PSRule.Rules.Azure
[BUG] AZR-000284: Administrator Username Types
Existing rule
AZR-000284
Description of the issue
When creating a SQL server, AZR-000284 and AZR-000316 are raised for the administrator username and password, even though both are passed as secure parameters in Bicep.
This is similar to #1762.
Error messages
AZR-000284: Administrator Username Types
Severity: High
Recommendation: Sensitive properties should be passed as parameters. Avoid using deterministic values for sensitive properties.
More information: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Deployment.AdminUsername/
Result: Failed
Line: 9
AZR-000316: Use secure resource values
Severity: High
Recommendation: Consider using secure parameters for sensitive resource properties.
More information: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Deployment.SecureValue/
Result: Failed
Line: 9
Reproduction
main.bicep
// Parameters
@description('The name of the SQL logical server.')
param sqlServerName string = uniqueString('sql', resourceGroup().id)

@description('The name of the SQL Database.')
param sqlDbName string = 'SampleDB'

@description('Location for all resources.')
param location string = resourceGroup().location

@description('The administrator username of the SQL logical server.')
@secure()
param sqlAdminLogin string

@description('The administrator password of the SQL logical server.')
@secure()
param sqlAdminPassword string

@description('SKU name. Typically a letter representing tier, followed by a number e.g. S4')
param sqlSkuName string = 'Standard'

@description('SKU level/tier. Typically Basic/Standard/Premium')
param sqlSkuTier string = 'Standard'

// Resource Declarations
module sql_database './modules/sqlDatabase.bicep' = {
  name: 'sqlDatabaseDeploy'
  params: {
    serverName: sqlServerName
    databaseName: sqlDbName
    location: location
    adminLogin: sqlAdminLogin
    adminPassword: sqlAdminPassword
    skuName: sqlSkuName
    skuTier: sqlSkuTier
  }
}
modules/sqlDatabase.bicep
@description('The name of the SQL logical server.')
param serverName string = uniqueString('sql', resourceGroup().id)

@description('The name of the SQL Database.')
param databaseName string = 'SampleDB'

@description('Location for all resources.')
param location string = resourceGroup().location

@description('The administrator username of the SQL logical server.')
@secure()
param adminLogin string

@description('The administrator password of the SQL logical server.')
@secure()
param adminPassword string

@description('SKU name. Typically a letter representing tier, followed by a number e.g. S4')
param skuName string = 'Standard'

@description('SKU level/tier. Typically Basic/Standard/Premium')
param skuTier string = 'Standard'

resource sqlServer 'Microsoft.Sql/servers@2022-05-01-preview' = {
  name: serverName
  location: location
  properties: {
    administratorLogin: adminLogin
    administratorLoginPassword: adminPassword
    publicNetworkAccess: 'Disabled'
    minimalTlsVersion: '1.2'
  }
}

resource sqlDatabase 'Microsoft.Sql/servers/databases@2022-05-01-preview' = {
  parent: sqlServer
  name: databaseName
  location: location
  sku: {
    name: skuName
    tier: skuTier
  }
}

resource sqlAdmins 'Microsoft.Sql/servers/administrators@2022-05-01-preview' = {
  name: 'ActiveDirectory'
  parent: sqlServer
  properties: {
    administratorType: 'ActiveDirectory'
    login: 'sql-admins'
    sid: '0c82f823-ffb6-428b-8ef8-de1f967840af'
    tenantId: subscription().tenantId
  }
}

resource sqlSecurityAlertPolicy 'Microsoft.Sql/servers/securityAlertPolicies@2022-05-01-preview' = {
  parent: sqlServer
  name: 'default'
  properties: {
    state: 'Enabled'
    emailAccountAdmins: true
    disabledAlerts: []
    retentionDays: 30
  }
}

resource sqlAuditSettings 'Microsoft.Sql/servers/auditingSettings@2022-08-01-preview' = {
  name: 'default'
  parent: sqlServer
  properties: {
    isAzureMonitorTargetEnabled: true
    state: 'Enabled'
    retentionDays: 7
    auditActionsAndGroups: [
      'SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP'
      'FAILED_DATABASE_AUTHENTICATION_GROUP'
      'BATCH_COMPLETED_GROUP'
    ]
  }
}
Version of PSRule
2.9.0
Version of PSRule for Azure
1.33.2
Additional context
I'm testing using TemplateAnalyzer (latest version). Version of Microsoft.PSRule.Rules.Azure.Core.dll is 1.33.2.0.
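To make the distinction the report hinges on concrete, here is an added example (not from the issue and not the PSRule.Rules.Azure rule implementation) that checks the compiled ARM JSON a Bicep module produces: a sensitive property is acceptable only when its value is a reference to a `secureString`/`secureObject` parameter, and a literal such as a hardcoded username is flagged. The template dict, resource names and the helper functions are all constructed for this illustration.

```python
import re

# Constructed, simplified ARM JSON in the shape `bicep build` emits for the
# module above: the first server uses secure parameters, the second hardcodes.
SAMPLE_TEMPLATE = {
    "parameters": {
        "adminLogin": {"type": "secureString"},
        "adminPassword": {"type": "secureString"},
    },
    "resources": [
        {
            "type": "Microsoft.Sql/servers",
            "name": "sql-secure",  # constructed name
            "properties": {
                "administratorLogin": "[parameters('adminLogin')]",
                "administratorLoginPassword": "[parameters('adminPassword')]",
            },
        },
        {
            "type": "Microsoft.Sql/servers",
            "name": "sql-hardcoded",  # constructed name
            "properties": {
                "administratorLogin": "sqladmin",
                "administratorLoginPassword": "[parameters('adminPassword')]",
            },
        },
    ],
}
# Matches a bare ARM parameter reference such as "[parameters('adminLogin')]".
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")
SENSITIVE = ("administratorLogin", "administratorLoginPassword")

def is_secure_value(value, parameters):
    """True only when value references a secureString/secureObject parameter."""
    m = PARAM_REF.match(value) if isinstance(value, str) else None
    if not m:
        return False
    ptype = parameters.get(m.group(1), {}).get("type", "")
    return ptype.lower() in ("securestring", "secureobject")

def find_insecure_admin_values(template):
    """Return (resource name, property) pairs that a rule should flag."""
    params = template.get("parameters", {})
    findings = []
    for res in template.get("resources", []):
        props = res.get("properties", {})
        for key in SENSITIVE:
            if key in props and not is_secure_value(props[key], params):
                findings.append((res["name"], key))
    return findings
```

Run against the real output of `bicep build modules/sqlDatabase.bicep`, only the hardcoded pattern should appear in the findings; a secure parameter reference like the one in the issue should not.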
@karpikpl Thanks for reporting the issue. Can you confirm you are using a key vault reference in the calling deployment or parameter file?
I'm using a parameter file in the deployment. It has tokenized values, so it looks something like this:
  "sqlAdminLogin": {
    "value": "__sqlAdminLogin__"
  },
but I've been running TemplateAnalyzer with the param file and without it - same results.
My first thought was that analyzers don't know that values are not hardcoded but tokenized, but it doesn't seem to be the case.
Ok thanks for that @karpikpl. Let me investigate these bugs and get back to you.