azurerm_container_registry.container-registry.admin_password
83 | "WEBSITES_PORT" = "8080"
84 |
85 | # These are app specific environment variables
86 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
87 | }
88 | }
Check: CKV_AZURE_65: "Ensure that App service enables detailed error messages"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/modules/app-service/main.tf:57-88
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/tbdensure-that-app-service-enables-detailed-error-messages.html
57 | resource "azurerm_linux_web_app" "application" {
58 | name = azurecaf_name.app_service.result
59 | resource_group_name = var.resource_group
60 | location = var.location
61 | service_plan_id = azurerm_service_plan.application.id
62 | https_only = true
63 |
64 | tags = {
65 | "environment" = var.environment
66 | "application-name" = var.application_name
67 | }
68 |
69 | site_config {
70 | application_stack {
71 | docker_image = "${azurerm_container_registry.container-registry.name}.azurecr.io/${var.application_name}/${var.application_name}"
72 | docker_image_tag = "latest"
73 | }
74 | always_on = true
75 | ftps_state = "FtpsOnly"
76 | }
77 |
78 | app_settings = {
79 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
80 | "DOCKER_REGISTRY_SERVER_URL" = "https://${azurerm_container_registry.container-registry.name}.azurecr.io"
81 | "DOCKER_REGISTRY_SERVER_USERNAME" = azurerm_container_registry.container-registry.admin_username
82 | "DOCKER_REGISTRY_SERVER_PASSWORD" = azurerm_container_registry.container-registry.admin_password
83 | "WEBSITES_PORT" = "8080"
84 |
85 | # These are app specific environment variables
86 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
87 | }
88 | }
Check: CKV_AZURE_16: "Ensure that Register with Azure Active Directory is enabled on App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/modules/app-service/main.tf:57-88
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-iam-policies/bc-azr-iam-1.html
57 | resource "azurerm_linux_web_app" "application" {
58 | name = azurecaf_name.app_service.result
59 | resource_group_name = var.resource_group
60 | location = var.location
61 | service_plan_id = azurerm_service_plan.application.id
62 | https_only = true
63 |
64 | tags = {
65 | "environment" = var.environment
66 | "application-name" = var.application_name
67 | }
68 |
69 | site_config {
70 | application_stack {
71 | docker_image = "${azurerm_container_registry.container-registry.name}.azurecr.io/${var.application_name}/${var.application_name}"
72 | docker_image_tag = "latest"
73 | }
74 | always_on = true
75 | ftps_state = "FtpsOnly"
76 | }
77 |
78 | app_settings = {
79 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
80 | "DOCKER_REGISTRY_SERVER_URL" = "https://${azurerm_container_registry.container-registry.name}.azurecr.io"
81 | "DOCKER_REGISTRY_SERVER_USERNAME" = azurerm_container_registry.container-registry.admin_username
82 | "DOCKER_REGISTRY_SERVER_PASSWORD" = azurerm_container_registry.container-registry.admin_password
83 | "WEBSITES_PORT" = "8080"
84 |
85 | # These are app specific environment variables
86 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
87 | }
88 | }
Check: CKV_AZURE_211: "Ensure App Service plan suitable for production use"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/main.tf:45-55
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_225: "Ensure the App Service Plan is zone redundant"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/main.tf:45-55
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_212: "Ensure App Service has a minimum number of instances for failover"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/main.tf:45-55
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_213: "Ensure that App Service configures health check"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/main.tf:45-55
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | dotnet_version = "7.0"
53 | }
54 | always_on = false
55 | ftps_state = "FtpsOnly"
56 | }
57 |
58 | app_settings = {
59 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
60 |
61 | # These are app specific environment variables
62 |
63 | "DATABASE_URL" = var.database_url
64 | "DATABASE_USERNAME" = var.database_username
65 | "DATABASE_PASSWORD" = var.database_password
66 | }
67 | }
Check: CKV_AZURE_214: "Ensure App Service is set to be always on"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/main.tf:45-55
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | dotnet_version = "7.0"
53 | }
54 | always_on = false
55 | ftps_state = "FtpsOnly"
56 | }
57 |
58 | app_settings = {
59 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
60 |
61 | # These are app specific environment variables
62 |
63 | "DATABASE_URL" = var.database_url
64 | "DATABASE_USERNAME" = var.database_username
65 | "DATABASE_PASSWORD" = var.database_password
66 | }
67 | }
Check: CKV_AZURE_63: "Ensure that App service enables HTTP logging"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/main.tf:45-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-http-logging.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | dotnet_version = "7.0"
53 | }
54 | always_on = false
55 | ftps_state = "FtpsOnly"
56 | }
57 |
58 | app_settings = {
59 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
60 |
61 | # These are app specific environment variables
62 |
63 | "DATABASE_URL" = var.database_url
64 | "DATABASE_USERNAME" = var.database_username
65 | "DATABASE_PASSWORD" = var.database_password
66 | }
67 | }
Check: CKV_AZURE_71: "Ensure that Managed identity provider is enabled for app services"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/main.tf:45-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-managed-identity-provider-is-enabled-for-app-services.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | dotnet_version = "7.0"
53 | }
54 | always_on = false
55 | ftps_state = "FtpsOnly"
56 | }
57 |
58 | app_settings = {
59 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
60 |
61 | # These are app specific environment variables
62 |
63 | "DATABASE_URL" = var.database_url
64 | "DATABASE_USERNAME" = var.database_username
65 | "DATABASE_PASSWORD" = var.database_password
66 | }
67 | }
Check: CKV_AZURE_17: "Ensure the web app has 'Client Certificates (Incoming client certificates)' set"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/main.tf:45-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-7.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | dotnet_version = "7.0"
53 | }
54 | always_on = false
55 | ftps_state = "FtpsOnly"
56 | }
57 |
58 | app_settings = {
59 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
60 |
61 | # These are app specific environment variables
62 |
63 | "DATABASE_URL" = var.database_url
64 | "DATABASE_USERNAME" = var.database_username
65 | "DATABASE_PASSWORD" = var.database_password
66 | }
67 | }
Check: CKV_AZURE_66: "Ensure that App service enables failed request tracing"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/main.tf:45-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-failed-request-tracing.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | dotnet_version = "7.0"
53 | }
54 | always_on = false
55 | ftps_state = "FtpsOnly"
56 | }
57 |
58 | app_settings = {
59 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
60 |
61 | # These are app specific environment variables
62 |
63 | "DATABASE_URL" = var.database_url
64 | "DATABASE_USERNAME" = var.database_username
65 | "DATABASE_PASSWORD" = var.database_password
66 | }
67 | }
Check: CKV_AZURE_88: "Ensure that app services use Azure Files"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/main.tf:45-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-app-services-use-azure-files.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | dotnet_version = "7.0"
53 | }
54 | always_on = false
55 | ftps_state = "FtpsOnly"
56 | }
57 |
58 | app_settings = {
59 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
60 |
61 | # These are app specific environment variables
62 |
63 | "DATABASE_URL" = var.database_url
64 | "DATABASE_USERNAME" = var.database_username
65 | "DATABASE_PASSWORD" = var.database_password
66 | }
67 | }
Check: CKV_AZURE_222: "Ensure that Azure Web App public network access is disabled"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/main.tf:45-55
Guide: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/azr-networking-63
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | dotnet_version = "7.0"
53 | }
54 | always_on = false
55 | ftps_state = "FtpsOnly"
56 | }
57 |
58 | app_settings = {
59 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
60 |
61 | # These are app specific environment variables
62 |
63 | "DATABASE_URL" = var.database_url
64 | "DATABASE_USERNAME" = var.database_username
65 | "DATABASE_PASSWORD" = var.database_password
66 | }
67 | }
Check: CKV_AZURE_18: "Ensure that 'HTTP Version' is the latest if used to run the web app"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/main.tf:45-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-8.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | dotnet_version = "7.0"
53 | }
54 | always_on = false
55 | ftps_state = "FtpsOnly"
56 | }
57 |
58 | app_settings = {
59 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
60 |
61 | # These are app specific environment variables
62 |
63 | "DATABASE_URL" = var.database_url
64 | "DATABASE_USERNAME" = var.database_username
65 | "DATABASE_PASSWORD" = var.database_password
66 | }
67 | }
Check: CKV_AZURE_13: "Ensure App Service Authentication is set on Azure App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/main.tf:45-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-2.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | dotnet_version = "7.0"
53 | }
54 | always_on = false
55 | ftps_state = "FtpsOnly"
56 | }
57 |
58 | app_settings = {
59 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
60 |
61 | # These are app specific environment variables
62 |
63 | "DATABASE_URL" = var.database_url
64 | "DATABASE_USERNAME" = var.database_username
65 | "DATABASE_PASSWORD" = var.database_password
66 | }
67 | }
Check: CKV_AZURE_65: "Ensure that App service enables detailed error messages"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/main.tf:45-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/tbdensure-that-app-service-enables-detailed-error-messages.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | dotnet_version = "7.0"
53 | }
54 | always_on = false
55 | ftps_state = "FtpsOnly"
56 | }
57 |
58 | app_settings = {
59 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
60 |
61 | # These are app specific environment variables
62 |
63 | "DATABASE_URL" = var.database_url
64 | "DATABASE_USERNAME" = var.database_username
65 | "DATABASE_PASSWORD" = var.database_password
66 | }
67 | }
Check: CKV_AZURE_16: "Ensure that Register with Azure Active Directory is enabled on App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/main.tf:45-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-iam-policies/bc-azr-iam-1.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | dotnet_version = "7.0"
53 | }
54 | always_on = false
55 | ftps_state = "FtpsOnly"
56 | }
57 |
58 | app_settings = {
59 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
60 |
61 | # These are app specific environment variables
62 |
63 | "DATABASE_URL" = var.database_url
64 | "DATABASE_USERNAME" = var.database_username
65 | "DATABASE_PASSWORD" = var.database_password
66 | }
67 | }
Check: CKV_AZURE_113: "Ensure that SQL server disables public network access"
FAILED for resource: module.database.azurerm_mssql_server.database
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/modules/sql-server/main.tf:22-35
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/main.tf:57-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-sql-server-disables-public-network-access.html
22 | resource "azurerm_mssql_server" "database" {
23 | name = azurecaf_name.mssql_server.result
24 | resource_group_name = var.resource_group
25 | location = var.location
26 | version = "12.0"
27 |
28 | administrator_login = var.administrator_login
29 | administrator_login_password = random_password.password.result
30 |
31 | tags = {
32 | "environment" = var.environment
33 | "application-name" = var.application_name
34 | }
35 | }
Check: CKV_AZURE_52: "Ensure MSSQL is using the latest version of TLS encryption"
FAILED for resource: module.database.azurerm_mssql_server.database
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/modules/sql-server/main.tf:22-35
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/main.tf:57-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-mssql-is-using-the-latest-version-of-tls-encryption.html
22 | resource "azurerm_mssql_server" "database" {
23 | name = azurecaf_name.mssql_server.result
24 | resource_group_name = var.resource_group
25 | location = var.location
26 | version = "12.0"
27 |
28 | administrator_login = var.administrator_login
29 | administrator_login_password = random_password.password.result
30 |
31 | tags = {
32 | "environment" = var.environment
33 | "application-name" = var.application_name
34 | }
35 | }
Check: CKV_AZURE_224: "Ensure that the Ledger feature is enabled on database that requires cryptographic proof and nonrepudiation of data integrity"
FAILED for resource: module.database.azurerm_mssql_database.database
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/modules/sql-server/main.tf:43-51
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/main.tf:57-63
43 | resource "azurerm_mssql_database" "database" {
44 | name = azurecaf_name.mssql_database.result
45 | server_id = azurerm_mssql_server.database.id
46 | collation = "SQL_Latin1_General_CP1_CI_AS"
47 |
48 | sku_name = "GP_S_Gen5_1"
49 | min_capacity = 0.5
50 | auto_pause_delay_in_minutes = 60
51 | }
Check: CKV_AZURE_211: "Ensure App Service plan suitable for production use"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-gradle-gitops/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-gradle-gitops/terraform/main.tf:45-51
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_225: "Ensure the App Service Plan is zone redundant"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-gradle-gitops/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-gradle-gitops/terraform/main.tf:45-51
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_212: "Ensure App Service has a minimum number of instances for failover"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-gradle-gitops/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-gradle-gitops/terraform/main.tf:45-51
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_213: "Ensure that App Service configures health check"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-gradle-gitops/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-gradle-gitops/terraform/main.tf:45-51
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_214: "Ensure App Service is set to be always on"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-gradle-gitops/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-gradle-gitops/terraform/main.tf:45-51
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_63: "Ensure that App service enables HTTP logging"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-gradle-gitops/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-gradle-gitops/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-http-logging.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_71: "Ensure that Managed identity provider is enabled for app services"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-gradle-gitops/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-gradle-gitops/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-managed-identity-provider-is-enabled-for-app-services.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_17: "Ensure the web app has 'Client Certificates (Incoming client certificates)' set"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-gradle-gitops/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-gradle-gitops/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-7.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_66: "Ensure that App service enables failed request tracing"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-gradle-gitops/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-gradle-gitops/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-failed-request-tracing.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_88: "Ensure that app services use Azure Files"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-gradle-gitops/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-gradle-gitops/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-app-services-use-azure-files.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_222: "Ensure that Azure Web App public network access is disabled"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-gradle-gitops/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-gradle-gitops/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/azr-networking-63
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_18: "Ensure that 'HTTP Version' is the latest if used to run the web app"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-gradle-gitops/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-gradle-gitops/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-8.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_13: "Ensure App Service Authentication is set on Azure App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-gradle-gitops/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-gradle-gitops/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-2.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_65: "Ensure that App service enables detailed error messages"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-gradle-gitops/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-gradle-gitops/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/tbdensure-that-app-service-enables-detailed-error-messages.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_16: "Ensure that Register with Azure Active Directory is enabled on App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-gradle-gitops/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-gradle-gitops/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-iam-policies/bc-azr-iam-1.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_211: "Ensure App Service plan suitable for production use"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-maven-gitops/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-maven-gitops/terraform/main.tf:45-51
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_225: "Ensure the App Service Plan is zone redundant"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-maven-gitops/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-maven-gitops/terraform/main.tf:45-51
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_212: "Ensure App Service has a minimum number of instances for failover"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-maven-gitops/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-maven-gitops/terraform/main.tf:45-51
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_213: "Ensure that App Service configures health check"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-maven-gitops/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-maven-gitops/terraform/main.tf:45-51
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_214: "Ensure App Service is set to be always on"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-maven-gitops/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-maven-gitops/terraform/main.tf:45-51
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_63: "Ensure that App service enables HTTP logging"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-maven-gitops/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-maven-gitops/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-http-logging.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_71: "Ensure that Managed identity provider is enabled for app services"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-maven-gitops/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-maven-gitops/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-managed-identity-provider-is-enabled-for-app-services.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_17: "Ensure the web app has 'Client Certificates (Incoming client certificates)' set"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-maven-gitops/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-maven-gitops/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-7.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_66: "Ensure that App service enables failed request tracing"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-maven-gitops/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-maven-gitops/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-failed-request-tracing.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_88: "Ensure that app services use Azure Files"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-maven-gitops/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-maven-gitops/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-app-services-use-azure-files.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_222: "Ensure that Azure Web App public network access is disabled"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-maven-gitops/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-maven-gitops/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/azr-networking-63
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_18: "Ensure that 'HTTP Version' is the latest if used to run the web app"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-maven-gitops/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-maven-gitops/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-8.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_13: "Ensure App Service Authentication is set on Azure App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-maven-gitops/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-maven-gitops/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-2.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_65: "Ensure that App service enables detailed error messages"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-maven-gitops/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-maven-gitops/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/tbdensure-that-app-service-enables-detailed-error-messages.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_16: "Ensure that Register with Azure Active Directory is enabled on App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-maven-gitops/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-maven-gitops/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-iam-policies/bc-azr-iam-1.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_211: "Ensure App Service plan suitable for production use"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/terraform/main.tf:45-55
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_225: "Ensure the App Service Plan is zone redundant"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/terraform/main.tf:45-55
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_212: "Ensure App Service has a minimum number of instances for failover"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/terraform/main.tf:45-55
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_213: "Ensure that App Service configures health check"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/terraform/main.tf:45-55
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 |
67 | "DATASOURCES_DEFAULT_URL" = "jdbc:postgresql://${var.database_url}"
68 | "DATASOURCES_DEFAULT_USERNAME" = var.database_username
69 | "DATASOURCES_DEFAULT_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_214: "Ensure App Service is set to be always on"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/terraform/main.tf:45-55
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 |
67 | "DATASOURCES_DEFAULT_URL" = "jdbc:postgresql://${var.database_url}"
68 | "DATASOURCES_DEFAULT_USERNAME" = var.database_username
69 | "DATASOURCES_DEFAULT_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_63: "Ensure that App service enables HTTP logging"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/terraform/main.tf:45-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-http-logging.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 |
67 | "DATASOURCES_DEFAULT_URL" = "jdbc:postgresql://${var.database_url}"
68 | "DATASOURCES_DEFAULT_USERNAME" = var.database_username
69 | "DATASOURCES_DEFAULT_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_71: "Ensure that Managed identity provider is enabled for app services"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/terraform/main.tf:45-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-managed-identity-provider-is-enabled-for-app-services.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 |
67 | "DATASOURCES_DEFAULT_URL" = "jdbc:postgresql://${var.database_url}"
68 | "DATASOURCES_DEFAULT_USERNAME" = var.database_username
69 | "DATASOURCES_DEFAULT_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_17: "Ensure the web app has 'Client Certificates (Incoming client certificates)' set"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/terraform/main.tf:45-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-7.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 |
67 | "DATASOURCES_DEFAULT_URL" = "jdbc:postgresql://${var.database_url}"
68 | "DATASOURCES_DEFAULT_USERNAME" = var.database_username
69 | "DATASOURCES_DEFAULT_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_66: "Ensure that App service enables failed request tracing"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/terraform/main.tf:45-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-failed-request-tracing.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 |
67 | "DATASOURCES_DEFAULT_URL" = "jdbc:postgresql://${var.database_url}"
68 | "DATASOURCES_DEFAULT_USERNAME" = var.database_username
69 | "DATASOURCES_DEFAULT_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_88: "Ensure that app services use Azure Files"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/terraform/main.tf:45-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-app-services-use-azure-files.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 |
67 | "DATASOURCES_DEFAULT_URL" = "jdbc:postgresql://${var.database_url}"
68 | "DATASOURCES_DEFAULT_USERNAME" = var.database_username
69 | "DATASOURCES_DEFAULT_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_222: "Ensure that Azure Web App public network access is disabled"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/terraform/main.tf:45-55
Guide: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/azr-networking-63
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 |
67 | "DATASOURCES_DEFAULT_URL" = "jdbc:postgresql://${var.database_url}"
68 | "DATASOURCES_DEFAULT_USERNAME" = var.database_username
69 | "DATASOURCES_DEFAULT_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_18: "Ensure that 'HTTP Version' is the latest if used to run the web app"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/terraform/main.tf:45-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-8.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 |
67 | "DATASOURCES_DEFAULT_URL" = "jdbc:postgresql://${var.database_url}"
68 | "DATASOURCES_DEFAULT_USERNAME" = var.database_username
69 | "DATASOURCES_DEFAULT_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_13: "Ensure App Service Authentication is set on Azure App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/terraform/main.tf:45-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-2.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 |
67 | "DATASOURCES_DEFAULT_URL" = "jdbc:postgresql://${var.database_url}"
68 | "DATASOURCES_DEFAULT_USERNAME" = var.database_username
69 | "DATASOURCES_DEFAULT_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_65: "Ensure that App service enables detailed error messages"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/terraform/main.tf:45-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/tbdensure-that-app-service-enables-detailed-error-messages.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 |
67 | "DATASOURCES_DEFAULT_URL" = "jdbc:postgresql://${var.database_url}"
68 | "DATASOURCES_DEFAULT_USERNAME" = var.database_username
69 | "DATASOURCES_DEFAULT_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_16: "Ensure that Register with Azure Active Directory is enabled on App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/terraform/main.tf:45-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-iam-policies/bc-azr-iam-1.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 |
67 | "DATASOURCES_DEFAULT_URL" = "jdbc:postgresql://${var.database_url}"
68 | "DATASOURCES_DEFAULT_USERNAME" = var.database_username
69 | "DATASOURCES_DEFAULT_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_136: "Ensure that PostgreSQL Flexible server enables geo-redundant backups"
FAILED for resource: module.database.azurerm_postgresql_flexible_server.database
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/terraform/modules/postgresql/main.tf:28-56
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/terraform/main.tf:57-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-azure-postgresql-flexible-server-enables-geo-redundant-backups.html
28 | resource "azurerm_postgresql_flexible_server" "database" {
29 | name = azurecaf_name.postgresql_server.result
30 | resource_group_name = var.resource_group
31 | location = var.location
32 |
33 | administrator_login = var.administrator_login
34 | administrator_password = random_password.password.result
35 |
36 | sku_name = "B_Standard_B1ms"
37 | storage_mb = 32768
38 | backup_retention_days = 7
39 | version = "13"
40 | geo_redundant_backup_enabled = false
41 | dynamic "high_availability" {
42 | for_each = local.feature_flags.high_available_type
43 | content {
44 | mode = high_availability.value
45 | }
46 | }
47 |
48 | tags = {
49 | "environment" = var.environment
50 | "application-name" = var.application_name
51 | }
52 |
53 | lifecycle {
54 | ignore_changes = [ zone, high_availability.0.standby_availability_zone ]
55 | }
56 | }
Check: CKV_AZURE_211: "Ensure App Service plan suitable for production use"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/terraform/main.tf:45-55
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_225: "Ensure the App Service Plan is zone redundant"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/terraform/main.tf:45-55
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_212: "Ensure App Service has a minimum number of instances for failover"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/terraform/main.tf:45-55
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_213: "Ensure that App Service configures health check"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/terraform/main.tf:45-55
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 |
67 | "DATASOURCES_DEFAULT_URL" = "jdbc:postgresql://${var.database_url}"
68 | "DATASOURCES_DEFAULT_USERNAME" = var.database_username
69 | "DATASOURCES_DEFAULT_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_214: "Ensure App Service is set to be always on"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/terraform/main.tf:45-55
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 |
67 | "DATASOURCES_DEFAULT_URL" = "jdbc:postgresql://${var.database_url}"
68 | "DATASOURCES_DEFAULT_USERNAME" = var.database_username
69 | "DATASOURCES_DEFAULT_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_63: "Ensure that App service enables HTTP logging"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/terraform/main.tf:45-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-http-logging.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 |
67 | "DATASOURCES_DEFAULT_URL" = "jdbc:postgresql://${var.database_url}"
68 | "DATASOURCES_DEFAULT_USERNAME" = var.database_username
69 | "DATASOURCES_DEFAULT_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_71: "Ensure that Managed identity provider is enabled for app services"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/terraform/main.tf:45-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-managed-identity-provider-is-enabled-for-app-services.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 |
67 | "DATASOURCES_DEFAULT_URL" = "jdbc:postgresql://${var.database_url}"
68 | "DATASOURCES_DEFAULT_USERNAME" = var.database_username
69 | "DATASOURCES_DEFAULT_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_17: "Ensure the web app has 'Client Certificates (Incoming client certificates)' set"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/terraform/main.tf:45-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-7.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 |
67 | "DATASOURCES_DEFAULT_URL" = "jdbc:postgresql://${var.database_url}"
68 | "DATASOURCES_DEFAULT_USERNAME" = var.database_username
69 | "DATASOURCES_DEFAULT_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_66: "Ensure that App service enables failed request tracing"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/terraform/main.tf:45-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-failed-request-tracing.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 |
67 | "DATASOURCES_DEFAULT_URL" = "jdbc:postgresql://${var.database_url}"
68 | "DATASOURCES_DEFAULT_USERNAME" = var.database_username
69 | "DATASOURCES_DEFAULT_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_88: "Ensure that app services use Azure Files"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/terraform/main.tf:45-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-app-services-use-azure-files.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 |
67 | "DATASOURCES_DEFAULT_URL" = "jdbc:postgresql://${var.database_url}"
68 | "DATASOURCES_DEFAULT_USERNAME" = var.database_username
69 | "DATASOURCES_DEFAULT_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_222: "Ensure that Azure Web App public network access is disabled"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/terraform/main.tf:45-55
Guide: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/azr-networking-63
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 |
67 | "DATASOURCES_DEFAULT_URL" = "jdbc:postgresql://${var.database_url}"
68 | "DATASOURCES_DEFAULT_USERNAME" = var.database_username
69 | "DATASOURCES_DEFAULT_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_18: "Ensure that 'HTTP Version' is the latest if used to run the web app"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/terraform/main.tf:45-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-8.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 |
67 | "DATASOURCES_DEFAULT_URL" = "jdbc:postgresql://${var.database_url}"
68 | "DATASOURCES_DEFAULT_USERNAME" = var.database_username
69 | "DATASOURCES_DEFAULT_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_13: "Ensure App Service Authentication is set on Azure App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/terraform/main.tf:45-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-2.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 |
67 | "DATASOURCES_DEFAULT_URL" = "jdbc:postgresql://${var.database_url}"
68 | "DATASOURCES_DEFAULT_USERNAME" = var.database_username
69 | "DATASOURCES_DEFAULT_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_65: "Ensure that App service enables detailed error messages"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/terraform/main.tf:45-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/tbdensure-that-app-service-enables-detailed-error-messages.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 |
