PSRule.Rules.Azure icon indicating copy to clipboard operation
PSRule.Rules.Azure copied to clipboard

Published 20 hours ago verified publisher icon Azure

Azure.AppService.UseHTTPS reports fail although app service is deployed with https only

Open MarcelHeek opened this issue 2 years ago • 9 comments

Description of the issue

We have (via IaC) deployed app services with the property 'https_only = true' in Terraform F CAF code. When reviewing the deployed resource in the Azure portal is is actually set to HTTP Only, as can be seen in the screenshot image

We see the same incorrect PSRule results on multiple app services deployed with similar code and with the HTTPS Only property set.

Steps to reproduce the issue:

Expected behaviour

I would expect that app service resources with HTTPS only would flag as passed instead of failed.

Error output

Module in use and version:

  • Module: PSRule.Rules.Azure
  • Version: 1.21.2

Captured output from $PSVersionTable:

Additional context

MarcelHeek avatar Nov 30 '22 11:11 MarcelHeek

@MarcelHeek Thanks for reporting the issue.

Is this false positive being reported from AzGovViz or from the in-flight process mentioned here https://azure.github.io/PSRule.Rules.Azure/export-rule-data/?

BernieWhite avatar Nov 30 '22 11:11 BernieWhite

@BernieWhite , I am actually reviewing the AzGovViz output, so yes, from AzGovViz.

MarcelHeek avatar Nov 30 '22 12:11 MarcelHeek

@BernieWhite I am actually also getting false-positives from the rule Azure.Storage.MinTLS

So is this an integration issue with the AzGovViz tool, right ? Should I also raise issue here : https://github.com/JulianHayward/Azure-MG-Sub-Governance-Reporting ?

MarcelHeek avatar Nov 30 '22 12:11 MarcelHeek

@MarcelHeek Just investigating it, but I think the properties of each resource is not being exported so the data being exported is not complete.

We have a similar issue with #1914.

BernieWhite avatar Nov 30 '22 12:11 BernieWhite

@MarcelHeek please test with fix branch

JulianHayward avatar Dec 02 '22 18:12 JulianHayward

@JulianHayward Is this fix branch already merged in v6_major_20221204_1 release, by any chance? Gues so, so I will give that one a go.

MarcelHeek avatar Dec 05 '22 08:12 MarcelHeek

@MarcelHeek Please let us know if that fixes the problem. Thanks @JulianHayward.

BernieWhite avatar Dec 05 '22 12:12 BernieWhite

@BernieWhite @JulianHayward

I still get FAIL results for a simple WebApp.

First proof of new version being used: image

The results as obtained from the PSRule csv output generated by the AzGovViz tool: image

And the actual configuration in the Azure portal: image

Last Friday I looked into a manual run of the PSRule.Rules.Azure module, and there (I only collected the FAIL results) the webapp was not in the list for this rule violation.

If any additional information is needed, please let me know.

MarcelHeek avatar Dec 05 '22 15:12 MarcelHeek

FYI: evaluating how to handle resources with child resources in the AzGovViz integration https://github.com/Azure/PSRule.Rules.Azure/blob/ab0910359c1b9826d8134041d5ca997f6195fc58/src/PSRule.Rules.Azure/PSRule.Rules.Azure.psm1#L1582

JulianHayward avatar Dec 05 '22 18:12 JulianHayward