feat: scm ip restriction

README.md

@@ -17,7 +17,7 @@ You can install the plugin with `tflint --init`. Declare a config in `.tflint.hc
 plugin "azurerm-security" {
   enabled = true
 
-  version = "0.1.10"
+  version = "0.1.11"
   source  = "github.com/pregress/tflint-ruleset-azurerm-security"
 }
 ```

docs/README.md

@@ -16,12 +16,14 @@
 |[azurerm_linux_function_app_ftps_state](./rules/azurerm_linux_function_app_ftps_state.md)|Warning|✔|
 |[azurerm_linux_function_app_https_only](./rules/azurerm_linux_function_app_https_only.md)|Warning|✔|
 |[azurerm_linux_function_app_minimum_tls_version](./rules/azurerm_linux_function_app_minimum_tls_version.md)|Warning|✔|
+|[azurerm_linux_function_app_scm_ip_restriction_default_action](./rules/azurerm_linux_function_app_scm_ip_restriction_default_action.md)|Warning|✔|
 |[azurerm_linux_function_app_slot_ftps_state](./rules/azurerm_linux_function_app_slot_ftps_state.md)|Warning|✔|
 |[azurerm_linux_function_app_slot_https_only](./rules/azurerm_linux_function_app_slot_https_only.md)|Warning|✔|
 |[azurerm_linux_function_app_slot_minimum_tls_version](./rules/azurerm_linux_function_app_slot_minimum_tls_version.md)|Warning|✔|
 |[azurerm_linux_web_app_ftps_state](./rules/azurerm_linux_web_app_ftps_state.md)|Warning|✔|
 |[azurerm_linux_web_app_https_only](./rules/azurerm_linux_web_app_https_only.md)|Warning|✔|
 |[azurerm_linux_web_app_minimum_tls_version](./rules/azurerm_linux_web_app_minimum_tls_version.md)|Warning|✔|
+|[azurerm_linux_web_app_scm_ip_restriction_default_action](./rules/azurerm_linux_web_app_scm_ip_restriction_default_action.md)|Warning|✔|
 |[azurerm_linux_web_app_slot_ftps_state](./rules/azurerm_linux_web_app_slot_ftps_state.md)|Warning|✔|
 |[azurerm_linux_web_app_slot_https_only](./rules/azurerm_linux_web_app_slot_https_only.md)|Warning|✔|
 |[azurerm_linux_web_app_slot_minimum_tls_version](./rules/azurerm_linux_web_app_slot_minimum_tls_version.md)|Warning|✔|
@@ -39,12 +41,14 @@
 |[azurerm_windows_function_app_ftps_state](./rules/azurerm_windows_function_app_ftps_state.md)|Warning|✔|
 |[azurerm_windows_function_app_https_only](./rules/azurerm_windows_function_app_https_only.md)|Warning|✔|
 |[azurerm_windows_function_app_minimum_tls_version](./rules/azurerm_windows_function_app_minimum_tls_version.md)|Warning|✔|
+|[azurerm_windows_function_app_scm_ip_restriction_default_action](./rules/azurerm_windows_function_app_scm_ip_restriction_default_action.md)|Warning|✔|
 |[azurerm_windows_function_app_slot_ftps_state](./rules/azurerm_windows_function_app_slot_ftps_state.md)|Warning|✔|
 |[azurerm_windows_function_app_slot_https_only](./rules/azurerm_windows_function_app_slot_https_only.md)|Warning|✔|
 |[azurerm_windows_function_app_slot_minimum_tls_version](./rules/azurerm_windows_function_app_slot_minimum_tls_version.md)|Warning|✔|
 |[azurerm_windows_web_app_ftps_state](./rules/azurerm_windows_web_app_ftps_state.md)|Warning|✔|
 |[azurerm_windows_web_app_https_only](./rules/azurerm_windows_web_app_https_only.md)|Warning|✔|
 |[azurerm_windows_web_app_minimum_tls_version](./rules/azurerm_windows_web_app_minimum_tls_version.md)|Warning|✔|
+|[azurerm_windows_web_app_scm_ip_restriction_default_action](./rules/azurerm_windows_web_app_scm_ip_restriction_default_action.md)|Warning|✔|
