Azure / PSRule.Rules.Azure

Rules to validate Azure resources and infrastructure as code (IaC) using PSRule.
https://azure.github.io/PSRule.Rules.Azure/
MIT License

Azure.SQL.FirewallIPRange - Stating 1 entry exceeds the limit of 10 #1569

Closed ms-sambell closed 2 years ago

ms-sambell commented 2 years ago

Description of the issue

The rule Azure.SQL.FirewallIPRange fails on SQL servers when there's only 1 rule.

To Reproduce

Steps to reproduce the issue:

Run a PSRule for Azure scan against a SQL Server with a Firewall rule (parameter, 1 entry, maxLength 10).

Expected behavior

The rule evaluates that (1) exceeded 10. I would expect that the rule should evaluate as a pass if there are fewer than 10 FirewallIPRange entries.

    | RECOMMEND:
    | SQL Server has greater then ten (10) public IP addresses that are permitted
    | network access. Some rules may not be needed or can be reduced.

    | REASON:
    | - The number of public IP addresses permitted (1) exceeded 10.

    | HELP:
    | - https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQL.FirewallIPRange/

Module in use and version:

Captured output from $PSVersionTable:

Name                           Value
----                           -----
PSVersion                      7.3.0-preview.6
PSEdition                      Core
GitCommitId                    7.3.0-preview.6
OS                             Microsoft Windows 10.0.22000
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Update: As this rule is working as designed, this issue will be resolved as a feature request to make this work more as expected by the following:

BernieWhite commented 2 years ago

@ms-sambell This rule is about the number of IP addresses, not so much the number of rules. There is a separate rule for a high number of rules. Maybe the documentation can do with some updates and/or we can make it configurable.

For example:

1.1.1.1 -> 1.1.1.128 - exposes access from 128 addresses, which is above the threshold of 10 although it may only be in a single firewall rule.

Likewise 0.0.0.0 -> 255.255.255.255 is all IPv4 addresses but still could be one firewall rule.
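The distinction drawn above (rule count versus the number of addresses the rules admit) is easy to check by hand. The following PowerShell script is an added example written for this page; it is not the PSRule.Rules.Azure rule implementation, and the real rule may apply further logic (for example around special-case ranges) that this does not. It assumes firewall rules appear as ARM sub-resources of type `Microsoft.Sql/servers/firewallRules` with `startIpAddress`/`endIpAddress` properties, uses the threshold of 10 quoted in the issue, and evaluates three constructed servers: one wide rule (1.1.1.1 to 1.1.1.128), ten single-address rules, and one rule spanning all of IPv4.

```powershell
# Added example, not PSRule.Rules.Azure's own code. Counts the IPv4 addresses a
# SQL server's firewall rules permit by summing inclusive range sizes, so a
# single wide rule can fail the check while ten single-address rules pass it.

function ConvertTo-IPv4Int {
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Only IPv4 addresses are supported: $Address"
    }
    $b = $ip.GetAddressBytes()   # network byte order, most significant octet first
    return ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
}

function Get-FirewallRuleAddressCount {
    param([Parameter(Mandatory)][psobject]$Rule)
    $start = ConvertTo-IPv4Int $Rule.properties.startIpAddress
    $end   = ConvertTo-IPv4Int $Rule.properties.endIpAddress
    if ($end -lt $start) { throw "Rule '$($Rule.name)' has endIpAddress below startIpAddress" }
    return ($end - $start) + 1   # Azure firewall ranges are inclusive at both ends
}

function Test-SqlFirewallIPRange {
    # Assumed threshold of 10 (the value quoted in the issue); no special-casing of any range.
    param(
        [Parameter(Mandatory)][psobject]$Server,
        [int]$Threshold = 10
    )
    $rules = @($Server.resources | Where-Object { $_.type -eq 'Microsoft.Sql/servers/firewallRules' })
    $total = [int64]0
    foreach ($r in $rules) { $total += Get-FirewallRuleAddressCount -Rule $r }
    [pscustomobject]@{
        Server    = $Server.name
        RuleCount = $rules.Count
        Addresses = $total
        Pass      = ($total -le $Threshold)
    }
}

function New-SampleServer {
    # Builds a constructed, ARM-template-shaped server object for the demonstration.
    param([string]$Name, [hashtable[]]$Ranges)
    $i = 0
    $resources = foreach ($range in $Ranges) {
        $i++
        [pscustomobject]@{
            type       = 'Microsoft.Sql/servers/firewallRules'
            name       = "rule$i"
            properties = [pscustomobject]@{ startIpAddress = $range.start; endIpAddress = $range.end }
        }
    }
    [pscustomobject]@{ type = 'Microsoft.Sql/servers'; name = $Name; resources = @($resources) }
}

$samples = @(
    # One rule covering 1.1.1.1 - 1.1.1.128: 1 rule, 128 addresses -> fails
    (New-SampleServer -Name 'sql-one-wide-rule' -Ranges @(@{ start = '1.1.1.1'; end = '1.1.1.128' }))
    # Ten rules each allowing a single address: 10 rules, 10 addresses -> passes
    (New-SampleServer -Name 'sql-ten-single-ips' -Ranges @(1..10 | ForEach-Object { @{ start = "203.0.113.$_"; end = "203.0.113.$_" } }))
    # One rule spanning all of IPv4: 1 rule, 4294967296 addresses -> fails
    (New-SampleServer -Name 'sql-any' -Ranges @(@{ start = '0.0.0.0'; end = '255.255.255.255' }))
)

$samples | ForEach-Object { Test-SqlFirewallIPRange -Server $_ } | Format-Table -AutoSize
```

The `RuleCount` and `Addresses` columns in the output make the point of the thread visible: the first and third servers each have one rule yet fail, while the second has ten rules and passes. Arithmetic is done in `[int64]` so the all-of-IPv4 case does not overflow a 32-bit integer.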

BernieWhite commented 2 years ago

@ms-sambell Just double checking if this is behaving as expected or still a bug?

If so, maybe let's convert it to a feature/documentation request to make sure we don't lose track of adding these improvements.

ms-sambell commented 2 years ago

@BernieWhite agreed, I'll change it to a feature and update the documentation.

ms-sambell commented 2 years ago

https://github.com/Azure/PSRule.Rules.Azure/pull/1658