feat(queries): implemented queries that checks if the tls encryption version is set to '1.2' or higher for terrraform/azure (#7852)

* implemented queries that checks if the tls encryption version is set to 1.2 or higher

* added all the queries to the similarityID_transition yaml files for terraform/azure

* fixed positive expected results

* fix remediation

Author: cx-ricardo-jesus

assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/metadata.json

@@ -0,0 +1,14 @@
+{
+  "id": "03928f0d-bff0-4feb-a31a-615d093e6026",
+  "queryName": "Beta - Function App Deployment Slot Not Using Latest TLS Encryption Version",
+  "severity": "MEDIUM",
+  "category": "Encryption",
+  "descriptionText": "Ensure Function App Deployment Slot is using the latest version of TLS encryption",
+  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/windows_function_app_slot",
+  "platform": "Terraform",
+  "descriptionID": "03928f0d",
+  "cloudProvider": "azure",
+  "cwe": "326",
+  "riskScore": "3.0",
+  "experimental": "true"
+}

assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/query.rego

@@ -0,0 +1,30 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+    supported_resources := {"azurerm_linux_function_app_slot", "azurerm_windows_function_app_slot"}
+    resource := input.document[i].resource[supported_resources[resource_index]][name]
+
+    common_lib.valid_key(resource.site_config, "minimum_tls_version")
+    resource.site_config.minimum_tls_version != "1.2"
+    resource.site_config.minimum_tls_version != "1.3"
+    tls_version_val := resource.site_config.minimum_tls_version
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": supported_resources[resource_index],
+		"resourceName": tf_lib.get_resource_name(resource,name),
+		"searchKey": sprintf("%s[%s].site_config.minimum_tls_version", [supported_resources[resource_index], name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "'site_config.minimum_tls_version' should be defined to '1.2' or higher",
+		"keyActualValue": sprintf("'site_config.minimum_tls_version' is defined to '%s'", [tls_version_val]),
+		"searchLine": common_lib.build_search_line(["resource", supported_resources[resource_index], name, "site_config", "minimum_tls_version"], []),
+		"remediation": json.marshal({
+			"before": tls_version_val,
+			"after": "1.3",
+		}),
+		"remediationType": "replacement",
+	}
+}

assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/test/negative1.tf

@@ -0,0 +1,7 @@
+resource "azurerm_linux_function_app_slot" "negative1" {
+  name                 = "example-linux-function-app-slot"
+  function_app_id      = azurerm_linux_function_app.example.id
+  storage_account_name = azurerm_storage_account.example.name
+
+  site_config {}
+}

assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/test/negative2.tf

@@ -0,0 +1,9 @@
+resource "azurerm_linux_function_app_slot" "negative2" {
+  name                 = "example-linux-function-app-slot"
+  function_app_id      = azurerm_linux_function_app.example.id
+  storage_account_name = azurerm_storage_account.example.name
+
+  site_config {
+    minimum_tls_version = "1.2"
+  }
+}

assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/test/negative3.tf

@@ -0,0 +1,9 @@
+resource "azurerm_linux_function_app_slot" "negative3" {
+  name                 = "example-linux-function-app-slot"
+  function_app_id      = azurerm_linux_function_app.example.id
+  storage_account_name = azurerm_storage_account.example.name
+
+  site_config {
+    minimum_tls_version = "1.3"
+  }
+}

assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/test/negative4.tf

@@ -0,0 +1,7 @@
+resource "azurerm_windows_function_app_slot" "negative4" {
+  name                 = "example-slot"
+  function_app_id      = azurerm_windows_function_app.example.id
+  storage_account_name = azurerm_storage_account.example.name
+
+  site_config {}
+}

assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/test/negative5.tf

@@ -0,0 +1,9 @@
+resource "azurerm_windows_function_app_slot" "negative5" {
+  name                 = "example-slot"
+  function_app_id      = azurerm_windows_function_app.example.id
+  storage_account_name = azurerm_storage_account.example.name
+
+  site_config {
+    minimum_tls_version = "1.2"
+  }
+}

assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/test/negative6.tf

@@ -0,0 +1,9 @@
+resource "azurerm_windows_function_app_slot" "negative6" {
+  name                 = "example-slot"
+  function_app_id      = azurerm_windows_function_app.example.id
+  storage_account_name = azurerm_storage_account.example.name
+
+  site_config {
+    minimum_tls_version = "1.3"
+  }
+}

assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/test/positive1.tf

@@ -0,0 +1,9 @@
+resource "azurerm_linux_function_app_slot" "positive1" {
+  name                 = "example-linux-function-app-slot"
+  function_app_id      = azurerm_linux_function_app.example.id
+  storage_account_name = azurerm_storage_account.example.name
+
+  site_config {
+    minimum_tls_version = "1.1"
+  }
+}

assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/test/positive2.tf

@@ -0,0 +1,9 @@
+resource "azurerm_windows_function_app_slot" "positive2" {
+  name                 = "example-slot"
+  function_app_id      = azurerm_windows_function_app.example.id
+  storage_account_name = azurerm_storage_account.example.name
+
+  site_config {
+    minimum_tls_version = "1.1"
+  }
+}