67 | "DATASOURCES_DEFAULT_URL" = "jdbc:postgresql://${var.database_url}"
68 | "DATASOURCES_DEFAULT_USERNAME" = var.database_username
69 | "DATASOURCES_DEFAULT_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_16: "Ensure that Register with Azure Active Directory is enabled on App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/terraform/main.tf:45-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-iam-policies/bc-azr-iam-1.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 |
67 | "DATASOURCES_DEFAULT_URL" = "jdbc:postgresql://${var.database_url}"
68 | "DATASOURCES_DEFAULT_USERNAME" = var.database_username
69 | "DATASOURCES_DEFAULT_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_136: "Ensure that PostgreSQL Flexible server enables geo-redundant backups"
FAILED for resource: module.database.azurerm_postgresql_flexible_server.database
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/terraform/modules/postgresql/main.tf:28-56
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/terraform/main.tf:57-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-azure-postgresql-flexible-server-enables-geo-redundant-backups.html
28 | resource "azurerm_postgresql_flexible_server" "database" {
29 | name = azurecaf_name.postgresql_server.result
30 | resource_group_name = var.resource_group
31 | location = var.location
32 |
33 | administrator_login = var.administrator_login
34 | administrator_password = random_password.password.result
35 |
36 | sku_name = "B_Standard_B1ms"
37 | storage_mb = 32768
38 | backup_retention_days = 7
39 | version = "13"
40 | geo_redundant_backup_enabled = false
41 | dynamic "high_availability" {
42 | for_each = local.feature_flags.high_available_type
43 | content {
44 | mode = high_availability.value
45 | }
46 | }
47 |
48 | tags = {
49 | "environment" = var.environment
50 | "application-name" = var.application_name
51 | }
52 |
53 | lifecycle {
54 | ignore_changes = [ zone, high_availability.0.standby_availability_zone ]
55 | }
56 | }
Check: CKV_AZURE_211: "Ensure App Service plan suitable for production use"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut/terraform/main.tf:41-47
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_225: "Ensure the App Service Plan is zone redundant"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut/terraform/main.tf:41-47
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_212: "Ensure App Service has a minimum number of instances for failover"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut/terraform/main.tf:41-47
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_213: "Ensure that App Service configures health check"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut/terraform/main.tf:41-47
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 | }
67 | }
Check: CKV_AZURE_214: "Ensure App Service is set to be always on"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut/terraform/main.tf:41-47
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 | }
67 | }
Check: CKV_AZURE_63: "Ensure that App service enables HTTP logging"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut/terraform/main.tf:41-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-http-logging.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 | }
67 | }
Check: CKV_AZURE_71: "Ensure that Managed identity provider is enabled for app services"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut/terraform/main.tf:41-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-managed-identity-provider-is-enabled-for-app-services.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 | }
67 | }
Check: CKV_AZURE_17: "Ensure the web app has 'Client Certificates (Incoming client certificates)' set"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut/terraform/main.tf:41-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-7.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 | }
67 | }
Check: CKV_AZURE_66: "Ensure that App service enables failed request tracing"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut/terraform/main.tf:41-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-failed-request-tracing.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 | }
67 | }
Check: CKV_AZURE_88: "Ensure that app services use Azure Files"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut/terraform/main.tf:41-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-app-services-use-azure-files.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 | }
67 | }
Check: CKV_AZURE_222: "Ensure that Azure Web App public network access is disabled"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut/terraform/main.tf:41-47
Guide: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/azr-networking-63
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 | }
67 | }
Check: CKV_AZURE_18: "Ensure that 'HTTP Version' is the latest if used to run the web app"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut/terraform/main.tf:41-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-8.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 | }
67 | }
Check: CKV_AZURE_13: "Ensure App Service Authentication is set on Azure App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut/terraform/main.tf:41-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-2.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 | }
67 | }
Check: CKV_AZURE_65: "Ensure that App service enables detailed error messages"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut/terraform/main.tf:41-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/tbdensure-that-app-service-enables-detailed-error-messages.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 | }
67 | }
Check: CKV_AZURE_16: "Ensure that Register with Azure Active Directory is enabled on App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut/terraform/main.tf:41-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-iam-policies/bc-azr-iam-1.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "MICRONAUT_ENVIRONMENTS" = "prod,azure"
65 | "MICRONAUT_SERVER_PORT" = 80
66 | }
67 | }
Check: CKV_AZURE_211: "Ensure App Service plan suitable for production use"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-nodejs/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-nodejs/terraform/main.tf:45-51
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_225: "Ensure the App Service Plan is zone redundant"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-nodejs/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-nodejs/terraform/main.tf:45-51
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_212: "Ensure App Service has a minimum number of instances for failover"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-nodejs/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-nodejs/terraform/main.tf:45-51
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_213: "Ensure that App Service configures health check"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-nodejs/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-nodejs/terraform/main.tf:45-51
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | node_version = "18-lts"
53 | }
54 | app_command_line = "npm run start:prod"
55 | always_on = false
56 | ftps_state = "FtpsOnly"
57 | }
58 |
59 | app_settings = {
60 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
61 | "WEBSITE_RUN_FROM_PACKAGE" = "1"
62 | "WEBSITE_NODE_DEFAULT_VERSION" = "~18"
63 |
64 | # These are app specific environment variables
65 | }
66 | }
Check: CKV_AZURE_214: "Ensure App Service is set to be always on"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-nodejs/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-nodejs/terraform/main.tf:45-51
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | node_version = "18-lts"
53 | }
54 | app_command_line = "npm run start:prod"
55 | always_on = false
56 | ftps_state = "FtpsOnly"
57 | }
58 |
59 | app_settings = {
60 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
61 | "WEBSITE_RUN_FROM_PACKAGE" = "1"
62 | "WEBSITE_NODE_DEFAULT_VERSION" = "~18"
63 |
64 | # These are app specific environment variables
65 | }
66 | }
Check: CKV_AZURE_63: "Ensure that App service enables HTTP logging"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-nodejs/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-nodejs/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-http-logging.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | node_version = "18-lts"
53 | }
54 | app_command_line = "npm run start:prod"
55 | always_on = false
56 | ftps_state = "FtpsOnly"
57 | }
58 |
59 | app_settings = {
60 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
61 | "WEBSITE_RUN_FROM_PACKAGE" = "1"
62 | "WEBSITE_NODE_DEFAULT_VERSION" = "~18"
63 |
64 | # These are app specific environment variables
65 | }
66 | }
Check: CKV_AZURE_71: "Ensure that Managed identity provider is enabled for app services"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-nodejs/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-nodejs/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-managed-identity-provider-is-enabled-for-app-services.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | node_version = "18-lts"
53 | }
54 | app_command_line = "npm run start:prod"
55 | always_on = false
56 | ftps_state = "FtpsOnly"
57 | }
58 |
59 | app_settings = {
60 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
61 | "WEBSITE_RUN_FROM_PACKAGE" = "1"
62 | "WEBSITE_NODE_DEFAULT_VERSION" = "~18"
63 |
64 | # These are app specific environment variables
65 | }
66 | }
Check: CKV_AZURE_17: "Ensure the web app has 'Client Certificates (Incoming client certificates)' set"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-nodejs/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-nodejs/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-7.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | node_version = "18-lts"
53 | }
54 | app_command_line = "npm run start:prod"
55 | always_on = false
56 | ftps_state = "FtpsOnly"
57 | }
58 |
59 | app_settings = {
60 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
61 | "WEBSITE_RUN_FROM_PACKAGE" = "1"
62 | "WEBSITE_NODE_DEFAULT_VERSION" = "~18"
63 |
64 | # These are app specific environment variables
65 | }
66 | }
Check: CKV_AZURE_66: "Ensure that App service enables failed request tracing"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-nodejs/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-nodejs/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-failed-request-tracing.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | node_version = "18-lts"
53 | }
54 | app_command_line = "npm run start:prod"
55 | always_on = false
56 | ftps_state = "FtpsOnly"
57 | }
58 |
59 | app_settings = {
60 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
61 | "WEBSITE_RUN_FROM_PACKAGE" = "1"
62 | "WEBSITE_NODE_DEFAULT_VERSION" = "~18"
63 |
64 | # These are app specific environment variables
65 | }
66 | }
Check: CKV_AZURE_88: "Ensure that app services use Azure Files"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-nodejs/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-nodejs/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-app-services-use-azure-files.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | node_version = "18-lts"
53 | }
54 | app_command_line = "npm run start:prod"
55 | always_on = false
56 | ftps_state = "FtpsOnly"
57 | }
58 |
59 | app_settings = {
60 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
61 | "WEBSITE_RUN_FROM_PACKAGE" = "1"
62 | "WEBSITE_NODE_DEFAULT_VERSION" = "~18"
63 |
64 | # These are app specific environment variables
65 | }
66 | }
Check: CKV_AZURE_222: "Ensure that Azure Web App public network access is disabled"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-nodejs/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-nodejs/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/azr-networking-63
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | node_version = "18-lts"
53 | }
54 | app_command_line = "npm run start:prod"
55 | always_on = false
56 | ftps_state = "FtpsOnly"
57 | }
58 |
59 | app_settings = {
60 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
61 | "WEBSITE_RUN_FROM_PACKAGE" = "1"
62 | "WEBSITE_NODE_DEFAULT_VERSION" = "~18"
63 |
64 | # These are app specific environment variables
65 | }
66 | }
Check: CKV_AZURE_18: "Ensure that 'HTTP Version' is the latest if used to run the web app"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-nodejs/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-nodejs/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-8.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | node_version = "18-lts"
53 | }
54 | app_command_line = "npm run start:prod"
55 | always_on = false
56 | ftps_state = "FtpsOnly"
57 | }
58 |
59 | app_settings = {
60 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
61 | "WEBSITE_RUN_FROM_PACKAGE" = "1"
62 | "WEBSITE_NODE_DEFAULT_VERSION" = "~18"
63 |
64 | # These are app specific environment variables
65 | }
66 | }
Check: CKV_AZURE_13: "Ensure App Service Authentication is set on Azure App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-nodejs/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-nodejs/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-2.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | node_version = "18-lts"
53 | }
54 | app_command_line = "npm run start:prod"
55 | always_on = false
56 | ftps_state = "FtpsOnly"
57 | }
58 |
59 | app_settings = {
60 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
61 | "WEBSITE_RUN_FROM_PACKAGE" = "1"
62 | "WEBSITE_NODE_DEFAULT_VERSION" = "~18"
63 |
64 | # These are app specific environment variables
65 | }
66 | }
Check: CKV_AZURE_65: "Ensure that App service enables detailed error messages"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-nodejs/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-nodejs/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/tbdensure-that-app-service-enables-detailed-error-messages.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | node_version = "18-lts"
53 | }
54 | app_command_line = "npm run start:prod"
55 | always_on = false
56 | ftps_state = "FtpsOnly"
57 | }
58 |
59 | app_settings = {
60 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
61 | "WEBSITE_RUN_FROM_PACKAGE" = "1"
62 | "WEBSITE_NODE_DEFAULT_VERSION" = "~18"
63 |
64 | # These are app specific environment variables
65 | }
66 | }
Check: CKV_AZURE_16: "Ensure that Register with Azure Active Directory is enabled on App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-nodejs/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-nodejs/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-iam-policies/bc-azr-iam-1.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | node_version = "18-lts"
53 | }
54 | app_command_line = "npm run start:prod"
55 | always_on = false
56 | ftps_state = "FtpsOnly"
57 | }
58 |
59 | app_settings = {
60 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
61 | "WEBSITE_RUN_FROM_PACKAGE" = "1"
62 | "WEBSITE_NODE_DEFAULT_VERSION" = "~18"
63 |
64 | # These are app specific environment variables
65 | }
66 | }
Check: CKV_AZURE_211: "Ensure App Service plan suitable for production use"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-python/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-python/terraform/main.tf:45-51
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_225: "Ensure the App Service Plan is zone redundant"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-python/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-python/terraform/main.tf:45-51
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_212: "Ensure App Service has a minimum number of instances for failover"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-python/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-python/terraform/main.tf:45-51
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_213: "Ensure that App Service configures health check"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-python/terraform/modules/app-service/main.tf:38-64
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-python/terraform/main.tf:45-51
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | python_version = "3.11"
53 | }
54 | always_on = false
55 | ftps_state = "FtpsOnly"
56 | }
57 |
58 | app_settings = {
59 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
60 | "SCM_DO_BUILD_DURING_DEPLOYMENT" = "true"
61 |
62 | # These are app specific environment variables
63 | }
64 | }
Check: CKV_AZURE_214: "Ensure App Service is set to be always on"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-python/terraform/modules/app-service/main.tf:38-64
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-python/terraform/main.tf:45-51
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | python_version = "3.11"
53 | }
54 | always_on = false
55 | ftps_state = "FtpsOnly"
56 | }
57 |
58 | app_settings = {
59 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
60 | "SCM_DO_BUILD_DURING_DEPLOYMENT" = "true"
61 |
62 | # These are app specific environment variables
63 | }
64 | }
Check: CKV_AZURE_63: "Ensure that App service enables HTTP logging"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-python/terraform/modules/app-service/main.tf:38-64
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-python/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-http-logging.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | python_version = "3.11"
53 | }
54 | always_on = false
55 | ftps_state = "FtpsOnly"
56 | }
57 |
58 | app_settings = {
59 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
60 | "SCM_DO_BUILD_DURING_DEPLOYMENT" = "true"
61 |
62 | # These are app specific environment variables
63 | }
64 | }
Check: CKV_AZURE_71: "Ensure that Managed identity provider is enabled for app services"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-python/terraform/modules/app-service/main.tf:38-64
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-python/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-managed-identity-provider-is-enabled-for-app-services.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | python_version = "3.11"
53 | }
54 | always_on = false
55 | ftps_state = "FtpsOnly"
56 | }
57 |
58 | app_settings = {
59 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
60 | "SCM_DO_BUILD_DURING_DEPLOYMENT" = "true"
61 |
62 | # These are app specific environment variables
63 | }
64 | }
Check: CKV_AZURE_17: "Ensure the web app has 'Client Certificates (Incoming client certificates)' set"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-python/terraform/modules/app-service/main.tf:38-64
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-python/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-7.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | python_version = "3.11"
53 | }
54 | always_on = false
55 | ftps_state = "FtpsOnly"
56 | }
57 |
58 | app_settings = {
59 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
60 | "SCM_DO_BUILD_DURING_DEPLOYMENT" = "true"
61 |
62 | # These are app specific environment variables
63 | }
64 | }
Check: CKV_AZURE_66: "Ensure that App service enables failed request tracing"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-python/terraform/modules/app-service/main.tf:38-64
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-python/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-failed-request-tracing.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | python_version = "3.11"
53 | }
54 | always_on = false
55 | ftps_state = "FtpsOnly"
56 | }
57 |
58 | app_settings = {
59 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
60 | "SCM_DO_BUILD_DURING_DEPLOYMENT" = "true"
61 |
62 | # These are app specific environment variables
63 | }
64 | }
Check: CKV_AZURE_88: "Ensure that app services use Azure Files"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-python/terraform/modules/app-service/main.tf:38-64
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-python/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-app-services-use-azure-files.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | python_version = "3.11"
53 | }
54 | always_on = false
55 | ftps_state = "FtpsOnly"
56 | }
57 |
58 | app_settings = {
59 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
60 | "SCM_DO_BUILD_DURING_DEPLOYMENT" = "true"
61 |
62 | # These are app specific environment variables
63 | }
64 | }
Check: CKV_AZURE_222: "Ensure that Azure Web App public network access is disabled"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-python/terraform/modules/app-service/main.tf:38-64
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-python/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/azr-networking-63
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | python_version = "3.11"
53 | }
54 | always_on = false
55 | ftps_state = "FtpsOnly"
56 | }
57 |
58 | app_settings = {
59 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
60 | "SCM_DO_BUILD_DURING_DEPLOYMENT" = "true"
61 |
62 | # These are app specific environment variables
63 | }
64 | }
Check: CKV_AZURE_18: "Ensure that 'HTTP Version' is the latest if used to run the web app"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-python/terraform/modules/app-service/main.tf:38-64
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-python/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-8.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | python_version = "3.11"
53 | }
54 | always_on = false
55 | ftps_state = "FtpsOnly"
56 | }
57 |
58 | app_settings = {
59 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
60 | "SCM_DO_BUILD_DURING_DEPLOYMENT" = "true"
61 |
62 | # These are app specific environment variables
63 | }
64 | }
Check: CKV_AZURE_13: "Ensure App Service Authentication is set on Azure App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-python/terraform/modules/app-service/main.tf:38-64
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-python/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-2.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | python_version = "3.11"
53 | }
54 | always_on = false
55 | ftps_state = "FtpsOnly"
56 | }
57 |
58 | app_settings = {
59 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
60 | "SCM_DO_BUILD_DURING_DEPLOYMENT" = "true"
61 |
62 | # These are app specific environment variables
63 | }
64 | }
Check: CKV_AZURE_65: "Ensure that App service enables detailed error messages"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-python/terraform/modules/app-service/main.tf:38-64
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-python/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/tbdensure-that-app-service-enables-detailed-error-messages.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | python_version = "3.11"
53 | }
54 | always_on = false
55 | ftps_state = "FtpsOnly"
56 | }
57 |
58 | app_settings = {
59 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
60 | "SCM_DO_BUILD_DURING_DEPLOYMENT" = "true"
61 |
62 | # These are app specific environment variables
63 | }
64 | }
Check: CKV_AZURE_16: "Ensure that Register with Azure Active Directory is enabled on App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-python/terraform/modules/app-service/main.tf:38-64
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-python/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-iam-policies/bc-azr-iam-1.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | python_version = "3.11"
53 | }
54 | always_on = false
55 | ftps_state = "FtpsOnly"
56 | }
57 |
58 | app_settings = {
59 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
60 | "SCM_DO_BUILD_DURING_DEPLOYMENT" = "true"
61 |
62 | # These are app specific environment variables
63 | }
64 | }
Check: CKV_AZURE_211: "Ensure App Service plan suitable for production use"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-quarkus/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-quarkus/terraform/main.tf:41-47
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_225: "Ensure the App Service Plan is zone redundant"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-quarkus/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-quarkus/terraform/main.tf:41-47
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_212: "Ensure App Service has a minimum number of instances for failover"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-quarkus/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-quarkus/terraform/main.tf:41-47
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_213: "Ensure that App Service configures health check"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-quarkus/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-quarkus/terraform/main.tf:41-47
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "QUARKUS_HTTP_PORT" = 80
65 | "QUARKUS_PROFILE" = "prod"
66 | }
67 | }
Check: CKV_AZURE_214: "Ensure App Service is set to be always on"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-quarkus/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-quarkus/terraform/main.tf:41-47
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "QUARKUS_HTTP_PORT" = 80
65 | "QUARKUS_PROFILE" = "prod"
66 | }
67 | }
Check: CKV_AZURE_63: "Ensure that App service enables HTTP logging"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-quarkus/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-quarkus/terraform/main.tf:41-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-http-logging.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "QUARKUS_HTTP_PORT" = 80
65 | "QUARKUS_PROFILE" = "prod"
66 | }
67 | }
Check: CKV_AZURE_71: "Ensure that Managed identity provider is enabled for app services"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-quarkus/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-quarkus/terraform/main.tf:41-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-managed-identity-provider-is-enabled-for-app-services.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "QUARKUS_HTTP_PORT" = 80
65 | "QUARKUS_PROFILE" = "prod"
66 | }
67 | }
Check: CKV_AZURE_17: "Ensure the web app has 'Client Certificates (Incoming client certificates)' set"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-quarkus/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-quarkus/terraform/main.tf:41-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-7.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "QUARKUS_HTTP_PORT" = 80
65 | "QUARKUS_PROFILE" = "prod"
66 | }
67 | }
Check: CKV_AZURE_66: "Ensure that App service enables failed request tracing"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-quarkus/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-quarkus/terraform/main.tf:41-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-failed-request-tracing.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "QUARKUS_HTTP_PORT" = 80
65 | "QUARKUS_PROFILE" = "prod"
66 | }
67 | }
Check: CKV_AZURE_88: "Ensure that app services use Azure Files"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-quarkus/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-quarkus/terraform/main.tf:41-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-app-services-use-azure-files.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "QUARKUS_HTTP_PORT" = 80
65 | "QUARKUS_PROFILE" = "prod"
66 | }
67 | }
Check: CKV_AZURE_222: "Ensure that Azure Web App public network access is disabled"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-quarkus/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-quarkus/terraform/main.tf:41-47
Guide: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/azr-networking-63
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "QUARKUS_HTTP_PORT" = 80
65 | "QUARKUS_PROFILE" = "prod"
66 | }
67 | }
Check: CKV_AZURE_18: "Ensure that 'HTTP Version' is the latest if used to run the web app"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-quarkus/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-quarkus/terraform/main.tf:41-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-8.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "QUARKUS_HTTP_PORT" = 80
65 | "QUARKUS_PROFILE" = "prod"
66 | }
67 | }
Check: CKV_AZURE_13: "Ensure App Service Authentication is set on Azure App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-quarkus/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-quarkus/terraform/main.tf:41-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-2.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "QUARKUS_HTTP_PORT" = 80
65 | "QUARKUS_PROFILE" = "prod"
66 | }
67 | }
Check: CKV_AZURE_65: "Ensure that App service enables detailed error messages"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-quarkus/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-quarkus/terraform/main.tf:41-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/tbdensure-that-app-service-enables-detailed-error-messages.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "QUARKUS_HTTP_PORT" = 80
65 | "QUARKUS_PROFILE" = "prod"
66 | }
67 | }
Check: CKV_AZURE_16: "Ensure that Register with Azure Active Directory is enabled on App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-quarkus/terraform/modules/app-service/main.tf:38-67
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-quarkus/terraform/main.tf:41-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-iam-policies/bc-azr-iam-1.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "QUARKUS_HTTP_PORT" = 80
65 | "QUARKUS_PROFILE" = "prod"
66 | }
67 | }
Check: CKV_AZURE_211: "Ensure App Service plan suitable for production use"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-spring/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-spring/terraform/main.tf:41-47
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_225: "Ensure the App Service Plan is zone redundant"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-spring/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-spring/terraform/main.tf:41-47
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_212: "Ensure App Service has a minimum number of instances for failover"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-spring/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-spring/terraform/main.tf:41-47
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_213: "Ensure that App Service configures health check"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-spring/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-spring/terraform/main.tf:41-47
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_214: "Ensure App Service is set to be always on"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-spring/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-spring/terraform/main.tf:41-47
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_63: "Ensure that App service enables HTTP logging"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-spring/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-spring/terraform/main.tf:41-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-http-logging.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_71: "Ensure that Managed identity provider is enabled for app services"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-spring/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-spring/terraform/main.tf:41-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-managed-identity-provider-is-enabled-for-app-services.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_17: "Ensure the web app has 'Client Certificates (Incoming client certificates)' set"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-spring/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-spring/terraform/main.tf:41-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-7.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_66: "Ensure that App service enables failed request tracing"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-spring/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-spring/terraform/main.tf:41-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-failed-request-tracing.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_88: "Ensure that app services use Azure Files"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-spring/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-spring/terraform/main.tf:41-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-app-services-use-azure-files.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_222: "Ensure that Azure Web App public network access is disabled"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-spring/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-spring/terraform/main.tf:41-47
Guide: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/azr-networking-63
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_18: "Ensure that 'HTTP Version' is the latest if used to run the web app"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-spring/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-spring/terraform/main.tf:41-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-8.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_13: "Ensure App Service Authentication is set on Azure App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-spring/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-spring/terraform/main.tf:41-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-2.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_65: "Ensure that App service enables detailed error messages"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-spring/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-spring/terraform/main.tf:41-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/tbdensure-that-app-service-enables-detailed-error-messages.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_16: "Ensure that Register with Azure Active Directory is enabled on App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-spring/terraform/modules/app-service/main.tf:38-66
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-spring/terraform/main.tf:41-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-iam-policies/bc-azr-iam-1.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 | }
66 | }
Check: CKV_AZURE_164: "Ensures that ACR uses signed/trusted images"
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/app-service/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:49-75
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_166: "Ensure container image quarantine, scan, and mark images verified"
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/app-service/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:49-75
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_139: "Ensure ACR set to disable public networking"
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/app-service/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:49-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-azure-acr-is-set-to-disable-public-networking.html
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_165: "Ensure geo-replicated container registries to match multi-region container deployments."
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/app-service/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:49-75
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_137: "Ensure ACR admin account is disabled"
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/app-service/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:49-75
Guide: https://docs.bridgecrew.io/docs/ensure-azure-acr-admin-account-is-disabled
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_163: "Enable vulnerability scanning for container images."
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/app-service/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:49-75
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_167: "Ensure a retention policy is set to cleanup untagged manifests."
