PSRule.Rules.Azure

[BUG] False positives for rule AZR-000279?

Open ThijmenDam opened this issue 4 months ago • 3 comments

Existing rule

Azure.Deployment.OutputSecretValue (AZR-000279)

Description of the issue

Perhaps I am missing something, but it seems that AZR-000279 is incorrectly flagged in the following situation.

Our team implements the AVM Storage Account module like so:

// function.data.bicep

module storageAccountFunction 'br/public:avm/res/storage/storage-account:0.20.0' = {
  name: XYZ
  params: {
    ....
  }
}

output storageAccountFunctionId string = storageAccountFunction.outputs.resourceId

This triggers AZR-000279:

 -> function.data.bicep : Microsoft.Resources/deployments [6/7]

    [FAIL] Azure.Deployment.OutputSecretValue (AZR-000279)
    | Template: function.data.bicep:0:0

    | RECOMMEND:
    | Consider removing any deployment output values that return secret values or use
    | secure outputs.

    | REASON:
    | - Path outputs.storageAccountFunctionId: The output 'storageAccountFunctionId' exposes a secure value.

    | HELP:
    | - https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Deployment.OutputSecretValue/

However, when I look at the AVM module's source, I can see that the resourceId output is not a secure output:

// br/public:avm/res/storage/storage-account:0.20.0 - main.bicep

....
@description('The resource ID of the deployed storage account.')
output resourceId string = storageAccount.id
....

Is this a false positive, or am I missing something here?

We can "resolve" the issue by adding the @secure() decorator to our module's output variable, but I do not see why this should be necessary considering that the AVM module's output is not marked as secure.

Error messages

No response

Reproduction

  1. Implement module br/public:avm/res/storage/storage-account:0.20.0 as someModule
  2. Refer to the module's outputs using someModule.outputs.resourceId and set it as a non-secure output variable in your own module, for example output someId string = someModule.outputs.resourceId

Version of PSRule

2.9.0

Version of PSRule for Azure

1.44.0

Additional context

No response

ThijmenDam, Jun 10 '25 09:06
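The following is a self-contained reproduction file, added here as an example; it is not code from the issue author or from the PSRule.Rules.Azure project. It puts the two output shapes the issue discusses side by side: the plain string output that the report says triggers AZR-000279, and the same value declared with the @secure() decorator, which the report says makes the finding go away. The target scope, the parameter name, the storage account name and the module deployment name are assumptions chosen for this example; the AVM module reference and the output names are the ones from the issue, and only the module's required name parameter is set.

```bicep
// repro.bicep (added example, not from the issue or the project)
// Assumes resource-group scope and that the AVM module needs only `name` here;
// every other module parameter is left at its default.
targetScope = 'resourceGroup'

@description('Storage account name. The default value is an assumption for this example.')
@minLength(3)
@maxLength(24)
param storageAccountName string = 'stfuncexample001'

module storageAccountFunction 'br/public:avm/res/storage/storage-account:0.20.0' = {
  name: 'storageAccountFunction' // deployment name is an assumption
  params: {
    name: storageAccountName
  }
}

// Variant 1: a plain string output that re-exposes the module's (non-secure)
// resourceId output. This is the shape the issue reports as failing
// Azure.Deployment.OutputSecretValue (AZR-000279).
output storageAccountFunctionId string = storageAccountFunction.outputs.resourceId

// Variant 2: the same value declared as a secure output, the workaround the
// issue describes. Kept alongside variant 1 so one scan shows both results.
@secure()
output storageAccountFunctionIdSecure string = storageAccountFunction.outputs.resourceId
```

Save the file in an otherwise empty folder and scan it with PSRule for Azure from that folder, for example Assert-PSRule -InputPath . -Module PSRule.Rules.Azure -Format File; the report in the issue says the first output is flagged and the @secure() one is not, so the two outputs give a direct way to confirm whether the behaviour changes between versions.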