Open apalich opened 1 year ago
Getting the exact same issue when we tried to integrate this with our bicep repos today.
We did see some exceptions in the log...
Which correlates to this (and is perfectly valid):
```bicep
var varTemplateIdentityRoleAssignmentName = guid(resTemplateIdentity.id, resourceGroup().id, resTemplateIdentityRoleDefinition.id)
```
... and is only used as the resource name:
```bicep
resource resTemplateRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: varTemplateIdentityRoleAssignmentName
  properties: {
    roleDefinitionId: resTemplateIdentityRoleDefinition.id
    principalId: resTemplateIdentity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}
```
Which correlates to this:
```bicep
var varDeployPrefix = 'DeployBuildAgent-'
```
... and is only used for deployment names:
```bicep
module modTemplateIdentity './gallery.templateidentity.bicep' = {
  scope: resAzComputeRg
  name: '${varDeployPrefix}TemplateIdentity'
  params: {
    paramTemplateIdentityName: varTemplateIdentityName
    paramLocation: paramLocation
    paramTags: paramTags
  }
}
```
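For readers who want to reproduce the pattern the comment above describes, here is an added, self-contained Bicep module that is not the reporter's `gallery.templateidentity.bicep` and not code from the Template Analyzer project. It assumes a user-assigned managed identity named by `paramTemplateIdentityName`, a built-in role looked up through an `existing` role definition resource, and a role assignment whose name is derived with `guid()` from the identity, the resource group and the role definition, exactly as in the snippets above; the parameter and resource names are assumed, and the role choice (Contributor scoped to the resource group) is a placeholder that a production template should narrow to a least-privilege custom role.

```bicep
// Added example (hypothetical module), reconstructing the pattern discussed in this thread.
targetScope = 'resourceGroup'

@description('Name of the user-assigned managed identity used by the image template (assumed parameter).')
param paramTemplateIdentityName string

@description('Location for the identity (assumed parameter).')
param paramLocation string = resourceGroup().location

@description('Tags applied to the identity (assumed parameter).')
param paramTags object = {}

// Well-known id of the built-in "Contributor" role. Placeholder only: grant the
// narrowest role the image build actually needs in a real deployment.
var varRoleDefinitionId = 'b24988ac-6180-42a0-ab88-20f7382dd24c'

resource resTemplateIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: paramTemplateIdentityName
  location: paramLocation
  tags: paramTags
}

// Reference the built-in role as an existing subscription-scoped resource so its
// full resource id is computed at deployment time instead of being hard-coded.
resource resTemplateIdentityRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
  scope: subscription()
  name: varRoleDefinitionId
}

// Role assignment names must be GUIDs and must be unique per (scope, principal, role).
// Deriving the name deterministically from those inputs keeps redeployments idempotent:
// the same identity, scope and role always yield the same assignment name.
var varTemplateIdentityRoleAssignmentName = guid(resTemplateIdentity.id, resourceGroup().id, resTemplateIdentityRoleDefinition.id)

resource resTemplateRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: varTemplateIdentityRoleAssignmentName
  properties: {
    roleDefinitionId: resTemplateIdentityRoleDefinition.id
    principalId: resTemplateIdentity.properties.principalId
    // Managed identities are service principals; stating the type avoids replication
    // races when the assignment is created right after the identity.
    principalType: 'ServicePrincipal'
  }
}

output principalId string = resTemplateIdentity.properties.principalId
output roleAssignmentName string = resTemplateRoleAssignment.name
```

The module deploys with `az deployment group create` like any other Bicep file; the point of the `guid()` name is that a second deployment of the same module resolves to the same role assignment instead of failing with a conflicting, randomly named one.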
Thanks for reporting this issue, we will investigate.
Any updates on this? This is completely breaking the functionality of the Defender for DevOps pipeline task in Azure DevOps, as we have to skip the templateanalyzer tool - which is the most important tool for IaC in Azure.
Same here:

```text
Error: Error running tool 1 of 2: templateanalyzer
Error: Error running templateanalyzer job: 1 of 1
Error: GuardianErrorExitCodeException: templateanalyzer completed with an Error exit code: 21.
Error: An error was encountered trying to analyze a template
Leaving BaseCommand`1.HandledRun()
Leaving BaseStartup.Run(options)
shouldBreak = True
Error: BreakException: Guardian detected one or more breaking results.
```
Bicep deploys without errors.
We are using main.bicep, a parameters file and a module that deploys a storage account/blob/container. The storage resources are nested and we have some if/then/else logic to send each storage account to the appropriate subscription.
Has this been fixed in the new version 0.7.0? Has anyone verified?
If anyone can verify, I will suggest in the Azure DevOps Security extension (https://github.com/microsoft/security-devops-action/issues) that they upgrade to the latest version. Currently they use v. 0.5.2 as per the NuGet package here: https://nuget.info/packages/Microsoft.Security.DevOps.Cli/0.199.0 - which obviously still has this problem.
Hi, the most recent release of template analyzer (0.7.0) has updates for various dependencies, most specifically bicep, which may resolve some of the issues in this thread. This will be coming out for the DevOps CLI soon as well.
However, it's likely some of the issues in this thread are related to existing issues around template parameters, e.g.: #296, #314.
Unfortunately, the new TemplateAnalyzer 0.7.0, which is part of the (now fixed) Microsoft.Security.DevOps.Cli 0.204.0, still has exactly the same issue.
Nor is it fixed in Microsoft.Security.DevOps.Cli 0.205.0, though that was expected as it still uses TemplateAnalyzer 0.7.0.
Describe the bug
Trying to set up a Defender for DevOps workflow for an IaC repo, but the workflow fails with this error:

```text
Error: Error running tool 1 of 2: templateanalyzer
Error: Error running templateanalyzer job: 1 of 1
Error: GuardianErrorExitCodeException: templateanalyzer completed with an Error exit code: 21.
Error: An error was encountered trying to analyze a template
Error: BreakException: Guardian detected one or more breaking results.
Error: Error: The process 'D:\a_msdo\versions\microsoft.security.devops.cli\0.171.1\tools\guardian.cmd' failed with exit code 1
```

The template has two files: main.bicep with all the config and main.parameter.json for the parameters.

```text
1 instance of: An exception occurred while analyzing template D:\a\til-iac\til-iac\bicep\products\energy-demand\main.json with parameters file D:\a\my project\main.parameters.json
```
Expected behavior
Template Analyzer shouldn't fail.
Reproduction Steps
Environment
No response