in internal/scanners/asp/rules.go [400:542]
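// getLogicRules returns the recommendation set evaluated against Logic App
// (Standard) resources, which ARM surfaces as Microsoft.Web/sites.
//
// Each Eval receives the ARM Site as target plus the shared ScanContext and
// returns (broken, detail). Optional pointers are read defensively: a missing
// Properties/SiteConfig/field is reported as a finding for "should enable X"
// rules (fail-closed, matching how logics-011/012 already treat a nil value)
// and as "not configured" for "should avoid X" rules (logics-013). This keeps a
// partially populated response from panicking and aborting the whole scan.
func (a *AppServiceScanner) getLogicRules() map[string]models.AzqrRecommendation {
	return map[string]models.AzqrRecommendation{
		"logics-001": {
			RecommendationID: "logics-001",
			ResourceType:     "Microsoft.Web/sites",
			Category:         models.CategoryMonitoringAndAlerting,
			Recommendation:   "Logic App should have diagnostic settings enabled",
			Impact:           models.ImpactLow,
			Eval: func(target interface{}, scanContext *models.ScanContext) (bool, string) {
				service := target.(*armappservice.Site)
				if service.ID == nil {
					// Without an ID nothing can be correlated; report it rather than panic.
					return true, ""
				}
				// DiagnosticsSettings is keyed by lower-cased resource ID because ARM
				// does not guarantee consistent casing across API responses.
				_, ok := scanContext.DiagnosticsSettings[strings.ToLower(*service.ID)]
				return !ok, ""
			},
			LearnMoreUrl: "https://learn.microsoft.com/en-us/azure/logic-apps/monitor-workflows-collect-diagnostic-data",
		},
		"logics-004": {
			RecommendationID: "logics-004",
			ResourceType:     "Microsoft.Web/sites",
			Category:         models.CategorySecurity,
			Recommendation:   "Logic App should have private endpoints enabled",
			Impact:           models.ImpactHigh,
			Eval: func(target interface{}, scanContext *models.ScanContext) (bool, string) {
				i := target.(*armappservice.Site)
				if i.ID == nil {
					return true, ""
				}
				// NOTE(review): this lookup is case-sensitive while the diagnostics
				// lookup above lowercases the ID — confirm PrivateEndpoints keys carry
				// the same casing as Site.ID, otherwise every site is reported here.
				_, pe := scanContext.PrivateEndpoints[*i.ID]
				return !pe, ""
			},
			LearnMoreUrl: "https://learn.microsoft.com/en-us/azure/logic-apps/secure-single-tenant-workflow-virtual-network-private-endpoint",
		},
		"logics-006": {
			RecommendationID: "logics-006",
			ResourceType:     "Microsoft.Web/sites",
			Category:         models.CategoryGovernance,
			Recommendation:   "Logic App Name should comply with naming conventions",
			Impact:           models.ImpactLow,
			Eval: func(target interface{}, scanContext *models.ScanContext) (bool, string) {
				c := target.(*armappservice.Site)
				// CAF abbreviation for Logic Apps is "logic"; the check is case-sensitive.
				compliant := c.Name != nil && strings.HasPrefix(*c.Name, "logic")
				return !compliant, ""
			},
			LearnMoreUrl: "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations",
		},
		"logics-007": {
			RecommendationID: "logics-007",
			ResourceType:     "Microsoft.Web/sites",
			Category:         models.CategorySecurity,
			Recommendation:   "Logic App should use HTTPS only",
			Impact:           models.ImpactHigh,
			Eval: func(target interface{}, scanContext *models.ScanContext) (bool, string) {
				c := target.(*armappservice.Site)
				// httpsOnly unset means plain HTTP is still accepted, so nil counts as broken.
				enforced := c.Properties != nil && c.Properties.HTTPSOnly != nil && *c.Properties.HTTPSOnly
				return !enforced, ""
			},
			LearnMoreUrl: "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https",
		},
		"logics-008": {
			RecommendationID: "logics-008",
			ResourceType:     "Microsoft.Web/sites",
			Category:         models.CategoryGovernance,
			Recommendation:   "Logic App should have tags",
			Impact:           models.ImpactLow,
			Eval: func(target interface{}, scanContext *models.ScanContext) (bool, string) {
				c := target.(*armappservice.Site)
				// len() on a nil map is 0, so an absent tags block is also reported.
				return len(c.Tags) == 0, ""
			},
			LearnMoreUrl: "https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json",
		},
		"logics-009": {
			RecommendationID: "logics-009",
			ResourceType:     "Microsoft.Web/sites",
			Category:         models.CategorySecurity,
			Recommendation:   "Logic App should use VNET integration",
			Impact:           models.ImpactMedium,
			Eval: func(target interface{}, scanContext *models.ScanContext) (bool, string) {
				c := target.(*armappservice.Site)
				// Regional VNet integration is reflected as a non-empty delegated subnet ID.
				p := c.Properties
				integrated := p != nil && p.VirtualNetworkSubnetID != nil && *p.VirtualNetworkSubnetID != ""
				return !integrated, ""
			},
			LearnMoreUrl: "https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration",
		},
		"logics-010": {
			RecommendationID: "logics-010",
			ResourceType:     "Microsoft.Web/sites",
			Category:         models.CategorySecurity,
			Recommendation:   "Logic App should have VNET Route all enabled for VNET integration",
			Impact:           models.ImpactMedium,
			Eval: func(target interface{}, scanContext *models.ScanContext) (bool, string) {
				c := target.(*armappservice.Site)
				// Without route-all only RFC1918 traffic goes through the VNet; the rest
				// egresses directly to the internet, bypassing NSGs/UDRs/firewalls.
				p := c.Properties
				routeAll := p != nil && p.VnetRouteAllEnabled != nil && *p.VnetRouteAllEnabled
				return !routeAll, ""
			},
			LearnMoreUrl: "https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration",
		},
		"logics-011": {
			RecommendationID: "logics-011",
			ResourceType:     "Microsoft.Web/sites",
			Category:         models.CategorySecurity,
			Recommendation:   "Logic App should use TLS 1.2",
			Impact:           models.ImpactMedium,
			Eval: func(target interface{}, scanContext *models.ScanContext) (bool, string) {
				cfg := scanContext.SiteConfig
				if cfg == nil || cfg.Properties == nil || cfg.Properties.MinTLSVersion == nil {
					// Unknown minimum version: cannot prove TLS 1.0/1.1 are rejected.
					return true, ""
				}
				// The SDK encodes minTlsVersion as "1.0", "1.1", "1.2" (and "1.3" on
				// newer API versions), so a plain string comparison orders them. Any
				// minimum at or above 1.2 satisfies the rule; the previous exact match
				// against 1.2 wrongly flagged sites hardened to TLS 1.3.
				return string(*cfg.Properties.MinTLSVersion) < string(armappservice.SupportedTLSVersionsOne2), ""
			},
			LearnMoreUrl: "https://learn.microsoft.com/en-us/azure/app-service/overview-tls",
		},
		"logics-012": {
			RecommendationID: "logics-012",
			ResourceType:     "Microsoft.Web/sites",
			Category:         models.CategorySecurity,
			Recommendation:   "Logic App remote debugging should be disabled",
			Impact:           models.ImpactMedium,
			Eval: func(target interface{}, scanContext *models.ScanContext) (bool, string) {
				cfg := scanContext.SiteConfig
				if cfg == nil || cfg.Properties == nil || cfg.Properties.RemoteDebuggingEnabled == nil {
					// Fail closed: an unknown debugging state is treated as enabled.
					return true, ""
				}
				return *cfg.Properties.RemoteDebuggingEnabled, ""
			},
			LearnMoreUrl: "https://learn.microsoft.com/en-us/visualstudio/debugger/remote-debugging-azure-app-service?view=vs-2022#enable-remote-debugging",
		},
		"logics-013": {
			RecommendationID: "logics-013",
			ResourceType:     "Microsoft.Web/sites",
			Category:         models.CategoryHighAvailability,
			Recommendation:   "Logic App should avoid using Client Affinity",
			Impact:           models.ImpactMedium,
			Eval: func(target interface{}, scanContext *models.ScanContext) (bool, string) {
				c := target.(*armappservice.Site)
				// Only an explicit true is a finding; nil/false both mean no affinity cookie.
				p := c.Properties
				return p != nil && p.ClientAffinityEnabled != nil && *p.ClientAffinityEnabled, ""
			},
			LearnMoreUrl: "https://learn.microsoft.com/en-us/azure/well-architected/service-guides/azure-app-service/reliability#checklist",
		},
		"logics-014": {
			RecommendationID: "logics-014",
			ResourceType:     "Microsoft.Web/sites",
			Category:         models.CategorySecurity,
			Recommendation:   "Logic App should use Managed Identities",
			Impact:           models.ImpactMedium,
			Eval: func(target interface{}, scanContext *models.ScanContext) (bool, string) {
				// Site.Identity cannot be used here: the SDK sets Identity to nil even
				// when an identity is configured, so the site configuration's identity
				// ID fields are inspected instead. Either field being present counts as
				// "has a managed identity"; this does not distinguish system- from
				// user-assigned.
				cfg := scanContext.SiteConfig
				if cfg == nil || cfg.Properties == nil {
					return true, ""
				}
				hasIdentity := cfg.Properties.ManagedServiceIdentityID != nil || cfg.Properties.XManagedServiceIdentityID != nil
				return !hasIdentity, ""
			},
			LearnMoreUrl: "https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp",
		},
	}
}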