 |[azurerm_windows_web_app_slot_ftps_state](./rules/azurerm_windows_web_app_slot_ftps_state.md)|Warning|✔|
 |[azurerm_windows_web_app_slot_https_only](./rules/azurerm_windows_web_app_slot_https_only.md)|Warning|✔|
 |[azurerm_windows_web_app_slot_minimum_tls_version](./rules/azurerm_windows_web_app_slot_minimum_tls_version.md)|Warning|✔|
@@ -83,6 +87,7 @@
 - [azurerm_linux_function_app_ftps_state](./rules/azurerm_linux_function_app_ftps_state.md)
 - [azurerm_linux_function_app_https_only](./rules/azurerm_linux_function_app_https_only.md)
 - [azurerm_linux_function_app_minimum_tls_version](./rules/azurerm_linux_function_app_minimum_tls_version.md)
+- [azurerm_linux_function_app_scm_ip_restriction_default_action](./rules/azurerm_linux_function_app_scm_ip_restriction_default_action.md)
 
 ### azurerm_linux_function_app_slot
 
@@ -95,6 +100,7 @@
 - [azurerm_linux_web_app_ftps_state](./rules/azurerm_linux_web_app_ftps_state.md)
 - [azurerm_linux_web_app_https_only](./rules/azurerm_linux_web_app_https_only.md)
 - [azurerm_linux_web_app_minimum_tls_version](./rules/azurerm_linux_web_app_minimum_tls_version.md)
+- [azurerm_linux_web_app_scm_ip_restriction_default_action](./rules/azurerm_linux_web_app_scm_ip_restriction_default_action.md)
 
 ### azurerm_linux_web_app_slot
 
@@ -133,6 +139,7 @@
 - [azurerm_windows_function_app_ftps_state](./rules/azurerm_windows_function_app_ftps_state.md)
 - [azurerm_windows_function_app_https_only](./rules/azurerm_windows_function_app_https_only.md)
 - [azurerm_windows_function_app_minimum_tls_version](./rules/azurerm_windows_function_app_minimum_tls_version.md)
+- [azurerm_windows_function_app_scm_ip_restriction_default_action](./rules/azurerm_windows_function_app_scm_ip_restriction_default_action.md)
 
 ### azurerm_windows_function_app_slot
 
@@ -145,6 +152,7 @@
 - [azurerm_windows_web_app_ftps_state](./rules/azurerm_windows_web_app_ftps_state.md)
 - [azurerm_windows_web_app_https_only](./rules/azurerm_windows_web_app_https_only.md)
 - [azurerm_windows_web_app_minimum_tls_version](./rules/azurerm_windows_web_app_minimum_tls_version.md)
+- [azurerm_windows_web_app_scm_ip_restriction_default_action](./rules/azurerm_windows_web_app_scm_ip_restriction_default_action.md)
 
 ### azurerm_windows_web_app_slot
 

docs/rules/azurerm_linux_function_app_scm_ip_restriction_default_action.md

@@ -0,0 +1,72 @@
+# azurerm_linux_function_app_scm_ip_restriction_default_action
+
+**Severity:** Warning
+
+
+## Example
+
+```hcl
+resource "azurerm_linux_function_app" "example" {
+    site_config {
+        scm_ip_restriction_default_action = "Allow"
+    }
+}
+```
+or 
+```hcl
+resource "azurerm_linux_function_app" "example" {
+    site_config {
+        # Missing scm_ip_restriction_default_action (defaults to Allow)
+    }
+}
+```
+
+## Why
+
+Setting the `scm_ip_restriction_default_action` to "Deny" prevents unauthorized access to the Source Control Manager (SCM) interface, reducing exposure to potential threats and ensuring only trusted networks can connect to the deployment and management endpoints.
+
+## How to Fix
+
+Set the `scm_ip_restriction_default_action` to "Deny" and configure specific `scm_ip_restriction` rules to allow legitimate access.