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/app-service/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:49-75
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_225: "Ensure the App Service Plan is zone redundant"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/app-service/main.tf:36-48
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:49-75
36 | resource "azurerm_service_plan" "application" {
37 | name = azurecaf_name.app_service_plan.result
38 | resource_group_name = var.resource_group
39 | location = var.location
40 |
41 | sku_name = "S1"
42 | os_type = "Linux"
43 |
44 | tags = {
45 | "environment" = var.environment
46 | "application-name" = var.application_name
47 | }
48 | }
Check: CKV_AZURE_212: "Ensure App Service has a minimum number of instances for failover"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/app-service/main.tf:36-48
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:49-75
36 | resource "azurerm_service_plan" "application" {
37 | name = azurecaf_name.app_service_plan.result
38 | resource_group_name = var.resource_group
39 | location = var.location
40 |
41 | sku_name = "S1"
42 | os_type = "Linux"
43 |
44 | tags = {
45 | "environment" = var.environment
46 | "application-name" = var.application_name
47 | }
48 | }
Check: CKV_AZURE_213: "Ensure that App Service configures health check"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/app-service/main.tf:57-109
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:49-75
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_63: "Ensure that App service enables HTTP logging"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/app-service/main.tf:57-109
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:49-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-http-logging.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_17: "Ensure the web app has 'Client Certificates (Incoming client certificates)' set"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/app-service/main.tf:57-109
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:49-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_66: "Ensure that App service enables failed request tracing"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/app-service/main.tf:57-109
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:49-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-failed-request-tracing.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_88: "Ensure that app services use Azure Files"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/app-service/main.tf:57-109
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:49-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-app-services-use-azure-files.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_222: "Ensure that Azure Web App public network access is disabled"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/app-service/main.tf:57-109
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:49-75
Guide: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/azr-networking-63
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_18: "Ensure that 'HTTP Version' is the latest if used to run the web app"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/app-service/main.tf:57-109
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:49-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_13: "Ensure App Service Authentication is set on Azure App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/app-service/main.tf:57-109
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:49-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-2.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_65: "Ensure that App service enables detailed error messages"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/app-service/main.tf:57-109
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:49-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/tbdensure-that-app-service-enables-detailed-error-messages.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_132: "Ensure cosmosdb does not allow privileged escalation by restricting management plane changes"
FAILED for resource: module.cosmosdb-mongodb.azurerm_cosmosdb_account.cosmosdb
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/cosmosdb-mongodb/main.tf:16-43
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:136-143
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-4.html
16 | resource "azurerm_cosmosdb_account" "cosmosdb" {
17 | name = azurecaf_name.cosmosdb_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | offer_type = "Standard"
21 | kind = "MongoDB"
22 | enable_free_tier = true
23 |
24 | tags = {
25 | "environment" = var.environment
26 | "application-name" = var.application_name
27 | }
28 |
29 | consistency_policy {
30 | consistency_level = "Session"
31 | }
32 |
33 | geo_location {
34 | failover_priority = 0
35 | location = var.location
36 | }
37 |
38 | is_virtual_network_filter_enabled = true
39 |
40 | virtual_network_rule {
41 | id = var.subnet_id
42 | }
43 | }
Check: CKV_AZURE_100: "Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest"
FAILED for resource: module.cosmosdb-mongodb.azurerm_cosmosdb_account.cosmosdb
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/cosmosdb-mongodb/main.tf:16-43
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:136-143
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-cosmos-db-accounts-have-customer-managed-keys-to-encrypt-data-at-rest.html
16 | resource "azurerm_cosmosdb_account" "cosmosdb" {
17 | name = azurecaf_name.cosmosdb_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | offer_type = "Standard"
21 | kind = "MongoDB"
22 | enable_free_tier = true
23 |
24 | tags = {
25 | "environment" = var.environment
26 | "application-name" = var.application_name
27 | }
28 |
29 | consistency_policy {
30 | consistency_level = "Session"
31 | }
32 |
33 | geo_location {
34 | failover_priority = 0
35 | location = var.location
36 | }
37 |
38 | is_virtual_network_filter_enabled = true
39 |
40 | virtual_network_rule {
41 | id = var.subnet_id
42 | }
43 | }
Check: CKV_AZURE_101: "Ensure that Azure Cosmos DB disables public network access"
FAILED for resource: module.cosmosdb-mongodb.azurerm_cosmosdb_account.cosmosdb
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/cosmosdb-mongodb/main.tf:16-43
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:136-143
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-azure-cosmos-db-disables-public-network-access.html
16 | resource "azurerm_cosmosdb_account" "cosmosdb" {
17 | name = azurecaf_name.cosmosdb_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | offer_type = "Standard"
21 | kind = "MongoDB"
22 | enable_free_tier = true
23 |
24 | tags = {
25 | "environment" = var.environment
26 | "application-name" = var.application_name
27 | }
28 |
29 | consistency_policy {
30 | consistency_level = "Session"
31 | }
32 |
33 | geo_location {
34 | failover_priority = 0
35 | location = var.location
36 | }
37 |
38 | is_virtual_network_filter_enabled = true
39 |
40 | virtual_network_rule {
41 | id = var.subnet_id
42 | }
43 | }
Check: CKV_AZURE_42: "Ensure the key vault is recoverable"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/key-vault/main.tf:18-39
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:97-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-the-key-vault-is-recoverable.html
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | network_acls {
29 | default_action = "Deny"
30 | bypass = "None"
31 | virtual_network_subnet_ids = [var.subnet_id]
32 | ip_rules = [var.myip]
33 | }
34 |
35 | tags = {
36 | "environment" = var.environment
37 | "application-name" = var.application_name
38 | }
39 | }
Check: CKV_AZURE_110: "Ensure that key vault enables purge protection"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/key-vault/main.tf:18-39
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:97-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-enables-purge-protection.html
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | network_acls {
29 | default_action = "Deny"
30 | bypass = "None"
31 | virtual_network_subnet_ids = [var.subnet_id]
32 | ip_rules = [var.myip]
33 | }
34 |
35 | tags = {
36 | "environment" = var.environment
37 | "application-name" = var.application_name
38 | }
39 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.database_username
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/key-vault/main.tf:54-60
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:97-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
54 | resource "azurerm_key_vault_secret" "database_username" {
55 | name = "database-username"
56 | value = var.database_username
57 | key_vault_id = azurerm_key_vault.application.id
58 |
59 | depends_on = [ azurerm_key_vault_access_policy.client ]
60 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.database_username
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/key-vault/main.tf:54-60
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:97-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
54 | resource "azurerm_key_vault_secret" "database_username" {
55 | name = "database-username"
56 | value = var.database_username
57 | key_vault_id = azurerm_key_vault.application.id
58 |
59 | depends_on = [ azurerm_key_vault_access_policy.client ]
60 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.database_password
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/key-vault/main.tf:62-68
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:97-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
62 | resource "azurerm_key_vault_secret" "database_password" {
63 | name = "database-password"
64 | value = var.database_password
65 | key_vault_id = azurerm_key_vault.application.id
66 |
67 | depends_on = [ azurerm_key_vault_access_policy.client ]
68 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.database_password
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/key-vault/main.tf:62-68
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:97-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
62 | resource "azurerm_key_vault_secret" "database_password" {
63 | name = "database-password"
64 | value = var.database_password
65 | key_vault_id = azurerm_key_vault.application.id
66 |
67 | depends_on = [ azurerm_key_vault_access_policy.client ]
68 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.redis_password
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/key-vault/main.tf:70-76
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:97-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
70 | resource "azurerm_key_vault_secret" "redis_password" {
71 | name = "redis-password"
72 | value = var.redis_password
73 | key_vault_id = azurerm_key_vault.application.id
74 |
75 | depends_on = [ azurerm_key_vault_access_policy.client ]
76 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.redis_password
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/key-vault/main.tf:70-76
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:97-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
70 | resource "azurerm_key_vault_secret" "redis_password" {
71 | name = "redis-password"
72 | value = var.redis_password
73 | key_vault_id = azurerm_key_vault.application.id
74 |
75 | depends_on = [ azurerm_key_vault_access_policy.client ]
76 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.storage_account_key
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/key-vault/main.tf:78-84
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:97-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
78 | resource "azurerm_key_vault_secret" "storage_account_key" {
79 | name = "storage-account-key"
80 | value = var.storage_account_key
81 | key_vault_id = azurerm_key_vault.application.id
82 |
83 | depends_on = [ azurerm_key_vault_access_policy.client ]
84 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.storage_account_key
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/key-vault/main.tf:78-84
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:97-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
78 | resource "azurerm_key_vault_secret" "storage_account_key" {
79 | name = "storage-account-key"
80 | value = var.storage_account_key
81 | key_vault_id = azurerm_key_vault.application.id
82 |
83 | depends_on = [ azurerm_key_vault_access_policy.client ]
84 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.cosmosdb_mongodb_uri
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/key-vault/main.tf:86-92
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:97-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
86 | resource "azurerm_key_vault_secret" "cosmosdb_mongodb_uri" {
87 | name = "cosmosdb-mongodb-uri"
88 | value = var.cosmosdb_mongodb_uri
89 | key_vault_id = azurerm_key_vault.application.id
90 |
91 | depends_on = [ azurerm_key_vault_access_policy.client ]
92 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.cosmosdb_mongodb_uri
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/key-vault/main.tf:86-92
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:97-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
86 | resource "azurerm_key_vault_secret" "cosmosdb_mongodb_uri" {
87 | name = "cosmosdb-mongodb-uri"
88 | value = var.cosmosdb_mongodb_uri
89 | key_vault_id = azurerm_key_vault.application.id
90 |
91 | depends_on = [ azurerm_key_vault_access_policy.client ]
92 | }
Check: CKV_AZURE_89: "Ensure that Azure Cache for Redis disables public network access"
FAILED for resource: module.redis.azurerm_redis_cache.redis
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/redis/main.tf:16-35
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:117-124
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-azure-cache-for-redis-disables-public-network-access.html
16 | resource "azurerm_redis_cache" "redis" {
17 | name = azurecaf_name.redis_cache.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | capacity = 1
21 | family = "P"
22 | sku_name = "Premium"
23 | enable_non_ssl_port = false
24 | minimum_tls_version = "1.2"
25 |
26 | tags = {
27 | "environment" = var.environment
28 | "application-name" = var.application_name
29 | }
30 |
31 | redis_configuration {
32 | }
33 |
34 | subnet_id = var.subnet_id
35 | }
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/storage-blob/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:126-134
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/storage-blob/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:126-134
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/storage-blob/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:126-134
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/storage-blob/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:126-134
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/storage-blob/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/main.tf:126-134
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_225: "Ensure the App Service Plan is zone redundant"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/main.tf:49-65
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "S1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_212: "Ensure App Service has a minimum number of instances for failover"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/main.tf:49-65
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "S1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_213: "Ensure that App Service configures health check"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/modules/app-service/main.tf:38-77
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/main.tf:49-65
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = true
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | identity {
61 | type = "SystemAssigned"
62 | }
63 |
64 | app_settings = {
65 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
66 |
67 | // Monitoring with Azure Application Insights
68 | "APPINSIGHTS_INSTRUMENTATIONKEY" = var.azure_application_insights_instrumentation_key
69 |
70 | # These are app specific environment variables
71 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
72 |
73 | "SPRING_DATASOURCE_URL" = "jdbc:postgresql://${var.database_url}"
74 | "SPRING_DATASOURCE_USERNAME" = var.database_username
75 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
76 | }
77 | }
Check: CKV_AZURE_63: "Ensure that App service enables HTTP logging"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/modules/app-service/main.tf:38-77
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/main.tf:49-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-http-logging.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = true
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | identity {
61 | type = "SystemAssigned"
62 | }
63 |
64 | app_settings = {
65 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
66 |
67 | // Monitoring with Azure Application Insights
68 | "APPINSIGHTS_INSTRUMENTATIONKEY" = var.azure_application_insights_instrumentation_key
69 |
70 | # These are app specific environment variables
71 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
72 |
73 | "SPRING_DATASOURCE_URL" = "jdbc:postgresql://${var.database_url}"
74 | "SPRING_DATASOURCE_USERNAME" = var.database_username
75 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
76 | }
77 | }
Check: CKV_AZURE_17: "Ensure the web app has 'Client Certificates (Incoming client certificates)' set"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/modules/app-service/main.tf:38-77
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/main.tf:49-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-7.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = true
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | identity {
61 | type = "SystemAssigned"
62 | }
63 |
64 | app_settings = {
65 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
66 |
67 | // Monitoring with Azure Application Insights
68 | "APPINSIGHTS_INSTRUMENTATIONKEY" = var.azure_application_insights_instrumentation_key
69 |
70 | # These are app specific environment variables
71 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
72 |
73 | "SPRING_DATASOURCE_URL" = "jdbc:postgresql://${var.database_url}"
74 | "SPRING_DATASOURCE_USERNAME" = var.database_username
75 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
76 | }
77 | }
Check: CKV_AZURE_66: "Ensure that App service enables failed request tracing"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/modules/app-service/main.tf:38-77
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/main.tf:49-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-failed-request-tracing.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = true
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | identity {
61 | type = "SystemAssigned"
62 | }
63 |
64 | app_settings = {
65 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
66 |
67 | // Monitoring with Azure Application Insights
68 | "APPINSIGHTS_INSTRUMENTATIONKEY" = var.azure_application_insights_instrumentation_key
69 |
70 | # These are app specific environment variables
71 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
72 |
73 | "SPRING_DATASOURCE_URL" = "jdbc:postgresql://${var.database_url}"
74 | "SPRING_DATASOURCE_USERNAME" = var.database_username
75 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
76 | }
77 | }
Check: CKV_AZURE_88: "Ensure that app services use Azure Files"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/modules/app-service/main.tf:38-77
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/main.tf:49-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-app-services-use-azure-files.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = true
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | identity {
61 | type = "SystemAssigned"
62 | }
63 |
64 | app_settings = {
65 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
66 |
67 | // Monitoring with Azure Application Insights
68 | "APPINSIGHTS_INSTRUMENTATIONKEY" = var.azure_application_insights_instrumentation_key
69 |
70 | # These are app specific environment variables
71 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
72 |
73 | "SPRING_DATASOURCE_URL" = "jdbc:postgresql://${var.database_url}"
74 | "SPRING_DATASOURCE_USERNAME" = var.database_username
75 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
76 | }
77 | }
Check: CKV_AZURE_222: "Ensure that Azure Web App public network access is disabled"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/modules/app-service/main.tf:38-77
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/main.tf:49-65
Guide: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/azr-networking-63
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = true
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | identity {
61 | type = "SystemAssigned"
62 | }
63 |
64 | app_settings = {
65 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
66 |
67 | // Monitoring with Azure Application Insights
68 | "APPINSIGHTS_INSTRUMENTATIONKEY" = var.azure_application_insights_instrumentation_key
69 |
70 | # These are app specific environment variables
71 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
72 |
73 | "SPRING_DATASOURCE_URL" = "jdbc:postgresql://${var.database_url}"
74 | "SPRING_DATASOURCE_USERNAME" = var.database_username
75 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
76 | }
77 | }
Check: CKV_AZURE_18: "Ensure that 'HTTP Version' is the latest if used to run the web app"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/modules/app-service/main.tf:38-77
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/main.tf:49-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-8.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = true
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | identity {
61 | type = "SystemAssigned"
62 | }
63 |
64 | app_settings = {
65 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
66 |
67 | // Monitoring with Azure Application Insights
68 | "APPINSIGHTS_INSTRUMENTATIONKEY" = var.azure_application_insights_instrumentation_key
69 |
70 | # These are app specific environment variables
71 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
72 |
73 | "SPRING_DATASOURCE_URL" = "jdbc:postgresql://${var.database_url}"
74 | "SPRING_DATASOURCE_USERNAME" = var.database_username
75 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
76 | }
77 | }
Check: CKV_AZURE_13: "Ensure App Service Authentication is set on Azure App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/modules/app-service/main.tf:38-77
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/main.tf:49-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-2.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = true
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | identity {
61 | type = "SystemAssigned"
62 | }
63 |
64 | app_settings = {
65 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
66 |
67 | // Monitoring with Azure Application Insights
68 | "APPINSIGHTS_INSTRUMENTATIONKEY" = var.azure_application_insights_instrumentation_key
69 |
70 | # These are app specific environment variables
71 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
72 |
73 | "SPRING_DATASOURCE_URL" = "jdbc:postgresql://${var.database_url}"
74 | "SPRING_DATASOURCE_USERNAME" = var.database_username
75 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
76 | }
77 | }
Check: CKV_AZURE_65: "Ensure that App service enables detailed error messages"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/modules/app-service/main.tf:38-77
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/main.tf:49-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/tbdensure-that-app-service-enables-detailed-error-messages.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = true
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | identity {
61 | type = "SystemAssigned"
62 | }
63 |
64 | app_settings = {
65 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
66 |
67 | // Monitoring with Azure Application Insights
68 | "APPINSIGHTS_INSTRUMENTATIONKEY" = var.azure_application_insights_instrumentation_key
69 |
70 | # These are app specific environment variables
71 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
72 |
73 | "SPRING_DATASOURCE_URL" = "jdbc:postgresql://${var.database_url}"
74 | "SPRING_DATASOURCE_USERNAME" = var.database_username
75 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
76 | }
77 | }
Check: CKV_AZURE_42: "Ensure the key vault is recoverable"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/modules/key-vault/main.tf:18-39
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/main.tf:87-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-the-key-vault-is-recoverable.html
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | network_acls {
29 | default_action = "Deny"
30 | bypass = "None"
31 | virtual_network_subnet_ids = [var.subnet_id]
32 | ip_rules = [var.myip]
33 | }
34 |
35 | tags = {
36 | "environment" = var.environment
37 | "application-name" = var.application_name
38 | }
39 | }
Check: CKV_AZURE_110: "Ensure that key vault enables purge protection"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/modules/key-vault/main.tf:18-39
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/main.tf:87-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-enables-purge-protection.html
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | network_acls {
29 | default_action = "Deny"
30 | bypass = "None"
31 | virtual_network_subnet_ids = [var.subnet_id]
32 | ip_rules = [var.myip]
33 | }
34 |
35 | tags = {
36 | "environment" = var.environment
37 | "application-name" = var.application_name
38 | }
39 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.database_username
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/modules/key-vault/main.tf:54-60
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/main.tf:87-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
54 | resource "azurerm_key_vault_secret" "database_username" {
55 | name = "database-username"
56 | value = var.database_username
57 | key_vault_id = azurerm_key_vault.application.id
58 |
59 | depends_on = [ azurerm_key_vault_access_policy.client ]
60 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.database_username
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/modules/key-vault/main.tf:54-60
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/main.tf:87-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
54 | resource "azurerm_key_vault_secret" "database_username" {
55 | name = "database-username"
56 | value = var.database_username
57 | key_vault_id = azurerm_key_vault.application.id
58 |
59 | depends_on = [ azurerm_key_vault_access_policy.client ]
60 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.database_password
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/modules/key-vault/main.tf:62-68
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/main.tf:87-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
62 | resource "azurerm_key_vault_secret" "database_password" {
63 | name = "database-password"
64 | value = var.database_password
65 | key_vault_id = azurerm_key_vault.application.id
66 |
67 | depends_on = [ azurerm_key_vault_access_policy.client ]
68 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.database_password
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/modules/key-vault/main.tf:62-68
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/main.tf:87-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
62 | resource "azurerm_key_vault_secret" "database_password" {
63 | name = "database-password"
64 | value = var.database_password
65 | key_vault_id = azurerm_key_vault.application.id
66 |
67 | depends_on = [ azurerm_key_vault_access_policy.client ]
68 | }
Check: CKV_AZURE_136: "Ensure that PostgreSQL Flexible server enables geo-redundant backups"
FAILED for resource: module.database.azurerm_postgresql_flexible_server.database
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/modules/postgresql/main.tf:28-59
Calling File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/main.tf:67-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-azure-postgresql-flexible-server-enables-geo-redundant-backups.html
28 | resource "azurerm_postgresql_flexible_server" "database" {
29 | name = azurecaf_name.postgresql_server.result
30 | resource_group_name = var.resource_group
31 | location = var.location
32 |
33 | administrator_login = var.administrator_login
34 | administrator_password = random_password.password.result
35 |
36 | sku_name = "B_Standard_B1ms"
37 | storage_mb = 32768
38 | backup_retention_days = 7
39 | version = "13"
40 | geo_redundant_backup_enabled = false
41 | dynamic "high_availability" {
42 | for_each = local.feature_flags.high_available_type
43 | content {
44 | mode = high_availability.value
45 | }
46 | }
47 | delegated_subnet_id = var.subnet_id
48 | private_dns_zone_id = azurerm_private_dns_zone.database.id
49 | depends_on = [azurerm_private_dns_zone_virtual_network_link.database]
50 |
51 | tags = {
52 | "environment" = var.environment
53 | "application-name" = var.application_name
54 | }
55 |
56 | lifecycle {
57 | ignore_changes = [ zone, high_availability.0.standby_availability_zone ]
58 | }
59 | }
Check: CKV_AZURE_132: "Ensure cosmosdb does not allow privileged escalation by restricting management plane changes"
FAILED for resource: module.cosmosdb-mongodb.azurerm_cosmosdb_account.cosmosdb
File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/modules/cosmosdb-mongodb/main.tf:16-37
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/main.tf:99-105
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-4.html
16 | resource "azurerm_cosmosdb_account" "cosmosdb" {
17 | name = azurecaf_name.cosmosdb_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | offer_type = "Standard"
21 | kind = "MongoDB"
22 | enable_free_tier = true
23 |
24 | tags = {
25 | "environment" = var.environment
26 | "application-name" = var.application_name
27 | }
28 |
29 | consistency_policy {
30 | consistency_level = "Session"
31 | }
32 |
33 | geo_location {
34 | failover_priority = 0
35 | location = var.location
36 | }
37 | }
Check: CKV_AZURE_100: "Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest"
FAILED for resource: module.cosmosdb-mongodb.azurerm_cosmosdb_account.cosmosdb
File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/modules/cosmosdb-mongodb/main.tf:16-37
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/main.tf:99-105
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-cosmos-db-accounts-have-customer-managed-keys-to-encrypt-data-at-rest.html
16 | resource "azurerm_cosmosdb_account" "cosmosdb" {
17 | name = azurecaf_name.cosmosdb_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | offer_type = "Standard"
21 | kind = "MongoDB"
22 | enable_free_tier = true
23 |
24 | tags = {
25 | "environment" = var.environment
26 | "application-name" = var.application_name
27 | }
28 |
29 | consistency_policy {
30 | consistency_level = "Session"
31 | }
32 |
33 | geo_location {
34 | failover_priority = 0
35 | location = var.location
36 | }
37 | }
Check: CKV_AZURE_101: "Ensure that Azure Cosmos DB disables public network access"
FAILED for resource: module.cosmosdb-mongodb.azurerm_cosmosdb_account.cosmosdb
File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/modules/cosmosdb-mongodb/main.tf:16-37
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/main.tf:99-105
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-azure-cosmos-db-disables-public-network-access.html
16 | resource "azurerm_cosmosdb_account" "cosmosdb" {
17 | name = azurecaf_name.cosmosdb_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | offer_type = "Standard"
21 | kind = "MongoDB"
22 | enable_free_tier = true
23 |
24 | tags = {
25 | "environment" = var.environment
26 | "application-name" = var.application_name
27 | }
28 |
29 | consistency_policy {
30 | consistency_level = "Session"
31 | }
32 |
33 | geo_location {
34 | failover_priority = 0
35 | location = var.location
36 | }
37 | }
Check: CKV_AZURE_99: "Ensure Cosmos DB accounts have restricted access"
FAILED for resource: module.cosmosdb-mongodb.azurerm_cosmosdb_account.cosmosdb
File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/modules/cosmosdb-mongodb/main.tf:16-37
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/main.tf:99-105
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-cosmos-db-accounts-have-restricted-access.html
16 | resource "azurerm_cosmosdb_account" "cosmosdb" {
17 | name = azurecaf_name.cosmosdb_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | offer_type = "Standard"
21 | kind = "MongoDB"
22 | enable_free_tier = true
23 |
24 | tags = {
25 | "environment" = var.environment
26 | "application-name" = var.application_name
27 | }
28 |
29 | consistency_policy {
30 | consistency_level = "Session"
31 | }
32 |
33 | geo_location {
34 | failover_priority = 0
35 | location = var.location
36 | }
37 | }
Check: CKV_AZURE_109: "Ensure that key vault allows firewall rules settings"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/modules/key-vault/main.tf:18-32
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/main.tf:69-81
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-key-vault-allows-firewall-rules-settings.html
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | tags = {
29 | "environment" = var.environment
30 | "application-name" = var.application_name
31 | }
32 | }
Check: CKV_AZURE_42: "Ensure the key vault is recoverable"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/modules/key-vault/main.tf:18-32
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/main.tf:69-81
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-the-key-vault-is-recoverable.html
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | tags = {
29 | "environment" = var.environment
30 | "application-name" = var.application_name
31 | }
32 | }
Check: CKV_AZURE_189: "Ensure that Azure Key Vault disables public network access"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/modules/key-vault/main.tf:18-32
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/main.tf:69-81
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | tags = {
29 | "environment" = var.environment
30 | "application-name" = var.application_name
31 | }
32 | }
Check: CKV_AZURE_110: "Ensure that key vault enables purge protection"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/modules/key-vault/main.tf:18-32
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/main.tf:69-81
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-enables-purge-protection.html
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | tags = {
29 | "environment" = var.environment
30 | "application-name" = var.application_name
31 | }
32 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.redis_password
File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/modules/key-vault/main.tf:47-53
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/main.tf:69-81
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
47 | resource "azurerm_key_vault_secret" "redis_password" {
48 | name = "redis-password"
49 | value = var.redis_password
50 | key_vault_id = azurerm_key_vault.application.id
51 |
52 | depends_on = [ azurerm_key_vault_access_policy.client ]
53 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.redis_password
File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/modules/key-vault/main.tf:47-53
