enforce-https
Default Severity: critical
Explanation
By default, clients can connect to function endpoints over both HTTP and HTTPS. HTTP requests should be redirected to HTTPS, because HTTPS uses TLS to provide a connection that is both encrypted and authenticated. A client that calls an http:// URL sends its function keys, authorisation headers and request payloads in cleartext, where anyone on the network path can read or alter them, and it has no proof that it is talking to the genuine endpoint.
Possible Impact
Anyone can reach the Function App over plaintext HTTP. Function keys, bearer tokens and request and response bodies sent over such a connection can be read or modified by an attacker on the network path, and the client cannot verify that it reached the genuine endpoint.
Suggested Resolution
Set https_only = true on the function app resource. With this setting App Service answers every plaintext HTTP request with a redirect to the HTTPS endpoint instead of serving it. The attribute defaults to false in the azurerm provider, so omitting it fails the check just as an explicit false does. A redirect only protects the requests that follow it: whatever a client included in its first cleartext request has already crossed the network unencrypted, so publish https:// URLs to callers rather than relying on the redirect alone. The same https_only attribute exists on the newer azurerm_linux_function_app and azurerm_windows_function_app resources that replace azurerm_function_app in azurerm provider 3.x.
Insecure Example
The following example will fail the azure-appservice-enforce-https check.
resource "azurerm_function_app" "bad_example" {
  name                       = "test-azure-functions"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  app_service_plan_id        = azurerm_app_service_plan.example.id
  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key
  os_type                    = "linux"
  # https_only is omitted, so the provider default (false) applies and the
  # function app accepts plaintext HTTP as well as HTTPS.
}
Secure Example
The following example will pass the azure-appservice-enforce-https check.
resource "azurerm_function_app" "good_example" {
  name                       = "test-azure-functions"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  app_service_plan_id        = azurerm_app_service_plan.example.id
  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key
  os_type                    = "linux"
  # Redirect every HTTP request to the HTTPS endpoint.
  https_only                 = true
}
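The check above is easy to reproduce locally for a quick pre-commit gate. The following Python scanner is an added example, not tfsec's own implementation: it walks every resource block in a Terraform file, keeps only the function app resource types that carry https_only, and reports any that are missing the attribute, set it to false, or set it to an expression whose value cannot be proven from the file. The sample input is constructed for this example and embeds the page's insecure and secure blocks alongside two extra cases (an explicit false on a linux function app, and a value taken from a variable); the variable name var.enforce_https is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Resource types that carry the https_only attribute. azurerm_function_app is
# the resource used on this page; the linux/windows variants replace it in
# azurerm 3.x.
FUNCTION_APP_TYPES = {
    "azurerm_function_app",
    "azurerm_linux_function_app",
    "azurerm_windows_function_app",
}

# Opening line of any Terraform resource block: resource "TYPE" "NAME" {
RESOURCE_HEADER = re.compile(r'resource\s+"([A-Za-z0-9_]+)"\s+"([A-Za-z0-9_-]+)"\s*\{')
# An https_only assignment; the value may be a literal or an expression.
HTTPS_ONLY = re.compile(r'^\s*https_only\s*=\s*([^\s#]+)', re.MULTILINE)


@dataclass
class Finding:
    resource_type: str
    name: str
    reason: str


def _block_body(text: str, open_index: int) -> str:
    """Return the text between the brace at open_index and its matching close.

    Depth counting keeps nested blocks such as site_config { ... } inside the
    resource body. Braces inside quoted strings are not special-cased.
    """
    depth = 0
    for i in range(open_index, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_index + 1:i]
    raise ValueError("unbalanced braces in HCL input")


def iter_resources(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (resource_type, name, body) for every resource block in the file."""
    for m in RESOURCE_HEADER.finditer(text):
        yield m.group(1), m.group(2), _block_body(text, m.end() - 1)


def check_enforce_https(text: str) -> List[Finding]:
    """Flag function apps that do not provably set https_only = true."""
    findings: List[Finding] = []
    for rtype, name, body in iter_resources(text):
        if rtype not in FUNCTION_APP_TYPES:
            continue
        m = HTTPS_ONLY.search(body)
        if m is None:
            findings.append(Finding(rtype, name, "https_only not set; provider default is false"))
        elif m.group(1) == "false":
            findings.append(Finding(rtype, name, "https_only explicitly false"))
        elif m.group(1) != "true":
            findings.append(Finding(rtype, name, f"https_only is {m.group(1)}; resolve it before trusting it"))
    return findings


# Constructed sample input: the page's two examples plus two extra cases.
SAMPLE_HCL = '''
resource "azurerm_storage_account" "example" {
  name                     = "teststorage"
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_function_app" "bad_example" {
  name                       = "test-azure-functions"
  app_service_plan_id        = azurerm_app_service_plan.example.id
  storage_account_access_key = azurerm_storage_account.example.primary_access_key
  os_type                    = "linux"
}

resource "azurerm_function_app" "good_example" {
  name                       = "test-azure-functions"
  app_service_plan_id        = azurerm_app_service_plan.example.id
  os_type                    = "linux"
  https_only                 = true
}

resource "azurerm_linux_function_app" "explicit_false" {
  name       = "fn-false"
  https_only = false
  site_config {}
}

resource "azurerm_windows_function_app" "from_variable" {
  name       = "fn-var"
  https_only = var.enforce_https   # assumed variable, not from the page
}
'''

if __name__ == "__main__":
    for f in check_enforce_https(SAMPLE_HCL):
        print(f"FAIL azure-appservice-enforce-https: {f.resource_type}.{f.name}: {f.reason}")
```

Treating a non-literal value as a finding is deliberate: a check that only looks at one file cannot know what var.enforce_https resolves to, so it reports the resource and leaves the decision to whoever can see the plan output.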