fix(sdk): use case-insensitive comparison for Azure MySQL flexible server checks

- Normalize config values with .lower() in ssl_connection_enabled, audit_log_enabled and audit_log_connection_activated - Add tests to verify case-insensitive matching when Azure returns lowercase values - Update SDK changelog
2026-03-21 18:58:04 +00:00 · 2026-03-19 13:03:43 +00:00
parent ab266080d0
commit 793fd45d41
7 changed files with 168 additions and 4 deletions
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -2,6 +2,14 @@

 All notable changes to the **Prowler SDK** are documented in this file.

+## [5.21.1] (Prowler UNRELEASED)
+
+### 🐞 Fixed
+
+- Azure MySQL flexible server checks now compare configuration values case-insensitively to avoid false negatives when Azure returns lowercase values [(#10386)](https://github.com/prowler-cloud/prowler/pull/10386)
+
+---
+
 ## [5.21.0] (Prowler v5.21.0)

 ### 🚀 Added
--- a/prowler/providers/azure/services/mysql/mysql_flexible_server_audit_log_connection_activated/mysql_flexible_server_audit_log_connection_activated.py
+++ b/prowler/providers/azure/services/mysql/mysql_flexible_server_audit_log_connection_activated/mysql_flexible_server_audit_log_connection_activated.py
@@ -21,9 +21,9 @@ class mysql_flexible_server_audit_log_connection_activated(Check):
                        "audit_log_events"
                    ].resource_id

-                    if "CONNECTION" in server.configurations[
+                    if "connection" in server.configurations[
                        "audit_log_events"
-                    ].value.split(","):
+                    ].value.lower().split(","):
                        report.status = "PASS"
                        report.status_extended = f"Audit log is enabled for server {server.name} in subscription {subscription_name}."

--- a/prowler/providers/azure/services/mysql/mysql_flexible_server_audit_log_enabled/mysql_flexible_server_audit_log_enabled.py
+++ b/prowler/providers/azure/services/mysql/mysql_flexible_server_audit_log_enabled/mysql_flexible_server_audit_log_enabled.py
@@ -21,7 +21,7 @@ class mysql_flexible_server_audit_log_enabled(Check):
                        "audit_log_enabled"
                    ].resource_id

-                    if server.configurations["audit_log_enabled"].value == "ON":
+                    if server.configurations["audit_log_enabled"].value.lower() == "on":
                        report.status = "PASS"
                        report.status_extended = f"Audit log is enabled for server {server.name} in subscription {subscription_name}."

--- a/prowler/providers/azure/services/mysql/mysql_flexible_server_ssl_connection_enabled/mysql_flexible_server_ssl_connection_enabled.py
+++ b/prowler/providers/azure/services/mysql/mysql_flexible_server_ssl_connection_enabled/mysql_flexible_server_ssl_connection_enabled.py
@@ -20,7 +20,10 @@ class mysql_flexible_server_ssl_connection_enabled(Check):
                    report.resource_id = server.configurations[
                        "require_secure_transport"
                    ].resource_id
-                    if server.configurations["require_secure_transport"].value == "ON":
+                    if (
+                        server.configurations["require_secure_transport"].value.lower()
+                        == "on"
+                    ):
                        report.status = "PASS"
                        report.status_extended = f"SSL connection is enabled for server {server.name} in subscription {subscription_name}."

--- a/tests/providers/azure/services/mysql/mysql_flexible_server_audit_log_connection_activated/mysql_flexible_server_audit_log_connection_activated_test.py
+++ b/tests/providers/azure/services/mysql/mysql_flexible_server_audit_log_connection_activated/mysql_flexible_server_audit_log_connection_activated_test.py
@@ -56,6 +56,57 @@ class Test_mysql_flexible_server_audit_log_connection_activated:
            result = check.execute()
            assert len(result) == 0

+    def test_mysql_audit_log_connection_activated_lowercase(self):
+        server_name = str(uuid4())
+        mysql_client = mock.MagicMock
+        mysql_client.flexible_servers = {
+            AZURE_SUBSCRIPTION_ID: {
+                "/subscriptions/resource_id": FlexibleServer(
+                    resource_id="/subscriptions/resource_id",
+                    name=server_name,
+                    location="location",
+                    version="version",
+                    configurations={
+                        "audit_log_events": Configuration(
+                            resource_id=f"/subscriptions/{server_name}/configurations/audit_log_events",
+                            description="description",
+                            value="connection",
+                        )
+                    },
+                )
+            }
+        }
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_azure_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.azure.services.mysql.mysql_flexible_server_audit_log_connection_activated.mysql_flexible_server_audit_log_connection_activated.mysql_client",
+                new=mysql_client,
+            ),
+        ):
+            from prowler.providers.azure.services.mysql.mysql_flexible_server_audit_log_connection_activated.mysql_flexible_server_audit_log_connection_activated import (
+                mysql_flexible_server_audit_log_connection_activated,
+            )
+
+            check = mysql_flexible_server_audit_log_connection_activated()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert result[0].subscription == AZURE_SUBSCRIPTION_ID
+            assert result[0].resource_name == server_name
+            assert result[0].location == "location"
+            assert (
+                result[0].resource_id
+                == f"/subscriptions/{server_name}/configurations/audit_log_events"
+            )
+            assert (
+                result[0].status_extended
+                == f"Audit log is enabled for server {server_name} in subscription {AZURE_SUBSCRIPTION_ID}."
+            )
+
    def test_mysql_audit_log_connection_not_connection(self):
        server_name = str(uuid4())
        mysql_client = mock.MagicMock
--- a/tests/providers/azure/services/mysql/mysql_flexible_server_audit_log_enabled/mysql_flexible_server_audit_log_enabled_test.py
+++ b/tests/providers/azure/services/mysql/mysql_flexible_server_audit_log_enabled/mysql_flexible_server_audit_log_enabled_test.py
@@ -56,6 +56,57 @@ class Test_mysql_flexible_server_audit_log_enabled:
            result = check.execute()
            assert len(result) == 0

+    def test_mysql_audit_log_enabled_lowercase(self):
+        server_name = str(uuid4())
+        mysql_client = mock.MagicMock
+        mysql_client.flexible_servers = {
+            AZURE_SUBSCRIPTION_ID: {
+                "/subscriptions/resource_id": FlexibleServer(
+                    resource_id="/subscriptions/resource_id",
+                    name=server_name,
+                    location="location",
+                    version="version",
+                    configurations={
+                        "audit_log_enabled": Configuration(
+                            resource_id=f"/subscriptions/{server_name}/configurations/audit_log_enabled",
+                            description="description",
+                            value="on",
+                        )
+                    },
+                )
+            }
+        }
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_azure_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.azure.services.mysql.mysql_flexible_server_audit_log_enabled.mysql_flexible_server_audit_log_enabled.mysql_client",
+                new=mysql_client,
+            ),
+        ):
+            from prowler.providers.azure.services.mysql.mysql_flexible_server_audit_log_enabled.mysql_flexible_server_audit_log_enabled import (
+                mysql_flexible_server_audit_log_enabled,
+            )
+
+            check = mysql_flexible_server_audit_log_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert result[0].subscription == AZURE_SUBSCRIPTION_ID
+            assert result[0].resource_name == server_name
+            assert result[0].location == "location"
+            assert (
+                result[0].resource_id
+                == f"/subscriptions/{server_name}/configurations/audit_log_enabled"
+            )
+            assert (
+                result[0].status_extended
+                == f"Audit log is enabled for server {server_name} in subscription {AZURE_SUBSCRIPTION_ID}."
+            )
+
    def test_mysql_audit_log_disabled(self):
        server_name = str(uuid4())
        mysql_client = mock.MagicMock
--- a/tests/providers/azure/services/mysql/mysql_flexible_server_ssl_connection_enabled/mysql_flexible_server_ssl_connection_enabled_test.py
+++ b/tests/providers/azure/services/mysql/mysql_flexible_server_ssl_connection_enabled/mysql_flexible_server_ssl_connection_enabled_test.py
@@ -107,6 +107,57 @@ class Test_mysql_flexible_server_ssl_connection_enabled:
                == f"SSL connection is enabled for server {server_name} in subscription {AZURE_SUBSCRIPTION_ID}."
            )

+    def test_mysql_connection_enabled_lowercase(self):
+        server_name = str(uuid4())
+        mysql_client = mock.MagicMock
+        mysql_client.flexible_servers = {
+            AZURE_SUBSCRIPTION_ID: {
+                "/subscriptions/resource_id": FlexibleServer(
+                    resource_id="/subscriptions/resource_id",
+                    name=server_name,
+                    location="location",
+                    version="version",
+                    configurations={
+                        "require_secure_transport": Configuration(
+                            resource_id=f"/subscriptions/{server_name}/configurations/require_secure_transport",
+                            description="description",
+                            value="on",
+                        )
+                    },
+                )
+            }
+        }
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_azure_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.azure.services.mysql.mysql_flexible_server_ssl_connection_enabled.mysql_flexible_server_ssl_connection_enabled.mysql_client",
+                new=mysql_client,
+            ),
+        ):
+            from prowler.providers.azure.services.mysql.mysql_flexible_server_ssl_connection_enabled.mysql_flexible_server_ssl_connection_enabled import (
+                mysql_flexible_server_ssl_connection_enabled,
+            )
+
+            check = mysql_flexible_server_ssl_connection_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert result[0].subscription == AZURE_SUBSCRIPTION_ID
+            assert result[0].resource_name == server_name
+            assert result[0].location == "location"
+            assert (
+                result[0].resource_id
+                == f"/subscriptions/{server_name}/configurations/require_secure_transport"
+            )
+            assert (
+                result[0].status_extended
+                == f"SSL connection is enabled for server {server_name} in subscription {AZURE_SUBSCRIPTION_ID}."
+            )
+
    def test_mysql_ssl_connection_disabled(self):
        server_name = str(uuid4())
        mysql_client = mock.MagicMock