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/main.tf:69-81
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
47 | resource "azurerm_key_vault_secret" "redis_password" {
48 | name = "redis-password"
49 | value = var.redis_password
50 | key_vault_id = azurerm_key_vault.application.id
51 |
52 | depends_on = [ azurerm_key_vault_access_policy.client ]
53 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.storage_account_key
File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/modules/key-vault/main.tf:55-61
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/main.tf:69-81
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
55 | resource "azurerm_key_vault_secret" "storage_account_key" {
56 | name = "storage-account-key"
57 | value = var.storage_account_key
58 | key_vault_id = azurerm_key_vault.application.id
59 |
60 | depends_on = [ azurerm_key_vault_access_policy.client ]
61 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.storage_account_key
File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/modules/key-vault/main.tf:55-61
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/main.tf:69-81
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
55 | resource "azurerm_key_vault_secret" "storage_account_key" {
56 | name = "storage-account-key"
57 | value = var.storage_account_key
58 | key_vault_id = azurerm_key_vault.application.id
59 |
60 | depends_on = [ azurerm_key_vault_access_policy.client ]
61 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.cosmosdb_mongodb_uri
File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/modules/key-vault/main.tf:63-69
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/main.tf:69-81
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
63 | resource "azurerm_key_vault_secret" "cosmosdb_mongodb_uri" {
64 | name = "cosmosdb-mongodb-uri"
65 | value = var.cosmosdb_mongodb_uri
66 | key_vault_id = azurerm_key_vault.application.id
67 |
68 | depends_on = [ azurerm_key_vault_access_policy.client ]
69 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.cosmosdb_mongodb_uri
File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/modules/key-vault/main.tf:63-69
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/main.tf:69-81
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
63 | resource "azurerm_key_vault_secret" "cosmosdb_mongodb_uri" {
64 | name = "cosmosdb-mongodb-uri"
65 | value = var.cosmosdb_mongodb_uri
66 | key_vault_id = azurerm_key_vault.application.id
67 |
68 | depends_on = [ azurerm_key_vault_access_policy.client ]
69 | }
Check: CKV_AZURE_89: "Ensure that Azure Cache for Redis disables public network access"
FAILED for resource: module.redis.azurerm_redis_cache.redis
File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/modules/redis/main.tf:16-33
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/main.tf:83-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-azure-cache-for-redis-disables-public-network-access.html
16 | resource "azurerm_redis_cache" "redis" {
17 | name = azurecaf_name.redis_cache.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | capacity = 0
21 | family = "C"
22 | sku_name = "Standard"
23 | enable_non_ssl_port = false
24 | minimum_tls_version = "1.2"
25 |
26 | tags = {
27 | "environment" = var.environment
28 | "application-name" = var.application_name
29 | }
30 |
31 | redis_configuration {
32 | }
33 | }
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/modules/storage-blob/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/main.tf:91-97
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/modules/storage-blob/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/main.tf:91-97
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/modules/storage-blob/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/main.tf:91-97
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/modules/storage-blob/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/main.tf:91-97
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/modules/storage-blob/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/main.tf:91-97
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_109: "Ensure that key vault allows firewall rules settings"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/asa-mysql-java/terraform/modules/key-vault/main.tf:18-32
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-mysql-java/terraform/main.tf:66-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-key-vault-allows-firewall-rules-settings.html
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | tags = {
29 | "environment" = var.environment
30 | "application-name" = var.application_name
31 | }
32 | }
Check: CKV_AZURE_42: "Ensure the key vault is recoverable"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/asa-mysql-java/terraform/modules/key-vault/main.tf:18-32
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-mysql-java/terraform/main.tf:66-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-the-key-vault-is-recoverable.html
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | tags = {
29 | "environment" = var.environment
30 | "application-name" = var.application_name
31 | }
32 | }
Check: CKV_AZURE_189: "Ensure that Azure Key Vault disables public network access"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/asa-mysql-java/terraform/modules/key-vault/main.tf:18-32
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-mysql-java/terraform/main.tf:66-75
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | tags = {
29 | "environment" = var.environment
30 | "application-name" = var.application_name
31 | }
32 | }
Check: CKV_AZURE_110: "Ensure that key vault enables purge protection"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/asa-mysql-java/terraform/modules/key-vault/main.tf:18-32
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-mysql-java/terraform/main.tf:66-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-enables-purge-protection.html
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | tags = {
29 | "environment" = var.environment
30 | "application-name" = var.application_name
31 | }
32 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.database_username
File: /rest-server/src/test/resources/nubesgen/terraform/asa-mysql-java/terraform/modules/key-vault/main.tf:47-53
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-mysql-java/terraform/main.tf:66-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
47 | resource "azurerm_key_vault_secret" "database_username" {
48 | name = "database-username"
49 | value = var.database_username
50 | key_vault_id = azurerm_key_vault.application.id
51 |
52 | depends_on = [ azurerm_key_vault_access_policy.client ]
53 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.database_username
File: /rest-server/src/test/resources/nubesgen/terraform/asa-mysql-java/terraform/modules/key-vault/main.tf:47-53
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-mysql-java/terraform/main.tf:66-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
47 | resource "azurerm_key_vault_secret" "database_username" {
48 | name = "database-username"
49 | value = var.database_username
50 | key_vault_id = azurerm_key_vault.application.id
51 |
52 | depends_on = [ azurerm_key_vault_access_policy.client ]
53 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.database_password
File: /rest-server/src/test/resources/nubesgen/terraform/asa-mysql-java/terraform/modules/key-vault/main.tf:55-61
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-mysql-java/terraform/main.tf:66-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
55 | resource "azurerm_key_vault_secret" "database_password" {
56 | name = "database-password"
57 | value = var.database_password
58 | key_vault_id = azurerm_key_vault.application.id
59 |
60 | depends_on = [ azurerm_key_vault_access_policy.client ]
61 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.database_password
File: /rest-server/src/test/resources/nubesgen/terraform/asa-mysql-java/terraform/modules/key-vault/main.tf:55-61
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-mysql-java/terraform/main.tf:66-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
55 | resource "azurerm_key_vault_secret" "database_password" {
56 | name = "database-password"
57 | value = var.database_password
58 | key_vault_id = azurerm_key_vault.application.id
59 |
60 | depends_on = [ azurerm_key_vault_access_policy.client ]
61 | }
Check: CKV_AZURE_94: "Ensure that My SQL server enables geo-redundant backups"
FAILED for resource: module.database.azurerm_mysql_flexible_server.database
File: /rest-server/src/test/resources/nubesgen/terraform/asa-mysql-java/terraform/modules/mysql/main.tf:22-39
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-mysql-java/terraform/main.tf:58-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-my-sql-server-enables-geo-redundant-backups.html
22 | resource "azurerm_mysql_flexible_server" "database" {
23 | name = azurecaf_name.mysql_server.result
24 | resource_group_name = var.resource_group
25 | location = var.location
26 |
27 | administrator_login = var.administrator_login
28 | administrator_password = random_password.password.result
29 |
30 | sku_name = "B_Standard_B1ms"
31 | version = "8.0.21"
32 | backup_retention_days = 7
33 | geo_redundant_backup_enabled = false
34 |
35 | tags = {
36 | "environment" = var.environment
37 | "application-name" = var.application_name
38 | }
39 | }
Check: CKV_AZURE_109: "Ensure that key vault allows firewall rules settings"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/asa-sqlserver-java/terraform/modules/key-vault/main.tf:18-32
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-sqlserver-java/terraform/main.tf:62-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-key-vault-allows-firewall-rules-settings.html
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | tags = {
29 | "environment" = var.environment
30 | "application-name" = var.application_name
31 | }
32 | }
Check: CKV_AZURE_42: "Ensure the key vault is recoverable"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/asa-sqlserver-java/terraform/modules/key-vault/main.tf:18-32
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-sqlserver-java/terraform/main.tf:62-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-the-key-vault-is-recoverable.html
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | tags = {
29 | "environment" = var.environment
30 | "application-name" = var.application_name
31 | }
32 | }
Check: CKV_AZURE_189: "Ensure that Azure Key Vault disables public network access"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/asa-sqlserver-java/terraform/modules/key-vault/main.tf:18-32
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-sqlserver-java/terraform/main.tf:62-71
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | tags = {
29 | "environment" = var.environment
30 | "application-name" = var.application_name
31 | }
32 | }
Check: CKV_AZURE_110: "Ensure that key vault enables purge protection"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/asa-sqlserver-java/terraform/modules/key-vault/main.tf:18-32
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-sqlserver-java/terraform/main.tf:62-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-enables-purge-protection.html
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | tags = {
29 | "environment" = var.environment
30 | "application-name" = var.application_name
31 | }
32 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.database_username
File: /rest-server/src/test/resources/nubesgen/terraform/asa-sqlserver-java/terraform/modules/key-vault/main.tf:47-53
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-sqlserver-java/terraform/main.tf:62-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
47 | resource "azurerm_key_vault_secret" "database_username" {
48 | name = "database-username"
49 | value = var.database_username
50 | key_vault_id = azurerm_key_vault.application.id
51 |
52 | depends_on = [ azurerm_key_vault_access_policy.client ]
53 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.database_username
File: /rest-server/src/test/resources/nubesgen/terraform/asa-sqlserver-java/terraform/modules/key-vault/main.tf:47-53
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-sqlserver-java/terraform/main.tf:62-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
47 | resource "azurerm_key_vault_secret" "database_username" {
48 | name = "database-username"
49 | value = var.database_username
50 | key_vault_id = azurerm_key_vault.application.id
51 |
52 | depends_on = [ azurerm_key_vault_access_policy.client ]
53 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.database_password
File: /rest-server/src/test/resources/nubesgen/terraform/asa-sqlserver-java/terraform/modules/key-vault/main.tf:55-61
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-sqlserver-java/terraform/main.tf:62-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
55 | resource "azurerm_key_vault_secret" "database_password" {
56 | name = "database-password"
57 | value = var.database_password
58 | key_vault_id = azurerm_key_vault.application.id
59 |
60 | depends_on = [ azurerm_key_vault_access_policy.client ]
61 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.database_password
File: /rest-server/src/test/resources/nubesgen/terraform/asa-sqlserver-java/terraform/modules/key-vault/main.tf:55-61
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-sqlserver-java/terraform/main.tf:62-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
55 | resource "azurerm_key_vault_secret" "database_password" {
56 | name = "database-password"
57 | value = var.database_password
58 | key_vault_id = azurerm_key_vault.application.id
59 |
60 | depends_on = [ azurerm_key_vault_access_policy.client ]
61 | }
Check: CKV_AZURE_113: "Ensure that SQL server disables public network access"
FAILED for resource: module.database.azurerm_mssql_server.database
File: /rest-server/src/test/resources/nubesgen/terraform/asa-sqlserver-java/terraform/modules/sql-server/main.tf:22-35
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-sqlserver-java/terraform/main.tf:54-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-sql-server-disables-public-network-access.html
22 | resource "azurerm_mssql_server" "database" {
23 | name = azurecaf_name.mssql_server.result
24 | resource_group_name = var.resource_group
25 | location = var.location
26 | version = "12.0"
27 |
28 | administrator_login = var.administrator_login
29 | administrator_login_password = random_password.password.result
30 |
31 | tags = {
32 | "environment" = var.environment
33 | "application-name" = var.application_name
34 | }
35 | }
Check: CKV_AZURE_52: "Ensure MSSQL is using the latest version of TLS encryption"
FAILED for resource: module.database.azurerm_mssql_server.database
File: /rest-server/src/test/resources/nubesgen/terraform/asa-sqlserver-java/terraform/modules/sql-server/main.tf:22-35
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-sqlserver-java/terraform/main.tf:54-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-mssql-is-using-the-latest-version-of-tls-encryption.html
22 | resource "azurerm_mssql_server" "database" {
23 | name = azurecaf_name.mssql_server.result
24 | resource_group_name = var.resource_group
25 | location = var.location
26 | version = "12.0"
27 |
28 | administrator_login = var.administrator_login
29 | administrator_login_password = random_password.password.result
30 |
31 | tags = {
32 | "environment" = var.environment
33 | "application-name" = var.application_name
34 | }
35 | }
Check: CKV_AZURE_224: "Ensure that the Ledger feature is enabled on database that requires cryptographic proof and nonrepudiation of data integrity"
FAILED for resource: module.database.azurerm_mssql_database.database
File: /rest-server/src/test/resources/nubesgen/terraform/asa-sqlserver-java/terraform/modules/sql-server/main.tf:43-51
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-sqlserver-java/terraform/main.tf:54-60
43 | resource "azurerm_mssql_database" "database" {
44 | name = azurecaf_name.mssql_database.result
45 | server_id = azurerm_mssql_server.database.id
46 | collation = "SQL_Latin1_General_CP1_CI_AS"
47 |
48 | sku_name = "GP_S_Gen5_1"
49 | min_capacity = 0.5
50 | auto_pause_delay_in_minutes = 60
51 | }
Check: CKV_AZURE_132: "Ensure cosmosdb does not allow privileged escalation by restricting management plane changes"
FAILED for resource: module.cosmosdb-mongodb.azurerm_cosmosdb_account.cosmosdb
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/modules/cosmosdb-mongodb/main.tf:16-43
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/main.tf:135-142
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-4.html
16 | resource "azurerm_cosmosdb_account" "cosmosdb" {
17 | name = azurecaf_name.cosmosdb_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | offer_type = "Standard"
21 | kind = "MongoDB"
22 | enable_free_tier = true
23 |
24 | tags = {
25 | "environment" = var.environment
26 | "application-name" = var.application_name
27 | }
28 |
29 | consistency_policy {
30 | consistency_level = "Session"
31 | }
32 |
33 | geo_location {
34 | failover_priority = 0
35 | location = var.location
36 | }
37 |
38 | is_virtual_network_filter_enabled = true
39 |
40 | virtual_network_rule {
41 | id = var.subnet_id
42 | }
43 | }
Check: CKV_AZURE_100: "Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest"
FAILED for resource: module.cosmosdb-mongodb.azurerm_cosmosdb_account.cosmosdb
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/modules/cosmosdb-mongodb/main.tf:16-43
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/main.tf:135-142
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-cosmos-db-accounts-have-customer-managed-keys-to-encrypt-data-at-rest.html
16 | resource "azurerm_cosmosdb_account" "cosmosdb" {
17 | name = azurecaf_name.cosmosdb_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | offer_type = "Standard"
21 | kind = "MongoDB"
22 | enable_free_tier = true
23 |
24 | tags = {
25 | "environment" = var.environment
26 | "application-name" = var.application_name
27 | }
28 |
29 | consistency_policy {
30 | consistency_level = "Session"
31 | }
32 |
33 | geo_location {
34 | failover_priority = 0
35 | location = var.location
36 | }
37 |
38 | is_virtual_network_filter_enabled = true
39 |
40 | virtual_network_rule {
41 | id = var.subnet_id
42 | }
43 | }
Check: CKV_AZURE_101: "Ensure that Azure Cosmos DB disables public network access"
FAILED for resource: module.cosmosdb-mongodb.azurerm_cosmosdb_account.cosmosdb
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/modules/cosmosdb-mongodb/main.tf:16-43
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/main.tf:135-142
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-azure-cosmos-db-disables-public-network-access.html
16 | resource "azurerm_cosmosdb_account" "cosmosdb" {
17 | name = azurecaf_name.cosmosdb_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | offer_type = "Standard"
21 | kind = "MongoDB"
22 | enable_free_tier = true
23 |
24 | tags = {
25 | "environment" = var.environment
26 | "application-name" = var.application_name
27 | }
28 |
29 | consistency_policy {
30 | consistency_level = "Session"
31 | }
32 |
33 | geo_location {
34 | failover_priority = 0
35 | location = var.location
36 | }
37 |
38 | is_virtual_network_filter_enabled = true
39 |
40 | virtual_network_rule {
41 | id = var.subnet_id
42 | }
43 | }
Check: CKV_AZURE_42: "Ensure the key vault is recoverable"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/modules/key-vault/main.tf:18-39
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/main.tf:96-114
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-the-key-vault-is-recoverable.html
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | network_acls {
29 | default_action = "Deny"
30 | bypass = "None"
31 | virtual_network_subnet_ids = [var.subnet_id]
32 | ip_rules = [var.myip]
33 | }
34 |
35 | tags = {
36 | "environment" = var.environment
37 | "application-name" = var.application_name
38 | }
39 | }
Check: CKV_AZURE_110: "Ensure that key vault enables purge protection"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/modules/key-vault/main.tf:18-39
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/main.tf:96-114
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-enables-purge-protection.html
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | network_acls {
29 | default_action = "Deny"
30 | bypass = "None"
31 | virtual_network_subnet_ids = [var.subnet_id]
32 | ip_rules = [var.myip]
33 | }
34 |
35 | tags = {
36 | "environment" = var.environment
37 | "application-name" = var.application_name
38 | }
39 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.database_username
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/modules/key-vault/main.tf:54-60
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/main.tf:96-114
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
54 | resource "azurerm_key_vault_secret" "database_username" {
55 | name = "database-username"
56 | value = var.database_username
57 | key_vault_id = azurerm_key_vault.application.id
58 |
59 | depends_on = [ azurerm_key_vault_access_policy.client ]
60 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.database_username
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/modules/key-vault/main.tf:54-60
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/main.tf:96-114
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
54 | resource "azurerm_key_vault_secret" "database_username" {
55 | name = "database-username"
56 | value = var.database_username
57 | key_vault_id = azurerm_key_vault.application.id
58 |
59 | depends_on = [ azurerm_key_vault_access_policy.client ]
60 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.database_password
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/modules/key-vault/main.tf:62-68
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/main.tf:96-114
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
62 | resource "azurerm_key_vault_secret" "database_password" {
63 | name = "database-password"
64 | value = var.database_password
65 | key_vault_id = azurerm_key_vault.application.id
66 |
67 | depends_on = [ azurerm_key_vault_access_policy.client ]
68 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.database_password
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/modules/key-vault/main.tf:62-68
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/main.tf:96-114
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
62 | resource "azurerm_key_vault_secret" "database_password" {
63 | name = "database-password"
64 | value = var.database_password
65 | key_vault_id = azurerm_key_vault.application.id
66 |
67 | depends_on = [ azurerm_key_vault_access_policy.client ]
68 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.redis_password
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/modules/key-vault/main.tf:70-76
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/main.tf:96-114
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
70 | resource "azurerm_key_vault_secret" "redis_password" {
71 | name = "redis-password"
72 | value = var.redis_password
73 | key_vault_id = azurerm_key_vault.application.id
74 |
75 | depends_on = [ azurerm_key_vault_access_policy.client ]
76 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.redis_password
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/modules/key-vault/main.tf:70-76
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/main.tf:96-114
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
70 | resource "azurerm_key_vault_secret" "redis_password" {
71 | name = "redis-password"
72 | value = var.redis_password
73 | key_vault_id = azurerm_key_vault.application.id
74 |
75 | depends_on = [ azurerm_key_vault_access_policy.client ]
76 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.storage_account_key
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/modules/key-vault/main.tf:78-84
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/main.tf:96-114
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
78 | resource "azurerm_key_vault_secret" "storage_account_key" {
79 | name = "storage-account-key"
80 | value = var.storage_account_key
81 | key_vault_id = azurerm_key_vault.application.id
82 |
83 | depends_on = [ azurerm_key_vault_access_policy.client ]
84 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.storage_account_key
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/modules/key-vault/main.tf:78-84
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/main.tf:96-114
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
78 | resource "azurerm_key_vault_secret" "storage_account_key" {
79 | name = "storage-account-key"
80 | value = var.storage_account_key
81 | key_vault_id = azurerm_key_vault.application.id
82 |
83 | depends_on = [ azurerm_key_vault_access_policy.client ]
84 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.cosmosdb_mongodb_uri
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/modules/key-vault/main.tf:86-92
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/main.tf:96-114
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
86 | resource "azurerm_key_vault_secret" "cosmosdb_mongodb_uri" {
87 | name = "cosmosdb-mongodb-uri"
88 | value = var.cosmosdb_mongodb_uri
89 | key_vault_id = azurerm_key_vault.application.id
90 |
91 | depends_on = [ azurerm_key_vault_access_policy.client ]
92 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.cosmosdb_mongodb_uri
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/modules/key-vault/main.tf:86-92
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/main.tf:96-114
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
86 | resource "azurerm_key_vault_secret" "cosmosdb_mongodb_uri" {
87 | name = "cosmosdb-mongodb-uri"
88 | value = var.cosmosdb_mongodb_uri
89 | key_vault_id = azurerm_key_vault.application.id
90 |
91 | depends_on = [ azurerm_key_vault_access_policy.client ]
92 | }
Check: CKV_AZURE_89: "Ensure that Azure Cache for Redis disables public network access"
FAILED for resource: module.redis.azurerm_redis_cache.redis
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/modules/redis/main.tf:16-35
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/main.tf:116-123
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-azure-cache-for-redis-disables-public-network-access.html
16 | resource "azurerm_redis_cache" "redis" {
17 | name = azurecaf_name.redis_cache.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | capacity = 1
21 | family = "P"
22 | sku_name = "Premium"
23 | enable_non_ssl_port = false
24 | minimum_tls_version = "1.2"
25 |
26 | tags = {
27 | "environment" = var.environment
28 | "application-name" = var.application_name
29 | }
30 |
31 | redis_configuration {
32 | }
33 |
34 | subnet_id = var.subnet_id
35 | }
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/modules/storage-blob/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/main.tf:125-133
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/modules/storage-blob/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/main.tf:125-133
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/modules/storage-blob/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/main.tf:125-133
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/modules/storage-blob/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/main.tf:125-133
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/modules/storage-blob/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/main.tf:125-133
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_113: "Ensure that SQL server disables public network access"
FAILED for resource: module.database.azurerm_mssql_server.database
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-mssql-java/terraform/modules/sql-server/main.tf:22-35
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-mssql-java/terraform/main.tf:58-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-sql-server-disables-public-network-access.html
22 | resource "azurerm_mssql_server" "database" {
23 | name = azurecaf_name.mssql_server.result
24 | resource_group_name = var.resource_group
25 | location = var.location
26 | version = "12.0"
27 |
28 | administrator_login = var.administrator_login
29 | administrator_login_password = random_password.password.result
30 |
31 | tags = {
32 | "environment" = var.environment
33 | "application-name" = var.application_name
34 | }
35 | }
Check: CKV_AZURE_52: "Ensure MSSQL is using the latest version of TLS encryption"
FAILED for resource: module.database.azurerm_mssql_server.database
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-mssql-java/terraform/modules/sql-server/main.tf:22-35
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-mssql-java/terraform/main.tf:58-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-mssql-is-using-the-latest-version-of-tls-encryption.html
22 | resource "azurerm_mssql_server" "database" {
23 | name = azurecaf_name.mssql_server.result
24 | resource_group_name = var.resource_group
25 | location = var.location
26 | version = "12.0"
27 |
28 | administrator_login = var.administrator_login
29 | administrator_login_password = random_password.password.result
30 |
31 | tags = {
32 | "environment" = var.environment
33 | "application-name" = var.application_name
34 | }
35 | }
Check: CKV_AZURE_224: "Ensure that the Ledger feature is enabled on database that requires cryptographic proof and nonrepudiation of data integrity"
FAILED for resource: module.database.azurerm_mssql_database.database
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-mssql-java/terraform/modules/sql-server/main.tf:43-49
Calling File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-mssql-java/terraform/main.tf:58-66
43 | resource "azurerm_mssql_database" "database" {
44 | name = azurecaf_name.mssql_database.result
45 | server_id = azurerm_mssql_server.database.id
46 | collation = "SQL_Latin1_General_CP1_CI_AS"
47 |
48 | sku_name = "GP_Gen5_2"
49 | }
Check: CKV_AZURE_211: "Ensure App Service plan suitable for production use"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/main.tf:41-50
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_225: "Ensure the App Service Plan is zone redundant"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/main.tf:41-50
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_212: "Ensure App Service has a minimum number of instances for failover"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/main.tf:41-50
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_213: "Ensure that App Service configures health check"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/modules/app-service/main.tf:38-69
Calling File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/main.tf:41-50
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATA_MONGODB_DATABASE" = var.azure_cosmosdb_mongodb_database
67 | "SPRING_DATA_MONGODB_URI" = var.azure_cosmosdb_mongodb_uri
68 | }
69 | }
Check: CKV_AZURE_214: "Ensure App Service is set to be always on"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/modules/app-service/main.tf:38-69
Calling File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/main.tf:41-50
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATA_MONGODB_DATABASE" = var.azure_cosmosdb_mongodb_database
67 | "SPRING_DATA_MONGODB_URI" = var.azure_cosmosdb_mongodb_uri
68 | }
69 | }
Check: CKV_AZURE_63: "Ensure that App service enables HTTP logging"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/modules/app-service/main.tf:38-69
Calling File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/main.tf:41-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-http-logging.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATA_MONGODB_DATABASE" = var.azure_cosmosdb_mongodb_database
67 | "SPRING_DATA_MONGODB_URI" = var.azure_cosmosdb_mongodb_uri
68 | }
69 | }
Check: CKV_AZURE_71: "Ensure that Managed identity provider is enabled for app services"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/modules/app-service/main.tf:38-69
Calling File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/main.tf:41-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-managed-identity-provider-is-enabled-for-app-services.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATA_MONGODB_DATABASE" = var.azure_cosmosdb_mongodb_database
67 | "SPRING_DATA_MONGODB_URI" = var.azure_cosmosdb_mongodb_uri
68 | }
69 | }
Check: CKV_AZURE_17: "Ensure the web app has 'Client Certificates (Incoming client certificates)' set"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/modules/app-service/main.tf:38-69
Calling File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/main.tf:41-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-7.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATA_MONGODB_DATABASE" = var.azure_cosmosdb_mongodb_database
67 | "SPRING_DATA_MONGODB_URI" = var.azure_cosmosdb_mongodb_uri
68 | }
69 | }
Check: CKV_AZURE_66: "Ensure that App service enables failed request tracing"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/modules/app-service/main.tf:38-69
Calling File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/main.tf:41-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-failed-request-tracing.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATA_MONGODB_DATABASE" = var.azure_cosmosdb_mongodb_database
67 | "SPRING_DATA_MONGODB_URI" = var.azure_cosmosdb_mongodb_uri
68 | }
69 | }
Check: CKV_AZURE_88: "Ensure that app services use Azure Files"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/modules/app-service/main.tf:38-69
Calling File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/main.tf:41-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-app-services-use-azure-files.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATA_MONGODB_DATABASE" = var.azure_cosmosdb_mongodb_database
67 | "SPRING_DATA_MONGODB_URI" = var.azure_cosmosdb_mongodb_uri
68 | }
69 | }
Check: CKV_AZURE_222: "Ensure that Azure Web App public network access is disabled"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/modules/app-service/main.tf:38-69
Calling File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/main.tf:41-50
Guide: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/azr-networking-63
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATA_MONGODB_DATABASE" = var.azure_cosmosdb_mongodb_database
67 | "SPRING_DATA_MONGODB_URI" = var.azure_cosmosdb_mongodb_uri
68 | }
69 | }
Check: CKV_AZURE_18: "Ensure that 'HTTP Version' is the latest if used to run the web app"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/modules/app-service/main.tf:38-69
Calling File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/main.tf:41-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-8.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATA_MONGODB_DATABASE" = var.azure_cosmosdb_mongodb_database
67 | "SPRING_DATA_MONGODB_URI" = var.azure_cosmosdb_mongodb_uri
68 | }
69 | }
Check: CKV_AZURE_13: "Ensure App Service Authentication is set on Azure App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/modules/app-service/main.tf:38-69
Calling File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/main.tf:41-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-2.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATA_MONGODB_DATABASE" = var.azure_cosmosdb_mongodb_database
67 | "SPRING_DATA_MONGODB_URI" = var.azure_cosmosdb_mongodb_uri
68 | }
69 | }
Check: CKV_AZURE_65: "Ensure that App service enables detailed error messages"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/modules/app-service/main.tf:38-69
