Azure / template-analyzer

Template scanner for security misconfiguration and best practices
MIT License

[BUG] Placeholder metadata value causing TemplateAnalyzerException #293

Open VeraBE opened 2 years ago

VeraBE commented 2 years ago

Describe the bug

A user reported that the tool was throwing a TemplateAnalyzerException on a valid ARM template. The error logged to the console output:

```
Error: An exception occurred while analyzing a template
Exception details:
Microsoft.Azure.Templates.Analyzer.Core.TemplateAnalyzerException: Error while processing template.
---> Azure.Deployments.Templates.Exceptions.TemplateValidationException: The template resource 'name' at line '18' and column '13' is not valid: The language expression property array index '1' is out of bounds.. Please see https://aka.ms/arm-template-expressions for usage details.
```

The template parameter `name` in the template has a default value of `[format('{0}-{1}-{2}', replace(parameters('addressSpace')[0], '/', '-'), split(subscription().displayName, '.')[0], split(subscription().displayName, '.')[1])]`. For our analysis we don't have access to the subscription information, so instead of using the real `displayName` we use a placeholder value that doesn't have a dot. That's why `split(subscription().displayName, '.')[1]` is an out-of-bounds access.

Expected behavior

The template should be analyzed

Reproduction Steps

Analyze a template that uses an expression like `split(subscription().displayName, '.')[1]` anywhere.

Environment

No response
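
The failure described above, reproduced as an added example (not code from the issue or from template-analyzer): it scans parameter default values for indexed `split(subscription().displayName, ...)` calls and reports the indexes a given placeholder cannot satisfy. The placeholder string, the function name `find_out_of_bounds` and the sample template are assumptions constructed for illustration; only the default-value expression is taken from the issue.

```python
import json
import re

# Constructed placeholder: the issue only says the analyzer's value has no dot.
PLACEHOLDER_DISPLAY_NAME = "placeholderSubscriptionName"

# Matches split(subscription().displayName, '<delim>')[<index>] in an ARM expression.
SPLIT_INDEX = re.compile(
    r"split\(\s*subscription\(\)\.displayName\s*,\s*'([^']+)'\s*\)\[(\d+)\]"
)

def find_out_of_bounds(template, display_name=PLACEHOLDER_DISPLAY_NAME):
    """Return (parameter, delimiter, index, part_count) for every indexed split of
    subscription().displayName in a parameter default that display_name cannot satisfy."""
    findings = []
    for name, spec in template.get("parameters", {}).items():
        default = spec.get("defaultValue")
        if not isinstance(default, str):
            continue  # only string defaults can hold an ARM expression
        for delim, index in SPLIT_INDEX.findall(default):
            # Assumption: a single-string delimiter splits like Python's str.split.
            parts = display_name.split(delim)
            if int(index) >= len(parts):
                findings.append((name, delim, int(index), len(parts)))
    return findings

# Constructed template; the "name" default value is the expression quoted in the issue.
SAMPLE_TEMPLATE = json.loads(r"""
{
  "parameters": {
    "addressSpace": {"type": "array", "defaultValue": ["10.0.0.0/16"]},
    "name": {
      "type": "string",
      "defaultValue": "[format('{0}-{1}-{2}', replace(parameters('addressSpace')[0], '/', '-'), split(subscription().displayName, '.')[0], split(subscription().displayName, '.')[1])]"
    }
  }
}
""")

if __name__ == "__main__":
    for name, delim, index, count in find_out_of_bounds(SAMPLE_TEMPLATE):
        print(f"parameter {name!r}: split on {delim!r} gives {count} part(s); "
              f"index {index} is out of bounds")
    # A placeholder that contains the delimiter satisfies both indexes.
    print(find_out_of_bounds(SAMPLE_TEMPLATE, "placeholder.subscription"))
```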

maikvandergaag commented 1 year ago

Hi all, I have the same issue, but when working from Bicep.

See the sample below, which is one of my modules, wherein we use the `metadata` keyword to be able to save info on the template:

```bicep
metadata info = {
  name: 'RBAC Module'
  description: 'This module deploys a Role Based Access assignments'
  version: '1.0.0'
  author: 'Maik van der Gaag'
}

param principalId string
param roleDefinitionResourceId string

@description('This is the built-in Contributor role. See https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#contributor')
resource roleDefinition 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' existing = {
  scope: subscription()
  name: roleDefinitionResourceId
}

resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid(resourceGroup().id, principalId, roleDefinition.id)
  properties: {
    roleDefinitionId: roleDefinition.id
    principalId: principalId
    principalType: 'ServicePrincipal'
  }
  scope: resourceGroup()
}
```

When we analyze this with `.\TemplateAnalyzer.exe analyze-template D:\source\rbac.bicep -v`, we get the following errors: (image)

Removing the metadata section solved the problem.

JohnathonMohr commented 1 year ago

Thanks for reporting this @maikvandergaag. This looks like it's actually a different issue specific to Bicep, maybe a Bicep compiler version issue. Can you please create a new bug report with the above? @nonik0 FYI.