Azure / template-analyzer

Template scanner for security misconfiguration and best practices
MIT License

[BUG] GuardianErrorExitCodeException: templateanalyzer completed with an Error exit code: 21. Error: An error was encountered trying to analyze a template #341

Open apalich opened 1 year ago

apalich commented 1 year ago

Describe the bug

Trying to set up the Defender for DevOps workflow for an IaC repo, but the workflow fails with this error:

Error: Error running tool 1 of 2: templateanalyzer Error: Error running templateanalyzer job: 1 of 1 Error: GuardianErrorExitCodeException: templateanalyzer completed with an Error exit code: 21. Error: An error was encountered trying to analyze a template Error: BreakException: Guardian detected one or more breaking results. Error: Error: The process 'D:\a_msdo\versions\microsoft.security.devops.cli\0.171.1\tools\guardian.cmd' failed with exit code 1

The template has two files: main.bicep with all the config, and main.parameter.json for the parameters. 1 instance of: An exception occurred while analyzing template D:\a\til-iac\til-iac\bicep\products\energy-demand\main.json with parameters file D:\a\my project\main.parameters.json

Expected behavior

Template Analyzer shouldn't fail.

Reproduction Steps

  1. Create a project folder with a Main.bicep template.
  2. Create a parameters file with the parameters, for example:

     {
       "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
       "contentVersion": "1.0.0.0",
       "parameters": {
         "tags": {
           "value": {
             "APPID": "AP0000",
             "Application Name": "name",
             "Business Function": "Azure Resources",
             "Application Owner": "name",
             "Data Classification": "Internal Information",
             "Regulatory Controlled Information": "N/A",
             "Application Criticality": "N/A",
             "TIS Portfolio Executive": "Name",
             "Environment Type": "de",
             "Business Criticality": "Level 4 - Deferrable",
             "Primary Business Capability": "Data Services",
             "Support Group": "Support Group",
             "TIS Application Owner": "name"
           }
         }
       }
     }

Environment

No response

jeremycolson commented 1 year ago

Getting the exact same issue when we tried to integrate this with our bicep repos today.


We did see some exceptions in the log...

Warning: An exception occurred while evaluating the properties of the resource named [variables('varTemplateIdentityRoleAssignmentName')]

Which correlates to this (and is perfectly valid):

var varTemplateIdentityRoleAssignmentName = guid(resTemplateIdentity.id, resourceGroup().id, resTemplateIdentityRoleDefinition.id)

... and is only used as the resource name:

resource resTemplateRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: varTemplateIdentityRoleAssignmentName
  properties: {
    roleDefinitionId: resTemplateIdentityRoleDefinition.id
    principalId: resTemplateIdentity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

Warning: An exception occurred while evaluating the properties of the resource named [format('{0}ImageTemplate', variables('varDeployPrefix'))]

Which correlates to this:

var varDeployPrefix = 'DeployBuildAgent-'

... and is only used for deployment names:

module modTemplateIdentity './gallery.templateidentity.bicep' = {
  scope: resAzComputeRg
  name: '${varDeployPrefix}TemplateIdentity'
  params: {
    paramTemplateIdentityName: varTemplateIdentityName
    paramLocation: paramLocation
    paramTags: paramTags
  }
}
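The two comments above quote the Guardian log lines that identify which template, parameters file and resource expressions the analyzer choked on. The following script is an added example (not part of this thread or of template-analyzer itself) that pulls those details out of a saved pipeline log so a failure like exit code 21 can be triaged without reading the whole log by hand. The sample log embedded in it is constructed from the lines quoted in this issue; the file paths in it are placeholders, and the triage labels returned by classify() are this example's own, not Guardian's.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample log: modelled on the lines quoted in this issue thread.
# Paths are placeholders, not a real pipeline capture.
SAMPLE_LOG = r"""
Error: Error running tool 1 of 2: templateanalyzer
Error: Error running templateanalyzer job: 1 of 1
Error: GuardianErrorExitCodeException: templateanalyzer completed with an Error exit code: 21.
Error: An error was encountered trying to analyze a template
1 instance of: An exception occurred while analyzing template D:\a\example-iac\bicep\main.json with parameters file D:\a\example iac\main.parameters.json
Warning: An exception occurred while evaluating the properties of the resource named [variables('varTemplateIdentityRoleAssignmentName')]
Warning: An exception occurred while evaluating the properties of the resource named [format('{0}ImageTemplate', variables('varDeployPrefix'))]
Error: BreakException: Guardian detected one or more breaking results.
"""

TOOL_RE = re.compile(r"Error running tool \d+ of \d+: (\S+)")
EXIT_RE = re.compile(r"completed with an Error exit code: (\d+)")
TEMPLATE_RE = re.compile(r"analyzing template (.+?) with parameters file (.+)$")
RESOURCE_RE = re.compile(r"evaluating the properties of the resource named (\[.*\])$")
VARIABLE_RE = re.compile(r"variables\('([^']+)'\)")


@dataclass
class AnalyzerRunSummary:
    """What a triager needs from one templateanalyzer run in the Guardian log."""
    tool_name: Optional[str] = None
    exit_code: Optional[int] = None
    template_path: Optional[str] = None
    parameters_path: Optional[str] = None
    failed_resources: List[str] = field(default_factory=list)  # resource name expressions
    break_detected: bool = False  # Guardian reported "breaking results"


def parse_log(text: str) -> AnalyzerRunSummary:
    """Walk the log line by line and collect the fields the quoted messages carry."""
    summary = AnalyzerRunSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := TOOL_RE.search(line)) and summary.tool_name is None:
            summary.tool_name = m.group(1)
        if m := EXIT_RE.search(line):
            summary.exit_code = int(m.group(1))
        if m := TEMPLATE_RE.search(line):
            # Paths may contain spaces (see "D:\a\my project" in the report), so we
            # split on the literal " with parameters file " marker rather than on whitespace.
            summary.template_path, summary.parameters_path = m.group(1), m.group(2)
        if m := RESOURCE_RE.search(line):
            summary.failed_resources.append(m.group(1))
        if "BreakException" in line:
            summary.break_detected = True
    return summary


def referenced_variables(summary: AnalyzerRunSummary) -> List[str]:
    """Bicep/ARM variable names referenced by the failing resource expressions, in order, deduplicated.
    These are the variables to look at first in the source template."""
    seen: List[str] = []
    for expr in summary.failed_resources:
        for name in VARIABLE_RE.findall(expr):
            if name not in seen:
                seen.append(name)
    return seen


def classify(summary: AnalyzerRunSummary) -> str:
    """Coarse triage label (assumption: these labels are this example's own, not Guardian's).
    An analyzer exception is reported separately from a plain policy break because the
    former means the template was never fully evaluated, so its findings are incomplete."""
    if summary.template_path or summary.failed_resources:
        return "analysis-exception"
    if summary.break_detected:
        return "policy-break"
    return "clean"


if __name__ == "__main__":
    s = parse_log(SAMPLE_LOG)
    print(f"tool={s.tool_name} exit={s.exit_code} class={classify(s)}")
    print(f"template={s.template_path}\nparameters={s.parameters_path}")
    for expr in s.failed_resources:
        print(f"failed resource: {expr}")
    print("variables to inspect:", ", ".join(referenced_variables(s)))
```

To use it on a real run, save the pipeline log to a file and call parse_log() on its contents; the "variables to inspect" list gives the template variables to check against the open parameter-handling issues before deciding whether the failure is the analyzer's or the template's.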

nonik0 commented 11 months ago

Thanks for reporting this issue, we will investigate.

SorenHartvigJensen commented 7 months ago

Any updates on this? This is completely breaking the functionality of the Defender for DevOps pipeline task in Azure DevOps, as we have to skip the templateanalyzer tool - which is the most important tool for IaC in Azure.

dtopouzis commented 7 months ago

Same here: Error: Error running tool 1 of 2: templateanalyzer Error: Error running templateanalyzer job: 1 of 1 Error: GuardianErrorExitCodeException: templateanalyzer completed with an Error exit code: 21. Error: An error was encountered trying to analyze a template Leaving BaseCommand`1.HandledRun() Leaving BaseStartup.Run(options) shouldBreak = True Error: BreakException: Guardian detected one or more breaking results.

Bicep deploys without errors.

We are using main.bicep, a parameters file and a module that deploys a storage account/blob/container. The storage resources are nested and we have some if/then/else logic to send each storage account to the appropriate subscriptions.

SorenHartvigJensen commented 6 months ago

Has this been fixed in the new version 0.7.0? Has anyone verified?

If anyone can verify, I will suggest in the Azure DevOps Security extension that they upgrade to the latest version (https://github.com/microsoft/security-devops-action/issues). Currently they use v. 0.5.2 as per the NuGet package here: https://nuget.info/packages/Microsoft.Security.DevOps.Cli/0.199.0 - which obviously still has this problem.

nonik0 commented 5 months ago

Hi, the most recent release of template analyzer (0.7.0) has updates for various dependencies, most specifically Bicep, which may resolve some of the issues in this thread. This will be coming out for the DevOps CLI soon as well.

However, it's likely some of the issues in this thread are related to existing issues around template parameters, e.g.: #296, #314.

SorenHartvigJensen commented 5 months ago

Unfortunately, the new TemplateAnalyzer 0.7.0, which is part of the (now fixed) Microsoft.Security.DevOps.Cli 0.204.0, still has exactly the same issue.

SorenHartvigJensen commented 4 months ago

Nor is it fixed in Microsoft.Security.DevOps.Cli 0.205.0, though that was expected, as it is still using TemplateAnalyzer 0.7.0.