Calling File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/main.tf:41-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/tbdensure-that-app-service-enables-detailed-error-messages.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATA_MONGODB_DATABASE" = var.azure_cosmosdb_mongodb_database
67 | "SPRING_DATA_MONGODB_URI" = var.azure_cosmosdb_mongodb_uri
68 | }
69 | }
Check: CKV_AZURE_16: "Ensure that Register with Azure Active Directory is enabled on App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/modules/app-service/main.tf:38-69
Calling File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/main.tf:41-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-iam-policies/bc-azr-iam-1.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATA_MONGODB_DATABASE" = var.azure_cosmosdb_mongodb_database
67 | "SPRING_DATA_MONGODB_URI" = var.azure_cosmosdb_mongodb_uri
68 | }
69 | }
Check: CKV_AZURE_132: "Ensure cosmosdb does not allow privileged escalation by restricting management plane changes"
FAILED for resource: module.cosmosdb-mongodb.azurerm_cosmosdb_account.cosmosdb
File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/modules/cosmosdb-mongodb/main.tf:16-37
Calling File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/main.tf:52-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-4.html
16 | resource "azurerm_cosmosdb_account" "cosmosdb" {
17 | name = azurecaf_name.cosmosdb_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | offer_type = "Standard"
21 | kind = "MongoDB"
22 | enable_free_tier = true
23 |
24 | tags = {
25 | "environment" = var.environment
26 | "application-name" = var.application_name
27 | }
28 |
29 | consistency_policy {
30 | consistency_level = "Session"
31 | }
32 |
33 | geo_location {
34 | failover_priority = 0
35 | location = var.location
36 | }
37 | }
Check: CKV_AZURE_100: "Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest"
FAILED for resource: module.cosmosdb-mongodb.azurerm_cosmosdb_account.cosmosdb
File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/modules/cosmosdb-mongodb/main.tf:16-37
Calling File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/main.tf:52-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-cosmos-db-accounts-have-customer-managed-keys-to-encrypt-data-at-rest.html
16 | resource "azurerm_cosmosdb_account" "cosmosdb" {
17 | name = azurecaf_name.cosmosdb_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | offer_type = "Standard"
21 | kind = "MongoDB"
22 | enable_free_tier = true
23 |
24 | tags = {
25 | "environment" = var.environment
26 | "application-name" = var.application_name
27 | }
28 |
29 | consistency_policy {
30 | consistency_level = "Session"
31 | }
32 |
33 | geo_location {
34 | failover_priority = 0
35 | location = var.location
36 | }
37 | }
Check: CKV_AZURE_101: "Ensure that Azure Cosmos DB disables public network access"
FAILED for resource: module.cosmosdb-mongodb.azurerm_cosmosdb_account.cosmosdb
File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/modules/cosmosdb-mongodb/main.tf:16-37
Calling File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/main.tf:52-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-azure-cosmos-db-disables-public-network-access.html
16 | resource "azurerm_cosmosdb_account" "cosmosdb" {
17 | name = azurecaf_name.cosmosdb_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | offer_type = "Standard"
21 | kind = "MongoDB"
22 | enable_free_tier = true
23 |
24 | tags = {
25 | "environment" = var.environment
26 | "application-name" = var.application_name
27 | }
28 |
29 | consistency_policy {
30 | consistency_level = "Session"
31 | }
32 |
33 | geo_location {
34 | failover_priority = 0
35 | location = var.location
36 | }
37 | }
Check: CKV_AZURE_99: "Ensure Cosmos DB accounts have restricted access"
FAILED for resource: module.cosmosdb-mongodb.azurerm_cosmosdb_account.cosmosdb
File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/modules/cosmosdb-mongodb/main.tf:16-37
Calling File: /rest-server/src/test/resources/nubesgen/terraform/cosmosdb-mongodb/terraform/main.tf:52-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-cosmos-db-accounts-have-restricted-access.html
16 | resource "azurerm_cosmosdb_account" "cosmosdb" {
17 | name = azurecaf_name.cosmosdb_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | offer_type = "Standard"
21 | kind = "MongoDB"
22 | enable_free_tier = true
23 |
24 | tags = {
25 | "environment" = var.environment
26 | "application-name" = var.application_name
27 | }
28 |
29 | consistency_policy {
30 | consistency_level = "Session"
31 | }
32 |
33 | geo_location {
34 | failover_priority = 0
35 | location = var.location
36 | }
37 | }
Check: CKV_AZURE_225: "Ensure the App Service Plan is zone redundant"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/function-maven-gitops/terraform/modules/function/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-maven-gitops/terraform/main.tf:45-51
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "Y1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_212: "Ensure App Service has a minimum number of instances for failover"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/function-maven-gitops/terraform/modules/function/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-maven-gitops/terraform/main.tf:45-51
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "Y1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: module.application.azurerm_storage_account.application
File: /rest-server/src/test/resources/nubesgen/terraform/function-maven-gitops/terraform/modules/function/main.tf:37-50
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-maven-gitops/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
37 | resource "azurerm_storage_account" "application" {
38 | name = azurecaf_name.storage_account.result
39 | resource_group_name = var.resource_group
40 | location = var.location
41 | account_tier = "Standard"
42 | account_replication_type = "LRS"
43 | enable_https_traffic_only = true
44 | allow_nested_items_to_be_public = false
45 |
46 | tags = {
47 | "environment" = var.environment
48 | "application-name" = var.application_name
49 | }
50 | }
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: module.application.azurerm_storage_account.application
File: /rest-server/src/test/resources/nubesgen/terraform/function-maven-gitops/terraform/modules/function/main.tf:37-50
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-maven-gitops/terraform/main.tf:45-51
37 | resource "azurerm_storage_account" "application" {
38 | name = azurecaf_name.storage_account.result
39 | resource_group_name = var.resource_group
40 | location = var.location
41 | account_tier = "Standard"
42 | account_replication_type = "LRS"
43 | enable_https_traffic_only = true
44 | allow_nested_items_to_be_public = false
45 |
46 | tags = {
47 | "environment" = var.environment
48 | "application-name" = var.application_name
49 | }
50 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: module.application.azurerm_storage_account.application
File: /rest-server/src/test/resources/nubesgen/terraform/function-maven-gitops/terraform/modules/function/main.tf:37-50
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-maven-gitops/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
37 | resource "azurerm_storage_account" "application" {
38 | name = azurecaf_name.storage_account.result
39 | resource_group_name = var.resource_group
40 | location = var.location
41 | account_tier = "Standard"
42 | account_replication_type = "LRS"
43 | enable_https_traffic_only = true
44 | allow_nested_items_to_be_public = false
45 |
46 | tags = {
47 | "environment" = var.environment
48 | "application-name" = var.application_name
49 | }
50 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: module.application.azurerm_storage_account.application
File: /rest-server/src/test/resources/nubesgen/terraform/function-maven-gitops/terraform/modules/function/main.tf:37-50
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-maven-gitops/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
37 | resource "azurerm_storage_account" "application" {
38 | name = azurecaf_name.storage_account.result
39 | resource_group_name = var.resource_group
40 | location = var.location
41 | account_tier = "Standard"
42 | account_replication_type = "LRS"
43 | enable_https_traffic_only = true
44 | allow_nested_items_to_be_public = false
45 |
46 | tags = {
47 | "environment" = var.environment
48 | "application-name" = var.application_name
49 | }
50 | }
Check: CKV_AZURE_221: "Ensure that Azure Function App public network access is disabled"
FAILED for resource: module.application.azurerm_linux_function_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/function-maven-gitops/terraform/modules/function/main.tf:59-86
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-maven-gitops/terraform/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/azr-networking-63
59 | resource "azurerm_linux_function_app" "application" {
60 | name = azurecaf_name.function_app.result
61 | resource_group_name = var.resource_group
62 | location = var.location
63 | service_plan_id = azurerm_service_plan.application.id
64 | storage_account_name = azurerm_storage_account.application.name
65 | storage_account_access_key = azurerm_storage_account.application.primary_access_key
66 | https_only = true
67 | functions_extension_version = "~4"
68 |
69 | tags = {
70 | "environment" = var.environment
71 | "application-name" = var.application_name
72 | }
73 |
74 | site_config {
75 | application_stack {
76 | java_version = "11"
77 | }
78 | }
79 |
80 | app_settings = {
81 | "WEBSITE_RUN_FROM_PACKAGE" = "1"
82 |
83 | # These are app specific environment variables
84 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
85 | }
86 | }
Check: CKV_AZURE_225: "Ensure the App Service Plan is zone redundant"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/function-mysql/terraform/modules/function/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-mysql/terraform/main.tf:41-51
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "Y1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_212: "Ensure App Service has a minimum number of instances for failover"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/function-mysql/terraform/modules/function/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-mysql/terraform/main.tf:41-51
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "Y1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: module.application.azurerm_storage_account.application
File: /rest-server/src/test/resources/nubesgen/terraform/function-mysql/terraform/modules/function/main.tf:37-50
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-mysql/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
37 | resource "azurerm_storage_account" "application" {
38 | name = azurecaf_name.storage_account.result
39 | resource_group_name = var.resource_group
40 | location = var.location
41 | account_tier = "Standard"
42 | account_replication_type = "LRS"
43 | enable_https_traffic_only = true
44 | allow_nested_items_to_be_public = false
45 |
46 | tags = {
47 | "environment" = var.environment
48 | "application-name" = var.application_name
49 | }
50 | }
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: module.application.azurerm_storage_account.application
File: /rest-server/src/test/resources/nubesgen/terraform/function-mysql/terraform/modules/function/main.tf:37-50
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-mysql/terraform/main.tf:41-51
37 | resource "azurerm_storage_account" "application" {
38 | name = azurecaf_name.storage_account.result
39 | resource_group_name = var.resource_group
40 | location = var.location
41 | account_tier = "Standard"
42 | account_replication_type = "LRS"
43 | enable_https_traffic_only = true
44 | allow_nested_items_to_be_public = false
45 |
46 | tags = {
47 | "environment" = var.environment
48 | "application-name" = var.application_name
49 | }
50 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: module.application.azurerm_storage_account.application
File: /rest-server/src/test/resources/nubesgen/terraform/function-mysql/terraform/modules/function/main.tf:37-50
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-mysql/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
37 | resource "azurerm_storage_account" "application" {
38 | name = azurecaf_name.storage_account.result
39 | resource_group_name = var.resource_group
40 | location = var.location
41 | account_tier = "Standard"
42 | account_replication_type = "LRS"
43 | enable_https_traffic_only = true
44 | allow_nested_items_to_be_public = false
45 |
46 | tags = {
47 | "environment" = var.environment
48 | "application-name" = var.application_name
49 | }
50 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: module.application.azurerm_storage_account.application
File: /rest-server/src/test/resources/nubesgen/terraform/function-mysql/terraform/modules/function/main.tf:37-50
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-mysql/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
37 | resource "azurerm_storage_account" "application" {
38 | name = azurecaf_name.storage_account.result
39 | resource_group_name = var.resource_group
40 | location = var.location
41 | account_tier = "Standard"
42 | account_replication_type = "LRS"
43 | enable_https_traffic_only = true
44 | allow_nested_items_to_be_public = false
45 |
46 | tags = {
47 | "environment" = var.environment
48 | "application-name" = var.application_name
49 | }
50 | }
Check: CKV_AZURE_221: "Ensure that Azure Function App public network access is disabled"
FAILED for resource: module.application.azurerm_linux_function_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/function-mysql/terraform/modules/function/main.tf:59-90
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-mysql/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/azr-networking-63
59 | resource "azurerm_linux_function_app" "application" {
60 | name = azurecaf_name.function_app.result
61 | resource_group_name = var.resource_group
62 | location = var.location
63 | service_plan_id = azurerm_service_plan.application.id
64 | storage_account_name = azurerm_storage_account.application.name
65 | storage_account_access_key = azurerm_storage_account.application.primary_access_key
66 | https_only = true
67 | functions_extension_version = "~4"
68 |
69 | tags = {
70 | "environment" = var.environment
71 | "application-name" = var.application_name
72 | }
73 |
74 | site_config {
75 | application_stack {
76 | java_version = "11"
77 | }
78 | }
79 |
80 | app_settings = {
81 | "WEBSITE_RUN_FROM_PACKAGE" = "1"
82 |
83 | # These are app specific environment variables
84 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
85 |
86 | "SPRING_DATASOURCE_URL" = "jdbc:mysql://${var.database_url}?useUnicode=true&characterEncoding=utf8&useSSL=true&useLegacyDatetimeCode=false&serverTimezone=UTC"
87 | "SPRING_DATASOURCE_USERNAME" = var.database_username
88 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
89 | }
90 | }
Check: CKV_AZURE_94: "Ensure that My SQL server enables geo-redundant backups"
FAILED for resource: module.database.azurerm_mysql_flexible_server.database
File: /rest-server/src/test/resources/nubesgen/terraform/function-mysql/terraform/modules/mysql/main.tf:22-39
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-mysql/terraform/main.tf:53-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-my-sql-server-enables-geo-redundant-backups.html
22 | resource "azurerm_mysql_flexible_server" "database" {
23 | name = azurecaf_name.mysql_server.result
24 | resource_group_name = var.resource_group
25 | location = var.location
26 |
27 | administrator_login = var.administrator_login
28 | administrator_password = random_password.password.result
29 |
30 | sku_name = "B_Standard_B1ms"
31 | version = "8.0.21"
32 | backup_retention_days = 7
33 | geo_redundant_backup_enabled = false
34 |
35 | tags = {
36 | "environment" = var.environment
37 | "application-name" = var.application_name
38 | }
39 | }
Check: CKV_AZURE_132: "Ensure cosmosdb does not allow privileged escalation by restricting management plane changes"
FAILED for resource: module.cosmosdb-mongodb.azurerm_cosmosdb_account.cosmosdb
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/cosmosdb-mongodb/main.tf:16-43
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/main.tf:136-143
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-4.html
16 | resource "azurerm_cosmosdb_account" "cosmosdb" {
17 | name = azurecaf_name.cosmosdb_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | offer_type = "Standard"
21 | kind = "MongoDB"
22 | enable_free_tier = true
23 |
24 | tags = {
25 | "environment" = var.environment
26 | "application-name" = var.application_name
27 | }
28 |
29 | consistency_policy {
30 | consistency_level = "Session"
31 | }
32 |
33 | geo_location {
34 | failover_priority = 0
35 | location = var.location
36 | }
37 |
38 | is_virtual_network_filter_enabled = true
39 |
40 | virtual_network_rule {
41 | id = var.subnet_id
42 | }
43 | }
Check: CKV_AZURE_100: "Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest"
FAILED for resource: module.cosmosdb-mongodb.azurerm_cosmosdb_account.cosmosdb
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/cosmosdb-mongodb/main.tf:16-43
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/main.tf:136-143
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-cosmos-db-accounts-have-customer-managed-keys-to-encrypt-data-at-rest.html
16 | resource "azurerm_cosmosdb_account" "cosmosdb" {
17 | name = azurecaf_name.cosmosdb_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | offer_type = "Standard"
21 | kind = "MongoDB"
22 | enable_free_tier = true
23 |
24 | tags = {
25 | "environment" = var.environment
26 | "application-name" = var.application_name
27 | }
28 |
29 | consistency_policy {
30 | consistency_level = "Session"
31 | }
32 |
33 | geo_location {
34 | failover_priority = 0
35 | location = var.location
36 | }
37 |
38 | is_virtual_network_filter_enabled = true
39 |
40 | virtual_network_rule {
41 | id = var.subnet_id
42 | }
43 | }
Check: CKV_AZURE_101: "Ensure that Azure Cosmos DB disables public network access"
FAILED for resource: module.cosmosdb-mongodb.azurerm_cosmosdb_account.cosmosdb
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/cosmosdb-mongodb/main.tf:16-43
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/main.tf:136-143
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-azure-cosmos-db-disables-public-network-access.html
16 | resource "azurerm_cosmosdb_account" "cosmosdb" {
17 | name = azurecaf_name.cosmosdb_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | offer_type = "Standard"
21 | kind = "MongoDB"
22 | enable_free_tier = true
23 |
24 | tags = {
25 | "environment" = var.environment
26 | "application-name" = var.application_name
27 | }
28 |
29 | consistency_policy {
30 | consistency_level = "Session"
31 | }
32 |
33 | geo_location {
34 | failover_priority = 0
35 | location = var.location
36 | }
37 |
38 | is_virtual_network_filter_enabled = true
39 |
40 | virtual_network_rule {
41 | id = var.subnet_id
42 | }
43 | }
Check: CKV_AZURE_225: "Ensure the App Service Plan is zone redundant"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/function/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/main.tf:49-75
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "EP1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_212: "Ensure App Service has a minimum number of instances for failover"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/function/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/main.tf:49-75
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "EP1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: module.application.azurerm_storage_account.application
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/function/main.tf:37-50
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/main.tf:49-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
37 | resource "azurerm_storage_account" "application" {
38 | name = azurecaf_name.storage_account.result
39 | resource_group_name = var.resource_group
40 | location = var.location
41 | account_tier = "Standard"
42 | account_replication_type = "LRS"
43 | enable_https_traffic_only = true
44 | allow_nested_items_to_be_public = false
45 |
46 | tags = {
47 | "environment" = var.environment
48 | "application-name" = var.application_name
49 | }
50 | }
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: module.application.azurerm_storage_account.application
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/function/main.tf:37-50
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/main.tf:49-75
37 | resource "azurerm_storage_account" "application" {
38 | name = azurecaf_name.storage_account.result
39 | resource_group_name = var.resource_group
40 | location = var.location
41 | account_tier = "Standard"
42 | account_replication_type = "LRS"
43 | enable_https_traffic_only = true
44 | allow_nested_items_to_be_public = false
45 |
46 | tags = {
47 | "environment" = var.environment
48 | "application-name" = var.application_name
49 | }
50 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: module.application.azurerm_storage_account.application
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/function/main.tf:37-50
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/main.tf:49-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
37 | resource "azurerm_storage_account" "application" {
38 | name = azurecaf_name.storage_account.result
39 | resource_group_name = var.resource_group
40 | location = var.location
41 | account_tier = "Standard"
42 | account_replication_type = "LRS"
43 | enable_https_traffic_only = true
44 | allow_nested_items_to_be_public = false
45 |
46 | tags = {
47 | "environment" = var.environment
48 | "application-name" = var.application_name
49 | }
50 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: module.application.azurerm_storage_account.application
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/function/main.tf:37-50
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/main.tf:49-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
37 | resource "azurerm_storage_account" "application" {
38 | name = azurecaf_name.storage_account.result
39 | resource_group_name = var.resource_group
40 | location = var.location
41 | account_tier = "Standard"
42 | account_replication_type = "LRS"
43 | enable_https_traffic_only = true
44 | allow_nested_items_to_be_public = false
45 |
46 | tags = {
47 | "environment" = var.environment
48 | "application-name" = var.application_name
49 | }
50 | }
Check: CKV_AZURE_221: "Ensure that Azure Function App public network access is disabled"
FAILED for resource: module.application.azurerm_linux_function_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/function/main.tf:59-107
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/main.tf:49-75
Guide: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/azr-networking-63
59 | resource "azurerm_linux_function_app" "application" {
60 | name = azurecaf_name.function_app.result
61 | resource_group_name = var.resource_group
62 | location = var.location
63 | service_plan_id = azurerm_service_plan.application.id
64 | storage_account_name = azurerm_storage_account.application.name
65 | storage_account_access_key = azurerm_storage_account.application.primary_access_key
66 | https_only = true
67 | functions_extension_version = "~4"
68 |
69 | tags = {
70 | "environment" = var.environment
71 | "application-name" = var.application_name
72 | }
73 |
74 | site_config {
75 | application_stack {
76 | java_version = "11"
77 | }
78 | }
79 |
80 | identity {
81 | type = "SystemAssigned"
82 | }
83 |
84 | app_settings = {
85 | "WEBSITE_RUN_FROM_PACKAGE" = "1"
86 |
87 | // Monitoring with Azure Application Insights
88 | "APPINSIGHTS_INSTRUMENTATIONKEY" = var.azure_application_insights_instrumentation_key
89 |
90 | # These are app specific environment variables
91 |
92 | "DATABASE_URL" = var.database_url
93 | "DATABASE_USERNAME" = var.database_username
94 | "DATABASE_PASSWORD" = var.database_password
95 |
96 | "REDIS_HOST" = var.azure_redis_host
97 | "REDIS_PASSWORD" = var.azure_redis_password
98 | "REDIS_PORT" = "6380"
99 |
100 | "AZURE_STORAGE_ACCOUNT_NAME" = var.azure_storage_account_name
101 | "AZURE_STORAGE_BLOB_ENDPOINT" = var.azure_storage_blob_endpoint
102 | "AZURE_STORAGE_ACCOUNT_KEY" = var.azure_storage_account_key
103 |
104 | "MONGODB_DATABASE" = var.azure_cosmosdb_mongodb_database
105 | "MONGODB_URI" = var.azure_cosmosdb_mongodb_uri
106 | }
107 | }
Check: CKV_AZURE_42: "Ensure the key vault is recoverable"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/key-vault/main.tf:18-39
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/main.tf:97-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-the-key-vault-is-recoverable.html
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | network_acls {
29 | default_action = "Deny"
30 | bypass = "None"
31 | virtual_network_subnet_ids = [var.subnet_id]
32 | ip_rules = [var.myip]
33 | }
34 |
35 | tags = {
36 | "environment" = var.environment
37 | "application-name" = var.application_name
38 | }
39 | }
Check: CKV_AZURE_110: "Ensure that key vault enables purge protection"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/key-vault/main.tf:18-39
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/main.tf:97-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-enables-purge-protection.html
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | network_acls {
29 | default_action = "Deny"
30 | bypass = "None"
31 | virtual_network_subnet_ids = [var.subnet_id]
32 | ip_rules = [var.myip]
33 | }
34 |
35 | tags = {
36 | "environment" = var.environment
37 | "application-name" = var.application_name
38 | }
39 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.database_username
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/key-vault/main.tf:54-60
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/main.tf:97-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
54 | resource "azurerm_key_vault_secret" "database_username" {
55 | name = "database-username"
56 | value = var.database_username
57 | key_vault_id = azurerm_key_vault.application.id
58 |
59 | depends_on = [ azurerm_key_vault_access_policy.client ]
60 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.database_username
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/key-vault/main.tf:54-60
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/main.tf:97-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
54 | resource "azurerm_key_vault_secret" "database_username" {
55 | name = "database-username"
56 | value = var.database_username
57 | key_vault_id = azurerm_key_vault.application.id
58 |
59 | depends_on = [ azurerm_key_vault_access_policy.client ]
60 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.database_password
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/key-vault/main.tf:62-68
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/main.tf:97-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
62 | resource "azurerm_key_vault_secret" "database_password" {
63 | name = "database-password"
64 | value = var.database_password
65 | key_vault_id = azurerm_key_vault.application.id
66 |
67 | depends_on = [ azurerm_key_vault_access_policy.client ]
68 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.database_password
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/key-vault/main.tf:62-68
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/main.tf:97-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
62 | resource "azurerm_key_vault_secret" "database_password" {
63 | name = "database-password"
64 | value = var.database_password
65 | key_vault_id = azurerm_key_vault.application.id
66 |
67 | depends_on = [ azurerm_key_vault_access_policy.client ]
68 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.redis_password
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/key-vault/main.tf:70-76
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/main.tf:97-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
70 | resource "azurerm_key_vault_secret" "redis_password" {
71 | name = "redis-password"
72 | value = var.redis_password
73 | key_vault_id = azurerm_key_vault.application.id
74 |
75 | depends_on = [ azurerm_key_vault_access_policy.client ]
76 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.redis_password
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/key-vault/main.tf:70-76
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/main.tf:97-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
70 | resource "azurerm_key_vault_secret" "redis_password" {
71 | name = "redis-password"
72 | value = var.redis_password
73 | key_vault_id = azurerm_key_vault.application.id
74 |
75 | depends_on = [ azurerm_key_vault_access_policy.client ]
76 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.storage_account_key
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/key-vault/main.tf:78-84
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/main.tf:97-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
78 | resource "azurerm_key_vault_secret" "storage_account_key" {
79 | name = "storage-account-key"
80 | value = var.storage_account_key
81 | key_vault_id = azurerm_key_vault.application.id
82 |
83 | depends_on = [ azurerm_key_vault_access_policy.client ]
84 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.storage_account_key
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/key-vault/main.tf:78-84
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/main.tf:97-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
78 | resource "azurerm_key_vault_secret" "storage_account_key" {
79 | name = "storage-account-key"
80 | value = var.storage_account_key
81 | key_vault_id = azurerm_key_vault.application.id
82 |
83 | depends_on = [ azurerm_key_vault_access_policy.client ]
84 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.cosmosdb_mongodb_uri
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/key-vault/main.tf:86-92
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/main.tf:97-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
86 | resource "azurerm_key_vault_secret" "cosmosdb_mongodb_uri" {
87 | name = "cosmosdb-mongodb-uri"
88 | value = var.cosmosdb_mongodb_uri
89 | key_vault_id = azurerm_key_vault.application.id
90 |
91 | depends_on = [ azurerm_key_vault_access_policy.client ]
92 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.cosmosdb_mongodb_uri
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/key-vault/main.tf:86-92
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/main.tf:97-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
86 | resource "azurerm_key_vault_secret" "cosmosdb_mongodb_uri" {
87 | name = "cosmosdb-mongodb-uri"
88 | value = var.cosmosdb_mongodb_uri
89 | key_vault_id = azurerm_key_vault.application.id
90 |
91 | depends_on = [ azurerm_key_vault_access_policy.client ]
92 | }
Check: CKV_AZURE_89: "Ensure that Azure Cache for Redis disables public network access"
FAILED for resource: module.redis.azurerm_redis_cache.redis
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/redis/main.tf:16-35
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/main.tf:117-124
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-azure-cache-for-redis-disables-public-network-access.html
16 | resource "azurerm_redis_cache" "redis" {
17 | name = azurecaf_name.redis_cache.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | capacity = 1
21 | family = "P"
22 | sku_name = "Premium"
23 | enable_non_ssl_port = false
24 | minimum_tls_version = "1.2"
25 |
26 | tags = {
27 | "environment" = var.environment
28 | "application-name" = var.application_name
29 | }
30 |
31 | redis_configuration {
32 | }
33 |
34 | subnet_id = var.subnet_id
35 | }
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/storage-blob/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/main.tf:126-134
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/storage-blob/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/main.tf:126-134
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/storage-blob/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/main.tf:126-134
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/storage-blob/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/main.tf:126-134
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/storage-blob/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/main.tf:126-134
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_225: "Ensure the App Service Plan is zone redundant"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/main.tf:41-53
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "S1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_212: "Ensure App Service has a minimum number of instances for failover"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/main.tf:41-53
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "S1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_213: "Ensure that App Service configures health check"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/modules/app-service/main.tf:38-74
Calling File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/main.tf:41-53
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = true
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | identity {
61 | type = "SystemAssigned"
62 | }
63 |
64 | app_settings = {
65 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
66 |
67 | # These are app specific environment variables
68 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
69 |
70 | "SPRING_DATASOURCE_URL" = "jdbc:postgresql://${var.database_url}"
71 | "SPRING_DATASOURCE_USERNAME" = var.database_username
72 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
73 | }
74 | }
Check: CKV_AZURE_63: "Ensure that App service enables HTTP logging"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/modules/app-service/main.tf:38-74
Calling File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/main.tf:41-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-http-logging.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = true
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | identity {
61 | type = "SystemAssigned"
62 | }
63 |
64 | app_settings = {
65 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
66 |
67 | # These are app specific environment variables
68 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
69 |
70 | "SPRING_DATASOURCE_URL" = "jdbc:postgresql://${var.database_url}"
71 | "SPRING_DATASOURCE_USERNAME" = var.database_username
72 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
73 | }
74 | }
Check: CKV_AZURE_17: "Ensure the web app has 'Client Certificates (Incoming client certificates)' set"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/modules/app-service/main.tf:38-74
Calling File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/main.tf:41-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-7.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = true
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | identity {
61 | type = "SystemAssigned"
62 | }
63 |
64 | app_settings = {
65 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
66 |
67 | # These are app specific environment variables
68 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
69 |
70 | "SPRING_DATASOURCE_URL" = "jdbc:postgresql://${var.database_url}"
