azsk / DevOpsKit


Logic app accesscontrol validations #1365

Open psyduck101 opened 3 years ago

psyduck101 commented 3 years ago

Hey, we are building ARM templates for our logic apps and APIM APIs (only the APIs, not the APIM instance), and we get some positives that we wonder if they are correct and we are missing something, or whether we can just disable them.

Version 4.14 in PowerShell

  1. We have logic apps where we added accessControl IP ranges (hardcoded and by parameter), and we keep getting the warnings from the methods CheckTriggersAccessControl/CheckContentsAccessControl that they are not present or missing.

    Azure_LogicApps_AuthZ_Provide_Triggers_Access_Control | Failed | High | Not found |   | $.properties.accessControl.triggers.allowedCallerIpAddresses.addressRange | Verify current value | resources[0] | 70 | If Logic App fires on an HTTP Request (e.g. Request or Webhook) then provide IP ranges for triggers ...

    Azure_LogicApps_AuthZ_Provide_Contents_AccessControl | Failed | High | Not found |   | $.properties.accessControl.contents.allowedCallerIpAddresses.addressRange | Verify current value | resources[0] | 70 | Must provide IP ranges for contents to prevent unauthorized access to...

  2. We deploy our APIM APIs separately from the APIM instance. But for the APIs, we get the remark that our API is not linked to a VNet. As far as I know, a VNet is only configured on the APIM instance.

    Azure_APIManagement_NetSec_Configure_Virtual_Network_For_APIM | Microsoft.ApiManagement/service, Microsoft.ApiManagement/service/apis | Medium | Not found | -1 |   | $.properties.virtualNetworkType | NotAllow 'None' | resources[6] | 159 | Consider hosting APIM within a virtual network for improved isolation

Part of my logic app (also tried with parameters instead of hardcoded values, or with CIDR syntax '10.0.0.0/24'):

```json
{
  "type": "Microsoft.Logic/workflows",
  "apiVersion": "2017-07-01",
  "name": "[parameters('logicapp-testcon-name')]",
  "location": "[parameters('logicapp-location')]",
  "tags": "[parameters('resourceTags')]",
  "properties": {
    "state": "Enabled",
    "accessControl": {
      "triggers": {
        "allowedCallerIpAddresses": [
          {
            "addressRange": "10.0.0.0-11.0.0.0"
          }
        ]
      },
      "contents": {
        "allowedCallerIpAddresses": [
          {
            "addressRange": "10.0.0.0-11.0.0.0"
          }
        ]
      }
    }
  }
}
```

To reproduce

Execute on a logic app ARM template with accessControl configured.

Expected behavior

Not to have the errors

Actual behavior

Getting validation errors
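To check what the two Logic App controls quoted above ask for without waiting on the tool, here is a small added Python script (not part of DevOpsKit) that evaluates a parsed Microsoft.Logic/workflows resource: it requires an addressRange under both accessControl.triggers and accessControl.contents, accepts the dash form used in the template (10.0.0.0-11.0.0.0) and CIDR form (10.0.0.0/24), and marks a value passed as an ARM parameter expression as "Verify" because it can only be resolved at deployment time. The "Verify" outcome and the range classification are this example's own conventions, not the checker's.

```python
import ipaddress
import re

# Control ids as they appear in the ARM Checker output quoted in the issue
CONTROLS = {
    "triggers": "Azure_LogicApps_AuthZ_Provide_Triggers_Access_Control",
    "contents": "Azure_LogicApps_AuthZ_Provide_Contents_AccessControl",
}
ARM_EXPR = re.compile(r"^\[.*\]$")  # e.g. "[parameters('allowedRange')]"


def classify_range(value):
    """'cidr', 'range', 'parameter' or 'invalid' for one addressRange value."""
    if not isinstance(value, str):
        return "invalid"
    if ARM_EXPR.match(value):
        return "parameter"  # resolved at deployment, cannot be verified statically
    try:
        ipaddress.ip_network(value, strict=False)  # CIDR form, e.g. 10.0.0.0/24
        return "cidr"
    except ValueError:
        pass
    parts = [p.strip() for p in value.split("-")]
    if len(parts) == 2:
        try:
            lo, hi = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1])
            if lo.version == hi.version and lo <= hi:
                return "range"  # dash form, e.g. 10.0.0.0-11.0.0.0
        except ValueError:
            pass
    return "invalid"


def check_logic_app(resource):
    """Evaluate both controls for one parsed Microsoft.Logic/workflows resource."""
    access = resource.get("properties", {}).get("accessControl", {})
    results = {}
    for section, control in CONTROLS.items():
        entries = access.get(section, {}).get("allowedCallerIpAddresses", [])
        kinds = [classify_range(e.get("addressRange")) for e in entries if isinstance(e, dict)]
        if not kinds or "invalid" in kinds:
            results[control] = "Failed"  # missing or malformed: callers are not restricted
        elif "parameter" in kinds:
            results[control] = "Verify"  # range comes from a parameter file
        else:
            results[control] = "Passed"
    return results
```

Load the template with json.load, pick the resources whose "type" is "Microsoft.Logic/workflows", and pass each one to check_logic_app.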

ritika-msft commented 3 years ago

Can you please confirm whether you are getting these errors at the time of template deployment? Is it a validation error, or can you see these errors in the ARM Checker?

If the above-mentioned controls are going into error in the ARM Template Checker, can you please share the stack trace?