+
+### Using service tag
+```hcl
+resource "azurerm_linux_function_app" "example" {
+    site_config {
+        scm_ip_restriction_default_action = "Deny"
+
+        scm_ip_restriction {
+            service_tag = "AzureDevOps"
+            name        = "Allow Azure DevOps"
+            priority    = 100
+            action      = "Allow"
+        }
+    }
+}
+```
+
+### Using IP range
+```hcl
+resource "azurerm_linux_function_app" "example" {
+    site_config {
+        scm_ip_restriction_default_action = "Deny"
+
+        scm_ip_restriction {
+            ip_address = "203.0.113.0/24"
+            name       = "Corporate Network"
+            priority   = 100
+            action     = "Allow"
+        }
+    }
+}
+```
+
+
+## How to disable
+
+```hcl
+rule "azurerm_linux_function_app_scm_ip_restriction_default_action" {
+  enabled = false
+}
+```
+

docs/rules/azurerm_linux_web_app_scm_ip_restriction_default_action.md

@@ -0,0 +1,72 @@
+# azurerm_linux_web_app_scm_ip_restriction_default_action
+
+**Severity:** Warning
+
+
+## Example
+
+```hcl
+resource "azurerm_linux_web_app" "example" {
+    site_config {
+        scm_ip_restriction_default_action = "Allow"
+    }
+}
+```
+or 
+```hcl
+resource "azurerm_linux_web_app" "example" {
+    site_config {
+        # Missing scm_ip_restriction_default_action (defaults to Allow)
+    }
+}
+```
+
+## Why
+
+Setting the `scm_ip_restriction_default_action` to "Deny" prevents unauthorized access to the Source Control Manager (SCM) interface, reducing exposure to potential threats and ensuring only trusted networks can connect to the deployment and management endpoints.
+
+## How to Fix
+
+Set the `scm_ip_restriction_default_action` to "Deny" and configure specific `scm_ip_restriction` rules to allow legitimate access.
+
+### Using service tag
+```hcl
+resource "azurerm_linux_web_app" "example" {
+    site_config {
+        scm_ip_restriction_default_action = "Deny"
+
+        scm_ip_restriction {
+            service_tag = "AzureDevOps"
+            name        = "Allow Azure DevOps"
+            priority    = 100
+            action      = "Allow"
+        }
+    }
+}
+```
+
+### Using IP range
+```hcl
+resource "azurerm_linux_web_app" "example" {
+    site_config {
+        scm_ip_restriction_default_action = "Deny"
+
+        scm_ip_restriction {
+            ip_address = "203.0.113.0/24"
+            name       = "Corporate Network"
+            priority   = 100
+            action     = "Allow"
+        }
+    }
+}
+```
+
+
+## How to disable
+
+```hcl
+rule "azurerm_linux_web_app_scm_ip_restriction_default_action" {
+  enabled = false
+}
+```
+

docs/rules/azurerm_windows_function_app_scm_ip_restriction_default_action.md

@@ -0,0 +1,72 @@
+# azurerm_windows_function_app_scm_ip_restriction_default_action
+
+**Severity:** Warning
+
+
+## Example
+
+```hcl
+resource "azurerm_windows_function_app" "example" {
+    site_config {
+        scm_ip_restriction_default_action = "Allow"
+    }
+}
+```
+or 
+```hcl
+resource "azurerm_windows_function_app" "example" {
+    site_config {
+        # Missing scm_ip_restriction_default_action (defaults to Allow)
+    }
+}
+```
+
+## Why
+
+Setting the `scm_ip_restriction_default_action` to "Deny" prevents unauthorized access to the Source Control Manager (SCM) interface, reducing exposure to potential threats and ensuring only trusted networks can connect to the deployment and management endpoints.
+
+## How to Fix
+
+Set the `scm_ip_restriction_default_action` to "Deny" and configure specific `scm_ip_restriction` rules to allow legitimate access.
+
+### Using service tag
+```hcl
+resource "azurerm_windows_function_app" "example" {
+    site_config {
+        scm_ip_restriction_default_action = "Deny"
+
+        scm_ip_restriction {
+            service_tag = "AzureDevOps"
+            name        = "Allow Azure DevOps"
+            priority    = 100
+            action      = "Allow"
+        }
+    }
+}
+```
+
+### Using IP range
+```hcl
+resource "azurerm_windows_function_app" "example" {
+    site_config {
+        scm_ip_restriction_default_action = "Deny"
+
+        scm_ip_restriction {
+            ip_address = "203.0.113.0/24"
+            name       = "Corporate Network"
+            priority   = 100
+            action     = "Allow"
+        }
+    }
+}
+```
+
+
+## How to disable
+
+```hcl
+rule "azurerm_windows_function_app_scm_ip_restriction_default_action" {
+  enabled = false
+}
+```
+

docs/rules/azurerm_windows_web_app_scm_ip_restriction_default_action.md

@@ -0,0 +1,72 @@
+# azurerm_windows_web_app_scm_ip_restriction_default_action
+
+**Severity:** Warning
+
+
+## Example
+
+```hcl
+resource "azurerm_windows_web_app" "example" {
+    site_config {
+        scm_ip_restriction_default_action = "Allow"
+    }
+}
+```
+or 
+```hcl
+resource "azurerm_windows_web_app" "example" {
+    site_config {
+        # Missing scm_ip_restriction_default_action (defaults to Allow)
+    }
+}
+```
+
+## Why
+
+Setting the `scm_ip_restriction_default_action` to "Deny" prevents unauthorized access to the Source Control Manager (SCM) interface, reducing exposure to potential threats and ensuring only trusted networks can connect to the deployment and management endpoints.