71 | "SPRING_DATASOURCE_USERNAME" = var.database_username
72 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
73 | }
74 | }
Check: CKV_AZURE_66: "Ensure that App service enables failed request tracing"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/modules/app-service/main.tf:38-74
Calling File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/main.tf:41-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-failed-request-tracing.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = true
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | identity {
61 | type = "SystemAssigned"
62 | }
63 |
64 | app_settings = {
65 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
66 |
67 | # These are app specific environment variables
68 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
69 |
70 | "SPRING_DATASOURCE_URL" = "jdbc:postgresql://${var.database_url}"
71 | "SPRING_DATASOURCE_USERNAME" = var.database_username
72 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
73 | }
74 | }
Check: CKV_AZURE_88: "Ensure that app services use Azure Files"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/modules/app-service/main.tf:38-74
Calling File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/main.tf:41-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-app-services-use-azure-files.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = true
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | identity {
61 | type = "SystemAssigned"
62 | }
63 |
64 | app_settings = {
65 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
66 |
67 | # These are app specific environment variables
68 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
69 |
70 | "SPRING_DATASOURCE_URL" = "jdbc:postgresql://${var.database_url}"
71 | "SPRING_DATASOURCE_USERNAME" = var.database_username
72 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
73 | }
74 | }
Check: CKV_AZURE_222: "Ensure that Azure Web App public network access is disabled"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/modules/app-service/main.tf:38-74
Calling File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/main.tf:41-53
Guide: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/azr-networking-63
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = true
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | identity {
61 | type = "SystemAssigned"
62 | }
63 |
64 | app_settings = {
65 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
66 |
67 | # These are app specific environment variables
68 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
69 |
70 | "SPRING_DATASOURCE_URL" = "jdbc:postgresql://${var.database_url}"
71 | "SPRING_DATASOURCE_USERNAME" = var.database_username
72 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
73 | }
74 | }
Check: CKV_AZURE_18: "Ensure that 'HTTP Version' is the latest if used to run the web app"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/modules/app-service/main.tf:38-74
Calling File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/main.tf:41-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-8.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = true
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | identity {
61 | type = "SystemAssigned"
62 | }
63 |
64 | app_settings = {
65 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
66 |
67 | # These are app specific environment variables
68 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
69 |
70 | "SPRING_DATASOURCE_URL" = "jdbc:postgresql://${var.database_url}"
71 | "SPRING_DATASOURCE_USERNAME" = var.database_username
72 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
73 | }
74 | }
Check: CKV_AZURE_13: "Ensure App Service Authentication is set on Azure App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/modules/app-service/main.tf:38-74
Calling File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/main.tf:41-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-2.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = true
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | identity {
61 | type = "SystemAssigned"
62 | }
63 |
64 | app_settings = {
65 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
66 |
67 | # These are app specific environment variables
68 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
69 |
70 | "SPRING_DATASOURCE_URL" = "jdbc:postgresql://${var.database_url}"
71 | "SPRING_DATASOURCE_USERNAME" = var.database_username
72 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
73 | }
74 | }
Check: CKV_AZURE_65: "Ensure that App service enables detailed error messages"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/modules/app-service/main.tf:38-74
Calling File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/main.tf:41-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/tbdensure-that-app-service-enables-detailed-error-messages.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = true
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | identity {
61 | type = "SystemAssigned"
62 | }
63 |
64 | app_settings = {
65 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
66 |
67 | # These are app specific environment variables
68 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
69 |
70 | "SPRING_DATASOURCE_URL" = "jdbc:postgresql://${var.database_url}"
71 | "SPRING_DATASOURCE_USERNAME" = var.database_username
72 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
73 | }
74 | }
Check: CKV_AZURE_109: "Ensure that key vault allows firewall rules settings"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/modules/key-vault/main.tf:18-32
Calling File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/main.tf:64-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-key-vault-allows-firewall-rules-settings.html
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | tags = {
29 | "environment" = var.environment
30 | "application-name" = var.application_name
31 | }
32 | }
Check: CKV_AZURE_42: "Ensure the key vault is recoverable"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/modules/key-vault/main.tf:18-32
Calling File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/main.tf:64-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-the-key-vault-is-recoverable.html
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | tags = {
29 | "environment" = var.environment
30 | "application-name" = var.application_name
31 | }
32 | }
Check: CKV_AZURE_189: "Ensure that Azure Key Vault disables public network access"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/modules/key-vault/main.tf:18-32
Calling File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/main.tf:64-73
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | tags = {
29 | "environment" = var.environment
30 | "application-name" = var.application_name
31 | }
32 | }
Check: CKV_AZURE_110: "Ensure that key vault enables purge protection"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/modules/key-vault/main.tf:18-32
Calling File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/main.tf:64-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-enables-purge-protection.html
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | tags = {
29 | "environment" = var.environment
30 | "application-name" = var.application_name
31 | }
32 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.database_username
File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/modules/key-vault/main.tf:47-53
Calling File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/main.tf:64-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
47 | resource "azurerm_key_vault_secret" "database_username" {
48 | name = "database-username"
49 | value = var.database_username
50 | key_vault_id = azurerm_key_vault.application.id
51 |
52 | depends_on = [ azurerm_key_vault_access_policy.client ]
53 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.database_username
File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/modules/key-vault/main.tf:47-53
Calling File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/main.tf:64-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
47 | resource "azurerm_key_vault_secret" "database_username" {
48 | name = "database-username"
49 | value = var.database_username
50 | key_vault_id = azurerm_key_vault.application.id
51 |
52 | depends_on = [ azurerm_key_vault_access_policy.client ]
53 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.database_password
File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/modules/key-vault/main.tf:55-61
Calling File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/main.tf:64-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
55 | resource "azurerm_key_vault_secret" "database_password" {
56 | name = "database-password"
57 | value = var.database_password
58 | key_vault_id = azurerm_key_vault.application.id
59 |
60 | depends_on = [ azurerm_key_vault_access_policy.client ]
61 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.key-vault.azurerm_key_vault_secret.database_password
File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/modules/key-vault/main.tf:55-61
Calling File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/main.tf:64-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
55 | resource "azurerm_key_vault_secret" "database_password" {
56 | name = "database-password"
57 | value = var.database_password
58 | key_vault_id = azurerm_key_vault.application.id
59 |
60 | depends_on = [ azurerm_key_vault_access_policy.client ]
61 | }
Check: CKV_AZURE_136: "Ensure that PostgreSQL Flexible server enables geo-redundant backups"
FAILED for resource: module.database.azurerm_postgresql_flexible_server.database
File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/modules/postgresql/main.tf:28-56
Calling File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/main.tf:55-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-azure-postgresql-flexible-server-enables-geo-redundant-backups.html
28 | resource "azurerm_postgresql_flexible_server" "database" {
29 | name = azurecaf_name.postgresql_server.result
30 | resource_group_name = var.resource_group
31 | location = var.location
32 |
33 | administrator_login = var.administrator_login
34 | administrator_password = random_password.password.result
35 |
36 | sku_name = "B_Standard_B1ms"
37 | storage_mb = 32768
38 | backup_retention_days = 7
39 | version = "13"
40 | geo_redundant_backup_enabled = false
41 | dynamic "high_availability" {
42 | for_each = local.feature_flags.high_available_type
43 | content {
44 | mode = high_availability.value
45 | }
46 | }
47 |
48 | tags = {
49 | "environment" = var.environment
50 | "application-name" = var.application_name
51 | }
52 |
53 | lifecycle {
54 | ignore_changes = [ zone, high_availability.0.standby_availability_zone ]
55 | }
56 | }
Check: CKV_AZURE_211: "Ensure App Service plan suitable for production use"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/mysql-quarkus/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/mysql-quarkus/terraform/main.tf:41-51
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_225: "Ensure the App Service Plan is zone redundant"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/mysql-quarkus/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/mysql-quarkus/terraform/main.tf:41-51
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_212: "Ensure App Service has a minimum number of instances for failover"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/mysql-quarkus/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/mysql-quarkus/terraform/main.tf:41-51
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_213: "Ensure that App Service configures health check"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/mysql-quarkus/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/mysql-quarkus/terraform/main.tf:41-51
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "QUARKUS_HTTP_PORT" = 80
65 | "QUARKUS_PROFILE" = "prod"
66 |
67 | "QUARKUS_DATASOURCE_JDBC_URL" = "jdbc:mysql://${var.database_url}?useUnicode=true&characterEncoding=utf8&useSSL=true&useLegacyDatetimeCode=false&serverTimezone=UTC"
68 | "QUARKUS_DATASOURCE_USERNAME" = var.database_username
69 | "QUARKUS_DATASOURCE_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_214: "Ensure App Service is set to be always on"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/mysql-quarkus/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/mysql-quarkus/terraform/main.tf:41-51
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "QUARKUS_HTTP_PORT" = 80
65 | "QUARKUS_PROFILE" = "prod"
66 |
67 | "QUARKUS_DATASOURCE_JDBC_URL" = "jdbc:mysql://${var.database_url}?useUnicode=true&characterEncoding=utf8&useSSL=true&useLegacyDatetimeCode=false&serverTimezone=UTC"
68 | "QUARKUS_DATASOURCE_USERNAME" = var.database_username
69 | "QUARKUS_DATASOURCE_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_63: "Ensure that App service enables HTTP logging"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/mysql-quarkus/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/mysql-quarkus/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-http-logging.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "QUARKUS_HTTP_PORT" = 80
65 | "QUARKUS_PROFILE" = "prod"
66 |
67 | "QUARKUS_DATASOURCE_JDBC_URL" = "jdbc:mysql://${var.database_url}?useUnicode=true&characterEncoding=utf8&useSSL=true&useLegacyDatetimeCode=false&serverTimezone=UTC"
68 | "QUARKUS_DATASOURCE_USERNAME" = var.database_username
69 | "QUARKUS_DATASOURCE_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_71: "Ensure that Managed identity provider is enabled for app services"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/mysql-quarkus/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/mysql-quarkus/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-managed-identity-provider-is-enabled-for-app-services.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "QUARKUS_HTTP_PORT" = 80
65 | "QUARKUS_PROFILE" = "prod"
66 |
67 | "QUARKUS_DATASOURCE_JDBC_URL" = "jdbc:mysql://${var.database_url}?useUnicode=true&characterEncoding=utf8&useSSL=true&useLegacyDatetimeCode=false&serverTimezone=UTC"
68 | "QUARKUS_DATASOURCE_USERNAME" = var.database_username
69 | "QUARKUS_DATASOURCE_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_17: "Ensure the web app has 'Client Certificates (Incoming client certificates)' set"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/mysql-quarkus/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/mysql-quarkus/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-7.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "QUARKUS_HTTP_PORT" = 80
65 | "QUARKUS_PROFILE" = "prod"
66 |
67 | "QUARKUS_DATASOURCE_JDBC_URL" = "jdbc:mysql://${var.database_url}?useUnicode=true&characterEncoding=utf8&useSSL=true&useLegacyDatetimeCode=false&serverTimezone=UTC"
68 | "QUARKUS_DATASOURCE_USERNAME" = var.database_username
69 | "QUARKUS_DATASOURCE_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_66: "Ensure that App service enables failed request tracing"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/mysql-quarkus/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/mysql-quarkus/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-failed-request-tracing.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "QUARKUS_HTTP_PORT" = 80
65 | "QUARKUS_PROFILE" = "prod"
66 |
67 | "QUARKUS_DATASOURCE_JDBC_URL" = "jdbc:mysql://${var.database_url}?useUnicode=true&characterEncoding=utf8&useSSL=true&useLegacyDatetimeCode=false&serverTimezone=UTC"
68 | "QUARKUS_DATASOURCE_USERNAME" = var.database_username
69 | "QUARKUS_DATASOURCE_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_88: "Ensure that app services use Azure Files"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/mysql-quarkus/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/mysql-quarkus/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-app-services-use-azure-files.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "QUARKUS_HTTP_PORT" = 80
65 | "QUARKUS_PROFILE" = "prod"
66 |
67 | "QUARKUS_DATASOURCE_JDBC_URL" = "jdbc:mysql://${var.database_url}?useUnicode=true&characterEncoding=utf8&useSSL=true&useLegacyDatetimeCode=false&serverTimezone=UTC"
68 | "QUARKUS_DATASOURCE_USERNAME" = var.database_username
69 | "QUARKUS_DATASOURCE_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_222: "Ensure that Azure Web App public network access is disabled"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/mysql-quarkus/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/mysql-quarkus/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/azr-networking-63
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "QUARKUS_HTTP_PORT" = 80
65 | "QUARKUS_PROFILE" = "prod"
66 |
67 | "QUARKUS_DATASOURCE_JDBC_URL" = "jdbc:mysql://${var.database_url}?useUnicode=true&characterEncoding=utf8&useSSL=true&useLegacyDatetimeCode=false&serverTimezone=UTC"
68 | "QUARKUS_DATASOURCE_USERNAME" = var.database_username
69 | "QUARKUS_DATASOURCE_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_18: "Ensure that 'HTTP Version' is the latest if used to run the web app"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/mysql-quarkus/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/mysql-quarkus/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-8.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "QUARKUS_HTTP_PORT" = 80
65 | "QUARKUS_PROFILE" = "prod"
66 |
67 | "QUARKUS_DATASOURCE_JDBC_URL" = "jdbc:mysql://${var.database_url}?useUnicode=true&characterEncoding=utf8&useSSL=true&useLegacyDatetimeCode=false&serverTimezone=UTC"
68 | "QUARKUS_DATASOURCE_USERNAME" = var.database_username
69 | "QUARKUS_DATASOURCE_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_13: "Ensure App Service Authentication is set on Azure App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/mysql-quarkus/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/mysql-quarkus/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-2.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "QUARKUS_HTTP_PORT" = 80
65 | "QUARKUS_PROFILE" = "prod"
66 |
67 | "QUARKUS_DATASOURCE_JDBC_URL" = "jdbc:mysql://${var.database_url}?useUnicode=true&characterEncoding=utf8&useSSL=true&useLegacyDatetimeCode=false&serverTimezone=UTC"
68 | "QUARKUS_DATASOURCE_USERNAME" = var.database_username
69 | "QUARKUS_DATASOURCE_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_65: "Ensure that App service enables detailed error messages"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/mysql-quarkus/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/mysql-quarkus/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/tbdensure-that-app-service-enables-detailed-error-messages.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "QUARKUS_HTTP_PORT" = 80
65 | "QUARKUS_PROFILE" = "prod"
66 |
67 | "QUARKUS_DATASOURCE_JDBC_URL" = "jdbc:mysql://${var.database_url}?useUnicode=true&characterEncoding=utf8&useSSL=true&useLegacyDatetimeCode=false&serverTimezone=UTC"
68 | "QUARKUS_DATASOURCE_USERNAME" = var.database_username
69 | "QUARKUS_DATASOURCE_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_16: "Ensure that Register with Azure Active Directory is enabled on App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/mysql-quarkus/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/mysql-quarkus/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-iam-policies/bc-azr-iam-1.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "QUARKUS_HTTP_PORT" = 80
65 | "QUARKUS_PROFILE" = "prod"
66 |
67 | "QUARKUS_DATASOURCE_JDBC_URL" = "jdbc:mysql://${var.database_url}?useUnicode=true&characterEncoding=utf8&useSSL=true&useLegacyDatetimeCode=false&serverTimezone=UTC"
68 | "QUARKUS_DATASOURCE_USERNAME" = var.database_username
69 | "QUARKUS_DATASOURCE_PASSWORD" = var.database_password
70 | }
71 | }
Check: CKV_AZURE_94: "Ensure that My SQL server enables geo-redundant backups"
FAILED for resource: module.database.azurerm_mysql_flexible_server.database
File: /rest-server/src/test/resources/nubesgen/terraform/mysql-quarkus/terraform/modules/mysql/main.tf:22-39
Calling File: /rest-server/src/test/resources/nubesgen/terraform/mysql-quarkus/terraform/main.tf:53-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-my-sql-server-enables-geo-redundant-backups.html
22 | resource "azurerm_mysql_flexible_server" "database" {
23 | name = azurecaf_name.mysql_server.result
24 | resource_group_name = var.resource_group
25 | location = var.location
26 |
27 | administrator_login = var.administrator_login
28 | administrator_password = random_password.password.result
29 |
30 | sku_name = "B_Standard_B1ms"
31 | version = "8.0.21"
32 | backup_retention_days = 7
33 | geo_redundant_backup_enabled = false
34 |
35 | tags = {
36 | "environment" = var.environment
37 | "application-name" = var.application_name
38 | }
39 | }
Check: CKV_AZURE_211: "Ensure App Service plan suitable for production use"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/mysql/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/mysql/terraform/main.tf:41-51
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_225: "Ensure the App Service Plan is zone redundant"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/mysql/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/mysql/terraform/main.tf:41-51
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_212: "Ensure App Service has a minimum number of instances for failover"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/mysql/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/mysql/terraform/main.tf:41-51
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_213: "Ensure that App Service configures health check"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/mysql/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/mysql/terraform/main.tf:41-51
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:mysql://${var.database_url}?useUnicode=true&characterEncoding=utf8&useSSL=true&useLegacyDatetimeCode=false&serverTimezone=UTC"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_214: "Ensure App Service is set to be always on"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/mysql/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/mysql/terraform/main.tf:41-51
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:mysql://${var.database_url}?useUnicode=true&characterEncoding=utf8&useSSL=true&useLegacyDatetimeCode=false&serverTimezone=UTC"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_63: "Ensure that App service enables HTTP logging"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/mysql/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/mysql/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-http-logging.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:mysql://${var.database_url}?useUnicode=true&characterEncoding=utf8&useSSL=true&useLegacyDatetimeCode=false&serverTimezone=UTC"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_71: "Ensure that Managed identity provider is enabled for app services"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/mysql/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/mysql/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-managed-identity-provider-is-enabled-for-app-services.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:mysql://${var.database_url}?useUnicode=true&characterEncoding=utf8&useSSL=true&useLegacyDatetimeCode=false&serverTimezone=UTC"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_17: "Ensure the web app has 'Client Certificates (Incoming client certificates)' set"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/mysql/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/mysql/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-7.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:mysql://${var.database_url}?useUnicode=true&characterEncoding=utf8&useSSL=true&useLegacyDatetimeCode=false&serverTimezone=UTC"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_66: "Ensure that App service enables failed request tracing"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/mysql/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/mysql/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-failed-request-tracing.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:mysql://${var.database_url}?useUnicode=true&characterEncoding=utf8&useSSL=true&useLegacyDatetimeCode=false&serverTimezone=UTC"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_88: "Ensure that app services use Azure Files"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/mysql/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/mysql/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-app-services-use-azure-files.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:mysql://${var.database_url}?useUnicode=true&characterEncoding=utf8&useSSL=true&useLegacyDatetimeCode=false&serverTimezone=UTC"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_222: "Ensure that Azure Web App public network access is disabled"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/mysql/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/mysql/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/azr-networking-63
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:mysql://${var.database_url}?useUnicode=true&characterEncoding=utf8&useSSL=true&useLegacyDatetimeCode=false&serverTimezone=UTC"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_18: "Ensure that 'HTTP Version' is the latest if used to run the web app"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/mysql/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/mysql/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-8.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:mysql://${var.database_url}?useUnicode=true&characterEncoding=utf8&useSSL=true&useLegacyDatetimeCode=false&serverTimezone=UTC"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_13: "Ensure App Service Authentication is set on Azure App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/mysql/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/mysql/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-2.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:mysql://${var.database_url}?useUnicode=true&characterEncoding=utf8&useSSL=true&useLegacyDatetimeCode=false&serverTimezone=UTC"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_65: "Ensure that App service enables detailed error messages"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/mysql/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/mysql/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/tbdensure-that-app-service-enables-detailed-error-messages.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:mysql://${var.database_url}?useUnicode=true&characterEncoding=utf8&useSSL=true&useLegacyDatetimeCode=false&serverTimezone=UTC"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_16: "Ensure that Register with Azure Active Directory is enabled on App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/mysql/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/mysql/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-iam-policies/bc-azr-iam-1.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:mysql://${var.database_url}?useUnicode=true&characterEncoding=utf8&useSSL=true&useLegacyDatetimeCode=false&serverTimezone=UTC"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_94: "Ensure that My SQL server enables geo-redundant backups"
FAILED for resource: module.database.azurerm_mysql_flexible_server.database
File: /rest-server/src/test/resources/nubesgen/terraform/mysql/terraform/modules/mysql/main.tf:22-39
Calling File: /rest-server/src/test/resources/nubesgen/terraform/mysql/terraform/main.tf:53-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-my-sql-server-enables-geo-redundant-backups.html
22 | resource "azurerm_mysql_flexible_server" "database" {
23 | name = azurecaf_name.mysql_server.result
24 | resource_group_name = var.resource_group
25 | location = var.location
26 |
27 | administrator_login = var.administrator_login
28 | administrator_password = random_password.password.result
29 |
30 | sku_name = "B_Standard_B1ms"
31 | version = "8.0.21"
32 | backup_retention_days = 7
33 | geo_redundant_backup_enabled = false
34 |
35 | tags = {
36 | "environment" = var.environment
37 | "application-name" = var.application_name
38 | }
39 | }
Check: CKV_AZURE_211: "Ensure App Service plan suitable for production use"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/postgresql/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/postgresql/terraform/main.tf:41-51
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_225: "Ensure the App Service Plan is zone redundant"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/postgresql/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/postgresql/terraform/main.tf:41-51
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_212: "Ensure App Service has a minimum number of instances for failover"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/postgresql/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/postgresql/terraform/main.tf:41-51
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_213: "Ensure that App Service configures health check"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/postgresql/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/postgresql/terraform/main.tf:41-51
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:postgresql://${var.database_url}"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_214: "Ensure App Service is set to be always on"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/postgresql/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/postgresql/terraform/main.tf:41-51
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:postgresql://${var.database_url}"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_63: "Ensure that App service enables HTTP logging"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/postgresql/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/postgresql/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-http-logging.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:postgresql://${var.database_url}"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_71: "Ensure that Managed identity provider is enabled for app services"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/postgresql/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/postgresql/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-managed-identity-provider-is-enabled-for-app-services.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:postgresql://${var.database_url}"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_17: "Ensure the web app has 'Client Certificates (Incoming client certificates)' set"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/postgresql/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/postgresql/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-7.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:postgresql://${var.database_url}"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_66: "Ensure that App service enables failed request tracing"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/postgresql/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/postgresql/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-failed-request-tracing.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:postgresql://${var.database_url}"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_88: "Ensure that app services use Azure Files"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/postgresql/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/postgresql/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-app-services-use-azure-files.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:postgresql://${var.database_url}"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_222: "Ensure that Azure Web App public network access is disabled"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/postgresql/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/postgresql/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/azr-networking-63
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:postgresql://${var.database_url}"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_18: "Ensure that 'HTTP Version' is the latest if used to run the web app"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/postgresql/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/postgresql/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-8.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:postgresql://${var.database_url}"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_13: "Ensure App Service Authentication is set on Azure App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/postgresql/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/postgresql/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-2.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:postgresql://${var.database_url}"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_65: "Ensure that App service enables detailed error messages"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/postgresql/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/postgresql/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/tbdensure-that-app-service-enables-detailed-error-messages.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:postgresql://${var.database_url}"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_16: "Ensure that Register with Azure Active Directory is enabled on App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/postgresql/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/postgresql/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-iam-policies/bc-azr-iam-1.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:postgresql://${var.database_url}"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_136: "Ensure that PostgreSQL Flexible server enables geo-redundant backups"
FAILED for resource: module.database.azurerm_postgresql_flexible_server.database
File: /rest-server/src/test/resources/nubesgen/terraform/postgresql/terraform/modules/postgresql/main.tf:28-56
Calling File: /rest-server/src/test/resources/nubesgen/terraform/postgresql/terraform/main.tf:53-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-azure-postgresql-flexible-server-enables-geo-redundant-backups.html
28 | resource "azurerm_postgresql_flexible_server" "database" {
29 | name = azurecaf_name.postgresql_server.result
30 | resource_group_name = var.resource_group
31 | location = var.location
32 |
33 | administrator_login = var.administrator_login
34 | administrator_password = random_password.password.result
35 |
36 | sku_name = "B_Standard_B1ms"
37 | storage_mb = 32768
38 | backup_retention_days = 7
39 | version = "13"
40 | geo_redundant_backup_enabled = false
41 | dynamic "high_availability" {
42 | for_each = local.feature_flags.high_available_type
43 | content {
44 | mode = high_availability.value
45 | }
46 | }
47 |
48 | tags = {
49 | "environment" = var.environment
50 | "application-name" = var.application_name
51 | }
52 |
53 | lifecycle {
54 | ignore_changes = [ zone, high_availability.0.standby_availability_zone ]
55 | }
56 | }
Check: CKV_AZURE_211: "Ensure App Service plan suitable for production use"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/redis/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/redis/terraform/main.tf:41-50
