
Deploy-Sql-vulnerabilityAssessments definition vulnerabilityAssessmentsEmail parameter type should be a list

Open evaldaseb opened this issue 3 years ago • 3 comments

/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sql_vulnerabilityassessments.json policy definition has a "vulnerabilityAssessmentsEmail" parameter:

    "parameters": {
      "vulnerabilityAssessmentsEmail": {
        "type": "String",
        "metadata": {
          "description": "The email address to send alerts",
          "displayName": "The email address to send alerts"
        }
      }
    }

Created an assignment, specified parameters:

    "parameters": {
      "vulnerabilityAssessmentsEmail": {
        "value": "[email protected]"
      },
      "vulnerabilityAssessmentsStorageID": {
        "value": "storageaccountid"
      }
    },

and a remediation, but the policy is still non-compliant.

Compliance details:

    Current value: ["[email protected]"]
    Target value:  "[email protected]"

It looks like it is expecting a list of strings not a single string.

Just to confirm this, we can go to the Azure portal > Subscription > Resource group > SQL server blade > Security > Security Center > Azure Defender for SQL: Enabled at the subscription-level (Configure), click on Configure, and hover the mouse over the 'i' next to 'Send scan reports to':

[image: screenshot of the 'Send scan reports to' tooltip]

It expects a list.

If I specify my parameter in brackets:

    "parameters": {
      "vulnerabilityAssessmentsEmail": {
        "value": ["[email protected]"]
      }
    }

executing the code comes up with an error complaining about a wrong parameter type.

evaldaseb avatar Jul 02 '21 16:07 evaldaseb

@evaldaseb, thank you for logging your issue.

Just to confirm, the template for this Policy Definition takes a string input, and then places this into a single-item array within the DINE template:

https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/blob/65a69f108bc410150653eb73b1f7ef25cd071d98/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sql_vulnerabilityassessments.json#L99-L101

As such, the expected input for the parameter vulnerabilityAssessmentsEmail must also be a string when creating your Policy Assignment.

It sounds like you have done all of this correctly and that the fault actually lies within the Policy Definition template itself. As these are maintained in our Azure/Enterprise-Scale repository, I will duplicate this issue there, and link to this issue for tracking.

As customers should also be able to provide a list of emails, I will also mention this within the issue to see whether we can get this updated accordingly.

krowlandson avatar Jul 07 '21 12:07 krowlandson
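One check a practitioner can run before deploying is to validate the assignment's parameter values against the types the definition declares, so a String/Array mismatch like the one above surfaces before the compliance scan does. This is an added example in Python, not code from this module or from the Azure/Enterprise-Scale repository; the definition and assignment documents are constructed to mirror the snippets quoted in this issue, the email address is a placeholder, and the type table follows the Azure Policy parameter types (String, Array, Object, Boolean, Integer, Float, DateTime). It does not inspect the DINE template itself, so it flags the bracketed value that the deployment rejects but cannot detect the template-side defect described in the comment above.

```python
import json

# Azure Policy parameter types mapped to the JSON value types they accept.
# DateTime values are carried as ISO-8601 strings in policy JSON.
AZURE_POLICY_TYPES = {
    "string": (str,),
    "array": (list,),
    "object": (dict,),
    "boolean": (bool,),
    "integer": (int,),
    "float": (int, float),
    "datetime": (str,),
}


def validate_assignment_parameters(definition: dict, assignment: dict) -> list:
    """Compare the parameter values in a policy assignment against the
    parameter types declared by the policy definition.

    Accepts either a bare {"parameters": ...} block or a full resource
    document with a "properties" wrapper. Returns a list of human-readable
    problems; an empty list means every supplied value has the declared type,
    nothing required is missing, and nothing undeclared was supplied."""
    problems = []
    declared = definition.get("properties", definition).get("parameters", {})
    supplied = assignment.get("properties", assignment).get("parameters", {})

    for name, spec in declared.items():
        ptype = str(spec.get("type", "")).lower()
        accepted = AZURE_POLICY_TYPES.get(ptype)
        if accepted is None:
            problems.append(f"{name}: definition declares unknown type {spec.get('type')!r}")
            continue
        if name not in supplied:
            if "defaultValue" not in spec:
                problems.append(f"{name}: required parameter missing from assignment")
            continue
        value = supplied[name].get("value")
        # bool is a subclass of int in Python, so reject True/False for
        # non-boolean types explicitly rather than letting isinstance pass it.
        if isinstance(value, bool) and ptype != "boolean":
            problems.append(f"{name}: declared {spec['type']} but assignment supplies a boolean")
        elif not isinstance(value, accepted):
            problems.append(
                f"{name}: declared {spec['type']} but assignment supplies "
                f"{type(value).__name__} {json.dumps(value)}"
            )
        elif "allowedValues" in spec and value not in spec["allowedValues"]:
            problems.append(f"{name}: value {json.dumps(value)} is not in allowedValues")

    for name in supplied:
        if name not in declared:
            problems.append(f"{name}: supplied in assignment but not declared by the definition")
    return problems


# Constructed definition parameters block, modelled on the snippet quoted in
# the issue. It is NOT the module's real policy definition file.
DEFINITION = {
    "parameters": {
        "vulnerabilityAssessmentsEmail": {
            "type": "String",
            "metadata": {"description": "The email address to send alerts",
                         "displayName": "The email address to send alerts"},
        },
        "vulnerabilityAssessmentsStorageID": {
            "type": "String",
            "metadata": {"description": "Storage account resource ID for scan results",
                         "displayName": "Storage account resource ID"},
        },
    }
}

# Assignment as first written in the issue: a plain string, matching the
# declared String type. The address is a constructed placeholder.
ASSIGNMENT_STRING = {
    "parameters": {
        "vulnerabilityAssessmentsEmail": {"value": "security-alerts@example.com"},
        "vulnerabilityAssessmentsStorageID": {"value": "storageaccountid"},
    }
}

# Second attempt from the issue: the email wrapped in brackets. This is the
# shape the portal tooltip asks for, but it no longer matches the declared
# String type, which is why the deployment rejects it.
ASSIGNMENT_LIST = {
    "parameters": {
        "vulnerabilityAssessmentsEmail": {"value": ["security-alerts@example.com"]},
        "vulnerabilityAssessmentsStorageID": {"value": "storageaccountid"},
    }
}

if __name__ == "__main__":
    for label, assignment in (("string value", ASSIGNMENT_STRING), ("list value", ASSIGNMENT_LIST)):
        result = validate_assignment_parameters(DEFINITION, assignment)
        print(f"{label}: {'OK' if not result else 'problems found'}")
        for problem in result:
            print("  -", problem)
```

Running the block reports the string-valued assignment as OK and the bracketed one as a type mismatch on vulnerabilityAssessmentsEmail, which is the same disagreement the deployment error in the issue describes; a definition that genuinely wants several recipients would declare the parameter as Array, and the checker would then pass the list and reject the bare string instead.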

The fix for this issue appears to be blocked due to a platform issue with the target resource provider. Removing from the v1.2.0 milestone whilst we investigate further.

krowlandson avatar Mar 01 '22 09:03 krowlandson

Trigger ADO Sync

jtracey93 avatar Sep 09 '22 15:09 jtracey93

Closing this as we are tracking in the Azure/Enterprise-Scale backlog. Please follow the linked issue above.

krowlandson avatar Oct 28 '22 15:10 krowlandson

Upstream issue now resolved.

Will pull this in for the next release.

krowlandson avatar Jan 04 '23 10:01 krowlandson