Azure / PSRule.Rules.Azure

Rules to validate Azure resources and infrastructure as code (IaC) using PSRule.
https://azure.github.io/PSRule.Rules.Azure/
MIT License

PSRule state showing Fail, not Pass for PostgreSQL encryption #1914

Closed vegazbabz closed 1 year ago

vegazbabz commented 1 year ago

Description of the issue

Running AzGovViz including PSRule, shows us the following 2 rows regarding missing SSL and TLSv1.2 on PostgreSQL: [image]

However, it has been configured in the recommended, secure way: [image]

I would expect this to show Pass and not Fail in the state.

To Reproduce

Steps to reproduce the issue:

Expected behaviour

Show Pass, not Fail.

Error output

Module in use and version:

Captured output from $PSVersionTable:

Additional context

BernieWhite commented 1 year ago

@vegazbabz Thanks for reporting the issue.

If you:

Do you see the properties:

vegazbabz commented 1 year ago

@BernieWhite thanks for the fast reply. Yes, I do. [image]

I also have this issue with several other components not related to PostgreSQL (was just the easiest example). Should I log a bug for each of them? There is quite a substantial number of bugs in PSRule reporting using AzGovViz vs. Azure actual state, as I see it in the portal and in Azure Policies, where we also track many of these things.

BernieWhite commented 1 year ago

@vegazbabz Great, thanks. The rule looks correct, but maybe there is an issue with the integration between AzGovViz and PSRule, so we will need to do some additional investigation.

What version of AzGovViz are you using?


For the other issues maybe group them based on resource/technology and log each issue for each group if that's ok so we can track them without missing anything important.

For the issue if we can just have a list of the rule names that are incorrect we'll do some digging about the data.

vegazbabz commented 1 year ago

I am using the one from November 21: [image]

Is it correctly understood that I should filter for State == Fail to see non-compliant ones? Pass means it is fine.

I will add them as separate issues, but just FYI: [image]

We have (100% compliant) TLS enforced policies for all of them and AzGovViz shows TLS1.2 for all storage accounts under "Storage Accounts Access Analysis results". Thanks

JulianHayward commented 1 year ago

@vegazbabz please test with fix branch

vegazbabz commented 1 year ago

[image]

Showing pass as expected