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_225: "Ensure the App Service Plan is zone redundant"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/redis/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/redis/terraform/main.tf:41-50
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_212: "Ensure App Service has a minimum number of instances for failover"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/redis/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/redis/terraform/main.tf:41-50
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_213: "Ensure that App Service configures health check"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/redis/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/redis/terraform/main.tf:41-50
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_REDIS_HOST" = var.azure_redis_host
67 | "SPRING_REDIS_PASSWORD" = var.azure_redis_password
68 | "SPRING_REDIS_PORT" = "6380"
69 | "SPRING_REDIS_SSL" = "true"
70 | }
71 | }
Check: CKV_AZURE_214: "Ensure App Service is set to be always on"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/redis/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/redis/terraform/main.tf:41-50
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_REDIS_HOST" = var.azure_redis_host
67 | "SPRING_REDIS_PASSWORD" = var.azure_redis_password
68 | "SPRING_REDIS_PORT" = "6380"
69 | "SPRING_REDIS_SSL" = "true"
70 | }
71 | }
Check: CKV_AZURE_63: "Ensure that App service enables HTTP logging"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/redis/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/redis/terraform/main.tf:41-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-http-logging.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_REDIS_HOST" = var.azure_redis_host
67 | "SPRING_REDIS_PASSWORD" = var.azure_redis_password
68 | "SPRING_REDIS_PORT" = "6380"
69 | "SPRING_REDIS_SSL" = "true"
70 | }
71 | }
Check: CKV_AZURE_71: "Ensure that Managed identity provider is enabled for app services"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/redis/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/redis/terraform/main.tf:41-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-managed-identity-provider-is-enabled-for-app-services.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_REDIS_HOST" = var.azure_redis_host
67 | "SPRING_REDIS_PASSWORD" = var.azure_redis_password
68 | "SPRING_REDIS_PORT" = "6380"
69 | "SPRING_REDIS_SSL" = "true"
70 | }
71 | }
Check: CKV_AZURE_17: "Ensure the web app has 'Client Certificates (Incoming client certificates)' set"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/redis/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/redis/terraform/main.tf:41-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-7.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_REDIS_HOST" = var.azure_redis_host
67 | "SPRING_REDIS_PASSWORD" = var.azure_redis_password
68 | "SPRING_REDIS_PORT" = "6380"
69 | "SPRING_REDIS_SSL" = "true"
70 | }
71 | }
Check: CKV_AZURE_66: "Ensure that App service enables failed request tracing"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/redis/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/redis/terraform/main.tf:41-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-failed-request-tracing.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_REDIS_HOST" = var.azure_redis_host
67 | "SPRING_REDIS_PASSWORD" = var.azure_redis_password
68 | "SPRING_REDIS_PORT" = "6380"
69 | "SPRING_REDIS_SSL" = "true"
70 | }
71 | }
Check: CKV_AZURE_88: "Ensure that app services use Azure Files"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/redis/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/redis/terraform/main.tf:41-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-app-services-use-azure-files.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_REDIS_HOST" = var.azure_redis_host
67 | "SPRING_REDIS_PASSWORD" = var.azure_redis_password
68 | "SPRING_REDIS_PORT" = "6380"
69 | "SPRING_REDIS_SSL" = "true"
70 | }
71 | }
Check: CKV_AZURE_222: "Ensure that Azure Web App public network access is disabled"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/redis/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/redis/terraform/main.tf:41-50
Guide: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/azr-networking-63
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_REDIS_HOST" = var.azure_redis_host
67 | "SPRING_REDIS_PASSWORD" = var.azure_redis_password
68 | "SPRING_REDIS_PORT" = "6380"
69 | "SPRING_REDIS_SSL" = "true"
70 | }
71 | }
Check: CKV_AZURE_18: "Ensure that 'HTTP Version' is the latest if used to run the web app"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/redis/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/redis/terraform/main.tf:41-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-8.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_REDIS_HOST" = var.azure_redis_host
67 | "SPRING_REDIS_PASSWORD" = var.azure_redis_password
68 | "SPRING_REDIS_PORT" = "6380"
69 | "SPRING_REDIS_SSL" = "true"
70 | }
71 | }
Check: CKV_AZURE_13: "Ensure App Service Authentication is set on Azure App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/redis/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/redis/terraform/main.tf:41-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-2.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_REDIS_HOST" = var.azure_redis_host
67 | "SPRING_REDIS_PASSWORD" = var.azure_redis_password
68 | "SPRING_REDIS_PORT" = "6380"
69 | "SPRING_REDIS_SSL" = "true"
70 | }
71 | }
Check: CKV_AZURE_65: "Ensure that App service enables detailed error messages"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/redis/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/redis/terraform/main.tf:41-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/tbdensure-that-app-service-enables-detailed-error-messages.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_REDIS_HOST" = var.azure_redis_host
67 | "SPRING_REDIS_PASSWORD" = var.azure_redis_password
68 | "SPRING_REDIS_PORT" = "6380"
69 | "SPRING_REDIS_SSL" = "true"
70 | }
71 | }
Check: CKV_AZURE_16: "Ensure that Register with Azure Active Directory is enabled on App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/redis/terraform/modules/app-service/main.tf:38-71
Calling File: /rest-server/src/test/resources/nubesgen/terraform/redis/terraform/main.tf:41-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-iam-policies/bc-azr-iam-1.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_REDIS_HOST" = var.azure_redis_host
67 | "SPRING_REDIS_PASSWORD" = var.azure_redis_password
68 | "SPRING_REDIS_PORT" = "6380"
69 | "SPRING_REDIS_SSL" = "true"
70 | }
71 | }
Check: CKV_AZURE_89: "Ensure that Azure Cache for Redis disables public network access"
FAILED for resource: module.redis.azurerm_redis_cache.redis
File: /rest-server/src/test/resources/nubesgen/terraform/redis/terraform/modules/redis/main.tf:16-33
Calling File: /rest-server/src/test/resources/nubesgen/terraform/redis/terraform/main.tf:52-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-azure-cache-for-redis-disables-public-network-access.html
16 | resource "azurerm_redis_cache" "redis" {
17 | name = azurecaf_name.redis_cache.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | capacity = 0
21 | family = "C"
22 | sku_name = "Standard"
23 | enable_non_ssl_port = false
24 | minimum_tls_version = "1.2"
25 |
26 | tags = {
27 | "environment" = var.environment
28 | "application-name" = var.application_name
29 | }
30 |
31 | redis_configuration {
32 | }
33 | }
Check: CKV_AZURE_211: "Ensure App Service plan suitable for production use"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/main.tf:41-51
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_225: "Ensure the App Service Plan is zone redundant"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/main.tf:41-51
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_212: "Ensure App Service has a minimum number of instances for failover"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/main.tf:41-51
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_213: "Ensure that App Service configures health check"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/main.tf:41-51
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:sqlserver://${var.database_url}"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_214: "Ensure App Service is set to be always on"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/main.tf:41-51
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:sqlserver://${var.database_url}"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_63: "Ensure that App service enables HTTP logging"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-http-logging.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:sqlserver://${var.database_url}"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_71: "Ensure that Managed identity provider is enabled for app services"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-managed-identity-provider-is-enabled-for-app-services.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:sqlserver://${var.database_url}"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_17: "Ensure the web app has 'Client Certificates (Incoming client certificates)' set"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-7.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:sqlserver://${var.database_url}"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_66: "Ensure that App service enables failed request tracing"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-failed-request-tracing.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:sqlserver://${var.database_url}"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_88: "Ensure that app services use Azure Files"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-app-services-use-azure-files.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:sqlserver://${var.database_url}"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_222: "Ensure that Azure Web App public network access is disabled"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/azr-networking-63
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:sqlserver://${var.database_url}"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_18: "Ensure that 'HTTP Version' is the latest if used to run the web app"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-8.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:sqlserver://${var.database_url}"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_13: "Ensure App Service Authentication is set on Azure App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-2.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:sqlserver://${var.database_url}"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_65: "Ensure that App service enables detailed error messages"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/tbdensure-that-app-service-enables-detailed-error-messages.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:sqlserver://${var.database_url}"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_16: "Ensure that Register with Azure Active Directory is enabled on App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-iam-policies/bc-azr-iam-1.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "SPRING_DATASOURCE_URL" = "jdbc:sqlserver://${var.database_url}"
67 | "SPRING_DATASOURCE_USERNAME" = var.database_username
68 | "SPRING_DATASOURCE_PASSWORD" = var.database_password
69 | }
70 | }
Check: CKV_AZURE_113: "Ensure that SQL server disables public network access"
FAILED for resource: module.database.azurerm_mssql_server.database
File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/modules/sql-server/main.tf:22-35
Calling File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/main.tf:53-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-sql-server-disables-public-network-access.html
22 | resource "azurerm_mssql_server" "database" {
23 | name = azurecaf_name.mssql_server.result
24 | resource_group_name = var.resource_group
25 | location = var.location
26 | version = "12.0"
27 |
28 | administrator_login = var.administrator_login
29 | administrator_login_password = random_password.password.result
30 |
31 | tags = {
32 | "environment" = var.environment
33 | "application-name" = var.application_name
34 | }
35 | }
Check: CKV_AZURE_52: "Ensure MSSQL is using the latest version of TLS encryption"
FAILED for resource: module.database.azurerm_mssql_server.database
File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/modules/sql-server/main.tf:22-35
Calling File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/main.tf:53-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-mssql-is-using-the-latest-version-of-tls-encryption.html
22 | resource "azurerm_mssql_server" "database" {
23 | name = azurecaf_name.mssql_server.result
24 | resource_group_name = var.resource_group
25 | location = var.location
26 | version = "12.0"
27 |
28 | administrator_login = var.administrator_login
29 | administrator_login_password = random_password.password.result
30 |
31 | tags = {
32 | "environment" = var.environment
33 | "application-name" = var.application_name
34 | }
35 | }
Check: CKV_AZURE_224: "Ensure that the Ledger feature is enabled on database that requires cryptographic proof and nonrepudiation of data integrity"
FAILED for resource: module.database.azurerm_mssql_database.database
File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/modules/sql-server/main.tf:43-51
Calling File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/main.tf:53-59
43 | resource "azurerm_mssql_database" "database" {
44 | name = azurecaf_name.mssql_database.result
45 | server_id = azurerm_mssql_server.database.id
46 | collation = "SQL_Latin1_General_CP1_CI_AS"
47 |
48 | sku_name = "GP_S_Gen5_1"
49 | min_capacity = 0.5
50 | auto_pause_delay_in_minutes = 60
51 | }
Check: CKV_AZURE_211: "Ensure App Service plan suitable for production use"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/main.tf:41-51
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_225: "Ensure the App Service Plan is zone redundant"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/main.tf:41-51
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_212: "Ensure App Service has a minimum number of instances for failover"
FAILED for resource: module.application.azurerm_service_plan.application
File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/modules/app-service/main.tf:17-29
Calling File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/main.tf:41-51
17 | resource "azurerm_service_plan" "application" {
18 | name = azurecaf_name.app_service_plan.result
19 | resource_group_name = var.resource_group
20 | location = var.location
21 |
22 | sku_name = "F1"
23 | os_type = "Linux"
24 |
25 | tags = {
26 | "environment" = var.environment
27 | "application-name" = var.application_name
28 | }
29 | }
Check: CKV_AZURE_213: "Ensure that App Service configures health check"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/main.tf:41-51
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "AZURE_STORAGE_ACCOUNT_NAME" = var.azure_storage_account_name
67 | "AZURE_STORAGE_BLOB_ENDPOINT" = var.azure_storage_blob_endpoint
68 | "AZURE_STORAGE_ACCOUNT_KEY" = var.azure_storage_account_key
69 | }
70 | }
Check: CKV_AZURE_214: "Ensure App Service is set to be always on"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/main.tf:41-51
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "AZURE_STORAGE_ACCOUNT_NAME" = var.azure_storage_account_name
67 | "AZURE_STORAGE_BLOB_ENDPOINT" = var.azure_storage_blob_endpoint
68 | "AZURE_STORAGE_ACCOUNT_KEY" = var.azure_storage_account_key
69 | }
70 | }
Check: CKV_AZURE_63: "Ensure that App service enables HTTP logging"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-http-logging.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "AZURE_STORAGE_ACCOUNT_NAME" = var.azure_storage_account_name
67 | "AZURE_STORAGE_BLOB_ENDPOINT" = var.azure_storage_blob_endpoint
68 | "AZURE_STORAGE_ACCOUNT_KEY" = var.azure_storage_account_key
69 | }
70 | }
Check: CKV_AZURE_71: "Ensure that Managed identity provider is enabled for app services"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-managed-identity-provider-is-enabled-for-app-services.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "AZURE_STORAGE_ACCOUNT_NAME" = var.azure_storage_account_name
67 | "AZURE_STORAGE_BLOB_ENDPOINT" = var.azure_storage_blob_endpoint
68 | "AZURE_STORAGE_ACCOUNT_KEY" = var.azure_storage_account_key
69 | }
70 | }
Check: CKV_AZURE_17: "Ensure the web app has 'Client Certificates (Incoming client certificates)' set"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-7.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "AZURE_STORAGE_ACCOUNT_NAME" = var.azure_storage_account_name
67 | "AZURE_STORAGE_BLOB_ENDPOINT" = var.azure_storage_blob_endpoint
68 | "AZURE_STORAGE_ACCOUNT_KEY" = var.azure_storage_account_key
69 | }
70 | }
Check: CKV_AZURE_66: "Ensure that App service enables failed request tracing"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-failed-request-tracing.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "AZURE_STORAGE_ACCOUNT_NAME" = var.azure_storage_account_name
67 | "AZURE_STORAGE_BLOB_ENDPOINT" = var.azure_storage_blob_endpoint
68 | "AZURE_STORAGE_ACCOUNT_KEY" = var.azure_storage_account_key
69 | }
70 | }
Check: CKV_AZURE_88: "Ensure that app services use Azure Files"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-app-services-use-azure-files.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "AZURE_STORAGE_ACCOUNT_NAME" = var.azure_storage_account_name
67 | "AZURE_STORAGE_BLOB_ENDPOINT" = var.azure_storage_blob_endpoint
68 | "AZURE_STORAGE_ACCOUNT_KEY" = var.azure_storage_account_key
69 | }
70 | }
Check: CKV_AZURE_222: "Ensure that Azure Web App public network access is disabled"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/azr-networking-63
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "AZURE_STORAGE_ACCOUNT_NAME" = var.azure_storage_account_name
67 | "AZURE_STORAGE_BLOB_ENDPOINT" = var.azure_storage_blob_endpoint
68 | "AZURE_STORAGE_ACCOUNT_KEY" = var.azure_storage_account_key
69 | }
70 | }
Check: CKV_AZURE_18: "Ensure that 'HTTP Version' is the latest if used to run the web app"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-8.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "AZURE_STORAGE_ACCOUNT_NAME" = var.azure_storage_account_name
67 | "AZURE_STORAGE_BLOB_ENDPOINT" = var.azure_storage_blob_endpoint
68 | "AZURE_STORAGE_ACCOUNT_KEY" = var.azure_storage_account_key
69 | }
70 | }
Check: CKV_AZURE_13: "Ensure App Service Authentication is set on Azure App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-2.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "AZURE_STORAGE_ACCOUNT_NAME" = var.azure_storage_account_name
67 | "AZURE_STORAGE_BLOB_ENDPOINT" = var.azure_storage_blob_endpoint
68 | "AZURE_STORAGE_ACCOUNT_KEY" = var.azure_storage_account_key
69 | }
70 | }
Check: CKV_AZURE_65: "Ensure that App service enables detailed error messages"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/tbdensure-that-app-service-enables-detailed-error-messages.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "AZURE_STORAGE_ACCOUNT_NAME" = var.azure_storage_account_name
67 | "AZURE_STORAGE_BLOB_ENDPOINT" = var.azure_storage_blob_endpoint
68 | "AZURE_STORAGE_ACCOUNT_KEY" = var.azure_storage_account_key
69 | }
70 | }
Check: CKV_AZURE_16: "Ensure that Register with Azure Active Directory is enabled on App Service"
FAILED for resource: module.application.azurerm_linux_web_app.application
File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/modules/app-service/main.tf:38-70
Calling File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-iam-policies/bc-azr-iam-1.html
38 | resource "azurerm_linux_web_app" "application" {
39 | name = azurecaf_name.app_service.result
40 | resource_group_name = var.resource_group
41 | location = var.location
42 | service_plan_id = azurerm_service_plan.application.id
43 | https_only = true
44 |
45 | tags = {
46 | "environment" = var.environment
47 | "application-name" = var.application_name
48 | }
49 |
50 | site_config {
51 | application_stack {
52 | java_server = "JAVA"
53 | java_server_version = "17"
54 | java_version = "17"
55 | }
56 | always_on = false
57 | ftps_state = "FtpsOnly"
58 | }
59 |
60 | app_settings = {
61 | "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
62 |
63 | # These are app specific environment variables
64 | "SPRING_PROFILES_ACTIVE" = "prod,azure"
65 |
66 | "AZURE_STORAGE_ACCOUNT_NAME" = var.azure_storage_account_name
67 | "AZURE_STORAGE_BLOB_ENDPOINT" = var.azure_storage_blob_endpoint
68 | "AZURE_STORAGE_ACCOUNT_KEY" = var.azure_storage_account_key
69 | }
70 | }
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/modules/storage-blob/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/main.tf:53-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/modules/storage-blob/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/main.tf:53-59
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/modules/storage-blob/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/main.tf:53-59
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/modules/storage-blob/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/main.tf:53-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/modules/storage-blob/main.tf:16-27
Calling File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/main.tf:53-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_164: "Ensures that ACR uses signed/trusted images"
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /terraform/modules/container-apps/main.tf:16-27
Calling File: /terraform/main.tf:45-58
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_166: "Ensure container image quarantine, scan, and mark images verified"
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /terraform/modules/container-apps/main.tf:16-27
Calling File: /terraform/main.tf:45-58
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_139: "Ensure ACR set to disable public networking"
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /terraform/modules/container-apps/main.tf:16-27
Calling File: /terraform/main.tf:45-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-azure-acr-is-set-to-disable-public-networking.html
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_165: "Ensure geo-replicated container registries to match multi-region container deployments."
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /terraform/modules/container-apps/main.tf:16-27
Calling File: /terraform/main.tf:45-58
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_137: "Ensure ACR admin account is disabled"
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /terraform/modules/container-apps/main.tf:16-27
Calling File: /terraform/main.tf:45-58
Guide: https://docs.bridgecrew.io/docs/ensure-azure-acr-admin-account-is-disabled
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_163: "Enable vulnerability scanning for container images."
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /terraform/modules/container-apps/main.tf:16-27
Calling File: /terraform/main.tf:45-58
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_167: "Ensure a retention policy is set to cleanup untagged manifests."
FAILED for resource: module.application.azurerm_container_registry.container-registry
File: /terraform/modules/container-apps/main.tf:16-27
Calling File: /terraform/main.tf:45-58
16 | resource "azurerm_container_registry" "container-registry" {
17 | name = azurecaf_name.container_registry.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | admin_enabled = true
21 | sku = "Basic"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /terraform/modules/storage-blob/main.tf:16-27
Calling File: /terraform/main.tf:60-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /terraform/modules/storage-blob/main.tf:16-27
Calling File: /terraform/main.tf:60-66
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /terraform/modules/storage-blob/main.tf:16-27
Calling File: /terraform/main.tf:60-66
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /terraform/modules/storage-blob/main.tf:16-27
Calling File: /terraform/main.tf:60-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /terraform/modules/storage-blob/main.tf:16-27
Calling File: /terraform/main.tf:60-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/storage-blob/main.tf:16-27
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/modules/storage-blob/main.tf:16-27
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/modules/storage-blob/main.tf:16-27
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: module.application.azurerm_storage_account.application
File: /rest-server/src/test/resources/nubesgen/terraform/function-maven-gitops/terraform/modules/function/main.tf:37-50
37 | resource "azurerm_storage_account" "application" {
38 | name = azurecaf_name.storage_account.result
39 | resource_group_name = var.resource_group
40 | location = var.location
41 | account_tier = "Standard"
42 | account_replication_type = "LRS"
43 | enable_https_traffic_only = true
44 | allow_nested_items_to_be_public = false
45 |
46 | tags = {
47 | "environment" = var.environment
48 | "application-name" = var.application_name
49 | }
50 | }
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: module.application.azurerm_storage_account.application
File: /rest-server/src/test/resources/nubesgen/terraform/function-mysql/terraform/modules/function/main.tf:37-50
37 | resource "azurerm_storage_account" "application" {
38 | name = azurecaf_name.storage_account.result
39 | resource_group_name = var.resource_group
40 | location = var.location
41 | account_tier = "Standard"
42 | account_replication_type = "LRS"
43 | enable_https_traffic_only = true
44 | allow_nested_items_to_be_public = false
45 |
46 | tags = {
47 | "environment" = var.environment
48 | "application-name" = var.application_name
49 | }
50 | }
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: module.application.azurerm_storage_account.application
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/function/main.tf:37-50
37 | resource "azurerm_storage_account" "application" {
38 | name = azurecaf_name.storage_account.result
39 | resource_group_name = var.resource_group
40 | location = var.location
41 | account_tier = "Standard"
42 | account_replication_type = "LRS"
43 | enable_https_traffic_only = true
44 | allow_nested_items_to_be_public = false
45 |
46 | tags = {
47 | "environment" = var.environment
48 | "application-name" = var.application_name
49 | }
50 | }
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/storage-blob/main.tf:16-27
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/modules/storage-blob/main.tf:16-27
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /terraform/modules/storage-blob/main.tf:16-27
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV2_AZURE_21: "Ensure Storage logging is enabled for Blob service for read requests"
FAILED for resource: module.storage-blob.azurerm_storage_container.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/storage-blob/main.tf:43-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-blob-service-for-read-requests.html
43 | resource "azurerm_storage_container" "storage-blob" {
44 | name = azurecaf_name.storage_container.result
45 | storage_account_name = azurerm_storage_account.storage-blob.name
46 | container_access_type = "private"
47 | }
Check: CKV2_AZURE_21: "Ensure Storage logging is enabled for Blob service for read requests"
FAILED for resource: module.storage-blob.azurerm_storage_container.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/modules/storage-blob/main.tf:35-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-blob-service-for-read-requests.html
35 | resource "azurerm_storage_container" "storage-blob" {
36 | name = azurecaf_name.storage_container.result
37 | storage_account_name = azurerm_storage_account.storage-blob.name
38 | container_access_type = "private"
39 | }
Check: CKV2_AZURE_21: "Ensure Storage logging is enabled for Blob service for read requests"
FAILED for resource: module.storage-blob.azurerm_storage_container.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/modules/storage-blob/main.tf:43-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-blob-service-for-read-requests.html
43 | resource "azurerm_storage_container" "storage-blob" {
44 | name = azurecaf_name.storage_container.result
45 | storage_account_name = azurerm_storage_account.storage-blob.name
46 | container_access_type = "private"
47 | }
Check: CKV2_AZURE_21: "Ensure Storage logging is enabled for Blob service for read requests"
FAILED for resource: module.storage-blob.azurerm_storage_container.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/storage-blob/main.tf:43-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-blob-service-for-read-requests.html
43 | resource "azurerm_storage_container" "storage-blob" {
44 | name = azurecaf_name.storage_container.result
45 | storage_account_name = azurerm_storage_account.storage-blob.name
46 | container_access_type = "private"
47 | }
Check: CKV2_AZURE_21: "Ensure Storage logging is enabled for Blob service for read requests"
FAILED for resource: module.storage-blob.azurerm_storage_container.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/modules/storage-blob/main.tf:35-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-blob-service-for-read-requests.html
35 | resource "azurerm_storage_container" "storage-blob" {
36 | name = azurecaf_name.storage_container.result
37 | storage_account_name = azurerm_storage_account.storage-blob.name
38 | container_access_type = "private"
39 | }
Check: CKV2_AZURE_21: "Ensure Storage logging is enabled for Blob service for read requests"
FAILED for resource: module.storage-blob.azurerm_storage_container.storage-blob
File: /terraform/modules/storage-blob/main.tf:35-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-blob-service-for-read-requests.html
35 | resource "azurerm_storage_container" "storage-blob" {
36 | name = azurecaf_name.storage_container.result
37 | storage_account_name = azurerm_storage_account.storage-blob.name
38 | container_access_type = "private"
39 | }
Check: CKV2_AZURE_23: "Ensure Azure spring cloud is configured with Virtual network (Vnet)"
FAILED for resource: module.application.azurerm_spring_cloud_service.application
File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/modules/spring-apps/main.tf:10-23
10 | resource "azurerm_spring_cloud_service" "application" {
11 | name = local.spring_apps_service_name
12 | resource_group_name = var.resource_group
13 | location = var.location
14 | sku_name = "B0"
15 |
16 | tags = {
17 | "environment" = var.environment
18 | "application-name" = var.application_name
19 | }
20 | trace {
21 | connection_string = var.azure_application_insights_connection_string
22 | }
23 | }
Check: CKV2_AZURE_23: "Ensure Azure spring cloud is configured with Virtual network (Vnet)"
FAILED for resource: module.application.azurerm_spring_cloud_service.application
File: /rest-server/src/test/resources/nubesgen/terraform/asa-insights-java/terraform/modules/spring-apps/main.tf:8-21
8 | resource "azurerm_spring_cloud_service" "application" {
9 | name = local.spring_apps_service_name
10 | resource_group_name = var.resource_group
11 | location = var.location
12 | sku_name = "B0"
13 |
14 | tags = {
15 | "environment" = var.environment
16 | "application-name" = var.application_name
17 | }
18 | trace {
19 | connection_string = var.azure_application_insights_connection_string
20 | }
21 | }
Check: CKV2_AZURE_23: "Ensure Azure spring cloud is configured with Virtual network (Vnet)"
FAILED for resource: module.application.azurerm_spring_cloud_service.application
File: /rest-server/src/test/resources/nubesgen/terraform/asa-mysql-java/terraform/modules/spring-apps/main.tf:8-18
8 | resource "azurerm_spring_cloud_service" "application" {
9 | name = local.spring_apps_service_name
10 | resource_group_name = var.resource_group
11 | location = var.location
12 | sku_name = "B0"
13 |
14 | tags = {
15 | "environment" = var.environment
16 | "application-name" = var.application_name
17 | }
18 | }
Check: CKV2_AZURE_23: "Ensure Azure spring cloud is configured with Virtual network (Vnet)"
FAILED for resource: module.application.azurerm_spring_cloud_service.application
File: /rest-server/src/test/resources/nubesgen/terraform/asa-public-java/terraform/modules/spring-apps/main.tf:8-18
8 | resource "azurerm_spring_cloud_service" "application" {
9 | name = local.spring_apps_service_name
10 | resource_group_name = var.resource_group
11 | location = var.location
12 | sku_name = "B0"
13 |
14 | tags = {
15 | "environment" = var.environment
16 | "application-name" = var.application_name
17 | }
18 | }
Check: CKV2_AZURE_23: "Ensure Azure spring cloud is configured with Virtual network (Vnet)"
FAILED for resource: module.application.azurerm_spring_cloud_service.application
File: /rest-server/src/test/resources/nubesgen/terraform/asa-sqlserver-java/terraform/modules/spring-apps/main.tf:8-18
8 | resource "azurerm_spring_cloud_service" "application" {
9 | name = local.spring_apps_service_name
10 | resource_group_name = var.resource_group
11 | location = var.location
12 | sku_name = "B0"
13 |
14 | tags = {
15 | "environment" = var.environment
16 | "application-name" = var.application_name
17 | }
18 | }
Check: CKV2_AZURE_27: "Ensure Azure AD authentication is enabled for Azure SQL (MSSQL)"
FAILED for resource: module.database.azurerm_mssql_server.database
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/modules/sql-server/main.tf:22-35
Guide: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/azr-general-85
22 | resource "azurerm_mssql_server" "database" {
23 | name = azurecaf_name.mssql_server.result
24 | resource_group_name = var.resource_group
25 | location = var.location
26 | version = "12.0"
27 |
28 | administrator_login = var.administrator_login
29 | administrator_login_password = random_password.password.result
30 |
31 | tags = {
32 | "environment" = var.environment
33 | "application-name" = var.application_name
34 | }
35 | }
Check: CKV2_AZURE_27: "Ensure Azure AD authentication is enabled for Azure SQL (MSSQL)"
FAILED for resource: module.database.azurerm_mssql_server.database
File: /rest-server/src/test/resources/nubesgen/terraform/asa-sqlserver-java/terraform/modules/sql-server/main.tf:22-35
Guide: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/azr-general-85
22 | resource "azurerm_mssql_server" "database" {
23 | name = azurecaf_name.mssql_server.result
24 | resource_group_name = var.resource_group
25 | location = var.location
26 | version = "12.0"
27 |
28 | administrator_login = var.administrator_login
29 | administrator_login_password = random_password.password.result
30 |
31 | tags = {
32 | "environment" = var.environment
33 | "application-name" = var.application_name
34 | }
35 | }
Check: CKV2_AZURE_27: "Ensure Azure AD authentication is enabled for Azure SQL (MSSQL)"
FAILED for resource: module.database.azurerm_mssql_server.database
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-mssql-java/terraform/modules/sql-server/main.tf:22-35
Guide: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/azr-general-85
22 | resource "azurerm_mssql_server" "database" {
23 | name = azurecaf_name.mssql_server.result
