Description
Describe the issue
CKV_AZURE_215 triggers on azurerm_api_management_backend resources with two fundamental problems:
- The protocol parameter doesn't control transport security - it specifies API type (rest vs soap)
- The url parameter can typically be an inferred/variable value, making static validation impossible
Example
```hcl
resource "azurerm_api_management_backend" "backend" {
  for_each            = local.api_configs
  name                = "${each.value.name}-backend"
  resource_group_name = var.resource_group_name
  api_management_name = var.api_management_name
  protocol            = "http"                  # This means REST API, NOT the transport protocol
  url                 = each.value.backend_url  # Variable value - cannot be statically validated
}
```
The protocol parameter specifies the API type (i.e. "http" = REST API, "soap" = SOAP API), not transport security, and these are the only two valid values as per the Azure provider documentation. The Azure provider does not accept "https" as a valid value.
Transport security is controlled by the url parameter, but in real-world scenarios backend URLs are passed as variables rather than hardcoded, so static analysis cannot validate the value at scan time. This makes the check impractical for actual Terraform usage patterns and produces a false positive:
```hcl
# Variable definition (validated elsewhere: in tests, at runtime, etc.)
backend_url = "https://api.example.com"   # the value behind url in the example above

# Checkov cannot see the actual value; it only sees:
url = each.value.backend_url              # Triggers CKV_AZURE_215
```
Expected Behavior
CKV_AZURE_215 should not apply to azurerm_api_management_backend because:
- The protocol parameter doesn't control what the check is testing
- The url parameter is typically inferred and cannot be statically validated
- Transport security is enforced at runtime and through other validation mechanisms (tests, variable validation, etc.)
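As an added illustration (not Checkov's own code and not part of the issue), the decision logic a check would need to avoid the false positive described above: it ignores `protocol`, derives transport security from the scheme of `url`, and returns UNKNOWN rather than FAILED when the value is still a Terraform expression. The sample confs are constructed, and the `conf` dict-of-lists shape is assumed from how Checkov resource checks receive attributes.

```python
"""Transport-security evaluation for azurerm_api_management_backend.

Stand-alone sketch: no Checkov import, so it runs offline. The `conf`
argument mirrors the dict-of-lists shape Checkov hands to resource checks
(an assumption), e.g. {"protocol": ["http"], "url": ["https://..."]}.
"""
from enum import Enum
from urllib.parse import urlsplit


class CheckResult(Enum):
    PASSED = "PASSED"
    FAILED = "FAILED"
    UNKNOWN = "UNKNOWN"  # not statically decidable; must not be reported as a finding


# The only values the Azure provider accepts for `protocol`. Both name an API
# style (REST vs SOAP), so the check deliberately never consults this field.
API_TYPES = {"http", "soap"}


def scan_backend_conf(conf: dict) -> CheckResult:
    """Decide on transport security from `url` alone."""
    urls = conf.get("url")
    if not urls or not isinstance(urls[0], str):
        return CheckResult.UNKNOWN
    url = urls[0]
    # A literal URL starts with a scheme. An unresolved Terraform expression
    # such as "each.value.backend_url" or "${var.backend_url}" has none, and
    # is treated as unknown instead of failing the resource.
    scheme = urlsplit(url).scheme.lower()
    if scheme == "https":
        return CheckResult.PASSED
    if scheme == "http":
        return CheckResult.FAILED
    return CheckResult.UNKNOWN


# Constructed sample configurations, as a scanner would present them.
SAMPLE_CONFS = {
    "variable_url": {"protocol": ["http"], "url": ["each.value.backend_url"]},
    "literal_https": {"protocol": ["http"], "url": ["https://api.example.com"]},
    "literal_http": {"protocol": ["soap"], "url": ["http://legacy.example.com/soap"]},
}

if __name__ == "__main__":
    for name, conf in SAMPLE_CONFS.items():
        print(f"{name}: {scan_backend_conf(conf).value}")
```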
Version:
- latest Checkov Version