Azure / PSRule.Rules.Azure

Rules to validate Azure resources and infrastructure as code (IaC) using PSRule.
https://azure.github.io/PSRule.Rules.Azure/
MIT License

The output exposes a secure value from managed identity #1886

Closed maxricketts closed 1 year ago

maxricketts commented 1 year ago

Description of the issue

A module that is being referenced (computer/scalesets) returns the output below.

@description('The principal ID of the system assigned identity.')
output systemAssignedPrincipalId string = systemAssignedIdentity && contains(vmss.identity, 'principalId') ? vmss.identity.principalId : ''

PSRule is flagging this as an error

Consider removing any output values that return secret values in code. See details online.

The following reasons were reported:

Path properties.template.outputs.systemAssignedPrincipalId: The output 'systemAssignedPrincipalId' exposes a secure value.

failed Azure.Deployment.OutputSecretValue. Avoid outputting sensitive deployment values

Module in use and version:

Task         : PSRule analysis
Description  : Run analysis with PSRule.
Version      : 2.6.2211040
Author       : Bernie White
Help         : https://github.com/Microsoft/PSRule-pipelines/blob/main/docs/tasks.md#ps-rule-assert

The modules that I am referencing are a clone of https://github.com/Azure/ResourceModules

Kind regards, Max

BernieWhite commented 1 year ago

@maxricketts Thanks for reporting the issue.

I think this is related to #1826. However, I couldn't reproduce the issue.

Do you have a slightly more complete sample that you can share that has the issue?

maxricketts commented 1 year ago

Yes, this is the same issue, but I am seeing this returned with the scale set module with the system identity.

Here is the link to the line that I think is causing the issue.

https://github.com/Azure/ResourceModules/blob/d28cadd77c075be5f237d454c217107b54c61e43/modules/Microsoft.Compute/virtualMachineScaleSets/deploy.bicep#L659

I am here to help if you require any assistance with this issue.

Here is my pipeline task

# yaml-language-server: $schema=./deploy.yml

stages: 
  - stage: PSRuleScanning
    displayName: PSRule Scanning
    jobs:
      - job: PSRule
        displayName: PS Rule Scanning
        steps:
          - checkout: Exg.DevOps.ScaleSets
            # Analyze Azure resources using PSRule for Azure
          - task: ps-rule-assert@2
            displayName: Analyze Azure template files
            inputs:
              modules: 'PSRule.Rules.Azure'
              inputPath: bicep/
              outputFormat: Nunit3
              outputPath: reports/rule-report.xml
            env:
              # Define environment variables within Azure Pipelines
              AZURE_CLIENT_ID: $(psrule-clientid)
              AZURE_CLIENT_SECRET: $(psrule-secret)
              AZURE_TENANT_ID: $(psrule-tenant)
          # PSRule results
          - task: PublishTestResults@2
            displayName: 'Publish PSRule results'
            inputs:
              testRunTitle: 'PSRule'
              testRunner: NUnit
              testResultsFiles: 'reports/rule-report.xml'
              mergeTestResults: true
              publishRunAttachments: true
            condition: succeededOrFailed()

Here is my ps-rule.yaml

configuration:
  # Enable expansion for Bicep source files.
  AZURE_BICEP_FILE_EXPANSION: true
  AZURE_BICEP_FILE_EXPANSION_TIMEOUT: 15
  AZURE_PARAMETER_DEFAULTS:
    resourceGroupName: test-rg

input:
  pathIgnore:
  # Exclude bicepconfig.json
  - 'bicep/bicepconfig.json'
  # # Exclude module files
  # - 'modules/**/*.bicep'
  # # Include test files from modules
  # - '!modules/**/*.tests.bicep'

# YAML: Using the execution/notProcessedWarning property
execution:
  notProcessedWarning: false

BernieWhite commented 1 year ago

@maxricketts I found the issue on this one. It's caused by an empty secure parameter being incorrectly handled.

It will be fixed in the next release.
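For readers landing on this thread from the rule report: the following Bicep fragment is an added illustration, not code from PSRule.Rules.Azure or from Azure/ResourceModules, showing the kind of output the rule exists to catch next to the output quoted in the report above. The parameter and resource names (adminPassword, vmssName, vmss) are hypothetical. Deployment outputs are persisted in the deployment history, where anyone with read access to the resource group can see them, so a secure parameter echoed through an output is a real leak; a managed identity's principal ID is an object identifier rather than a credential, which is why the report's finding was treated as a false positive and fixed in the rule rather than in the template.

```bicep
// Added example, not part of the project: two outputs side by side.

@secure()
@description('Hypothetical secure parameter supplied by the caller.')
param adminPassword string

@description('Name of an existing scale set (hypothetical).')
param vmssName string

@description('Whether the scale set was deployed with a system-assigned identity.')
param systemAssignedIdentity bool = true

// Reference an existing scale set so the example stays small.
resource vmss 'Microsoft.Compute/virtualMachineScaleSets@2022-08-01' existing = {
  name: vmssName
}

// Returns the @secure() parameter in plain text through deployment history.
// This is the pattern Azure.Deployment.OutputSecretValue is meant to flag.
output leakedSecret string = adminPassword

// The output from the report: the principal ID of the system-assigned identity.
// An object ID is not a secret; the empty-string fallback on the false branch
// was the case mishandled by the rule and fixed in the next release.
output systemAssignedPrincipalId string = systemAssignedIdentity && contains(vmss.identity, 'principalId') ? vmss.identity.principalId : ''
```

Until a release containing the fix is in use, the report line to act on is the one naming an output that actually returns a secure parameter or a list*() result; an output that only returns an identity's principalId can be left as is.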