+
+## How to Fix
+
+Set the `scm_ip_restriction_default_action` to "Deny" and configure specific `scm_ip_restriction` rules to allow legitimate access.
+
+### Using service tag
+```hcl
+resource "azurerm_windows_web_app" "example" {
+    site_config {
+        scm_ip_restriction_default_action = "Deny"
+
+        scm_ip_restriction {
+            service_tag = "AzureDevOps"
+            name        = "Allow Azure DevOps"
+            priority    = 100
+            action      = "Allow"
+        }
+    }
+}
+```
+
+### Using IP range
+```hcl
+resource "azurerm_windows_web_app" "example" {
+    site_config {
+        scm_ip_restriction_default_action = "Deny"
+
+        scm_ip_restriction {
+            ip_address = "203.0.113.0/24"
+            name       = "Corporate Network"
+            priority   = 100
+            action     = "Allow"
+        }
+    }
+}
+```
+
+
+## How to disable
+
+```hcl
+rule "azurerm_windows_web_app_scm_ip_restriction_default_action" {
+  enabled = false
+}
+```
+

main.go

@@ -25,12 +25,14 @@ func createRuleSet() *tflint.BuiltinRuleSet {
 			rules.NewAzurermLinuxFunctionAppFtpsState(),
 			rules.NewAzurermLinuxFunctionAppHTTPSOnly(),
 			rules.NewAzurermLinuxFunctionAppMinimumTLSVersion(),
+			rules.NewAzurermLinuxFunctionAppScmIPRestrictionDefaultAction(),
 			rules.NewAzurermLinuxFunctionAppSlotFtpsState(),
 			rules.NewAzurermLinuxFunctionAppSlotHTTPSOnly(),
 			rules.NewAzurermLinuxFunctionAppSlotMinimumTLSVersion(),
 			rules.NewAzurermLinuxWebAppFtpsState(),
 			rules.NewAzurermLinuxWebAppHTTPSOnly(),
 			rules.NewAzurermLinuxWebAppMinimumTLSVersion(),
+			rules.NewAzurermLinuxWebAppScmIPRestrictionDefaultAction(),
 			rules.NewAzurermLinuxWebAppSlotFtpsState(),
 			rules.NewAzurermLinuxWebAppSlotHTTPSOnly(),
 			rules.NewAzurermLinuxWebAppSlotMinimumTLSVersion(),
@@ -48,12 +50,14 @@ func createRuleSet() *tflint.BuiltinRuleSet {
 			rules.NewAzurermWindowsFunctionAppFtpsState(),
 			rules.NewAzurermWindowsFunctionAppHTTPSOnly(),
 			rules.NewAzurermWindowsFunctionAppMinimumTLSVersion(),
+			rules.NewAzurermWindowsFunctionAppScmIPRestrictionDefaultAction(),
 			rules.NewAzurermWindowsFunctionAppSlotFtpsState(),
 			rules.NewAzurermWindowsFunctionAppSlotHTTPSOnly(),
 			rules.NewAzurermWindowsFunctionAppSlotMinimumTLSVersion(),
 			rules.NewAzurermWindowsWebAppFtpsState(),
 			rules.NewAzurermWindowsWebAppHTTPSOnly(),
 			rules.NewAzurermWindowsWebAppMinimumTLSVersion(),
+			rules.NewAzurermWindowsWebAppScmIPRestrictionDefaultAction(),
 			rules.NewAzurermWindowsWebAppSlotFtpsState(),
 			rules.NewAzurermWindowsWebAppSlotHTTPSOnly(),
 			rules.NewAzurermWindowsWebAppSlotMinimumTLSVersion(),