turbot/terraform_azure_compliance


Query: appservice_web_app_cors_no_star

Usage

steampipe query terraform_azure_compliance.query.appservice_web_app_cors_no_star

Plugins & Tables

SQL

select
  type || ' ' || name as resource,
  case
    -- A missing site_config block is reported as a failure.
    when (arguments -> 'site_config') is null then 'alarm'
    -- A "*" entry anywhere in allowed_origins permits every origin.
    when (
      arguments -> 'site_config' -> 'cors' -> 'allowed_origins'
    ) @> '["*"]' then 'alarm'
    else 'ok'
  end status,
  name || case
    when (arguments -> 'site_config') is null then ' ''site_config'' not defined'
    when (
      arguments -> 'site_config' -> 'cors' -> 'allowed_origins'
    ) @> '["*"]' then ' CORS allows all domains to access the application'
    else ' CORS does not allow all domains to access the application'
  end || '.' reason,
  -- File and line of the resource block in the scanned Terraform source.
  path || ':' || start_line
from
  terraform_resource
where
  type = 'azurerm_app_service';
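
The Terraform below is an added example, not taken from the turbot/terraform_azure_compliance project, showing one resource for each branch of the query above and the status each produces. All names, the plan ID and the origins are constructed placeholders.

```hcl
# Constructed sample input for the appservice_web_app_cors_no_star query.
# Every name, ID and origin here is a placeholder.
locals {
  plan_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Web/serverfarms/example-plan"
}

# alarm: "'site_config' not defined" (first WHEN branch).
resource "azurerm_app_service" "no_site_config" {
  name                = "example-no-site-config"
  location            = "westeurope"
  resource_group_name = "example-rg"
  app_service_plan_id = local.plan_id
}

# alarm: the jsonb containment test (@>) matches "*" even when it is
# listed next to specific origins.
resource "azurerm_app_service" "cors_wildcard" {
  name                = "example-cors-wildcard"
  location            = "westeurope"
  resource_group_name = "example-rg"
  app_service_plan_id = local.plan_id
  site_config {
    cors {
      allowed_origins = ["https://portal.example.com", "*"]
    }
  }
}

# ok: only explicit origins are listed.
resource "azurerm_app_service" "cors_restricted" {
  name                = "example-cors-restricted"
  location            = "westeurope"
  resource_group_name = "example-rg"
  app_service_plan_id = local.plan_id
  site_config {
    cors {
      allowed_origins = ["https://portal.example.com"]
    }
  }
}

# ok: site_config exists but has no cors block, so the containment test
# yields NULL and the CASE falls through to ELSE.
resource "azurerm_app_service" "no_cors_block" {
  name                = "example-no-cors-block"
  location            = "westeurope"
  resource_group_name = "example-rg"
  app_service_plan_id = local.plan_id
  site_config {}
}
```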

Controls

The query is being used by the following controls: