Azure WAF policy Terraform Checkov scan is failing

Copper Contributor

Hello All,


By bridgecrew.io | version: 2.4.39
Update available 2.4.39 -> 2.4.48
Run pip3 install -U checkov to update


terraform scan results:

Passed checks: 1, Failed checks: 1, Skipped checks: 0

Check: CKV_AZURE_122: "Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes"
PASSED for resource: azurerm_web_application_firewall_policy.main
File: \main.tf:1-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-secur...
Check: CKV_AZURE_135: "Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
FAILED for resource: azurerm_web_application_firewall_policy.main
File: \main.tf:1-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-secur...

Code lines for this resource are too many. Please use IDE of your choice to review the file.


The Log4j scan is failing.


resource "azurerm_web_application_firewall_policy" "main" {
  name                = var.name
  resource_group_name = var.resource_group_name
  location            = var.location

  tags = var.tags

  # Global WAF settings: on/off, body and upload limits, Detection or Prevention mode
  policy_settings {
    enabled                     = var.waf_enabled
    file_upload_limit_in_mb     = var.file_upload_limit_mb
    max_request_body_size_in_kb = var.max_request_body_size_kb
    mode                        = var.firewall_mode
  }

  # Custom rules built from var.custom_policies. Note that every custom rule
  # receives the same module-level var.match_conditions / var.match_variables,
  # not a per-rule list.
  dynamic "custom_rules" {
    for_each = var.custom_policies
    content {
      name      = custom_rules.value.name
      priority  = custom_rules.value.priority
      rule_type = custom_rules.value.rule_type
      action    = custom_rules.value.action

      dynamic "match_conditions" {
        for_each = var.match_conditions
        content {
          dynamic "match_variables" {
            for_each = var.match_variables
            content {
              variable_name = match_variables.value.match_variable
              selector      = match_variables.value.selector
            }
          }

          operator           = match_conditions.value.operator
          negation_condition = match_conditions.value.negation_condition
          match_values       = match_conditions.value.match_values
        }
      }
    }
  }

  # Managed rule set (type and version come from variables), with optional
  # per-rule-group overrides and request exclusions
  managed_rules {
    managed_rule_set {
      type    = var.rule_set_type
      version = var.rule_set_version

      dynamic "rule_group_override" {
        for_each = var.managed_policies_override
        content {
          rule_group_name = rule_group_override.value.rule_group_name
          disabled_rules  = rule_group_override.value.disabled_rules
        }
      }
    }

    dynamic "exclusion" {
      for_each = var.managed_policies_exclusions
      content {
        match_variable          = exclusion.value.match_variable
        selector                = exclusion.value.selector
        selector_match_operator = exclusion.value.selector_match_operator
      }
    }
  }
}
0 Replies
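The following is an added example, not the poster's module and not part of the thread. CKV_AZURE_135 evaluates the managed_rules.managed_rule_set type and version of the policy (as I read the check, it expects the OWASP rule set at version 3.1 or newer, which is where Azure shipped the Log4j/CVE-2021-44228 signatures; treat that reading as an assumption and confirm it against the Checkov source for your version). In the posted resource both attributes are variable references. Checkov can only compare literal values, and it resolves variables from `default` values in the module or from a tfvars file passed with `--var-file`; if neither is present it sees an unresolved `${var.rule_set_version}` and reports FAILED even though the deployed policy may be fine. The example below pins defaults so the scan has something to evaluate. All names (`waf-policy-example`, `rg-example`, the region, the sample override) are placeholders I chose for illustration.

```hcl
# Added example: give the scanner literal values to evaluate.
# These defaults can still be overridden per environment via tfvars.
variable "rule_set_type" {
  type    = string
  default = "OWASP"   # assumption: the check looks for the OWASP rule set
}

variable "rule_set_version" {
  type    = string
  default = "3.2"     # assumption: 3.1 or newer is what the check accepts
}

resource "azurerm_web_application_firewall_policy" "example" {
  name                = "waf-policy-example"   # placeholder
  resource_group_name = "rg-example"           # placeholder
  location            = "westeurope"           # placeholder

  policy_settings {
    enabled = true
    mode    = "Prevention"   # literal, so CKV_AZURE_122 can also evaluate it
  }

  managed_rules {
    managed_rule_set {
      type    = var.rule_set_type
      version = var.rule_set_version

      # Overrides are fine for noisy groups; just do not disable the
      # rule group that carries the Log4j signatures.
      rule_group_override {
        rule_group_name = "REQUEST-920-PROTOCOL-ENFORCEMENT"   # sample override
        disabled_rules  = ["920300"]                           # "Request Missing an Accept Header"
      }
    }
  }
}
```

To scan with the values an environment actually uses rather than the defaults, run `checkov -d . --var-file prod.tfvars` (the `--var-file` flag is Checkov's own; the file name is a placeholder). If the rule set must stay variable-driven with no default, the remaining option is to suppress the finding explicitly on the resource with a `#checkov:skip=CKV_AZURE_135:<reason>` comment, which at least records why the scanner cannot evaluate it.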