From c9368286076b37112de3518c2ce584c718a4d71e Mon Sep 17 00:00:00 2001
From: nikpivkin <nikita.pivkin@smartforce.io>
Date: Thu, 15 Aug 2024 19:08:22 +0600
Subject: [PATCH] fix(azure): change default TLS values for the storage account

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
---
 pkg/iac/adapters/arm/storage/adapt.go             | 2 +-
 pkg/iac/adapters/arm/storage/adapt_test.go        | 2 +-
 pkg/iac/adapters/terraform/azure/storage/adapt.go | 6 ++++--
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/pkg/iac/adapters/arm/storage/adapt.go b/pkg/iac/adapters/arm/storage/adapt.go
index 1b10ebbe9ad8..018949e24e10 100644
--- a/pkg/iac/adapters/arm/storage/adapt.go
+++ b/pkg/iac/adapters/arm/storage/adapt.go
@@ -59,7 +59,7 @@ func adaptAccounts(deployment azure.Deployment) []storage.Account {
 				Metadata:      resource.Properties.GetMetadata(),
 				EnableLogging: types.BoolDefault(false, resource.Properties.GetMetadata()),
 			},
-			MinimumTLSVersion: resource.Properties.GetMapValue("minimumTlsVersion").AsStringValue("TLS1_0", resource.Properties.GetMetadata()),
+			MinimumTLSVersion: resource.Properties.GetMapValue("minimumTlsVersion").AsStringValue("", resource.Properties.GetMetadata()),
 			Queues:            queues,
 		}
 		accounts = append(accounts, account)
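Review bot: The new empty-string fallback on the `MinimumTLSVersion` line does not say how an omitted `minimumTlsVersion` is meant to be read, and the Terraform adapter in this same patch falls back to `TLS1_2` instead. The check that consumes this field is not visible here. If it only matches specific weak values, an ARM template that omits the property could pass without a finding, so it is worth confirming that `""` is reported. I would add a comment above the field such as `// empty when the template omits minimumTlsVersion; consumers must not treat this as a compliant version`. adaptAccounts starts and ends outside this hunk.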
diff --git a/pkg/iac/adapters/arm/storage/adapt_test.go b/pkg/iac/adapters/arm/storage/adapt_test.go
index d1e124e2449e..f4fd81f47ad2 100644
--- a/pkg/iac/adapters/arm/storage/adapt_test.go
+++ b/pkg/iac/adapters/arm/storage/adapt_test.go
@@ -26,7 +26,7 @@ func Test_AdaptStorageDefaults(t *testing.T) {
 	require.Len(t, output.Accounts, 1)
 
 	account := output.Accounts[0]
-	assert.Equal(t, "TLS1_0", account.MinimumTLSVersion.Value())
+	assert.Equal(t, "", account.MinimumTLSVersion.Value())
 	assert.False(t, account.EnforceHTTPS.Value())
 
 }
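Review bot: The expected value `""` in the changed assertion is an unexplained literal, so a reader cannot tell that it stands for "property omitted from the template". `assert.Empty(t, account.MinimumTLSVersion.Value())` preceded by a comment such as `// minimumTlsVersion is not set in the input, so the adapter reports no value` states the intent directly. Test_AdaptStorageDefaults starts outside this hunk.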
diff --git a/pkg/iac/adapters/terraform/azure/storage/adapt.go b/pkg/iac/adapters/terraform/azure/storage/adapt.go
index edc5f0029be7..6a51cf1fca2b 100644
--- a/pkg/iac/adapters/terraform/azure/storage/adapt.go
+++ b/pkg/iac/adapters/terraform/azure/storage/adapt.go
@@ -6,6 +6,8 @@ import (
 	iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
 )
 
+const minimumTlsVersionOneTwo = "TLS1_2"
+
 func Adapt(modules terraform.Modules) storage.Storage {
 	accounts, containers, networkRules := adaptAccounts(modules)
 
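Review bot: `minimumTlsVersionOneTwo` breaks Go's initialism convention and the spelling already used in this file (`MinimumTLSVersion`, `minTLSVersionAttr`); `minimumTLSVersionOneTwo` or `defaultMinTLSVersion` would read consistently. The constant also carries no comment saying why `TLS1_2` is the fallback. Something like `// defaultMinTLSVersion is assumed when a storage account block does not set min_tls_version` would record that assumption next to the value.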
@@ -106,7 +108,7 @@ func adaptAccount(resource *terraform.Block) storage.Account {
 			Metadata:      resource.GetMetadata(),
 			EnableLogging: iacTypes.BoolDefault(false, resource.GetMetadata()),
 		},
-		MinimumTLSVersion: iacTypes.StringDefault("TLS1_2", resource.GetMetadata()),
+		MinimumTLSVersion: iacTypes.StringDefault(minimumTlsVersionOneTwo, resource.GetMetadata()),
 	}
 
 	networkRulesBlocks := resource.GetBlocks("network_rules")
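Review bot: The `StringDefault(minimumTlsVersionOneTwo, ...)` in this struct literal looks redundant, because the assignment near the end of adaptAccount in the next hunk (`account.MinimumTLSVersion = minTLSVersionAttr.AsStringValueOrDefault(...)`) appears to overwrite it unconditionally. The lines between the two hunks are not visible, so this needs confirming. If nothing reads the field in between, keeping a single fallback would stop the two values drifting apart again, which is the `TLS1_2` versus `TLS1_0` mismatch this patch corrects. adaptAccount starts and ends outside this hunk.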
@@ -127,7 +129,7 @@ func adaptAccount(resource *terraform.Block) storage.Account {
 	}
 
 	minTLSVersionAttr := resource.GetAttribute("min_tls_version")
-	account.MinimumTLSVersion = minTLSVersionAttr.AsStringValueOrDefault("TLS1_0", resource)
+	account.MinimumTLSVersion = minTLSVersionAttr.AsStringValueOrDefault(minimumTlsVersionOneTwo, resource)
 	return account
 }
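Review bot: The fallback on the `AsStringValueOrDefault` line now reports `TLS1_2` for every resource that omits `min_tls_version`, which is accurate only if the provider release in use really defaults to that value. If any supported provider release defaults lower, a configuration pinned to it would be reported as compliant while the deployed account still accepts older TLS. The assumption deserves a comment at this line, for example `// assumes the provider default of TLS1_2 when min_tls_version is omitted`. adaptAccount starts outside this hunk.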