Azure / PSRule.Rules.Azure

Rules to validate Azure resources and infrastructure as code (IaC) using PSRule.
https://azure.github.io/PSRule.Rules.Azure/
MIT License

No bicep processing with AZURE_PARAMETER_FILE_EXPANSION #2044

Closed khaliddermoumi closed 1 year ago

khaliddermoumi commented 1 year ago

Description of the issue As explained in "Using parameter files" docs, it should be possible to let PSRule discover a parameter file, and analyse the associated bicep file using the parameter file. This obviously does not work (at least in the versions stated below).

To Reproduce

Steps to reproduce the issue:

Here is an example.

# file: ps-rule.yaml

include:
  module:
    - PSRule.Rules.Azure

requires:
  PSRule: '>=2.7.0'
  PSRule.Rules.Azure: '>=1.24.0'

configuration:
  AZURE_PARAMETER_FILE_EXPANSION: true
  AZURE_BICEP_FILE_EXPANSION: false

execution:
  suppressedRuleWarning: false
  notProcessedWarning: false

// file: storage.bicep

@description('Storage Account type')
param storageAccountType string

@description('Location for the storage account.')
param location string = resourceGroup().location

@description('The name of the Storage Account')
param storageAccountName string = 'store${uniqueString(resourceGroup().id)}'

resource sa 'Microsoft.Storage/storageAccounts@2021-06-01' = {
    name: storageAccountName
    location: location
    sku: {
        name: storageAccountType
    }
    kind: 'StorageV2'
    properties: {}
}

// file: storage.test.bicep

targetScope = 'resourceGroup'

param storageAccountType string
param location string = resourceGroup().location

@description('Minimum configuration.')
module sa 'storage.bicep' = {
    name: 'storage'
    params: {
        storageAccountType: storageAccountType
        location: location
    }
}

file below: "storage.test.parameters.json"

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountType": {
      "value": "Standard_LRS"
    }
  }
}

Expected behaviour

Now when you run PSRule, the bicep files should be analysed, and the corresponding rule processing messages should be printed by PSRule. This does not happen. Instead, PSRule does not print anything. Note that I also tried the usage of the "metadata" attribute, as described in the docs, which made no difference.

When you instead reconfigure the files above with "AZURE_BICEP_FILE_EXPANSION: true" for regular bicep file expansion, PSRule performs as expected, and prints rule evaluations as expected.

How does this need to be configured, to have parameter file expansion plus analysing the associated bicep files, given the example above? To me, the configuration above looks ok (given the docs), so this looks like a bug.

Module in use and version:

Captured output from $PSVersionTable:

Name                           Value
----                           -----
PSVersion                      7.3.2
PSEdition                      Core
GitCommitId                    7.3.2
OS                             Microsoft Windows 10.0.19044
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Additional context

BernieWhite commented 1 year ago

@khaliddermoumi Thanks for raising the issue.

The example above does not include the metadata property. Are you able to try the following as per the instructions:

Alternatively, you can choose to expand and test a Bicep module from JSON parameter files by metadata.

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "template": "./storage.tests.bicep"
  },
  "parameters": {
    "storageAccountType": {
      "value": "Standard_LRS"
    }
  }
}

Alternatively for the storage.tests.bicep you can just set a default for storageAccountType. You can find some examples here: https://github.com/Azure/PSRule.Rules.Azure-quickstart/blob/main/bicep/modules/keyvault/v1/.tests/main.tests.bicep

I hope that helps.

khaliddermoumi commented 1 year ago

@khaliddermoumi Thanks for raising the issue.

The example above does not include the metadata property. Are you able to try the following as per the instructions:

Alternatively, you can choose to expand and test a Bicep module from JSON parameter files by metadata. (...)

Hi Bernie, I also tried to use the "metadata" property, but it does not work either - in the same way, no bicep analysis.

Alternatively for the storage.tests.bicep you can just set a default for storageAccountType. You can find some examples here: https://github.com/Azure/PSRule.Rules.Azure-quickstart/blob/main/bicep/modules/keyvault/v1/.tests/main.tests.bicep

I would really prefer a lot to get it to run with parameter files, because we already have a lot of them. For our setup, we would need exactly this feature.

How do we get it to run?

BernieWhite commented 1 year ago

@khaliddermoumi Your ps-rule.yaml configuration is fine.

Are you able to provide some additional information:

Example pipelines are here: https://azure.github.io/PSRule.Rules.Azure/creating-your-pipeline/ Also the quick start repo has a full working sample: https://github.com/Azure/PSRule.Rules.Azure-quickstart

Also the troubleshooting page has a few points that are commonly the issue if expansion is not working: no rules or no Azure resources are found.

This is the output I get from your files with the command line assert-psrule -Format File -f . -Module psrule.rules.azure:

    ____  _____ ____        __
   / __ \/ ___// __ \__  __/ /__
  / /_/ /\__ \/ /_/ / / / / / _ \
 / ____/___/ / _, _/ /_/ / /  __/
/_/    /____/_/ |_|\__,_/_/\___/

Using PSRule v2.7.0
Using PSRule.Rules.Azure v1.24.2

----------------------------
Explore documentation: https://aka.ms/ps-rule
Contribute and find source: https://github.com/microsoft/PSRule
Report issues: https://github.com/microsoft/PSRule/issues
PSRule.Rules.Azure: https://aka.ms/ps-rule-azure
----------------------------

 -> storage.test.parameters.json : .json [4/4]

    [PASS] Azure.Template.ParameterFile (AZR-000229)
    [PASS] Azure.Template.ParameterScheme (AZR-000230)
    [PASS] Azure.Template.ParameterValue (AZR-000232)
    [PASS] Azure.Template.ValidSecretRef (AZR-000233)

 -> C:\Dev\Workspace\AzureDevOps-gov\storage.test.parameters.json : Microsoft.Resources/deployments [6/6]

    [PASS] Azure.Deployment.OutputSecretValue (AZR-000279)
    [PASS] Azure.Deployment.AdminUsername (AZR-000284)
    [PASS] Azure.Deployment.SecureValue (AZR-000316)
    [PASS] Azure.Deployment.OuterSecret (AZR-000331)
    [PASS] Azure.Template.ParameterStrongType (AZR-000227)
    [PASS] Azure.Template.ExpressionLength (AZR-000228)

 -> C:\Dev\Workspace\AzureDevOps-gov\storage.test.parameters.json : Microsoft.Resources/deployments [5/5]

    [PASS] Azure.Deployment.OutputSecretValue (AZR-000279)
    [PASS] Azure.Deployment.AdminUsername (AZR-000284)
    [PASS] Azure.Deployment.SecureValue (AZR-000316)
    [PASS] Azure.Template.ParameterStrongType (AZR-000227)
    [PASS] Azure.Template.ExpressionLength (AZR-000228)

 -> store5f3e65afb63bb : Microsoft.Storage/storageAccounts [2/10]

    [FAIL] Azure.Resource.UseTags (AZR-000166)
    | Template: storage.test.bicep:71:13
    | Parameter: storage.test.parameters.json:1:0

    | RECOMMEND:
    | Consider tagging resources using a standard convention. Identify mandatory and
    | optional tags then tag all resources and resource groups using this standard.
    | Also consider using Azure Policy to enforce mandatory tags.

    | REASON:
    | - The resource is not tagged.
    | - Path tags: Does not exist.

    | HELP:
    | - https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Resource.UseTags/

    [FAIL] Azure.Storage.UseReplication (AZR-000195)
    | Template: storage.test.bicep:71:13
    | Parameter: storage.test.parameters.json:1:0

    | RECOMMEND:
    | Consider using GRS for storage accounts that contain data.

    | REASON:
    | - Path sku.name: The field value 'Standard_LRS' was not included in the set.

    | HELP:
    | - https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Storage.UseReplication/

    [FAIL] Azure.Storage.SoftDelete (AZR-000197)
    | Template: storage.test.bicep:71:13
    | Parameter: storage.test.parameters.json:1:0

    | RECOMMEND:
    | Consider enabling soft delete on storage accounts to protect blobs from
    | accidental deletion or modification.

    | REASON:
    | - A sub-resource of type 'Microsoft.Storage/storageAccounts/blobServices' has not been specified.

    | HELP:
    | - https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Storage.SoftDelete/

    [PASS] Azure.Storage.BlobAccessType (AZR-000199)
    [PASS] Azure.Storage.Name (AZR-000201)
    [FAIL] Azure.Storage.ContainerSoftDelete (AZR-000289)
    | Template: storage.test.bicep:71:13
    | Parameter: storage.test.parameters.json:1:0

    | RECOMMEND:
    | Consider enabling container soft delete on storage accounts to protect blob
    | containers from accidental deletion or modification.

    | REASON:
    | - A sub-resource of type 'Microsoft.Storage/storageAccounts/blobServices' has not been specified.

    | HELP:
    | - https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Storage.ContainerSoftDelete/

    [FAIL] Azure.Storage.Firewall (AZR-000202)
    | Template: storage.test.bicep:71:13
    | Parameter: storage.test.parameters.json:1:0

    | RECOMMEND:
    | Consider configuring storage firewall to restrict network access to permitted
    | clients only. Also consider enforcing this setting using Azure Policy.

    | REASON:
    | - Path properties.networkAcls.defaultAction: The field 'properties.networkAcls.defaultAction' does not exist.

    | HELP:
    | - https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Storage.Firewall/

    [FAIL] Azure.Storage.MinTLS (AZR-000200)
    | Template: storage.test.bicep:71:13
    | Parameter: storage.test.parameters.json:1:0

    | RECOMMEND:
    | Consider configuring the minimum supported TLS version to be 1.2. Also consider
    | enforcing this setting using Azure Policy.

    | REASON:
    | - Path properties.minimumTlsVersion: The field 'properties.minimumTlsVersion' does not exist.

    | HELP:
    | - https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Storage.MinTLS/

    [FAIL] Azure.Storage.SecureTransfer (AZR-000196)
    | Template: storage.test.bicep:71:13
    | Parameter: storage.test.parameters.json:1:0

    | RECOMMEND:
    | Storage accounts should only accept secure traffic. Consider only accepting
    | encrypted connections by setting the Secure transfer required option. Also
    | consider using Azure Policy to audit or enforce this configuration.

    | REASON:
    | - Path properties.supportsHttpsTrafficOnly: The field 'properties.supportsHttpsTrafficOnly' does not exist.

    | HELP:
    | - https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Storage.SecureTransfer/

    [FAIL] Azure.Storage.BlobPublicAccess (AZR-000198)
    | Template: storage.test.bicep:71:13
    | Parameter: storage.test.parameters.json:1:0

    | RECOMMEND:
    | Consider disallowing anonymous access to storage account blobs unless
    | specifically required. Also consider enforcing this setting using Azure Policy.

    | REASON:
    | - Path properties.allowBlobPublicAccess: The field 'properties.allowBlobPublicAccess' does not exist.

    | HELP:
    | - https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Storage.BlobPublicAccess/

Rules processed: 25, failed: 8, errored: 0
Run fe750ef0122c2931a8c0ef8d072d5ef57bf0b1e4 completed in 00:00:24.2842382
Assert-PSRule: One or more rules reported failure.
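
As an added example, not code from the issue or from the PSRule project: the storage.bicep from the report reworked so that the eight findings in the output above are addressed, using the property paths named in each REASON line. The tag values and retention days are constructed sample values.

```bicep
// Added example (not from the issue): storage.bicep with the settings the
// failing rules above check for. Tag values and retention days are sample values.
@description('Storage Account type')
param storageAccountType string = 'Standard_GRS' // Azure.Storage.UseReplication

@description('Location for the storage account.')
param location string = resourceGroup().location

@description('The name of the Storage Account')
param storageAccountName string = 'store${uniqueString(resourceGroup().id)}'

resource sa 'Microsoft.Storage/storageAccounts@2021-06-01' = {
  name: storageAccountName
  location: location
  sku: {
    name: storageAccountType
  }
  kind: 'StorageV2'
  tags: { // Azure.Resource.UseTags
    environment: 'test'
    owner: 'platform-team'
  }
  properties: {
    minimumTlsVersion: 'TLS1_2' // Azure.Storage.MinTLS
    supportsHttpsTrafficOnly: true // Azure.Storage.SecureTransfer
    allowBlobPublicAccess: false // Azure.Storage.BlobPublicAccess
    networkAcls: { // Azure.Storage.Firewall
      defaultAction: 'Deny'
      bypass: 'AzureServices'
    }
  }
}

// Blob service sub-resource checked by Azure.Storage.SoftDelete and
// Azure.Storage.ContainerSoftDelete.
resource blobServices 'Microsoft.Storage/storageAccounts/blobServices@2021-06-01' = {
  parent: sa
  name: 'default'
  properties: {
    deleteRetentionPolicy: {
      enabled: true
      days: 7
    }
    containerDeleteRetentionPolicy: {
      enabled: true
      days: 7
    }
  }
}
```

The parameter file in the report still passes Standard_LRS through storage.test.bicep, so its storageAccountType value also has to change to Standard_GRS for Azure.Storage.UseReplication to pass.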

khaliddermoumi commented 1 year ago

Hi, I was using the PS CLI, and this command: "Invoke-PSRule -InputPath .". Using your command line, I get the same output as you do - thanks a lot. I was assuming "Invoke-PSRule -InputPath ." was ok, as this worked with the "bicep expansion". So I see, the command was obviously the reason it didn't work.

Thanks a lot for your help!