turbot/steampipe-mod-terraform-azure-compliance

Control: Ensure FTP deployments are disabled

Description

By default, Azure Functions, Web and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.

Usage

Run the control in your terminal:

powerpipe control run terraform_azure_compliance.control.appservice_ftp_deployment_disabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run terraform_azure_compliance.control.appservice_ftp_deployment_disabled --share

SQL

This control uses a named query:

select
  address as resource,
  case
    when (attributes_std -> 'site_config') is null then 'alarm'
    when (attributes_std -> 'site_config' ->> 'ftps_state')::text = 'FtpsOnly' then 'ok'
    else 'alarm'
  end status,
  split_part(address, '.', 2) || case
    when (attributes_std -> 'site_config') is null then ' ''site_config'' not defined'
    when (attributes_std -> 'site_config' ->> 'ftps_state')::text = 'FtpsOnly' then ' FTPS enabled'
    else ' FTPS disabled'
  end || '.' reason
  , path || ':' || start_line
from
  terraform_resource
where
  type = 'azurerm_function_app'
union
select
  address as resource,
  case
    when (attributes_std -> 'site_config') is null then 'alarm'
    when (attributes_std -> 'site_config' ->> 'ftps_state')::text = 'FtpsOnly' then 'ok'
    else 'alarm'
  end status,
  split_part(address, '.', 2) || case
    when (attributes_std -> 'site_config') is null then ' ''site_config'' not defined'
    when (attributes_std -> 'site_config' ->> 'ftps_state')::text = 'FtpsOnly' then ' FTPS enabled'
    else ' FTPS disabled'
  end || '.' reason
  , path || ':' || start_line
from
  terraform_resource
where
  type = 'azurerm_app_service';
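
Added example (not part of the mod or the original page): Terraform resources showing how the query above classifies each case. Resource names, locations and the input variables are constructed placeholders.

```hcl
# Constructed sample resources; names, locations and variables are placeholders.

variable "plan_id" { type = string }
variable "storage_name" { type = string }
variable "storage_key" {
  type      = string
  sensitive = true
}

# alarm: no site_config block, reason "no_site_config 'site_config' not defined."
resource "azurerm_function_app" "no_site_config" {
  name                       = "example-func-a"
  location                   = "westeurope"
  resource_group_name        = "example-rg"
  app_service_plan_id        = var.plan_id
  storage_account_name       = var.storage_name
  storage_account_access_key = var.storage_key
}

# alarm: plain FTP is accepted alongside FTPS, reason "all_allowed FTPS disabled."
resource "azurerm_app_service" "all_allowed" {
  name                = "example-app-b"
  location            = "westeurope"
  resource_group_name = "example-rg"
  app_service_plan_id = var.plan_id

  site_config {
    ftps_state = "AllAllowed"
  }
}

# ok: only FTPS logins are accepted, reason "ftps_only FTPS enabled."
resource "azurerm_app_service" "ftps_only" {
  name                = "example-app-c"
  location            = "westeurope"
  resource_group_name = "example-rg"
  app_service_plan_id = var.plan_id

  site_config {
    ftps_state = "FtpsOnly"
  }
}
```

Because the query compares `ftps_state` against `'FtpsOnly'` only, a resource that sets `ftps_state = "Disabled"` also falls into the `else` branch and is reported as `alarm` with the reason "FTPS disabled".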

Tags