azsk / DevOpsKit

MIT License

Get-AzSKARMTemplateSecurityStatus, support for linked templates #855

Open bremnes opened 4 years ago

bremnes commented 4 years ago

Get-AzSKARMTemplateSecurityStatus, support for linked templates

Description

We have an API management project following the proposed structure of Azure API Management DevOps Resource Kit, which means we are using linked templates.

When sending in a master template with links, no controls are found in the template and it's skipped in its entirety. I'm guessing that is because it doesn't evaluate or retrieve the linked templates and just checks the master template for controls it can recognize; Microsoft.Resources/deployments is not one of those, ergo the file is skipped.

Any plans on supporting linked templates?

Steps to reproduce

Have two ARM templates, one master which is being deployed and one template that is linked to from the master.

Get-AzSKARMTemplateSecurityStatus -ARMTemplatePath C:\temp\master.template.json -ParameterFilePath C:\temp\master.parameters.dev.json -Debug
================================================================================
AzSK Version: 4.3.0
================================================================================
Method Name: Get-AzSKARMTemplateSecurityStatus
Input Parameters:
Key               Value
---               -----
ARMTemplatePath   C:\temp\master.template.json
ParameterFilePath C:\temp\master.parameters.dev.json
Debug             True
================================================================================
================================================================================
Starting analysis: [FileName: .\master.template.json]
--------------------------------------------------------------------------------
No controls have been evaluated for file: .\master.template.json
================================================================================
Skipped file(s): 1
.\master.template.json
--------------------------------------------------------------------------------
One or more files were skipped during the scan.
Either the files are invalid as ARM templates or those resource types are currently not supported by this command.
Please verify the files and re-run the command.
For files that should not be included in the scan, you can use the '-ExcludeFiles' parameter.
--------------------------------------------------------------------------------
No controls have been evaluated for ARM Template(s).
--------------------------------------------------------------------------------
** Next steps **
Look at the individual control evaluation status in the CSV file.
        a) If the control has passed, no action is necessary.
        b) If the control has failed, look at the control evaluation detail in the CSV file (LineNumber, ExpectedValue, CurrentValue, etc.) and fix the issue.
        c) If the control status says 'Skipped', it means that you have chosen to skip certain controls using the '-SkipControlsFromFile' parameter.
For further details, refer: https://aka.ms/devopskit/cicd
--------------------------------------------------------------------------------
Status and detailed logs have been exported to: C:\Users\redacted\AppData\Local\Microsoft\AzSKLogs\ARMChecker\20191209_150524
================================================================================
C:\Users\redacted\AppData\Local\Microsoft\AzSKLogs\ARMChecker\20191209_150524

Expected behavior

All ARM templates are being analyzed.

Actual behavior

Only the "master" template is analyzed, which is of low value when it only contains Microsoft.Resources/deployments resources.
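To see concretely why a master built from Microsoft.Resources/deployments resources yields nothing to evaluate, and which files actually carry the resources the controls apply to, here is an added Python example (not part of the issue, and not AzSK's own code). It walks a constructed master template, classifies each deployments resource as inline, relativePath or uri, and expands linked templates through a resolver. The linked files live in an in-memory dictionary standing in for files next to the master, and the way a templateLink.uri expression is mapped to a file name (last quoted '*.json' literal in the expression) is a heuristic assumption, not ARM semantics.

```python
import json
import re
from typing import Callable, List, Optional

DEPLOYMENT_TYPE = "Microsoft.Resources/deployments"
SCHEMA = "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#"

# Constructed sample: a master template that only wraps linked and nested deployments.
MASTER_TEMPLATE = json.loads(r'''
{
  "$schema": "''' + SCHEMA + r'''",
  "contentVersion": "1.0.0.0",
  "parameters": { "templateBaseUrl": { "type": "string" } },
  "resources": [
    { "type": "Microsoft.Resources/deployments", "apiVersion": "2019-10-01", "name": "apimService",
      "properties": { "mode": "Incremental",
                      "templateLink": { "relativePath": "apim.template.json" } } },
    { "type": "Microsoft.Resources/deployments", "apiVersion": "2019-10-01", "name": "apimApis",
      "properties": { "mode": "Incremental",
                      "templateLink": { "uri": "[concat(parameters('templateBaseUrl'), 'apis.template.json')]" } } },
    { "type": "Microsoft.Resources/deployments", "apiVersion": "2019-10-01", "name": "storageInline",
      "properties": { "mode": "Incremental",
                      "template": { "$schema": "''' + SCHEMA + r'''", "contentVersion": "1.0.0.0",
                                    "resources": [ { "type": "Microsoft.Storage/storageAccounts",
                                                     "apiVersion": "2019-06-01", "name": "stinline" } ] } } }
  ]
}
''')

# Constructed stand-in for the linked template files that would sit next to the master on disk.
LINKED_FILES = {
    "apim.template.json": {"resources": [{"type": "Microsoft.ApiManagement/service", "name": "apim"}]},
    "apis.template.json": {"resources": [{"type": "Microsoft.ApiManagement/service/apis", "name": "apim/echo"}]},
}


def resource_types(template: dict) -> List[str]:
    """Top-level resource types, i.e. what a scanner sees when it does not follow deployments."""
    return [r.get("type", "") for r in template.get("resources", [])]


def linked_references(template: dict) -> List[dict]:
    """List every deployments resource and how it references its child template."""
    refs = []
    for r in template.get("resources", []):
        if r.get("type") != DEPLOYMENT_TYPE:
            continue
        props = r.get("properties", {})
        if "template" in props:
            refs.append({"name": r.get("name"), "kind": "inline", "ref": None})
        elif "relativePath" in props.get("templateLink", {}):
            refs.append({"name": r.get("name"), "kind": "relativePath", "ref": props["templateLink"]["relativePath"]})
        elif "uri" in props.get("templateLink", {}):
            refs.append({"name": r.get("name"), "kind": "uri", "ref": props["templateLink"]["uri"]})
    return refs


def resolve_local(template_link: dict) -> Optional[dict]:
    """Assumed resolver: look the referenced file up beside the master (here, in LINKED_FILES)."""
    name = template_link.get("relativePath")
    if name is None and "uri" in template_link:
        # Heuristic (assumption): the last quoted '*.json' literal inside a [concat(...)] expression.
        literals = re.findall(r"'([^']+\.json)'", template_link["uri"])
        name = literals[-1] if literals else None
    return LINKED_FILES.get(name) if name else None


def expand_resource_types(template: dict, resolve: Callable[[dict], Optional[dict]],
                          depth: int = 0, max_depth: int = 5) -> List[str]:
    """Concrete resource types across master, inline nested and linked templates.

    A deployments resource whose child cannot be resolved is kept as its own type,
    so the caller can see exactly which links the scan would still miss.
    """
    types: List[str] = []
    for r in template.get("resources", []):
        rtype = r.get("type", "")
        if rtype != DEPLOYMENT_TYPE:
            types.append(rtype)
            continue
        props = r.get("properties", {})
        child = props.get("template") if "template" in props else resolve(props.get("templateLink", {}))
        if child is not None and depth < max_depth:
            types.extend(expand_resource_types(child, resolve, depth + 1, max_depth))
        else:
            types.append(rtype)
    return types


if __name__ == "__main__":
    print("master alone   :", resource_types(MASTER_TEMPLATE))
    print("links found    :", [(x["name"], x["kind"]) for x in linked_references(MASTER_TEMPLATE)])
    print("after expansion:", expand_resource_types(MASTER_TEMPLATE, resolve_local))
```

The first list is all Microsoft.Resources/deployments, which matches the "No controls have been evaluated" outcome above; the expanded list is where the API Management and storage resources live. Until linked templates are followed by the command, the relativePath and resolvable uri entries from linked_references are the files to pass individually to Get-AzSKARMTemplateSecurityStatus -ARMTemplatePath, and anything left as an unresolved deployments entry after expansion is a known blind spot in the scan.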

Garima-msft commented 4 years ago

This feature request is in our backlog due to other priority tasks.