24 | resource_group_name = var.resource_group
25 | location = var.location
26 | version = "12.0"
27 |
28 | administrator_login = var.administrator_login
29 | administrator_login_password = random_password.password.result
30 |
31 | tags = {
32 | "environment" = var.environment
33 | "application-name" = var.application_name
34 | }
35 | }
Check: CKV2_AZURE_27: "Ensure Azure AD authentication is enabled for Azure SQL (MSSQL)"
FAILED for resource: module.database.azurerm_mssql_server.database
File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/modules/sql-server/main.tf:22-35
Guide: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/azr-general-85
22 | resource "azurerm_mssql_server" "database" {
23 | name = azurecaf_name.mssql_server.result
24 | resource_group_name = var.resource_group
25 | location = var.location
26 | version = "12.0"
27 |
28 | administrator_login = var.administrator_login
29 | administrator_login_password = random_password.password.result
30 |
31 | tags = {
32 | "environment" = var.environment
33 | "application-name" = var.application_name
34 | }
35 | }
Check: CKV_AZURE_24: "Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers"
FAILED for resource: module.database.azurerm_mssql_server.database
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/modules/sql-server/main.tf:22-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/bc-azr-logging-3.html
22 | resource "azurerm_mssql_server" "database" {
23 | name = azurecaf_name.mssql_server.result
24 | resource_group_name = var.resource_group
25 | location = var.location
26 | version = "12.0"
27 |
28 | administrator_login = var.administrator_login
29 | administrator_login_password = random_password.password.result
30 |
31 | tags = {
32 | "environment" = var.environment
33 | "application-name" = var.application_name
34 | }
35 | }
Check: CKV_AZURE_24: "Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers"
FAILED for resource: module.database.azurerm_mssql_server.database
File: /rest-server/src/test/resources/nubesgen/terraform/asa-sqlserver-java/terraform/modules/sql-server/main.tf:22-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/bc-azr-logging-3.html
22 | resource "azurerm_mssql_server" "database" {
23 | name = azurecaf_name.mssql_server.result
24 | resource_group_name = var.resource_group
25 | location = var.location
26 | version = "12.0"
27 |
28 | administrator_login = var.administrator_login
29 | administrator_login_password = random_password.password.result
30 |
31 | tags = {
32 | "environment" = var.environment
33 | "application-name" = var.application_name
34 | }
35 | }
Check: CKV_AZURE_24: "Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers"
FAILED for resource: module.database.azurerm_mssql_server.database
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-mssql-java/terraform/modules/sql-server/main.tf:22-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/bc-azr-logging-3.html
22 | resource "azurerm_mssql_server" "database" {
23 | name = azurecaf_name.mssql_server.result
24 | resource_group_name = var.resource_group
25 | location = var.location
26 | version = "12.0"
27 |
28 | administrator_login = var.administrator_login
29 | administrator_login_password = random_password.password.result
30 |
31 | tags = {
32 | "environment" = var.environment
33 | "application-name" = var.application_name
34 | }
35 | }
Check: CKV_AZURE_24: "Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers"
FAILED for resource: module.database.azurerm_mssql_server.database
File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/modules/sql-server/main.tf:22-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/bc-azr-logging-3.html
22 | resource "azurerm_mssql_server" "database" {
23 | name = azurecaf_name.mssql_server.result
24 | resource_group_name = var.resource_group
25 | location = var.location
26 | version = "12.0"
27 |
28 | administrator_login = var.administrator_login
29 | administrator_login_password = random_password.password.result
30 |
31 | tags = {
32 | "environment" = var.environment
33 | "application-name" = var.application_name
34 | }
35 | }
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/storage-blob/main.tf:16-27
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/modules/storage-blob/main.tf:16-27
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/modules/storage-blob/main.tf:16-27
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: module.application.azurerm_storage_account.application
File: /rest-server/src/test/resources/nubesgen/terraform/function-maven-gitops/terraform/modules/function/main.tf:37-50
37 | resource "azurerm_storage_account" "application" {
38 | name = azurecaf_name.storage_account.result
39 | resource_group_name = var.resource_group
40 | location = var.location
41 | account_tier = "Standard"
42 | account_replication_type = "LRS"
43 | enable_https_traffic_only = true
44 | allow_nested_items_to_be_public = false
45 |
46 | tags = {
47 | "environment" = var.environment
48 | "application-name" = var.application_name
49 | }
50 | }
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: module.application.azurerm_storage_account.application
File: /rest-server/src/test/resources/nubesgen/terraform/function-mysql/terraform/modules/function/main.tf:37-50
37 | resource "azurerm_storage_account" "application" {
38 | name = azurecaf_name.storage_account.result
39 | resource_group_name = var.resource_group
40 | location = var.location
41 | account_tier = "Standard"
42 | account_replication_type = "LRS"
43 | enable_https_traffic_only = true
44 | allow_nested_items_to_be_public = false
45 |
46 | tags = {
47 | "environment" = var.environment
48 | "application-name" = var.application_name
49 | }
50 | }
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: module.application.azurerm_storage_account.application
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/function/main.tf:37-50
37 | resource "azurerm_storage_account" "application" {
38 | name = azurecaf_name.storage_account.result
39 | resource_group_name = var.resource_group
40 | location = var.location
41 | account_tier = "Standard"
42 | account_replication_type = "LRS"
43 | enable_https_traffic_only = true
44 | allow_nested_items_to_be_public = false
45 |
46 | tags = {
47 | "environment" = var.environment
48 | "application-name" = var.application_name
49 | }
50 | }
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/storage-blob/main.tf:16-27
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/modules/storage-blob/main.tf:16-27
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /terraform/modules/storage-blob/main.tf:16-27
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV2_AZURE_26: "Ensure Azure PostgreSQL Flexible server is not configured with overly permissive network access"
FAILED for resource: module.database.azurerm_postgresql_flexible_server_firewall_rule.database
File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/modules/postgresql/main.tf:78-83
78 | resource "azurerm_postgresql_flexible_server_firewall_rule" "database" {
79 | name = azurecaf_name.postgresql_firewall_rule.result
80 | server_id = azurerm_postgresql_flexible_server.database.id
81 | start_ip_address = "0.0.0.0"
82 | end_ip_address = "0.0.0.0"
83 | }
Check: CKV2_AZURE_26: "Ensure Azure PostgreSQL Flexible server is not configured with overly permissive network access"
FAILED for resource: module.database.azurerm_postgresql_flexible_server_firewall_rule.database
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/terraform/modules/postgresql/main.tf:78-83
78 | resource "azurerm_postgresql_flexible_server_firewall_rule" "database" {
79 | name = azurecaf_name.postgresql_firewall_rule.result
80 | server_id = azurerm_postgresql_flexible_server.database.id
81 | start_ip_address = "0.0.0.0"
82 | end_ip_address = "0.0.0.0"
83 | }
Check: CKV2_AZURE_26: "Ensure Azure PostgreSQL Flexible server is not configured with overly permissive network access"
FAILED for resource: module.database.azurerm_postgresql_flexible_server_firewall_rule.database
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/terraform/modules/postgresql/main.tf:78-83
78 | resource "azurerm_postgresql_flexible_server_firewall_rule" "database" {
79 | name = azurecaf_name.postgresql_firewall_rule.result
80 | server_id = azurerm_postgresql_flexible_server.database.id
81 | start_ip_address = "0.0.0.0"
82 | end_ip_address = "0.0.0.0"
83 | }
Check: CKV2_AZURE_26: "Ensure Azure PostgreSQL Flexible server is not configured with overly permissive network access"
FAILED for resource: module.database.azurerm_postgresql_flexible_server_firewall_rule.database
File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/modules/postgresql/main.tf:78-83
78 | resource "azurerm_postgresql_flexible_server_firewall_rule" "database" {
79 | name = azurecaf_name.postgresql_firewall_rule.result
80 | server_id = azurerm_postgresql_flexible_server.database.id
81 | start_ip_address = "0.0.0.0"
82 | end_ip_address = "0.0.0.0"
83 | }
Check: CKV2_AZURE_26: "Ensure Azure PostgreSQL Flexible server is not configured with overly permissive network access"
FAILED for resource: module.database.azurerm_postgresql_flexible_server_firewall_rule.database
File: /rest-server/src/test/resources/nubesgen/terraform/postgresql/terraform/modules/postgresql/main.tf:78-83
78 | resource "azurerm_postgresql_flexible_server_firewall_rule" "database" {
79 | name = azurecaf_name.postgresql_firewall_rule.result
80 | server_id = azurerm_postgresql_flexible_server.database.id
81 | start_ip_address = "0.0.0.0"
82 | end_ip_address = "0.0.0.0"
83 | }
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/storage-blob/main.tf:16-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/modules/storage-blob/main.tf:16-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/modules/storage-blob/main.tf:16-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: module.application.azurerm_storage_account.application
File: /rest-server/src/test/resources/nubesgen/terraform/function-maven-gitops/terraform/modules/function/main.tf:37-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
37 | resource "azurerm_storage_account" "application" {
38 | name = azurecaf_name.storage_account.result
39 | resource_group_name = var.resource_group
40 | location = var.location
41 | account_tier = "Standard"
42 | account_replication_type = "LRS"
43 | enable_https_traffic_only = true
44 | allow_nested_items_to_be_public = false
45 |
46 | tags = {
47 | "environment" = var.environment
48 | "application-name" = var.application_name
49 | }
50 | }
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: module.application.azurerm_storage_account.application
File: /rest-server/src/test/resources/nubesgen/terraform/function-mysql/terraform/modules/function/main.tf:37-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
37 | resource "azurerm_storage_account" "application" {
38 | name = azurecaf_name.storage_account.result
39 | resource_group_name = var.resource_group
40 | location = var.location
41 | account_tier = "Standard"
42 | account_replication_type = "LRS"
43 | enable_https_traffic_only = true
44 | allow_nested_items_to_be_public = false
45 |
46 | tags = {
47 | "environment" = var.environment
48 | "application-name" = var.application_name
49 | }
50 | }
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: module.application.azurerm_storage_account.application
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/function/main.tf:37-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
37 | resource "azurerm_storage_account" "application" {
38 | name = azurecaf_name.storage_account.result
39 | resource_group_name = var.resource_group
40 | location = var.location
41 | account_tier = "Standard"
42 | account_replication_type = "LRS"
43 | enable_https_traffic_only = true
44 | allow_nested_items_to_be_public = false
45 |
46 | tags = {
47 | "environment" = var.environment
48 | "application-name" = var.application_name
49 | }
50 | }
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/storage-blob/main.tf:16-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /rest-server/src/test/resources/nubesgen/terraform/storage-blob/terraform/modules/storage-blob/main.tf:16-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: module.storage-blob.azurerm_storage_account.storage-blob
File: /terraform/modules/storage-blob/main.tf:16-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
16 | resource "azurerm_storage_account" "storage-blob" {
17 | name = azurecaf_name.storage_account.result
18 | resource_group_name = var.resource_group
19 | location = var.location
20 | account_tier = "Standard"
21 | account_replication_type = "LRS"
22 |
23 | tags = {
24 | "environment" = var.environment
25 | "application-name" = var.application_name
26 | }
27 | }
Check: CKV_AZURE_23: "Ensure that 'Auditing' is set to 'On' for SQL servers"
FAILED for resource: module.database.azurerm_mssql_server.database
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/terraform/modules/sql-server/main.tf:22-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/bc-azr-logging-2.html
22 | resource "azurerm_mssql_server" "database" {
23 | name = azurecaf_name.mssql_server.result
24 | resource_group_name = var.resource_group
25 | location = var.location
26 | version = "12.0"
27 |
28 | administrator_login = var.administrator_login
29 | administrator_login_password = random_password.password.result
30 |
31 | tags = {
32 | "environment" = var.environment
33 | "application-name" = var.application_name
34 | }
35 | }
Check: CKV_AZURE_23: "Ensure that 'Auditing' is set to 'On' for SQL servers"
FAILED for resource: module.database.azurerm_mssql_server.database
File: /rest-server/src/test/resources/nubesgen/terraform/asa-sqlserver-java/terraform/modules/sql-server/main.tf:22-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/bc-azr-logging-2.html
22 | resource "azurerm_mssql_server" "database" {
23 | name = azurecaf_name.mssql_server.result
24 | resource_group_name = var.resource_group
25 | location = var.location
26 | version = "12.0"
27 |
28 | administrator_login = var.administrator_login
29 | administrator_login_password = random_password.password.result
30 |
31 | tags = {
32 | "environment" = var.environment
33 | "application-name" = var.application_name
34 | }
35 | }
Check: CKV_AZURE_23: "Ensure that 'Auditing' is set to 'On' for SQL servers"
FAILED for resource: module.database.azurerm_mssql_server.database
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-mssql-java/terraform/modules/sql-server/main.tf:22-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/bc-azr-logging-2.html
22 | resource "azurerm_mssql_server" "database" {
23 | name = azurecaf_name.mssql_server.result
24 | resource_group_name = var.resource_group
25 | location = var.location
26 | version = "12.0"
27 |
28 | administrator_login = var.administrator_login
29 | administrator_login_password = random_password.password.result
30 |
31 | tags = {
32 | "environment" = var.environment
33 | "application-name" = var.application_name
34 | }
35 | }
Check: CKV_AZURE_23: "Ensure that 'Auditing' is set to 'On' for SQL servers"
FAILED for resource: module.database.azurerm_mssql_server.database
File: /rest-server/src/test/resources/nubesgen/terraform/sql-server/terraform/modules/sql-server/main.tf:22-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/bc-azr-logging-2.html
22 | resource "azurerm_mssql_server" "database" {
23 | name = azurecaf_name.mssql_server.result
24 | resource_group_name = var.resource_group
25 | location = var.location
26 | version = "12.0"
27 |
28 | administrator_login = var.administrator_login
29 | administrator_login_password = random_password.password.result
30 |
31 | tags = {
32 | "environment" = var.environment
33 | "application-name" = var.application_name
34 | }
35 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: module.network.azurerm_subnet.app_subnet
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/virtual-network/main.tf:34-48
34 | resource "azurerm_subnet" "app_subnet" {
35 | name = azurecaf_name.app_subnet.result
36 | resource_group_name = var.resource_group
37 | virtual_network_name = azurerm_virtual_network.virtual_network.name
38 | address_prefixes = [var.app_subnet_prefix]
39 | service_endpoints = var.service_endpoints
40 | delegation {
41 | name = "${var.application_name}-delegation"
42 |
43 | service_delegation {
44 | name = "Microsoft.Web/serverFarms"
45 | actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
46 | }
47 | }
48 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: module.network.azurerm_subnet.database_subnet
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/virtual-network/main.tf:56-69
56 | resource "azurerm_subnet" "database_subnet" {
57 | name = azurecaf_name.database_subnet.result
58 | resource_group_name = var.resource_group
59 | virtual_network_name = azurerm_virtual_network.virtual_network.name
60 | address_prefixes = [var.database_subnet_prefix]
61 | service_endpoints = ["Microsoft.Storage"]
62 | delegation {
63 | name = "fs"
64 | service_delegation {
65 | name = "Microsoft.DBforPostgreSQL/flexibleServers"
66 | actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"]
67 | }
68 | }
69 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: module.network.azurerm_subnet.redis_subnet
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/virtual-network/main.tf:77-82
77 | resource "azurerm_subnet" "redis_subnet" {
78 | name = azurecaf_name.redis_subnet.result
79 | resource_group_name = var.resource_group
80 | virtual_network_name = azurerm_virtual_network.virtual_network.name
81 | address_prefixes = [var.redis_subnet_prefix]
82 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: module.network.azurerm_subnet.app_subnet
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/modules/virtual-network/main.tf:34-48
34 | resource "azurerm_subnet" "app_subnet" {
35 | name = azurecaf_name.app_subnet.result
36 | resource_group_name = var.resource_group
37 | virtual_network_name = azurerm_virtual_network.virtual_network.name
38 | address_prefixes = [var.app_subnet_prefix]
39 | service_endpoints = var.service_endpoints
40 | delegation {
41 | name = "${var.application_name}-delegation"
42 |
43 | service_delegation {
44 | name = "Microsoft.Web/serverFarms"
45 | actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
46 | }
47 | }
48 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: module.network.azurerm_subnet.database_subnet
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/modules/virtual-network/main.tf:56-69
56 | resource "azurerm_subnet" "database_subnet" {
57 | name = azurecaf_name.database_subnet.result
58 | resource_group_name = var.resource_group
59 | virtual_network_name = azurerm_virtual_network.virtual_network.name
60 | address_prefixes = [var.database_subnet_prefix]
61 | service_endpoints = ["Microsoft.Storage"]
62 | delegation {
63 | name = "fs"
64 | service_delegation {
65 | name = "Microsoft.DBforPostgreSQL/flexibleServers"
66 | actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"]
67 | }
68 | }
69 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: module.network.azurerm_subnet.service_subnet
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/modules/virtual-network/main.tf:34-39
34 | resource "azurerm_subnet" "service_subnet" {
35 | name = azurecaf_name.service_subnet.result
36 | resource_group_name = var.resource_group
37 | virtual_network_name = azurerm_virtual_network.virtual_network.name
38 | address_prefixes = [var.service_subnet_prefix]
39 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: module.network.azurerm_subnet.app_subnet
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/modules/virtual-network/main.tf:47-53
47 | resource "azurerm_subnet" "app_subnet" {
48 | name = azurecaf_name.app_subnet.result
49 | resource_group_name = var.resource_group
50 | virtual_network_name = azurerm_virtual_network.virtual_network.name
51 | address_prefixes = [var.app_subnet_prefix]
52 | service_endpoints = var.service_endpoints
53 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: module.network.azurerm_subnet.database_subnet
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/modules/virtual-network/main.tf:61-74
61 | resource "azurerm_subnet" "database_subnet" {
62 | name = azurecaf_name.database_subnet.result
63 | resource_group_name = var.resource_group
64 | virtual_network_name = azurerm_virtual_network.virtual_network.name
65 | address_prefixes = [var.database_subnet_prefix]
66 | service_endpoints = ["Microsoft.Storage"]
67 | delegation {
68 | name = "fs"
69 | service_delegation {
70 | name = "Microsoft.DBforPostgreSQL/flexibleServers"
71 | actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"]
72 | }
73 | }
74 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: module.network.azurerm_subnet.redis_subnet
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/modules/virtual-network/main.tf:82-87
82 | resource "azurerm_subnet" "redis_subnet" {
83 | name = azurecaf_name.redis_subnet.result
84 | resource_group_name = var.resource_group
85 | virtual_network_name = azurerm_virtual_network.virtual_network.name
86 | address_prefixes = [var.redis_subnet_prefix]
87 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: module.network.azurerm_subnet.service_subnet
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-java/terraform/modules/virtual-network/main.tf:34-39
34 | resource "azurerm_subnet" "service_subnet" {
35 | name = azurecaf_name.service_subnet.result
36 | resource_group_name = var.resource_group
37 | virtual_network_name = azurerm_virtual_network.virtual_network.name
38 | address_prefixes = [var.service_subnet_prefix]
39 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: module.network.azurerm_subnet.app_subnet
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-java/terraform/modules/virtual-network/main.tf:47-52
47 | resource "azurerm_subnet" "app_subnet" {
48 | name = azurecaf_name.app_subnet.result
49 | resource_group_name = var.resource_group
50 | virtual_network_name = azurerm_virtual_network.virtual_network.name
51 | address_prefixes = [var.app_subnet_prefix]
52 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: module.network.azurerm_subnet.service_subnet
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-mssql-java/terraform/modules/virtual-network/main.tf:34-39
34 | resource "azurerm_subnet" "service_subnet" {
35 | name = azurecaf_name.service_subnet.result
36 | resource_group_name = var.resource_group
37 | virtual_network_name = azurerm_virtual_network.virtual_network.name
38 | address_prefixes = [var.service_subnet_prefix]
39 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: module.network.azurerm_subnet.app_subnet
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-mssql-java/terraform/modules/virtual-network/main.tf:47-53
47 | resource "azurerm_subnet" "app_subnet" {
48 | name = azurecaf_name.app_subnet.result
49 | resource_group_name = var.resource_group
50 | virtual_network_name = azurerm_virtual_network.virtual_network.name
51 | address_prefixes = [var.app_subnet_prefix]
52 | service_endpoints = var.service_endpoints
53 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: module.network.azurerm_subnet.service_subnet
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-mysql-java/terraform/modules/virtual-network/main.tf:34-39
34 | resource "azurerm_subnet" "service_subnet" {
35 | name = azurecaf_name.service_subnet.result
36 | resource_group_name = var.resource_group
37 | virtual_network_name = azurerm_virtual_network.virtual_network.name
38 | address_prefixes = [var.service_subnet_prefix]
39 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: module.network.azurerm_subnet.app_subnet
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-mysql-java/terraform/modules/virtual-network/main.tf:47-53
47 | resource "azurerm_subnet" "app_subnet" {
48 | name = azurecaf_name.app_subnet.result
49 | resource_group_name = var.resource_group
50 | virtual_network_name = azurerm_virtual_network.virtual_network.name
51 | address_prefixes = [var.app_subnet_prefix]
52 | service_endpoints = var.service_endpoints
53 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: module.network.azurerm_subnet.database_subnet
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-mysql-java/terraform/modules/virtual-network/main.tf:61-74
61 | resource "azurerm_subnet" "database_subnet" {
62 | name = azurecaf_name.database_subnet.result
63 | resource_group_name = var.resource_group
64 | virtual_network_name = azurerm_virtual_network.virtual_network.name
65 | address_prefixes = [var.database_subnet_prefix]
66 | service_endpoints = ["Microsoft.Storage"]
67 | delegation {
68 | name = "fs"
69 | service_delegation {
70 | name = "Microsoft.DBforMySQL/flexibleServers"
71 | actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"]
72 | }
73 | }
74 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: module.network.azurerm_subnet.app_subnet
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/virtual-network/main.tf:34-48
34 | resource "azurerm_subnet" "app_subnet" {
35 | name = azurecaf_name.app_subnet.result
36 | resource_group_name = var.resource_group
37 | virtual_network_name = azurerm_virtual_network.virtual_network.name
38 | address_prefixes = [var.app_subnet_prefix]
39 | service_endpoints = var.service_endpoints
40 | delegation {
41 | name = "${var.application_name}-delegation"
42 |
43 | service_delegation {
44 | name = "Microsoft.Web/serverFarms"
45 | actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
46 | }
47 | }
48 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: module.network.azurerm_subnet.database_subnet
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/virtual-network/main.tf:56-69
56 | resource "azurerm_subnet" "database_subnet" {
57 | name = azurecaf_name.database_subnet.result
58 | resource_group_name = var.resource_group
59 | virtual_network_name = azurerm_virtual_network.virtual_network.name
60 | address_prefixes = [var.database_subnet_prefix]
61 | service_endpoints = ["Microsoft.Storage"]
62 | delegation {
63 | name = "fs"
64 | service_delegation {
65 | name = "Microsoft.DBforPostgreSQL/flexibleServers"
66 | actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"]
67 | }
68 | }
69 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: module.network.azurerm_subnet.redis_subnet
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/virtual-network/main.tf:77-82
77 | resource "azurerm_subnet" "redis_subnet" {
78 | name = azurecaf_name.redis_subnet.result
79 | resource_group_name = var.resource_group
80 | virtual_network_name = azurerm_virtual_network.virtual_network.name
81 | address_prefixes = [var.redis_subnet_prefix]
82 | }
Check: CKV2_AZURE_32: "Ensure private endpoint is configured to key vault"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring-keyvault/terraform/modules/key-vault/main.tf:18-32
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | tags = {
29 | "environment" = var.environment
30 | "application-name" = var.application_name
31 | }
32 | }
Check: CKV2_AZURE_32: "Ensure private endpoint is configured to key vault"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-docker/terraform/modules/key-vault/main.tf:18-39
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | network_acls {
29 | default_action = "Deny"
30 | bypass = "None"
31 | virtual_network_subnet_ids = [var.subnet_id]
32 | ip_rules = [var.myip]
33 | }
34 |
35 | tags = {
36 | "environment" = var.environment
37 | "application-name" = var.application_name
38 | }
39 | }
Check: CKV2_AZURE_32: "Ensure private endpoint is configured to key vault"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-vnet-spring/terraform/modules/key-vault/main.tf:18-39
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | network_acls {
29 | default_action = "Deny"
30 | bypass = "None"
31 | virtual_network_subnet_ids = [var.subnet_id]
32 | ip_rules = [var.myip]
33 | }
34 |
35 | tags = {
36 | "environment" = var.environment
37 | "application-name" = var.application_name
38 | }
39 | }
Check: CKV2_AZURE_32: "Ensure private endpoint is configured to key vault"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/modules/key-vault/main.tf:18-32
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | tags = {
29 | "environment" = var.environment
30 | "application-name" = var.application_name
31 | }
32 | }
Check: CKV2_AZURE_32: "Ensure private endpoint is configured to key vault"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/asa-mysql-java/terraform/modules/key-vault/main.tf:18-32
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | tags = {
29 | "environment" = var.environment
30 | "application-name" = var.application_name
31 | }
32 | }
Check: CKV2_AZURE_32: "Ensure private endpoint is configured to key vault"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/asa-sqlserver-java/terraform/modules/key-vault/main.tf:18-32
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | tags = {
29 | "environment" = var.environment
30 | "application-name" = var.application_name
31 | }
32 | }
Check: CKV2_AZURE_32: "Ensure private endpoint is configured to key vault"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/modules/key-vault/main.tf:18-39
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | network_acls {
29 | default_action = "Deny"
30 | bypass = "None"
31 | virtual_network_subnet_ids = [var.subnet_id]
32 | ip_rules = [var.myip]
33 | }
34 |
35 | tags = {
36 | "environment" = var.environment
37 | "application-name" = var.application_name
38 | }
39 | }
Check: CKV2_AZURE_32: "Ensure private endpoint is configured to key vault"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/function-vnet-java/terraform/modules/key-vault/main.tf:18-39
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | network_acls {
29 | default_action = "Deny"
30 | bypass = "None"
31 | virtual_network_subnet_ids = [var.subnet_id]
32 | ip_rules = [var.myip]
33 | }
34 |
35 | tags = {
36 | "environment" = var.environment
37 | "application-name" = var.application_name
38 | }
39 | }
Check: CKV2_AZURE_32: "Ensure private endpoint is configured to key vault"
FAILED for resource: module.key-vault.azurerm_key_vault.application
File: /rest-server/src/test/resources/nubesgen/terraform/key-vault/terraform/modules/key-vault/main.tf:18-32
18 | resource "azurerm_key_vault" "application" {
19 | name = azurecaf_name.key_vault.result
20 | resource_group_name = var.resource_group
21 | location = var.location
22 |
23 | tenant_id = data.azurerm_client_config.current.tenant_id
24 | soft_delete_retention_days = 90
25 |
26 | sku_name = "standard"
27 |
28 | tags = {
29 | "environment" = var.environment
30 | "application-name" = var.application_name
31 | }
32 | }
dockerfile scan results:
Passed checks: 25, Failed checks: 1, Skipped checks: 0
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /rest-server/src/main/docker/Dockerfile.native.
File: /rest-server/src/main/docker/Dockerfile.native:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM ubuntu:22.10
2 | WORKDIR /work/
3 | RUN chown 1001 /work \
4 | && chmod "g+rwX" /work \
5 | && chown 1001:root /work
6 | COPY --chown=1001:root target/nubesgen /work/application
7 |
8 | EXPOSE 8080
9 | USER 1001
10 |
11 | CMD ["./application"]
secrets scan results:
Passed checks: 0, Failed checks: 4, Skipped checks: 0
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 271245a2e4f029ddab3d198c93e963e60bc15c87
File: /rest-server/src/test/resources/nubesgen/terraform/asa-addons-java/terraform/modules/spring-apps/main.tf:56-57
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
56 | "SPRING_REDIS_PASSWORD" = "stored*******************"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 271245a2e4f029ddab3d198c93e963e60bc15c87
File: /rest-server/src/test/resources/nubesgen/terraform/asa-mysql-java/terraform/modules/spring-apps/main.tf:52-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
52 | "SPRING_DATASOURCE_PASSWORD" = "stored*******************"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 271245a2e4f029ddab3d198c93e963e60bc15c87
File: /rest-server/src/test/resources/nubesgen/terraform/asa-sqlserver-java/terraform/modules/spring-apps/main.tf:52-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
52 | "SPRING_DATASOURCE_PASSWORD" = "stored*******************"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 271245a2e4f029ddab3d198c93e963e60bc15c87
File: /rest-server/src/test/resources/nubesgen/terraform/asa-vnet-addons-java/terraform/modules/spring-apps/main.tf:110-111
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
110 | "SPRING_DATASOURCE_PASSWORD" = "stored*******************"
github_actions scan results:
Passed checks: 714, Failed checks: 18, Skipped checks: 0
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(GitOps)
File: /rest-server/src/test/resources/nubesgen/terraform/aca-docker/.github/workflows/gitops.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(GitOps)
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-docker/.github/workflows/gitops.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(GitOps)
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-gradle-gitops-postgres/.github/workflows/gitops.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(GitOps)
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-dotnet/.github/workflows/gitops.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(GitOps)
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-nodejs/.github/workflows/gitops.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(GitOps)
File: /rest-server/src/test/resources/nubesgen/terraform/function-maven-gitops/.github/workflows/gitops.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(GitOps)
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-python/.github/workflows/gitops.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(GitOps)
File: /rest-server/src/test/resources/nubesgen/terraform/asa-mysql-java/.github/workflows/gitops.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(GitOps)
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-micronaut-maven-gitops-postgres/.github/workflows/gitops.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(GitOps)
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-maven-gitops/.github/workflows/gitops.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(GitOps)
File: /rest-server/src/test/resources/nubesgen/terraform/aca-spring/.github/workflows/gitops.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(GitOps)
File: /rest-server/src/test/resources/nubesgen/terraform/app-service-gradle-gitops/.github/workflows/gitops.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(📗 Documentation Build)
File: /.github/workflows/documentation.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(REST Server - Deployment - main branch)
File: /.github/workflows/rest-server-continuous-deployment-main.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(REST Server - Create a release)
File: /.github/workflows/rest-server-release.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(REST Server - Continuous Integration)
File: /.github/workflows/rest-server-continuous-integration.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(⌨️ CLI - Continuous Integration)
File: /.github/workflows/cli-continuous-integration.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(⌨️ CLI - Create a release)
File: /.github/workflows/cli-release.yml:0-1
bicep scan results:
Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that no linting tool was found in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools